
Intrusion Detection:

Intruders
One of the two most publicized threats to security is the intruder (the other is viruses), often referred to as
a hacker or cracker. In an important early study of intrusion, Anderson [ANDE80] identified three classes
of intruders:

• Masquerader: An individual who is not authorized to use the computer and who penetrates a system’s
access controls to exploit a legitimate user’s account

• Misfeasor: A legitimate user who accesses data, programs, or resources for which such access is not
authorized, or who is authorized for such access but misuses his or her privileges

• Clandestine user: An individual who seizes supervisory control of the system and uses this control to
evade auditing and access controls or to suppress audit collection

The masquerader is likely to be an outsider; the misfeasor generally is an insider;

Intruder attacks range from the benign to the serious. At the benign end of the scale, there are many people
who simply wish to explore internets and see what is out there. At the serious end are individuals who are
attempting to read privileged data, perform unauthorized modifications to data, or disrupt the system.
[GRAN04] lists the following examples of intrusion:

• Performing a remote root compromise of an e-mail server

• Defacing a Web server

• Guessing and cracking passwords

• Copying a database containing credit card numbers

• Viewing sensitive data, including payroll records and medical information, without authorization

• Running a packet sniffer on a workstation to capture usernames and passwords

• Using a permission error on an anonymous FTP server to distribute pirated software and music files

• Dialing into an unsecured modem and gaining internal network access

• Posing as an executive, calling the help desk, resetting the executive’s e-mail password, and learning the
new password

• Using an unattended, logged-in workstation without permission

Patterns of Behavior

(a) Hacker

1. Select the target using IP lookup tools such as NSLookup, Dig, and others.

2. Map network for accessible services using tools such as NMAP.

3. Identify potentially vulnerable services (in this case, pcAnywhere).


4. Brute force (guess) pcAnywhere password.

5. Install remote administration tool called DameWare.

6. Wait for administrator to log on and capture his password.

7. Use that password to access remainder of network.

(b) Criminal Enterprise

1. Act quickly and precisely to make their activities harder to detect.

2. Exploit perimeter through vulnerable ports.

3. Use Trojan horses (hidden software) to leave back doors for reentry.

4. Use sniffers to capture passwords.

5. Do not stick around until noticed.

6. Make few or no mistakes.

(c) Internal Threat

1. Create network accounts for themselves and their friends.

2. Access accounts and applications they wouldn’t normally use for their daily jobs.

3. E-mail former and prospective employers.

4. Conduct furtive instant-messaging chats.

5. Visit Web sites that cater to disgruntled employees, such as f’dcompany.com.

6. Perform large downloads and file copying.

7. Access the network during off hours.

INTRUSION DETECTION:

An Intrusion Detection System (IDS) is a system that monitors network traffic for suspicious activity
and issues alerts when such activity is discovered. It is a software application that scans a network or a
system for harmful activity or policy breaching. Any malicious venture or violation is normally reported
either to an administrator or collected centrally using a security information and event management
(SIEM) system. A SIEM system integrates outputs from multiple sources and uses alarm filtering
techniques to differentiate malicious activity from false alarms.

Although intrusion detection systems monitor networks for potentially malicious activity, they
are also disposed to false alarms. Hence, organizations need to fine-tune their IDS products when
they first install them. It means properly setting up the intrusion detection systems to recognize
what normal traffic on the network looks like as compared to malicious activity.
Intrusion prevention systems also monitor the network packets inbound to the system, check them for
malicious activity, and at once send warning notifications.
Classification of Intrusion Detection System:
IDS is basically classified into 2 types:
1. Network Intrusion Detection System (NIDS):
Network intrusion detection systems (NIDS) are set up at a planned point within the
network to examine traffic from all devices on the network. A NIDS observes the
traffic passing on the entire subnet and matches the traffic passed on the subnets against
the collection of known attacks. Once an attack is identified or abnormal behavior is
observed, an alert can be sent to the administrator. An example of a NIDS deployment is installing it
on the subnet where the firewalls are located, in order to see if someone is trying to crack the
firewall.

2. Host Intrusion Detection System (HIDS):


Host intrusion detection systems (HIDS) run on independent hosts or devices on the
network. A HIDS monitors the incoming and outgoing packets of that device only and
alerts the administrator if suspicious or malicious activity is detected. It also takes a snapshot
of existing system files and compares it with the previous snapshot. If the monitored system
files were edited or deleted, an alert is sent to the administrator to investigate. An example
of HIDS usage can be seen on mission-critical machines, which are not expected to change
their layout.
Detection Method of IDS:
1. Signature-based Method:
A signature-based IDS detects attacks on the basis of specific patterns in the network traffic, such as
the number of bytes or the number of 1's or 0's. It also detects on the
basis of already known malicious instruction sequences used by malware. The
detected patterns in the IDS are known as signatures.
A signature-based IDS can easily detect attacks whose pattern (signature) already exists
in the system, but it is quite difficult for it to detect new malware attacks, as their pattern
(signature) is not yet known.
2. Anomaly-based Method:
Anomaly-based IDS was introduced to detect unknown malware attacks, since new
malware is developed rapidly. In anomaly-based IDS, machine learning is used to
create a model of trustworthy activity; anything incoming is compared with that model and is
declared suspicious if it is not found in the model. Machine-learning-based methods generalize
better than signature-based IDS, as these models can be trained
according to the applications and hardware configurations.
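The two detection methods side by side, as an added example that is not part of these notes: a signature matcher over a constructed pattern database and a simple statistical anomaly model (mean and standard deviation of bytes per connection, learned from a constructed clean window). All addresses, ports, byte counts and patterns are constructed; the machine-learning model of the text is replaced here by a plain k-sigma threshold so the tuning trade-off (false alarms versus missed novel attacks) is visible.

```python
import statistics
from dataclasses import dataclass


@dataclass
class Record:
    """One constructed connection summary, as a NIDS sensor on the subnet might emit it."""
    src: str
    dst_port: int
    nbytes: int
    payload: bytes


# Signature database (constructed byte patterns, not real indicators): name -> known pattern.
SIGNATURES = {
    "known-pattern-A": b"\x90\x90\x90\x90\xcc",
    "known-pattern-B": b"EXAMPLE-ATTACK-STRING",
}


def signature_alerts(records):
    """Signature-based method: alert only on exact matches with already known patterns."""
    alerts = []
    for r in records:
        for name, pattern in SIGNATURES.items():
            if pattern in r.payload:
                alerts.append((r.src, name))
    return alerts


def build_baseline(training):
    """Anomaly-based method, step 1: learn normal bytes-per-connection per destination port."""
    per_port = {}
    for r in training:
        per_port.setdefault(r.dst_port, []).append(r.nbytes)
    return {port: (statistics.mean(v), statistics.pstdev(v) or 1.0) for port, v in per_port.items()}


def anomaly_alerts(records, baseline, k=3.0):
    """Anomaly-based method, step 2: flag traffic more than k standard deviations above the
    learned volume, or traffic to a destination port never seen during training."""
    alerts = []
    for r in records:
        if r.dst_port not in baseline:
            alerts.append((r.src, "unseen-port-%d" % r.dst_port))
            continue
        mean, sd = baseline[r.dst_port]
        if (r.nbytes - mean) / sd > k:
            alerts.append((r.src, "volume-anomaly-port-%d" % r.dst_port))
    return alerts


# Constructed clean training window: web (port 80) and mail (port 25) traffic.
TRAINING = [Record("10.0.0.2", 80, n, b"GET /") for n in
            (500, 520, 480, 510, 490, 505, 495, 515, 485, 500)]
TRAINING += [Record("10.0.0.3", 25, n, b"MAIL FROM") for n in (1000, 1100, 900, 1050, 950)]
BASELINE = build_baseline(TRAINING)   # port 80: mean 500, sd ~12.2; port 25: mean 1000, sd ~70.7

# Constructed records to classify.
TEST_RECORDS = [
    Record("10.0.0.5", 80, 510, b"GET /index.html"),                 # normal
    Record("10.0.0.7", 80, 520, b"GET /?q=EXAMPLE-ATTACK-STRING"),   # known attack, normal size
    Record("10.0.0.9", 80, 20000, b"POST /upload"),                  # unknown attack, huge size
    Record("10.0.0.11", 25, 1200, b"MAIL FROM"),                     # legitimate but large mail
    Record("10.0.0.13", 8081, 300, b"GET /"),                        # port absent from the model
]

if __name__ == "__main__":
    print("signature:", signature_alerts(TEST_RECORDS))              # catches only the known pattern
    print("anomaly k=3:", anomaly_alerts(TEST_RECORDS, BASELINE))    # catches the novel oversized transfer
    print("anomaly k=2:", anomaly_alerts(TEST_RECORDS, BASELINE, k=2.0))  # tighter threshold adds a false alarm
```

The known attack hidden in a normal-sized request is caught only by the signature rule, the oversized novel transfer only by the anomaly model, and lowering k to 2 starts flagging legitimate large mail, which is the fine-tuning problem the text describes.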
Comparison of IDS with Firewalls:
IDS and firewalls are both related to network security, but an IDS differs from a firewall: a
firewall looks outward for intrusions in order to stop them from happening. Firewalls restrict
access between networks to prevent intrusion, and if an attack comes from inside the network they do not
signal it. An IDS describes a suspected intrusion once it has happened and then signals an alarm.
PASSWORD MANAGEMENT:

Password Protection
The front line of defense against intruders is the password system. Virtually all multiuser
systems require that a user provide not only a name or identifier (ID) but also a password. The
password serves to authenticate the ID of the individual logging on to the system. In turn, the ID
provides security in the following ways:
• The ID determines whether the user is authorized to gain access to a system. In some systems,
only those who already have an ID filed on the system are allowed to gain access.
• The ID determines the privileges accorded to the user. A few users may have supervisory or
“superuser” status that enables them to read files and perform functions that are especially
protected by the operating system. Some systems have guest or anonymous accounts, and users
of these accounts have more limited privileges than others.
• The ID is used in what is referred to as discretionary access control. For example, by listing the
IDs of the other users, a user may grant permission to them to read files owned by that user.
THE VULNERABILITY OF PASSWORDS
To understand the nature of the threat to password-based systems, let us consider a scheme that
is widely used on UNIX, in which passwords are never stored in the clear. Rather, the following
procedure is employed (Figure 20.4a). Each user selects a password of up to eight printable
characters in length. This is converted into a 56-bit value (using 7-bit ASCII) that serves as the
key input to an encryption routine. The encryption routine, known as crypt(3), is based on
DES. The DES algorithm is modified using a 12-bit “salt” value. Typically, this value is related
to the time at which the password is assigned to the user. The modified DES algorithm is
exercised with a data input consisting of a 64-bit block of zeros. The output of the algorithm then
serves as input for a second encryption. This process is repeated for a total of 25 encryptions. The
resulting 64-bit output is then translated into an 11-character sequence. The hashed password is
then stored, together with a plaintext copy of the salt, in the password file for the corresponding
user ID. This method has been shown to be secure against a variety of cryptanalytic attacks.
The salt serves three purposes:
• It prevents duplicate passwords from being visible in the password file. Even if two users
choose the same password, those passwords will be assigned at different times. Hence, the
“extended” passwords of the two users will differ.
• It effectively increases the length of the password without requiring the user to remember two
additional characters. Hence, the number of possible passwords is increased by a factor of 4096,
increasing the difficulty of guessing a password.
• It prevents the use of a hardware implementation of DES, which would ease the difficulty of a
brute-force guessing attack.
When a user attempts to log on to a UNIX system, the user provides an ID and a password. The
operating system uses the ID to index into the password file and retrieve the plaintext salt and the
encrypted password. The salt and user-supplied password are used as input to the encryption
routine. If the result matches the stored value, the password is accepted.
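The structure of the scheme just described (56-bit key from up to eight 7-bit characters, a 12-bit salt stored in the clear, 25 chained encryptions of a zero block, an 11-character encoding, and the log-on comparison), as an added Python example that is not from the textbook. Assumption: DES is not available in the standard library, so a keyed SHA-256 digest truncated to 64 bits stands in for one salt-modified DES encryption; the user names, salts and passwords are constructed.

```python
import hashlib
import hmac

# The 64-symbol alphabet used for the stored salt and hash characters (6 bits per symbol).
CRYPT_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def password_to_key(password: str) -> bytes:
    """Up to eight printable characters, 7 bits each, packed into a 56-bit (7-byte) key.
    Characters beyond the eighth are silently ignored, exactly as in the scheme described."""
    chars = password[:8].ljust(8, "\0")
    bits = 0
    for ch in chars:
        bits = (bits << 7) | (ord(ch) & 0x7F)
    return bits.to_bytes(7, "big")


def salt_to_chars(salt: int) -> str:
    """The 12-bit salt is stored in the clear as two alphabet characters."""
    return CRYPT_ALPHABET[(salt >> 6) & 0x3F] + CRYPT_ALPHABET[salt & 0x3F]


def chars_to_salt(two: str) -> int:
    return (CRYPT_ALPHABET.index(two[0]) << 6) | CRYPT_ALPHABET.index(two[1])


def salted_block_cipher(key: bytes, salt: int, block: bytes) -> bytes:
    """STAND-IN for salt-modified DES (assumption: DES is not in the standard library).
    A keyed digest truncated to 64 bits plays the role of one DES encryption of `block`."""
    return hmac.new(key, salt.to_bytes(2, "big") + block, hashlib.sha256).digest()[:8]


def hash_password(password: str, salt: int, rounds: int = 25) -> str:
    """Encrypt a 64-bit zero block 25 times, feeding each output back in, then encode
    the final 64 bits as 11 characters and prefix the 2-character salt (13 chars total)."""
    key = password_to_key(password)
    block = bytes(8)                                     # 64-bit block of zeros
    for _ in range(rounds):
        block = salted_block_cipher(key, salt, block)
    value = int.from_bytes(block, "big") << 2            # 64 bits padded to 66 = 11 x 6 bits
    digits = "".join(CRYPT_ALPHABET[(value >> (6 * i)) & 0x3F] for i in reversed(range(11)))
    return salt_to_chars(salt) + digits


def verify(password_file: dict, user_id: str, password: str) -> bool:
    """Log-on check: look up the ID, recover the plaintext salt from the stored entry,
    recompute with the supplied password and compare against the stored value."""
    stored = password_file.get(user_id)
    if stored is None:
        return False
    salt = chars_to_salt(stored[:2])
    return hmac.compare_digest(hash_password(password, salt), stored)


# Constructed password file: two users chose the same password at different times (different salts).
PASSWORD_FILE = {
    "alice": hash_password("wonderland", 0x1A3),
    "bob":   hash_password("wonderland", 0x2F0),
}

if __name__ == "__main__":
    print(PASSWORD_FILE)                                  # entries differ although the passwords match
    print(verify(PASSWORD_FILE, "alice", "wonderland"),   # True
          verify(PASSWORD_FILE, "alice", "Wonderland"))   # False
```

Because only the first eight characters feed the key, "wonderland" and "wonderlaXX" verify identically, a limitation of the original scheme worth remembering when reading the password-length advice that follows.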
The encryption routine is designed to discourage guessing attacks. Software implementations of
DES are slow compared to hardware versions, and the use of 25 iterations multiplies the time
required by 25. However, since the original design of this algorithm, two changes have occurred.
First, newer implementations of the algorithm itself have resulted in speedups. For example, the
Morris worm described in Chapter 21 was able to do online password guessing of a few hundred
passwords
Malicious Software:

Computer Viruses and Related Threats:


THE TERM COMPUTER VIRUS is often used to refer to any software that is intended to damage
computer systems or networks. More narrowly it is used to refer to a particular type of “terrorist”
software—namely a program that performs some unwanted function while hiding within a legitimate
program and that copies its hidden code to other programs, thereby infecting them. Other categories of
malicious software include—
Trojan horse--a program that the user intentionally installs for some useful purpose but that contains
hidden code that performs mischievous or harmful acts.
network worm--a program that uses network connections and network vehicles to spread from system
to system. Once within a system, the worm can behave as a computer virus, implant Trojan horse
programs, or perform other disruptive actions.
macro virus--a computer virus that resides within data files as one or more macros (which are mini-
programs stored with data in the files created by such programs as Word and Excel).
boot sector virus--a virus that spreads when computers attempt to boot from infected floppy disks or
when infected computers access floppy disks.
polymorphic virus--a virus that changes its characteristics with each infection, making its detection more
difficult. Some viruses do little harm; others delete files, change the order of digits in entries in a
spreadsheet, or disable the computer’s operating system.
Viruses are often designed to remain undetected until they have infected other programs or other
computers. A time bomb describes a virus that is activated on a certain date or after a certain period of
time. A logic bomb is activated by a certain sequence of events, such as the virus having replicated a
specified number of times, or the program that contains it having been run a specified number of times.

MALICIOUS SOFTWARE COUNTERMEASURES

Attacks using malicious software are growing in number and sophistication.


Antivirus, Anti-Spyware and other protection products continue to play a game of
catch-up. New, increasingly complex variations are continuously being introduced
and can sometimes spread widely before protection software companies deliver the
latest detection strings and solutions.

Dealerships need to develop a malicious software strategy that clearly outlines the
objectives and procedures for malicious software control and recovery. Introducing
security measures can involve some risk and these practices should be done under the
advice of qualified dealer network management.

• Security Awareness - user awareness is one of the most powerful
countermeasures in virus control. Data should only be accepted from trusted
sources. Users should be warned not to open suspicious email or visit 'hostile'
websites. Furthermore, users should not be free to introduce unchecked media
on to systems.
• Patch Management - patch management is the process of updating your
servers or PCs with the latest security patches and service packs. Writers of
viruses, spyware and other malicious software exploit existing flaws in
software loaded on a PC to spread and do damage. Software companies will
issue patches to fix flaws once they have been discovered. Using automatic
updates to detect available patches for security vulnerabilities is vital to
maintaining proper system functioning. However, there are times when
installing a patch or update may actually interfere with current processes.
Therefore, avoid automatic installation options. Use the following process to
manage automatic updates:
o Detect - use automatic updates to scan your systems for missing security
patches and trigger the patch management process.
o Assess - determine the severity of the issue(s) addressed by the patch and
any other factors that may influence your decision, balancing the
severity of the issue and mitigating factors to determine if the
vulnerabilities are a threat to your current environment.
o Acquire - if the vulnerability is not addressed by the security measures
already in place, download the patch for testing.
o Test - install the patch on a test system to verify the ramifications of the
update against your production configuration.
o Deploy - deploy the patch to production computers. Make sure your
applications are not affected. Employ your rollback or backup restore
plan if needed.
o Maintain - subscribe to notifications that alert you to vulnerabilities as
they are reported.
• Anti-virus scanners - these products scan files, email and instant
messaging programs for signature patterns that match known malicious
software. Since new viruses are continually emerging, these products can only
be effective if they are regularly updated with the latest virus signatures. See
your product manual for instructions on how to activate this. Anti-virus
scanners can be positioned on gateways to the network and/or on network
hosts. Anti-virus scanners need to be frequently updated to be effective.
Therefore, regularity and method of update are criteria that need to be
considered when selecting anti-virus products.
• Audit information - audit logs, including firewall logs, may detect abnormal
activity. Examples are Trojans attempting to send data from a site, or malicious
programs attempting to write or read to unauthorized areas.
• System hardening - careful implementation of system access controls, and the
policy of running applications with least privilege, can minimize the damage
caused by malicious software. This needs to be coupled with tight configuration
management procedures.
• Active Content Blocking - blocks unwanted internet traffic and protects the
network from malicious content on websites and spam emails. It also helps
ensure business resources are being used for business purposes. There are four
things you should look for in an internet blocking or filtering system:
o Automatic Updates
o Centralized Administration
o Category Based Products
o Reporting Capabilities
• Firewalls - firewalls can restrict the ability of some remote control programs to
execute if they rely on a port that is generally blocked. A firewall can be either
PC or server based. Firewalls are most effective at the Internet's point of entry.
However, little reliance can be placed on firewalls for
malicious software control unless a gateway incorporates an active content
filter.

Firewall Design Principles

FIREWALL
A firewall is a dedicated hardware, or software or a combination of both, which
inspects network traffic passing through it, and denies or permits passage based
on a set of rules.

FIREWALL CHARACTERISTICS

Firewall Capabilities

• A firewall defines a single choke point that keeps unauthorized users out of the
protected network…
• A firewall provides a location for monitoring security-related events. Audits
and alarms can be implemented on the firewall system.
• A firewall is a convenient platform for several Internet functions that are not
security related.
• A firewall can serve as the platform for IPSec. Using the tunnel mode
capability, the firewall can be used to implement virtual private networks.

Firewall Limitations
• The firewall cannot protect against attacks that bypass the firewall (dial-up…).
• The firewall does not protect against internal threats.
• The firewall cannot protect against the transfer of virus-infected programs or
files.

DESIGN GOALS

• All traffic from inside to outside, and vice versa, must pass through the
firewall.
• Only authorized traffic, as defined by the local security policy, will be allowed
to pass.
• The firewall itself is immune to penetration. This implies the use of a trusted
system with a secure operating system.

METHODS OF CONTROL IN FIREWALL

• User control
Only authorized users have access to the other side of the firewall.
• Access control
Access through the firewall is restricted to certain services. A service is
characterized, e.g., by IP address and port number.
• Behavior control
For an application, the allowed usage scenarios are known, e.g. filters for e-mail
attachments (virus removal).
• Direction control
Different rules for traffic into the intranet and outgoing traffic to the Internet
can be defined.

TYPES OF FIREWALL

Packet Filtering
Packet filtering is the simplest packet screening method. A packet filtering
firewall does exactly what its name implies -- it filters packets. The most common
implementation is on a router or dual-homed gateway. The packet filtering
process is accomplished in the following manner. As each packet passes through
the firewall, it is examined and information contained in the header is compared
to a pre-configured set of rules or filters. An allow or deny decision is made
based on the results of the comparison. Each packet is examined individually
without regard to other packets that are part of the same connection.

Application Gateways/Proxies
An application gateway/proxy is considered by many to be the most complex
packet screening method. This type of firewall is usually implemented on a
secure host system configured with two network interfaces. The application
gateway/proxy acts as an intermediary between the two endpoints. This packet
screening method actually breaks the client/server model in that two connections
are required: one from the source to the gateway/proxy and one from the
gateway/proxy to the destination. Each endpoint can only communicate with the
other by going through the gateway/proxy.

Circuit-level Gateway
Unlike a packet filtering firewall, a circuit-level gateway does not examine
individual packets. Instead, circuit-level gateways monitor TCP or UDP sessions.
Once a session has been established, it leaves the port open to allow all other
packets belonging to that session to pass. The port is closed when the session is
terminated. In many respects this method of packet screening resembles
application gateways/proxies and adaptive proxies, but circuit-level gateways
operate at the transport layer (layer 4) of the OSI model.
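Packet filtering versus a circuit-level gateway in code, as an added example that is not part of these notes. The rule table, the internal address prefix 10.0.0.x and the packet sequence are constructed. It shows the consequence of judging each packet without regard to the others: a stateless filter that admits inbound packets with the ACK flag set (so that replies to connections opened from inside get through) also admits an unsolicited packet that merely carries that flag, while the session-tracking gateway admits only packets of a session it saw being opened from inside, and closes the path again on FIN.

```python
from dataclasses import dataclass

INSIDE = "10.0.0."   # constructed prefix of the protected network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    fin: bool = False

    def outbound(self) -> bool:
        return self.src.startswith(INSIDE)


# Stateless rule table (constructed): (direction, destination port or None for any,
# ACK flag required, action). The first matching rule decides.
RULES = [
    ("in",  25,   False, "allow"),   # inbound mail to the relay
    ("out", None, False, "allow"),   # anything initiated from inside
    ("in",  None, True,  "allow"),   # ACK set: assumed to be a reply to an inside connection
    ("in",  None, False, "deny"),
]


def packet_filter(pkt: Packet) -> str:
    """Packet filtering: each packet is judged on its own header, with no memory of others."""
    direction = "out" if pkt.outbound() else "in"
    for rule_dir, port, ack_required, action in RULES:
        if rule_dir != direction:
            continue
        if port is not None and pkt.dport != port:
            continue
        if ack_required and not pkt.ack:
            continue
        return action
    return "deny"


class CircuitLevelGateway:
    """Tracks TCP sessions: opens a path on an inside-initiated SYN, closes it on FIN.
    (Simplified: a single FIN from either side ends the session.)"""

    def __init__(self):
        self.sessions = set()   # (inside_ip, inside_port, outside_ip, outside_port)

    def decide(self, pkt: Packet) -> str:
        if pkt.outbound():
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.syn and not pkt.ack:
                self.sessions.add(key)          # session established from inside
        else:
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key not in self.sessions:
            return "deny"                       # not part of any known session
        if pkt.fin:
            self.sessions.discard(key)          # port closed when the session terminates
        return "allow"


def run_trace(packets):
    """Return (packet-filter decision, circuit-gateway decision) for each packet in order."""
    gw = CircuitLevelGateway()
    return [(packet_filter(p), gw.decide(p)) for p in packets]


TRACE = [  # constructed sequence
    Packet("10.0.0.5", 40000, "203.0.113.9", 443, syn=True),             # inside opens HTTPS
    Packet("203.0.113.9", 443, "10.0.0.5", 40000, syn=True, ack=True),   # server's reply
    Packet("198.51.100.4", 5555, "10.0.0.5", 22, ack=True),              # unsolicited, ACK set
    Packet("203.0.113.9", 443, "10.0.0.5", 40000, ack=True, fin=True),   # server closes
    Packet("203.0.113.9", 443, "10.0.0.5", 40000, ack=True),             # late packet after close
]

if __name__ == "__main__":
    for pkt, decision in zip(TRACE, run_trace(TRACE)):
        print(pkt.src, "->", pkt.dst, pkt.dport, decision)
```

Packets 3 and 5 are where the two approaches diverge: the stateless filter passes both, the gateway rejects both.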
TRUSTED SYSTEMS
The basic elements of the model are as follows:
• Subject: An entity capable of accessing objects. Generally, the concept of subject equates with
that of process.
• Object: Anything to which access is controlled. Examples include files, portions of files,
programs, and segments of memory.
• Access right: The way in which an object is accessed by a subject. Examples are read, write,
and execute.

[Figure (a) Access matrix: subjects (Program1, …) as rows, objects (segment A, segment B) as
columns, and the access rights each subject holds on each object (read, execute, write) as entries]

A collection of software called the “trusted computing base” (TCB) maintains the
parts of the system that are related to security. The TCB consists of the UNIX system
kernel (the heart of the operating system) and the trusted utilities that reference and
maintain relevant security data. The TCB implements the security policy of the
system. The security policy is a set of rules that oversee and guard interactions
between “subjects” (such as processes, which are programs running on the system)
and “objects” (such as files, devices, and interprocess communication objects). At the
C2 level, this consists of “discretionary access control” (DAC), discussed later in this
section, and object reuse (which dictates that information in a storage object must be
cleared before allocation). Much of the software that you interact with is part of the
system's TCB. SCOadmin provides a menu-driven interface to help you maintain the
TCB.

Accountability

On a trusted system, all actions can be traced to a responsible person. Most UNIX
systems lack good accountability because some actions cannot be traced to a person.
For example, pseudo-user accounts, such as lp or cron, run anonymously; their actions
can be discovered only by changes to system information. As described later, a trusted
UNIX system improves accountability by associating each account with a real user,
auditing every action, and associating each action with a specific user on the system.

On a typical UNIX system, each process has a real and effective user ID as well as a
real and effective group ID. A process with the effective user ID set to root can set
these identifiers to any user. The C2 level of trust requires that the TCB be able to
identify each user uniquely and thus enforce individual accountability. The concept of
user identity is expanded on trusted UNIX systems to add a separate identifier called
the “login user identifier” (LUID). The LUID is an indelible stamp on every process
associated with a user. The LUID identifies the user who is responsible for the
process's session. Once stamped, the process's LUID cannot be changed by anyone.
Child processes inherit the LUID of their parent.

Discretionary access control (DAC)

The SCO OpenServer security policy prescribes a relationship between access rules
and access attributes. The access attributes allow the system to define several distinct
levels of authorization, and the access rules provide the mechanism for the system to
prevent unauthorized access to sensitive information.

Access to a file is determined by the file's absolute pathname. The kernel determines
whether or not to allow a process the kind of file access requested (read, write,
execute/search) based on

• the user and group IDs associated with the process
• the privileges (if any) associated with the process
• the discretionary controls (in the form of permission bits and, possibly, Access
Control Lists (ACLs)) associated with the file and all the directories that make
up the absolute pathname of the file

These access checks are performed at the time the file is opened, rather than at the
time a read or write is actually attempted.

For example, if the file /usr/src/cmd/mv.c is readable by a user, but the
directory /usr/src/cmd (or any other directory in the path) is not searchable by the
user (that is, the user does not have search permission on /usr/src/cmd),
then mv.c cannot be read.
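The rule just illustrated with /usr/src/cmd/mv.c, as an added Python example that is not part of the SCO documentation: a toy kernel check that walks every directory on the absolute pathname for search permission before consulting the file's own bits, consulting a per-user ACL entry where one exists. The in-memory filesystem, the user and group IDs, and the privilege name "dac_override" are constructed assumptions.

```python
import posixpath
from dataclasses import dataclass, field

R, W, X = 4, 2, 1   # permission bits; on a directory, X is search permission


@dataclass
class Inode:
    uid: int
    gid: int
    mode: int                                   # nine permission bits, e.g. 0o750
    acl: dict = field(default_factory=dict)     # optional per-user entries: uid -> rwx bits


@dataclass(frozen=True)
class Process:
    uid: int
    gids: frozenset
    privileges: frozenset = frozenset()


def effective_bits(inode: Inode, proc: Process) -> int:
    """Which rwx bits apply: an ACL entry for the user if present, else owner/group/other class."""
    if proc.uid in inode.acl:
        return inode.acl[proc.uid]
    if proc.uid == inode.uid:
        return (inode.mode >> 6) & 7
    if inode.gid in proc.gids:
        return (inode.mode >> 3) & 7
    return inode.mode & 7


def may_open(fs: dict, proc: Process, path: str, want: int):
    """DAC decision made at open() time: every directory in the absolute pathname must be
    searchable by the process, and the file's own bits must grant the requested access."""
    if not posixpath.isabs(path):
        return False, "pathname must be absolute"
    if "dac_override" in proc.privileges:          # hypothetical privilege name
        return True, "process privilege bypasses discretionary checks"
    names = [n for n in path.split("/") if n]
    dirs = ["/"]                                   # root and every intermediate directory
    for n in names[:-1]:
        dirs.append(posixpath.join(dirs[-1], n))
    for d in dirs:
        if d not in fs:
            return False, f"{d} does not exist"
        if not (effective_bits(fs[d], proc) & X):
            return False, f"no search permission on {d}"
    if path not in fs:
        return False, f"{path} does not exist"
    if (effective_bits(fs[path], proc) & want) != want:
        return False, f"permission bits on {path} deny the requested access"
    return True, "granted"


# Constructed filesystem: mv.c is world-readable, but /usr/src/cmd is searchable only by root and group 10.
FS = {
    "/":                 Inode(0, 0, 0o755),
    "/usr":              Inode(0, 0, 0o755),
    "/usr/src":          Inode(0, 0, 0o755),
    "/usr/src/cmd":      Inode(0, 10, 0o750),
    "/usr/src/cmd/mv.c": Inode(0, 10, 0o644),
}
# Same tree, with an ACL entry granting user 1001 search permission on the restricted directory.
FS_WITH_ACL = {**FS, "/usr/src/cmd": Inode(0, 10, 0o750, acl={1001: X})}

if __name__ == "__main__":
    outsider = Process(uid=1001, gids=frozenset({100}))
    member = Process(uid=1002, gids=frozenset({10}))
    print(may_open(FS, outsider, "/usr/src/cmd/mv.c", R))           # denied: directory not searchable
    print(may_open(FS, member, "/usr/src/cmd/mv.c", R))             # granted
    print(may_open(FS_WITH_ACL, outsider, "/usr/src/cmd/mv.c", R))  # granted through the ACL entry
```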
