Wednesday, March 29, 2017

Intruders

1)    INTRUDERS
Intruders and viruses (malicious programs) are the two most publicized threats to information security. An intruder is also referred to as a hacker or cracker. The three classes of intruder are the masquerader, the misfeasor and the clandestine user.
Masquerader: An individual who is not authorized to use the computer and who overcomes a system's access controls to exploit a legitimate user's account.
·         A masquerader is likely to be an outsider.
Misfeasor: An individual who works within the scope of his privileges but misuses them.
·         A misfeasor is generally an insider.
Clandestine user: An individual who seizes supervisory control to avoid the security mechanisms of the system.
·         A clandestine user can be either an outsider or an insider.

Intrusion Techniques:
The main aims of the intruder are:
·         To gain access to a system
·         To gather information
·         To acquire passwords and then exercise access rights of owner
How to protect passwords: The password file can be protected in one of two ways.
1.     One-way encryption: the user's password is stored only in one-way encrypted form. When the user presents a password, the system encrypts it the same way and compares the result with the stored value.
2.     Access control: access to the password file is limited to a few privileged users only.
How to crack passwords: The attacker learns a login id or user id from email or web pages and then attempts to guess the password for it. The following techniques are used to capture passwords.
·         Watch over the user's shoulder as the password is entered.
·         Exhaustively try all short passwords.
·         Try the user's phone numbers, social security numbers, and room numbers.
·         Try all legitimate licence plate numbers for this state.
·         Try the user's full name and the names of their children and spouse.
·         Use a Trojan horse to bypass restrictions on access.
----------------------------------------------------------------------------THANK U---------------------------------------


2)    Intrusion Detection Systems(IDSs)
Intrusion is the act of gaining unauthorized access to a system.
Intrusion detection is the act of detecting unwanted traffic on a network.
An Intrusion Detection System (IDS) is a device or software application that monitors system activities for malicious activity and produces reports for the responsible administrators or management system.

Intrusion detection systems are of two main types, network based (NIDS) and host based (HIDS) intrusion detection systems. Network Intrusion Detection Systems (NIDS) are placed within the network to monitor traffic to and from all devices on the network. Host Intrusion Detection Systems (HIDS) run on individual hosts or devices on the network.

The Intrusion Detection System approaches are Statistical anomaly detection and Rule-based Detection.
1.       Statistical anomaly detection: Involves the collection of data relating to the behavior of legitimate users over a period of time. Then statistical tests are applied to observed behavior to determine with a high level of confidence whether that behavior is not legitimate user behavior.
a)       Threshold detection: This approach involves defining thresholds, independent of user, for the frequency of occurrence of various events.
b)       Profile based: A profile of the activity of each user is developed and used to detect changes in the behavior of individual accounts.

2.       Rule-based detection: Involves an attempt to define a set of rules that can be used to decide that a given behavior is that of an intruder.
a)       Anomaly detection: Rules are developed to detect deviation from previous usage patterns.
b)       Penetration identification: An expert system approach that searches for suspicious behavior.

2.1 Tools for Intrusion Detection
Audit Records: A fundamental tool for intrusion detection is the audit record. Basically, two plans are used:
·         Native audit records: Virtually all multiuser operating systems include accounting software that collects information on user activity. The advantage of using this information is that no additional collection software is needed. The disadvantage is that the native audit records may not contain the needed information or may not contain it in a convenient form.
·         Detection-specific audit records: A collection facility can be implemented that generates audit records containing only that information required by the intrusion detection system. One advantage of such an approach is that it could be made vendor independent and ported to a variety of systems. The disadvantage is the extra overhead involved in having, in effect, two accounting packages running on a machine.

Each audit record contains the following fields:
·         Subject
·         Action
·         Object
·         Exception-Condition
·         Resource-usage
·         Time-stamp
Example:
Subject   Action    Object     Exception-Condition   Resource-usage   Time-stamp
Smith     Execute   Copy.exe   0                     CPU=0002         11058721678
Ramesh    Read      Game.exe   0                     CPU=0005         11058721700
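As an added illustration (not from the original notes), the following Python runs both statistical approaches of section 2 over audit records in the six-field format above: threshold detection with one limit for all users, and profile-based detection that learns each user's CPU usage. Both logs, the user Guest and the files Report.doc, Payroll.dat and Miner.exe are constructed for the example.

```python
import statistics
from collections import Counter, defaultdict, namedtuple

AuditRecord = namedtuple("AuditRecord", "subject action obj exception cpu timestamp")
def parse_record(line):
    """Parse 'Subject Action Object Exception-Condition CPU=nnnn Time-stamp'."""
    subj, act, obj, exc, res, ts = line.split()
    return AuditRecord(subj, act, obj, int(exc), int(res.split("=")[1]), int(ts))
def parse_log(text):
    return [parse_record(ln) for ln in text.splitlines() if ln.strip()]
# Constructed training log: normal behaviour of two users (not from the page).
TRAINING = parse_log("""
Smith Execute Copy.exe 0 CPU=0002 11058721678
Smith Read Report.doc 0 CPU=0003 11058721690
Ramesh Read Game.exe 0 CPU=0005 11058721700
Ramesh Execute Game.exe 0 CPU=0006 11058721710
""")
# Constructed interval under observation: Ramesh's CPU use jumps, Smith's
# reads of Payroll.dat keep failing, and Guest has no profile at all.
OBSERVED = parse_log("""
Ramesh Execute Miner.exe 0 CPU=0090 11058721800
Smith Read Payroll.dat 1 CPU=0001 11058721801
Smith Read Payroll.dat 1 CPU=0001 11058721802
Smith Read Payroll.dat 1 CPU=0001 11058721803
Guest Read Copy.exe 0 CPU=0001 11058721805
""")

def threshold_alerts(records, max_exceptions=2):
    """Threshold detection: one limit for every user; alert on any subject with
    more than max_exceptions failed actions (Exception-Condition != 0)."""
    failures = Counter(r.subject for r in records if r.exception != 0)
    return {s for s, n in failures.items() if n > max_exceptions}

def build_profiles(training):
    """Profile-based detection, step 1: per-user mean and std-dev of CPU usage."""
    usage = defaultdict(list)
    for r in training:
        usage[r.subject].append(r.cpu)
    return {s: (statistics.mean(v), statistics.pstdev(v)) for s, v in usage.items()}

def profile_alerts(profiles, records, k=3.0):
    """Step 2: flag CPU use more than k std-devs above the subject's own mean
    (std-dev floored at 1 for flat profiles) or a subject with no profile."""
    alerts = []
    for r in records:
        if r.subject not in profiles:
            alerts.append((r.subject, "no profile"))
        elif r.cpu > profiles[r.subject][0] + k * max(profiles[r.subject][1], 1.0):
            alerts.append((r.subject, f"cpu={r.cpu}"))
    return alerts
```

The threshold check fires on Smith's repeated failures, while the profile check fires on Ramesh's CPU spike and on Guest, whom the training data has never seen.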

2.2 Distributed Intrusion Detection
Until recently, work on intrusion detection systems focused on single-system stand-alone facilities. The typical organization, however, needs to defend a distributed collection of hosts supported by a LAN or internetwork. Although it is possible to mount a defense by using stand-alone intrusion detection systems on each host, a more effective defense can be achieved by coordination and cooperation among intrusion detection systems across the network.
A good example of a distributed intrusion detection system is one developed at the University of California at Davis. Figure 20.2 shows the overall architecture, which consists of three main components:
·         Host agent module: An audit collection module operating as a background process on a monitored system. Its purpose is to collect data on security- related events on the host and transmit these to the central manager.
·         LAN monitor agent module: Operates in the same fashion as a host agent module except that it analyzes LAN traffic and reports the results to the central manager.
·         Central manager module: Receives reports from the LAN monitor and host agents and processes and correlates these reports to detect intrusion.
Issues in Distributed Intrusion Detection
1. A distributed IDS deals with varying audit record formats.
2. Integrity and confidentiality of networked audit data has to be preserved.
3. A centralized or decentralized architecture can be followed.
3) PASSWORD MANAGEMENT
3.1 Password Protection:
·         Password protection is the front line defense against intruders.
·         Users usually supply User Identifier (UID) and a password.
·         The UID determines the privilege to access a system and the password authenticates the UID of a user.

3.2 The Vulnerabilities of passwords:
To understand the nature of the attack, consider a scheme that is widely used on UNIX systems, in which passwords are never stored in the clear. Rather, the following procedure is employed:
Fig: Loading a Password
·         The user selects a password of eight printable characters.
·         The password is converted to a 56-bit value (7-bit ASCII per character) that acts as the key to a DES-based encryption routine called crypt(3).
·         crypt(3) also accepts a 12-bit salt value along with the key.
·         The algorithm takes a 64-bit block of zeros as input and produces a 64-bit output.
Fig: Verifying a password

·         The user provides a user id and password to log on to the UNIX system.
·         The user id is used to index the password file.
·         The plain salt and the encrypted password are retrieved.
·         The salt and the user-supplied password are given as inputs to the encryption routine, crypt(3), and the output is compared with the stored encrypted password.
3.3 Access Control:
One way to thwart a password attack is to deny the opponent access to the password file. If the encrypted password portion of the file is accessible only by a privileged user, then the opponent cannot read it without already knowing the password of a privileged user.
3.4 Password Selection Strategies
Our goal, then, is to eliminate guessable passwords while allowing the user to select a password that is memorable. Four basic techniques are in use:
·         User education
·         Computer-generated passwords
·         Reactive password checking
·         Proactive password checking
User education strategy is unlikely to succeed at most installations, particularly where there is a large user population or a lot of turnover. Many users will simply ignore the guidelines. Others may not be good judges of what is a strong password. For example, many users (mistakenly) believe that reversing a word or capitalizing the last letter makes a password unguessable.
Computer-generated passwords also have problems. If the passwords are quite random in nature, users will not be able to remember them. Even if the password is pronounceable, the user may have difficulty remembering it and so be tempted to write it down. In general, computer-generated password schemes have a history of poor acceptance by users. FIPS PUB 181 defines one of the best-designed automated password generators. The standard includes not only a description of the approach but also a complete listing of the C source code of the algorithm. The algorithm generates words by forming pronounceable syllables and concatenating them to form a word. A random number generator produces a random stream of characters used to construct the syllables and words.
Reactive password checking strategy is one in which the system periodically runs its own password cracker to find guessable passwords. The system cancels any passwords that are guessed and notifies the user. This tactic has a number of drawbacks. First, it is resource intensive if the job is done right. Because a determined opponent who is able to steal a password file can devote full CPU time to the task for hours or even days, an effective reactive password checker is at a distinct disadvantage. Furthermore, any existing passwords remain vulnerable until the reactive password checker finds them.
The most promising approach to improved password security is a proactive password checker. In this scheme, a user is allowed to select his or her own password.
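Added example, not part of the notes: the load-then-verify structure of section 3.2 combined with the proactive password checker of section 3.4, in Python. hashlib.pbkdf2_hmac from the standard library stands in for the DES-based crypt(3) routine, the salt is eight random bytes rather than 12 bits, and the word list is a constructed stand-in for a real dictionary.

```python
import hashlib
import hmac
import os

# hashlib.pbkdf2_hmac stands in for the DES-based crypt(3); the salt + hash
# record and the two procedures (load, verify) follow the notes' scheme.
ITERATIONS = 100_000

def load_password(password, salt=None):
    """Loading: pick a random salt, hash password and salt together, and store
    the plain salt next to the hash (the password itself is never stored)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex()}

def verify_password(entry, password):
    """Verifying: re-run the hash with the stored salt and compare in constant time."""
    salt = bytes.fromhex(entry["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(digest.hex(), entry["hash"])

# Constructed word list; a real proactive checker uses a full dictionary.
DICTIONARY = {"password", "secret", "letmein", "welcome", "dragon"}

def proactive_check(password):
    """Proactive checking: reject a guessable password before it is accepted.
    Returns None if acceptable, otherwise the reason for rejection."""
    if len(password) < 8:
        return "too short"
    base = password.lower()
    stripped = base.rstrip("0123456789")
    # Undo the tricks the notes mention users wrongly trust (reversing a word,
    # capitalising a letter) plus a trailing digit suffix, then look them up.
    for cand in (base, base[::-1], stripped, stripped[::-1]):
        if cand in DICTIONARY:
            return f"dictionary word or a simple variant of one: {cand}"
    if len(set(password)) < 4:
        return "too few distinct characters"
    return None

def set_password(password):
    """Combined flow: the checker runs first; only an accepted password is stored."""
    reason = proactive_check(password)
    if reason:
        raise ValueError(reason)
    return load_password(password)
```

Because each record carries its own random salt, two users who choose the same password get different stored hashes, which is what defeats a single precomputed table against the whole file.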
4) FIREWALL DESIGN PRINCIPLES
4.1 Firewall characteristics
                1. All traffic from inside to outside, and vice versa, must pass through the firewall.
                2. Only authorized traffic, as defined by the local security policy, will be allowed to pass.
                3. The firewall itself is immune to penetration.
4.2 Limitations of a firewall
1.       The firewall cannot protect against attacks that bypass the firewall.
2.       The firewall does not protect against internal threats.
3.       The firewall cannot protect against the transfer of virus-infected programs or files.
4.3 Types of firewalls
                Three common types of firewall are:
                1. Packet-Filtering Router
                2. Application-Level Gateway
                3. Circuit-Level Gateway


1. Packet-Filtering Router
                A packet-filtering router applies a set of rules to each incoming IP packet and then forwards or discards the packet. The router is typically configured to filter packets going in both directions.
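Added example (not the notes' own): a minimal packet-filtering rule set evaluated first-match with a default discard, in Python. The protected network 192.0.2.0/24, the mail host 192.0.2.10 and the rules themselves are constructed; the anti-spoofing rule is placed first because the order of rules decides the outcome.

```python
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "direction src dst proto dport")
Rule = namedtuple("Rule", "direction src dst proto dport action")

def make_rule(direction, src, dst, proto, dport, action):
    """Build a rule: '*' in any field is a wildcard, addresses are CIDR networks."""
    net = lambda s: None if s == "*" else ipaddress.ip_network(s)
    return Rule(direction, net(src), net(dst), proto, dport, action)

# Constructed rule set for a router guarding 192.0.2.0/24 (documentation range):
# drop inbound packets claiming an internal source, allow inbound mail to the
# mail host only, allow any outbound TCP, and discard everything else.
RULES = [
    make_rule("in",  "192.0.2.0/24", "*",             "*",   "*", "discard"),  # anti-spoofing
    make_rule("in",  "*",            "192.0.2.10/32", "tcp", 25,  "forward"),  # SMTP to mail host
    make_rule("out", "192.0.2.0/24", "*",             "tcp", "*", "forward"),  # outbound TCP
    make_rule("*",   "*",            "*",             "*",   "*", "discard"),  # default deny
]

def matches(rule, pkt):
    """A rule matches when every field is either a wildcard or equal to the packet's."""
    return (rule.direction in ("*", pkt.direction)
            and (rule.src is None or ipaddress.ip_address(pkt.src) in rule.src)
            and (rule.dst is None or ipaddress.ip_address(pkt.dst) in rule.dst)
            and rule.proto in ("*", pkt.proto)
            and rule.dport in ("*", pkt.dport))

def filter_packet(rules, pkt):
    """The first matching rule decides; returns (action, index of the rule that fired)."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, i
    return "discard", None  # only reached if no default rule is present

if __name__ == "__main__":
    for p in (Packet("in", "198.51.100.7", "192.0.2.10", "tcp", 25),
              Packet("in", "198.51.100.7", "192.0.2.10", "tcp", 23),
              Packet("out", "192.0.2.55", "198.51.100.7", "tcp", 80),
              Packet("in", "192.0.2.55", "192.0.2.10", "tcp", 25)):
        print(p, "->", filter_packet(RULES, p))
```

Swapping the first two rules would let the spoofed packet (inbound, internal source, port 25) through, which is why a filtering router's rule order is part of the security policy.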

2. Application-level Gateway
An Application-Level Gateway, also called a proxy server, acts as a relay of application-level traffic. The user contacts the gateway using a TCP/IP application, such as TELNET, FTP, SMTP or HTTP.
3. Circuit-Level Gateway
            A third type of firewall is the Circuit-Level Gateway. This can be a specialized function performed by an Application-Level Gateway for certain applications.


4.4 Firewall Configurations
Three common firewall configurations are:
1.       Screened host firewall system (single-homed bastion host)
2.       Screened host firewall system (dual-homed bastion host)
3.       Screened-subnet firewall system
1.      Screened host firewall system (single-homed bastion host)
In the screened host firewall, single-homed bastion configuration (Figure a), the firewall consists of two systems: a packet-filtering router and a bastion host.

2.      Screened host firewall system (dual-homed bastion host)
The screened host firewall, dual-homed bastion configuration physically prevents such a security breach (Figure b). The advantages of dual layers of security that were present in the previous configuration are present here as well. Again, an information server or other hosts can be allowed direct communication with the router if this is in accord with the security policy.
3.       Screened-subnet firewall system

The screened subnet firewall configuration (Figure c) is the most secure of those we have considered. In this configuration, two packet-filtering routers are used, one between the bastion host and the Internet and one between the bastion host and the internal network.
5.TRUSTED SYSTEMS

A trusted system is an operating system that enhances the ability of a system to defend against attackers.

5.1 Data Access Control:
A general model of access control, as exercised by a file or database management system, is the access matrix model; the Bell-LaPadula model is the second model considered here.

Access Matrix Model:

Bell LaPadula Model:
5.2 The Concept of Trusted Systems
Here we discuss the reference monitor concept.

Reference Monitor:

5.3 TROJAN HORSE DEFENSE
One way to secure against Trojan horse attacks is the use of a secure, trusted operating system. The above figure illustrates an example. In this case, a Trojan horse is used to get around the standard security mechanism used by most file management and operating systems: the access control list. In this example, a user named Bob interacts through a program with a data file containing the critically sensitive character string "CPE170KS." User Bob has created the file with read/write permission provided only to programs executing on his own behalf: that is, only processes that are owned by Bob may access the file.
The Trojan horse attack begins when a hostile user, named Alice, gains legitimate access to the system and installs both a Trojan horse program and a private file to be used in the attack as a "back pocket." Alice gives read/write permission to herself for this file and gives Bob write-only permission (Figure a). Alice now induces Bob to invoke the Trojan horse program, perhaps by advertising it as a useful utility. When the program detects that it is being executed by Bob, it reads the sensitive character string from Bob's file and copies it into Alice's back-pocket file (Figure b). Both the read and write operations satisfy the constraints imposed by access control lists. Alice then has only to access Bob's file at a later time to learn the value of the string.
Now consider the use of a secure operating system in this scenario (Figure c). Security levels are assigned to subjects at logon on the basis of criteria such as the terminal from which the computer is being accessed and the user involved, as identified by password/ID. In this example, there are two security levels, sensitive and public, ordered so that sensitive is higher than public. Processes owned by Bob and Bob's data file are assigned the security level sensitive. Alice's file and processes are restricted to public. If Bob invokes the Trojan horse program (Figure d), that program acquires Bob's security level. It is therefore able, under the simple security property, to observe the sensitive character string. When the program attempts to store the string in a public file (the back-pocket file), however, the *-property (no write down) is violated and the attempt is disallowed by the reference monitor. Thus, the attempt to write into the back-pocket file is denied even though the access control list permits it: the security policy takes precedence over the access control list mechanism.
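Added example, not from the notes: a toy reference monitor in Python that replays the Bob/Alice scenario above. Every access passes the ACL check, and when levels are enforced also the simple security property (no read up) and the *-property (no write down); the File and Process classes and the file names are invented for the example.

```python
LEVELS = {"public": 0, "sensitive": 1}

class File:
    def __init__(self, name, level, acl, content=""):
        self.name, self.level, self.acl, self.content = name, level, acl, content

class Process:
    """A running program, labelled with the level of the user who invoked it."""
    def __init__(self, owner, level):
        self.owner, self.level = owner, level

class ReferenceMonitor:
    """Mediates every access. The ACL check is the ordinary mechanism; with
    enforce_levels the simple security property (no read up) and the
    *-property (no write down) are applied too and take precedence."""
    def __init__(self, enforce_levels=True):
        self.enforce_levels = enforce_levels
        self.log = []

    def _check(self, proc, f, mode, level_ok):
        ok = mode in f.acl.get(proc.owner, "") and (level_ok or not self.enforce_levels)
        self.log.append((proc.owner, mode, f.name, "allow" if ok else "deny"))
        if not ok:
            raise PermissionError(f"{proc.owner} may not {mode} {f.name}")

    def read(self, proc, f):
        self._check(proc, f, "r", LEVELS[proc.level] >= LEVELS[f.level])
        return f.content

    def write(self, proc, f, data):
        self._check(proc, f, "w", LEVELS[proc.level] <= LEVELS[f.level])
        f.content = data

def trojan_horse_scenario(enforce_levels=True):
    """Replay the notes' scenario and return what ends up in Alice's back-pocket
    file plus the monitor's log. Bob's file is sensitive with ACL rw for Bob only;
    the back-pocket file is public with ACL rw for Alice and w for Bob."""
    bob_file = File("bobdata", "sensitive", {"Bob": "rw"}, "CPE170KS")
    back_pocket = File("backpocket", "public", {"Alice": "rw", "Bob": "w"})
    rm = ReferenceMonitor(enforce_levels)
    trojan = Process("Bob", "sensitive")  # invoked by Bob, so it runs at Bob's level
    try:
        secret = rm.read(trojan, bob_file)      # ACL allows, and it is not a read-up
        rm.write(trojan, back_pocket, secret)   # ACL allows, but it is a write-down
    except PermissionError:
        pass
    return rm.read(Process("Alice", "public"), back_pocket), rm.log
```

With enforce_levels=False the monitor degrades to ACL-only checking and the string leaks (Figures a and b); with levels enforced the write is logged as denied and Alice's file stays empty (Figures c and d).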