UNIT-V
Advanced Network Security Technologies
Pretty Good Privacy (PGP)
► PGP is an open-source, freely available software package for e-mail security. It
provides authentication through the use of digital signature, confidentiality through
the use of symmetric block encryption, compression using the ZIP algorithm, and
e-mail compatibility using the radix-64 encoding scheme.
► PGP incorporates tools for developing a public-key trust model and public-key
certificate management.
► S/MIME is an Internet standard approach to e-mail security that incorporates the
same functionality as PGP.
► DKIM is a specification used by e-mail providers for cryptographically signing e-mail
messages on behalf of the source domain.
Working of PGP
PGP works through a combination of cryptography, data compression, and hashing techniques.
It is similar in spirit to other popular security technologies such as Kerberos, which authenticates
network users; Secure Sockets Layer (SSL), which secures websites; and the Secure File Transfer
Protocol (SFTP), which protects data in motion.
PGP uses the public key system, in which every user has a unique encryption key that is known
publicly and a private key that only they know. A sender encrypts a message with the recipient's
public key, and the recipient decrypts it with their own private key when they open it. PGP thus
combines private-key and public-key cryptography, using both symmetric and asymmetric
key technology to encrypt data as it travels across networks.
PGP follows a three-step process:
• PGP generates a large, random, one-time-use key that cannot be guessed; this becomes the
session key for the message.
• The session key is then encrypted using the recipient's public key, which protects it while
the message is being transmitted. The recipient shares their public key with anyone they
want to receive messages from.
• The sender transmits the encrypted session key along with the message; the recipient
recovers the session key using their private key and then decrypts the message.
USES
Encrypting emails
► PGP is most commonly used to encrypt email messages. It was initially used by anyone
wanting to share sensitive information, such as activists and journalists. But its popularity
has increased significantly in the face of organizations and government agencies collecting
user data, as people look to keep their personal and sensitive information private.
Digital signature verification
► PGP can be used for email verification. For example, if an email recipient is not sure about
the identity of the people sending them an email, they can use a digital signature in
conjunction with PGP to verify their identity.
Encrypting files
► The algorithm that PGP uses, which is typically the RSA algorithm, is largely considered
unbreakable, which makes it ideal for encrypting files. It is particularly effective when used
with a threat detection and response tool. File encryption software enables users to encrypt
all of their files while removing the complexity of the encryption-decryption process.
Advantages
► The biggest advantage of PGP encryption is that the algorithm is
unbreakable. It is widely used by people who need to secure their
private communications and is considered a leading method for
enhancing cloud security. That is because PGP makes it impossible
for a hacker, nation-state, or government agency to break into
files or emails protected by PGP encryption.
► However, there have been reports of security failings in some
PGP implementations, such as EFAIL, which was a vulnerability in
OpenPGP and S/MIME end-to-end encryption technologies.
Disadvantages
► Complexity of use: PGP encryption’s biggest downside is that it is typically not user-friendly.
Encrypting data and files using PGP takes time and effort, which can complicate message
sending for users. Organizations must provide employee training if they are considering
implementing PGP.
► Key management: Users need to fully understand how the PGP system works to ensure they do
not inadvertently create holes in their security defenses. Such holes can arise either from
incorrect usage of PGP or from lost or corrupted keys, which puts their fellow users at risk in
highly secure environments.
► Lack of anonymity: PGP will encrypt messages that users send, but it does not anonymize them.
As a result, senders and recipients of emails sent through a PGP solution can be traced. The
subject line of the message is also not encrypted, so avoid including sensitive data or
information. Users who want to hide their location can use anonymous browsers through proxy
servers or virtual private networks (VPNs). They can also use encrypted messaging applications,
such as Signal, that provide simple-to-use encryption or anonymization, which is a more efficient
alternative to encrypting stored data.
► Compatibility: It is impossible to use PGP unless both the sender and recipient of the
communication are using the same version of the software.
S/MIME
► S/MIME stands for Secure/Multipurpose Internet Mail Extensions, and
it is a standard that allows you to encrypt and sign your email
messages using public key cryptography. By using S/MIME, you can
ensure that your email messages are confidential, authentic, and
unmodified, regardless of who or where you send them to.
How does it work?
► S/MIME is based on the principle of PKI, also called public key cryptography, which uses two
keys: a public key and a private key. The public key is used to encrypt or lock the message,
and the private key is used to decrypt or unlock the message. The public key can be shared
with anyone, but the private key must be kept secret by the owner.
► Via PKI, S/MIME utilizes digital certificates, which are digital documents that contain the
public key and other information about the owner, such as the name, email address, and
organization. Certificates are issued and verified by trusted third parties, called certificate
authorities (CAs). Certificates help to establish the trustworthiness and validity of the public
keys and the identities of the owners.
► A digital certificate can also be applied as a digital signature on emails as an extra level
of security. It reassures the recipient that the email was indeed signed by you, since you were
verified by a CA, and not by a fraudster. The digital certificate acts as your distinctive digital
stamp, indicating to the recipient that the content has remained unchanged during
transmission. Any modification would render the signature invalid.
How to get S/MIME certificates
► To use S/MIME for email encryption and signing, you need to have a
valid S/MIME certificate that contains your public key and other
information about your identity. The most secure and reliable way of
obtaining S/MIME certificates is through a trusted certificate
authority (CA).
INTRUDERS
► One of the two most publicized threats to security is the intruder (the other is
viruses), often referred to as a hacker or cracker.
► Three classes of intruders:
• Masquerader: An individual who is not authorized to use the computer and who
penetrates a system’s access controls to exploit a legitimate user’s account
• Misfeasor: A legitimate user who accesses data, programs, or resources for which
such access is not authorized, or who is authorized for such access but misuses his or
her privileges
• Clandestine user: An individual who seizes supervisory control of the system and
uses this control to evade auditing and access controls or to suppress audit
collection
Intruder pattern behaviours
Intrusion detection system (SNORT)
► SNORT is a powerful open-source intrusion detection system (IDS) and intrusion
prevention system (IPS) that provides real-time network traffic analysis and data
packet logging. SNORT uses a rule-based language that combines anomaly,
protocol, and signature inspection methods to detect potentially malicious activity.
► Using SNORT, network admins can spot denial-of-service (DoS) attacks and
distributed DoS (DDoS) attacks, Common Gateway Interface (CGI) attacks, buffer
overflows, and stealth port scans. SNORT creates a series of rules that define
malicious network activity, identify malicious packets, and send alerts to users.
► SNORT is a free-to-use open-source piece of software that can be deployed by
individuals and organizations. The SNORT rule language determines which network
traffic should be collected and what should happen when it detects malicious
packets. SNORT can be used in the same way as sniffers and network
intrusion detection systems to discover malicious packets, or as a full network IPS
solution that monitors network activity and detects and blocks potential attack
vectors.
Features of SNORT
► There are various features that make SNORT useful for network admins to monitor their systems and
detect malicious activity. These include:
Real-time traffic monitor
► SNORT can be used to monitor the traffic that goes in and out of a network. It will monitor traffic in
real time and issue alerts to users when it discovers potentially malicious packets or threats on
Internet Protocol (IP) networks.
Packet logging
► SNORT enables packet logging through its packet logger mode, which means it logs packets to
the disk. In this mode, SNORT collects every packet and logs it in a hierarchical directory based on
the host network’s IP address.
Analysis of protocol
► SNORT can perform protocol analysis, which is a network sniffing process that captures data in
protocol layers for additional analysis. This enables the network admin to further examine
potentially malicious data packets, which is crucial when, for example, checking traffic against
the Transmission Control Protocol/IP (TCP/IP) stack protocol specification.
Content matching
SNORT collates rules by the protocol, such as IP and TCP, then by ports, and then by those
with content and those without. Rules that do have content use a multi-pattern matcher
that increases performance, especially when it comes to protocols like the Hypertext
Transfer Protocol (HTTP). Rules that do not have content are always evaluated, which
negatively affects performance.
OS fingerprinting
Operating system (OS) fingerprinting uses the concept that all platforms have a unique
TCP/IP stack. Through this process, SNORT can be used to determine the OS platform being
used by a system that accesses a network.
Can be installed in any network environment
SNORT can be deployed on all operating systems, including Linux and Windows, and as
part of all network environments.
Open source
As a piece of open-source software, SNORT is free and available for anyone who wants to
use an IDS or IPS to monitor and protect their network.
Different SNORT modes
► SNORT can be run in three different modes, selected by the flags used in the SNORT
command.
Packet sniffer
► SNORT’s packet sniffer mode means the software will read IP packets then display
them to the user on its console.
Packet logger
► In packet logger mode, SNORT will log all IP packets that visit the network. The network
admin can then see who has visited their network and gain insight into the OS and
protocols they were using.
NIPDS (Network Intrusion and Prevention Detection System)
► In NIPDS mode, SNORT will only log packets that are considered malicious. It does this
using the preset characteristics of malicious packets, which are defined in its rules. The
action that SNORT takes is also defined in the rules the network admin sets out.
SNORT Rules
Perform packet sniffing
SNORT can be used to carry out packet sniffing, which collects all data that transmits in and out of a
network. Collecting the individual packets that go to and from devices on the network enables detailed
inspection of how traffic is being transmitted.
Debug network traffic
Once it has logged traffic, SNORT can be used to debug malicious packets and any configuration issues.
Generate alerts
SNORT generates alerts to users as defined in the rule actions created in its configuration file. To receive
alerts, SNORT rules need to contain conditions that define when a packet should be considered unusual or
malicious, indicates a risk that a vulnerability is being exploited, may violate the organization's security
policy, or poses a threat to the network.
Create new rules
SNORT enables users to easily create new rules within the software. This allows network admins to change
how they want SNORT to work for them and the processes it should carry out. For example, they
can create new rules that tell SNORT to prevent backdoor attacks, search for specific content in packets,
show network data, specify which network to monitor, and print alerts in the console.
Differentiate between normal internet activities and malicious activities
Using SNORT rules enables network admins to easily differentiate between regular, expected internet activity
and anything that is out of the norm. SNORT analyzes network activity in real time to sniff out malicious
activity, then generates alerts to users.
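The "Content matching" feature and the rule handling described in this section, as an added worked example. This is not SNORT's own code: it is a miniature matcher that parses rules written in SNORT's header-plus-options syntax, groups them by protocol and destination port, splits content rules from content-less rules, and evaluates constructed packets against them. The variable bindings (`$HOME_NET`, `$HTTP_PORTS`), rules, SIDs and packets are all constructed samples, and only the msg, content, nocase and sid options are understood.

```python
"""Added example: a toy SNORT-style rule parser and matcher (not SNORT code)."""
import re
from collections import defaultdict

# Constructed variable bindings, standing in for ipvar/portvar in snort.conf.
VARS = {"$HOME_NET": "10.0.0.5", "$HTTP_PORTS": "80"}

HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")


def parse_rule(text):
    """Parse 'action proto src sport -> dst dport (options)' into a dict.
    Toy limits: option values containing ';' or |hex| escapes are not handled."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("unparseable rule: " + text)
    action, proto, src, sport, dst, dport, opts = m.groups()
    rule = {"action": action, "proto": proto.lower(), "src": src, "sport": sport,
            "dst": dst, "dport": dport, "msg": "", "sid": None, "contents": []}
    last = None
    for opt in (o.strip() for o in opts.split(";") if o.strip()):
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip().strip('"')
        if key == "content":
            last = {"pattern": val.encode(), "nocase": False}
            rule["contents"].append(last)
        elif key == "nocase" and last is not None:
            last["nocase"] = True  # modifier applies to the preceding content
        elif key == "msg":
            rule["msg"] = val
        elif key == "sid":
            rule["sid"] = int(val)
    return rule


def build_index(rules):
    """Group rules by (proto, dport), then split content rules from content-less ones."""
    index = defaultdict(lambda: {"content": [], "nocontent": []})
    for r in rules:
        port = VARS.get(r["dport"], r["dport"])
        index[(r["proto"], port)]["content" if r["contents"] else "nocontent"].append(r)
    return index


def field_matches(rule_val, pkt_val):
    rule_val = VARS.get(rule_val, rule_val)
    return rule_val == "any" or rule_val == str(pkt_val)


def content_matches(c, payload):
    if c["nocase"]:
        return c["pattern"].lower() in payload.lower()
    return c["pattern"] in payload


def evaluate(index, pkt):
    """Return [(sid, msg)] for every rule the packet triggers."""
    hits = []
    for key in ((pkt["proto"], str(pkt["dport"])), (pkt["proto"], "any")):
        bucket = index.get(key)
        if not bucket:
            continue
        # Content-less rules are always evaluated; content rules only pay for the
        # payload search once the header fields have matched.
        for r in bucket["nocontent"] + bucket["content"]:
            if not (field_matches(r["src"], pkt["src"]) and field_matches(r["sport"], pkt["sport"])
                    and field_matches(r["dst"], pkt["dst"]) and field_matches(r["dport"], pkt["dport"])):
                continue
            if all(content_matches(c, pkt["payload"]) for c in r["contents"]):
                hits.append((r["sid"], r["msg"]))
    return hits


# Constructed rules in SNORT syntax (SIDs in the local 1000000+ range).
RULES = [
    'alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"CGI-bin access attempt"; content:"/cgi-bin/"; nocase; sid:1000001; rev:1;)',
    'alert tcp any any -> $HOME_NET 22 (msg:"SSH connection to home net"; sid:1000002; rev:1;)',
    'alert udp any any -> any 53 (msg:"DNS query for example"; content:"example"; sid:1000003; rev:1;)',
]

# Constructed packets; payloads are short byte strings, not real captures.
PACKETS = [
    {"proto": "tcp", "src": "203.0.113.7", "sport": 51000, "dst": "10.0.0.5", "dport": 80,
     "payload": b"GET /CGI-BIN/test.cgi HTTP/1.1\r\n"},
    {"proto": "tcp", "src": "203.0.113.7", "sport": 51001, "dst": "10.0.0.5", "dport": 22,
     "payload": b"SSH-2.0-OpenSSH"},
    {"proto": "tcp", "src": "198.51.100.2", "sport": 51002, "dst": "10.0.0.5", "dport": 80,
     "payload": b"GET /index.html HTTP/1.1\r\n"},
    {"proto": "udp", "src": "10.0.0.9", "sport": 53000, "dst": "10.0.0.53", "dport": 53,
     "payload": b"\x00\x01\x01\x00\x00\x01\x07example\x04test\x00"},
]


def run(rule_texts=RULES, packets=PACKETS):
    """Return, per packet, the list of SIDs that fired."""
    index = build_index([parse_rule(t) for t in rule_texts])
    return [[sid for sid, _ in evaluate(index, p)] for p in packets]
```

Running `run()` shows the grouping in action: the two port-80 packets reach only the HTTP rules, and only the one whose payload contains `/cgi-bin/` (matched case-insensitively because of `nocase`) fires, while the content-less SSH rule fires on header fields alone.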
Honeypots
► A relatively recent innovation in intrusion detection technology is the honeypot.
Honeypots are decoy systems that are designed to lure a potential attacker away from
critical systems. Honeypots are designed to
• divert an attacker from accessing critical systems
• collect information about the attacker’s activity
• encourage the attacker to stay on the system long enough for administrators to respond
These systems are filled with fabricated information designed to appear valuable but that
a legitimate user of the system wouldn’t access. Thus, any access to the honeypot is
suspect. The system is instrumented with sensitive monitors and event loggers that detect
these accesses and collect information about the attacker’s activities. Because any
attack against the honeypot is made to seem successful, administrators have time to
mobilize and log and track the attacker without ever exposing productive systems. Initial
efforts involved a single honeypot computer with IP addresses designed to attract
hackers. More recent research has focused on building entire honeypot networks that
emulate an enterprise, possibly with actual or simulated traffic and data. Once hackers
are within the network, administrators can observe their behavior in detail and figure out
defenses.
Purpose:
• Detect attacks
• Study hacker behavior
• Divert attackers from real systems
Example:
► A honeypot might be a fake banking system or login page. When a
hacker tries to attack it, the system records everything they do.
Honeynets
A honeynet is like a honeypot but at the network level.
Instead of just one fake computer or service, a honeynet includes many fake
systems:
• Web servers
• Email servers
• Internal networks
• User accounts
• Routers and firewalls
It’s Designed To:
• Look like a real company’s network
• Attract more complex attackers
• Capture large-scale attack strategies
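The honeypot and honeynet ideas above, as an added worked example that is not part of the slides: a small in-memory model of instrumented decoy services (no login ever succeeds, every interaction is logged, the data handed out is fabricated bait) grouped into a honeynet that reconstructs each source's path across the fake systems. Service names, banners, addresses and decoy contents are constructed samples.

```python
"""Added example: an in-memory honeypot/honeynet instrumentation model."""
import itertools
from collections import defaultdict
from dataclasses import dataclass

_SEQ = itertools.count()  # global ordering so events from different services interleave


@dataclass(frozen=True)
class Event:
    seq: int
    src: str
    service: str
    action: str
    detail: str


class DecoyService:
    """One fake system (e.g. 'ssh', 'web'). It grants nothing and records everything."""

    def __init__(self, name, banner, decoy_data):
        self.name, self.banner, self.decoy_data = name, banner, decoy_data
        self.events = []

    def _record(self, src, action, detail):
        ev = Event(next(_SEQ), src, self.name, action, detail)
        self.events.append(ev)
        return ev

    def connect(self, src):
        self._record(src, "connect", self.banner)
        return self.banner

    def login(self, src, user, password):
        # There are no legitimate users, so every attempt is suspect. Record the
        # username tried; never authenticate, but keep the service looking real.
        self._record(src, "login", f"user={user} pwlen={len(password)}")
        return False

    def read(self, src, key):
        # Bait records look valuable; a legitimate user would never request them.
        self._record(src, "read", key)
        return self.decoy_data.get(key, "")


class Honeynet:
    """Several decoy services presented as one fake enterprise network."""

    def __init__(self, services):
        self.services = {s.name: s for s in services}

    def events(self):
        return sorted((e for s in self.services.values() for e in s.events), key=lambda e: e.seq)

    def alerts(self):
        """Any touch at all is an alert: the systems have no production purpose."""
        return [f"{e.src} -> {e.service}: {e.action} ({e.detail})" for e in self.events()]

    def attacker_paths(self):
        """Per-source sequence of services touched: the strategy-level view."""
        paths = defaultdict(list)
        for e in self.events():
            paths[e.src].append(f"{e.service}:{e.action}")
        return dict(paths)


def build_honeynet():
    """Constructed honeynet: fake SSH, web and mail systems with fabricated data."""
    return Honeynet([
        DecoyService("ssh", "SSH-2.0-OpenSSH (decoy banner)", {}),
        DecoyService("web", "HTTP/1.1 200 OK (decoy)",
                     {"/admin/customers.csv": "id,name,card\n1,Fake Person,0000 (fabricated)"}),
        DecoyService("mail", "220 mail.example.test ESMTP (decoy)", {}),
    ])


def simulate():
    """Constructed interaction of a single source with the honeynet."""
    net = build_honeynet()
    src = "203.0.113.7"
    net.services["ssh"].connect(src)
    net.services["ssh"].login(src, "root", "toor")
    net.services["ssh"].login(src, "admin", "admin123")
    net.services["web"].connect(src)
    net.services["web"].read(src, "/admin/customers.csv")
    return net
```

After `simulate()`, `attacker_paths()` returns the ordered route the source took (SSH guesses, then the web decoy, then the bait file), which is the kind of behavioural record the slides say administrators use to study attackers and design defences.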
Security in emerging technologies:
IoT, cloud computing, and
blockchain
DIY