Published by ajsharizan, 2021-10-13 00:27:51

Fundamental of Computer Network Security


FUNDAMENTAL OF COMPUTER NETWORK SECURITY

This guide will enable students to identify some of the security approaches used to design a
defensive strategy in a computer network environment. The overall focus is on the processes
based on security policy, emphasizing hands-on skills in securing the perimeter, connectivity,
identifying services and intrusion detection.

Author :
Farah Ariffah Binti Abd Aziz
Nurul Ana Syahirah Binti Abdul Rahman
Sharizan Binti Abdul Jamil

FUNDAMENTAL OF
COMPUTER NETWORK SECURITY

FARAH ARIFFAH BINTI ABD AZIZ
NURUL ANA SYAHIRAH BINTI ABDUL RAHMAN

SHARIZAN BINTI ABDUL JAMIL

All rights reserved. It is not permissible to reproduce any part of the contents of this module in any
form and in any other way before obtaining written permission from the Director of Politeknik
METrO Tasek Gelugor.

National Library of Malaysia

Diploma In Information Technology (Digital Technology) Track Information Security
e-ISBN 978-967-17614-9-6

Author : Farah Ariffah Binti Abd Aziz
Nurul Ana Syahirah Binti Abdul Rahman
Content Sharizan Binti Abdul Jamil

Idea & : Farah Ariffah Binti Abd Aziz
Concept Nurul Ana Syahirah Binti Abdul Rahman
Design Sharizan Binti Abdul Jamil
Editorial
: Farah Ariffah Binti Abd Aziz
Nurul Ana Syahirah Binti Abdul Rahman

: Naqib Idlan Bin Nadzri

: Farah Ariffah Binti Abd Aziz
Nurul Ana Syahirah Binti Abdul Rahman
Sharizan Binti Abdul Jamil

Published by:

Politeknik METrO Tasek Gelugor
No. 25, Jalan Komersial 2,
Pusat Komersial Tasek Gelugor,
13300 Tasek Gelugor,
Pulau Pinang.

Tel: 04-5732789
Fax: 04-5732087
Website: www.pmtg.edu.my

PREFACE

The book gives an overview of network security, vulnerabilities, threats and attacks, and the
tools used to strengthen the security of operating systems and devices. The book is intended as
a textbook for semester five students taking an introductory course on network security, but
also as a reference for IT professionals. It is divided into five main chapters. This guide will
enable students to identify some of the security approaches used to design a defensive strategy
in a computer network environment. The overall focus is on the processes based on security
policy, emphasizing hands-on skills in securing the perimeter, connectivity, identifying services
and intrusion detection.

CONTENT

MODULE 1: INTRODUCTION TO COMPUTER NETWORK SECURITY

Understand the need for network security................................................................................. 1
Need for network security.......................................................................................................... 2
Potential risks to network security.............................................................................................. 2
Goals of network security............................................................................................................. 3
Open Security Models.................................................................................................................. 4
Restrictive Security Models.......................................................................................................... 5
Closed Security Models................................................................................................................ 6
Legal Issues and Privacy Concerns.............................................................................................. 7

MODULE 2: VULNERABILITIES, THREATS AND ATTACKS

Understand vulnerabilities, threats and attacks.......................................................................... 8
Vulnerability Definition................................................................................................................. 8
Weaknesses in relation to security vulnerabilities....................................................................... 10
Security Threats Definition........................................................................................................... 10
Types of Threats........................................................................................................................... 11
Difference between Hackers vs. Attackers................................................................................... 11
Attacks Definition.......................................................................................................................... 11
Types of Attacks........................................................................................................................... 13
Network Vulnerability Assessment (NVA)..................................................................................... 13
Vulnerability Assessment Services............................................................................................. 14
Sources of Vulnerabilities............................................................................................................. 15
NVA Methodology.......................................................................................................................
Vulnerability Assessment Tools...................................................................................................

MODULE 3: SECURITY DEVICES AND TECHNOLOGIES

Understand firewalls................................................................................................................... 19
Firewall components................................................................................................................... 19
3 Types of Packet Filtering.......................................................................................................... 20
Types of Firewall Architecture..................................................................................................... 22
Firewall Limitations...................................................................................................................... 25
Firewall Configuration, Rules and Restrictions............................................................................. 25
Understand the importance of Intrusion Detection System (IDS) and Intrusion Prevention
System (IPS)................................................................................................................................ 32
Types of IDSs............................................................................................................................... 33

IDS framework........................................................................................................................... 34
IDS Signatures........................................................................................................................... 35
IDS Tools for Monitoring............................................................................................................. 35
Information Flow in IDSs and IPSs............................................................................................. 36
IPS Tools...................................................................................................................................... 40
Proxy Server................................................................................................................................ 41

Types of Proxy Server.................................................................................................................. 42
Authentication process and firewall in proxy server...................................................................... 43
Proxy Server vs. Packet Filtering.................................................................................................. 43
Understand Bastion Host and Honeypots.................................................................................... 44
Types of Bastion Host.................................................................................................................. 46
Honeypots.................................................................................................................................... 46
What are the levels of interactions in Honeypots?....................................................................... 49

Virtual Private Network (VPN) Fundamentals..............................................................................

Types of Virtual Private Network (VPN) and its Protocols............................................................ 50
Types of Virtual Private Network (VPN) Protocols........................................................................ 51
Guys, Let’s do VPN Configuration................................................................................................. 52

MODULE 4: HARDENING OPERATING SYSTEMS

Configure Windows services......................................................................................................... 58
BIOS.............................................................................................................................................. 58
BIOS security................................................................................................................................ 58
Windows Registry......................................................................................................................... 59
Rootkit Detection using RootkitRevealer...................................................................................... 62
Rootkit Classification.................................................................................................................... 62
Configuring Windows services to disable all unneeded services.................................................. 62
Kerberos Authentication and Domain Security.............................................................................. 63
Kerberos Authentication................................................................................................................ 63
Domain Security............................................................................................................................ 64
Trust Relationship between domains............................................................................................ 64
IP Security (IPsec)......................................................................................................................... 64
Implement Infrastructure, Authentication and Auditing of Windows.............................................. 64
Windows Server Authentication.................................................................................................... 64
Tools in Windows Server to manage a set of policies................................................................... 65
Windows Server Auditing and Logging......................................................................................... 66
Applying Windows Certification Authorities on clients.................................................................. 66

Understand Linux security............................................................................................................. 67
User and File system security administration ............................................................................... 67
Steps involve in configuring UNIX services................................................................................... 67
Framework of Pluggable Authentication Module (PAM)................................................................ 67

MODULE 5: PHYSICAL SECURITY

Understand hardening physical security........................................................................................ 69
Need for physical security.............................................................................................................. 69
Physical security threats to networks............................................................................................. 69
Biometrics in physical security....................................................................................................... 69
Workplace Security Implementation.............................................................................................. 70
Securing Network Devices............................................................................................................. 71
Securing Edge Router....................................................................................................................
Assigning Administrative Roles...................................................................................................... 71
Using Automated Security Features.............................................................................................. 71
Monitoring and Managing Devices................................................................................................ 71
Challenges in ensuring physical security....................................................................................... 71
Understand Securing Modems...................................................................................................... 71
Securing Modems Definition......................................................................................................... 72
Types of Modems.......................................................................................................................... 72
External Modems.......................................................................................................................... 73
Internal Modems........................................................................................................................... 73
Network Attacks and Risks Involve in Modems............................................................................. 73
Network Attacks............................................................................................................................. 73
Risks.............................................................................................................................................. 73
Reason of Modem Failures............................................................................................................ 73
Hardening Router Implementation................................................................................................. 74
Terms............................................................................................................................................. 74
Definition........................................................................................................................................ 74
Routing Principles and Operation Modes...................................................................................... 74
Wireless Router Mode (Default).................................................................................................... 75
Repeater Mode.............................................................................................................................. 75
Access Point (AP) Mode................................................................................................................ 75
Media Bridge................................................................................................................................. 75
TCP and UDP Server Proxy.......................................................................................................... 76
TCP Tools...................................................................................................................................... 76
Steps to Harden a Router.............................................................................................................. 77
Routing command (BASIC)........................................................................................................... 78
Router Types................................................................................................................................. 79
Routing Protocols.......................................................................................................................... 79

Wireless Network.......................................................................................................................... 80
Types of Wireless Networks.......................................................................................................... 80
Types of Connection..................................................................................................................... 80
Geography.................................................................................................................................... 81

Component of Wireless Network.................................................................................................. 81
Types of Wireless Threat and Attacks.......................................................................................... 81
Wireless Standards........................................................................................................................ 82
Secure Wireless Communications Using Various Techniques and Tools...................................... 82
Wireless Security Policy................................................................................................................. 82
Implement Security Policy on Wireless Network............................................................................ 82
Reference...................................................................................................................................... 83

MODULE 1: INTRODUCTION TO COMPUTER NETWORK SECURITY

Understand the need for network security

• Prevent unauthorized access to the network, which is one of the main threats to the
network and its resources.

• Ensure that authorized users can effectively access the network and its services.
• Ensure that applications that protect the network from unauthorized access are in place.

Security is about the protection of assets. There are three important requirements of
network security, listed below:

Prevention
◦ Take measures that prevent your assets from being damaged or stolen.
◦ Example: locks on doors, window bars, secure walls around the property, hiring a
guard.

Detection
◦ Take measures so that you can detect when, how, and by whom an asset has
been damaged.
◦ Example: noticing missing items, burglar alarms, closed-circuit TV.

Reaction
◦ Take measures so that you can recover your assets.
◦ Example: call the police, replace stolen items or make an insurance claim.

1

Need for network security

We use computers for everything from banking and investing to shopping and communicating
with others through email or chat programs.

 Governments, the military, corporations, financial institutions, hospitals and other
businesses collect, process and store a great deal of confidential information on
computers, and transmit that data across networks to other computers.
 With the growing volume and sophistication of computer and network attacks,
ongoing attention is required to protect sensitive business and personal
information, as well as to safeguard national security.
 During a United States Senate hearing in March 2013, the top US intelligence
officials warned that information technology attacks and digital spying are the top
threat to national security, eclipsing terrorism.

Potential risks to network security

◦ Computer virus
◦ Rogue security software
◦ Trojan Horse
◦ Adware & Spyware
◦ Computer Worm
◦ DoS & DDoS Attack
◦ Phishing
◦ Rootkit
◦ SQL Injection
◦ Man-in-the-middle Attack

2


Goals of network security

1. Asset identification
• Identify the resources used in the network for the various applications.
• Network devices such as routers, switches and firewalls must be included in the inventory.
• For each network resource, identify its users and their privacy requirements.

2. Threat assessment
• Identify the threats to the system.
• Example: unauthorized access to information through the network.

3. Risk assessment
• The process of identifying, quantifying and prioritizing the risks to the system.
• Ensure configurations are set correctly and the proper security patches are
applied.

3

SECURITY MODELS

Open Security Models

Figure 1.1: Open Security Policy

• Easy to configure and administer.
• Easy for network users.
• Security cost: least expensive.
• Suitable only for LANs or WANs that are not connected to the internet.

Authentication

• Password Authentication Protocol (PAP), used by PPP to validate users. PAP sends the
password across the link in cleartext, so anyone able to sniff the link can capture it.
• Simple passwords and server security become the foundation of this model.

Access Control

• Access lists in Wide Area Network (WAN) and gateway routers.
• No standalone firewalls.
• No encryption.

4

Restrictive Security Models

Figure 1.2: Restrictive Security Policy

• More difficult to configure and administer.
• More difficult for network users.
• Security cost: more expensive.
• A firewall and an identity server become the foundation of this model. Suitable for LANs
or WANs that are connected to the internet (note the firewall between the internet and the
enterprise in the access controls below).

Authentication

• One-time passwords for dial-in and internet access.

Access Control

• Access lists in WAN and gateway routers.
• Firewall between the internet and the enterprise.
• Route authentication for the branch offices and campus.
• Encryption on branch office links.

5

Closed Security Models

Figure 1.3: Closed Security Policy

• Most difficult to configure and administer.
• Most difficult for network users.
• Security cost: most expensive.
• All available security measures are implemented in this design.

Authentication
• Digital certificates are required for this model.

Access Control
• Access lists in WAN and gateway routers.
• Firewall between the internet and the enterprise.
• Encrypted channels.

6


Summary on Security Models

Figure 1.4: Summary of security models

Legal Issues and Privacy Concerns

• Any business has the potential to be attacked by a hacker or taken down by a virus.
• The biggest reason to create and follow a security policy is compliance with the law.
• What the law reasonably expects depends on the prevention technologies and practices
that are available and on the reasonable cost of implementing them.

7

MODULE 2: VULNERABILITIES, THREATS AND ATTACKS

Understanding vulnerabilities, threats and attacks

Vulnerability Definition

• Any type of weakness in a computer system itself, in a set of procedures, or in anything
that leaves information security exposed to a threat or attack.

• Vulnerabilities in network security can be summed up as the “soft spots” that are
present in every network. The vulnerabilities are present in the network and individual
devices that make up the network.

• This includes routers, switches, desktops, servers, and even security devices
themselves.

Weaknesses in relation to security vulnerabilities

Networks are typically plagued by one or more of the three primary vulnerabilities or weaknesses below:

1. Technology weaknesses
2. Configuration weaknesses
3. Security policy weaknesses

1. Technology Weaknesses
• TCP/IP protocol weaknesses (HTTP and FTP are inherently insecure: both carry
credentials and data in cleartext)
• Operating system weaknesses (UNIX, Linux, Macintosh, Windows NT, 9x, 2K, XP and
OS/2 all have security problems that must be addressed)
• Network equipment weaknesses
o Password protection
o Lack of authentication
o Routing protocols
o Firewall holes

2. Configuration Weaknesses

Network administrators or network engineers need to learn what the configuration
weaknesses are and correctly configure their computing and network devices to
compensate.

Examples:
• Unsecured user accounts
• System accounts with easily guessed password
• Misconfigured internet services

8


• Unsecured default settings within products
• Misconfigured network equipment

3. Security Policy Weaknesses
Security policy weaknesses can create unforeseen security threats. Users who do not
follow the security policy expose the network to risk.
Examples:
• Lack of a written security policy
• Politics
• Lack of continuity
• Logical access controls not applied
• Software or hardware installation and changes that do not follow policy
• Non-existent disaster recovery plan

9

Security Threats Definition

• Anything that has the potential to cause serious harm to a computer system. A threat
is something that may or may not happen, but that has the potential to cause serious
damage. Threats can lead to attacks on computer systems, networks and more.

• A threat is what can go wrong when a vulnerability is exploited or an asset is attacked,
such as data theft or unauthorized modification of the data.

Types of Threats

• Unstructured Threats
• Structured Threats
• External Threats
• Internal Threats

Unstructured Threats

• Attacks from novice hackers, often called script kiddies.
• They use software created by more advanced hackers to gain information from or access
to a system, or to launch a denial of service attack.
• They can still do serious damage to a company.

Structured Threats

• Come from hackers who are more highly motivated and technically competent.
• They know system vulnerabilities and can understand and develop exploit code and
scripts.
• They understand, develop and use sophisticated hacking techniques to penetrate
unsuspecting businesses.
• They are often involved with the major fraud and theft cases reported to law
enforcement agencies.

External Threats

• Can arise from individuals or organizations working outside of a company.
• They do not have authorized access to the computer systems or network.
• They work their way into a network mainly from the internet or through dial-up access
servers.

Internal Threats

• A threat originating inside a company, government agency or institution.
• Occurs when someone has authorized access to the network, either with an account
on a server or with physical access to the network.
• Typically carried out by a disgruntled employee who has been denied promotion or
informed of employment termination.

10


Difference between Hackers and Attackers

Hackers
• A hacker is any skilled computer expert who uses their technical knowledge to
overcome a problem.
• Associated in popular culture with the "security hacker", someone who, with their
technical knowledge, uses bugs or exploits to break into computer systems.
• Traditionally use vulnerabilities and exploits to conduct their activities.

Attackers
• An attacker is any person who attempts to destroy, expose, alter, disable, steal or gain
unauthorized access to or make unauthorized use of an asset.
• An attack is an assault on system security that derives from an intelligent threat.
• Can use any means to cause havoc.

Attacks Definition

• An attack is any attempt to destroy, expose, alter, disable, steal or gain unauthorized
access to or make unauthorized use of an asset.

• Attackers use a variety of tools, scripts and programs to launch attacks against networks
and network devices.

Types of Attacks

1. Reconnaissance Attack
2. Access Attack
3. Denial of Service Attack
4. Distributed Denial of Service Attack
5. Malicious Code Attack

1. Reconnaissance
Reconnaissance is somewhat analogous to a thief casing a neighbourhood for
vulnerable homes to break into, such as an unoccupied residence, easy-to-open doors
or open windows.

Reconnaissance attacks use:
• Packet sniffers
• Port scans
• Ping sweeps
• Internet information queries
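Port scans and ping sweeps leave a characteristic trace in firewall logs: one source touching many ports on one host, or one source pinging many hosts, within a short time. The following is an added example, not code from the textbook, showing that detection logic run over constructed log lines. The log format (`<timestamp> <action> <proto> <src> -> <dst>[:<port>]`), the addresses and the thresholds are all assumptions made for the demonstration.

```python
# Added example (not from the textbook): spotting port scans and ping sweeps
# in firewall logs. The log format below is a constructed, simplified one,
# not any vendor's real syntax, and the addresses are documentation ranges.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "<ISO timestamp> <action> <proto> <src> -> <dst>[:<dport>]"
SAMPLE_LOG = """\
2021-10-13T00:00:01 DENY TCP 203.0.113.7 -> 192.0.2.10:21
2021-10-13T00:00:01 DENY TCP 203.0.113.7 -> 192.0.2.10:22
2021-10-13T00:00:01 DENY TCP 203.0.113.7 -> 192.0.2.10:23
2021-10-13T00:00:02 DENY TCP 203.0.113.7 -> 192.0.2.10:25
2021-10-13T00:00:02 PERMIT TCP 203.0.113.7 -> 192.0.2.10:80
2021-10-13T00:00:02 DENY TCP 203.0.113.7 -> 192.0.2.10:110
2021-10-13T00:00:03 DENY TCP 203.0.113.7 -> 192.0.2.10:143
2021-10-13T00:00:03 PERMIT TCP 203.0.113.7 -> 192.0.2.10:443
2021-10-13T00:00:03 DENY TCP 203.0.113.7 -> 192.0.2.10:445
2021-10-13T00:00:04 DENY TCP 203.0.113.7 -> 192.0.2.10:3389
2021-10-13T00:01:10 DENY ICMP 198.51.100.9 -> 192.0.2.1
2021-10-13T00:01:10 DENY ICMP 198.51.100.9 -> 192.0.2.2
2021-10-13T00:01:11 DENY ICMP 198.51.100.9 -> 192.0.2.3
2021-10-13T00:01:11 DENY ICMP 198.51.100.9 -> 192.0.2.4
2021-10-13T00:01:12 DENY ICMP 198.51.100.9 -> 192.0.2.5
2021-10-13T00:02:00 PERMIT TCP 192.0.2.50 -> 192.0.2.10:443
2021-10-13T00:02:05 PERMIT TCP 192.0.2.50 -> 192.0.2.10:443
2021-10-13T01:00:00 DENY TCP 203.0.113.8 -> 192.0.2.10:21
2021-10-13T02:00:00 DENY TCP 203.0.113.8 -> 192.0.2.10:22
2021-10-13T03:00:00 DENY TCP 203.0.113.8 -> 192.0.2.10:23
"""

def parse_line(line):
    ts, action, proto, src, _, dst = line.split()
    host, _, port = dst.partition(":")      # ICMP lines carry no port
    return {"ts": datetime.fromisoformat(ts), "action": action, "proto": proto,
            "src": src, "dst": host, "dport": int(port) if port else None}

def detect_recon(log_text, window_seconds=60, port_threshold=10, host_threshold=5):
    """Return sorted alerts: ("port_scan", src, dst) when one source touches
    >= port_threshold distinct ports on one host inside the window, and
    ("ping_sweep", src) when one source pings >= host_threshold distinct hosts."""
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            event = parse_line(line)
            by_src[event["src"]].append(event)

    alerts = set()
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        # Sliding window anchored at each event. Permitted and denied hits both
        # count: a scanner learns from an open port as much as from a closed one.
        for i, start in enumerate(events):
            recent = [e for e in events[i:] if e["ts"] - start["ts"] <= window]
            ports_per_host = defaultdict(set)
            pinged_hosts = set()
            for e in recent:
                if e["proto"] == "ICMP":
                    pinged_hosts.add(e["dst"])
                elif e["dport"] is not None:
                    ports_per_host[e["dst"]].add(e["dport"])
            for dst, ports in ports_per_host.items():
                if len(ports) >= port_threshold:
                    alerts.add(("port_scan", src, dst))
            if len(pinged_hosts) >= host_threshold:
                alerts.add(("ping_sweep", src))
    return sorted(alerts)

if __name__ == "__main__":
    for alert in detect_recon(SAMPLE_LOG):
        print(alert)
```

With the default 60-second window the fast scanner (203.0.113.7) and the sweeper (198.51.100.9) are reported, while 203.0.113.8, which probes one port per hour, is not: a slow scan evades a short-window detector, so thresholds and windows have to be chosen against the scan speed you expect, not just the obvious burst.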

11

2. Access
System access is the ability of an unauthorized intruder to gain access to a device.

Access attacks include:
• Password attacks
• Trust exploitation
• Port redirection
• Man-in-the-middle attacks
• Social engineering
• Phishing

3. Denial of Service (DoS)
• DoS means that an attacker disables or corrupts networks, systems or services
with the intent of denying service to the intended users.
• A DoS attack prevents authorized people from using a service by using up system
resources.

4. Distributed Denial of Service (DDoS)
• DDoS attacks are designed to saturate network links with spurious data sent from
many compromised hosts at once.
• This data can overwhelm an internet link, causing legitimate traffic to be
dropped.

5. Malicious Code
• Malicious software is inserted onto a host to damage a system; corrupt a system;
replicate itself; or deny services or access to networks, systems or services.
• It can also allow sensitive information to be copied or echoed to other
systems. Trojan horses can be used to ask the user to enter sensitive information
in a screen that looks like one the user normally trusts.

Malicious code attacks use:

• Viruses
• Worms
• Trojan horses

12


Network Vulnerability Assessment (NVA)

Vulnerability Assessment Services

1. Initial assessment
2. System baseline definition
3. Perform vulnerability scan
4. Vulnerability assessment report creation

Sources of Vulnerabilities

• Information Sharing and Analysis Centres (ISACs)
• United States Computer Emergency Readiness Team (US-CERT)
• National Vulnerability Database (NVD), maintained by NIST
• InfraGard
• Information security professional associations
• Common Vulnerabilities and Exposures (CVE)

13

NVA Methodology

Phase 1: Data Collection
• Collect and begin review of business objectives, strategic business directions, mission
statements, etc.
• Collect and begin review of existing policies, procedures, standards, applicable regulations,
laws, guidelines, circulars, letters, memos, audit comments, etc. to determine deficiencies.

Phase 2: Interviews, Information Review, and Hands-on Investigation
• Interview key department representatives and business units.
• Interview internal customers of the network environment.
• Collect any documentation (policy, procedures, etc.) that was discovered missing from Phase 1.
• Evaluate the security performance of key hardware, network, and software implementations.

Phase 3: Analysis
• Identify existing concerns and critical security success factors, and analyze possible
mitigating circumstances.
• Identify critical and sensitive data issues and practices.
• Identify security risks and formulate recommendations for mitigating those risks.
• Formulate actions to facilitate a successful implementation of the client's security program.

Phase 4: Draft Report
• Assess the existing security policies and procedures, and make recommendations where
appropriate.
• Evaluate risks implicit in the existing network implementation and make recommendations for
improved security practices where appropriate.
• Assess the effectiveness of safeguards currently implemented (including firewalls) and make
recommendations for improvement, where appropriate.
• Present the Draft Report to the sponsor and the NVA team for their comments, which will be
included in the Final Report.

Phase 5: Final Report
Provide the Final Report and make presentations as requested by the sponsor; the Network
Vulnerability Assessment Team should be available to answer questions and clarify issues, as
needed.

14

Vulnerability Assessment Tools

a) SAINT

b) Nessus

15

c) Network Mapper (Nmap)

d) Ethereal (the packet analyzer now maintained as Wireshark)

16

e) Sandcat Scanner

17

3.0 SECURITY DEVICES AND TECHNOLOGIES

a. Firewalls
b. Packet filtering
c. Firewall architecture
d. Intrusion Detection System (IDS) and Intrusion Prevention System (IPS)
e. IDS tools
f. Proxy server
g. Bastion Host and Honeypots
h. Virtual Private Network (VPN)


MODULE 3: Security Devices and Technologies

Understand firewalls

Firewall components

a. Packet filters - https://www.youtube.com/watch?v=KZc1KaE1OKU
Controlling access to a network by analyzing the incoming and outgoing packets and letting
them pass or halting them based on the IP addresses of the source and destination. Packet
filtering is one technique, among many, for implementing security firewalls.

b. Proxy server - https://www.youtube.com/watch?v=5cPIukqXe5w
A proxy server is a computer system or router that functions as a relay between client and server. It helps prevent an
attacker from invading a private network and is one of several tools used to build a firewall.
The word proxy means "to act on behalf of another," and a proxy server acts on behalf of the user. All
requests to the Internet go to the proxy server first, which evaluates the request and forwards it to
the Internet. Likewise, responses come back to the proxy server and then to the user.


c. Authentication system – https://www.youtube.com/watch?v=woNZJMSNbuo

Authentication is used by a server when the server needs to know exactly who is accessing its
information or site. Authentication is used by a client when the client needs to know that the server
is the system it claims to be. In authentication, the user or computer has to prove its identity to the server
or client.

d. Network Address Translation (NAT) -

https://www.youtube.com/watch?v=FTUV0t6JaDA

https://whatismyipaddress.com/nat

NAT is a process in which a network device, usually a firewall, assigns a public address to a computer (or group
of computers) inside a private network. The main use of NAT is to limit the number of public IP
addresses an organization or company must use, for both economy and security purposes.

The most common form of network translation involves a large private network using addresses in a
private range (10.0.0.0 to 10.255.255.255, 172.16.0.0 to 172.31.255.255, or 192.168.0.0 to
192.168.255.255). The private addressing scheme works well for computers that only have to access
resources inside the network, like workstations needing access to file servers and printers. Routers
inside the private network can route traffic between private addresses with no trouble.

3 types of packet filtering

a. Stateful Packet Filtering
b. Stateless Packet Filtering
c. Dynamic Packet Filtering


Types of Firewall Architecture


A DMZ network (sometimes referred to as a "demilitarized zone") functions as a subnetwork
containing an organization's exposed, outward-facing services. It acts as the exposed point to
untrusted networks, commonly the Internet.
The goal of a DMZ is to add an extra layer of security to an organization's local area network.
A protected and monitored network node that faces outside the internal network can access
what is exposed in the DMZ, while the rest of the organization's network is safe behind a
firewall.
When implemented properly, a DMZ network gives organizations extra protection in
detecting and mitigating security breaches before they reach the internal network, where
valuable assets are stored. DMZ: https://www.youtube.com/watch?v=dqlzQXo1wqo


Firewall Limitations

 It cannot stop social engineering attacks or an unauthorized user intentionally using their access for unwanted purposes
 Firewalls cannot fix poor administrative practices or poorly designed security policies
 It cannot stop attacks if the traffic does not pass through them
 They are only as effective as the rules they are configured to enforce.

Firewall Configuration, Rules and Restrictions

Firewalls operate by examining a data packet and performing a comparison with some
predetermined logical rules. The logic is based on a set of guidelines programmed in by a
firewall administrator, or created dynamically and based on outgoing requests for
information. This logical set is most commonly referred to as firewall rules, rule base, or
firewall logic.

Most firewalls use packet header information to determine whether a specific packet should
be allowed to pass through or should be dropped. In order to better understand more
complex rules, it is important to be able to create simple rules and understand how they
interact.

For the purpose of this discussion, assume a network configuration as illustrated in Figure 1,
with an internal and an external filtering firewall. In the exercise, the rules for both
firewalls will be discussed, and a recap at the end of the exercise will show the complete
rule sets for each filtering firewall.

Figure 1 : Example Network Configuration

Some firewalls can filter packets by the name of a particular protocol as opposed to the
protocol's usual port numbers. For instance, Telnet protocol packets usually go to TCP port 23,
but can sometimes be directed to another much higher port number in an attempt to conceal
the activity. The System or well-known ports are those from 0 through 1023, User or
registered ports are those from 1024 through 49151, and Dynamic or Private Ports are those
from 49152 through 65535.

The following example uses the port numbers associated with several well-known protocols
to build a rule base. The port numbers to be used are listed in Table 1. Note that this is not an
exhaustive list.

Table 1 : Well known Port Number

Rule Set-1: Responses to internal requests are allowed. In most firewall implementations, it is
desirable to allow a response to an internal request for information. In dynamic or stateful firewalls,
this is most easily accomplished by matching the incoming traffic to an outgoing request in a state
table. In simple packet filtering, this can be accomplished with the following rule for the External
Filtering Router. (Note that the network address for the destination ends with .0; some firewalls use
a notation of .X instead.)

Table 2: Rule Set-1

From Table 2, you can see that this rule states that any incoming packet (with any source address and
from any source port) that is destined for the internal network (whose destination address is
10.10.10.0) and for a destination port greater than 1023 (that is, any port out of the number range
for the well-known ports) is allowed to enter. Why allow all such packets? While outgoing
communications request information from a specific port (i.e. a port 80 request for a Web page), the
response is assigned a number outside the well-known port range. If multiple browser windows are
open at the same time, each window can request a packet from a Web site, and the response is
directed to a specific destination port, allowing the browser and Web server to keep each conversation
separate. While this rule is sufficient for the external router (firewall), it is dangerous simply to allow
any traffic in just because it is destined to a high port range. A better solution is to have the internal
firewall router use state tables that track connections and prevent dangerous packets from entering
this upper port range.

Rule set-2: The firewall device is never accessible directly from the public network. If hackers can
directly access the firewall, they may be able to modify or delete rules and allow unwanted traffic
through. For the same reason, the firewall itself should never be allowed to access other network
devices directly. If hackers compromise the firewall and then use its permissions to access other
servers or clients, they may cause additional damage or mischief. The rules shown in Table 3 prohibit
anyone from directly accessing the firewall and the firewall from directly accessing any other devices.
Note that this example is for the external filtering router/firewall only. Similar rules should be crafted
for the internal router. Why are there separate rules for each IP address? The 10.10.10.1 address
regulates external access to and by the firewall, while the 10.10.10.2 address regulates internal access.
Not all hackers are outside the firewall!

Table 3 : Rule Set 2

Rule set-3: All traffic from the trusted network is allowed out. As a general rule it is wise not to restrict
outgoing traffic, unless a separate router is configured to handle this traffic. Assuming most of the
potentially dangerous traffic is inbound, screening outgoing traffic is just more work for the firewalls.
This level of trust is fine for most organizations. If the organization wants control over outbound traffic,
it should use a separate router. The rule shown in Table 4 allows internal communications out.

Table 4 : Rules Set 3

Why should rule set-3 come after rule set-1 and 2? It makes sense to allow the rules that
unambiguously impact the most traffic to be earlier in the list. The more rules a firewall must process
to find one that applies to the current packet, the slower the firewall will run. Therefore, most widely
applicable rules should come first since the first rule that applies to any given packet will be applied.


Rule set-4: The rule set for the Simple Mail Transfer Protocol (SMTP) data is shown in Table 5. As
shown, the packets governed by this rule are allowed to pass through the firewall, but are all routed
to a well-configured SMTP gateway. It is important that e-mail traffic reach your e-mail server, and
only your e-mail server. Some hackers try to disguise dangerous packets as e-mail traffic to fool a
firewall. If such packets can reach only the e-mail server, and the e-mail server has been properly
configured, the rest of the network ought to be safe.

Table 5: Rule set-4

Rule set 5: All Internet Control Message Protocol (ICMP) data should be denied. Pings, formally known
as ICMP echo requests, are used by internal systems administrators to ensure that clients and servers
can reach and communicate. There is virtually no legitimate use for ICMP outside the network, except
to test the perimeter routers. ICMP uses port 7 to request a response to a query (e.g. "Are you there?")
and can be the first indicator of a malicious attack. It is best to make all directly connected networking
devices "black holes" to external probes. Traceroute uses a variation on the ICMP echo request, so
restricting this one port provides protection against two types of probes. Allowing internal users to
use ICMP requires configuring two rules, as shown in Table 6.

Table 6: Rule set- 5

The first of these two rules allows internal administrators (and users) to use Ping. Note that this rule
is unnecessary if internal permission rules like those in rule set 2 are used. The second rule in Table 6
does not allow anyone else to use Ping. Remember that rules are processed in order. If an internal
user needs to Ping an internal or external address, the firewall allows the packet and stops processing
the rules. If the request does not come from an internal source, then it bypasses the first rule and
moves to the second.

Rule set 6: Telnet (Terminal emulation) access to all internal servers from the public networks should
be blocked. Though not used much in Windows environments, Telnet is still useful to systems
administrators on Unix/Linux systems. But the presence of external requests for Telnet services can
indicate a potential attack. Allowing internal use of Telnet requires the same type of initial permission
rule you use with Ping. See Table 7. Note that this rule is unnecessary if internal permissions rules like
those in rule set 2 are used.


Table 7: Rule set-6

Rule set 7: When Web services are offered outside the firewall, HTTP traffic should be denied from
reaching the internal networks through the use of some form of proxy access or DMZ architecture.
With a Web server in the DMZ you simply allow HTTP to access the Web server, and use rule set 8, the
Clean Up rule, to prevent any other access. In order to keep the Web server inside the internal network,
direct all HTTP requests to the proxy server, and configure the internal filtering router/firewall only to
allow the proxy server to access the internal Web server. The rule shown in Table 8 illustrates the first
example.

Table 8 : Rule set-7a

This rule accomplishes two things: It allows HTTP traffic to reach the Web server, and it prevents non-
HTTP traffic from reaching the Web server. It does the latter through the Clean Up rule (Rule 8). If
someone tries to access the Web server with non-HTTP traffic (other than port 80), then the firewall
skips this rule and goes to the next.

Proxy server rules allow an organization to restrict all access to a device. The external firewall would
be configured as shown in Table 9.

Table 9 : Rule set-7b

The effective use of a proxy server of course requires the DNS entries to be configured as if the proxy
server were the Web server. The proxy server would then be configured to repackage any HTTP
request packets into a new packet and retransmit to the Web server inside the firewall. Allowing for
the retransmission of the repackaged request requires the rule shown in Table 9 to enable the proxy
server at 10.10.10.5 to send to the internal router, presuming the IP address for the internal Web
server is 192.168.2.4.


Table 9 : Rule set-7c

The restriction on the source address then prevents anyone else from accessing the Web server from
outside the internal filtering router/firewall.

Rule set 8: The Clean Up rule: As a general practice in
firewall rule construction, if a request for a service is not explicitly allowed by policy, that request
should be denied by a rule. The rule shown in Table 10 implements this practice and blocks any
requests that aren't explicitly allowed by other rules.

Table 10 : Rule set-8

Additional rules restricting access to specific servers or devices can be added, but they must be
sequenced before the clean up rule. Order is extremely important, as misplacement of a particular
rule can result in unforeseen results.
Tables 11 and 12 show the rule sets, in their proper sequences, for both external and internal firewalls.

Table 11 : Rules Set


Tables 12: Rules Set

Note that the rule allowing responses to internal communications comes first (appearing in Table 11
as Rule #1), followed by the four rules prohibiting direct communications to or from the firewall (Rules
#2-5 in Table 11). After this comes the rule stating that all outgoing internal communications are
allowed, followed by the rules governing access to the SMTP server, and denial of Ping, Telnet access,
and access to the HTTP server. If heavy traffic to the HTTP server is expected, move the HTTP server
rule closer to the top (for example, into the position of Rule #2), which would expedite rule processing
for external communications. The final rule in Table 11 denies any other types of communications.

Note the similarities and differences in the two rule sets. The internal filtering router/firewall rule set,
shown in Table 12, has to both protect against traffic to and allow traffic from the internal network
(192.168.2.0). Most of the rules in Table 12 are similar to those in Table 11: allowing responses to
internal communications (Rule #1); denying communications to/from the firewall itself (Rules #2-5);
and allowing all outbound internal traffic (Rule #6). Note that there is no permissible traffic from the
DMZ systems, except as in Rule #1. Why is there not a comparable rule for the 192.168.2.1 subnet?
Because this is an unrouteable network, external communications are handled by the NAT server,
which maps internal (192.168.2.0) addresses to external (10.10.10.0) addresses. This prevents a
hacker from compromising one of the internal boxes and accessing the internal network with it. The
exception is the proxy server (Rule #7 in Table 12), which should be very carefully configured. If the
organization does not need the proxy server, as in cases where all externally accessible services are
provided from machines in the DMZ, then Rule #7 is not needed. Note that there are no Ping and
Telnet rules in Table 12. This is because the external firewall filters these external requests out. The
last rule, Rule #8, provides clean up.
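The external rule set described above, as an added example that is not part of the original module: a small first-match packet filter in Python that loads the external filtering router's rules in the order the text gives (responses first, the four firewall-protection rules, outbound, SMTP, ICMP, Telnet, HTTP, clean up) and reports which rule decided each packet, so the effect of rule ordering can be seen. The internal network 10.10.10.0 and firewall addresses 10.10.10.1 and 10.10.10.2 come from the text; the SMTP gateway (10.10.10.6) and Web server (10.10.10.4) addresses are assumed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Addresses from the text: internal network 10.10.10.0, firewall interfaces
# 10.10.10.1 (external side) and 10.10.10.2 (internal side).
INTERNAL = "10.10.10.0/24"
FW_EXT = "10.10.10.1/32"
FW_INT = "10.10.10.2/32"
# Assumed (constructed) hosts: the text does not give these addresses.
SMTP_GW = "10.10.10.6/32"   # assumed SMTP gateway
WEB_SRV = "10.10.10.4/32"   # assumed Web server

HIGH = (1024, 65535)        # "any port out of the well-known range"
SMTP, TELNET, HTTP = (25, 25), (23, 23), (80, 80)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: Optional[int]     # None for protocols without ports (ICMP)
    dst: str
    dport: Optional[int]
    proto: str               # "tcp", "udp" or "icmp"


@dataclass(frozen=True)
class Rule:
    name: str
    src: Optional[str]                # CIDR, or None for "any"
    sport: Optional[Tuple[int, int]]  # inclusive port range, or None for "any"
    dst: Optional[str]
    dport: Optional[Tuple[int, int]]
    proto: Optional[str]              # None for "any"
    action: str                       # "allow" or "deny"


def _addr_ok(cidr: Optional[str], addr: str) -> bool:
    return cidr is None or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)


def _port_ok(rng: Optional[Tuple[int, int]], port: Optional[int]) -> bool:
    # A port constraint can never match a packet that carries no port (ICMP).
    return rng is None or (port is not None and rng[0] <= port <= rng[1])


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """First-match evaluation as the text describes: the first rule that applies
    decides and processing stops. Returns (action, 1-based rule number) so the
    cost of a rule's position in the list is visible."""
    for number, r in enumerate(rules, start=1):
        if (_addr_ok(r.src, pkt.src) and _port_ok(r.sport, pkt.sport)
                and _addr_ok(r.dst, pkt.dst) and _port_ok(r.dport, pkt.dport)
                and (r.proto is None or r.proto == pkt.proto)):
            return r.action, number
    return "deny", len(rules) + 1   # unreachable while a clean-up rule is present


# External filtering router/firewall, in the order Table 11 describes.
EXTERNAL_RULES = [
    Rule("responses to internal requests", None, None, INTERNAL, HIGH, None, "allow"),
    Rule("no access to firewall (external side)", None, None, FW_EXT, None, None, "deny"),
    Rule("no access from firewall (external side)", FW_EXT, None, None, None, None, "deny"),
    Rule("no access to firewall (internal side)", None, None, FW_INT, None, None, "deny"),
    Rule("no access from firewall (internal side)", FW_INT, None, None, None, None, "deny"),
    Rule("all trusted traffic out", INTERNAL, None, None, None, None, "allow"),
    Rule("SMTP only to the mail gateway", None, None, SMTP_GW, SMTP, "tcp", "allow"),
    Rule("deny ICMP", None, None, None, None, "icmp", "deny"),
    Rule("deny Telnet", None, None, None, TELNET, "tcp", "deny"),
    Rule("HTTP to the Web server", None, None, WEB_SRV, HTTP, "tcp", "allow"),
    Rule("clean up", None, None, None, None, None, "deny"),
]


def move_rule(rules: List[Rule], old_pos: int, new_pos: int) -> List[Rule]:
    """Copy of rules with the rule at 1-based old_pos moved to 1-based new_pos."""
    out = list(rules)
    out.insert(new_pos - 1, out.pop(old_pos - 1))
    return out


if __name__ == "__main__":
    samples = {
        "reply to an internal browser": Packet("198.51.100.7", 80, "10.10.10.20", 51000, "tcp"),
        "external SMTP to the gateway": Packet("203.0.113.9", 40000, "10.10.10.6", 25, "tcp"),
        "external SMTP to another host": Packet("203.0.113.9", 40000, "10.10.10.7", 25, "tcp"),
        "external ping of the Web server": Packet("203.0.113.9", None, "10.10.10.4", None, "icmp"),
        "external SSH to the Web server": Packet("203.0.113.9", 40000, "10.10.10.4", 22, "tcp"),
        "firewall itself reaching out": Packet("10.10.10.1", 40000, "198.51.100.7", 80, "tcp"),
    }
    for label, pkt in samples.items():
        print(f"{label:32s} -> {evaluate(EXTERNAL_RULES, pkt)}")
    # Promoting the HTTP rule to position 2, as the text suggests for a busy Web
    # server, changes how many rules are examined but not the verdict.
    busy = move_rule(EXTERNAL_RULES, 10, 2)
    web = Packet("203.0.113.9", 40000, "10.10.10.4", 80, "tcp")
    print("HTTP, original order  ->", evaluate(EXTERNAL_RULES, web))
    print("HTTP, promoted to #2  ->", evaluate(busy, web))
```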


Understand and Important Intrusion Detection System (IDS) and Intrusion Prevention System (IPS)


Types of IDS

a. Network-based intrusion detection systems

Operate differently from host-based IDSes. The design philosophy of a network-based IDS is to scan
network packets at the router or host-level, auditing packet information, and logging any suspicious
packets into a special log file with extended information. Based on these suspicious packets, a
network-based IDS can scan its own database of known network attack signatures and assign a
severity level for each packet. If severity levels are high enough, a warning email or cellular pager is
placed to security team members so they can further investigate the nature of the anomaly.

Network-based IDSes have become popular as the Internet grows in size and traffic. IDSes that can
scan the voluminous amounts of network activity and successfully tag suspect transmissions are well-
received within the security industry. Due to the inherent insecurity of the TCP/IP protocols, it has
become imperative to develop scanners, sniffers, and other network auditing and detection tools to
prevent security breaches due to such malicious network activity as:

 IP Spoofing
 denial-of-service attacks
 arp cache poisoning
 DNS name corruption
 man-in-the-middle attacks

b. Host-based IDS

Analyzes several areas to determine misuse (malicious or abusive activity inside the network) or
intrusion (breaches from the outside). Host-based IDSes consult several types of log files (kernel,
system, server, network, firewall, and more), and compare the logs against an internal database of
common signatures for known attacks. UNIX and Linux host-based IDSes make heavy use of syslog and
its ability to separate logged events by their severity (for example, minor printer messages versus
major kernel warnings). The syslog command is available when installing the syslog package, which is
included with Red Hat Enterprise Linux. This package provides system logging and kernel message
trapping. The host-based IDS filters logs (which, in the case of some network and kernel event logs,
can be quite verbose), analyzes them, re-tags the anomalous messages with its own system of severity
rating, and collects them in its own specialized log for administrator analysis.

c. Distributed Intrusion Detection System (DIDS)

A DIDS combines distributed monitoring and data reduction (through individual host and LAN
monitors) with centralized data analysis (through the DIDS director) to monitor a heterogeneous
network of computers. This approach is unique among current IDSs.

A Distributed Intrusion Detection System (DIDS) generalizes the target environment in order to
monitor multiple hosts connected via a network as well as the network itself. The DIDS components
include the DIDS director, a single host monitor per host, and a single LAN monitor for each LAN
segment of the monitored network.


d. Network Intrusion Detection System
A network intrusion detection system (NIDS) is an independent platform that monitors network traffic
and examines hosts to identify intruders. NIDSs connect to network hubs or network taps, and are
often placed at data chokepoints — usually in a demilitarized zone (DMZ) or network border — to
capture network traffic and analyze individual packets for malicious content.

A well-placed NIDS protocol can efficiently monitor total network traffic without impacting
performance. It also does not affect network availability and throughput because it does not add to
the traffic volume.

IDS framework

The goal of the Common Intrusion Detection Framework (CIDF) Working Group is to provide mechanisms to allow
independently developed intrusion detection-related (ID) components to exchange information
about events, analyses of attacks, suggested responses, and other relevant data.
The working group aims to separate the building blocks of intrusion detection from the logic used to
manipulate them. With a uniform way of delivering and expressing information about attacks, ID
systems are able to share information and pool resources, while still making their own decisions on
how to process attacks and which components to share them with.
Furthermore, ID components have stronger security requirements for the data than do many
distributed applications. The group therefore seeks mechanisms for authentication, data integrity, and
confidentiality that are fast, lightweight, and flexible, and that are additionally independent of the
stability of outside specifications.
Finally, to facilitate the re-use of code developed for ID systems, implementers need a consistent API
to access ID components. The working group plans to develop and distribute such an API.
To carry out this goal, the working group sets itself the following tasks:

* To define a language in which statements about events, etc. may be expressed.
* To define an encapsulation that allows message senders and receivers to apply security measures as needed.
* To define an architecture whereby ID components may register their availability and mode of operation, so that other components may locate them.


IDS Signatures

Cisco IDS network-based solutions are signature-based. Basically, a signature is a rule that examines a
packet or series of packets for certain contents, such as matches on packet header or data payload
information. Signatures are the heart of the Cisco network-based IDS solution. This section focuses on
signatures and their implementation.

It is important to point out that it is not necessarily the number of signatures that makes an IDS
signature-based solution good. Instead, it is the flexibility of the signatures in detecting an attack. For
example, in one IDS solution, it might take three separate signatures to detect three separate attacks;
in a different solution, a single signature might be capable of detecting all three attacks. Flexibility in
signatures, as well as the ability to create your own signatures, should be more of a concern when
choosing a signature-based IDS solution.

Figure 2 : Example CISCO IDS Signatures

IDS Tools for Monitoring

a. Snort
b. BlackICE
c. M-ICE
d. Secure4Audit
e. EMERALD
f. NIDES
g. SecureHost


Information Flow in IDSs and IPS

a. Raw Packet Capture

IDS and IPS internal information flow starts with raw packet capture. This involves not only
capturing packets, but also passing the data to the next component of the system. Promiscuous mode
means a NIC picks up every packet at the point at which it interfaces with network media (except, of
course, in the case of wireless networks, which broadcast signals from transmitters). To be in non-
promiscuous mode means a NIC picks up only packets bound for its particular MAC address, ignoring
the others. Non-promiscuous mode is appropriate for host-based intrusion detection and prevention,
but not for network-based intrusion detection and prevention. A network-based intrusion
detection/prevention system normally has two NICs—one for raw packet capture and a second to
allow the host on which the system runs to have network connectivity for remote administration.
Most packets in today’s networks are IP packets, although AppleTalk, IPX, SNA, and other packets still
persist in some networks. The IDS or IPS must save the raw packets that are captured, so they can be
processed and analyzed at some later point. In most cases, the packets are held in memory long
enough so initial processing activities can occur and, soon afterwards, written to a file or a data
structure to make room in memory for subsequent input or discarded.

b. Filtering

No need for an IDS or IPS to capture every packet necessarily exists. Filtering out certain types of
packets could, instead, be desirable. Filtering means limiting the packets that are captured according
to a certain logic based on characteristics, such as type of packet, IP source address range, and others.
Especially in very high-speed networks, the rate of incoming packets can be overwhelming and can
necessitate limiting the types of packets captured. Alternatively, an organization might be interested
in only certain types of incoming traffic, perhaps (as often occurs) only TCP traffic because, historically,
more security attacks have been TCP-based than anything else. Filtering raw packet data can be done
in several ways. The NIC itself may be able to filter incoming packets. Although early versions of NICs
(such as the 3COM 3C501 card) did not have filtering capabilities, modern and more sophisticated
NICs do. The driver for the network card may be able to take bpf rules and apply them to the card. The
filtering rules are specified in the configuration of the driver itself. This kind of filtering is not likely to
be as sophisticated as the bpf rules themselves, however. Another method of filtering raw packet data is using packet filters to
choose and record only certain packets, depending on the way the filters are configured. libpcap, for
example, offers packet filtering via the bpf interpreter. You can configure a filter that limits the
particular types of packets that will be processed further. The bpf interpreter receives all the packets,
but it decides which of them to send on to applications. In most operating systems filtering is done in
kernel space but, in others (such as Solaris), it is done in user space (which is less efficient, because
packet data must be pushed all the way up the OSI stack to the application layer before it can be
filtered). Operating systems with the bpf interpreter in the kernel are, thus, often the best candidates
for IDS and IPS host platforms, although Solaris has an equivalent capability in the form of its streams
mechanism. Filtering rules can be inclusive or exclusive, depending on the particular filtering program
or mechanism. For example, the following tcpdump filter rule, "(port http) or (udp port 111) or (len >=
1 and len <= 512)", will result in any packets bound for an http port, or for UDP port 111 (the port used
by the portmapper in Unix and Linux systems), or that are between 1 and 512 bytes in length being
captured: an inclusive filter rule.


c. Packet Decoding

Packets are subsequently sent to a series of decoder routines that define the packet structure for the
layer two (datalink) data (Ethernet, Token Ring, or IEEE 802.11) that are collected through
promiscuous monitoring. The packets are then further decoded to determine whether the packet is
an IPv4 packet (which is the case when the first nibble in the IP header is 4), an IP header with no
options (which is the case when the first nibble in the IP header is 5), or IPv6 (where the first nibble in
the IP header will be 6), as well as the source and destination IP addresses, the TCP and UDP source
and destination ports, and so forth. It is quite important to realize just how broken a good percent of
the traffic on the Internet is. Everyone agrees on the steps for the so-called TCP three-way handshake,
but numerous instances exist where the RFCs have not done a perfect job of defining behavior for
certain protocols. Also, in many other cases, RFCs have been at least partially ignored in the
implementation of network applications that use these protocols, so some kind of “sanity check” on
these protocols is thus needed. Packet decoding accordingly examines each packet to determine
whether it is consistent with applicable RFCs. The TCP header size plus the TCP data size should, for
instance, equal the IP length. Packets that cannot be properly decoded are normally dropped because
the IDS/IPS will not be able to process them properly. Some IDSs such as Snort go even further in
packet decoding in that they allow checksum tests to determine whether the packet header contents
coincide with the checksum value in the header itself. Checksum verification can be done for one, or
any combination of, or all of the IP, TCP, UDP, and ICMP protocols. The downside of performing this
kind of verification is that today's routers frequently perform checksum tests and drop packets that
do not pass the test.
Performing yet another checksum test within an IDS or IPS takes its toll on performance and is, in all
likelihood, unnecessary. (Despite this, the number of IP fragments per day is large).
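The decoding sanity checks just described (version nibble, IHL, IP length, header checksum, and the TCP header fitting within the IP length), together with the oversized and tiny fragment conditions covered under Fragment Reassembly below, as an added example that is not part of the original module. Every packet is constructed inline by a small builder, and the sample addresses are assumed.

```python
import ipaddress
import struct


def ip_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum. Over a header whose checksum field is
    already filled in, a correct header sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(payload: bytes, proto: int = 6, src: str = "192.0.2.1",
               dst: str = "10.10.10.4", more_fragments: bool = False,
               frag_offset: int = 0, bad_checksum: bool = False) -> bytes:
    """Constructed sample packets for the decoder (no options, IHL = 5).
    frag_offset is in 8-byte units, as on the wire. Addresses are assumed."""
    total_len = 20 + len(payload)
    frag_word = (0x2000 if more_fragments else 0) | (frag_offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, frag_word,
                      64, proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    csum = ip_checksum(hdr) ^ (0x0001 if bad_checksum else 0)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload


def decode_ipv4(pkt: bytes) -> dict:
    """Decode the IP header and apply the sanity checks from the text.
    Returns the decoded fields plus 'ok' and a list of 'problems'."""
    out = {"ok": False, "problems": []}
    if len(pkt) < 20:
        out["problems"].append("truncated: fewer than 20 bytes")
        return out
    version, ihl = pkt[0] >> 4, pkt[0] & 0x0F
    out["version"] = version
    if version != 4:                         # a first nibble of 6 would be IPv6
        out["problems"].append(f"not IPv4: version nibble is {version}")
        return out
    hdr_len = ihl * 4                        # IHL 5 means a header with no options
    if ihl < 5 or hdr_len > len(pkt):
        out["problems"].append(f"bad header length (IHL {ihl})")
        return out
    total_len = struct.unpack("!H", pkt[2:4])[0]
    frag_word = struct.unpack("!H", pkt[6:8])[0]
    more_frags = bool(frag_word & 0x2000)
    frag_offset = (frag_word & 0x1FFF) * 8
    proto = pkt[9]
    out.update(ihl=ihl, total_len=total_len, proto=proto,
               src=str(ipaddress.IPv4Address(pkt[12:16])),
               dst=str(ipaddress.IPv4Address(pkt[16:20])),
               more_fragments=more_frags, frag_offset=frag_offset)
    payload_len = total_len - hdr_len
    if total_len != len(pkt) or payload_len < 0:
        out["problems"].append(f"IP length {total_len} disagrees with {len(pkt)} bytes captured")
    if ip_checksum(pkt[:hdr_len]) != 0:
        out["problems"].append("IP header checksum mismatch")
    # Fragment checks (oversized and tiny fragments, see Fragment Reassembly)
    if frag_offset + total_len > 65535:
        out["problems"].append("oversized fragment: datagram would exceed 65535 bytes")
    if more_frags and payload_len % 8 != 0:
        out["problems"].append("non-final fragment payload is not a multiple of 8 bytes")
    if proto == 6 and frag_offset == 0 and more_frags and payload_len < 20:
        out["problems"].append("tiny first fragment: TCP header split across fragments")
    # TCP header size plus data must fit within the IP length
    if (proto == 6 and frag_offset == 0 and not more_frags
            and payload_len >= 20 and len(pkt) > hdr_len + 12):
        tcp_hdr_len = (pkt[hdr_len + 12] >> 4) * 4
        if hdr_len + tcp_hdr_len > total_len:
            out["problems"].append("TCP header length exceeds IP length")
    out["ok"] = not out["problems"]
    return out


# Constructed 20-byte TCP SYN header (sport 40000 -> dport 80, data offset 5)
TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 0x50, 0x02, 65535, 0, 0)
GOOD = build_ipv4(TCP_SYN + b"GET / HTTP/1.0\r\n\r\n")
BAD_CSUM = build_ipv4(TCP_SYN, bad_checksum=True)
OVERSIZED = build_ipv4(b"A" * 1400, frag_offset=8100)   # offset 64800 + 1420 > 65535
TINY = build_ipv4(TCP_SYN[:8], more_fragments=True)     # 8-byte first fragment
BAD_TCP_LEN = build_ipv4(struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 0x80, 0x02, 65535, 0, 0))
NOT_V4 = bytes([0x60]) + bytes(39)                      # first nibble says IPv6

if __name__ == "__main__":
    for name, pkt in [("GOOD", GOOD), ("BAD_CSUM", BAD_CSUM), ("OVERSIZED", OVERSIZED),
                      ("TINY", TINY), ("BAD_TCP_LEN", BAD_TCP_LEN), ("NOT_V4", NOT_V4)]:
        d = decode_ipv4(pkt)
        print(f"{name:12s} ok={d['ok']} problems={d['problems']}")
```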

d. Storage

Once each packet is decoded, it is often stored either by saving its data to a file or by assimilating it into a
data structure while, at the same time, the data are cleared from memory. Storing data to a file (such
as a binary spool file) is rather simple and intuitive because “what you see is what you get.” New data
can simply be appended to an existing file or a new file can be opened, and then written to. But writing
intrusion detection data to a file also has some significant disadvantages. For one thing, it is
cumbersome to sort through the great amount of data within one or more file(s) that are likely to be
accumulated to find particular strings of interest or perform data correlation. Additionally, the amount
of data that are likely to be written to a hard drive or other storage device presents a disk space
management challenge. An alternative is to set up data structures, one for each protocol analyzed,
and overlay these structures on the packet data by creating and linking pointers to them. Taking this
latter approach is initially more complicated, but it makes accessing and analyzing the data much
easier. Still another alternative is to write to a hash table to condense the amount of data substantially.
You could, for example, take a source IP address, determine to how many different ports that address
has connected, and any other information that might be relevant to detecting attacks, and then hash
the data. The hash data can serve as a shorthand for events that detection routines can later access
and process.


e. Fragment Reassembly

Decoding "makes sense" out of packets, but this, in and of itself, does not solve all the problems that
need to be solved for an IDS/IPS to process the packets properly. Packet fragmentation poses yet
another problem for IDSs and IPSs. A reasonable percentage of network traffic consists of packet
fragments with which firewalls, routers, switches, and IDSs/IPSs must deal. Hostile fragmentation,
packet fragmentation used to attack other systems or to evade detection mechanisms, can take
several forms:

• One packet fragment can overlap another in a manner that the fragments will be reassembled so
subsequent fragments overwrite parts of the first one instead of being reassembled in their "natural"
sequential order. Overlapping fragments are often indications of attempted denial-of-service (DoS)
attacks or IDS/IPS or firewall evasion attempts (if none of these know how to deal with packets of this
nature, they would be unable to process them further).

• Packets may be improperly sized. In one variation of this condition, the fragments are excessively
large (greater than 65,535 bytes) and, thus, likely to trigger abnormal conditions, such as excessive
CPU consumption in the hosts that receive them. Excessively large packets thus usually represent
attempts to produce DoS. An example is the "ping of death" attack in which many oversized packets
are sent to victim hosts, causing them to crash. Or, the packet fragments could be excessively short,
such as less than 64 bytes. Often called a tiny fragment attack, the attacker fabricates, and then sends,
packets broken into tiny pieces. If the fragment is sufficiently small, part of the header information
gets displaced into multiple fragments, leaving incomplete headers. Network devices and IDSs/IPSs
may not be able to process these headers. In the case of firewalls and screening routers, the fragments
could be passed through and on to their destination although, if they were not fragmented, the packet
might not have been allowed through. Or, having to reassemble so many small packets could
necessitate a huge amount of memory, causing DoS.

• Still another way of fragmenting packets is to break them up, so a second fragment is contained
completely within the first fragment. The resulting offsets create a huge problem for the
fragment-reassembly process, causing the host that received these fragments to crash. This kind of
attack is known as a teardrop attack.

A critical consideration in dealing with fragmented packets is whether only the first fragment will be
retained or whether the first fragment, plus the subsequent fragments, will be retained. Retaining only
the first fragment is more efficient. The first fragment contains the information in the packet header
that identifies the type of packet, the source and destination IP addresses, and so on, information that
detection routines can process later. Having to associate subsequent fragments with the initial
fragment requires additional resources. At the same time, however, although some of the subsequent
fragments are unlikely to contain information of much value to an IDS or IPS, this is not true for many
types of attacks, such as those in which many HTTP GET command options are entered, and then the
packets are broken into multiple fragments. Combining fragments is necessary if you want a more
thorough analysis of intrusion detection data. Fragment reassembly can be performed in a number of ways:

• The OS itself can reassemble the fragments.

• A utility can perform this function.

• The previously discussed filtering capability can reassemble fragments.

The main advantage of this approach is that reassembly can be selective. UDP packets, especially those
used in Network File System (NFS) mount access, tend to fragment more than do other packets, for
example. Packet reassembly requires a good amount of system resources, so selecting only certain
kinds of packets (such as TCP packets) to be reassembled is often best.

38
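The hostile-fragmentation patterns described above (overlap, a fragment contained within another, tiny fragments, oversized datagrams) can be checked before any reassembly is attempted. The following is an added example, not code from the module; the `Fragment` type, the thresholds and the sample fragment sets are constructed for illustration.

```python
from dataclasses import dataclass

# Added example, not from the module: fragment-anomaly checks an IDS/IPS can
# apply before reassembling a datagram. Thresholds follow the text above.
IP_MAX_PAYLOAD = 65535 - 20   # largest IPv4 datagram minus a minimal IP header
TINY_FRAG_BYTES = 64          # the text's "less than 64 bytes" tiny-fragment size
MIN_TCP_HEADER = 20           # a shorter first fragment cannot hold a full TCP header

@dataclass(frozen=True)
class Fragment:
    offset: int    # byte offset of this fragment's data within the datagram
    length: int    # number of data bytes carried
    more: bool     # IP "more fragments" flag (False only on the last piece)

def check_fragments(frags):
    """Return anomaly labels for one datagram's fragments ([] means it looks normal)."""
    if not frags:
        return ["no-fragments"]
    findings = []
    ordered = sorted(frags, key=lambda f: (f.offset, -f.length))
    reach = 0   # highest byte offset covered so far
    for f in ordered:
        end = f.offset + f.length
        if f.more and f.length < TINY_FRAG_BYTES:
            findings.append(f"tiny-fragment@{f.offset}")
        if f.offset < reach:   # data already covered by an earlier fragment
            kind = "contained-fragment" if end <= reach else "overlap"
            findings.append(f"{kind}@{f.offset}")   # teardrop-style vs. plain overlap
        elif f.offset > reach:
            findings.append(f"gap@{reach}")          # a piece never arrived
        reach = max(reach, end)
    first, last = ordered[0], ordered[-1]
    if first.offset == 0 and first.more and first.length < MIN_TCP_HEADER:
        findings.append("incomplete-transport-header")
    if last.more:
        findings.append("missing-final-fragment")
    if reach > IP_MAX_PAYLOAD:
        findings.append(f"oversized-datagram:{reach}")   # ping-of-death pattern
    return findings

# Constructed fragment sets illustrating each pattern described in the text.
SAMPLES = {
    "normal": [Fragment(0, 1480, True), Fragment(1480, 1480, True), Fragment(2960, 500, False)],
    "overlap": [Fragment(0, 1480, True), Fragment(1400, 1480, False)],
    "teardrop": [Fragment(0, 1480, True), Fragment(24, 200, False)],
    "tiny": [Fragment(0, 8, True), Fragment(8, 1000, False)],
    "ping_of_death": [Fragment(i * 1480, 1480, True) for i in range(44)]
                     + [Fragment(44 * 1480, 1000, False)],
}
```

Running `check_fragments` over each entry of `SAMPLES` yields an empty list for the normal datagram and one label per hostile pattern, which is the flag the text says is usually sufficient for intrusion-detection purposes.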

f. Stream Reassembly

Stream reassembly means taking the data from each TCP stream and, if necessary, reordering it
(primarily on the basis of packet sequence numbers), so it is the same as when it was sent by the host
that transmitted it and as it was received by the host at the other end. This requires determining when
each stream starts and stops, something that is not difficult given that TCP communications between
any two hosts begin with a SYN packet and end with either a RST (reset) or FIN/ACK packet. Stream
reassembly is especially important when data arrive at the IDS or IPS in a different order from their
original one. This is a critical step in getting data ready to be analyzed because IDS recognition
mechanisms cannot work properly if the data taken in by the IDS or IPS are scrambled.

Stream reassembly also facilitates detection of out-of-sequence scanning methods. According to RFC
793, FIN packets should be sent only while a TCP connection is being closed. If a FIN packet is sent to
a closed TCP port, the server should respond with an RST packet. So, stream reassembly is critical in
recognizing situations such as these (for example, when an ACK packet is sent for a session that has
not been started). Additionally, determining which of two hosts has sent traffic to the other is a critical
piece of information needed by analyzers. Stream reassembly results in knowing the directionality of
data exchanges between hosts, as well as when packets are missing (in which case a good IDS/IPS will
report this as an anomaly). The data from the reassembled stream are written to a file or data
structure, again, either as packet contents or byte streams, or are discarded.

Stream reassembly may sound simple but, in reality, it is rather complicated because many special
conditions must be handled. Policies based on system architecture usually dictate how stream
reassembly occurs under these conditions. From an IDS/IPS point of view, it is critical to know what the
policy for overlapping fragments is on each target host (whether only the first fragment or all
fragments are retained, for example). One host's TCP implementation may drop overlapping
fragments, whereas another may attempt to process them. Retransmissions in TCP connections pose
yet another problem: should the data from the original transmission or from the subsequent
retransmission be retained? The issue of whether the target host handles data in a SYN packet properly
is yet another complication in stream reassembly. According to RFC 793, data can be inserted into a
SYN packet, although this is not usually done. The same applies to FIN and RST packets. Should these
data be included in the reassembled stream? Failure to include them could mean the detection
routines to which the stream will be sent miss certain attacks. The packet timeout is another issue.
What if a packet from a stream arrives after the timeout? How does the reassembly program handle
this? Once again, the program doing the session reconstruction needs to know the characteristics of
the target host to understand what this host saw. You might think the session has been properly
reassembled when, in fact, it has not. The saving grace is that you can assume something is wrong
whenever you see overlapping fragments. Reacting to overlapping fragments is usually unnecessary;
simply flagging the fact that they have been sent is sufficient, at least for intrusion-detection purposes.

A type of stream reassembly with UDP and ICMP traffic can also be done but, remember, both these
protocols are connectionless and sessionless and, thus, do not have the characteristics TCP stream
reassembly routines use. Some IDSs/IPSs make UDP and ICMP traffic into “pseudosessions” by
assuming that whenever two hosts are exchanging UDP or ICMP packets with no pause in transmission
greater than 30 seconds, something that resembles the characteristics of a TCP session (at least to
some degree) is occurring. The order of the packets can then be reconstructed. This approach to
dealing with UDP and ICMP traffic is based on some pretty shaky assumptions but, nevertheless, useful
analyses can subsequently be performed on the basis of data gleaned from these reassembled
pseudosessions.

39

Note: In general, the current generation of IDSs and IPSs actively reassemble IP fragments and TCP
streams. Accordingly, certain types of fragmentation attacks against these systems that used to be
able to evade these systems’ recognition capabilities no longer work. Other attacks are based on how
differing operating systems put fragments back together but, even these types of attack are being
thwarted by IDSs and IPSs that are aware of the flavour of the OS at the destination and that
reassemble the stream appropriately for each particular OS.
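As an added example (not the module's own code), the following reassembles one direction of a TCP stream: it reorders segments by sequence number, reports a missing segment as a gap, includes any data carried in the SYN as RFC 793 permits, and applies an explicit policy for overlapping retransmissions, the choice the text says must match the target host. The `Segment` type, the flag notation and the sample capture are constructed for illustration.

```python
from dataclasses import dataclass

# Added example, not from the module: reassembles one direction of a TCP stream,
# reordering by sequence number, reporting holes, and applying an explicit
# overlap policy that the text says must mirror the target host's behaviour.
@dataclass(frozen=True)
class Segment:
    seq: int           # sequence number of the segment
    payload: bytes
    flags: str = ""    # constructed notation: any of "S", "A", "F", "R"

def reassemble(segments, policy="first"):
    """Return (data, findings); policy 'first' keeps bytes seen first, 'last' lets retransmissions win."""
    if not segments:
        return b"", ["no-segments"]
    findings = []
    syn = next((s for s in segments if "S" in s.flags), None)
    if syn is None:
        findings.append("no-syn-seen")      # mid-stream capture, or forged ACKs
    base = syn.seq + 1 if syn else min(s.seq for s in segments)   # the SYN uses one number
    stream = {}                             # relative offset -> byte value
    for s in sorted(segments, key=lambda s: s.seq):   # undo out-of-order arrival
        rel = s.seq - base + (1 if "S" in s.flags else 0)   # RFC 793: SYN data follows the SYN
        conflict = False
        for i, b in enumerate(s.payload):
            pos = rel + i
            if pos in stream:
                conflict = conflict or stream[pos] != b
                if policy == "last":
                    stream[pos] = b
            else:
                stream[pos] = b
        if conflict:
            findings.append(f"conflicting-retransmission@{rel}")
    data = bytearray()
    while len(data) in stream:              # deliver only the contiguous prefix
        data.append(stream[len(data)])
    if stream and len(data) <= max(stream):
        findings.append(f"gap@{len(data)}")  # a missing packet: report it as an anomaly
    return bytes(data), findings

# Constructed one-direction capture: out-of-order arrival plus a retransmission
# whose content differs from the copy seen first.
SAMPLE = [
    Segment(1000, b"", "S"),
    Segment(1001, b"GET /", "A"),
    Segment(1011, b" HTTP/1.0\r\n", "A"),
    Segment(1006, b"index", "A"),        # arrived late
    Segment(1006, b"INDEX", "A"),        # retransmission with altered bytes
    Segment(1022, b"", "FA"),
]
```

With the default policy `reassemble(SAMPLE)` returns the request as first seen and flags the conflicting retransmission; with `policy="last"` the retransmitted bytes replace it, which is why the analyzer must know which behaviour the destination host has.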

g. Stateful Inspection of TCP Sessions

Stateful inspection of network traffic is a virtual necessity whenever the need to analyze the legitimacy
of packets that traverse networks presents itself. As mentioned previously, attackers often try to slip
packets they create through firewalls, screening routers, IDSs, and IPSs by making the fabricated
packets (such as SYN/ACK or ACK packets) look like part of an ongoing session or like one being
negotiated via the three-way TCP handshake sequence, even though such a session was never
established. IDSs and IPSs also have a special problem in that if they were to analyze every packet that
appeared to be part of a session, an attacker could flood the network with such packets, causing the
IDSs and IPSs to become overwhelmed. An IDS evasion tool called stick does exactly this. Current IDSs
and IPSs generally perform stateful inspection of TCP traffic. These systems generally use tables in
which they enter data concerning established sessions, and then compare packets that appear to be
part of a session to the entries in the tables. If no table entry for a given packet can be found, the
packet is dropped. Stateful inspection also helps IDSs and IPSs that perform signature matching by
ensuring this matching is performed only on content from actual sessions. Finally, stateful analysis can
enable an IDS or IPS to identify scans in which OS fingerprinting is being attempted. Because these
scans result in a variety of packets being sent that do not conform to RFC 793 conventions, these
scans “stand out” in comparison to established sessions.
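The session table described above, as an added example that is not the module's own code: a packet that claims to belong to a session with no table entry (a forged ACK or SYN/ACK of the kind the text mentions) is dropped and the reason recorded. The `Packet` type, the state names and the transition table are assumptions made for illustration, and only the TCP flags the text discusses are tracked.

```python
from collections import namedtuple

# Added example, not from the module: the session table the text describes.
# A packet claiming membership of a session with no entry (a forged ACK or
# SYN/ACK, say) is dropped and recorded with the reason.
Packet = namedtuple("Packet", "src sport dst dport flags")   # flags: subset of "SAFR"

# (current state, packet kind) -> next state; "CLOSED" removes the entry and
# anything not listed is dropped. Direction is not tracked, a simplification.
TRANSITIONS = {
    (None, "SYN"): "SYN_SENT",
    ("SYN_SENT", "SYN/ACK"): "SYN_RECEIVED",
    ("SYN_RECEIVED", "ACK"): "ESTABLISHED",
    ("ESTABLISHED", "ACK"): "ESTABLISHED",
    ("ESTABLISHED", "FIN"): "CLOSING",
    ("CLOSING", "ACK"): "CLOSING",
    ("CLOSING", "FIN"): "CLOSED",
}

def classify(flags):
    if "R" in flags:
        return "RST"
    if "S" in flags:
        return "SYN/ACK" if "A" in flags else "SYN"
    if "F" in flags:
        return "FIN"
    return "ACK" if "A" in flags else "OTHER"

class StatefulInspector:
    def __init__(self):
        self.sessions = {}   # frozenset of both endpoints -> state
        self.dropped = []    # (packet, reason) pairs, for the analyst's log

    def inspect(self, p):
        """Return 'accept' or 'drop' and update the session table."""
        key = frozenset({(p.src, p.sport), (p.dst, p.dport)})
        state = self.sessions.get(key)
        kind = classify(p.flags)
        # RST tears down a known session; for an unknown one it is dropped below.
        nxt = "CLOSED" if kind == "RST" and state else TRANSITIONS.get((state, kind))
        if nxt is None:
            return self._drop(p, f"{kind}-in-state-{state}")   # e.g. ACK-in-state-None
        if nxt == "CLOSED":
            del self.sessions[key]
        else:
            self.sessions[key] = nxt
        return "accept"

    def _drop(self, p, reason):
        self.dropped.append((p, reason))
        return "drop"
```

Feeding a legitimate three-way handshake through `inspect` creates an ESTABLISHED entry, while a lone ACK or SYN/ACK from an address that never sent a SYN is dropped with a reason such as `ACK-in-state-None`, which is the signal the text says makes such packets stand out.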

h. Firewalling

Part of the internal information flow within an IDS and IPS includes filtering packet data according to
a set of rules. Filtering is essentially a type of firewalling, even though it is relatively rudimentary. But,
after stateful inspections of traffic are performed, more sophisticated firewalling based on the results
of the inspections can be performed. While the primary purpose of filtering is to drop packet data that
are not of interest, the primary purpose of firewalling after stateful inspection is to protect the IDS or
IPS itself. Attackers can launch attacks that impair or completely disable the capability of the IDS or
the IPS to detect and protect. The job of the firewall is to weed out these attacks, so attacks against
the IDS or IPS do not succeed. Amazingly, a number of today’s IDSs and IPSs do not have a built-in
firewall that performs this function.

IPS tools

a. Sentivist
b. Stonegate IPS
c. McAfee

40


Proxy Server

Figure 3 : Proxy Servers diagram
A proxy server acts as a gateway between you and the internet. It’s an intermediary server separating
end users from the websites they browse. Proxy servers provide varying levels of functionality,
security, and privacy depending on your use case, needs, or company policy.
If you’re using a proxy server, internet traffic flows through the proxy server on its way to the address
you requested. The response then comes back through that same proxy server (there are exceptions to
this rule), and the proxy server forwards the data received from the website to you.
Modern proxy servers do much more than forwarding web requests, all in the name of data security
and network performance. Proxy servers act as a firewall and web filter, provide shared network
connections, and cache data to speed up common requests. A good proxy server keeps users and the
internal network protected from the bad stuff that lives out in the wild internet. Lastly, proxy servers
can provide a high level of privacy.

How Does a Proxy Server Operate?
Every computer on the internet needs to have a unique Internet Protocol (IP) Address. Think of this IP
address as your computer’s street address. Just as the post office knows to deliver your mail to your
street address, the internet knows how to send the correct data to the correct computer by the IP
address.

41

A proxy server is basically a computer on the internet with its own IP address that your computer
knows. When you send a web request, your request goes to the proxy server first. The proxy server
then makes your web request on your behalf, collects the response from the web server, and forwards
you the web page data so you can see the page in your browser.

When the proxy server forwards your web requests, it can make changes to the data you send and
still get you the information that you expect to see. A proxy server can change your IP address, so the
web server doesn’t know exactly where you are in the world. It can encrypt your data, so your data is
unreadable in transit. And lastly, a proxy server can block access to certain web pages, based on IP
address.

Types of Proxy Servers

Not all proxy servers work the same way. It’s important to understand exactly what functionality
you’re getting from the proxy server, and ensure that the proxy server meets your use case.

Transparent Proxy

• A transparent proxy tells websites that it is a proxy server and it will still pass along your IP
address, identifying you to the web server. Businesses, public libraries, and schools often use
transparent proxies for content filtering: they’re easy to set up both client and server side.

Anonymous Proxy

• An anonymous proxy will identify itself as a proxy, but it won’t pass your IP address to the
website – this helps prevent identity theft and keep your browsing habits private. They can
also prevent a website from serving you targeted marketing content based on your location.
For example, if CNN.com knows you live in Raleigh, NC, they will show you news stories they
feel are relevant to Raleigh, NC. Browsing anonymously will prevent a website from using
some ad targeting techniques, but is not a 100% guarantee.

Distorting proxy

• A distorting proxy server passes along a false IP address for you while identifying itself as a
proxy. This serves similar purposes as the anonymous proxy, but by passing a false IP address,
you can appear to be from a different location to get around content restrictions.

High Anonymity proxy

• High Anonymity proxy servers periodically change the IP address they present to the web
server, making it very difficult to keep track of which traffic belongs to whom. High anonymity
proxies, like the TOR Network, are the most private and secure way to browse the internet.

Proxy servers are a hot item in the news these days with the controversies around Net
Neutrality and censorship. By removing net neutrality protections in the United States, Internet
Service Providers (ISPs) are now able to control your bandwidth and internet traffic. ISPs can potentially
tell you what sites you can and cannot see. While there’s a great amount of uncertainty around what
is going to happen with Net Neutrality, it’s possible that proxy servers will provide some ability to work
around an ISP’s restrictions.

42
