Network Security: Fundamentals

Hello. So, we will be continuing our discussion on Computer Networks and Internet. Actually we were discussing Network Security in the last lecture; we will be continuing our discussion on network security. So, in the last lecture we were discussing some of the aspects of network security, like determining network security policies, implementing the security policies, and the rest of the things, step by step, that will be there.
(Refer Slide Time: 00:49)
So, actually we have seen what the issues related to determining the network security policies are.
(Refer Slide Time: 00:57)
And also we have seen the issues related to implementation of the security policies, right.
(Refer Slide Time: 01:03)
And, today we will look at the other aspects. So, if you look at the implementation of the security policies, we require, other than our standard devices, some more stock, right, like one is the IDS, intrusion detection system. And there is a concept of firewall, like firewalling the thing, and there is another thing called firewall or NAT; we will come to those aspects. And this is my internal network.
So, what am I trying to do? I am trying to make an internal network secure from the rest of the world, or so to say the internet, right. So, I am having a router to connect to the internet, and there are some of the devices which need to be external, which need to be put some place where they will be accessed by the external world. So, that is the concept of the demilitarized zone or DMZ zone, where the external servers which need to be accessed, like for example a web server or some other servers which need to be accessed, are in the DMZ zone. So, there is a switch which connects this DMZ zone through the firewall to some sort of a hub to the router, and whatever packets come into this hub, the hub is in the same broadcast and collision domain.

This idea is basically to try to look at the intrusion detection system. So, it has protocols, it has a logic to look at that, to detect the interface, or it has a database or knowledge base of how to detect. And this firewall is basically to prevent the thing from the external world. Now, IDS cannot be inside the firewall, right, then it cannot know what is going on in the things, right. And so, there in that DMZ zone, if you see, there are two categories or two firewalls; one is the one which basically makes an isolated DMZ zone.

So, this network is protected through this firewall, whereas this firewall protects the systems in the DMZ zone and creates a space where this type of systems can be there, whereas this is a more exposed thing where we want to know what are the different types of net attacks etcetera going on.
(Refer Slide Time: 03:25)
So, in implementing security policies, one is the firewall, which is one of the major aspects; the other is the intrusion detection system or IDS; and also there is a concept of honeypot or honeynet, right. So, it is something which, as the name suggests, attracts the attackers to attack on the things. By that the signatures of the attacks are learned, which may update the knowledge base of the IDS or the IDS detection systems and other things. So, it is important to have those type of things in large installations. Now, there can be a network of these honeypots to share the information, and it can be across different organisations also, so that there is other information. So, it simulates a decoy host or network with services which are exposed to the attack, where the attack signatures are learned.
(Refer Slide Time: 04:21)
The next step is to learn about the network. I need to know the IP addresses of the hosts on the network, key servers with the critical data, services running on those hosts and servers, vulnerabilities on those servers. So, two forms: one may be passive or active. The passive thing is undetectable, as I will say, and active is by active attack on the things, which can be detectable by the intrusion detection system.
(Refer Slide Time: 04:57)
So, another aspect we want to look at in the network is vulnerability scanning; that is the next step. So, I want to scan how vulnerable I am. What are the vulnerabilities inside the thing? So, a list of hosts and services, and many scanners will detect vulnerabilities, like there is a scanner called Nessus; other scanners will allow you to exploit them, right. So, there is Metasploit, a source that can exploit. So, if the vulnerability is there, how to exploit them. Like I say, there is a vulnerability in the user-level login case, right. So, that is exploited to generate a higher-level access right to the things. So, one is that once the attack happens then you detect and learn; the other is that I can do a self-scanning of the things. That is, what the different vulnerabilities are vis-a-vis my exploit database, and try to find out what sort of vulnerabilities are there. So, there are scanners which are updatable; that is, for new vulnerabilities you install or write new plugins. So, Nessus attack scripting language, and there are several languages there. So, that means scanning the vulnerabilities.
(Refer Slide Time: 06:13)
So, if I have the vulnerabilities, whether I can do some sort of penetration testing, like I want to do some sort of, what we say, non-lethal attack on my system and see how much I can penetrate and type of things, or some sort of ethical hacking on the systems, right: identify the vulnerabilities, and once the vulnerability is identified we can exploit them to gain access using a framework like Metasploit, which is as simple as selecting a payload to execute; otherwise we manufacture an exploit or we generate an exploit and type of thing. So, there are different exploits for which there is no per se prevention on the things. So, these are what we say zero-day exploit type of things.

So, there are, so to say, quote unquote costly exploits. So, those things are there, but once we learn then we go on patching. So, we may also try to find out new vulnerabilities; this involves writing code, testing functions etcetera. So, this is a separate activity of the security group of an organisation: to look at what are the different well-known vulnerabilities and type of things, do a self exploitation of my network or ethical hacking on my network, find out what are the possible attacks which are possible into the systems, and then try to recommend or find out what mechanisms will help in detecting and preventing those, right. So, these are the different aspects of exploits, vulnerability scanning, and what we say penetration testing.
(Refer Slide Time: 07:45)
Now finally, we have the post attack investigation. So, forensics of the attack; so, like if there is an attack then we have to investigate and do some forensics or post mortem of the attacks, right. This process is heavily guided by law, like what we have to do and what is allowed etcetera, and there can be different guidelines from organisation to organisation, like the type of things which are true for an academic organisation may not be true for a banking or financial organisation.

So, retain the chain of evidence. The evidence in this case is the data on the host. So, what are the different evidences: log files of the compromised host, to hold the footsteps or the fingerprints of that attacker, to find out how that attacker came. Every minute with that host must be accounted for. For legal reasons you should also examine a low-level copy of the disk and not modify the original thing, right. So, type of things that for legal reasons later on, some litigation etcetera, we need to do, specially for commercial organisations, organisations giving services to other organisations and type of things.

So, in some cases your data is in some other place and type of things and needs to be handled appropriately. So, what we see, these type of steps are not a one-time thing; it has to be executed on a routine basis, because the system is evolving or having different states at different points of time. There are different updates, applications, attacks, and the type of scenarios are changing: both the system scenarios are changing and, on the other side, these attack scenarios are changing, right.
(Refer Slide Time: 09:33)
So, vulnerability assessment of any network is very important, right, that I need to a priori know how vulnerable I am, right. So, though it is something which is difficult to say, that I am fully charged, nevertheless there should always be a way of, or always looking at, the vulnerabilities. So, today's enterprises are fully or mostly IT enabled, right. So, any enterprise, any organisation, even any academic institution or any government or federal organisations are all IT enabled, right, or heavily dependent on IT infrastructure, where the networking plays a major role in making things connected. So, the need for self security, that is vulnerability assessment, is the order of the day, right. You need to do vulnerability assessment. So, there are content-aware intrusion protection systems. So, it is content-aware IPS, file system scanning, penetration testing. So, these are the different aspects which need to be looked into.
(Refer Slide Time: 10:53)
Now, this penetration testing is sometimes also called the tiger team attack or red team attack: that is, a test for evaluating the strength of all security controls on the computer systems. Goal: violate the site security policies. So, I have a security policy, a mechanism to implement those policies; then what I want to know is whether I can basically compromise this policy and attack the system, right. So, it is not a replacement for careful design and implementation with structured testing. So, it is independent of what best practices you are having. So, it is careful design, implementation, structured testing; in spite of that, whether there is a loophole or not needs to be looked into.

So, a methodology for testing the system in toto, right, once it is in place. So, the system is in place and I have a mechanism for testing whether the system is working faithfully or not. Examine procedural and operational controls as well as technological controls, alright. So, it tries to look at procedural and operational controls as well as the technological controls in the things.
(Refer Slide Time: 12:05)
So, there are different tools; some are proprietary tools which are pretty costly; public domain tools, but good, but others also know that you are doing like this, and there are integration problems and issues like that. Need to evolve our own framework, proprietary to the organisations etcetera; that may be a need, but it may not be always followable; nevertheless there are priced products always there.
(Refer Slide Time: 12:27)
So, a system vulnerability is a hole or weakness in the application design flaw or implementation; vulnerability types can be different: SQL injection, buffer overflow.
Penetration testing: a method of evaluating the vulnerabilities of a computer system or network by simulating the attack of a malicious hacker.
(Refer Slide Time: 12:47)
So, the methods again fall in the same line; we are not discussing them again.
(Refer Slide Time: 12:53)
So, if you look at the penetration testing things: location of the target, block IP, network setup, vulnerabilities in open services. So, enumeration, vulnerability identification, then whether we can exploit, using the exploit database, to gain access to the system. Escalation and advancement stage to exploit the other targets, information gathering and reconnaissance; so, look into this whole loop. So, this is the way it goes on: you first learn about the system, get the footprint of the different devices and type of things, then accordingly whether they are exploitable, consulting the exploit database, then try to escalate and advance, and then again information gathering and so on and so forth; it goes in a loop.
(Refer Slide Time: 13:45)
Or if you look at the typical architectural model of a penetration testing tool, there is a system characteristics knowledge base and system vulnerabilities, right. So, these are the things. So, obtain footprint, fingerprint, services enumerator. So, that is fingerprint, OS, scan reports. So, these are the things which go to find out the system characteristics. So, from these, the scan vulnerability is to find out what the vulnerabilities are, consulting the knowledge base of system vulnerabilities; then exploit targets can be there, right. On the other hand this thing can be used to patch the target also. So, some of the processes, some of the data stores where things are there.

So, it is not that very straightforward a process; it requires a lot of expertise on the system level or wage level; it also needs a good exploit database, which is a good and updated exploit database which allows you to exploit the system, but everything done in a quote unquote ethical manner, that is a non-destructive manner, so that the system does not go off; rather try to find out the different vulnerabilities and other things so that the patchwork, or appropriate patches, can be deployed.

So, with these mechanisms we will try to look now at different system level things, like if you just recollect this one. So, there are different type of things, right: one is your router, firewall or NAT, there is IDS and type of things. So, we try to see what the different properties are, whether something can help us in achieving better security features.

Network Security: Fundamentals - Part 2
So, some of the things like proxy server, network address translator, firewall are some of the features or the things. To be very, to be on at the beginning, so to say, these are the things which are not primarily, some, not all the things are primarily meant for the security etcetera. So, they have other purposes also, but can also be looked into as a security measure. As these are nowadays common for all the networks, and they have some of the properties to isolate the incoming or expose, or can handle the exposing of, the internal hosts to the external things. So, this can be utilized by the things. Some of the things have been already discussed in this lecture series also. But for the sake of generality and to continue our discussion we are looking into some aspects again with the first; that means, we say so that it is easy to correlate with what we are discussing.
(Refer Slide Time: 16:31)
So, what is a proxy or proxy server? It acts on behalf of other clients and presents requests from the other clients to the server, right. So, a proxy, as the name suggests, is a proxy for the other clients, right. It acts as a server while talking to a client and acts as a client while talking to the server. So, it is an intermediate system proxying for the others.

So, the primary need may be, like at IIT Kharagpur we may be on a private IP block which is not routable. So, somebody is proxying for me and type of things; or actually the proxy can have much higher levels, or different types of aspects of the things, even doing content-based filtering etcetera, and it allows doing some of the things like caching and giving better accessibility and type of things. So, commonly used for HTTP is Squid, which is available in most of the systems.
(Refer Slide Time: 17:57)
A proxy server is a server that sits between the client application, for example a web browser, and a real server. So, I am accessing something like, typically for IIT Kharagpur, if I want to access say any external service, the IIT Bombay page, the IIT Bhubaneswar page or IIT something, or any other page, say some networking or IEEE standard page. So, what I am doing is I am sending a request generated from a particular private IP; we have a proxy server which it hits; the proxy takes that, observes that IP and the port, and in turn sends a request on my behalf, right. How are the things maintained? I have an IP and port, the proxy has an IP and port, and this protocol, this particular tuple is unique for our connections, right.

So, even if I have two browsers, say Mozilla or something, two instances doing the same page, they have a different port, right, going out of the thing. So, it intercepts all requests to the real server to see if it can fulfil the request itself; if not, it forwards the request to the real server, right. So, what happens is that as it is accessing the things it is also caching the content; when somebody is requesting, it may check whether it can fulfil the request or not.
(Refer Slide Time: 19:29)
So, there are two types of servers: this works to improve performance; it can dramatically improve performance for a group of users. It saves all the results of requests in a cache and can generally conserve bandwidth. So, we have a thing where the proxy in turn replies if it is already in the cache. There is filter request, that is another type; or instead of types I should say that it is the basic purpose of the proxy server. So, it is not the proxy server types, it is rather purposes of the proxy server.

One is to improve performance, because it is serving from the cache; another is that it has a property of filtering requests, right: when a request comes, checking whether the request can be sent or not, there it filters the request, which in turn gives some sort of a security feature. Like preventing users from accessing a specific set of websites; IIT Kharagpur, the organisation, thinks that these set of websites cannot be accessed by its own users, so it can prevent. Preventing users from accessing pages containing some specified things, even the higher level proxy where the content can be seen, which can prevent users from specified pages having a string. Preventing users from accessing video files, for example, and type of things, right; and it also has, apart from that, the caching effect that we have discussed. So, these are the different mechanisms of what we can do with these proxy things.
(Refer Slide Time: 21:19)
There is a concept of an anonymous proxy: hide the user's IP, thereby preventing unauthorised access to the user's computer from the internet. So, the anonymous proxy hides the user's IP, right, and all requests to the outside world originate with the IP address of the proxy server, right. So, whatever the external IP address of the proxy server is, it basically hides the user's IP, right. So, all requests to the outside world originate with that IP address. So, the IP address of the proxy becomes the IP address which goes to the external server.

It is sometimes very convenient, like online subscription of channels; like IIT Kharagpur has online subscriptions of various journals, IEEE, AICE (Refer Time: 22:05) and type of things, right; I do not have the exact list immediately with me. But what happens is that while accessing, it gives the proxy IP for the authentication to access the journal. Whoever is using this proxy will be able to authenticate and get access to these journals, then digital libraries; these are the things by which we are benefited here sitting at IIT Kharagpur, and that must be being done in several other organizations.
(Refer Slide Time: 22:33)
So, where is it located? So, somewhere in between, right: one side is the origin server which it is accessing; all these user agents' requests come to this proxy server. It has an access control list or access rules by which the proxy decides whether that particular page can be requested, and all the cache: if it is already there, it will reply from the cache. So, that is the basic bottom line of the proxy server.
(Refer Slide Time: 23:01)
So, functions of an HTTP proxy: request forwarding is the primary function; it acts as a rudimentary firewall, taking care of what can be filtered. Access control: allow or deny access based on contents and locations, right. It can do that if the proxy is able to look at the content at a higher level; then it can open up the packet at the application layer, or the message itself, and check whether there is any access control restriction based on content or based on the location. Cache management: efficient utilisation of the bandwidth for first hour access, that is the cache management.
(Refer Slide Time: 23:55)
So, this is broadly how a proxy works, but though we are primarily looking at the HTTP proxy there can be other types of proxy also, right. So, it is proxying for other services and type of things.
(Refer Slide Time: 24:13)
The next is the network address translator. Now, I believe this has already been discussed in this course, specially when we discussed IP and type of things. But I thought that it may be good to have a quick review of the things.
(Refer Slide Time: 24:31)
As the name suggests, it allows a single device, router or dedicated box, to act as an agent between the internet, the public network, and the local or private network. So, it is sort of a single box and it basically maps one IP set to another IP set, right, or for that matter IP and port to another IP and port, so that it can be a seamless connection.

So, it tries to address the IP address distribution problem, so that, you know, the IP addresses like IIT Kharagpur is running on a private IP block, like several organisations running on their private address ranges, these are non-routable. So, this network address translator changes this IP to a valid IP which is routable, and goes on, and remembers who has connected for the particular IP, so that when the request comes from the client IP plus port, and also with the IP and port, things go on. Several variants of this network address translator are possible.
(Refer Slide Time: 25:35)
So, this private address space, like these are on the LAN; see, this is a private IP space, this is also a private IP space. Incidentally they are using the same IP blocks, but so if it were in a routable scenario this could have been an IP clash, and it would have gone for a spin. But here what we are doing is, from there, there is something which translates this IP to a valid IP and it goes on, and if it is going there it also takes an IP, translates the IP and gets that equivalent or the translated IP to access the private IP of the other network.

So, there is again a small typo; there should have been private IP network 1, private IP network 2, so that it accesses. So, H 1 is accessing H 3. So, 10 dot 0 dot 1 dot 2 is mapped to this IP; this carries over; this IP is again remapped to H 3, means to this particular IP address, right. So, though both are 10 dot 0 dot 1 dot 2, there are different IP blocks.

Now, while communicating across the network, these are NATed or translated to this particular IP which is routable, and cross there, and this is also the IP of this interface and goes into the thing. Now, multiple things like H 1, H 3, H 2 can do it simultaneously because of their having that mapping with the port number. So, it is mapped appropriately by the NATer. So, when the request comes back it knows where it is to be delivered.
(Refer Slide Time: 27:23)
Now, the basic operation of the NAT, as we are discussing. So, source IP, destination IP goes on. So, the mapping goes on and it goes into the system. So, this is private IP, public IP; NATing is being done out here, right. So, it comes with 10 dot 0 dot 1 dot 2, this one, and goes out with 128 143 73 21. While it is coming back, looking at this public IP stuff it maps it to that particular IP, like here 10 dot 1 dot. So, it comes with 128 143 73 21. So, it was having a mapping of this and goes on doing this. So, it is a mapping.
(Refer Slide Time: 28:07)
So, the NAT device has an address translation table, or ATT; typically this is the address translation table: source is computer A, source IP is this one, source destination NATing IP is this one at port number 1. So, it is NATed and this table is maintained so that it can basically differentiate where the request came from and who will get the thing.
(Refer Slide Time: 28:27)
So, capability of NATing: the maximum number of concurrent translations is one thing, like how many it can concurrently do; typically mainly determined by the size of the memory to store; typically an ATT entry takes 160 bits. So, with memory size 8 bit we will support around so much concurrent connections, which is pretty high for any organisation.
(Refer Slide Time: 28:51)
Main uses: pooling of IP addresses, supporting migration between network service providers. So, when IIT Kharagpur today changes the IP it does not have to change the internal IP block. So, it is a private IP and still there; and IP masquerading is another challenge; load balancing of the servers is definitely the need of the hour.
(Refer Slide Time: 29:15)
There are some concerns: performance, as there is one more hop, there is a performance issue. Fragmentation: care must be taken for datagrams fragmented before reaching the device. It is not designed for different IP addresses, different port numbers etcetera. So, the fragmentation is a challenge.
(Refer Slide Time: 29:33)
End-to-end connectivity is destroyed by the thing, right. So, you have another hop into the things. So, NAT destroys the universal end-to-end reachability of the hosts in the internet; a host in the public internet often cannot initiate communication to a host in the private internet. The problem is worse when the two hosts are in the private internet and need to communicate with each other. So, there are two hops, as we have seen, right, here the NATer at the other end.
(Refer Slide Time: 29:57)
So, IP address in the application: if it is there, so that the application carries the IP address, this NATer destroys it; applications that carry the IP address in the payload of the application generally do not work well with this public-private NATing thing.
(Refer Slide Time: 30:13)
And there are several other benefits: use of NAT automatically creates a firewall between the internal and the external. So, it is a security benefit. So, these IPs are never exposed; NAT will allow only the connections that are originated from within the internal network to the NAT (you can devise that method with that approach); an outside host cannot initiate a connection with the internal host, right, directly. So, inbound mapping is required, say static NATing. So, if you want this IP to be reached, we require static NATing.
(Refer Slide Time: 30:43)
So, finally, is NATing a proxy server? No, ideally no. NAT is transparent to both the source and destination host, but a proxy is not always transparent to the things, right. You know where the proxy server is. NAT is primarily a layer 3 device; it is a network layer protocol; though we have a port number, it is primarily NATing IP addresses, right. So, in contrast a proxy is primarily a layer 4 or layer 4 plus device. So, it is more at the other end of the things, right.

So, with this let us conclude our discussion today. Finally, we would like to see, on the network security part, what are the different aspects with respect to the different layers of the TCP/IP or OSI layers, and some aspects of firewall and so on and so forth.

Thank you.
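As an added example, not part of the lecture: a small Python simulation of the NAT address translation table described in the NAT section above, showing how two private networks that both use 10.0.1.2 are kept apart by port-based mappings, and why an outside host cannot initiate a connection to an internal host unless a static (inbound) mapping exists. The public address 203.0.113.10, the outside host 198.51.100.7 and the port numbers are constructed sample values; the `NAT` class and `demo` function are hypothetical and not taken from any real implementation.

```python
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class Packet:
    """One IP/transport header tuple, as drawn in the lecture's NAT diagrams."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NAT:
    """Port-based NAT holding an address translation table (ATT).

    outbound: (private ip, private port) -> allocated public port
    inbound:  public port -> (private ip, private port)
    """

    def __init__(self, public_ip, first_port=40000, table_size=1024):
        self.public_ip = public_ip
        self.table_size = table_size        # models the ATT memory limit
        self._ports = count(first_port)     # next free public port
        self.outbound = {}
        self.inbound = {}

    def add_static(self, pub_port, priv_ip, priv_port):
        """Static (inbound) mapping: publishes an internal server to the outside."""
        self.inbound[pub_port] = (priv_ip, priv_port)
        self.outbound[(priv_ip, priv_port)] = pub_port

    def translate_out(self, pkt):
        """Private -> public: allocate (or reuse) a public port for this flow."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.outbound:
            if len(self.inbound) >= self.table_size:
                raise RuntimeError("translation table full")
            pub_port = next(self._ports)
            self.outbound[key] = pub_port
            self.inbound[pub_port] = key
        return Packet(self.public_ip, self.outbound[key], pkt.dst_ip, pkt.dst_port)

    def translate_in(self, pkt):
        """Public -> private. Returns None (dropped) when no ATT entry matches:
        this is the implicit firewall the lecture describes, since an outside
        host cannot create an entry on its own."""
        if pkt.dst_ip != self.public_ip or pkt.dst_port not in self.inbound:
            return None
        priv_ip, priv_port = self.inbound[pkt.dst_port]
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port)


def demo():
    """H1 (10.0.1.2 behind NAT A) fetches a page from H3 (also 10.0.1.2,
    behind NAT B). NAT A's public address is the one on the lecture slide;
    the other addresses are constructed sample values."""
    nat_a = NAT("128.143.73.21")
    nat_b = NAT("203.0.113.10")
    nat_b.add_static(80, "10.0.1.2", 80)    # H3's web server, published statically

    out = nat_a.translate_out(Packet("10.0.1.2", 5001, "203.0.113.10", 80))
    delivered = nat_b.translate_in(out)      # arrives at H3 as 10.0.1.2:80
    reply = nat_b.translate_out(
        Packet(delivered.dst_ip, delivered.dst_port, out.src_ip, out.src_port))
    back = nat_a.translate_in(reply)          # ATT entry routes it to H1:5001
    # An outside host trying to reach H1's SSH port directly: no entry, dropped.
    unsolicited = nat_a.translate_in(Packet("198.51.100.7", 1234, "128.143.73.21", 22))
    return out, delivered, back, unsolicited


if __name__ == "__main__":
    for p in demo():
        print(p)
```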