Published by ajsharizan, 2021-10-13 00:27:51

Fundamental of Computer Network Security

This guide enables students to identify security approaches for designing a defensive strategy in a computer network environment. The overall focus is on policy-driven security processes, with emphasis on hands-on skills in securing the perimeter, securing connectivity, identifying services, and intrusion detection.

Varonis analyzes data from proxy servers to protect you from data breaches and cyber attacks. Adding proxy data gives more context for analyzing user behavior trends for abnormalities, and you can get an alert on suspicious activity with actionable intelligence to investigate and deal with the incident.

For example, a user accessing GDPR-regulated data might not be significant on its own. But if they access that data and then try to upload it to an external website, it could be an exfiltration attempt and a potential data breach. Without the context provided by file system monitoring, proxy monitoring, and Varonis threat models, you would see these events in a vacuum and might not realize you need to act to prevent a breach.
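As an added illustration of the correlation the paragraph describes (this is not Varonis code; the log lines are constructed and the field names are assumptions), the following Python pairs a read of GDPR-labelled data with a large outbound upload by the same user inside a time window. Either event alone stays quiet; the sequence raises an alert.

```python
from datetime import datetime, timedelta

# Constructed sample lines (not Varonis output); the field names are assumptions.
FILE_EVENTS = [
    "2021-10-13T09:01:10 user=alice action=read path=/finance/gdpr/customers.xlsx label=GDPR",
    "2021-10-13T09:02:05 user=bob action=read path=/eng/readme.txt label=PUBLIC",
    "2021-10-13T09:30:00 user=carol action=read path=/hr/gdpr/payroll.csv label=GDPR",
]
PROXY_EVENTS = [
    "2021-10-13T09:03:40 user=alice method=POST host=files.example.net bytes_out=2400000",
    "2021-10-13T09:05:00 user=bob method=GET host=news.example.org bytes_out=512",
    "2021-10-13T11:30:00 user=carol method=POST host=paste.example.net bytes_out=1500000",
]

def parse(line):
    """'<iso timestamp> key=value ...' -> dict, with the timestamp as a datetime under 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def find_exfil_candidates(file_lines, proxy_lines, window=timedelta(minutes=30), min_bytes=1_000_000):
    """Alert when a user reads GDPR-labelled data and then POSTs a large body to an
    external host within `window`. The file read and the upload come from different
    log sources; only their combination is suspicious."""
    reads = [r for r in map(parse, file_lines) if r["label"] == "GDPR"]
    uploads = [p for p in map(parse, proxy_lines)
               if p["method"] == "POST" and int(p["bytes_out"]) >= min_bytes]
    alerts = []
    for r in reads:
        for u in uploads:
            gap = u["ts"] - r["ts"]
            if u["user"] == r["user"] and timedelta(0) <= gap <= window:
                alerts.append({"user": r["user"], "path": r["path"], "host": u["host"],
                               "seconds_after_read": int(gap.total_seconds())})
    return alerts

if __name__ == "__main__":
    for alert in find_exfil_candidates(FILE_EVENTS, PROXY_EVENTS):
        print(alert)
```

With the constructed data, alice's read followed by a 2.4 MB POST 150 seconds later is flagged; carol's upload happens two hours after her read, so it falls outside the default window, and bob never touched labelled data. The window and byte threshold are the tuning knobs a real threat model would expose.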

Authentication proxy and firewall in a proxy server

The firewall authentication proxy feature allows network administrators to implement security policies on a per-user basis through personalized ACLs. Without the authentication proxy, user identity and any authorized access were tied to a user's IP address, so a single security policy had to be applied to an entire user group or subnet. With the authentication proxy, users are identified and authorized on the basis of their own per-user policy, and access privileges can be customized to their individual access profiles. Users log in to the network or access the Internet via HTTP.

Unlike firewall features that operate transparently to the user, the authentication proxy requires some user interaction on the client host. When a user's web browser initiates an HTTP session through a firewall configured for the authentication proxy, the process is triggered. The proxy first checks whether the user has already been authenticated; if so, the connection is completed without further intervention. If no valid authentication entry exists, the proxy responds with a page that prompts the user for a user name and password.

The user must authenticate by supplying a valid user name and password combination recognized by the configured authentication server. If the attempt fails, the authentication proxy displays the message Authentication Failed! and prompts the user to retry. After five failed attempts, the user must wait two minutes and then initiate another HTTP session to trigger the authentication proxy again.
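The following Python is an added model of the flow just described; it is not Cisco code. It keeps an authentication cache keyed by client address, prompts when no entry exists, locks the client out for two minutes after five failures, and looks up the ACL by the authenticated user name rather than by subnet. The credential table and ACL contents are assumptions standing in for the AAA server.

```python
import time

MAX_FAILURES = 5          # attempts before the proxy stops prompting
LOCKOUT_SECONDS = 120     # the two-minute wait described above

class AuthProxy:
    """Model of the firewall authentication proxy: decisions are made per user, not per subnet."""

    def __init__(self, credentials, acls, clock=time.time, cache_ttl=3600):
        self.credentials = credentials    # username -> password; stands in for the AAA server (assumption)
        self.acls = acls                  # username -> set of permitted destinations (assumption)
        self.clock = clock
        self.cache_ttl = cache_ttl
        self.auth_cache = {}              # client_ip -> (username, expiry timestamp)
        self.failures = {}                # client_ip -> (failed attempts, locked-until timestamp)

    def _cached_user(self, client_ip):
        """Return the authenticated user for this address, dropping expired entries."""
        entry = self.auth_cache.get(client_ip)
        if entry and entry[1] > self.clock():
            return entry[0]
        self.auth_cache.pop(client_ip, None)
        return None

    def http_request(self, client_ip, username=None, password=None):
        """One HTTP session through the firewall. Returns (verdict, user) where the
        verdict is PASS, PROMPT, FAILED or LOCKED."""
        user = self._cached_user(client_ip)
        if user:
            return "PASS", user                   # valid entry exists: no further intervention
        count, locked_until = self.failures.get(client_ip, (0, 0.0))
        if self.clock() < locked_until:
            return "LOCKED", None                  # must wait, then start a new HTTP session
        if username is None:
            return "PROMPT", None                  # no valid entry: show the login page
        if self.credentials.get(username) == password:
            self.auth_cache[client_ip] = (username, self.clock() + self.cache_ttl)
            self.failures.pop(client_ip, None)
            return "PASS", username
        count += 1
        if count >= MAX_FAILURES:
            self.failures[client_ip] = (0, self.clock() + LOCKOUT_SECONDS)
            return "LOCKED", None
        self.failures[client_ip] = (count, 0.0)
        return "FAILED", None                      # "Authentication Failed!" and prompt again

    def permit(self, client_ip, destination):
        """Per-user ACL: the policy follows the authenticated user, not the address or subnet."""
        user = self._cached_user(client_ip)
        return user is not None and destination in self.acls.get(user, set())
```

The cache expiry is the detail to watch in a real deployment: an entry bound to an address outlives the user on shared or DHCP-churned networks, which is why the timeout should be short and why the proxy must be combined with the normal per-address firewall rules.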

Proxy Server vs. Packet Filtering

Packet Filtering :

A packet-filtering firewall is a software program (or device) that prevents unauthorized access to or from a private network. Every packet entering or leaving the network passes through the firewall, which compares the packet's header fields (source and destination IP address, protocol, source and destination port, TCP flags) against its access control list and then forwards or drops it. All traffic must pass through the firewall, and only authorized traffic is allowed through. It is a system located between two networks that enforces an access control policy between them. It works at the network and transport layers of the OSI model; it inspects headers only, does not encrypt data, and cannot see or judge the application payload.

Proxy Server :

A proxy server is a server that acts as a gateway or intermediary between a device and the rest of the Internet. The proxy accepts a client's connection request, opens its own connection to the destination on the client's behalf, and returns the data to the client. Because the destination only ever sees the proxy's address, the client's actual IP address is not revealed. Since the proxy terminates the connection and speaks the application protocol, it can also apply policy to content (URLs, file types, commands) that a packet filter cannot see.


Understand Bastion Host and Honeypots


Types of Bastion Host

Non-routing Dual-homed Hosts
A non-routing dual-homed host has multiple network connections, but doesn't pass traffic between
them. Such a host might be a firewall all by itself, or might be part of a more complex firewall. For the
most part, non-routing dual-homed hosts are configured like other bastion hosts, but need extra
precautions, discussed below, to make certain they truly are non-routing. If a non-routing dual-homed
host is your entire firewall, you need to be particularly paranoid in its configuration and follow the
normal bastion host instructions with extreme care.
Victim Machines
You may want to run services that are difficult to provide safely with either proxying or packet filtering,
or services that are so new that you don't know what their security implications are. For that purpose,
a victim machine (or sacrificial goat) may be useful. This is a machine that has nothing on it you care
about, and that has no access to machines that an intruder could make use of. It provides only the
absolute minimum necessary to use it for the services you need it for. If possible, it provides only one
unsafe or untested service, to avoid unexpected interactions.
Victim machines are configured much as normal bastion hosts are, except that they almost always
have to allow users to log in. The users will almost always want you to have more services and
programs than you would configure on a normal bastion host; resist the pressure as much as possible.
You do not want users to be comfortable on a victim host: they will come to rely on it, and it will no
longer work as designed. The key factor for a victim machine is that it is disposable, and if it is
compromised, nobody cares. Fight tooth and nail to preserve this.
Internal Bastion Hosts
In most configurations, the main bastion host has special interactions with certain internal hosts. For
example, it may be passing electronic mail to an internal mail server, coordinating with an internal
name server, or passing Usenet news to an internal news server. These machines are effectively
secondary bastion hosts, and they should be configured and protected more like the bastion host than
like normal internal hosts. You may need to leave more services enabled on them, but you should go
through the same configuration process.


Honey Pots

Figure 4 : Honeypots Locations
One honeypot definition comes from the world of espionage, where Mata Hari-style spies who use a
romantic relationship as a way to steal secrets are described as setting a ‘honey trap’ or ‘honeypot’.
Often, an enemy spy is compromised by a honey trap and then forced to hand over everything he/she
knows.
In computer security terms, a cyber-honeypot works in a similar way, baiting a trap for hackers. It's a
sacrificial computer system that’s intended to attract cyberattacks, like a decoy. It mimics a target for
hackers, and uses their intrusion attempts to gain information about cybercriminals and the way they
are operating or to distract them from other targets.

What are the levels of interaction in honeypots?

Honeypots can be categorized according to their aims, such as prevention, detection and, of course, response. They can also be categorized according to their level of interaction with real systems. This level of interaction determines how intensively an attacker can interact with the honeypot and, through it, with the organization's network. With a high level of interaction the attacker can interact with a real system in a critical manner; with a low level of interaction the attacker never interacts with a real system in a critical manner. If far more data needs to be collected, a high level of interaction is recommended. On the other hand, this comes with risks that make high-interaction honeypots genuinely dangerous parts of the network, a property that has to be contained by isolating and closely monitoring them. In general there are three categories of interaction level: low interaction, medium interaction, and high interaction.
The most common classification is based on the level of interaction the honeypot offers the malicious user. The more interactive the environment presented, the closer the honeypot comes to the actual targets of an attack, which translates into potentially more accurate information. The downside is that the more realistic honeypots present greater challenges to configure and set up.


Figure 5: Honeypots Diagram

An organization should decide which level of interaction best fits its purposes and goals for the honeypots configured inside its network. The three levels are described in the following three points, with advice on when each level is useful and when it should be avoided.

1. Low level of interaction honeypots:

Low-interaction honeypots emulate only a limited set of services (for example, a listening port that returns a service banner and canned responses) and contain no real operating system for the attacker to reach. The attacker can interact only with the emulation, so the risk to the network is small, but the information gathered is limited to connection attempts and the first commands sent. An example is Honeyd, which is discussed in a separate article titled "low level of interaction honeypots."

2. Medium level of interaction honeypots:

This is a more advanced type of honeypot from which more information can be obtained. These honeypots still do not contain an operating system that could simply be exploited, but because they emulate more of each service's behaviour there is a bigger chance that an attack gets further into the emulated system: many more emulated "security holes" are offered through which an attacker appears to get in, so more information about more complex attacks can be collected. Honeypots in use nowadays that exemplify the medium level of interaction include mwcollect, honeytrap, and Nepenthes; some of these are covered, with practical implementation, in another article.

To summarize, medium interaction honeypots present a collection of software emulations convincing enough that an attacker believes he has reached an actual system when in fact he has only accessed a honeypot; the host operating system remains shielded. Building such a collection of emulations is not a simple task, because the responses of the emulated software must be almost identical to those of the real programs, while never introducing a real security issue into the honeypot host, which would be a genuine danger. Finally, the possibility of the honeypot host itself being compromised is higher here than with low interaction, because the vulnerable points offered to the attacker are considerable, and a flaw in the emulation layer itself can be exploited to reach the real system.


Figure 6: Honeypot example location

3. High level of interaction honeypots:

This type of honeypot is considered the most advanced. High-interaction honeypots contain a real operating system, which means that an attacker can do practically anything on the honeypot system; in return, the organization can gather far more data about the attack's type, source, and nature.

This type of honeypot places no restrictions on the tasks and actions the attacker can perform, and this is where the real danger of using such honeypots inside an organization comes from. They are also very time-consuming to configure and implement, and much harder to maintain over a long period. The most common name in this category is Honeywall, the Honeynet Project's gateway for high-interaction honeynets; it is an important component and is shown in practice in another article.

As just mentioned, in this type of honeypot actual instances of programs are used, not emulations of them. An administrator should choose this type if he needs to grant an attacker root access to a machine and analyze how the attacker then reacts and what actions he attempts. The risk of implementing this type of honeypot is high; it is the riskiest type of honeypot, yet it gives an administrator the greatest potential for collecting data about both the attack and the attacker. Supervision of such honeypots is a must, because a compromised high-interaction honeypot can become a zombie or a jumping-off point for further attacks on systems inside the network, so its outbound traffic must be strictly controlled.
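As an added example tying the three levels above to code, here is a minimal low-interaction honeypot in Python; it is not taken from any of the tools named above. It presents a banner, records whatever the attacker sends as a log entry, replies with canned responses and hangs up; no real service exists behind it, which is exactly the trade-off described for low interaction: little risk, and only the attacker's first moves captured. The banners and sample input are constructed.

```python
import socket
import threading
from datetime import datetime, timezone

# Constructed banners: the service names are a lure, nothing real listens behind them.
BANNERS = {
    21: b"220 ftp.example.net FTP server ready\r\n",
    22: b"SSH-2.0-OpenSSH_7.4\r\n",
}

def handle_client(data, peer, service_port):
    """Decide the canned reply and build the log record for one attacker message.
    Whatever the attacker sends is stored as data and never interpreted by a real service."""
    record = {
        "time": datetime.now(timezone.utc).isoformat(),
        "peer": "%s:%d" % peer,
        "service": service_port,
        "input": data.decode("utf-8", "replace").strip()[:200],
    }
    if service_port == 21 and data.upper().startswith(b"USER "):
        reply = b"331 Password required\r\n"      # keep the attacker talking: the username is logged
    elif service_port == 21 and data.upper().startswith(b"PASS "):
        reply = b"530 Login incorrect\r\n"        # always refuse: there is no account to log in to
    else:
        reply = b""                               # anything else: emulate nothing further
    return reply, record

class LowInteractionHoneypot:
    """Listens on one port, sends the banner, logs one message and closes the connection."""
    def __init__(self, service_port, bind=("127.0.0.1", 0)):
        self.service_port = service_port
        self.log = []
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(bind)
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]   # ephemeral port for the demo; 21/22 in deployment
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            conn, peer = self.sock.accept()
            with conn:
                conn.settimeout(2)
                conn.sendall(BANNERS[self.service_port])
                try:
                    data = conn.recv(1024)
                except socket.timeout:
                    data = b""
                reply, record = handle_client(data, peer, self.service_port)
                self.log.append(record)
                if reply:
                    conn.sendall(reply)

def probe(port, payload):
    """Act as the attacker: connect, read the banner, send one line, read the reply."""
    with socket.create_connection(("127.0.0.1", port), timeout=2) as s:
        banner = s.recv(1024)
        s.sendall(payload)
        try:
            reply = s.recv(1024)
        except socket.timeout:
            reply = b""
    return banner, reply

if __name__ == "__main__":
    hp = LowInteractionHoneypot(21)
    print(probe(hp.port, b"USER root\r\n"))
    print(hp.log)
```

Everything an attacker can reach is `handle_client`, which only copies bytes into a dictionary; that is what keeps the interaction "low". A medium-interaction honeypot would extend the `if` chain to a convincing emulation of the whole protocol, and a high-interaction one would replace it with a real, instrumented service.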


Virtual Private Network (VPN) Fundamentals


Types of Virtual Private Network (VPN) and its Protocols

Virtual Private Networks (VPNs) are basically of 2 types:

Remote Access VPN:
A Remote Access VPN permits a user to connect to a private network and access all its services and resources remotely. The connection between the user and the private network is carried over the Internet, and the connection is secure and private. Remote Access VPN is useful for both home users and business users.
An employee who is away from the office uses a VPN to connect to the company's private network and remotely access files and resources on it. Private or home users of VPN services primarily use them to bypass regional restrictions on the Internet and access blocked websites. Security-aware users also use VPN services to enhance their Internet security and privacy.

Site to Site VPN:
A Site-to-Site VPN is also called a Router-to-Router VPN and is commonly used in large companies. Companies or organizations with branch offices in different locations use a Site-to-Site VPN to connect the network of one office location to the network at another office location.

Intranet based VPN: When several offices of the same company are connected using a Site-to-Site VPN, it is called an Intranet based VPN.
Extranet based VPN: When a company uses a Site-to-Site VPN to connect to the office of another company, it is called an Extranet based VPN.

Basically, a Site-to-Site VPN creates a virtual bridge between the networks at geographically distant offices, connects them through the Internet, and sustains secure and private communication between the networks. In a Site-to-Site VPN one router acts as the VPN client and the other as the VPN server, since it is based on router-to-router communication. Only when authentication has been validated between the two routers does the communication start.


Types of Virtual Private Network (VPN) Protocols:

Internet Protocol Security (IPsec):
Internet Protocol Security, known as IPsec, is used to secure communication across an IP network. IPsec authenticates the two peers when the session is set up and then authenticates and encrypts each data packet for the life of the connection.
IPsec runs in 2 modes:
(i) Transport mode
(ii) Tunnel mode
Transport mode protects only the payload of each IP packet and keeps the original IP header, so it is used between two hosts; tunnel mode protects the whole original IP packet and wraps it in a new IP header, so it is used between gateways (the Site-to-Site case above). IPsec can also be combined with other protocols, such as L2TP or GRE, to protect traffic that those protocols tunnel but do not encrypt.
Layer 2 Tunnelling Protocol (L2TP):
L2TP is a tunnelling protocol that is often combined with another security protocol such as IPsec to establish a highly secure VPN connection. L2TP generates a tunnel between two L2TP endpoints, and IPsec encrypts the data and maintains secure communication within the tunnel; L2TP on its own provides no encryption.
Point-to-Point Tunnelling Protocol (PPTP):
PPTP generates a tunnel and encapsulates the data packets; Point-to-Point Protocol (PPP) frames are carried inside it, and encryption is provided by MPPE rather than by PPP itself. PPTP is one of the most widely deployed VPN protocols and has shipped with Windows since its early releases; it is also available on Mac and Linux. Its authentication (MS-CHAPv2) and MPPE encryption are known to be breakable, so PPTP should not be relied on for confidentiality today.
SSL and TLS:
SSL (Secure Sockets Layer) and TLS (Transport Layer Security) generate a VPN connection in which the web browser acts as the client and the user's access is restricted to specific applications rather than the entire network. Online shopping websites commonly use SSL and TLS. Switching to SSL/TLS is easy and requires almost no action from the user, because web browsers come with SSL and TLS built in. Secured connections have "https" at the start of the URL instead of "http". (SSL itself is deprecated; current deployments use TLS.)
OpenVPN:
OpenVPN is an open source VPN that is commonly used for creating point-to-point and site-to-site connections. It uses TLS (via the OpenSSL library) for its control channel and key exchange.
Secure Shell (SSH):
Secure Shell, or SSH, creates an encrypted tunnel through which data transfer occurs. SSH connections are set up by an SSH client, and data sent to a local port is forwarded through the encrypted tunnel to the remote server (local port forwarding, ssh -L), which gives a per-application tunnel rather than a full network VPN.


Let's do the VPN configuration.

Topology

Objective

In this tutorial we will learn:

• To configure and use a VPN on routers.
• To create a VPN between routers.

Course Learning Outcome

• Establish the VPN configuration and create a VPN tunnel for safe communication.
• Test the connection using CLI commands.

Note: four networks are used here:

network: 192.168.1.0/24
network: 192.168.2.0/24
network: 1.0.0.0/8
network: 2.0.0.0/8


Step 1
Assign an IP address to each interface of every router, and to the computers used here.
CONFIGURATION ON ROUTER R1:
Router>enable
Router#config terminal
Router(config)#hostname r1
r1(config)#int fa0/0
r1(config-if)#ip add 192.168.1.1 255.255.255.0
r1(config-if)#no shut
r1(config-if)#exit
r1(config)#int fa0/1
r1(config-if)#ip address 1.0.0.1 255.0.0.0
r1(config-if)#no shut

Step 2
CONFIGURATION ON ROUTER R2:
Router>enable
Router#config terminal
Router(config)#hostname r2
r2(config)#int fa0/0
r2(config-if)#ip add 1.0.0.2 255.0.0.0
r2(config-if)#no shut
r2(config-if)#exit
r2(config)#int fa0/1
r2(config-if)#ip add 2.0.0.1 255.0.0.0
r2(config-if)#no shut

Step 3
CONFIGURATION ON ROUTER R3:
Router>enable
Router#config terminal
Router(config)#hostname r3
r3(config)#int fa0/0
r3(config-if)#ip add 2.0.0.2 255.0.0.0
r3(config-if)#no shut
r3(config-if)#exit
r3(config)#int fa0/1
r3(config-if)#ip add 192.168.2.1 255.255.255.0
r3(config-if)#no shut


Step 4
Note: now it is time to do routing; you need to configure a default route on each edge router.
DEFAULT ROUTING CONFIGURATION ON ROUTER R1:
r1>enable
r1#config t
Enter configuration commands, one per line. End with CNTL/Z.
r1(config)#ip route 0.0.0.0 0.0.0.0 1.0.0.2
r1(config)#

DEFAULT ROUTING CONFIGURATION ON ROUTER R3:
r3>enable
r3#config t
Enter configuration commands, one per line. End with CNTL/Z.
r3(config)#ip route 0.0.0.0 0.0.0.0 2.0.0.1
r3(config)#

Step 5
Note: now check the connection by pinging each other.
First go to router r1 and ping router r3:
r1#ping 2.0.0.2

Step 6
Note: go to router r3 and test the network by pinging router r1's interface:
r3#ping 1.0.0.1

Note: make sure both routers ping each other successfully before continuing; the tunnel endpoints (1.0.0.1 and 2.0.0.2) must be reachable through R2, or the tunnel will never come up.

Step 7
Note: now create the tunnel between R1 and R3. The tunnel built here is plain GRE (the show interfaces output in the practical task below reports Tunnel protocol/transport GRE/IP). GRE encapsulates the traffic but does not encrypt or authenticate it, so on its own it is a tunnel rather than a secure VPN; for confidentiality the GRE tunnel would be protected with IPsec. Start from R1:
r1#config t
r1(config)#interface tunnel 10
r1(config-if)#ip address 172.16.1.1 255.255.0.0
r1(config-if)#tunnel source fa0/1
r1(config-if)#tunnel destination 2.0.0.2
r1(config-if)#no shut

Step 8
r3#config t
r3(config)#interface tunnel 100
r3(config-if)#ip address 172.16.1.2 255.255.0.0
r3(config-if)#tunnel source fa0/0
r3(config-if)#tunnel destination 1.0.0.1
r3(config-if)#no shut

Note: the tunnel interface numbers (10 on R1, 100 on R3) are only locally significant; what must match is each side's tunnel destination with the other side's tunnel source address.

Step 9
Now test communication between the two routers again by pinging each other across the tunnel:
r1#ping 172.16.1.2
(see the result)
r3#ping 172.16.1.1
(see the result)

Make sure both show a success rate of 100 percent.

Step 10
Now add routing for the created tunnel on both routers, R1 and R3, so that each LAN is reached through the tunnel:
r1(config)#ip route 192.168.2.0 255.255.255.0 172.16.1.2
r3(config)#ip route 192.168.1.0 255.255.255.0 172.16.1.1

Step 11
TEST THE TUNNEL CONFIGURATION:
r1#show interfaces Tunnel 10
(see the output)
r3#show interfaces Tunnel 100
(see the output)


Practical Task Questions/Answers
1) After checking the connection by pinging each other: from router R1, ping router R3. What is the output of ping 2.0.0.2?

Answer
Sending 5, 100-byte ICMP Echos to 2.0.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 26/28/33 ms

2) Identify round-trip min/avg/max for R1 after testing communication between the two routers again by pinging each other across the tunnel.
Answer
Success rate is 100 percent (5/5), round-trip min/avg/max = 33/45/83 ms

3) Prove whether the tunnel between R1 and R3 is up.
Answer
Tunnel10 is up, line protocol is up (connected)
Hardware is Tunnel
Internet address is 172.16.1.1/16
MTU 17916 bytes, BW 100 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 1.0.0.1 (FastEthernet0/1), destination 2.0.0.2
Tunnel protocol/transport GRE/IP
Key disabled, sequencing disabled
Checksumming of packets disabled
Tunnel TTL 255
Fast tunneling enabled


Tunnel transport MTU 1476 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 1
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 32 bits/sec, 0 packets/sec
5 minute output rate 32 bits/sec, 0 packets/sec
52 packets input, 3508 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 input packets with dribble condition detected
52 packets output, 3424 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out

4) Identify how many hops there are to 192.168.2.2.

Answer
3 hops
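The show interfaces output above reports Tunnel protocol/transport GRE/IP and a transport MTU of 1476 bytes. The following Python is an added example, not part of the lab, that builds and parses that same encapsulation byte for byte: an outer IP header (protocol 47) and a 4-byte GRE header around the inner packet. It shows where the 24 bytes of overhead behind the 1476 figure come from, and that the inner packet, including its payload, travels in clear text, which is why plain GRE is a tunnel rather than a VPN. The addresses are the lab's; the ICMP payload is constructed.

```python
import socket
import struct

GRE_IP_PROTOCOL = 47         # outer IP header "protocol" value for GRE
ETHERTYPE_IPV4 = 0x0800      # GRE "protocol type" announcing an IPv4 payload
IP_HEADER_LEN = 20
GRE_HEADER_LEN = 4           # no checksum, key or sequence number, matching the show output

def ip_checksum(data):
    """One's-complement checksum used by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src, dst, protocol, payload_len, ttl=255):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HEADER_LEN + payload_len, 0, 0,
                      ttl, protocol, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

def icmp_echo_packet(src, dst, payload):
    """Constructed inner packet: a host on 192.168.1.0/24 pinging 192.168.2.2."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + payload      # type 8, code 0, id 1, seq 1
    icmp = icmp[:2] + struct.pack("!H", ip_checksum(icmp)) + icmp[4:]
    return ipv4_header(src, dst, 1, len(icmp), ttl=64) + icmp

def gre_encapsulate(inner, tunnel_src, tunnel_dst):
    """What R1 sends towards 2.0.0.2: outer IP (proto 47) + 4-byte GRE header + the inner packet."""
    gre = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4)          # flags/version = 0: minimal GRE
    outer = ipv4_header(tunnel_src, tunnel_dst, GRE_IP_PROTOCOL, len(gre) + len(inner))
    return outer + gre + inner

def gre_decapsulate(packet):
    """What R3 does on receipt: strip the outer IP and GRE headers and hand back the inner packet."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != GRE_IP_PROTOCOL:
        raise ValueError("not a GRE packet")
    flags, proto = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags & 0xB000:          # C, K or S bit set: the header would be longer than 4 bytes
        raise ValueError("checksum/key/sequence GRE options are not handled here")
    if proto != ETHERTYPE_IPV4:
        raise ValueError("unexpected inner protocol 0x%04x" % proto)
    return packet[ihl + 4:]

def tunnel_transport_mtu(physical_mtu=1500):
    """1500 - 20 (outer IP) - 4 (GRE) = 1476, the value reported by 'show interfaces Tunnel'."""
    return physical_mtu - IP_HEADER_LEN - GRE_HEADER_LEN

def payload_visible_in_clear(outer_packet, marker):
    """GRE adds no encryption: the inner payload can be read straight out of the outer packet."""
    return marker in outer_packet

if __name__ == "__main__":
    inner = icmp_echo_packet("192.168.1.2", "192.168.2.2", b"confidential")
    outer = gre_encapsulate(inner, "1.0.0.1", "2.0.0.2")
    print(len(inner), len(outer), tunnel_transport_mtu(), payload_visible_in_clear(outer, b"confidential"))
```

Anyone on the path through R2 who captures the outer packet sees the inner addresses and the payload in the clear. Wrapping the GRE packet in IPsec ESP (tunnel or transport mode) is what turns this into a VPN, at the cost of further MTU reduction.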


MODULE 4: HARDENING OPERATING SYSTEMS

Configure Windows Services
BIOS

• Known as the system BIOS or ROM BIOS.
• A standard defining a firmware interface.
• BIOS software is built into the PC and is the first software run by a PC when it is powered on.
• The fundamental purpose of the BIOS is to initialize and test the system hardware components, and to start the boot loader or an operating system from a secondary storage device.
• The BIOS also takes care of some essential system functions such as power management and temperature regulation.
• In modern PCs, the BIOS contents are stored on an Electrically Erasable Programmable Read-Only Memory (EEPROM) chip.
• An EEPROM chip is a type of non-volatile memory used by many electronic devices that need small amounts of data stored for quick access.
• The contents of an EEPROM chip can be flashed, that is, overwritten with new data.
• This feature is one of the reasons BIOS firmware is vulnerable to attack: malicious firmware written to the chip runs before the operating system and survives an OS reinstall, so firmware updates should only be applied from the vendor's signed images.

BIOS security

• The BIOS on the motherboard offers security features including power-on passwords, support for intrusion detection devices, and support for a Trusted Platform Module (TPM) chip.
o Power-on Passwords
- Power-on passwords include a supervisor password, which is required to change the BIOS setup; a user password, which is required to use the system or view the BIOS setup; and a drive lock password, which is required to access the hard drive.
- All three types of password can be set in the BIOS setup utility.
- If the supervisor password is set and forgotten, you cannot enter BIOS setup to change any of these passwords.
- You will then need to use the BIOS reset jumpers on the motherboard (which also means anyone with physical access to an open case can clear the passwords, so they deter casual rather than determined attackers).

o Intrusion Detection Device Support
- An intrusion detection switch is installed inside the computer case and connected to pins on the motherboard.
- The intrusion detection feature in BIOS setup must be ENABLED.


- Once the security measure is in place and the case is opened, the BIOS displays an alert the next time the system is powered up.

o Trusted Platform Module (TPM) Chip Support
- Installing BitLocker encryption on Windows Vista initializes the TPM chip.
- Once BitLocker is installed, it can be temporarily suspended; while suspended, the volume key is no longer protected by the TPM.
- If you have problems installing BitLocker, one thing that can be done is clearing the TPM chip, but BE CAREFUL: if the TPM chip holds the key that protects the data on the hard drive, clearing it loses the key and, with it, all the data (unless the BitLocker recovery key was saved elsewhere).
- DO NOT CLEAR the TPM chip unless you are certain it is not being used to protect encrypted data.

Windows Registry

• The Windows registry is the most important Windows component that holds configuration information for Windows.
• It is a database designed with a tree-like structure (a hierarchical database).
• It contains information about Windows, users, software applications and installed hardware devices.
• During start-up, Windows builds the registry in memory and keeps it there until Windows shuts down.
• During start-up, after the registry is built, Windows reads it to obtain the information needed to complete the start-up process.
• After Windows has loaded, it continually reads from many of the subkeys in the registry.

5 keys in Windows Registry
1. HKEY_LOCAL_MACHINE (HKLM)
2. HKEY_CURRENT_CONFIG (HKCC)
3. HKEY_CLASSES_ROOT (HKCR)
4. HKEY_USERS (HKU)
5. HKEY_CURRENT_USER (HKCU)


Functions of Windows Registry Keys

1. HKEY_LOCAL_MACHINE (HKLM)

• The most important key.
• Contains hardware, software, and security data.
• Data is taken from 4 hives:
o SAM hive
o Security hive
o Software hive
o System hive
• The HARDWARE subkey is built when the registry is first loaded, based on data collected about the current hardware configuration.

2. HKEY_CURRENT_CONFIG (HKCC)

• Contains Plug & Play information about the hardware configuration used at computer start-up.
• Stores information that identifies each hardware device installed.
• Some data is gathered from the current hardware configuration when the registry is first loaded into memory.
• The rest is taken from the HKLM key, which got its data primarily from the System hive.


3. HKEY_CLASSES_ROOT (HKCR)

• Stores information that determines which application is opened when a user double-clicks a file.
• The process relies on the file's extension to determine which program to load.
• Data is gathered from the HKLM key and the HKCU key.

4. HKEY_USERS (HKU)

• Contains data for all users.
• Data is taken from the Default hive.


5. HKEY_CURRENT_USER (HKCU)

• Contains data about the current user.
• The key is built when a user logs on, using data kept in the HKEY_USERS key and data kept in the Ntuser.dat file of the current user.

Rootkit Detection using RootkitRevealer

• RootkitRevealer is an advanced rootkit detection utility.
• A rootkit is the set of mechanisms and techniques whereby malware, including viruses, spyware, and trojans, attempts to hide its presence from spyware blockers, antivirus, and system management utilities.
• It runs on Windows XP (32-bit) and Windows Server 2003 (32-bit), and its output lists Registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit.
• It detects many persistent rootkits, including AFX, Vanquish and HackerDefender.
• It looks for discrepancies between what the Windows API reports and what the raw registry hive and file system data contain; an entry present in the raw data but hidden from the API is the signature of a rootkit.

Rootkit Classification
1. Persistent Rootkits
2. Memory-Based Rootkits
3. User-mode Rootkits
4. Kernel-mode Rootkits

Configuring Windows services to disable all unneeded services

• Windows has many features and services enabled by default that a given system does not need; each running service is extra attack surface and consumes CPU and memory.
• To turn off services in Windows, click Start → Run → type services.msc.
• Double-click the service you want to alter and change its start-up type to Disabled or Manual, as directed in the list of unnecessary services.


Kerberos Authentication and Domain Security

Kerberos Authentication

• Kerberos is a computer network authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner.
• The protocol was named after the character Kerberos (or Cerberus) from Greek myth, the ferocious three-headed guard dog of Hades.
• Its designers aimed it primarily at a client-server model, and it provides mutual authentication: both the user and the server verify each other's identity.
• Kerberos protocol messages are protected against eavesdropping and replay attacks.
• It is a powerful authentication protocol that is transparent to the user except when entering the initial password or smart card.
• Kerberos provides authentication and strong cryptography to secure information systems across an entire network or enterprise.
• The protocol is a highly effective solution to the network security problem of authenticating users without sending passwords over the network.
• It is typically used when a user attempts to access a network service and that service requires authentication.
• The user is provided with a ticket issued by the Kerberos authentication server.
• This ticket contains information linking it to the user.
• The user presents the ticket to the service to verify their identity.
• If the user is verified, access is accepted.
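An added Python model of the full Kerberos exchange, going beyond the single ticket step the bullets outline; it is not a real Kerberos implementation. The Authentication Server issues a ticket-granting ticket, the Ticket-Granting Server issues a service ticket, and the service checks the authenticator's timestamp and a replay cache before answering with the echoed timestamp, which is how the mutual authentication and replay protection mentioned above come about. The sealing primitive is a toy HMAC-based construction standing in for Kerberos encryption types, the salt handling is simplified, and the principals and passwords are constructed.

```python
import hashlib, hmac, json, os

def kdf(password, salt):
    """Long-term key from a password (stands in for the Kerberos string-to-key function)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def _stream(key, nonce, n):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, obj):
    """Toy encrypt-then-MAC (HMAC keystream + HMAC tag). Illustrative stand-in for the
    Kerberos encryption types; do not reuse it as a cipher."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

class KDC:
    """Authentication Server (AS) and Ticket-Granting Server (TGS) in one process."""
    def __init__(self, clock, lifetime=600):
        self.clock, self.lifetime = clock, lifetime
        self.salt = os.urandom(8)        # simplification: one public salt for every principal
        self.keys = {}                   # principal -> long-term key
        self.tgs_key = os.urandom(32)    # only the KDC can open a TGT
    def register(self, principal, password):
        self.keys[principal] = kdf(password, self.salt)
    def as_exchange(self, user):
        """AS_REP: session key plus TGT; only the holder of the user's key can open it."""
        sk = os.urandom(32).hex()
        tgt = seal(self.tgs_key, {"user": user, "sk": sk, "exp": self.clock() + self.lifetime})
        return seal(self.keys[user], {"sk": sk, "tgt": tgt.hex()})
    def tgs_exchange(self, tgt, authenticator, service):
        """TGS_REP: check the TGT and authenticator, issue a ticket sealed under the service's key."""
        t = unseal(self.tgs_key, tgt)
        a = unseal(bytes.fromhex(t["sk"]), authenticator)
        if a["user"] != t["user"] or t["exp"] < self.clock():
            raise ValueError("bad TGT or authenticator")
        ssk = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"user": t["user"], "sk": ssk, "exp": self.clock() + self.lifetime})
        return seal(bytes.fromhex(t["sk"]), {"sk": ssk, "ticket": ticket.hex()})

class Service:
    def __init__(self, name, kdc, clock, skew=300):
        self.key, self.clock, self.skew, self.seen = kdc.keys[name], clock, skew, set()
    def ap_exchange(self, ticket, authenticator):
        """AP_REQ -> AP_REP: the clock-skew window and the replay cache defeat re-sent authenticators."""
        t = unseal(self.key, ticket)
        a = unseal(bytes.fromhex(t["sk"]), authenticator)
        if t["exp"] < self.clock() or a["user"] != t["user"] or abs(a["ts"] - self.clock()) > self.skew:
            raise ValueError("expired ticket or bad authenticator")
        if (a["user"], a["ts"]) in self.seen:
            raise ValueError("replayed authenticator")
        self.seen.add((a["user"], a["ts"]))
        return seal(bytes.fromhex(t["sk"]), {"ts": a["ts"]})   # proves the service holds the session key

class Client:
    def __init__(self, user, password, kdc, clock):
        self.user, self.kdc, self.clock = user, kdc, clock
        self.key = kdf(password, kdc.salt)   # the password itself never leaves the client
    def login(self):
        rep = unseal(self.key, self.kdc.as_exchange(self.user))   # raises if the password is wrong
        self.sk, self.tgt = bytes.fromhex(rep["sk"]), bytes.fromhex(rep["tgt"])
    def service_ticket(self, service):
        auth = seal(self.sk, {"user": self.user, "ts": self.clock()})
        rep = unseal(self.sk, self.kdc.tgs_exchange(self.tgt, auth, service))
        return bytes.fromhex(rep["ticket"]), bytes.fromhex(rep["sk"])
    def access(self, service, ticket, ssk):
        ts = self.clock()
        rep = unseal(ssk, service.ap_exchange(ticket, seal(ssk, {"user": self.user, "ts": ts})))
        return rep["ts"] == ts      # mutual authentication: the service echoed our timestamp

def run_demo(now=1_700_000_000.0):
    # Constructed scenario; returns (mutual auth ok, replay rejected, wrong password rejected).
    clock = lambda: now
    kdc = KDC(clock)
    kdc.register("alice", "correct horse battery")
    kdc.register("fileserver", os.urandom(16).hex())
    fileserver = Service("fileserver", kdc, clock)
    alice = Client("alice", "correct horse battery", kdc, clock)
    alice.login()
    ticket, ssk = alice.service_ticket("fileserver")
    mutual_ok = alice.access(fileserver, ticket, ssk)
    captured = seal(ssk, {"user": "alice", "ts": now + 1})   # an eavesdropper records one AP_REQ
    fileserver.ap_exchange(ticket, captured)                  # first use is accepted
    try:
        fileserver.ap_exchange(ticket, captured)
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    try:
        Client("alice", "wrong password", kdc, clock).login()
        wrong_pw_rejected = False
    except ValueError:
        wrong_pw_rejected = True
    return mutual_ok, replay_rejected, wrong_pw_rejected
```

Two properties of the real protocol are visible here: the KDC never learns or transmits the password (a wrong password simply fails to open the AS reply), and a captured AP_REQ is useless to a replaying attacker because the service remembers the (user, timestamp) pair for the skew window.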


Domain Security

• A domain security policy is a security policy that is specifically applied to a given domain, or to a set of computers or drives in a given system.
• System administrators use a domain security policy to set security protocols for part of a network, including password policies, access levels and much more.

Trust Relationships between domains

• Trust relationships are an administration and communication link between two domains.
• A trust relationship between two domains enables user accounts and global groups to be used in a domain other than the domain where the accounts are defined.
• Account information is shared to validate the rights and permissions of user accounts and global groups residing in the trusted domain without requiring them to authenticate again.
• Trust relationships simplify user administration by combining two or more domains into a single administrative unit.
• When there are trust relationships between domains, the authentication mechanism for each domain trusts the authentication mechanism for all other trusted domains.
• If a user or application is authenticated by one domain, its authentication is accepted by all other domains that trust the authenticating domain; a trust therefore extends the trusting domain's attack surface to every account in the trusted domain, so trusts should be created only in the direction actually needed.

IP Security (IPsec)

• An Internet Engineering Task Force (IETF) standard suite of protocols operating between two communication points across an IP network that provides data authentication, integrity, and confidentiality.
• It defines the packet formats for encrypted and authenticated packets (ESP) and for authenticated-only packets (AH).
• The protocols needed for secure key exchange and key management (IKE) are defined in it.
• IPsec can be used to encrypt application-layer data.
• It can provide security for routers sending routing data across the public Internet.
• It can provide authentication without encryption, for example to verify that data originates from a known sender.
• It can protect network data by setting up circuits using IPsec tunnelling, in which all data sent between the two endpoints is encrypted, as with a Virtual Private Network (VPN) connection.

Implement Infrastructure, Authentication and Auditing of Windows

Windows Server Authentication

• A secure form of authentication because the password itself is never sent across the network: the client proves knowledge of it through a hash-based challenge-response exchange (or a Kerberos ticket).
• Windows authentication is best suited for an intranet environment, for the following reasons:
o Client computers and the web server are in the same domain.
o Administrators can make sure that every client browser is Internet Explorer 2.0 or later.

Tools in Windows Server to manage a set of policies

1. Security Configuration Wizard (SCW)
 A software program that allows administrators to easily change a server's
default security settings.
 Allows administrators to customize network security policies, audit policies,
registry values and services.
 Three main components:
o A wizard interface
o A command-line interface
o A security configuration database

2. Security Configuration Editor
 Consists of two Microsoft Management Console (MMC) snap-ins designed
to provide a capability for security configuration and analysis of Windows
operating systems.
 The 1st snap-in is the Security Templates snap-in, which gives
administrators a graphical way to manage the .inf template files used to apply
security settings.
 The 2nd snap-in is the Security Configuration and Analysis snap-in, which
allows an administrator to compare a system's security settings against a
particular template and apply the settings in a template to the system.

3. Active Directory Users and Computers
 An MMC snap-in that is a standard feature of Microsoft Windows Server
operating systems.
 Used to manage recipients.
 Adding users to security groups.
 Moving computer objects.

4. Group Policy Management Console
 An interface that enables Active Directory administrators to manage Group
Policy Objects (GPOs) from one console.
 Provides a view of all GPOs, organizational units, domains and sites across
an enterprise and allows editing of settings within individual GPOs.
 Combines the functionality of tools such as Active Directory Users and
Computers, Active Directory Sites & Services, Resultant Set of Policy
(RSoP), the Access Control List Editor and the GPMC Delegation Wizard.

Windows Server Auditing and Logging

• It is important to audit all user actions concerning access to files and folders.
• Auditing helps detect compromise.
• This is intended to be a starting baseline guide for administrators.
• Windows Server auditing and logging protect data by maintaining visibility and
responding quickly to timely security alerts.
• Auditing and logging of security-related events, and the alerts derived from them, are
important components of an effective data protection strategy.
• Security logs and reports provide you with an electronic record of suspicious activities
and help you detect patterns that may indicate attempted or successful external
penetration of the network, as well as internal attacks.
• Auditing can be used to monitor user activity, document regulatory compliance, perform
forensic analysis and more.
• Provides immediate alert notification when security events occur, helping to:
o Secure identity
o Secure infrastructure
o Secure apps and data
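As an added example (not code from the guide), the following Python snippet shows the kind of pattern detection the bullets above describe, run over a constructed sample of Windows Security log records: a burst of failed logons (event ID 4625) from one source followed by a successful logon (4624) from the same source is raised as an alert. The record fields, the thresholds and the events themselves are assumptions chosen for the example.

```python
"""Detect a burst of failed logons followed by a success in Windows Security log records.

Added example, not from the original guide. EVENTS is a constructed sample of
Security-log records reduced to the fields the check needs; 4624 (logon
succeeded) and 4625 (logon failed) are the real Windows event IDs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: four failures then a success from one source, and a
# single innocent failure from another.
EVENTS = [
    {"time": "2021-10-13T08:00:01", "id": 4625, "user": "j.doe", "src": "10.0.0.25"},
    {"time": "2021-10-13T08:00:05", "id": 4625, "user": "j.doe", "src": "10.0.0.25"},
    {"time": "2021-10-13T08:00:09", "id": 4625, "user": "j.doe", "src": "10.0.0.25"},
    {"time": "2021-10-13T08:00:12", "id": 4625, "user": "j.doe", "src": "10.0.0.25"},
    {"time": "2021-10-13T08:00:20", "id": 4624, "user": "j.doe", "src": "10.0.0.25"},
    {"time": "2021-10-13T08:05:00", "id": 4625, "user": "a.lee", "src": "10.0.0.40"},
    {"time": "2021-10-13T08:06:00", "id": 4624, "user": "a.lee", "src": "10.0.0.40"},
]

LOGON_FAILED, LOGON_SUCCESS = 4625, 4624
THRESHOLD = 4     # failed logons from one source inside the window (assumed value)
WINDOW_S = 300    # sliding window in seconds (assumed value)


def detect_bruteforce(events, threshold=THRESHOLD, window_s=WINDOW_S):
    """Return (src, user, failures) alerts: at least `threshold` failed logons
    from one source inside `window_s` seconds, then a successful logon from
    that same source. Events may arrive unordered; they are sorted by time."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(list)   # src -> timestamps of failures still in the window
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        src = ev["src"]
        # discard failures that have slid out of the window
        recent[src] = [ft for ft in recent[src] if t - ft <= window]
        if ev["id"] == LOGON_FAILED:
            recent[src].append(t)
        elif ev["id"] == LOGON_SUCCESS and len(recent[src]) >= threshold:
            alerts.append((src, ev["user"], len(recent[src])))
            recent[src].clear()   # one alert per burst
    return alerts


if __name__ == "__main__":
    for src, user, n in detect_bruteforce(EVENTS):
        print(f"ALERT: {n} failed logons from {src} followed by success as {user}")
```

The same loop works on records exported from the Security log in any tabular form, as long as each record supplies a timestamp, the event ID, the account name and the source address.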

Applying Windows Certification Authorities on clients

To distribute certificates to client computers by using Group Policy:

1. On the domain controller in the forest of the account partner organization, start the
Group Policy Management snap-in.

2. Find the existing Group Policy Object (GPO) or create a new GPO associated with
the domain, site or organizational unit where the appropriate user and computer
accounts reside.

3. Right-click the GPO, and then click Edit.
4. In the console tree, open Computer Configuration, right-click Trusted Root Certification
Authorities, and then click Import.
5. On the Welcome to the Certificate Import Wizard page, click Next.
6. On the File to Import page, type the path to the appropriate certificate files, and then
click Next.
7. On the Certificate Store page, click Place all certificates in the following store, and
then click Next.
8. On the Completing the Certificate Import Wizard page, verify that the information
you provided is accurate, and then click Finish.
9. Repeat steps 2 through 6 to add additional certificates for each of the federation
servers in the farm.

Understand Linux Security

User and File system security administration

• Every file or folder in Linux has three types of access permission, granted separately to
each class of user:
o Read (r) – This permission allows a user to open a file for reading, as well as to list
the contents of a directory.
o Write (w) – This permission allows a user to open and modify existing files and to
create new files in a directory.
o Execute (x) – This permission allows a user to execute a file, provided it is a
program or script.

• In Linux, everything is a file, so system security and permissions are very important.
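As an added example (not from the guide), this Python script parses ls -l style mode strings into the owner, group and other read/write/execute flags described above, computes the equivalent octal mode, and flags the entries an administrator would review first: world-writable files and setuid/setgid programs. The listing it audits is constructed for the example.

```python
"""Parse Linux mode strings into per-class rwx permissions and flag risky modes.

Added example, not from the original guide. SAMPLE_LISTING is a constructed
sample shaped like the mode and path columns of `ls -l` output.
"""
import stat

# Constructed sample listing: <mode string> <path>
SAMPLE_LISTING = """\
-rwxr-xr-x /usr/bin/ls
-rw-r--r-- /etc/passwd
-rw------- /etc/shadow
-rwsr-xr-x /usr/bin/passwd
-rw-rw-rw- /tmp/shared_notes.txt
drwxrwxrwt /tmp
"""

CLASSES = ("owner", "group", "other")  # the three user classes a mode covers


def parse_mode(mode: str) -> dict:
    """Turn a 10-character mode string such as '-rwxr-xr-x' into a dict with
    the file type, per-class r/w/x flags and the equivalent octal mode
    ('0755'; '4755' for setuid; '1777' for a sticky directory)."""
    if len(mode) != 10:
        raise ValueError(f"bad mode string: {mode!r}")
    ftype = {"-": "file", "d": "directory", "l": "symlink"}.get(mode[0], "other")
    perms, special = {}, 0
    for i, cls in enumerate(CLASSES):
        r, w, x = mode[1 + 3 * i:4 + 3 * i]
        # 's'/'S' in the owner or group execute slot = setuid/setgid,
        # 't'/'T' in the other slot = sticky bit; uppercase means the special
        # bit is set without the underlying execute permission.
        if cls == "owner" and x in "sS":
            special |= stat.S_ISUID
        elif cls == "group" and x in "sS":
            special |= stat.S_ISGID
        elif cls == "other" and x in "tT":
            special |= stat.S_ISVTX
        perms[cls] = {"r": r == "r", "w": w == "w", "x": x in "xst"}
    bits = special
    for i, cls in enumerate(CLASSES):
        p = perms[cls]
        bits |= ((4 if p["r"] else 0) | (2 if p["w"] else 0) | (1 if p["x"] else 0)) << (6 - 3 * i)
    return {"type": ftype, "perms": perms, "octal": format(bits, "04o")}


def audit_listing(listing: str) -> list:
    """Return (path, finding) pairs for entries a defender should review:
    world-writable entries (except sticky directories such as /tmp) and
    setuid/setgid executables."""
    findings = []
    for line in listing.splitlines():
        if not line.strip():
            continue
        mode, path = line.split(None, 1)
        info = parse_mode(mode)
        octal = info["octal"]
        sticky_dir = info["type"] == "directory" and int(octal[0]) & 1
        if info["perms"]["other"]["w"] and not sticky_dir:
            findings.append((path, f"world-writable ({octal})"))
        if int(octal[0]) & 4:
            findings.append((path, f"setuid ({octal})"))
        if int(octal[0]) & 2:
            findings.append((path, f"setgid ({octal})"))
    return findings


if __name__ == "__main__":
    for path, finding in audit_listing(SAMPLE_LISTING):
        print(f"{path}: {finding}")
```

On a live system the same audit can be fed from the output of a find command restricted to the directories of interest; the parser deliberately accepts the uppercase S/T forms so that a setuid bit on a non-executable file is still reported.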

Steps involved in configuring Windows Services for UNIX

1. Insert the Windows Services for UNIX CD-ROM into the CD-ROM drive.
2. In the Windows Services for UNIX Setup Wizard dialog box, click Next.
3. In the User name box, type your name, and then type the name of your organization
in the Organization box.
4. In the CD key boxes, type the product key from the back of the CD-ROM case, and
click Next.
5. Read the end user license agreement (EULA), click 'I accept the terms', and click
Next.
6. Click Standard installation, and click Next.
7. In the Security settings box, click the security option you want to use.
8. In the User name mapping box, type the name, then click Next to complete the
installation.
9. Restart the computer to complete the installation.

Framework of Pluggable Authentication Module (PAM)

• A program that requires authentication only needs to know that there is a module
available that will perform the authentication for it.
• PAM uses a pluggable, modular architecture, which affords the system administrator a
great deal of flexibility in setting authentication policies for the system.
• The PAM framework consists of four parts:

o Applications that use PAM, also referred to as PAM consumers.
o PAM framework, also referred to as the PAM library.
o PAM configuration, system-wide in /etc/pam.d/ or /etc/pam.conf and on a
per-user basis via pam_user_policy(5).
o PAM service modules, also referred to as PAM service providers.
• Provides a uniform way for authentication-related activities to take place.
• Enables application developers to use PAM services without having to know the
semantics of the policy.
• With PAM, administrators can tailor the authentication process to the needs of a
particular system without having to change any applications.
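As an added example (not from the guide), this Python script parses a PAM service file of the kind found in /etc/pam.d/ into its type, control, module and argument fields, then applies a few defender's checks to the auth stack: empty passwords permitted via nullok, an unconditional pam_permit.so, and a stack that does not end in pam_deny.so. The service file is a constructed sample, not a copy of any distribution's configuration.

```python
"""Parse and sanity-check a PAM service file from /etc/pam.d/.

Added example, not from the original guide. SAMPLE_PAM_D_SSHD is a constructed
service file written in standard pam.d syntax; it is not copied from any
distribution.
"""
from dataclasses import dataclass

SAMPLE_PAM_D_SSHD = """\
# constructed sample: /etc/pam.d/sshd
auth       required     pam_env.so
auth       sufficient   pam_unix.so nullok try_first_pass
auth       [success=1 default=ignore] pam_succeed_if.so uid >= 1000
auth       required     pam_deny.so
account    required     pam_unix.so
password   required     pam_unix.so sha512 shadow
session    optional     pam_keyinit.so force revoke
session    required     pam_limits.so
"""


@dataclass
class PamRule:
    mtype: str      # auth | account | password | session
    control: str    # required | requisite | sufficient | optional | [value=action ...]
    module: str     # module file, e.g. pam_unix.so
    args: tuple     # module arguments


def parse_pam(text: str) -> list:
    """Parse pam.d lines into PamRule objects; comments, blank lines and
    @include directives are skipped. A leading '-' on the type (optional
    module) is stripped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@include"):
            continue
        fields = line.split()
        mtype = fields[0].lstrip("-").lower()
        if fields[1].startswith("["):
            # bracketed control values contain spaces: [success=1 default=ignore]
            end = next(i for i, f in enumerate(fields) if f.endswith("]"))
            control, rest = " ".join(fields[1:end + 1]), fields[end + 1:]
        else:
            control, rest = fields[1], fields[2:]
        rules.append(PamRule(mtype, control, rest[0], tuple(rest[1:])))
    return rules


def audit_pam(text: str) -> list:
    """Return human-readable findings for weak or surprising auth rules."""
    rules = parse_pam(text)
    findings = []
    for r in rules:
        if r.mtype == "auth" and r.module == "pam_unix.so" and "nullok" in r.args:
            findings.append("auth: pam_unix.so allows empty passwords (nullok)")
        if r.mtype == "auth" and r.module == "pam_permit.so":
            findings.append("auth: pam_permit.so unconditionally succeeds")
    auth = [r for r in rules if r.mtype == "auth"]
    if auth and auth[-1].module != "pam_deny.so":
        findings.append("auth: stack does not end with pam_deny.so")
    return findings


if __name__ == "__main__":
    for r in parse_pam(SAMPLE_PAM_D_SSHD):
        print(f"{r.mtype:<9} {r.control:<28} {r.module} {' '.join(r.args)}")
    print(audit_pam(SAMPLE_PAM_D_SSHD) or ["no findings"])
```

Running the audit over every file in /etc/pam.d/ gives a quick picture of which services accept empty passwords or lack a final deny rule; the checks are deliberately conservative and report, rather than rewrite, the configuration.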

MODULE 5: PHYSICAL SECURITY

Understand hardening physical security

Physical security refers to the protection of building sites and equipment (and all information and
software contained therein) from theft, vandalism, natural disaster, man-made catastrophes, and
accidental damage (e.g., electrical surges, extreme temperatures, and spilled coffee).

It requires solid building construction, suitable emergency preparedness, reliable power supplies,
adequate climate control, and appropriate protection from intruders.

Need for physical security

• Protecting important data, confidential information, networks, software, equipment,
facilities, company’s assets, and personnel.

• Prevent the two sources of attack: nature and malicious parties. Examples of malicious
party attacks are terrorism, vandalism and theft.

• It is necessary if you do not want anyone to snatch away your information or destroy it.
• To prevent any unauthorized access to computer systems.
• To prevent tampering or stealing of data from computer systems.
• To protect the integrity of the data stored in the computer.
• To prevent the loss of data or damage to systems against any natural calamities.

Physical security threats to network

• Physical – Improper installation, selecting wrong components, incomplete devices, lack
of knowledge, unsecure or less secure network components.

• Electrical – Irregular power supply such as fluctuations, high voltage, low voltage or
surge voltage.

• Environmental – Extreme weather conditions such as moisture, Electromagnetic
Interference (EMI) field, very high or low temperature and humidity.

• Maintenance – It includes lack of spare parts, poor cabling, incorrect or no labelling on
components.

• There are also man-made security threats, such as terrorism, dumpster diving, wars and
others, which originate from humans.

Biometric in physical security

• Devices that sample a physical or behavioural trait, for example a fingerprint, and
compare it with the traits on file to determine whether you are who you claim to be.

• Able to recognize a person on the basis of the unique features of their face, fingerprint,
signature, DNA or iris pattern, and thereby provide a secure and convenient method of
authentication.

Workplace Security Implementation

1. 1st Security Agent
• An excellent password protected security utility to secure Windows-based
computers.

2. Access Lock
• Easy to use security utility which can help you secure your desktop when you
are away from your computer.

3. Access Denied XP
• If you get an "Access Denied" message when you open a file or folder even though you
are the administrator of the Windows XP computer, you most likely need to reset the
file or folder permissions.

4. Desktop Lock
• A computer security protection and access control software product.

5. Lockdown Plus PC
• Powerful desktop security solution for personal use.
• It prevents users from deleting critical files and applications.

6. PC LockUp
• PC LockUp password protects your PC and restricts others from being able to
use it while you are away.

Securing Network Devices

Securing Edge Router
• Primarily enables a local user to connect and transfer data to a network.

Assigning Administrative Roles
• A key management task in a Horizon View environment is to determine who can use
View Administrator and what tasks those users are authorized to perform.

Using Automated Security Features
• This operation is used in a wide range of applications like control and monitoring
system, data security applications, factory automation systems, automated message
response systems and so on.

Monitoring and Managing Devices
• Devices must be monitored as often as possible to ensure the network is safe, and
security passwords must be properly managed.

Challenges in ensuring physical security

• The protection of personnel, hardware, software, networks and data from physical
actions and events that could cause serious loss or damage to an enterprise, agency or
institution.

• Facilities must be hardened against accidents, attacks and environmental disasters.
• Physical locations should be monitored using surveillance cameras and notification
systems, which is costly.
• Disaster recovery policies and procedures should be tested on a regular basis to ensure
safety and to reduce the time it takes to recover.

Understand Securing Modems

Securing Modems Definition

Securing a modem means protecting the hardware component that allows a computer or other
device, such as a router or switch, to connect to the Internet, so that it remains safe and
unthreatened by unauthorized users.

• Modem stands for MOdulator-DEModulator.
• It converts digital data into analog signals and converts analog signals back into digital
data.
• Modems have two (2) different transmission modes:

o Simplex – the signal can be passed in only one direction
o Full duplex – the signal can be passed in two directions simultaneously

Types of Modems

External Modem
• Removable device used for communication purposes.
• Attached to the computer system through the COM1 or COM2 port.
• Connected to the telephone wall jack by another cable.
• Powered by an external power supply.
• Very easy to set up.
• Example: Wireless modem and USB modem

Internal Modem
• Installed in a slot on the motherboard.
• Is an expansion card.
• A circuit board that can be attached inside the system through an expansion slot.
• Cannot be moved easily from one PC to another.
• Difficult to set up.
• Example: PCI Modem

Network Attacks and Risks Involve in Modems

Network Attacks
• Packet sniffing – When information is sent back and forth over a network, it is sent in
what we call packets. Without encryption, those packets carry the data in plaintext
for anyone to read.
• Password theft – When communicating over wireless networks, you send passwords
out over the network, and if the site does not use SSL/TLS, that password is sitting in
plaintext for an attacker to read.
• Bluetooth attacks – There is a variety of Bluetooth exploits out there. These range from
annoying pop-up messages to full control over a victim's Bluetooth-enabled device.
• War driving – Comes from an old term called war dialling, where people would dial
random phone numbers in search of modems.

Risks

Shared nature of cable connections
o All subscribers in a local area can share the same subnet when they connect
with cable modems.
o This makes it easy for hackers or unauthorized users to launch attacks against
the system.

Speed
o The speed of the network makes users more attractive targets and allows an
intruder to quickly deposit Trojan horses, hacker toolkits and sensitive
documents.

• Hackers can launch DoS attacks against targeted network resources or the entire
network. DoS attacks include service overloading, message flooding, signal
grounding and many more.

Reasons for Modem Failure

1. Incompatibility between firmware and the hardware device.
2. Link failure caused by fibre cable cuts or network congestion.
3. Faults, errors or discards in network devices.
4. Device configuration changes.
5. Failed software and firmware upgrades or patches.
6. Poor signal from the cable outlet.
7. The modem or phone line is not stable at high connection speeds.
8. The power supply was interrupted.
9. Hacked by unauthorized users.
10. Drivers are not up to date.
11. The modem is degrading.

Hardening Router Implementation: Definitions

Router – Device or, in some cases, software on a computer, that determines the best way for
a packet to be forwarded to its destination.

Metrics – Used by a router to make routing decisions. A metric is typically one of many
fields in a routing table.

Algorithms – Unambiguous specification of how to solve a class of problems. An algorithm
can perform calculation, data processing and automated reasoning tasks.

Cisco IOS – Originally Internetwork Operating System; a family of software used on most
Cisco Systems routers and current Cisco network switches.

Routing Principles and Operation Modes

• Routers offer different operation modes that can be used, such as Wireless Router
Mode, Repeater Mode, AP Mode and Media Bridge.

• Routing is the process of moving a packet from one device to another on a different
network, and this is done by the router.

Wireless Router Mode (Default)
• The router connects to the internet via PPPoE, DHCP, PPTP, L2TP or Static IP.
• It shares the wireless network with LAN clients or devices.
• In this mode, NAT, firewall and DHCP server are enabled by default.
• Connection: Internet -> Modem -> Router -> Computer
• If you have one router, this will almost always be the default router operating mode that
you implement for basic home use.

Repeater Mode
• Also called Home WiFi range extension.
• The router wirelessly connects to an existing wireless network to extend the wireless
coverage.
• In this mode, the firewall, IP sharing and NAT functions are disabled.
• Connection: Internet -> Modem -> Router -> Wireless Extend to Repeater
• Users generally use repeaters or wireless extenders when there are hard-to-reach
places in their home WiFi setup.
• The repeater acts as a "transition" island between the actual client device and the main
router.

Access Point (AP) Mode
• A general internet extension, especially at home or in a hotel.
• In this mode, the router connects to a wireless router through an Ethernet cable to extend
the coverage of the wireless signal to other network clients.
• In this mode, the firewall, IP sharing and NAT functions are disabled by default.
• Connection: Internet -> Modem -> Router -> Wired Connection to AP
• Used when the main router cannot be altered but a temporary wireless network is still
needed.
• Best used in an office, hotel or other place where people only have a wired network.

Media Bridge
• This mode provides the fastest 802.11ac Wi-Fi connection for multiple media devices
simultaneously.
• To set it up, the user needs two routers: one configured as the Media station and the
other as a router.
• In this mode, only wireless devices connect to the P-AP.
• Client devices need to be connected to the Media Bridge with a network cable.

TCP and UDP Server Proxy

• TCP-UDP proxy is a low-precedence policy that allows all outbound TCP and
UDP traffic from the network to be protected.

• This policy only allows outbound TCP and UDP traffic, but it also monitors
that traffic for HTTP, HTTPS, SIP and FTP packets sent on non-standard
ports.

TCP Server Proxy
• Server that acts as an intermediary between a client and a destination server.
• A proxy server is a service that takes a request and performs it on behalf of the user
or another service.
• TCP proxy supports a maximum receive window size of 1 MB per session.

UDP Server Proxy
• Socket Secure (SOCKS) is an internet protocol that exchanges network packets
between a client and server through a proxy server.
• Provides authentication so only authorized users may access a server.

TCP Tools

1. hostname – Display the name of the computer.
2. netstat – Display statistics for current TCP/IP connections.
3. ping – Send Internet Control Message Protocol (ICMP) echo messages to verify IP
connectivity.
4. tracert – Trace a path to a destination.
5. ipconfig – Display current TCP/IP network configuration values, update or release
Dynamic Host Configuration Protocol (DHCP) allocated leases, and display, register
or flush Domain Name System (DNS) names.
6. nslookup – Check records, domain host aliases, domain host services and operating
system information by querying DNS servers.
7. route – Display the IP routing table, and add, edit or delete IPv4 routes. Route for
Windows Server 2003 also displays IPv6 routes.

Steps to Harden a Router

1. Change the default password.
2. Disable IP directed broadcast.
3. Disable HTTP configuration for the router, if possible.
4. Block ICMP ping requests.
5. Disable IP source routing.
6. Determine your packet filtering needs.
7. Establish ingress and egress address filtering policies.
8. Maintain physical security of the router.
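As an added example (not from the guide), this Python script checks a Cisco IOS-style running-config text against the hardening steps listed above and reports what is still missing; a weak configuration and a hardened one are included side by side. Both configurations are constructed for the example: the commands are standard IOS syntax, but the hostname, addresses, ACL numbers and the enable-secret hash placeholder are made up.

```python
"""Check a Cisco IOS-style running-config against basic router hardening items.

Added example, not from the original guide. Both configs below are constructed
fragments; hostname, addresses, ACL numbers and the secret hash are placeholders.
"""
import re

# Constructed weak configuration: defaults left in place.
SAMPLE_CONFIG = """\
!
hostname edge-rtr
enable password cisco
ip http server
ip source-route
!
interface GigabitEthernet0/0
 description constructed WAN uplink
 ip address 203.0.113.2 255.255.255.252
 ip directed-broadcast
!
interface GigabitEthernet0/1
 ip address 192.0.2.1 255.255.255.0
 no ip directed-broadcast
!
"""

# Constructed hardened configuration for the same device.
HARDENED_CONFIG = """\
!
hostname edge-rtr
enable secret 5 PLACEHOLDER-HASH
no ip source-route
no ip http server
no ip http secure-server
!
access-list 101 deny icmp any any echo
access-list 101 permit ip any any
access-list 102 permit ip 192.0.2.0 0.0.0.255 any
access-list 102 deny ip any any
!
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.252
 no ip directed-broadcast
 ip access-group 101 in
!
interface GigabitEthernet0/1
 ip address 192.0.2.1 255.255.255.0
 no ip directed-broadcast
 ip access-group 102 in
!
"""


def parse_config(text: str) -> dict:
    """Split an IOS config into a 'global' line list plus one list per interface section."""
    sections, current = {"global": []}, "global"
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = "global"          # '!' ends the current section
        elif line.startswith(" "):
            sections.setdefault(current, []).append(line.strip())
        elif line.startswith("interface "):
            current = line
            sections.setdefault(current, [])
        else:
            current = "global"
            sections["global"].append(line)
    return sections


def audit_config(text: str) -> list:
    """Return hardening findings in config order; an empty list means all checks passed."""
    cfg = parse_config(text)
    g = cfg["global"]
    findings = []
    if not any(l.startswith("enable secret") for l in g):
        weak_pw = any(l.startswith("enable password") for l in g)
        findings.append("enable secret not configured"
                        + (" ('enable password' is weakly protected)" if weak_pw else ""))
    if "ip http server" in g or "ip http secure-server" in g:
        findings.append("HTTP configuration interface enabled")
    if "no ip source-route" not in g:          # IOS enables source routing unless told otherwise
        findings.append("IP source routing not disabled")
    if not any(re.match(r"access-list \S+ deny icmp any any echo\b", l) for l in g):
        findings.append("no access-list entry blocks ICMP echo requests")
    for name, lines in cfg.items():
        if name == "global":
            continue
        short = name.split(None, 1)[1]
        if "ip directed-broadcast" in lines:
            findings.append(f"{short}: IP directed broadcast enabled")
        if not any(l.startswith("ip access-group") for l in lines):
            findings.append(f"{short}: no ingress/egress ACL applied")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit_config(cfg) or ['no findings']}")
```

The checks map one-to-one onto the list above except for physical security, which no configuration file can attest; the text of a real device's show running-config can be passed to audit_config unchanged.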

Routing command (BASIC)

Use the enable command

• Enters privileged EXEC mode.

Router#show ip interface brief

• This command provides a quick overview of all interfaces on the router,
including their IP addresses and status.

Router#show ip route

• Routers use the routing table to make packet forwarding decisions. This
command displays the routing table.

Router#show interfaces

• This command shows the status and configuration of interfaces.

Router#show version

• This command displays information about the software version of the
running IOS. It also provides information about configuration settings.

Router Types

 Broadband Router
o Can be used to connect computers or connect to the internet.

 Wireless Router
o Creates a wireless signal in your home office or office.
o Any PC within the range of wireless routers can connect to it and use your
internet.

 Core Router
o Used to connect networks in different cities.

 Edge Router
o Placed at the edge of the ISP network.
o Normally configured to run an external protocol like BGP (Border Gateway Protocol)
to peer with the BGP routers of other ISPs (Internet Service Providers) or large
organizations.

Routing Protocols

• A routing protocol specifies how routers communicate with each other, distributing
information that enables them to select routes between any two nodes on a computer
network.

• A routing protocol uses software and routing algorithms to determine optimal
network data transfer and communication paths between network nodes.

• Routing protocols facilitate router communication and overall network topology
understanding.

Wireless Network

• Computer networks that are not connected by cables of any kind.
• The use of a wireless network enables enterprises to avoid the costly process of
introducing cables into a building or as a connection between different equipment
locations.

Type of Wireless Network
Type of Connection :-

• Peer To Peer Network: Files can be shared directly between systems
on the network without the need for a central server.

• Extension To Wired Network: Multiple wireless access points extend
your home network. Connect two access points to the same network,
with the same wireless network name and password.

• Multiple Access Point: Plug adapters can be used to extend a wired
and wireless network.

• LAN To LAN Wireless Network: A collection of devices connected
together in one physical location, such as a building, office or home.

Geography :-

• WLAN: A wireless LAN (WLAN) is a wireless computer network that links
two or more devices using wireless communication to form a local area
network (LAN) within a limited area.

• WWAN: A wireless wide area network (WWAN) is a form of wireless
network. This type covers wireless networks over a wide area. This is
achieved by wirelessly connecting coverage cells to provide services to
an expanded geographical location.

• WPAN: Provides a wireless connection to devices that surround an
individual's personal space. In a typical network, the WPAN makes
use of a technology that enables wireless communication within a
range of 10 meters. This makes the WPAN a short-range network.

• WMAN: A wireless network that is intended to cover an area that ranges
around 31 miles or 50 kilometres is a WMAN. This specific branch of
the network allows multiple locations or buildings to stay connected
within any metropolitan area.

Component of Wireless Network

• Radio NICs: A wireless LAN includes a radio NIC that operates within the
computer device and provides wireless connectivity.

• User Devices: The use of wireless LANs to network stationary PCs is beneficial
because of limited needs for wiring.

• Access Point: An access point contains a radio card that communicates with
individual user devices on the wireless network.

Types of Wireless Threat and Attacks

• Rogue Access Point: These enable vulnerability scans for attack preparation, ARP
poisoning, packet captures and Denial of Service attacks.

• Packet Sniffing: This can lead to stolen passwords or leaks of sensitive information
quite easily.

• Password Theft: There are even ways to get around those types of wireless threats
and attacks.

• Peer-to-peer Attacks: Devices that are connected to the same access points can be
vulnerable to attacks from other devices connected to that access point.

Wireless Standards

• WIRELESS-AD: Wireless-AD is among the newest wireless standards to hit the
consumer market.

• Wireless-G & Wireless-N: Wireless-G and Wireless-N are terms referring to
802.11g and 802.11n wireless networking standards set by the IEEE.

• WIRELESS-AC: The 802.11ac standard greatly improves nearly every aspect of
Wireless-N.

Secure Wireless Communications Using Various Techniques and Tools :-

• Encryption: The process of encoding a message or information.
• Anti-virus / Anti-spyware / Firewall: Designed to detect and remove viruses from
computers.
• Default Router Identifiers: The router identifier is used by BGP and OSPF to
identify the routing device from which a packet.
• Authentication: Authentication technology provides access control for systems by
checking to see if a user's credentials match the credentials in a database of authorized
users or in a data authentication server.

Wireless Security Policy

• Wireless network security is also known as wireless security.
• Wireless network security is the process of designing, implementing and ensuring
security on a wireless computer network.
• It is a subset of network security that adds protection for a wireless computer network.

Implement Security Policy on Wireless Network

• To secure a network, implement different layers of security so that an attacker
must compromise two or more systems to gain access to critical assets.

• Security measures often restrict personnel in their operating practices and make some
activities less convenient, which results in a temptation to boost security regulations.

References:

1. Proceedings of the 14th National Computer Security Conference, October 1-4,
1991, Washington, D.C. (Volume 1)

2. https://www.ques10.com/p/11101/what-is-a-firewall-what-are-the-capabilities-and-2/

3. https://datatracker.ietf.org/wg/cidf/about/

4. http://etutorials.org/Networking/Router+firewall+security/Part+VII+Detecting+and+Preventing+Attacks/Chapter+16.+Intrusion-Detection+System/IDS+Signatures/

5. Neeraj Kumar, Dept. of CSE, SIT Sitamarhi: https://www.sitsitamarhi.ac.in/wp-content/uploads/2020/04/file_5e91c3210aac4.pdf

6. https://www.geeksforgeeks.org/difference-between-firewall-and-proxy-server/

7. http://etutorials.org/Networking/Cisco+Certified+Security+Professional+Certification/Part+II+Securing+the+Network+Perimeter/Chapter+8+IOS+Firewall+-+Authentication+Proxy/Cisco+IOS+Firewall+Authentication+Proxy/

8. https://www.cs.ait.ac.th/~on/O/oreilly/tcpip/firewall/ch05_02.htm

9. https://www.kaspersky.com/resource-center/threats/what-is-a-honeypot

10. https://infosecaddicts.com/honeypots-interaction-levels/

11. https://www.geeksforgeeks.org/types-of-virtual-private-network-vpn-and-its-protocols/

12. http://www.idc-online.com/technical_references/pdfs/data_communications/Firewall_Rules.pdf

13. https://blog.ct-networks.io/types-of-wireless-attacks-9b6ecc3317b9 (Types of
threats and attacks)

14. https://www.shireeninc.com/types-of-wireless-networks/ (Types of wireless
network: geography)

Politeknik METrO Tasek Gelugor
No. 25, Jalan Komersial 2,
Pusat Komersial Tasek Gelugor,
13300 Tasek Gelugor,
Pulau Pinang.

