
Unit 5
Periphery Security

Outline
1 IDS
2 Firewalls
3 Trusted System
4 Access Control
1 Intrusion

Attackers always try to intrude into the privacy of a network by trying to break the security of the system and gain access.

•Access right: a user is either 1. legitimate/internal or 2. illegitimate/external.
•Action performed, or the behaviour of the user.

Network sniffers
A general term for programs or devices that are able to examine traffic on a LAN segment.
•Snort
Topics Discussed in the Section
•Types of Intruders
•Audit Records
•Classification of Intrusion Detection
•Distributed Intrusion Detection
•Honeypots
Types of Intruders
•Masquerader: an illegitimate user who gains access by defeating the authorization controls (authorization attack).
•Misfeasor: a legitimate user who either
1. has access to a resource but misuses the privilege, or
2. has no access to a resource but accesses it anyway.
•Clandestine user: may be internal or external; seizes supervisory privilege and uses it to avoid auditing information being captured or recorded.
Audit Record/Log
•An important detection tool.
•Captures and records information about the actions of users.
•Traces of illegitimate user actions can be found in it.
•Appropriate actions can then be taken to prevent a recurrence.
Audit Records Classification

1. Native: a multiuser OS has built-in accounting software that collects all user actions.
2. Detection specific: collects only the information that is relevant to intrusion detection.
•Advantage
•A more focused approach.
•Disadvantage
•May give duplicate information (the same events also appear in the native records).
Fields in an Audit Record

•Subject: terminal user, process, etc.
•Action: login, read/write/execute (RWX), print, I/O, etc.
•Object: disk file, DB record, application program, etc.
•Exception condition: any exception generated by the action.
•Resource usage: CPU time, disk space, number of records and files read/written/executed or printed.
•Timestamp: date and time of the access.
Intrusion Detection
•Possible because intruders behave differently from legitimate users.
•Loss depends directly on how quickly the intruder is detected: the sooner the intrusion is detected, the less damage is done.
•If detected in the early stages, we can act.
•The information gathered strengthens the database used for prevention.
•Acts as a deterrent to intruders.
Classification of Intrusion Detection

Statistical Anomaly Detection:
•The behaviour of users over time is captured as statistical data and processed.
•Rules are then applied to test whether the user behaviour was legitimate or not.
•Threshold detection: thresholds are defined for all users as a group, and the frequency of various events is measured against the thresholds.
•Profile based: profiles for individual users are created and matched against the collected statistics to see if any irregular patterns emerge.
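Threshold and profile-based detection run over the audit-record fields listed earlier (subject, action, object, exception, resource usage, timestamp), as an added example that is not part of the original slides; the records, the per-user profiles, the failed-login limit and the z-score cut-off are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed audit records: (subject, action, object, exception, cpu_seconds, timestamp).
AUDIT = [
    ("alice", "login", "host1", None, 0.2, "2024-01-01 09:00:00"),
    ("alice", "read", "payroll.db", None, 0.3, "2024-01-01 09:01:00"),
    ("bob", "login", "host1", "BAD_PASSWORD", 0.1, "2024-01-01 09:00:10"),
    ("bob", "login", "host1", "BAD_PASSWORD", 0.1, "2024-01-01 09:00:20"),
    ("bob", "login", "host1", "BAD_PASSWORD", 0.1, "2024-01-01 09:00:25"),
    ("bob", "login", "host1", "BAD_PASSWORD", 0.1, "2024-01-01 09:00:40"),
    ("bob", "login", "host1", None, 0.1, "2024-01-01 09:00:50"),
    ("bob", "read", "secret.txt", None, 9.5, "2024-01-01 09:02:00"),
]

# Constructed per-user profiles: CPU seconds per action learned from earlier, normal activity.
PROFILES = {
    "alice": [0.2, 0.3, 0.25, 0.3, 0.2],
    "bob": [0.1, 0.15, 0.1, 0.2, 0.1],
}


def threshold_alerts(records, event="login", exc="BAD_PASSWORD",
                     limit=3, window=timedelta(minutes=1)):
    """Threshold detection: one group-wide limit applies to every subject.
    Alert when more than `limit` failed `event`s by a subject fall inside `window`."""
    recent, alerts = defaultdict(list), set()
    for subj, action, _, exception, _, ts in sorted(records, key=lambda r: r[5]):
        if action != event or exception != exc:
            continue
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        # Keep only this subject's failures that are still inside the sliding window.
        recent[subj] = [x for x in recent[subj] if t - x <= window] + [t]
        if len(recent[subj]) > limit:
            alerts.add(subj)
    return alerts


def profile_alerts(records, profiles, k=3.0):
    """Profile-based detection: compare each record's resource usage with the
    subject's own learned mean; flag it when it lies more than k std. devs above."""
    alerts = []
    for subj, action, obj, _, cpu, ts in records:
        hist = profiles.get(subj)
        if not hist:
            continue  # no profile yet: nothing to compare against
        mu, sigma = mean(hist), pstdev(hist) or 1e-9
        if (cpu - mu) / sigma > k:
            alerts.append((subj, action, obj, ts))
    return alerts
```

Bob trips the threshold rule (four failed logins in 30 seconds) and the profile rule (9.5 CPU seconds against a baseline near 0.13), while Alice's activity matches her profile and raises nothing.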
Rule Based
•A set of rules is applied to see whether a given behaviour is suspicious enough to be classified as an attempt to intrude.
•Anomaly detection: historical usage patterns are collected, and rules are used to analyse deviations from these patterns.
•Penetration identification: an expert system that looks for known illegitimate behaviour.
Distributed Intrusion Detection
•Different hosts record audit information in different formats; this needs to be processed uniformly.
•A few nodes are used to gather and analyse the audit information, and there should be provision to share the results with all nodes.
Honeypots: a trap
•Divert the intruder's attention away from critical information.
•Collect information about the intruder's actions.
•Help in detecting the intruder's behaviour so that we can act accordingly.
•Real-looking (but fabricated) data is used.
•Equipped with sensors and loggers that raise an alarm.
•Legitimate users do not know about it, so any access to it is suspect.
2 FIREWALLS

All the previous security measures cannot prevent Eve from sending a harmful message to a system. To control access to a system we need firewalls. A firewall is a device (usually a router or a computer) installed between the internal network of an organization and the rest of the Internet. It is designed to forward some packets and filter (not forward) others.
Topics Discussed in the Section
•Packet-Filter Firewall (screening router)
•Proxy Firewall (Application Gateway)
•Firewall Configurations
Threats from inside and outside a corporate network (figure)

Figure: Firewall
Characteristics of a Good Firewall Implementation
•All traffic entering or leaving the network must pass through the firewall (it is the single entry and exit point).
•Only traffic authorized by the security policy is allowed through.
•Robust enough to sustain attack.
Packet Filter Operation

Figure: Packet-filter firewall (filters on IP and TCP/UDP header fields)
Advantage & Disadvantage

•Advantage
1. Simplicity
2. Fast
•Disadvantage
1. Difficulty in setting up the rules correctly.
2. Lack of authentication (decisions are based only on header fields).
Attacks on Packet Filters

•IP address spoofing
•Source routing attacks
•Tiny fragment attack: exploits IP fragmentation; each link-layer technology (Ethernet, Token Ring, X.25, Frame Relay, ATM) has its own maximum frame size (MTU).

Defeating the IP address spoofing attack (figure)
Dynamic or Stateful Packet Filter

•An advanced type of packet filter.
•Allows packets to be examined based on the current state of the network connections.
•It maintains a list of currently open connections and outgoing packets, and uses that list when deciding how to treat incoming packets.

Dynamic packet filter technology (figure)
Note

A proxy firewall filters at the application layer.
Application/Circuit gateway operation

Figure: Proxy firewall (bastion host); all HTTP packets are inspected, accepted packets are forwarded and errors are returned to the client
Advantage & Disadvantage

•Advantage
1. More secure, because users are authenticated.
•Disadvantage
1. Overhead of managing two connections (client to proxy and proxy to server) and the traffic passing between them.
3. Firewall Configurations

3.1. Screened host firewall, single-homed bastion (figure)
Advantage & Disadvantage

•Advantage
1. Increases security by performing checks at both levels (packet filter and application gateway).
2. Gives the network administrator flexibility to define security policies.
•Disadvantage
1. If the proxy firewall (bastion host) is compromised, internal hosts are exposed, because the packet filter alone can be bypassed.
3.2. Screened host firewall, dual-homed bastion (figure)
Advantage & Disadvantage

•Advantage
1. No direct connection from an internal host past the proxy firewall: all traffic must pass through the bastion.
2. More secure than the first configuration.
•Disadvantage
1. A little slower because of this.
3.3. Screened subnet firewall: three levels of security (figure)

Demilitarized Zone (DMZ) Networks (figure)
Advantage & Disadvantage

•Advantage
1. Access to any service on the DMZ can be restricted, e.g. allowing only ports 80 and 443.
2. All other traffic can be filtered, e.g. blocking port 23.
3. The Internal Private Network (IPN) is not directly connected to the DMZ.
4. The IPN is safe and out of reach of an attacker.
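A screened-subnet policy expressed as an ordered rule list in a small stateful packet filter, as an added example that is not part of the original slides; it also includes the anti-spoofing check from the packet-filter section (an internal source address must never arrive on the external interface). The address ranges, interface names and rule order are assumptions.

```python
import ipaddress

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed Internal Private Network (IPN)
DMZ = ipaddress.ip_network("192.0.2.0/24")      # assumed DMZ (documentation range)
ANY = ipaddress.ip_network("0.0.0.0/0")

# Ordered rules, first match wins, default deny:
# (inbound interface, protocol, source net, destination net, destination port, verdict)
RULES = [
    ("ext", "tcp", ANY, DMZ, 80, "accept"),        # public web service on the DMZ
    ("ext", "tcp", ANY, DMZ, 443, "accept"),
    ("ext", "tcp", ANY, ANY, 23, "drop"),          # telnet never crosses the perimeter
    ("ext", "any", ANY, INTERNAL, None, "drop"),   # IPN unreachable from the outside
    ("int", "any", INTERNAL, ANY, None, "accept"), # outbound traffic from the IPN
]


class StatefulFilter:
    def __init__(self, rules):
        self.rules = rules
        # Flows accepted so far: (proto, client, client port, server, server port).
        self.conns = set()

    def decide(self, iface, proto, src, sport, dst, dport):
        """Return (verdict, reason) for one packet, updating the connection table."""
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # Anti-spoofing: a packet claiming an internal source cannot come from outside.
        if iface == "ext" and src_ip in INTERNAL:
            return ("drop", "spoofed")
        # Stateful part: replies to an already-accepted flow need no explicit rule.
        if (proto, dst_ip, dport, src_ip, sport) in self.conns:
            return ("accept", "established")
        for r_iface, r_proto, r_src, r_dst, r_port, verdict in self.rules:
            if r_iface != iface or r_proto not in ("any", proto):
                continue
            if src_ip not in r_src or dst_ip not in r_dst:
                continue
            if r_port is not None and r_port != dport:
                continue
            if verdict == "accept":
                self.conns.add((proto, src_ip, sport, dst_ip, dport))
            return (verdict, "rule")
        return ("drop", "default")
```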
Limitations of a Firewall

1. Insider's intrusion: an attacker already inside the network never crosses the firewall.
2. Direct Internet traffic: connections that bypass the firewall (e.g. a dial-up or other link around it) are not filtered.
3. Virus attacks: a firewall cannot scan every packet or file for malicious content.
3 Trusted System
•A system that you have no choice but to trust.
•The security of the overall system depends on the trusted system working correctly.
•If the trusted system fails, it compromises the security of the entire system.
•Therefore, the number of trusted components in a system should be kept to a minimum.
•A trusted system should provide security, integrity, reliability and privacy.
Trusted System in Policy Analysis

•Some conditional prediction about the behaviour of users or elements within the system is made before access to resources within the system is authorised.
1. The probability of a threat (risk analysis) is calculated and used to assess trust when deciding whether to authorise access.
2. To ensure the expected behaviour within the system, deviation analysis is used.