Chapter 5 S

The document summarizes network security concepts across three layers: infrastructure, services, and applications. It describes vulnerabilities at each layer, including IP spoofing, man-in-the-middle attacks, and session hijacking at the internet layer. The document also outlines eight security dimensions that address network vulnerabilities, such as access control, authentication, and data integrity.

Uploaded by

Nasis Dereje

Chapter Five

Network Security Management

Fundamentals of Software Security
(SE7431)

Compiled by Alemu W. ([email protected]), 10 May 2015 EC


Introduction
The security architecture addresses three essential issues:
1. What kind of protection is needed and against what threats?
2. What are the distinct types of network equipment and facility groupings that need to be protected?
3. What are the distinct types of network activities that need to be protected?

Security Layers
Security Layers represent a hierarchical approach to securing a network:
– Mapping of the network equipment and facility groupings to Security Layers
– Determining how the network elements in upper layers can rely on protection that the lower layers provide.

Threat Model (simplified)
Threat Models:
1 - Destruction (an attack on availability):
– Destruction of information and/or network resources
2 - Corruption (an attack on integrity):
– Unauthorized tampering with an asset
3 - Removal (an attack on availability):
– Theft, removal or loss of information and/or other resources
4 - Disclosure (an attack on confidentiality):
– Unauthorized access to an asset
5 - Interruption (an attack on availability):
– Interruption of services. Network becomes unavailable or unusable
Eight Security Dimensions Address the Breadth of Network Vulnerabilities
• Access Control: Limit & control access to network elements, services & applications. Examples: password, ACL, firewall
• Authentication: Provide proof of identity. Examples: shared secret, PKI, digital signature, digital certificate
• Non-repudiation: Prevent the ability to deny that an activity on the network occurred. Examples: system logs, digital signatures
• Data Confidentiality: Ensure confidentiality of data. Example: Encryption
• Communication Security: Ensure information only flows from source to destination. Examples: VPN, MPLS, L2TP
• Data Integrity: Ensure data is received as sent or retrieved as stored. Examples: MD5, digital signature, anti-virus software
• Availability: Ensure network elements, services and applications are available to legitimate users. Examples: IDS/IPS, network redundancy, BC/DR
• Privacy: Ensure identification and network use is kept private. Examples: NAT, Encryption
Each Security Dimension is applied to each Security Perspective (layer and plane).
Three Security Layers
Vulnerabilities, Threats and Attacks (Destruction, Corruption, Removal, Disclosure, Interruption) apply at each layer.
3 - Applications Security Layer:
• Network-based applications accessed by end-users
• Examples:
– Web browsing
– Directory assistance
– Email and E-commerce
2 - Services Security Layer:
• Services provided to end-users
• Examples:
– Frame Relay, ATM, IP
– Cellular, Wi-Fi
– VoIP, QoS, IM, Location services
– Toll free call services
1 - Infrastructure Security Layer:
• Fundamental building blocks of network services and applications
• Examples:
– Individual routers, switches, servers
– Point-to-point WAN links and Ethernet links
Cont.…
 Infrastructure Security Layer
 Individual routers, servers
 Communication links
 Services Security Layer
 Basic IP transport
 IP support services (e.g., AAA, DNS, DHCP)
 Value-added services (e.g., VPN, VoIP, QoS)
 Applications Security Layer
 Basic applications (e.g., FTP, web access)
 Fundamental applications (e.g., email)
 High-end applications (e.g., e-commerce, e-training)
Reviewing the TCP/IP Communications Flow
When a user at a computer wants to access a Web page:
 Starts a Web browser application and types the name of the Web site
 The web browser application generates a request to have the Web site name resolved to an IP address.
 The browser then attempts to establish communications with that Web site.

When application data is sent from one computer to another:
 The information is passed from the Application layer to the Transport layer.
 The Transport layer protocols:
 Consider the Application layer information as the payload (or data)
 Create a header that contains information such as source and destination port
 Information is passed to the Internet layer.

Cont.…
The Internet layer protocols:
 Consider the Transport layer information as the payload
 Create an IP header that contains information such as destination IP addresses
 Information is passed to the Network Interface layer.

The Network Interface layer protocols:
 Consider the Internet layer information as the payload
 Create a preamble and a frame header, which contains the source and destination MAC addresses
 Create trailer information, called a checksum, that contains the count of the number of bits in a transmission so that the receiver can ensure the packet did not get damaged in transit.
 The information is placed on the local network.


Cont.…
At the destination, when the information reaches the destination computer:
 The Network Interface layer protocols strip the preamble and checksum from the packets and then pass the payload to the Internet layer.
 The Internet layer protocols strip the IP header from the packet and pass the payload to the Transport layer.
 The Transport layer protocol strips the TCP or UDP header and passes the payload to the Application layer.
 The application that is specified to manage that data receives the data.
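The encapsulation and decapsulation just described, carried out on real bytes, as an added example that is not part of the lecture notes. It pushes a small application payload down through a TCP header, an IPv4 header (with a valid header checksum) and an Ethernet frame, then strips the headers again on the receiving side, verifying the trailer before trusting the contents. Header layouts are the standard TCP, IPv4 and Ethernet ones; the trailer is computed here as a CRC-32 over the frame, which is how Ethernet's FCS actually works. The MAC addresses, IP addresses and ports are constructed sample values, not real hosts.

```python
# Added example (not from the lecture notes): walk a payload down the TCP/IP
# stack and back up again, verifying the FCS and IP checksum on the way up.
import socket  # used only for inet_aton / inet_ntoa
import struct
import zlib

# Constructed sample values (documentation ranges, not real hosts)
SRC_MAC = bytes.fromhex("020000000001")
DST_MAC = bytes.fromhex("020000000002")
SRC_IP = "192.0.2.10"
DST_IP = "192.0.2.20"
ETH_IPV4 = 0x0800
PROTO_TCP = 6


def ip_checksum(header: bytes) -> int:
    """Standard one's-complement sum over the 16-bit words of an IPv4 header.
    Returns 0 when run over a header whose checksum field is already valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def transport_layer(payload: bytes, src_port: int, dst_port: int) -> bytes:
    """Transport layer: 20-byte TCP header (no options, checksum left zero) + data."""
    seq, ack, offset_flags, window, checksum, urgent = 1, 0, (5 << 12) | 0x18, 65535, 0, 0
    header = struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack, offset_flags, window, checksum, urgent)
    return header + payload


def internet_layer(segment: bytes, src_ip: str, dst_ip: str) -> bytes:
    """Internet layer: IPv4 header carrying total length, protocol and addresses."""
    ver_ihl, tos, total_len, ident, flags_frag, ttl = (4 << 4) | 5, 0, 20 + len(segment), 1, 0, 64
    header = struct.pack("!BBHHHBBH4s4s", ver_ihl, tos, total_len, ident, flags_frag, ttl,
                         PROTO_TCP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    header = header[:10] + struct.pack("!H", ip_checksum(header)) + header[12:]
    return header + segment


def network_interface_layer(datagram: bytes) -> bytes:
    """Network Interface layer: Ethernet header (dst MAC, src MAC, EtherType) + FCS trailer."""
    frame = DST_MAC + SRC_MAC + struct.pack("!H", ETH_IPV4) + datagram
    fcs = zlib.crc32(frame) & 0xFFFFFFFF
    return frame + struct.pack("<I", fcs)  # Ethernet transmits the FCS least-significant byte first


def encapsulate(app_data: bytes, src_port: int = 49152, dst_port: int = 80) -> bytes:
    """Application -> Transport -> Internet -> Network Interface."""
    return network_interface_layer(internet_layer(transport_layer(app_data, src_port, dst_port), SRC_IP, DST_IP))


def decapsulate(frame: bytes) -> dict:
    """Strip each header in turn; refuse the frame if the FCS or IP checksum is wrong."""
    body, fcs = frame[:-4], struct.unpack("<I", frame[-4:])[0]
    if zlib.crc32(body) & 0xFFFFFFFF != fcs:
        raise ValueError("FCS mismatch: frame damaged in transit")
    ethertype = struct.unpack("!H", body[12:14])[0]
    datagram = body[14:]
    ihl = (datagram[0] & 0x0F) * 4
    if ip_checksum(datagram[:ihl]) != 0:
        raise ValueError("IP header checksum mismatch")
    total_len = struct.unpack("!H", datagram[2:4])[0]
    segment = datagram[ihl:total_len]
    src_port, dst_port = struct.unpack("!HH", segment[:4])
    data_offset = (segment[12] >> 4) * 4
    return {"ethertype": ethertype, "src_ip": socket.inet_ntoa(datagram[12:16]),
            "dst_ip": socket.inet_ntoa(datagram[16:20]), "proto": datagram[9],
            "src_port": src_port, "dst_port": dst_port, "data": segment[data_offset:]}


if __name__ == "__main__":
    wire = encapsulate(b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")
    print(len(wire), "bytes on the wire")
    print(decapsulate(wire))
```

Flipping any byte of the frame before calling `decapsulate` makes the FCS check fail, which is the receiver-side guarantee the slides describe; the IP checksum check catches header corruption that a later hop might introduce after the frame has been re-framed.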

TCP/IP Layers and Vulnerabilities
Identifying Possible Application Layer Attacks
Application layer attacks are some of the most difficult to protect against because they take advantage of vulnerabilities in applications and lack of end-user knowledge of computer security.
Some of the ways the Application layer can be exploited to compromise the C-I-A triad include the following:
 E-mail application exploits:
– Attachments
– Embedded malicious code in Hypertext Markup Language (HTML) formatted messages.
 Web browser exploits:
 FTP client exploits:
Cont.…
Identifying Possible Transport Layer Attacks
 Either a UDP or TCP header is added to the message.
 The application that is requesting the service determines what protocol will be used.
Some of the ways the Transport layer can be exploited to compromise the C-I-A triad include the following:
 Manipulation of the UDP or TCP ports.
 DoS
 Session hijacking
– This attack occurs after a source and destination computer have established a communications link.
– A third computer disables the ability of one of the computers to communicate, and then imitates that computer.
Cont.…
Identifying Possible Internet Layer Attacks
 IP datagrams are formed.
 The packet is comprised of two areas: the header and the payload.
Some of the ways the Internet layer can be exploited to compromise the C-I-A triad include the following:
 IP address spoofing
– If the IP header fields and lengths are known, the IP address in the IP datagram can be easily discovered and spoofed. Any security mechanism based on the source IP address is vulnerable to this attack.
 Man-in-the-middle attacks
– A hacker places himself or herself between the source and destination computer in such a way that neither notices his or her existence.
– Meanwhile, the attacker can modify packets or simply view their contents.
 DoS
 Corrupting packets
– If the packet is intercepted, the information in the header can be modified, corrupting the IP datagram.
– It could change the protocol and payload information in the datagram.
Cont.…
At the Network Interface layer, the packet of information that is placed on the wire is known as a frame.
 The packet is comprised of three areas: the header, the payload, and the FCS.
 Because the Network Interface layer is used for communications on a local network, the attacks that occur at this level would be carried out on local networks.
Cont.…
Identifying Possible Network Interface Layer Attacks
 MAC address spoofing
– Attackers can easily spoof the MAC address of another computer.
– Any security mechanism based on MAC addresses is vulnerable to this attack.
 Denial of service (DoS)
 ARP cache poisoning
– ARP (Address Resolution Protocol) is a TCP/IP protocol for determining the hardware address (or physical address) of a node on a local area network connected to the Internet; the ARP cache stores the MAC (Media Access Control) addresses it has learned.
– If incorrect, or spoofed, entries are added to the ARP cache, then the computer is not able to send information to the correct destination.
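A defender-side check for the ARP cache poisoning described above, as an added example that is not part of the lecture notes. It replays ARP replies from a log (the five sample lines and their `<time> reply <ip> is-at <mac>` format are constructed for this example, not the output of any real tool), keeps its own IP-to-MAC table, and raises an alert on the two signals that matter in practice: an IP whose MAC suddenly changes, and a single MAC that starts claiming several IPs. The `known` argument lets the detector be seeded with trusted mappings, for example the gateway's real MAC.

```python
# Added example (not from the lecture notes): a small ARP cache poisoning
# detector that replays ARP replies and flags suspicious mapping changes.
from collections import defaultdict

# Constructed sample log: three normal replies, then one MAC (…:30) starts
# answering for the gateway (.1) and another host (.20) as well as itself.
SAMPLE_ARP_LOG = """\
10:00:01 reply 192.0.2.1 is-at 02:00:00:00:00:01
10:00:02 reply 192.0.2.20 is-at 02:00:00:00:00:20
10:00:03 reply 192.0.2.30 is-at 02:00:00:00:00:30
10:00:09 reply 192.0.2.1 is-at 02:00:00:00:00:30
10:00:10 reply 192.0.2.20 is-at 02:00:00:00:00:30
"""


def parse_arp_line(line):
    """Return (ip, mac) for a reply line in the constructed format, else None."""
    parts = line.split()
    if len(parts) != 5 or parts[1] != "reply" or parts[3] != "is-at":
        return None
    return parts[2], parts[4].lower()


def detect_arp_poisoning(log_text, known=None):
    """Replay the log against an IP->MAC table (optionally seeded with trusted
    entries) and return one alert string per anomaly, in log order."""
    table = dict(known or {})          # ip -> mac we currently believe
    by_mac = defaultdict(set)          # mac -> set of ips it has claimed
    for ip, mac in table.items():
        by_mac[mac].add(ip)
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_arp_line(line)
        if parsed is None:
            continue
        ip, mac = parsed
        old = table.get(ip)
        if old is not None and old != mac:
            alerts.append(f"MAC change for {ip}: {old} -> {mac}")
        table[ip] = mac
        if ip not in by_mac[mac]:
            by_mac[mac].add(ip)
            if len(by_mac[mac]) > 1:
                alerts.append(f"{mac} now claims {len(by_mac[mac])} IPs: {sorted(by_mac[mac])}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_ARP_LOG, known={"192.0.2.1": "02:00:00:00:00:01"}):
        print("ALERT:", alert)
```

On the sample log the first three replies produce no alerts; the fourth and fifth each produce a MAC-change alert plus a multiple-IP alert for the offending MAC. In a real deployment the same logic would run over ARP traffic captured on the switch's monitoring port, with the gateway mapping pinned via `known` so that the very first spoofed reply is caught.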

Chapter Six
Viruses and Related Threats

Information Security
(SE3052)

Compiled by Alemu W. ([email protected]), 13 January 2016


Introduction
 The security of the data and information contained on computers and digital devices today is threatened by more different types of attacks than ever before, and the threats and attacks are escalating on a daily basis.
 Successful attacks on computers today generally consist of two elements:
 Malicious software programs: created by attackers to silently infiltrate computers with the intent to do harm.
 Tricking users into performing a compromising action or providing sensitive information.
 Who Are the Attackers?
 Black hat hackers: were those attackers who violated computer security for personal gain (such as to steal credit card numbers) or to inflict malicious damage (corrupt a hard drive).
Cont.…
 White hat hackers: were described as “ethical attackers”: with an organization’s permission they would attempt to probe a system for any weaknesses and then privately provide information back to that organization about any uncovered vulnerabilities.
 Gray hat hackers: would attempt to break into a computer system without the organization’s permission (an illegal activity) but not for their own advantage; instead, they would publicly disclose the vulnerability in order to shame the organization into taking action.
 However, these “hat” titles did not always accurately reflect the different motives and goals of the attackers and are not widely used in the security community.
 Instead, more descriptive categories of attackers are used, including cybercriminals, script kiddies, brokers, insiders, cyber terrorists, hacktivists, and state-sponsored attackers.
Attacks and Defenses
 Although attacks can be launched against a computer or network in many ways, the same basic steps are used in most attacks.
 An attacker who attempts to break into a web server or computer network actually follows these same steps, known as the Cyber Kill Chain:
1. Reconnaissance: Probe for any information about the system.
2. Weaponization: The attacker creates an exploit (like a virus) and packages it into a deliverable payload (like a Microsoft Excel file) that can be used against the target.
3. Delivery: At this step the weapon is transmitted to the target, such as by an email attachment or through an infected web server.
4. Exploitation: Triggers the intruder’s exploit. Generally the exploitation targets an application or operating system vulnerability, but it also could involve tricking the user into taking a specific action.
Cont.…
5. Installation: The weapon is installed to either attack the computer or install a remote “backdoor” so the attacker can access the system.
6. Command and Control: Many times the compromised system connects back to the attacker so that the system can be remotely controlled by the attacker and receive future instructions.
7. Actions on Objectives: Now the attackers can start to take actions to achieve their original objectives, such as stealing user passwords or launching attacks against other computers.
[Figure: Cyber Kill Chain stages: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, Actions on Objectives]
Defenses Against Attacks
 Protecting computers against the general steps in an attack calls for following five fundamental security principles.
 These principles provide a foundation for building a secure system.
1. Layering: Layered security provides the most comprehensive protection and is useful in resisting a variety of attacks.
2. Limiting: Limiting access to information reduces the threat against it. This means that only those personnel who must use the data should have access to it.
3. Diversity: Closely related to layering. When protecting data with layers of security, the layers also must be different (diverse). If attackers penetrate one layer, they cannot use the same techniques to break through all other layers.
4. Obscurity: Conceal information to make the attack more difficult for the attacker.
5. Simplicity: Complex security systems can be hard to understand, troubleshoot, and even feel secure about.
Attacks Using Malware
 Malware is software that enters a computer system without the user’s knowledge or consent and then performs an unwanted and usually harmful action.
 Strictly speaking, malware uses a threat vector to deliver a malicious “payload” that performs a harmful function once it is invoked.
 However, malware is most often used as a general term that refers to a wide variety of damaging software programs.
 In order to detect malware on an infected computer, a software scanning tool can search for the malware, looking to match it against a known pattern of malware.
 In order to circumvent this detection of their software, attackers can mask the presence of their malware by having it “mutate” or change.
 Three types of mutating malware are:
 Oligomorphic malware: Changes its internal code to one of a set number of predefined mutations whenever it is executed.
Cont.…
 Polymorphic malware: Malware code that completely changes from its original form whenever it is executed is known as polymorphic malware.
 Metamorphic malware: Can actually rewrite its own code and thus appears different each time it is executed. It does this by creating a logical equivalent of its code whenever it is run.
 The various types of malware can be classified by the primary trait that the malware possesses. These traits are:
 Circulation:
 Its primary trait is spreading rapidly to other systems.
 Circulates through a variety of means: by using the network to which all the devices are connected, through USB flash drives that are shared among users, or by sending the malware as an email attachment.
 Can be circulated automatically or it may require an action by the user.
 Viruses, Trojan horses and worms are some examples.


Cont.…
 Infection:
 The malware might run only one time and then store itself in the computer’s memory, or it might remain on the system and be launched an infinite number of times through an auto-run feature.
 Some malware attaches itself to a benign program while other malware functions as a stand-alone process.
 Concealment:
 Its primary trait is avoiding detection by concealing its presence from scanners.
 Polymorphic malware attempts to avoid detection by changing itself, while other malware can embed itself within existing processes or modify the host OS.
 Payload capabilities: When payload capabilities are the primary focus of malware, the focus is on what nefarious action(s) the malware performs.
 In some cases the purpose of the malware is to use the infected system to launch attacks against other computers.
Virus Life Cycle
1. Dormant phase: the virus is idle (not all viruses have this stage).
2. Propagation phase: the virus places an identical copy of itself into other programs or into certain system areas.
3. Triggering phase: the virus is activated to perform the function for which it was created.
4. Execution phase: the function is performed; it may be harmless or damaging.

 Types of Virus:
 Parasitic
 Memory Resident
 Stealth
 Polymorphic
 Boot sector
Virus (cont.…)
 How Viruses append themselves to …
 Appended Viruses: a program virus attaches itself to a program; then, whenever the program is run, the virus is activated.
 Viruses that surround a program: as an alternative to attachment, the virus runs the original program but has control before and after its execution.
 Integrated Virus: occurs when a virus replaces some program instructions by integrating itself into the original code of the target.
 High risk virus properties:
 Hard to detect and destroy
 Spread infection widely
 Can re-infect
 Easy to create
 Machine independent
Virus (cont.…)
 Virus Signatures:
 Storage pattern: Code always located at a specific address and increased file size
 Execution pattern:
 Transmission pattern:
 Polymorphic Viruses:
 Antivirus Approaches:
1. Detection: Determine infection and locate the virus.
2. Identification: Identify the specific virus.
3. Removal: Remove the virus from all infected systems.
4. Recovery: Restore the system to its original state.
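A toy scanner covering the first two antivirus steps above, detection (is this file infected, and where in it?) and identification (which known virus is it?), together with the "storage pattern" signature of a file that has grown past its known clean size. This is an added example, not part of the lecture notes and not how any real antivirus product is built. The signature byte strings, the file contents and the clean-file baseline are all constructed for the example and correspond to no real malware.

```python
# Added example (not from the lecture notes): signature-based detection and
# identification, plus a storage-pattern (size/hash) check against a baseline.
import hashlib

# Constructed signature database: virus name -> byte pattern the scanner looks for.
SIGNATURES = {
    "Demo.Appender.A": b"DEMO-SIG-APPEND-7F3A",      # models an appended virus
    "Demo.Surround.B": b"DEMO-SIG-SURROUND-11C2",    # models a surrounding virus
}

# Constructed baseline of known-clean files: path -> (size in bytes, sha256 hex).
CLEAN_CALC = b"CLEAN-CALC-BODY!"
CLEAN_BASELINE = {
    "calc.exe": (len(CLEAN_CALC), hashlib.sha256(CLEAN_CALC).hexdigest()),
}


def scan_bytes(data, signatures=SIGNATURES):
    """Detection + identification: every (name, offset) at which a signature occurs,
    sorted by offset. A surrounding virus shows up twice, before and after the host."""
    hits = []
    for name, pattern in signatures.items():
        start = 0
        while True:
            idx = data.find(pattern, start)
            if idx < 0:
                break
            hits.append((name, idx))
            start = idx + 1
    return sorted(hits, key=lambda hit: hit[1])


def storage_pattern_check(path, data, baseline=CLEAN_BASELINE):
    """Storage-pattern signature: has the file grown or changed versus its clean copy?
    Returns None when there is no baseline entry to compare against."""
    if path not in baseline:
        return None
    size, digest = baseline[path]
    return {"grown_by": max(len(data) - size, 0),
            "changed": hashlib.sha256(data).hexdigest() != digest}


def scan_file(path, data):
    """Combine both checks into one report for a file."""
    hits = scan_bytes(data)
    return {"path": path, "infected": bool(hits), "hits": hits,
            "storage": storage_pattern_check(path, data)}


if __name__ == "__main__":
    # Constructed infected copy: the clean body with a signature appended after padding.
    infected = CLEAN_CALC + b"\x00\x00" + SIGNATURES["Demo.Appender.A"]
    print(scan_file("calc.exe", CLEAN_CALC))
    print(scan_file("calc.exe", infected))
```

The size/hash check is the one that still fires when a polymorphic sample has changed its bytes enough to dodge every static signature, which is why real products keep both kinds of check; the signature hit is what makes step 2, identification, possible.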

Firewalls
 Firewalls are an excellent security mechanism to protect networks from intruders.
 They can establish a relatively secure barrier between a system and the external environment.
 Firewall products are available with a variety of functionality and features, such as strong authentication, the ability to create VPNs, and easy-to-use interfaces.
 Selecting the appropriate firewall for an organization's needs requires careful consideration of the available types and products.
 Types of Firewalls:
 Packet Filters
 Application-gateway
 Circuit-gateways
 Hybrid
Cont.…
 Packet Filters:
 The most basic type of firewall.
 It receives packets and evaluates them according to a set of rules that are usually in the form of access control lists.
 These packets may be forwarded to their destinations, dropped, or dropped with a return message to the originator describing what happened.
 The types of filtering rules vary from one vendor's product to another, but those most frequently applied are:
 Source and destination IP address (e.g.: All packets from source address 128.44.9.0 through 128.44.9.255 might be accepted, but all other packets might be rejected).
 Source and destination port (e.g.: All TCP packets originating from or destined to port 25—the simple mail transfer protocol, or SMTP, port—might be accepted, but all TCP packets destined for port 79—the finger port—might be dropped).
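A minimal packet filter that evaluates the two rule types and three outcomes just listed, as an added example that is not part of the lecture notes. The rule list encodes the slide's own examples: accept anything from 128.44.9.0 through 128.44.9.255, accept TCP to or from port 25 (SMTP), silently drop TCP to port 79 (finger), and reject everything else with a message back to the originator. The rule and packet dictionary layouts are constructed for this example, not any vendor's format, and the sample packets use documentation addresses.

```python
# Added example (not from the lecture notes): an ordered, first-match packet
# filter with accept / drop / reject outcomes and a fail-closed default.
import ipaddress

ACCEPT, DROP, REJECT = "accept", "drop", "reject"

# Ordered rule list, first match wins. A field that is absent matches anything.
RULES = [
    {"action": ACCEPT, "src": ipaddress.ip_network("128.44.9.0/24")},   # trusted source range
    {"action": ACCEPT, "proto": "tcp", "src_port": 25},                  # SMTP, either direction
    {"action": ACCEPT, "proto": "tcp", "dst_port": 25},
    {"action": DROP,   "proto": "tcp", "dst_port": 79},                  # finger: drop silently
    {"action": REJECT},                                                  # default: reject with a message
]

# Constructed sample traffic (documentation addresses, not real hosts).
SAMPLE_PACKETS = [
    {"src": "128.44.9.77", "dst": "10.0.0.5", "proto": "udp", "src_port": 5353, "dst_port": 53},
    {"src": "203.0.113.9", "dst": "10.0.0.5", "proto": "tcp", "src_port": 40000, "dst_port": 25},
    {"src": "203.0.113.9", "dst": "10.0.0.5", "proto": "tcp", "src_port": 40000, "dst_port": 79},
    {"src": "203.0.113.9", "dst": "10.0.0.5", "proto": "tcp", "src_port": 40000, "dst_port": 22},
    {"src": "128.44.10.1", "dst": "10.0.0.5", "proto": "tcp", "src_port": 40000, "dst_port": 79},
]


def rule_matches(rule, pkt):
    """True when every field the rule specifies agrees with the packet."""
    if "src" in rule and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if "dst" in rule and ipaddress.ip_address(pkt["dst"]) not in rule["dst"]:
        return False
    for field in ("proto", "src_port", "dst_port"):
        if field in rule and pkt.get(field) != rule[field]:
            return False
    return True


def filter_packet(pkt, rules=RULES):
    """Return (action, index of the matching rule); fail closed if nothing matches."""
    for i, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            return rule["action"], i
    return DROP, -1


def filter_many(packets, rules=RULES):
    """Decision for each packet, in order."""
    return [filter_packet(p, rules)[0] for p in packets]


if __name__ == "__main__":
    for pkt, decision in zip(SAMPLE_PACKETS, filter_many(SAMPLE_PACKETS)):
        print(f"{pkt['src']} -> {pkt['dst']} {pkt['proto']}/{pkt['dst_port']}: {decision}")
```

Note that rule order is part of the policy: a packet from 128.44.9.77 to port 79 is accepted by the first rule before the finger rule is ever consulted, which is exactly the kind of interaction an ACL review has to look for. The `DROP, -1` fallback means a rule list with no explicit default still fails closed rather than open.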
Cont.…
 Components that make up a firewall:
 The Internet access security policy of the organization: states, at a high level, what degree of security the organization expects when connecting to the Internet.
 The mapping of the security policy onto technical designs and procedures that are to be followed when connecting to the Internet.
 The firewall system, which is the hardware and software that implements the firewall.
 Firewalls have a number of advantages:
 They can stop incoming requests to inherently insecure services.
 They can control access to other services.
 They are more cost effective than securing each host on the corporate network.
 They are more secure than securing each host.
Reading Assignment
 Types of Firewalls other than Packet Filters Firewalls
 Architectures and Drawbacks of Firewalls
 Mobile Security
 Wireless Security
 Other Advanced Security Techniques

