MODULE 4
Threats in Network
Unauthorized Access: Unauthorized access is one of the primary threats to intranet and extranet
security. Attackers may attempt to gain access to sensitive information or resources by exploiting
vulnerabilities in the network. Protection measures include implementing strong authentication
mechanisms, such as multi-factor authentication, and enforcing access controls to restrict access to
authorized users only.
Malware: Malicious software, or malware, poses a significant threat to intranet and extranet
environments. Malware can include viruses, worms, Trojans, ransomware, and spyware, among
others. Protection measures include deploying antivirus software, implementing email filtering to
detect and block malicious attachments, and regularly updating software to patch known
vulnerabilities.
Phishing and Social Engineering: Phishing attacks involve tricking users into disclosing sensitive
information, such as login credentials or financial data, through fraudulent emails, messages, or
websites. Social engineering tactics exploit human psychology to manipulate individuals into
performing actions that compromise security. Protection measures include providing security
awareness training to educate users about phishing tactics and implementing email filtering solutions
to detect and block phishing attempts.
Insider Threats: Insider threats occur when individuals within an organization misuse their access
privileges to intentionally or unintentionally harm the organization's security. This could involve
unauthorized access to sensitive data, theft of intellectual property, or sabotage of systems. Protection
measures include implementing least privilege principles to limit access to sensitive information,
monitoring user activity for suspicious behavior, and conducting regular security awareness training
to educate employees about the importance of security.
Data Breaches: Data breaches involve the unauthorized access or disclosure of sensitive information,
resulting in potential financial losses, reputational damage, and legal consequences. Protection
measures include encrypting sensitive data both in transit and at rest, implementing data loss
prevention (DLP) solutions to monitor and prevent unauthorized data exfiltration, and conducting
regular security audits to identify and address security weaknesses.
Denial of Service (DoS) Attacks: DoS attacks aim to disrupt the availability of intranet or extranet
services by overwhelming network resources, such as servers or bandwidth, with a flood of malicious
traffic. Protection measures include implementing DoS mitigation techniques such as rate limiting,
traffic filtering, and using content delivery networks (CDNs) to distribute traffic and mitigate the
impact of attacks.
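As an added illustration (not part of the module text) of the rate-limiting measure named above, the following Python keeps a sliding window of admitted requests per source address and drops anything over budget. All addresses, timestamps and traffic volumes are constructed sample values.

```python
# Added example (not from the module text): a per-source sliding-window
# rate limiter of the kind used as a first line of DoS mitigation.
# All timestamps are integer milliseconds; the traffic below is constructed.
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `max_requests` from one source per `window_ms`."""

    def __init__(self, max_requests, window_ms):
        self.max_requests = max_requests
        self.window_ms = window_ms
        self.history = defaultdict(deque)  # source -> timestamps of admitted requests

    def allow(self, source_ip, now_ms):
        q = self.history[source_ip]
        # Drop admitted timestamps that have slid out of the window.
        while q and now_ms - q[0] >= self.window_ms:
            q.popleft()
        if len(q) >= self.max_requests:
            return False  # budget exhausted: drop this request
        q.append(now_ms)
        return True


def simulate(limiter, requests):
    """requests: iterable of (timestamp_ms, source_ip).
    Returns {source_ip: {"allowed": n, "dropped": m}}."""
    tally = defaultdict(lambda: {"allowed": 0, "dropped": 0})
    for ts, ip in sorted(requests):
        outcome = "allowed" if limiter.allow(ip, ts) else "dropped"
        tally[ip][outcome] += 1
    return dict(tally)


# Constructed traffic: one source floods 50 requests at 50 ms intervals,
# another sends a normal request once per second.
FLOOD_SOURCE = "203.0.113.5"
NORMAL_SOURCE = "198.51.100.7"
SAMPLE_REQUESTS = ([(50 * i, FLOOD_SOURCE) for i in range(50)]
                   + [(1000 * i, NORMAL_SOURCE) for i in range(5)])


def run_demo():
    """Budget of 10 requests per second per source; returns the per-source tally."""
    limiter = SlidingWindowLimiter(max_requests=10, window_ms=1000)
    return simulate(limiter, SAMPLE_REQUESTS)


if __name__ == "__main__":
    for ip, counts in run_demo().items():
        print(ip, counts)
```

The flooding source is held to 10 admitted requests per second (30 of its 50 get through over 2.5 seconds) while the normal source is untouched; in a real deployment the limiter would sit in front of the service and the dropped count per source is itself a useful alert signal.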
Physical Security: Physical security threats, such as theft or unauthorized access to hardware devices,
can also pose risks to intranet and extranet environments. Protection measures include securing
physical access to servers and networking equipment, implementing surveillance systems and access
controls in data centers, and establishing procedures for proper disposal of outdated or
decommissioned hardware.
Network security techniques
Network security techniques are essential for protecting organizational data and maintaining the integrity
of network infrastructures against various cyber threats. These techniques encompass a variety of tools
and strategies aimed at preventing unauthorized access, detecting anomalies, and responding to incidents
effectively.
1. Access Control
Access control is fundamental to network security, allowing organizations to regulate who can enter their
network and what resources they can access. By implementing policies that restrict access based on user
roles and responsibilities, organizations can minimize the risk of unauthorized access and potential
damage caused by insiders. Access controls are mechanisms used to restrict unauthorized access to
resources within intranets and extranets. Access control policies such as role-based access control
(RBAC), mandatory access control (MAC), and discretionary access control (DAC) are implemented
alongside techniques such as access control lists (ACLs) and user authentication mechanisms.
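The following Python is an added example, not code from the module, showing how an RBAC policy and a per-resource discretionary ACL combine into a single default-deny decision. The users, roles and resources are constructed sample data.

```python
# Added example (not from the module text): a minimal access-control
# decision function combining role-based access control (RBAC) with a
# per-resource discretionary access control list (ACL). Users, roles and
# resources are constructed sample data; the policy is default-deny.

# RBAC: role -> set of (resource, action) permissions.
ROLE_PERMISSIONS = {
    "viewer":  {("reports", "read")},
    "analyst": {("reports", "read"), ("reports", "write")},
    "admin":   {("reports", "read"), ("reports", "write"),
                ("users", "read"), ("users", "write")},
}

# User -> roles held (least privilege: only the roles the job needs).
USER_ROLES = {
    "alice": {"viewer"},
    "bob":   {"analyst"},
    "carol": {"admin"},
}

# DAC: an owner-managed ACL attached to one resource, granting named users directly.
RESOURCE_ACLS = {
    "reports": {"dave": {"read"}},
}


def role_permissions(user):
    """Union of permissions over all roles held by the user."""
    perms = set()
    for role in USER_ROLES.get(user, ()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_allowed(user, resource, action):
    """Default deny: unknown users, roles or resources get nothing."""
    if (resource, action) in role_permissions(user):
        return True
    return action in RESOURCE_ACLS.get(resource, {}).get(user, set())


def audit_line(user, resource, action):
    """One log line per decision, so denials can be reviewed later."""
    verdict = "ALLOW" if is_allowed(user, resource, action) else "DENY"
    return f"{verdict} user={user} resource={resource} action={action}"


if __name__ == "__main__":
    for req in [("alice", "reports", "read"), ("alice", "reports", "write"),
                ("dave", "reports", "read"), ("mallory", "users", "read")]:
        print(audit_line(*req))
```

Every decision is logged, including denials, because repeated denials for one user are exactly the insider-misuse signal the monitoring measures above are meant to catch.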
2. Encryption
Encryption is a crucial security measure that protects data from unauthorized access by converting it into
an unreadable format. Different encryption algorithms such as AES (Advanced Encryption Standard) and
RSA (Rivest-Shamir-Adleman), as well as the SSL/TLS protocols are used for secure communication
over networks.
3. Data Loss Prevention (DLP)
DLP technologies help protect sensitive information from being improperly accessed or transmitted
outside the organization's network. These systems monitor data flows and enforce compliance with
policies that aim to prevent data leaks, whether intentional or accidental.
4. Antivirus and Anti-Malware Software
Anti-malware software plays a crucial role in the detection and prevention of malicious software threats.
By regularly scanning for viruses, trojans, and other harmful programs, businesses can mitigate the risk of
malware infections spreading within their networks.
5. Intrusion Prevention Systems (IPS)
IPS actively monitor network traffic and analyze data packets to detect and stop potential attacks in real
time. These systems are designed to identify unauthorized network access attempts and can
automatically respond to block malicious traffic. IDS and IPS are security measures used to detect and
respond to unauthorized access attempts or security breaches. IDS monitors network traffic for
suspicious activity and generates alerts, while IPS goes a step further by actively blocking or mitigating
detected threats.
6. Virtual Private Networks (VPNs)
VPNs provide secure remote access to intranet resources over untrusted networks such as the internet.
VPNs use encryption and tunneling protocols to create a secure connection between remote users and
the intranet, ensuring confidentiality and integrity of data transmission.
7. Patch Management
Regular software updates and patches are essential for addressing security vulnerabilities and
improving the overall security posture of intranet and extranet environments. The best practices
for patch management include vulnerability assessment, prioritization of patches, and
deployment strategies to minimize downtime and risk.
8. Application Security
Application security encompasses the measures taken to protect software applications from
vulnerabilities. This includes implementing security best practices during the software
development life cycle (SDLC) to ensure that programs are resilient against external attacks.
9. Firewalls
Firewalls serve as barriers between trusted internal networks and untrusted external networks,
managing the traffic that flows between them. They enforce pre-defined security rules to allow or
block data packets, thus aiding in the prevention of unauthorized access or attacks.
10. Security Information and Event Management (SIEM)
SIEM systems collect and analyze security event data from across the organization’s network to
provide real-time insights into potential security threats. This capability allows organizations to
respond swiftly to incidents by correlating data from multiple sources.
11. Network Segmentation
Network segmentation involves dividing a larger network into smaller, manageable segments,
each with its own security protocols. This practice helps to minimize the impact of a potential
breach, as attackers would find it more challenging to move laterally across the segmented
networks.
12. Employee Training and Awareness
Human factors remain one of the weakest links in network security. Training employees to
recognize potential threats and follow security protocols is vital for enhancing overall security
posture.
These techniques collectively form a robust approach to network security, ensuring comprehensive
protection against an ever-evolving threat landscape. Organizations that implement a combination of
these strategies will significantly improve their resilience against cyber threats.
Virtual Private Network (VPN)
A Virtual Private Network (VPN) allows a user to connect to a private network over the Internet
securely and privately. The VPN creates an encrypted connection called a VPN tunnel, and all Internet
traffic and communication is passed through this secure tunnel.
How Does a VPN Work?
A VPN works by securely and anonymously connecting the user to a server. Without a VPN, a user connects
straight to the internet through the Internet Service Provider (ISP) without any protection. However, with a VPN, the
user connects to a VPN client, which then routes their internet traffic to the VPN server through an encrypted
connection known as a tunnel. Then, the VPN server transmits the user's internet traffic to the internet under the
VPN server's IP address.
Routing internet traffic through a VPN server creates an encrypted tunnel that allows users to securely connect to the
VPN server. It prevents the ISP and any other third parties from seeing your data since the internet traffic is
encrypted and only the user and the VPN server have the decryption key.
A VPN also masks the user’s IP address because the IP address of the VPN server is used to access the internet
instead of the user’s actual IP address.
Types of Virtual Private Network (VPN)
1. Remote Access VPN
Remote Access VPN permits a user to connect to a private network and access all its services and
resources remotely. The connection between the user and the private network occurs through the Internet
and the connection is secure and private. Remote Access VPN is useful for home users and business users
both. An employee of a company, while he/she is out of station, uses a VPN to connect to his/her
company's private network and remotely access files and resources on the private network. Private users
or home users of VPN primarily use VPN services to bypass regional restrictions on the Internet and
access blocked websites. Users aware of Internet security also use VPN services to enhance their Internet
security and privacy.
2. Site to Site VPN
A Site-to-Site VPN is also called a Router-to-Router VPN and is commonly used in large companies.
Companies or organizations with branch offices in different locations use Site-to-Site VPN to connect
the network of one office location to the network at another office location.
Intranet based VPN: When several offices of the same company are connected using the Site-to-Site
VPN type, it is called an Intranet based VPN.
Extranet based VPN: When companies use the Site-to-Site VPN type to connect to the office of
another company, it is called an Extranet based VPN.
3. Cloud VPN
A Cloud VPN is a virtual private network that allows users to securely connect to a cloud-based
infrastructure or service. It uses the internet as the primary transport medium to connect the remote users
to the cloud-based resources. Cloud VPNs are typically offered as a service by cloud providers such as
Amazon Web Services (AWS) and Microsoft Azure. It uses the same encryption and security protocols as
traditional VPNs, such as IPsec or SSL, to ensure that the data transmitted over the VPN is secure. Cloud
VPNs are often used by organizations to securely connect their on-premises resources to cloud-based
resources, such as cloud-based storage or software-as-a-service (SaaS) applications.
4. Mobile VPN
Mobile VPN is a virtual private network that allows mobile users to securely connect to a private
network, typically through a cellular network. It creates a secure and encrypted connection between the
mobile device and the VPN server, protecting the data transmitted over the connection. Mobile VPNs can
be used to access corporate resources, such as email or internal websites, while the user is away from the
office. They can also be used to securely access public Wi-Fi networks, protecting the user’s personal
information from being intercepted. Mobile VPNs are available as standalone apps or can be integrated
into mobile device management (MDM) solutions. These solutions are commonly used by organizations
to secure their mobile workforce.
5. SSL VPN
SSL VPN (Secure Sockets Layer Virtual Private Network) is a type of VPN that uses the SSL protocol to
secure the connection between the user and the VPN server. It allows remote users to securely access a
private network by establishing an encrypted tunnel between the user’s device and the VPN server. SSL
VPNs are typically accessed through a web browser, rather than through a standalone client. This makes
them easier to use and deploy, as they don’t require additional software to be installed on the user’s
device. It can be used to access internal resources such as email, file servers, or databases. SSL VPNs are
considered more secure than traditional IPsec VPNs because they use the same encryption protocols as
HTTPS, the secure version of HTTP used for online transactions.
6. PPTP (Point-to-Point Tunneling Protocol) VPN
PPTP (Point-to-Point Tunneling Protocol) is a type of VPN that uses a simple and fast method for
implementing VPNs. It creates a secure connection between two computers by encapsulating the data
packets being sent between them. PPTP is relatively easy to set up and doesn’t require any additional
software to be installed on the client’s device. It can be used to access internal resources such as email,
file servers, or databases. PPTP is one of the oldest VPN protocols and is supported on a wide range of
operating systems. However, it is considered less secure than other VPN protocols such as L2TP or
OpenVPN, as it uses a weaker encryption algorithm and has been known to have security vulnerabilities.
7. L2TP (Layer 2 Tunneling Protocol) VPN
L2TP (Layer 2 Tunneling Protocol) is a type of VPN that creates a secure connection by encapsulating
data packets being sent between two computers. L2TP is an extension of PPTP: it adds more security to
the VPN connection by combining PPTP with L2F (Layer 2 Forwarding Protocol), and it uses a
stronger encryption algorithm than PPTP. L2TP is relatively easy to set up and doesn't require additional
software to be installed on the client’s device. It can be used to access internal resources such as email,
file servers, or databases. It is supported on a wide range of operating systems, but it is considered less
secure than other VPN protocols such as OpenVPN, as it still has some vulnerabilities that can be
exploited.
8. OpenVPN
OpenVPN is an open-source software application that uses SSL and is highly configurable and secure. It
creates a secure and encrypted connection between two computers by encapsulating the data packets
being sent between them. OpenVPN can be used to access internal resources such as email, file servers, or
databases. It is supported on a wide range of operating systems and devices, and can be easily configured
to work with various network configurations and security settings. It is considered one of the most secure
VPN protocols as it uses the industry standard SSL/TLS encryption protocols and it offers advanced
features such as two-factor authentication and a kill switch.
Types of Network Firewalls
A firewall is a method of network security that protects a computer network from users that are not
authorized to have access to the network. Firewalls can be hardware, software, or both. A firewall acts as a
barrier between unauthorized Internet users and private computer networks connected to the Internet. It
blocks messages, viruses, and hackers if they do not have authorized access and do not meet the security
criteria as per requirement. Any message entering or leaving private computer networks connected to
the Internet, especially an Intranet, passes through the firewall. The firewall then checks each message and blocks
it if found unauthorized. There are several types of firewall techniques:
Packet Filter
Application-level gateway
Circuit-level gateway
Stateful inspection firewall
Next-Generation Firewall (NGFW)
Proxy server
Packet Filters
It is a technique used to control network access by monitoring outgoing and incoming packets and
allowing them to pass or halt based on the source and destination Internet Protocol (IP) addresses,
protocols, and ports. This firewall is also known as a static firewall.
Stateful Inspection Firewalls
It is also a type of packet filtering that is used to control how data packets move through a firewall. It is
also called dynamic packet filtering. These firewalls can inspect whether a packet belongs to a
particular session or not. They permit communication if and only if the session is properly
established between the two endpoints; otherwise they block the communication.
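To make the difference between the static packet filter and the stateful inspection firewall concrete, here is an added Python example (not code from the module): a toy static filter that decides on header fields alone, beside a toy stateful firewall that records sessions opened from inside and admits only their replies. Addresses, ports and rules are constructed.

```python
# Added example (not from the module text): a toy static packet filter
# beside a toy stateful inspection firewall, to show why the stateful one
# can admit return traffic without a standing "allow" rule for it.
# Addresses, ports and rules are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"
    syn: bool = False
    ack: bool = False


# Static rules: (action, proto, dst_ip, dst_port); first match wins, default deny.
STATIC_RULES = [
    ("allow", "tcp", "192.0.2.10", 443),   # published web server
    ("allow", "tcp", "192.0.2.10", 80),
    ("deny", "any", "any", "any"),
]


def static_filter(pkt):
    """Decide on header fields alone; no memory of earlier packets."""
    for action, proto, dst_ip, dst_port in STATIC_RULES:
        if (proto in ("any", pkt.proto) and dst_ip in ("any", pkt.dst_ip)
                and dst_port in ("any", pkt.dst_port)):
            return action == "allow"
    return False


class StatefulFirewall:
    """Tracks TCP sessions opened from inside; admits only their replies."""

    def __init__(self, internal_prefix):
        self.internal_prefix = internal_prefix
        self.sessions = set()  # (src_ip, src_port, dst_ip, dst_port) seen outbound

    def inspect(self, pkt):
        outbound = pkt.src_ip.startswith(self.internal_prefix)
        if outbound and pkt.proto == "tcp" and pkt.syn and not pkt.ack:
            # An inside host is opening a session: remember its 4-tuple.
            self.sessions.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return True
        # A reply belongs to a session if the reversed 4-tuple was recorded.
        if (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.sessions:
            return True
        # Anything else falls through to the static rule set.
        return static_filter(pkt)


# Constructed packets: a client inside 10.0.0.0/8 opens a connection, the
# server replies, and an unrelated host sends an unsolicited packet.
CLIENT_SYN = Packet("10.0.0.5", 51000, "198.51.100.20", 443, syn=True)
SERVER_REPLY = Packet("198.51.100.20", 443, "10.0.0.5", 51000, syn=True, ack=True)
UNSOLICITED = Packet("198.51.100.99", 443, "10.0.0.5", 51000, syn=True, ack=True)
TO_WEB_SERVER = Packet("203.0.113.7", 40000, "192.0.2.10", 443, syn=True)


def run_demo():
    """Returns {packet_name: (static_decision, stateful_decision)}."""
    fw = StatefulFirewall(internal_prefix="10.")
    results = {}
    for name, pkt in [("client_syn", CLIENT_SYN), ("server_reply", SERVER_REPLY),
                      ("unsolicited", UNSOLICITED), ("to_web_server", TO_WEB_SERVER)]:
        results[name] = (static_filter(pkt), fw.inspect(pkt))
    return results


if __name__ == "__main__":
    for name, (static_ok, stateful_ok) in run_demo().items():
        print(f"{name:14} static={'allow' if static_ok else 'deny':5} "
              f"stateful={'allow' if stateful_ok else 'deny'}")
```

The static filter drops the legitimate server reply because no rule covers inbound traffic to a client's ephemeral port; the only way to let it through would be a blanket "allow inbound to high ports" rule, which would also admit the unsolicited packet. The stateful firewall admits the reply because it saw the session being opened, and still drops the unsolicited packet.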
Application Layer Firewalls
These firewalls can examine application layer (of the OSI model) information like an HTTP request. If it
finds a suspicious application that could harm our network or that is not safe for
our network, then it gets blocked right away.
Next-generation Firewalls
These firewalls are called intelligent firewalls. These firewalls can perform all the tasks that are
performed by the other types of firewalls that we learned previously, but on top of that they include
additional features like application awareness and control, integrated intrusion prevention, and cloud-
delivered threat intelligence.
Circuit-level Gateways
A circuit-level gateway is a firewall that provides User Datagram Protocol (UDP) and Transmission
Control Protocol (TCP) connection security and works between an Open Systems Interconnection
(OSI) network model’s transport and application layers such as the session layer.
Hardware Firewall vs Software Firewall
A hardware firewall is a separate physical device placed between a network and its connected devices.
It monitors and controls incoming and outgoing network traffic based on set security rules. Setting up a
hardware firewall requires skilled personnel for proper installation and ongoing management.
In contrast, a software firewall runs on a server or virtual machine. It operates on a security-focused
operating system, typically using standard hardware resources. Software firewalls can often be quickly
implemented using cloud automation tools.
Both hardware and software firewalls are crucial for network security. The choice between them
depends on specific needs and deployment contexts.
Software Firewall
The software firewall is a type of computer software that runs on our computers. It protects our system
from any external attacks such as unauthorized access, malicious attacks, etc. by notifying us about the
danger that can occur if we open a particular mail or if we try to open a website that is not secure.
Hardware Firewall
A hardware firewall is a physical appliance that is deployed to enforce a network boundary. All
network links crossing this boundary pass through this firewall, which enables it to perform an
inspection of both inbound and outbound network traffic and enforce access controls and other security
policies.
Cloud Firewall
These are software-based, cloud-deployed network devices. This cloud-based firewall protects a private
network from any unwanted access. Unlike traditional firewalls, a cloud firewall filters data at the
cloud level.
Secure Socket Layer (SSL)
1. Definition of SSL
Secure Sockets Layer (SSL) is a networking protocol specifically designed to secure connections between
web clients and servers over insecure networks, such as the internet. It was introduced by Netscape in
1995 as the first widely used protocol for ensuring secure online transactions.
2. Transition to TLS
In 2015, the Internet Engineering Task Force (IETF) ceased recommending SSL due to its various
vulnerabilities, replacing it with the more secure Transport Layer Security (TLS) protocol. Despite
being deprecated, SSL is still commonly referenced as SSL/TLS, particularly due to its longstanding
familiarity in the industry.
3. Importance of SSL
SSL has played a critical role in enabling secure e-commerce and data exchanges online by protecting
sensitive data from interception by malicious actors. It allows data to be encrypted so that unauthorized
parties cannot easily access it, thereby safeguarding information such as credit card numbers and personal
details during transactions.
4. Key Features of SSL
The protocol employs public and private key encryption to secure communications between devices over
a TCP/IP network. SSL also initiates an authentication process known as a handshake, which verifies
the identities of both parties involved in the communication. This process includes validating the SSL
certificate issued by a trusted certificate authority (CA) to confirm the server's authenticity.
5. SSL Certificates
To establish a secure connection, web servers must obtain a valid SSL certificate from a trusted CA.
These certificates authenticate the identity of websites and are a standard requirement for ensuring the
integrity and confidentiality of online transactions.
6. Types of SSL Certificates
There are three main types of SSL certificates: Extended Validation (EV), Organization Validated (OV),
and Domain Validated (DV). Each type varies in the level of verification required, with EV certificates
providing the highest level of trust.
7. Future of SSL
SSL is still in operation primarily in legacy systems, despite the advancements and security improvements
that TLS offers. Users and organizations are encouraged to transition to TLS due to its enhanced security
mechanisms and support of modern cryptographic algorithms, as older versions of SSL, such as 3.0, are
known to be vulnerable to several attacks.
Secure Shell (SSH) Protocol
The Secure Shell (SSH) protocol is a vital networking standard that enables secure remote login and
communication between computers over unsecured networks. It utilizes encryption for data protection,
ensuring that all commands, outputs, and file transfers are securely transmitted. SSH is widely adopted in
IT environments for purposes such as system administration, file transfers, and network management due
to its strong authentication mechanisms and versatility.
1. Definition of SSH Protocol
The Secure Shell (SSH) protocol is defined as a method for secure remote login from one computer to
another. It facilitates encrypted communications to safeguard data exchanged between the client and
server. SSH is essential for providing secure access to devices like computers and routers across
unsecured networks.
Version History
The first version of SSH (SSH-1) emerged in 1995, designed by Tatu Ylönen. However, it is now
considered deprecated due to security flaws, with SSH-2 being the current widely used version. SSH-2
offers improved security features, including modern cryptographic techniques, making it the standard for
secure communications.
2. Security Features
SSH employs encryption to secure connections, ensuring that user authentication, commands, output, and
file transfers are encrypted to protect against network attacks. The protocol not only encrypts the data
during transmission but also provides strong authentication options using public key cryptography, which
enhances security.
4. SSH Key Management
The management of SSH keys is critical for maintaining security within organizations, as keys can
accumulate and may be left unmanaged, potentially granting unauthorized access. Proper policies and
processes for SSH key management ensure that only the intended users have access to specific resources.
The port number of SSH is 22 (Twenty-Two). SSH key authentication allows you to connect to a server, or multiple servers,
without having to remember or enter your password for each system when logging in remotely from one
system to another. It always comes in key pairs:
Public key – Everyone can see it, no need to protect it (for the encryption function).
Private key – Stays on the computer, must be protected (for the decryption function).
Key pairs can be of the following types:
User Key – If the public key and private key remain with the user.
Host Key – If public key and private key are on a remote system.
Session key – Used when a large amount of data is to be transmitted.
Features of SSH
Encryption: Encrypted data is exchanged between the server and client, which ensures
confidentiality and prevents unauthorized attacks on the system.
Authentication: For authentication, SSH uses public and private key pairs which provide more
security than traditional password authentication.
Data Integrity: SSH provides Data Integrity of the message exchanged during the communication.
Tunneling: Through SSH we can create secure tunnels for forwarding network connections over
encrypted channels.
SSH allows remote login, hence it is a better alternative to TELNET.
SSH provides a secure File Transfer Protocol, which means we can transfer files over the Internet
securely.
Techniques Used in SSH
There are three major techniques used in SSH:
Symmetric Cryptography: In symmetric key cryptography the same key is used for encrypting and
decrypting the message; a unique single shared key is kept between the sender and receiver. For example:
DES (Data Encryption Standard) and AES (Advanced Encryption Standard).
Asymmetric Cryptography: In asymmetric key cryptography the key used for encrypting is
different from the key used for decrypting the message. For example: RSA (Rivest–Shamir–Adleman) and
the Digital Signature Algorithm.
Hashing: Hashing is a procedure used in cryptography which converts a variable-length string to a
fixed-length string; this fixed-length value is called the hash value and is generated by a hash function.
Intrusion Detection System (IDS)
An intrusion detection system (IDS) observes network traffic for malicious transactions
and sends immediate alerts when such activity is observed. It is software that checks a network or system for
malicious activities or policy violations. Each illegal activity or violation is often recorded either
centrally using a SIEM system or reported to an administrator.
Working of Intrusion Detection System(IDS)
An IDS (Intrusion Detection System) monitors the traffic on a computer network to detect any
suspicious activity.
It analyzes the data flowing through the network to look for patterns and signs of abnormal
behavior.
The IDS compares the network activity to a set of predefined rules and patterns to identify any
activity that might indicate an attack or intrusion.
If the IDS detects something that matches one of these rules or patterns, it sends an alert to the
system administrator.
The system administrator can then investigate the alert and take action to prevent any damage or
further intrusion.
Classification of Intrusion Detection System(IDS)
Intrusion Detection Systems are classified into 5 types:
Network Intrusion Detection System (NIDS): Network intrusion detection systems (NIDS) are set
up at a planned point within the network to examine traffic from all devices on the network. It
performs an observation of passing traffic on the entire subnet and matches the traffic that is passed
on the subnets to the collection of known attacks. Once an attack is identified or abnormal behavior
is observed, the alert can be sent to the administrator. An example of a NIDS is installing it on the
subnet where firewalls are located in order to see if someone is trying to crack the firewall.
Host Intrusion Detection System (HIDS): Host intrusion detection systems (HIDS) run on
independent hosts or devices on the network. A HIDS monitors the incoming and outgoing packets
from the device only and will alert the administrator if suspicious or malicious activity is detected. It
takes a snapshot of existing system files and compares it with the previous snapshot. If the analytical
system files were edited or deleted, an alert is sent to the administrator to investigate. An example of
HIDS usage can be seen on mission-critical machines, which are not expected to change their
layout.
Protocol-Based Intrusion Detection System (PIDS): Protocol-based intrusion detection system
(PIDS) comprises a system or agent that would consistently reside at the front end of a server,
controlling and interpreting the protocol between a user/device and the server. It attempts to secure
the web server by regularly monitoring the HTTPS protocol stream and accepting the related HTTP
protocol. Because the HTTPS stream is only unencrypted immediately before it enters the web
presentation layer, this system would need to reside at that interface in order to make use of the HTTPS traffic.
Application Protocol-Based Intrusion Detection System (APIDS): An application Protocol-based
Intrusion Detection System (APIDS) is a system or agent that generally resides within a group of
servers. It identifies the intrusions by monitoring and interpreting the communication on
application-specific protocols. For example, this would monitor the SQL protocol explicitly to the
middleware as it transacts with the database in the web server.
Hybrid Intrusion Detection System: Hybrid intrusion detection system is made by the
combination of two or more approaches to the intrusion detection system. In the hybrid intrusion
detection system, the host agent or system data is combined with network information to develop a
complete view of the network system. The hybrid intrusion detection system is more effective in
comparison to the other intrusion detection systems. Prelude is an example of a Hybrid IDS.
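The snapshot-and-compare check attributed to a HIDS above, and the fixed-length hash value described in the SSH "Hashing" subsection, are shown together in this added Python example (not code from the module). It builds a constructed "system" directory inside a temporary folder, records a SHA-256 baseline, alters the directory, and reports what changed; paths and file contents are made up.

```python
# Added example (not from the module text): the file-snapshot check a
# host-based IDS performs, built on SHA-256 so that any change to a file's
# bytes yields a different fixed-length digest. The "system" directory is
# constructed inside a temporary folder, so the demo runs anywhere.
import hashlib
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large files need little memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()  # always 64 hex characters, whatever the file size


def snapshot(root):
    """Map relative path -> digest for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_snapshots(baseline, current):
    """List (change, path) for files added, deleted or modified since baseline."""
    changes = []
    for name in sorted(set(baseline) | set(current)):
        if name not in current:
            changes.append(("deleted", name))
        elif name not in baseline:
            changes.append(("added", name))
        elif baseline[name] != current[name]:
            changes.append(("modified", name))
    return changes


def run_demo():
    """Build a constructed filesystem, take a baseline, alter it, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF original binary")
        baseline = snapshot(root)

        # Changes an administrator would want to hear about (constructed).
        (root / "bin" / "ls").write_bytes(b"\x7fELF replaced binary")
        (root / "etc" / "hosts").unlink()
        (root / "etc" / "cron.d").write_text("# new scheduled task\n")
        return compare_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for change, name in run_demo():
        print(f"{change:8} {name}")
```

On a real host the baseline would be stored somewhere the monitored machine cannot overwrite, since a snapshot kept on the same disk can be altered along with the files it is meant to protect.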
Intrusion Prevention System
Intrusion Prevention System is also known as Intrusion Detection and Prevention System. It is a
network security application that monitors network or system activities for malicious activity. Major
functions of intrusion prevention systems are to identify malicious activity, collect information about
this activity, report it and attempt to block or stop it.
Classification of Intrusion Prevention System (IPS):
Intrusion Prevention System (IPS) is classified into 4 types:
1. Network-based intrusion prevention system (NIPS):
It monitors the entire network for suspicious traffic by analyzing protocol activity.
2. Wireless intrusion prevention system (WIPS):
It monitors a wireless network for suspicious traffic by analyzing wireless networking protocols.
3. Network behavior analysis (NBA):
It examines network traffic to identify threats that generate unusual traffic flows, such as distributed
denial of service attacks, specific forms of malware and policy violations.
4. Host-based intrusion prevention system (HIPS):
It is an inbuilt software package which monitors a single host for suspicious activity by scanning
events that occur within that host.