1) INTRUDERS
Intruders and viruses (malicious programs) are the two most publicized threats to information security. An intruder is also referred to as a hacker or cracker. The different classes of intruders are the masquerader, the misfeasor and the clandestine user.
Masquerader: An individual who is not authorized to use the computer and who overcomes a system's access controls to exploit a legitimate user's account.
· The masquerader is likely to be an outsider.
Misfeasor: An individual who works within the scope of his privileges but misuses them.
· The misfeasor generally is an insider.
Clandestine user: An individual who seizes supervisory control to avoid the security mechanisms of the system.
· The clandestine user can be either an outsider or an insider.
Intrusion Techniques:
The main aims of the intruder are
· To gain access to a system
· To gather information
· To acquire passwords and then exercise the access rights of the owner
How to protect passwords: The password file can be protected in one of two ways.
1. One-way encryption: the user's password is stored in encrypted form. When the user presents a password, the system encrypts it and checks it against the stored value.
2. Access control: access to the password file is limited to a few privileged users only.
How to crack passwords: The attacker learns a login id or user id from email or web pages and then attempts to guess the password for it. The following techniques are used to capture passwords.
· Watching over the shoulder as the password is entered.
· Exhaustively trying all short passwords.
· Trying the user's phone numbers, social security numbers, and room numbers.
· Trying all legitimate licence plate numbers for this state.
· Trying the user's full name and the names of their children and spouse.
· Using a Trojan horse to bypass restrictions on access.
2) Intrusion Detection Systems (IDSs)
Intrusion is the act of gaining unauthorized access to a system.
Intrusion Detection is the act of detecting unwanted traffic on a network.
An Intrusion Detection System (IDS) is a device or software application that monitors system activities for malicious activity and produces reports to the concerned system.
Intrusion detection systems are of two main types, network based (NIDS) and host based (HIDS) intrusion detection systems. Network Intrusion Detection Systems (NIDS) are placed within the network to monitor traffic to and from all devices on the network. Host Intrusion Detection Systems (HIDS) run on individual hosts or devices on the network.
The Intrusion Detection System approaches are Statistical anomaly detection and Rule-based detection.
1. Statistical anomaly detection: Involves the collection of data relating to the behavior of legitimate users over a period of time. Then statistical tests are applied to observed behavior to determine with a high level of confidence whether that behavior is not legitimate user behavior.
a) Threshold detection: This approach involves defining thresholds, independent of user, for the frequency of occurrence of various events.
b) Profile based: A profile of the activity of each user is developed and used to detect changes in the behavior of individual accounts.
2. Rule-based detection: Involves an attempt to define a set of rules that can be used to decide that a given behavior is that of an intruder.
a) Anomaly detection: Rules are developed to detect deviation from previous usage patterns.
b) Penetration identification: An expert system approach that searches for suspicious behavior.
2.1 Tools for Intrusion Detection
Audit Records: A fundamental tool for intrusion detection is the audit record. Basically, two plans are used:
· Native audit records: Virtually all multiuser operating systems include accounting software that collects information on user activity. The advantage of using this information is that no additional collection software is needed. The disadvantage is that the native audit records may not contain the needed information or may not contain it in a convenient form.
· Detection-specific audit records: A collection facility can be implemented that generates audit records containing only that information required by the intrusion detection system. One advantage of such an approach is that it could be made vendor independent and ported to a variety of systems. The disadvantage is the extra overhead involved in having, in effect, two accounting packages running on a machine.
Each audit record contains the following fields:
· Subject
· Action
· Object
· Exception-Condition
· Resource-usage
· Time-stamp
Example:
Subject | Action  | Object   | Exception-Condition | Resource-usage | Time-stamp
Smith   | Execute | Copy.exe | 0                   | CPU=0002       | 11058721678
Ramesh  | Read    | Game.exe | 0                   | CPU=0005       | 11058721700
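As an added example (not part of the notes), the two statistical anomaly approaches of section 2 applied to audit records laid out with the fields of the table above. The records, the exception codes (0 = success, 1 = access denied), the CPU figures and the thresholds are constructed.

```python
import statistics
from collections import Counter

# Constructed audit records in the page's field layout:
# (Subject, Action, Object, Exception-Condition, Resource-usage (CPU), Time-stamp)
AUDIT_RECORDS = [
    ("Smith",  "Execute", "Copy.exe",   0, 2,  11058721678),
    ("Ramesh", "Read",    "Game.exe",   0, 5,  11058721700),
    ("Smith",  "Read",    "payroll.db", 1, 1,  11058721710),  # 1 = access denied
    ("Smith",  "Read",    "salary.db",  1, 1,  11058721712),
    ("Smith",  "Read",    "hr.db",      1, 1,  11058721715),
    ("Ramesh", "Execute", "Game.exe",   0, 4,  11058721720),
    ("Ramesh", "Execute", "Game.exe",   0, 60, 11058721730),
]

def threshold_detection(records, max_exceptions=2):
    """Threshold detection: one limit for everybody, independent of user.
    Flag any subject whose count of records with Exception-Condition != 0
    exceeds the limit (here: more than two denied accesses)."""
    failures = Counter(r[0] for r in records if r[3] != 0)
    return sorted(s for s, n in failures.items() if n > max_exceptions)

def profile_detection(records, subject, z_limit=2.0):
    """Profile-based detection: build this subject's Resource-usage profile
    (mean and standard deviation) from all but the newest record, then flag
    the newest record if it deviates from the profile by more than z_limit
    standard deviations. Returns (latest usage, z-score, flagged)."""
    usage = [r[4] for r in records if r[0] == subject]
    if len(usage) < 2:
        raise ValueError("need at least one historical record to form a profile")
    history, latest = usage[:-1], usage[-1]
    mean = statistics.mean(history)
    stdev = statistics.pstdev(history) or 1.0   # constant history: avoid dividing by zero
    z = (latest - mean) / stdev
    return latest, round(z, 2), abs(z) > z_limit
```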
2.2 Distributed Intrusion Detection
Until recently, work on intrusion detection systems focused on single-system stand-alone facilities. The typical organization, however, needs to defend a distributed collection of hosts supported by a LAN or internetwork. Although it is possible to mount a defense by using stand-alone intrusion detection systems on each host, a more effective defense can be achieved by coordination and cooperation among intrusion detection systems across the network.
A good example of a distributed intrusion detection system is one developed at the University of California at Davis. Figure 20.2 shows the overall architecture, which consists of three main components:
· Host agent module: An audit collection module operating as a background process on a monitored system. Its purpose is to collect data on security-related events on the host and transmit these to the central manager.
· LAN monitor agent module: Operates in the same fashion as a host agent module except that it analyzes LAN traffic and reports the results to the central manager.
· Central manager module: Receives reports from LAN monitor and host agents and processes and correlates these reports to detect intrusion.
Issues in Distributed Intrusion Detection
1. A distributed IDS deals with varying audit record formats.
2. Integrity and confidentiality of networked audit data have to be preserved.
3. A centralized or decentralized architecture can be followed.
3) PASSWORD MANAGEMENT
3.1 Password Protection:
· Password protection is the front line defense against intruders.
· Users usually supply a User Identifier (UID) and a password.
· The UID determines the privilege to access a system and the password authenticates the UID of a user.
3.2 The Vulnerabilities of passwords:
To understand the nature of the attack, let us consider a scheme that is widely used on UNIX systems, in which passwords are never stored in the clear. Rather, the following procedure is employed:
Fig: Loading a Password
· The user selects a password of length 8 printable characters.
· The password is converted to a 56-bit ASCII value and acts as the key to the DES-based encryption routine called crypt(3).
· crypt(3) accepts a 12-bit salt value along with the key.
· The algorithm takes a 64-bit block of zeros as input and produces a 64-bit output.
Fig: Verifying a password
· The user provides user id and password to log onto the UNIX system.
· The user id is used to index the password file.
· The plain salt and encrypted password are retrieved.
· The salt and the user-supplied password are given as inputs to the encryption routine, crypt(3).
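The loading and verifying procedures above, written out as an added example (not from the notes and not the real crypt(3)): the 8-character to 56-bit key step, the 12-bit salt and the encryption of a 64-bit zero block are modelled, but the salted DES step is replaced by a hypothetical keyed one-way function (pseudo_crypt) so the code runs without a DES library.

```python
import hashlib
import hmac
import secrets

ZERO_BLOCK = bytes(8)  # the 64-bit block of zeros that the routine encrypts

def password_to_key(password):
    """Map up to 8 printable characters to a 56-bit key: the low 7 bits of
    each character's ASCII code, 7 bits x 8 characters = 56 bits. Anything
    past the 8th character is ignored, as in the scheme described."""
    key = 0
    for ch in password[:8].ljust(8, "\0"):   # short passwords are NUL-padded
        key = (key << 7) | (ord(ch) & 0x7F)
    return key  # an integer below 2**56

def pseudo_crypt(key, salt):
    """Stand-in for the salted DES step (hypothetical, NOT DES or crypt(3)):
    a keyed one-way function over the zero block, truncated to 64 bits so
    the output has the shape of the original scheme."""
    if not 0 <= salt < 4096:
        raise ValueError("salt must be a 12-bit value")
    mac_key = key.to_bytes(7, "big") + salt.to_bytes(2, "big")
    return hmac.new(mac_key, ZERO_BLOCK, hashlib.sha256).digest()[:8]

def load_password(password, salt=None):
    """Loading: choose a 12-bit salt and store (salt, encrypted block).
    The clear password is never stored."""
    if salt is None:
        salt = secrets.randbelow(4096)
    return salt, pseudo_crypt(password_to_key(password), salt)

def verify_password(stored, candidate):
    """Verifying: retrieve the salt, re-run the routine on the supplied
    password and compare with the stored block in constant time."""
    salt, encrypted = stored
    again = pseudo_crypt(password_to_key(candidate), salt)
    return hmac.compare_digest(encrypted, again)
```

The last assertion-style check a reader can try is that "abcdefgh" and "abcdefghXYZ" verify against the same stored entry, which is the 8-character limit of the scheme, not a bug in the example.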
3.3 Access Control:
One way to thwart a password attack is to deny the opponent access to the password file. If the encrypted password portion of the file is accessible only by a privileged user, then the opponent cannot read it without already knowing the password of a privileged user.
3.4 Password Selection Strategies
Our goal, then, is to eliminate guessable passwords while allowing the user to select a password that is memorable. Four basic techniques are in use:
· User education
· Computer-generated passwords
· Reactive password checking
· Proactive password checking
The user education strategy is unlikely to succeed at most installations, particularly where there is a large user population or a lot of turnover. Many users will simply ignore the guidelines. Others may not be good judges of what is a strong password. For example, many users (mistakenly) believe that reversing a word or capitalizing the last letter makes a password unguessable.
Computer-generated passwords also have problems. If the passwords are quite random in nature, users will not be able to remember them. Even if the password is pronounceable, the user may have difficulty remembering it and so be tempted to write it down. In general, computer-generated password schemes have a history of poor acceptance by users. FIPS PUB 181 defines one of the best-designed automated password generators. The standard includes not only a description of the approach but also a complete listing of the C source code of the algorithm. The algorithm generates words by forming pronounceable syllables and concatenating them to form a word. A random number generator produces a random stream of characters used to construct the syllables and words.
The reactive password checking strategy is one in which the system periodically runs its own password cracker to find guessable passwords. The system cancels any passwords that are guessed and notifies the user. This tactic has a number of drawbacks. First, it is resource intensive if the job is done right. Because a determined opponent who is able to steal a password file can devote full CPU time to the task for hours or even days, an effective reactive password checker is at a distinct disadvantage. Furthermore, any existing passwords remain vulnerable until the reactive password checker finds them.
The most promising approach to improved password security is a proactive password checker. In this scheme, a user is allowed to select his or her own password.
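An added example (not from the notes) of a proactive password checker: the candidate is tested at selection time against the guessable forms named above, including a reversed word and a word with its last letter capitalized, and against user information such as names and phone numbers. The dictionary, the rules and the rejection messages are constructed.

```python
import re

# Constructed mini dictionary; a real checker would load a large word list.
DICTIONARY = {"password", "secret", "welcome", "dragon", "monkey"}

def _variants(candidate):
    """Forms users (mistakenly) believe make a word unguessable, mapped back
    to the base word: lower case (undoes capitalizing the last letter),
    reversed, and with trailing digits stripped."""
    low = candidate.lower()
    stripped = re.sub(r"\d+$", "", low)
    return {low, low[::-1], stripped, stripped[::-1]}

def check_password(candidate, user_info=()):
    """Proactive check run when the user proposes a password.
    Returns the list of reasons for rejection; an empty list means accepted."""
    reasons = []
    if len(candidate) < 8:
        reasons.append("shorter than 8 characters")
    if candidate.isalpha() or candidate.isdigit():
        reasons.append("uses a single character class")
    variants = _variants(candidate)
    if variants & DICTIONARY:
        reasons.append("dictionary word (possibly reversed or capitalized)")
    # user_info: constructed items an attacker could learn (name, phone, room)
    if variants & {item.lower() for item in user_info}:
        reasons.append("derived from user information (name, phone, room)")
    return reasons
```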
4) FIREWALL DESIGN PRINCIPLES
4.1 Firewall characteristics
1. All traffic from inside to outside, and vice versa, must pass through the firewall.
2. Only authorized traffic, as defined by the local security policy, will be allowed to pass.
3. The firewall itself is immune to penetration.
4.2 Limitations of a firewall
1. The firewall cannot protect against attacks that bypass the firewall.
2. The firewall does not protect against internal threats.
3. The firewall cannot protect against the transfer of virus-infected programs or files.
4.3 Types of firewalls
Three common types of firewall are:
1. Packet-Filtering Router
2. Application-level Gateway
3. Circuit-Level Gateway
1. Packet-Filtering Router
A packet-filtering router applies a set of rules to each incoming IP packet and then forwards or discards the packet. The router is typically configured to filter packets going in both directions.
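An added example (not from the notes) of the rule evaluation a packet-filtering router performs: rules are tried in order for traffic in both directions, the first match decides, and anything not expressly permitted is discarded. The LAN range, the hosts, the rules and the packets are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Packet:
    direction: str   # "in" (outside -> inside) or "out" (inside -> outside)
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    dport: int

# Constructed rule set for a router in front of the 10.0.0.0/24 LAN. Each rule:
# (direction, source net, destination net, proto, destination port or None = any, action).
RULES = [
    ("in",  "0.0.0.0/0",   "10.0.0.25/32", "tcp", 25,   "forward"),  # SMTP only to the mail host
    ("in",  "0.0.0.0/0",   "10.0.0.0/24",  "tcp", 23,   "discard"),  # no TELNET from outside
    ("out", "10.0.0.0/24", "0.0.0.0/0",    "tcp", None, "forward"),  # inside may open any TCP session
    ("out", "10.0.0.0/24", "0.0.0.0/0",    "udp", 53,   "forward"),  # inside may query DNS
]
DEFAULT_ACTION = "discard"   # default = discard: what is not expressly permitted is dropped

def _matches(rule, pkt):
    direction, src_net, dst_net, proto, dport, _ = rule
    return (direction == pkt.direction
            and ip_address(pkt.src) in ip_network(src_net)
            and ip_address(pkt.dst) in ip_network(dst_net)
            and proto == pkt.proto
            and (dport is None or dport == pkt.dport))

def filter_packet(pkt, rules=RULES):
    """Apply the rules in order to one IP packet; the first matching rule
    decides whether it is forwarded or discarded, otherwise the default applies."""
    for rule in rules:
        if _matches(rule, pkt):
            return rule[-1]
    return DEFAULT_ACTION
```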
2. Application-level Gateway
An Application-Level Gateway, also called a proxy server, acts as a relay of application-level traffic. The user contacts the gateway using a TCP/IP application, such as TELNET, FTP, SMTP or HTTP.
3. Circuit-Level Gateway
A third type of firewall is the Circuit-Level Gateway. This can be a specialized function performed by an Application-Level Gateway for certain applications.
4.4 Firewall Configurations
Three common firewall configurations are
1. Screened host firewall system (single-homed bastion host)
2. Screened host firewall system (dual-homed bastion host)
3. Screened-subnet firewall system
1. Screened host firewall system (single-homed bastion host)
In the screened host firewall, single-homed bastion configuration (Figure a), the firewall consists of two systems: a packet-filtering router and a bastion host.
2. Screened host firewall system (dual-homed bastion host)
The screened host firewall, dual-homed bastion configuration physically prevents such a security breach (Figure b). The advantages of dual layers of security that were present in the previous configuration are present here as well. Again, an information server or other hosts can be allowed direct communication with the router if this is in accord with the security policy.
3. Screened-subnet firewall system
The screened subnet firewall configuration (Figure c) is the most secure of those we have considered. In this configuration, two packet-filtering routers are used, one between the bastion host and the Internet and one between the bastion host and the internal network.
5) TRUSTED SYSTEMS
A trusted system is an operating system that enhances the ability of a system to defend against attackers.
5.1 Data Access Control:
A general model of access control as exercised by a file or database management system is that of the access matrix model and the Bell-LaPadula model.
Access Matrix Model:
Bell LaPadula Model:
5.2 The Concept of Trusted Systems
In this section we discuss the Reference Monitor concept.
Reference Monitor:
5.3 TROJAN HORSE DEFENSE
One way to secure against Trojan horse attacks is the use of a secure, trusted operating system. The above figure illustrates an example. In this case, a Trojan horse is used to get around the standard security mechanism used by most file management and operating systems: the access control list. In this example, a user named Bob interacts through a program with a data file containing the critically sensitive character string "CPE170KS." User Bob has created the file with read/write permission provided only to programs executing on his own behalf: that is, only processes that are owned by Bob may access the file.
The Trojan horse attack begins when a hostile user, named Alice, gains legitimate access to the system and installs both a Trojan horse program and a private file to be used in the attack as a "back pocket." Alice gives read/write permission to herself for this file and gives Bob write-only permission (Figure a). Alice now induces Bob to invoke the Trojan horse program, perhaps by advertising it as a useful utility. When the program detects that it is being executed by Bob, it reads the sensitive character string from Bob's file and copies it into Alice's back-pocket file (Figure b). Both the read and write operations satisfy the constraints imposed by access control lists. Alice then has only to access Bob's file at a later time to learn the value of the string.
Now consider the use of a secure operating system in this scenario (Figure c). Security levels are assigned to subjects at logon on the basis of criteria such as the terminal from which the computer is being accessed and the user involved, as identified by password/ID. In this example, there are two security levels, sensitive and public, ordered so that sensitive is higher than public. Processes owned by Bob and Bob's data file are assigned the security level sensitive. Alice's file and processes are restricted to public. If Bob invokes the Trojan horse program (Figure d), that program acquires Bob's security level. It is therefore able, under the simple security property, to observe the sensitive character string. When the program attempts to store the string in a public file (the back-pocket file), however, the *-property is violated and the attempt is disallowed by the reference monitor. Thus, the attempt to write into the back-pocket file is denied even though the access control list permits it: the security policy takes precedence over the access control list mechanism.
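The scenario above as an added example (not from the notes): a reference monitor that checks the access control list first and, when the secure operating system is in force, the mandatory policy as well (simple security property: no read up; *-property: no write down). Running the Trojan horse with and without policy enforcement reproduces figures (b) and (d). The object names, ACL entries and level labels are constructed.

```python
from enum import IntEnum

class Level(IntEnum):
    PUBLIC = 0
    SENSITIVE = 1

# Constructed access control lists for the scenario: object -> {user: permissions}.
# Bob's file is readable/writable only by Bob; Alice's back pocket is hers to
# read and write, and Bob has write-only permission on it.
ACL = {
    "bob_file":    {"bob": {"read", "write"}},
    "back_pocket": {"alice": {"read", "write"}, "bob": {"write"}},
}
# Security levels assigned by the secure OS (figure c).
LABELS = {"bob_file": Level.SENSITIVE, "back_pocket": Level.PUBLIC}

def reference_monitor(process_owner, process_level, op, obj, enforce_policy=True):
    """Decide one access. The ACL is checked first; with a secure OS the
    mandatory policy is checked too, and it takes precedence over the ACL.
    Returns (allowed, reason)."""
    if op not in ACL[obj].get(process_owner, set()):
        return False, f"ACL: {process_owner} may not {op} {obj}"
    if enforce_policy:
        if op == "read" and process_level < LABELS[obj]:
            return False, "simple security property: no read up"
        if op == "write" and process_level > LABELS[obj]:
            return False, "*-property: no write down"
    return True, "allowed"

def run_trojan(invoker, invoker_level, enforce_policy=True):
    """The Trojan horse runs as the invoker, at the invoker's level: it reads
    Bob's file, then tries to copy the string into the back-pocket file.
    Returns the monitor's decision for each step, stopping at the first denial."""
    log = []
    for op, obj in (("read", "bob_file"), ("write", "back_pocket")):
        allowed, reason = reference_monitor(invoker, invoker_level, op, obj, enforce_policy)
        log.append(f"{op} {obj}: {reason}")
        if not allowed:
            break
    return log
```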