Tuesday, October 27, 2009

.:: || Intrusion Detection System || ::.

Intruders


  • a significant issue: hostile or unwanted trespass

  • User trespass - unauthorized logon, privilege abuse

  • Software trespass - virus, worm, or trojan horse

  • Classes of intruders: masquerader (an outsider using a legitimate user's account), misfeasor (a legitimate user who misuses their privileges), clandestine user (one who seizes supervisory control and uses it to evade auditing and access controls)



Security Intrusion & Detection

  • Security Intrusion - a security event, or combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system (or system resource) without having authorization to do so.


  • Intrusion Detection - a security service that monitors and analyzes system events for the purpose of finding, and providing real-time or near real-time warning of attempts to access system resources in an unauthorized manner.


Hackers

  • 1. motivated by thrill of access and status

  • 2. benign intruders might be tolerable

  • 3. IDS / IPS / VPNs can help counter


Intrusion Detection Systems

Classify intrusion detection systems (IDSs) as:

  • 1. Host-based IDS: monitor single host activity

  • 2. Network-based IDS: monitor network traffic


Logical components:

  • 1. sensors - collect data

  • 2. analyzers - determine whether an intrusion has occurred

  • 3. user interface - manage / direct / view the IDS


IDS Principles

  • assume intruder behaviour differs from that of legitimate users

  • legitimate behaviour is established from past history, and deviations from it are flagged

  • the two overlap in practice: a loose threshold misses intruders (false negatives), a tight one flags legitimate users (false positives)


Types of IDS

  • 1. Host IDS

  • 2. Network IDS

  • 3. Distributed IDS


Intrusion Detection Techniques

  • signature detection

  • anomaly detection

  • when a potential violation is detected, the sensor sends an alert and logs the supporting information


Anomaly Detection
- threshold detection

  • counts occurrences of a given event type (e.g. failed logins from one source) over a time interval and alerts when the count exceeds a threshold

  • alone a crude and ineffective intruder detector: a legitimate burst trips it while a slow, patient attack stays under it

  • must determine both the thresholds and the time intervals, and tune them against the false-positive / false-negative trade-off



Signature Detection - observes events on the system and applies a set of rules (signatures of known attacks) to decide whether an intruder is present; it can only detect attacks for which a signature already exists, so novel attacks are left to anomaly detection
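As an added illustration (not code from the original notes), the following Python script runs both detection techniques over a handful of constructed auth-log lines: a signature rule for a path-traversal pattern and a sliding-window threshold on failed logins per source address. The log format, the signature, the threshold of 4 and the 60-second window are assumptions chosen for the example, not values from the notes or from any real product.

```python
"""Added example (not from the original notes): a minimal IDS analyzer that
applies (a) a signature rule and (b) threshold-based anomaly detection to
constructed auth-log lines.  The log format, rule and thresholds below are
assumptions for illustration, not a real product's configuration."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines in a syslog-like format (not captured from a real host).
SAMPLE_LOG = """\
2009-10-27 10:00:01 sshd[101]: Failed password for root from 203.0.113.9 port 4001
2009-10-27 10:00:03 sshd[101]: Failed password for root from 203.0.113.9 port 4002
2009-10-27 10:00:05 sshd[101]: Failed password for admin from 203.0.113.9 port 4003
2009-10-27 10:00:07 sshd[101]: Failed password for admin from 203.0.113.9 port 4004
2009-10-27 10:00:09 sshd[101]: Failed password for guest from 203.0.113.9 port 4005
2009-10-27 10:00:20 sshd[101]: Accepted password for alice from 198.51.100.7 port 5000
2009-10-27 10:05:00 sshd[101]: Failed password for bob from 198.51.100.7 port 5001
2009-10-27 10:30:00 sshd[101]: Failed password for bob from 198.51.100.7 port 5002
2009-10-27 11:00:00 httpd[200]: GET /cgi-bin/../../etc/passwd from 203.0.113.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<proc>\w+)\[\d+\]: (?P<msg>.*)$")

# Signature detection: a fixed pattern that is known-bad regardless of frequency.
SIGNATURES = [
    ("path-traversal", re.compile(r"\.\./")),
]

# Threshold detection: more than THRESHOLD failed logins from one source
# inside a sliding WINDOW of seconds.  Both values must be tuned by the operator.
THRESHOLD = 4
WINDOW = 60


def parse(line):
    """Return (timestamp, process, message) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return ts, m.group("proc"), m.group("msg")


def analyze(log_text, threshold=THRESHOLD, window=WINDOW):
    """Run both detectors over the log; return a list of alert tuples."""
    alerts = []
    failures = defaultdict(deque)   # source IP -> timestamps of recent failures
    already = set()                 # sources already reported, to avoid alert storms
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, proc, msg = rec
        for name, pat in SIGNATURES:
            if pat.search(msg):
                alerts.append(("signature", name, msg))
        m = re.search(r"Failed password for \S+ from (\S+)", msg)
        if m:
            src = m.group(1)
            q = failures[src]
            q.append(ts)
            # drop events older than the window, then compare the count with the threshold
            while (ts - q[0]).total_seconds() > window:
                q.popleft()
            if len(q) > threshold and src not in already:
                already.add(src)
                alerts.append(("threshold", src, f"{len(q)} failures in {window}s"))
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(a)
```

Run it and the first alert is the threshold one for 203.0.113.9 (five failures in ten seconds) and the second is the signature match; the two failures from 198.51.100.7 spaced 25 minutes apart never reach the threshold, which is exactly the slow attack the notes warn threshold detection misses. Raise the threshold to 10 and only the signature alert remains.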

Honeypot

  • are decoy systems

  • filled with fabricated info

  • instrumented with monitors / event loggers

  • divert and hold attacker to collect activity info

  • without exposing production systems

  • initially were single systems

  • more recently emulate entire networks (honeynets)

.:: || Firewall || ::.

Types of firewall


  • 1. Packet filtering firewall

  • 2. Stateful inspection firewall

  • 3. Application level gateway (application proxy)

  • 4. circuit level gateway



Type 1: Packet filtering firewall


Packet filters act by inspecting the "packets" which represent the basic unit of data transfer between computers on the Internet. If a packet matches the packet filter's set of rules, the packet filter will drop (silently discard) the packet, or reject it (discard it, and send "error responses" to the source).

This type of packet filtering pays no attention to whether a packet is part of an existing stream of traffic (it stores no information on connection "state"). Instead, it filters each packet based only on information contained in the packet itself (most commonly using a combination of the packet's source and destination address, its protocol, and, for TCP and UDP traffic, the port number).



Type 2: Stateful Inspection Firewall


Stateful (third-generation) firewalls additionally consider the placement of each individual packet within a packet series. This technology is generally referred to as stateful packet inspection, as it maintains records of all connections passing through the firewall and is able to determine whether a packet is the start of a new connection, part of an existing connection, or an invalid packet. Though there is still a set of static rules in such a firewall, the state of a connection can itself be one of the criteria that trigger specific rules.

This type of firewall can help prevent attacks which exploit existing connections, or certain denial-of-service attacks. The price is the state table itself: it has to be sized and timed out sensibly, because an attacker who can fill it with half-open connections can exhaust it.
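Added example (not from the original page): a stateless packet filter and a stateful inspection filter in Python, run over the same constructed packet trace. The addresses, ports, rule set and the simplified connection tracking are assumptions for illustration.

```python
"""Added example (not from the original notes): a stateless packet filter and
a stateful inspection filter applied to the same constructed packet trace,
to show why the stateless version must leave a hole for reply traffic.
Addresses, ports and rules are assumptions chosen for illustration."""
from collections import namedtuple

Packet = namedtuple("Packet", "direction src sport dst dport flags")
# direction: "in" (Internet -> inside) or "out" (inside -> Internet)
# flags: set of TCP flag names, e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}

INSIDE = "192.0.2.10"        # an inside client
WEB = "198.51.100.80"        # a legitimate web server on the Internet
ATTACKER = "203.0.113.66"


def stateless_filter(pkt):
    """Stateless rules, evaluated on each packet in isolation.
    To let replies from web servers in, rule 2 has to admit any inbound
    packet whose source port is 80 and whose destination port is unprivileged."""
    if pkt.direction == "out" and pkt.dport == 80:                      # rule 1: clients may browse
        return "accept"
    if pkt.direction == "in" and pkt.sport == 80 and pkt.dport > 1023:  # rule 2: replies
        return "accept"
    return "drop"                                                        # default deny


class StatefulFilter:
    """Keeps a table of connections opened from inside; inbound packets are
    admitted only when they match an existing entry."""

    def __init__(self):
        self.connections = set()   # (inside addr, inside port, remote addr, remote port)

    def filter(self, pkt):
        if pkt.direction == "out" and pkt.dport == 80:
            if "SYN" in pkt.flags and "ACK" not in pkt.flags:   # new connection
                self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return "accept"
            if (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.connections:
                return "accept"
        if pkt.direction == "in":
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if key in self.connections:
                if "RST" in pkt.flags or "FIN" in pkt.flags:
                    self.connections.discard(key)     # simplified teardown: first FIN/RST closes
                return "accept"
            # a SYN/ACK or ACK with no matching entry is an invalid packet
        return "drop"


# Constructed trace: a real browsing session, then an attacker probing from source port 80.
TRACE = [
    Packet("out", INSIDE, 40001, WEB, 80, {"SYN"}),
    Packet("in", WEB, 80, INSIDE, 40001, {"SYN", "ACK"}),
    Packet("out", INSIDE, 40001, WEB, 80, {"ACK"}),
    Packet("in", ATTACKER, 80, INSIDE, 40002, {"SYN", "ACK"}),   # probe disguised as a reply
    Packet("in", ATTACKER, 80, INSIDE, 6000, {"ACK"}),           # scan of an X11 port
    Packet("out", INSIDE, 40001, WEB, 80, {"FIN", "ACK"}),
    Packet("in", WEB, 80, INSIDE, 40001, {"FIN", "ACK"}),
]


def run(trace):
    """Return parallel verdict lists (stateless, stateful) for a packet trace."""
    sf = StatefulFilter()
    return [stateless_filter(p) for p in trace], [sf.filter(p) for p in trace]


if __name__ == "__main__":
    for pkt, a, b in zip(TRACE, *run(TRACE)):
        print(f"{pkt.direction:3} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} "
              f"stateless={a} stateful={b}")
```

The stateless filter accepts all seven packets, including the two attacker probes, because admitting replies to outbound web requests forces it to admit any inbound packet from source port 80 to an unprivileged port. The stateful filter drops those two: no inside host ever opened a connection to 203.0.113.66. Real connection tracking also checks sequence numbers, follows the full FIN handshake and applies timeouts; this version only removes an entry on the first FIN or RST.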

Type 3: Application Proxy Firewall & Type 4: Circuit-level Proxy Firewall

  • Application proxy (application-level gateway): terminates the client's connection and opens its own connection to the server, applying checks specific to each application protocol (e.g. FTP, Telnet); very effective, but each protocol needs its own proxy and it costs performance.

  • Circuit-level gateway: applies its checks when a TCP or UDP connection is set up (who may talk to whom); once the connection is allowed, packets flow between the hosts without further inspection of their contents.


Firewall hosting

  • 1. Bastion host = a hardened, minimally configured host exposed to the untrusted network that runs the firewall (or proxies) for a whole network segment

  • 2. Host-based = firewall software running on, and protecting, a single workstation/server



VPN

  • Creates a secure (encrypted and authenticated) tunnel across the Internet that behaves like a LAN connection.

  • To the hosts at each end it looks as though they are on one LAN, but the traffic actually crosses the Internet; an outsider sees only the encrypted tunnel packets.



Distributed firewall

  • Firewall enforcement placed on every host (and/or subnet) in the network, with a single policy defined centrally and pushed to each enforcement point



Features of distributed firewalls:

  • The ability to deploy to servers and end-user machines, and to configure and "push out" consistent security policies, helps to make the most of limited administration resources.

  • Secure critical servers on the network, preventing intrusion by malicious code and "jailing" such code by not letting a compromised server be used as a launch pad for further attacks.

.:: || Wireless Security || ::.

There are three principal ways to secure a wireless network.


  • For closed networks (like home users and organizations) the most common way is to configure access restrictions in the access points. Those restrictions may include encryption and checks on MAC address. Another option is to disable ESSID broadcasting, making the access point harder for outsiders to detect. Note that MAC filtering and a hidden ESSID only raise the bar slightly: a permitted MAC address can be copied from any observed frame and the ESSID still appears in probe and association frames, so encryption is the control that actually matters. Wireless Intrusion Prevention Systems can be used to provide wireless LAN security in this network model.

  • For commercial providers, hotspots, and large organizations, the preferred solution is often to have an open and unencrypted, but completely isolated wireless network. The users will at first have no access to the Internet nor to any local network resources. Commercial providers usually forward all web traffic to a captive portal which provides for payment and/or authorization. Another solution is to require the users to connect securely to a privileged network using VPN.

  • Wireless networks are harder to contain physically than wired ones, but wired networks are not safe by default either: in many offices an intruder can walk in and plug their own computer into the wired network, gaining access, and remote intruders can reach the network through backdoors such as Back Orifice. One general solution is end-to-end encryption, with independent authentication on every resource that should not be available to the public.



Joining a BSS (Basic Service Set)




Roaming & channel

  • roaming = a station moves out of the coverage of its initial AP and into that of another AP in the same ESS, re-associating without losing connectivity



802.11a

  • 54Mbps in the 5GHz band

  • not compatible with 802.11b/g equipment (different band)


802.11g

  • 54Mbps in the 2.4GHz band

  • backward compatible with 802.11b


802.11b

  • 11Mbps in the 2.4GHz band

  • compatible with 802.11g access points


Open system authentication

  • Service Set Identifier (SSID)

  • Station must specify the SSID to connect to the AP

  • this is effectively no authentication: the SSID is broadcast in beacons and sent in the clear in probe and association frames, so it is an identifier, not a secret


Interception

  • the signal (and with it, who is in range to intercept it) is weakened by 3 factors:



  • 1. walls

  • 2. floors

  • 3. interference

  • but an attacker with a directional antenna can still receive it from well outside the building, so attenuation is not a security control


802.11

  • 3 basic security services:


  • 1. Authentication - open system or shared key in the original standard; 802.1X/EAP or a pre-shared key with WPA/WPA2

  • 2. Integrity - a check value appended to each frame so that modification is detected: WEP uses a CRC-32 ICV (which is linear, so an attacker can adjust it to match a modified frame), WPA uses the Michael MIC, WPA2 uses CCMP

  • 3. Confidentiality - frame bodies are encrypted: WEP and WPA (TKIP) with RC4, WPA2 with AES-CCMP

  • * WPA is cryptographically much stronger than WEP, but in pre-shared-key mode its strength depends on the passphrase: the four-way handshake can be captured passively and a short or dictionary passphrase recovered offline, so a weak PSK still makes the network easy to crack.

    Passive attack (on WEP)

    • Attacker collects all traffic

    • Attacker collects two messages


  • 1. encrypted with the same key and IV (the 24-bit IV is reused after at most 2^24 frames, often much sooner)

  • 2. XOR of the two ciphertexts = XOR of the two plaintexts, which a statistical attack (or one known plaintext) unravels to reveal plaintext

  • 3. Plaintext XOR ciphertext = keystream, which then decrypts every other frame sent under that IV


  • Tool to crack the wireless AP

    • BackTrack (a Linux distribution that bundles wireless auditing tools such as aircrack-ng)
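Added example (not from the original notes): the keystream-reuse arithmetic described in the passive attack above, in Python with a pure-Python RC4 and a WEP-style per-frame key of IV || shared key. The key, IV and frame contents are constructed values; the CRC-32 ICV that WEP appends is omitted. This is the maths of the attack, not a tool that talks to an access point.

```python
"""Added example (not from the original notes): RC4 keystream reuse as it
occurs in WEP when two frames share the same IV and key.  The key, IV and
frame contents are constructed for illustration; this is the arithmetic of
the attack, not a tool that talks to a real access point."""


def rc4(key: bytes, length: int) -> bytes:
    """Generate `length` bytes of RC4 keystream for `key` (KSA + PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):                     # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                  # pseudo-random generation algorithm
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % 256])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style encryption: the per-frame key is IV || shared key and the IV is
    sent in the clear with the frame.  (The CRC-32 ICV is omitted for brevity.)
    RC4 is symmetric, so the same call decrypts."""
    return xor(plaintext, rc4(iv + shared_key, len(plaintext)))


# Constructed values: a 104-bit key and a 24-bit IV the AP happens to reuse.
SHARED_KEY = bytes.fromhex("0a1b2c3d4e5f60718293a4b5c6")
IV = bytes([0x3b, 0x17, 0xf2])
FRAME1 = b"GET /index.html HTTP/1.0\r\n"        # plaintext the attacker can guess
FRAME2 = b"user=alice&pass=s3cr3t\r\n"          # plaintext the attacker wants


def keystream_reuse_attack(c1: bytes, known_p1: bytes, c2: bytes) -> bytes:
    """Passive attacker: from two ciphertexts under the same IV and one known
    plaintext, recover the keystream and decrypt the other frame.  Only as many
    bytes as the known plaintext covers can be recovered."""
    keystream = xor(c1, known_p1)             # plaintext XOR ciphertext = keystream
    return xor(c2, keystream)


def demo() -> bytes:
    """Encrypt both frames under the same IV and run the attack; also confirms
    that c1 XOR c2 equals p1 XOR p2 without any key material."""
    c1 = wep_encrypt(SHARED_KEY, IV, FRAME1)
    c2 = wep_encrypt(SHARED_KEY, IV, FRAME2)
    assert xor(c1, c2) == xor(FRAME1, FRAME2)
    return keystream_reuse_attack(c1, FRAME1, c2)


if __name__ == "__main__":
    print(demo())
```

The attacker never touches the shared key: one guessable frame (an HTTP request line) gives the keystream for that IV, and every other frame sent under the same IV decrypts with it, up to the length of the known plaintext. Because the IV is only 24 bits, a busy AP repeats IVs within hours, which is why WEP is considered broken regardless of key length.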


    .:: || Security Application || ::.

    Email


    • has 2 parts:

    • header

    • body

    • sent in a text file format

    • MIME (Multipurpose Internet Mail Extensions) lets an email carry images, attachments or any other non-text content

    • not encrypted: the header and body cross the network as plain text, so any relay or eavesdropper can read them



    S/MIME

    • signs and/or encrypts the MIME content (signing gives origin authentication and integrity, encryption gives confidentiality)

    • the sender chooses per message whether it goes as plaintext, signed, encrypted, or both



    Web Security

    • To secure web/HTTP traffic

    • Use SSL/TLS, SSH (tunnelling), or SET (Secure Electronic Transaction, for card payments)





    Email Transported

    Monday, October 26, 2009

    .:: || Security In Network || ::.

    Computer Networks

    Definition

    A computer network is a computing environment with more than one independent processor.

    Network Resources :


    • Computers

    • Operating Systems

    • Programs

    • Process

    • People



    Network Architecture


    Network architecture
    is the design of a communications network. It is a framework for the specification of a network's physical components and their functional organization and configuration, its operational principles and procedures, as well as data formats used in its operation.

    In computing, the network architecture is a characteristics of a computer network. The most prominent architecture today is evident in the framework of the Internet, which is based on the Internet Protocol Suite.

    Basic Terminology

    • Node

    • Host

    • Link

    • Topology



    Type of Network



    Network Topology

    Bus Topology


    A bus network topology is a network architecture in which a set of clients are connected via a shared communications line, called a bus. There are several common instances of the bus architecture, including one in the motherboard of most computers, and those in some versions of Ethernet networks.

    Bus networks are the simplest way to connect multiple clients, but may have problems when two clients want to transmit at the same time on the same bus. Thus systems which use bus network architectures normally have some scheme of collision handling or collision avoidance for communication on the bus, quite often using Carrier Sense Multiple Access or the presence of a bus master which controls access to the shared bus resource.

    Star Topology


    Star networks are one of the most common computer network topologies. In its simplest form, a star network consists of one central switch, hub or computer, which acts as a conduit to transmit messages. Thus, the hub and leaf nodes, and the transmission lines between them, form a graph with the topology of a star. If the central node is passive, the originating node must be able to tolerate the reception of an echo of its own transmission, delayed by the two-way transmission time (i.e. to and from the central node) plus any delay generated in the central node. An active star network has an active central node that usually has the means to prevent echo-related problems.

    Ring Topology


    A ring network is a network topology in which each node connects to exactly two other nodes, forming a single continuous pathway for signals through each node - a ring. Data travels from node to node, with each node along the way handling every packet.

    Because a ring topology provides only one pathway between any two nodes, ring networks may be disrupted by the failure of a single link. A node failure or cable break might isolate every node attached to the ring. FDDI networks overcome this vulnerability by sending data on a clockwise and a counterclockwise ring: in the event of a break data is wrapped back onto the complementary ring before it reaches the end of the cable, maintaining a path to every node along the resulting "C-Ring". 802.5 networks -- also known as IBM Token Ring networks -- avoid the weakness of a ring topology altogether: they actually use a star topology at the physical layer and a Multistation Access Unit to imitate a ring at the datalink layer.

    Many ring networks add a "counter-rotating ring" to form a redundant topology. Such "dual ring" networks include Spatial Reuse Protocol, Fiber Distributed Data Interface (FDDI), and Resilient Packet Ring.

    Mesh Topology


    Mesh networking is a type of networking where each node in the network may act as an independent router, regardless of whether it is connected to another network or not. It allows for continuous connections and reconfiguration around broken or blocked paths by “hopping” from node to node until the destination is reached. A mesh network whose nodes are all connected to each other is a fully connected network. Mesh networks differ from other networks in that the component parts can all connect to each other via multiple hops, and they generally are not mobile. Mesh networks can be seen as one type of ad hoc network.

    Layer Responsibilities




    Advantage Computer Network


    • Resource sharing

    • Increased reliability

    • Distributing the workload

    • Expandability



    Disadvantages Computer Network

    • Sharing

    • Complexity

    • Unknown perimeter

    • Many points of attack

    • Unknown path

    • Label format differences



    Person who cause the Security Problem:

    • Hacker

    • Spy

    • Student

    • Stockbroker

    • Terrorist

    • Ex-employee



    Network Security Control

    • Encryption

    • Strong Authentication

    • IPSec, VPN, SSH

    • Kerberos

    • Firewall

    • Intrusion Detection System (IDS)

    • Intrusion Prevention System (IPS)

    • Honeypot



    1. Encryption

    There are 2 types:

    • Link to link

    • End to end



    Link to link (link encryption)

    • covers layer 1 and layer 2 of the OSI model: each link is encrypted separately.

    • decryption occurs just as the communication arrives at each node (switch, router or the receiving computer), so the data is in plaintext inside every intermediate node and must be re-encrypted for the next link.



    End to end (end-to-end encryption)

    • the data is encrypted by the sending application and decrypted only by the receiving application; intermediate nodes forward ciphertext and never see the plaintext (the headers needed for routing stay in the clear).

    • This follows the end-to-end principle, which some assert is one of the central design principles of the Internet and is implemented in the design of the underlying methods and protocols in the Internet Protocol Suite. It is also used in other distributed systems. The principle states that, whenever possible, communications protocol operations should be defined to occur at the end-points of a communications system, or as close as possible to the resource being controlled.



    2. Strong Authentication

    • Strong authentication is a notion with several unofficial definitions; it is not standardized in the security literature.

    • Often, strong authentication is associated with two-factor authentication or more generally multi-factor authentication. It should also be remembered, however, that "strong authentication" and "multi-factor authentication" are fundamentally different processes. Soliciting multiple answers to challenge questions may be considered strong authentication but, unless the process also retrieves 'something you have' or 'something you are', it would not be considered multi-factor.



    3. IPSec, SSH and SSL

    IPSec

    • optional in IPv4 (originally mandatory to implement in IPv6)

    • defines a standard means of handling authenticated and encrypted IP datagrams

    • Implemented at the IP layer, so it protects every layer above it, in particular TCP and UDP, without changes to applications.

    • provides authentication and integrity (AH) and confidentiality with optional authentication (ESP)



    SSH

    • secure remote login (encrypt data send over the network)



    SSL


    • Secure Sockets Layer (superseded by TLS): encrypts data above the transport layer, i.e. on top of TCP.

    • SSL interfaces between applications (such as browsers) and the TCP/IP protocols to provide server authentication, optional client authentication, and an encrypted communications channel between client and server. Server authentication only holds if the client validates the server's certificate; a client that skips that check is open to man-in-the-middle attacks.



    4.Kerberos


    • Kerberos is a computer network authentication protocol, which allows nodes communicating over a non-secure network to prove their identity to one another in a secure manner.

    • Kerberos protocol messages are protected against eavesdropping and replay attacks. Kerberos builds on symmetric key cryptography and requires a trusted third party. Extensions to Kerberos can provide for the use of public-key cryptography during certain phases of authentication.



    A simplified description of the protocol follows. The following abbreviations are used:

    • AS = Authentication Server

    • SS = Service Server

    • TGS = Ticket-Granting Server

    • TGT = Ticket-Granting Ticket




    Phase 1: In messages 1 and 2, the client C and the AS authenticate and set up a short-term session key and a ticket-granting ticket (the client proves itself by being able to decrypt message 2 with the key derived from its password).


    Phase 2: In messages 3 and 4, C and the TGS authenticate (using the TGT plus an authenticator encrypted under the session key) and set up a new session key and a (service) ticket.

    Phase 3: In messages 5 and 6, C and the SS use the session key and ticket to authenticate each other and set up a secure session.

    Phases 2 and 3 will usually be repeated many times for each execution of Phase 1. Every ticket and authenticator carries a timestamp, which is why Kerberos requires loosely synchronised clocks and how the replay protection mentioned above works.
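Added example (not from the original notes): the three phases above simulated end to end in one Python process, with the AS, TGS and service sharing a constructed key table. Principal names, passwords, the 300-second lifetime and the HMAC-based encrypt-then-MAC construction used in place of Kerberos encryption are all assumptions for illustration; real Kerberos uses its own ASN.1 message formats, encryption types and string-to-key functions.

```python
"""Added example (not from the original notes): the three Kerberos phases
simulated in one process with a simplified KDC.  Principal names, passwords,
the ticket lifetime and the encrypt-then-MAC construction that stands in for
Kerberos encryption are all assumptions for illustration; real Kerberos has
its own message formats, encryption types and string-to-key functions."""
import hashlib, hmac, json, os, time

def _keystream(key, nonce, n):
    """HMAC-SHA256 in counter mode, a stand-in for a real cipher."""
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]

def seal(key, obj):
    """Encrypt-then-MAC a dict: nonce || ciphertext || tag."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Verify the tag, then decrypt; a wrong key (wrong password) fails here."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad MAC: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def string_to_key(password):   # simplified; real Kerberos salts and iterates
    return hashlib.sha256(password.encode()).digest()

# Constructed principal database shared by AS, TGS and the service (all in one process).
KEYS = {"alice": string_to_key("alice-pw"), "krbtgt": string_to_key("tgs-master"),
        "fileserver": string_to_key("svc-master")}
LIFETIME = 300                      # seconds a ticket or authenticator stays valid
TGS_SEEN, SVC_SEEN = set(), set()   # replay caches of authenticators already accepted

def as_exchange(client):
    """Phase 1, messages 1-2: AS returns session key sk1 under the client's key and a
    TGT under the TGS key carrying the same sk1.  Without pre-authentication the AS
    answers anyone; the client proves itself by being able to decrypt message 2."""
    sk1 = os.urandom(32).hex()
    tgt = seal(KEYS["krbtgt"], {"client": client, "key": sk1, "exp": time.time() + LIFETIME})
    return seal(KEYS[client], {"key": sk1, "tgs": "krbtgt"}), tgt

def _verify(ticket_key, ticket, authenticator, seen):
    """Server-side check shared by TGS and service: ticket decrypts and is unexpired,
    authenticator decrypts under the ticket's session key, names match, the
    timestamp is fresh and has not been accepted before (replay)."""
    t = unseal(ticket_key, ticket)
    if t["exp"] < time.time():
        raise ValueError("ticket expired")
    a = unseal(bytes.fromhex(t["key"]), authenticator)
    if a["client"] != t["client"] or abs(time.time() - a["ts"]) > LIFETIME:
        raise ValueError("authenticator does not match ticket or is stale")
    if (a["client"], a["ts"]) in seen:
        raise ValueError("replayed authenticator")
    seen.add((a["client"], a["ts"]))
    return t, a

def tgs_exchange(tgt, authenticator, service):
    """Phase 2, messages 3-4: TGS checks TGT + authenticator, issues sk2 and a
    service ticket under the service's long-term key."""
    t, _ = _verify(KEYS["krbtgt"], tgt, authenticator, TGS_SEEN)
    sk2 = os.urandom(32).hex()
    ticket = seal(KEYS[service], {"client": t["client"], "key": sk2, "exp": time.time() + LIFETIME})
    return seal(bytes.fromhex(t["key"]), {"key": sk2, "service": service}), ticket

def service_exchange(ticket, authenticator):
    """Phase 3, messages 5-6: service checks ticket + authenticator and echoes the
    timestamp under sk2, proving it could read the ticket (mutual authentication)."""
    t, a = _verify(KEYS["fileserver"], ticket, authenticator, SVC_SEEN)
    return seal(bytes.fromhex(t["key"]), {"ts": a["ts"]})

def client_login(client, password, service):
    """Client side of all three phases.  Returns the service ticket and
    authenticator as well, so that a replay of message 5 can be demonstrated."""
    msg2, tgt = as_exchange(client)
    sk1 = bytes.fromhex(unseal(string_to_key(password), msg2)["key"])
    msg4, ticket = tgs_exchange(tgt, seal(sk1, {"client": client, "ts": time.time()}), service)
    sk2 = bytes.fromhex(unseal(sk1, msg4)["key"])
    ts = time.time()
    authenticator = seal(sk2, {"client": client, "ts": ts})
    mutual_ok = unseal(sk2, service_exchange(ticket, authenticator))["ts"] == ts
    return {"mutual_auth_ok": mutual_ok, "ticket": ticket, "authenticator": authenticator}

def rejected(fn, *args):
    """True if the exchange raises ValueError (bad key, stale or replayed)."""
    try:
        fn(*args)
        return False
    except ValueError:
        return True
```

client_login runs messages 1 to 6 and reports whether the service's reply echoed the client's timestamp (mutual authentication). Re-presenting the same service ticket and authenticator is refused as a replay, and a wrong password fails at the first decryption because the AS reply is sealed under the key derived from the password.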

    5. Firewall


    • A firewall is a part of a computer system or network that is designed to block unauthorized access while permitting authorized communications. It is a device or set of devices configured to permit, deny, encrypt, decrypt, or proxy all (in and out) computer traffic between different security domains based upon a set of rules and other criteria.

    • Firewalls can be implemented in either hardware or software, or a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria



    There are several types of firewall techniques:

    • 1. Packet filter: Packet filtering inspects each packet passing through the network and accepts or rejects it based on user-defined rules. Although difficult to configure, it is fairly effective and mostly transparent to its users. However, because it trusts the addresses in the packet header, it is susceptible to IP spoofing.

    • 2. Application gateway: Applies security mechanisms to specific applications, such as FTP and Telnet servers. This is very effective, but can impose a performance degradation.

    • 3. Circuit-level gateway: Applies security mechanisms when a TCP or UDP connection is established. Once the connection has been made, packets can flow between the hosts without further checking.

    • 4. Proxy server: Intercepts all messages entering and leaving the network. The proxy server effectively hides the true network addresses.




    Show how a firewall works

    6. Intrusion Prevention System

    • An Intrusion prevention system (IPS) is a network security device that monitors network and/or system activities for malicious or unwanted behavior and can react, in real-time, to block or prevent those activities. Network-based IPS, for example, will operate in-line to monitor all network traffic for malicious code or attacks . When an attack is detected, it can drop the offending packets while still allowing all other traffic to pass. Intrusion prevention technology is considered by some to be an extension of intrusion detection (IDS) technology.



    7. Intrusion Detection System

    • An Intrusion detection system (IDS) is software and/or hardware designed to detect unwanted attempts at accessing, manipulating, and/or disabling computer systems, mainly through a network, such as the Internet. These attempts may take the form of attacks, as examples, by crackers, malware and/or disgruntled employees. An IDS cannot directly detect attacks within properly encrypted traffic.


    • An intrusion detection system is used to detect several types of malicious behaviors that can compromise the security and trust of a computer system. This includes network attacks against vulnerable services, data driven attacks on applications, host based attacks such as privilege escalation, unauthorized logins and access to sensitive files, and malware (viruses, trojan horses, and worms).




    Saturday, October 17, 2009

    .:: || Happy Deepavali || ::.



    Happy Deepavali To All Malaysian

    Wednesday, October 7, 2009

    .:: || Authentication & Access Control || ::.

    Authentication?

    Authentication (from Greek: αυθεντικός ; real or genuine, from authentes; author) is the act of establishing or confirming something (or someone) as authentic, that is, that claims made by or about the subject are true ("authentification" is a variant of this word). This might involve confirming the identity of a person, tracing the origins of an artifact, ensuring that a product is what its packaging and labeling claims to be, or assuring that a computer program is a trusted one.

    Requirement of Authentication

    Authentication must be able to verify that:

    1. The message came from its apparent source or author.
    2. The contents have not been altered.
    3. Sometimes, that it was sent at a certain time or in a certain sequence.

    Password

    Protection of passwords
    Don't give your password to anybody
    Don't write your password down or type it into just any machine
    Etc.

    Choosing a good password

    Criteria:
    Hard to guess and easy to remember
    Characteristics of a good password
    Not shorter than six characters (longer is better, as the calculation below shows)
    Not patterns from the keyboard
    Etc.

    Calculations on password

    Password population, N = r^s   (r = number of characters that can appear at each position, s = password length)
    Probability of guessing a password in one attempt = 1/N
    Probability of success, P = (n * t) / N   (n = guesses an attacker can make per unit time, t = time spent guessing; the formula holds while n * t <= N)

    Biometric Identifiers

    Biometrics refers to methods for uniquely recognizing humans based upon one or more intrinsic physical or behavioral traits. In information technology, in particular, biometrics is used as a form of identity access management and access control. It is also used to identify individuals in groups that are under surveillance.

    Biometric characteristics can be divided in 2 main classes:

    * Physiological are related to the shape of the body. Examples include, but are not limited to fingerprint, face recognition, DNA, hand and palm geometry, iris recognition, which has largely replaced retina, and odor/scent.
    * Behavioral are related to the behavior of a person. Examples include, but are not limited to typing rhythm, gait, and voice. Some researchers have coined the term behaviometrics for this class of biometrics.

    It is possible to understand if a human characteristic can be used for biometrics in terms of the following parameters:

    * Universality – each person should have the characteristic.
    * Uniqueness – is how well the biometric separates individuals from another.
    * Permanence – measures how well a biometric resists aging and other variance over time.
    * Collectability – ease of acquisition for measurement.
    * Performance – accuracy, speed, and robustness of technology used.
    * Acceptability – degree of approval of a technology.
    * Circumvention – ease of use of a substitute.

    A biometric system can operate in the following two modes:

    * Verification – A one to one comparison of a captured biometric with a stored template to verify that the individual is who he claims to be. Can be done in conjunction with a smart card, username or ID number.
    * Identification – A one to many comparison of the captured biometric against a biometric database in attempt to identify an unknown individual. The identification only succeeds in identifying the individual if the comparison of the biometric sample to a template in the database falls within a previously set threshold.

    Basic block diagram of a biometric system.


    Biometric Method

    Face recognition



    Of the various biometric identification methods, face recognition is one of the most flexible, working even when the subject is unaware of being scanned. It also shows promise as a way to search through masses of people who spent only seconds in front of a "scanner" - that is, an ordinary digital camera.
    Face recognition systems work by systematically analyzing specific features that are common to everyone's face - the distance between the eyes, width of the nose, position of cheekbones, jaw line, chin and so forth. These numerical quantities are then combined in a single code that uniquely identifies each person.

    Fingerprint identification



    Fingerprints remain constant throughout life. In over 140 years of fingerprint comparison worldwide, no two fingerprints have ever been found to be alike, not even those of identical twins. Good fingerprint scanners have been built into PDAs like the iPaq Pocket PC, so the scanner technology is mature and cheap. It might not work in industrial applications, since it requires clean hands.
    Fingerprint identification involves comparing the pattern of ridges and furrows on the fingertips, as well as the minutiae points (ridge characteristics that occur when a ridge splits into two, or ends) of a specimen print with a database of prints on file.

    Hand geometry biometrics



    Hand geometry readers work in harsh environments, do not require clean conditions, and produce a very small template. It is not regarded as an intrusive kind of test. It is often the authentication method of choice in industrial environments.

    Retina scan



    There is no known way to replicate a retina. As far as anyone knows, the pattern of the blood vessels at the back of the eye is unique and stays the same for a lifetime. However, it requires about 15 seconds of careful concentration to take a good scan. Retina scan remains a standard in military and government installations.

    Access Control

    What you know about Access Control ?

    An access control system is a system which enables an authority to control access to areas and resources in a given physical facility or computer-based information system. An access control system, within the field of physical security, is generally seen as the second layer in the security of a physical structure.

    Access Control Principles



    Access Control Requirements

    ¤ reliable input
    ¤ fine and coarse specifications
    ¤ least privilege
    ¤ separation of duty
    ¤ open and closed policies
    ¤ policy combinations, conflict resolution
    ¤ administrative policies

    Access Control Matrix

    Access Control Matrix or Access Matrix is an abstract, formal security model of protection state in computer systems, that characterizes the rights of each subject with respect to every object in the system.

    Example Access Control Matrix

    Consider system with two files and two processes. Set of rights is - r,w,x,a,o (read, write, execute, append, own).



    The matrix is usually large and sparse, hence inefficient to store directly in general-purpose scenarios; it is seldom used as-is and is instead decomposed by column into access control lists or by row into capability lists.

    Access Control List

    An access control list (ACL) is a list of permissions attached to an object. An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed to be performed on given objects. In a typical ACL, each entry in the list specifies a subject and an operation (e.g. the entry (Alice, delete) on the ACL for file WXY gives Alice permission to delete file WXY).
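Added example (not from the original notes): the two-file, two-process matrix from the section above as a Python structure, with the per-object ACL and per-subject capability views derived from it and an owner-controlled grant. The actual rights in each cell are constructed, since the notes' figure of the matrix is not reproduced here.

```python
"""Added example (not from the original notes): the two-file, two-process
access matrix from the notes, kept as a matrix and then projected by column
into per-object ACLs and by row into per-subject capability lists, with an
owner-controlled grant.  The subject/object names and the rights in each cell
are constructed for illustration (the notes do not give the cell contents)."""

RIGHTS = {"r": "read", "w": "write", "x": "execute", "a": "append", "o": "own"}

# Matrix: subject -> object -> set of rights.  Cells with no rights are omitted.
MATRIX = {
    "process1": {"file1": {"r", "w", "o"}, "file2": {"r"}, "process2": {"w"}},
    "process2": {"file1": {"a"}, "file2": {"r", "o"}, "process1": {"r"}},
}


def check(matrix, subject, obj, right):
    """Reference-monitor decision under a closed policy: anything not explicitly
    granted in cell (subject, obj) is denied."""
    if right not in RIGHTS:
        raise ValueError(f"unknown right {right!r}")
    return right in matrix.get(subject, {}).get(obj, set())


def to_acls(matrix):
    """Column view: for each object, the list of (subject, rights) entries.
    This is what a file system stores next to the object."""
    acls = {}
    for subject, row in matrix.items():
        for obj, rights in row.items():
            if rights:
                acls.setdefault(obj, []).append((subject, frozenset(rights)))
    return acls


def to_capabilities(matrix):
    """Row view: for each subject, the (object, rights) tokens it holds."""
    return {s: [(o, frozenset(r)) for o, r in row.items() if r]
            for s, row in matrix.items()}


def acl_check(acls, subject, obj, right):
    """Same decision as check(), but answered from the object's ACL."""
    return any(s == subject and right in rights for s, rights in acls.get(obj, []))


def grant(matrix, granter, obj, subject, right):
    """Owner-controlled delegation: only a subject holding 'o' on obj may add
    rights to it.  Mutates and returns the matrix."""
    if not check(matrix, granter, obj, "o"):
        raise PermissionError(f"{granter} does not own {obj}")
    matrix.setdefault(subject, {}).setdefault(obj, set()).add(right)
    return matrix


def copy_matrix(matrix):
    """Deep copy, so experiments do not disturb the constructed MATRIX."""
    return {s: {o: set(r) for o, r in row.items()} for s, row in matrix.items()}


def grant_refused(matrix, granter, obj, subject, right):
    """True if grant() refuses (shows that a non-owner cannot delegate)."""
    try:
        grant(copy_matrix(matrix), granter, obj, subject, right)
        return False
    except PermissionError:
        return True
```

check() and acl_check() give the same answer for every cell; the ACL is just the matrix stored column by column next to each object, which is the form file systems use. The capability list is the row view, which is what a process carries around. grant() enforces that only a holder of the 'o' right can change a column.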

    UNIX File Access Control



    ¤ "set user ID" (SetUID) or "set group ID" (SetGID)
    ¤ when such a file is executed, the process runs with the effective user / group ID of the file's owner / group (its real IDs stay those of the user who ran it) and access control decisions are made on those effective IDs
    ¤ enables privileged programs (e.g. passwd) to access files / resources not generally accessible, so every setuid program is a trust boundary that must validate its input carefully
    ¤ sticky bit
    ¤ on a directory, limits rename / move / delete of an entry to the entry's owner, the directory's owner or the superuser (e.g. /tmp)
    ¤ superuser
    ¤ is exempt from the usual access control restrictions

    File Permission

    There are three specific permissions on Unix-like systems that apply to each class:

    * The read permission

    which grants the ability to read a file. When set for a directory, this permission grants the ability to read the names of files in the directory (but not to find out any further information about them, including file type, size, ownership, permissions.)

    * The write permission

    which grants the ability to modify a file. When set for a directory, this permission grants the ability to modify entries in the directory. This includes creating files, deleting files, and renaming files.

    * The execute permission

    which grants the ability to execute a file. This permission must be set for executable binaries (for example, a compiled C++ program) or scripts (for example, a Perl program) in order to allow the operating system to run them. When set for a directory, this permission grants the ability to traverse its tree in order to access files or subdirectories, but not to list the files inside the directory (unless read is also set).
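Added example (not from the original notes): a Python model of the Unix access decision for the mode word described in this section, covering the owner/group/other classes, the superuser exemption, a setuid-root program and the sticky bit on /tmp. The users, groups and inode entries are constructed for illustration; stat.filemode() from the standard library renders the mode the way ls does.

```python
"""Added example (not from the original notes): how a Unix kernel turns a
file's mode word (type bits, setuid/setgid/sticky, rwx for owner, group and
other) into an access decision, including the superuser exemption, the sticky
bit on /tmp and the identity a setuid program runs with.  The users, groups
and file entries below are constructed for illustration."""
import stat


class Inode:
    """The fields of an inode that matter for an access decision."""
    def __init__(self, name, mode, uid, gid):
        self.name, self.mode, self.uid, self.gid = name, mode, uid, gid

    @property
    def is_dir(self):
        return stat.S_ISDIR(self.mode)


class Cred:
    """A process's effective identity: uid, primary gid, supplementary groups."""
    def __init__(self, uid, gid, groups=()):
        self.uid, self.gid, self.groups = uid, gid, set(groups) | {gid}


def class_bits(f, cred):
    """Exactly one class applies: owner, else group, else other (no fall-through)."""
    if cred.uid == f.uid:
        return (f.mode >> 6) & 0o7
    if f.gid in cred.groups:
        return (f.mode >> 3) & 0o7
    return f.mode & 0o7


def access(f, cred, want):
    """`want` is a subset of 'rwx'.  On a directory, 'r' means listing names and
    'x' means traversing it.  uid 0 bypasses the rwx bits, except that it still
    cannot execute a regular file that has no x bit at all."""
    if cred.uid == 0:
        return not ("x" in want and not f.is_dir and not f.mode & 0o111)
    bits = class_bits(f, cred)
    need = {"r": 0o4, "w": 0o2, "x": 0o1}
    return all(bits & need[c] for c in want)


def exec_identity(f, cred):
    """Identity a process gets when it executes f: setuid/setgid swap in the
    file's owner/group as the effective IDs; the real uid/gid stay the caller's."""
    euid = f.uid if f.mode & stat.S_ISUID else cred.uid
    egid = f.gid if f.mode & stat.S_ISGID else cred.gid
    return Cred(euid, egid, cred.groups)


def can_unlink(directory, entry, cred):
    """Deleting or renaming an entry needs w+x on the directory; with the sticky
    bit set the caller must also own the entry or the directory (or be root)."""
    if not access(directory, cred, "wx"):
        return False
    if directory.mode & stat.S_ISVTX and cred.uid not in (0, entry.uid, directory.uid):
        return False
    return True


# Constructed entries (uid 1000 = alice, 1001 = bob, gid 42 = shadow group).
ETC_PASSWD = Inode("/etc/passwd", 0o100644, 0, 0)
ETC_SHADOW = Inode("/etc/shadow", 0o100640, 0, 42)
PASSWD_BIN = Inode("/usr/bin/passwd", 0o104755, 0, 0)   # setuid root
TMP = Inode("/tmp", 0o041777, 0, 0)                      # sticky, world-writable
ALICE_NOTE = Inode("/tmp/alice.txt", 0o100644, 1000, 1000)
ALICE, BOB = Cred(1000, 1000), Cred(1001, 1001)


if __name__ == "__main__":
    print(stat.filemode(PASSWD_BIN.mode), access(ETC_SHADOW, ALICE, "r"),
          access(ETC_SHADOW, exec_identity(PASSWD_BIN, ALICE), "rw"))
```

alice cannot read /etc/shadow directly, but running the setuid-root passwd binary gives her process an effective uid of 0 that can; bob cannot delete alice's file in /tmp because the sticky bit restricts deletion to the entry's owner even though the directory is world-writable. Note that the kernel picks exactly one class: an owner whose owner bits are 000 is denied even if the 'other' bits would allow access.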
