TCP/IP is a large collection of different communication protocols based on the two original protocols, TCP and IP. TCP is used to transfer data from an application to the network. It is also responsible for breaking data into IP packets before they are sent, and for reassembling the packets when they arrive. IP takes care of the communication with other computers and is responsible for sending and receiving data packets over the Internet. However, the TCP/IP protocol suite has a number of vulnerabilities and is considered insecure. These vulnerabilities are frequently used by attackers for denial of service (DoS) attacks, connection hijacking and other attacks. Some threats to TCP/IP security are discussed below:
Synchronize segment (SYN) Attack
TCP sequence numbers are used to ensure that data is delivered to the user in the correct order. The initial sequence numbers are exchanged during the connection establishment phase, the three-way handshake that opens a TCP connection. The TCP Synchronize segment (SYN) attack takes advantage of a weakness in how most hosts implement this handshake. When host B receives a SYN request from host A, it must keep track of the partially opened connection in a "listen queue" for at least 75 seconds, and a host can track only a limited number of such connections. A malicious host can exploit the small size of the listen queue by sending many SYN requests to a host but never answering the Synchronize Acknowledgement (SYN-ACK) segments the other host sends back. By doing so, the other host's listen queue quickly fills up, and it stops accepting new connections until some of the partially opened connections in the queue complete or time out. This ability to remove a host from the network is a denial of service (DoS) attack; it can also be used as a step in other attacks, such as IP spoofing.
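The listen queue exhaustion described above, beside the SYN cookie defence that keeps no per-SYN state, as an added Python example that is not part of the original text: the server model, the secret, the tiny backlog and the addresses are constructed assumptions.

```python
import hashlib
import hmac

# Constructed values for this example: a per-server secret and a deliberately
# tiny listen queue; 75 s is the half-open lifetime the text quotes.
SECRET = b"constructed-demo-secret-rotate-me"
LISTEN_TIMEOUT = 75.0
BACKLOG = 5
SERVER_IP, SERVER_PORT = "192.0.2.1", 80


def _cookie_mac(src_ip, src_port, dst_ip, dst_port, client_isn, slot):
    """24-bit MAC over the connection 4-tuple, the client's ISN and a time slot."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{client_isn}|{slot}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, now):
    """Server ISN that carries the handshake state instead of a queue entry:
    an 8-bit 64-second time slot in the top byte and the 24-bit MAC below it.
    (Real SYN cookies also encode the MSS; omitted here for brevity.)"""
    slot = (int(now) >> 6) & 0xFF
    return (slot << 24) | _cookie_mac(src_ip, src_port, dst_ip, dst_port, client_isn, slot)


def check_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, ack, now):
    """Third handshake segment: ack must be cookie + 1, the cookie's slot must be
    the current or previous one, and its MAC must recompute."""
    cookie = (ack - 1) & 0xFFFFFFFF
    slot = cookie >> 24
    if (((int(now) >> 6) & 0xFF) - slot) & 0xFF > 1:
        return False
    return (cookie & 0xFFFFFF) == _cookie_mac(src_ip, src_port, dst_ip, dst_port, client_isn, slot)


class Server:
    """Minimal model of the passive side of the three-way handshake."""

    def __init__(self, use_cookies, backlog=BACKLOG):
        self.use_cookies = use_cookies
        self.backlog = backlog
        self.half_open = {}      # (src_ip, src_port) -> (server_isn, arrival time)
        self.established = set()
        self._next_isn = 1000

    def _expire(self, now):
        self.half_open = {k: v for k, v in self.half_open.items()
                          if now - v[1] < LISTEN_TIMEOUT}

    def on_syn(self, src_ip, src_port, client_isn, now):
        """Return the ISN for our SYN-ACK, or None if the SYN had to be dropped."""
        if self.use_cookies:
            # No state is kept, so unanswered SYNs cost the server nothing.
            return syn_cookie(src_ip, src_port, SERVER_IP, SERVER_PORT, client_isn, now)
        self._expire(now)
        if len(self.half_open) >= self.backlog:
            return None          # listen queue full: this SYN is turned away
        self._next_isn += 64000
        self.half_open[(src_ip, src_port)] = (self._next_isn, now)
        return self._next_isn

    def on_ack(self, src_ip, src_port, client_isn, ack, now):
        """Third segment: ack must equal our ISN + 1 (from the queue or the cookie)."""
        if self.use_cookies:
            ok = check_cookie(src_ip, src_port, SERVER_IP, SERVER_PORT, client_isn, ack, now)
        else:
            entry = self.half_open.pop((src_ip, src_port), None)
            ok = entry is not None and ack == entry[0] + 1
        if ok:
            self.established.add((src_ip, src_port))
        return ok


def flood_then_connect(use_cookies, spoofed_syns=20):
    """Deliver spoofed SYNs that are never acknowledged, then attempt one real
    handshake 10 s later. Returns True if the legitimate client gets connected."""
    srv = Server(use_cookies)
    now = 1000.0
    for i in range(spoofed_syns):                 # constructed spoofed sources
        srv.on_syn(f"198.51.100.{i}", 40000 + i, 1, now)
    isn = srv.on_syn("192.0.2.7", 51000, 4242, now + 10)
    if isn is None:
        return False
    return srv.on_ack("192.0.2.7", 51000, 4242, isn + 1, now + 10.2)
```

Without cookies the 20 unanswered SYNs fill the 5-entry queue and the legitimate client is refused for the rest of the 75-second window; with cookies the same flood leaves no state behind and the real handshake completes.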
IP Spoofing
IP spoofing is the unauthorized use of a computer in which an attacker sends messages to a computer's IP address with a forged source address, so that the messages appear to come from a trusted host. The IP layer assumes that the source address of any IP packet it receives is the actual IP address of the system that sent the packet; it performs no authentication at all. Many other protocols and applications make this assumption as well, so anyone able to forge the source address of IP packets may gain unauthorized privileges.
Routing Information Protocol (RIP) Attack
This attack makes use of the Routing Information Protocol (RIP), an essential component of a TCP/IP network. RIP distributes routing information within a network, such as the shortest path to a destination, and advertises routes out from the local network. Like TCP/IP itself, RIP has no built-in authentication, and the information carried in a RIP packet is often used without being verified. A RIP attack changes where data is routed to, rather than where it comes from: all packets sent from the network are routed to host X, where they can be examined or modified. An attacker can also use RIP to effectively impersonate any host, so that all traffic meant for that host is sent to the attacker's machine instead.
Internet Control Message Protocol (ICMP) Attack
The Internet Control Message Protocol (ICMP) is used by the IP layer to send one-way informational messages to a host. There is no authentication in ICMP, so attacks that use ICMP can cause denial of service or allow an attacker to intercept packets.
For denial of service (DoS), one of the main uses of ICMP is the "Time Exceeded" or "Destination Unreachable" message, either of which can cause a host to immediately drop a connection. An attacker can forge one of these ICMP messages and send it to one or both of the communicating hosts to tear down their connection. ICMP messages can also be used to intercept packets, using the ICMP "Redirect" message. Gateways normally send this message when a host has mistakenly assumed that a destination is not on the local network. If an attacker forges an ICMP "Redirect" message, it can cause another host to send the packets of certain connections through the attacker's host. This attack is similar to the RIP attack, except that ICMP messages only apply to existing connections, and the attacker (the host receiving the redirected packets) must be on the local network.
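The host-side acceptance rules that stop a forged Redirect from taking effect, as an added Python example that is not part of the original text: the local network, the current gateway and the sample redirect messages are constructed.

```python
import ipaddress

# Constructed values for this example: the host's directly connected network and
# the first-hop gateway it is currently using (documentation-range addresses).
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")
CURRENT_GATEWAY = ipaddress.ip_address("192.0.2.1")


def redirect_decision(src, new_gateway, dest,
                      local_net=LOCAL_NET, current_gateway=CURRENT_GATEWAY):
    """Decide whether a received ICMP Redirect may update the routing cache.

    RFC 1122 (section 3.2.2.2) requires that the redirect come from the gateway
    the host currently uses for the destination and that the new gateway be on a
    directly connected network. A redirect for an on-link destination is also
    refused here, since no gateway is needed for it. Anything else is the forged
    case described above and should be dropped and logged, not applied."""
    src, new_gw, dest = (ipaddress.ip_address(a) for a in (src, new_gateway, dest))
    if src != current_gateway:
        return False, "not from the current first-hop gateway"
    if new_gw not in local_net:
        return False, "new gateway is not on a directly connected network"
    if dest in local_net:
        return False, "destination is on-link, no gateway needed"
    return True, "accepted"


# Constructed redirects: (source of the ICMP message, advertised gateway, destination)
SAMPLES = [
    ("192.0.2.1", "192.0.2.2", "203.0.113.10"),     # genuine: from our gateway, on-link target
    ("192.0.2.66", "192.0.2.66", "203.0.113.10"),   # forged by another LAN host naming itself
    ("192.0.2.1", "198.51.100.9", "203.0.113.10"),  # points off-link
    ("192.0.2.1", "192.0.2.2", "192.0.2.40"),       # redirect for an on-link destination
]


def audit(samples=SAMPLES):
    """Run the checks over the samples; returns a list of (accepted, reason)."""
    return [redirect_decision(*s) for s in samples]
```

Hosts that never need redirects can refuse them outright; on Linux that is the net.ipv4.conf.all.accept_redirects sysctl set to 0.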
Domain Name Service (DNS) Attack
The Domain Name Service (DNS) is a widely used protocol on the Internet that maps host names to IP addresses and vice versa. An attacker can abuse the mapping from IP addresses to host names to deceive authentication that is based on domain names. Such attacks can be prevented by performing a second DNS query on the host name returned by the first (reverse) query and checking that it resolves back to the original IP address.
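The "second DNS query" check described above (forward-confirmed reverse DNS) beside the weak reverse-only check, as an added Python example that is not part of the original text: the resolver is a stand-in with constructed zone data, so nothing is looked up over the network.

```python
# Constructed zone data stands in for live DNS so the example runs offline.

def normalize(name):
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.rstrip(".").lower()


class FakeResolver:
    """Stand-in for a DNS resolver; the tables are constructed for the example."""

    def __init__(self, a_records, ptr_records):
        self.a = {normalize(n): set(ips) for n, ips in a_records.items()}
        self.ptr = {ip: normalize(n) for ip, n in ptr_records.items()}

    def reverse(self, ip):          # PTR lookup: address -> name
        return self.ptr.get(ip)

    def forward(self, name):        # A lookup: name -> addresses
        return self.a.get(normalize(name), set())


def trusted_by_reverse_only(resolver, ip, trusted_names):
    """The weak check: trust whatever name the PTR record claims."""
    name = resolver.reverse(ip)
    return name is not None and name in {normalize(n) for n in trusted_names}


def trusted_by_forward_confirmation(resolver, ip, trusted_names):
    """The fixed check: the PTR name must also resolve back to the original IP."""
    name = resolver.reverse(ip)
    if name is None or name not in {normalize(n) for n in trusted_names}:
        return False
    return ip in resolver.forward(name)


# The attacker controls the reverse zone for its own 203.0.113.0/24 range and
# has pointed the PTR record at a name inside the trusted domain.
RESOLVER = FakeResolver(
    a_records={"trusted.example.com.": ["192.0.2.10"],
               "attacker.example.net": ["203.0.113.5"]},
    ptr_records={"192.0.2.10": "trusted.example.com",
                 "203.0.113.5": "TRUSTED.example.com."},
)
TRUSTED = ["trusted.example.com"]


def evaluate(ip, resolver=RESOLVER, trusted=TRUSTED):
    """Returns (weak_check_result, fixed_check_result) for a connecting address."""
    return (trusted_by_reverse_only(resolver, ip, trusted),
            trusted_by_forward_confirmation(resolver, ip, trusted))
```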
The IP address is no longer unique
The IP address as an identifier is no longer unique: any security scheme that depends on IP addresses remaining stable over time, or unique across the network, may have loopholes because of the widespread use of network address translation and dynamic IP addressing. In today's TCP/IP networks, widely used protocols such as PPP/SLIP and DHCP allow a specific host's address to change over time: with each connection in the case of PPP/SLIP, while DHCP lets a host "lease" an IP address for an arbitrary length of time. Firewalls, proxy servers, SOCKS and other "network address translation" devices further complicate the use of IP addresses as identifiers, because they may rewrite addresses as traffic moves between internal and external networks. Different hosts may use the same IP address, and the same host may use different IP addresses. Therefore, IP addresses cannot be used to uniquely identify a host, even for a short period of time.
There are many tools that can reduce or avoid these security issues. At the same time, a lot of effort has been put into improving the TCP/IP protocols to eliminate security vulnerabilities. IPsec is one such addition to the TCP/IP protocol suite, and IPv6 has a number of security options and features built in.
Secure Sockets Layer (SSL)
Secure Sockets Layer (SSL) is a commonly used protocol for managing the security of message transmission on the Internet. SSL uses a program layer located between the Internet's Hypertext Transfer Protocol (HTTP) and Transmission Control Protocol (TCP) layers. SSL is included as part of both the Microsoft and Netscape browsers and most Web server products. Developed by Netscape, SSL also gained the support of Microsoft and other Internet client/server developers and became the de facto standard until it evolved into Transport Layer Security (TLS). The "sockets" part of the term refers to the sockets method of passing data back and forth between a client and a server program in a network, or between program layers on the same computer. SSL uses the public-and-private key encryption system from RSA, which also includes the use of digital certificates.
TLS and SSL are an integral part of most Web browsers (clients) and Web servers. If a Web site is on a server that supports SSL, SSL can be enabled and specific Web pages can be identified as requiring SSL access. Any Web server can be enabled by using Netscape's SSLRef program library, which can be downloaded for non-commercial use or licensed for commercial use. TLS and SSL are not interoperable. However, a message sent with TLS can be handled by a client that handles SSL but not TLS.
Internet Protocol Security (IPsec)
Internet Protocol Security (IPsec) is a framework for a set of protocols providing security at the network or packet processing layer of network communication. Earlier security approaches inserted security at the application layer of the communications model. IPsec is said to be especially useful for implementing virtual private networks (VPNs) and for remote user access through dial-up connections to private networks. A major advantage of IPsec is that the security arrangements can be handled without requiring changes to individual users' computers. Cisco has been a leader in proposing IPsec as a standard (or combination of standards and technologies) and has included support for it in its network routers.
IPsec provides two choices of security service: Authentication Header (AH), which essentially allows authentication of the sender of the data, and Encapsulating Security Payload (ESP), which supports both authentication of the sender and encryption of the data as well. The specific information associated with each of these services is inserted into the packet in a header that follows the IP packet header. Separate key protocols can be selected.
Kerberos
Kerberos is a secure method for authenticating a request for a service in a computer network. Kerberos was developed in the Athena Project at the Massachusetts Institute of Technology (MIT). The name is taken from Greek mythology, in which Kerberos was a three-headed dog who guarded the gates of Hades. Kerberos lets a user request an encrypted "ticket" from an authentication process, which can then be used to request a particular service from a server. The user's password does not have to pass over the network.
Security evaluation by an independent body is a widely accepted approach, used as an important criterion for assurance of the security of a system. Write a report discussing the following:
- Trusted Computer System Evaluation Criteria (TCSEC) - the 'orange book'.
- Trusted Network Interpretation (TNI) - the 'red book'.
- Information Technology Security Evaluation Criteria (ITSEC).
- The Common Criteria.
- What types of products are evaluated using a security evaluation criterion?
Trusted computer system evaluation criteria (TCSEC)
The Trusted Computer System Evaluation Criteria (TCSEC) is a United States Government Department of Defense (DoD) standard that sets basic requirements for assessing the effectiveness of the computer security controls built into a computer system, including security evaluation across a whole network. The TCSEC was used to evaluate, classify and select computer systems being considered for the processing, storage and retrieval of sensitive or classified information. It grades security from D (Minimal Protection) to A1 (Verified Protection). Most operating systems and network operating systems are classified at the C2 level. It is also known as the 'Orange Book'.
Trusted Network Interpretation (TNI)
The Trusted Network Interpretation (TNI) of the TCSEC, also known as the 'Red Book', restates the requirements of the TCSEC for networks. The type of networked system it describes in its first part (sometimes referred to as distributed or homogeneous systems) is usually not addressed directly by a TCSEC evaluation; the TNI shows how such an evaluation is carried out.
Information Technology Security Evaluation Criteria (ITSEC)
The Information Technology Security Evaluation Criteria (ITSEC) is a structured set of criteria for evaluating computer security within products and systems. ITSEC has probably been the most successful set of computer security evaluation criteria since the 1990s. It is much more flexible than the TCSEC, and easier and cheaper to apply. ITSEC does not require that specific technical features be included in the evaluated target in order to reach a particular assurance level; for example, a target may provide integrity functionality without providing authentication, confidentiality or availability. A given target's security features are documented in a Security Target document, whose contents must be evaluated and approved before the target itself is evaluated. Each ITSEC evaluation is based solely on verifying the security features identified in the Security Target.
The Common Criteria
The Common Criteria is a framework in which users of computer systems can specify their security functional and assurance requirements, vendors can implement and/or make claims about the security attributes of their products, and testing laboratories can evaluate the products to determine whether they actually meet those claims. In other words, the Common Criteria provides assurance that the specification, implementation and evaluation of a computer security product have been carried out in a rigorous and standard manner. The Common Criteria grew out of these pre-existing standards, so that companies selling computer products to governments (mainly for defence or intelligence use) only need to have them evaluated against a single set of criteria.
- Briefly describe the following:
- Intrusion detection system (IDS)
- Intrusion prevention systems
- Three main types of IDS
- IDS evasion techniques
- Many free IDSs are available on the Internet. Select an IDS which, in your opinion, can effectively demonstrate the typical functions of Intrusion Detection Systems. Implement the selected IDS and prepare a brief report describing your experience.
Intrusion detection system (IDS)
An Intrusion Detection System (IDS) is a mechanism or procedure for detecting intrusion attempts or attacks, using software running on the system or in the network. Intrusion detection is often combined with real-time network monitoring, data collection and analysis in order to identify attacks. An IDS is a type of computer and network security management system: it gathers and analyzes information from various areas within a computer or network to identify possible security breaches, which include both intrusions and misuse.
Intrusion Prevention System
An Intrusion Prevention System (IPS) is a network security device that monitors network and/or system activities for malicious or unwanted behaviour and can react, in real time, to block or prevent those activities. A network-based IPS, for example, operates in-line and monitors all network traffic for malicious code or attacks. When an attack is detected, it can drop the offending packets while still allowing all other traffic to pass. Intrusion prevention technology is considered by some to be an extension of intrusion detection (IDS) technology. A host-based IPS likewise denies potentially malicious activity on the host it protects. Host-based and network-based IPSs each have advantages and disadvantages; in many cases the two technologies are considered complementary. An IPS must also be a good IDS so that its false alarm rate stays low. Some IPSs can also prevent attacks that have not yet been discovered, such as those caused by buffer overflows.
Types of IDS
Unfortunately, there is no single intrusion detection solution that can monitor all malicious activity on a network. Instead, different techniques detect malicious activity in different parts of the network, and detect different types of malicious activity. There are, however, three main types of intrusion detection equipment: network intrusion detection systems (NIDS), host intrusion detection systems (HIDS) and honeypots.
A Network Intrusion Detection System (NIDS) is an independent platform that identifies intrusions by examining and monitoring the network traffic of multiple hosts. A NIDS receives network traffic by connecting to a network hub, to a network switch configured for port mirroring, or to a network tap. A Host Intrusion Detection System (HIDS) uses sensors installed directly on production computer systems to monitor a wide range of activity on the production system. The sensor usually consists of a software agent responsible for overseeing all activity of the host it is installed on, including the file system, logs and the kernel. Some application-based intrusion detection systems also fall into this category. A honeypot is a trap set to detect, deflect or in some way counteract attempts at unauthorized use of information systems. Generally it consists of a computer, data or a network site that appears to be part of the network but is actually isolated and monitored, and which seems to contain information or resources of value to attackers.
Sourcefire® Intrusion Detection System (IDS)
With increasingly complex security threats, such as malicious Internet worms, denial of service (DoS) attacks and attacks on e-commerce applications, effective network intrusion security is critical to maintaining a high level of protection. In my opinion, the Sourcefire® Intrusion Detection System (IDS) is an example that effectively demonstrates the typical functions of an Intrusion Detection System. It analyzes network traffic and alerts you to important threats that may affect your network. The system can be configured to reduce events to the most actionable ones and to provide complete network visibility, so that you can focus on immediate threats and weaknesses.
Based on its own Snort® rule-based detection engine, the Sourcefire® IDS offers a wide range of network intrusion detection and analysis capabilities, powerful reporting and unparalleled scalability. Using Sourcefire® 3D Sensors and the Sourcefire Defense Center® management console, Sourcefire's IPS deployed as an intrusion detection system uses a powerful combination of vulnerability-based and anomaly-based detection methods to detect attacks aimed at weaknesses.
Sourcefire's RNA® (Real-time Network Awareness) provides round-the-clock passive network monitoring, storing a real-time inventory of the operating systems, services, applications and protocols present on the network, together with the potential vulnerabilities that exist there. With comprehensive network visibility, IT professionals can see clearly what is running on their networks and identify threats and vulnerabilities to their network at any time.
RNA's ability to passively discover network assets and analyze network traffic lets it detect "deviations from normal" (for example, unusual changes in traffic type and/or volume) and "deviations from policy" (for example, unapproved devices, operating systems, services and so on). Sourcefire's ability to add context-sensitive host information to attack data ensures that the attacks requiring action stand out. Combining Sourcefire's IPS deployed in IDS mode with RNA information, and tuning it appropriately, can eliminate up to 99% of the events that are not actionable.
Most vendors offer a "one size fits all" IDS/IPS system, but Sourcefire is different. Sourcefire supports passive IDS sensors and inline IPS sensors in the same implementation, so that customers can add functionality as their needs change and optimize their network protection. Whether your organization is large or small, new to intrusion detection or more experienced, Sourcefire's intrusion detection and intrusion prevention systems provide a solution for your network security needs.
Peer-to-peer (P2P) networking has gained a great deal of popularity over the last decade. This technology has resulted in the creation of revolutionary applications in areas such as instant messaging, file sharing, shared workspaces, distributed repositories and audio/visual streaming. Most candidates should be familiar with commonly known P2P applications. Unfortunately, some people have been quick to exploit this technology, and new vulnerabilities have been introduced into networked systems.
Write a report addressing the following:
- Briefly describe FIVE vulnerabilities which P2P networks have in common with "traditional" networks.
- Briefly describe the vulnerabilities peculiar to the P2P technology.
- For THREE of the vulnerabilities described above in parts (b) and (c), detail the countermeasures that could be implemented to defend an enterprise from potential attacks.
- Pick THREE P2P applications of your choice; vulnerabilities already described in part (b) should not be fully described again in this answer.
A peer-to-peer (P2P) network is a type of network in which each computer has equivalent capabilities and responsibilities. This differs from client/server architectures, in which some computers are dedicated to serving the others. Peer-to-peer networks are generally simpler, but they usually do not offer the same performance under heavy load. A P2P network relies on the computing power at the two ends of a connection rather than on the network itself.
P2P is often incorrectly used as a term describing one user connecting to another to transfer information and files through a common P2P client, in order to download MP3 music, videos, images, games and other software. However, this is only one type of P2P network. P2P networks are generally used for sharing files, but a P2P network can also mean grid computing or instant messaging.
FIVE vulnerabilities which P2P networks have in common with "traditional" networks
Denial of Service Attack
Denial of service (DoS), as the name implies, is an attack that causes a service to stop functioning. There is no limit to the forms a denial of service can take, but in P2P networks the most common attack is simple flooding. This attack floods the network with invalid data packets, which effectively prevents legitimate information requests or transfers. It effectively stops all communication along the affected lines.
In this type of attack, the attacker hides behind an additional layer of indirection, which makes it difficult to find the original source.
DoS (and DDoS) attacks become more likely when a node is involved in a large P2P network. To join the network, a node must be placed where the network can reach it (which usually means being placed outside the corporate firewall, or having P2P traffic specially permitted). This puts the node at a higher level of risk, because of the accessibility required for participation in the P2P network.
Man in the Middle (MitM) Attack
In a man in the middle (MitM) attack, the attacker positions himself in the local network between two nodes, so that all communication between the two nodes passes through the attacker. Such an attack can remain undetected as long as the attacker stays passive. This allows the attacker to listen to all communication between the two nodes for as long as needed. After collecting enough information (if required), the attacker can choose to become more active. In this case, the attacker can modify the messages he forwards, or he can insert forged messages purporting to come from either node. Through this mechanism, the attacker can assume the identity of either node (or both). In addition, the attacker can influence how either node sees the network: he can create new (false) identities and simulate messages from them (and receive messages sent to them). This particular attack can be carried out at the network communication layer. In that case the attacker can see all lower-level communication between the two nodes, since this layer lies below the P2P layer, without having to forge any kind of P2P message.
Worms
A worm is a "self-replicating computer program, similar to a computer virus. A virus attaches itself to, and becomes part of, another executable program; however, a worm is self-contained and does not need to be part of another program to propagate itself." (http://www.wikipedia.com "Wikipedia")
Although this vulnerability is not in the network itself, the network certainly magnifies the threat. The biggest reason is that many P2P networks run the same software on every node. This means that when there is a flaw in the software (such as a buffer overflow), all nodes in the network are vulnerable. Whereas a normal worm must (usually) scan the Internet at random in search of vulnerable hosts, a P2P worm need only look at the P2P routing table and neighbour set of the infected host. For this reason the worm spreads exponentially (with the average degree of the nodes) through the network. Compared with a normal network worm, a P2P worm infects almost all P2P nodes nearly instantly.
Besides the rapid spread of P2P worms, other factors make them a big threat. P2P networks usually have a large transmission capacity (in particular those aimed at file transfer), so the worm can be a large and complex piece of software (compared with other worms, some of which must fit in a single TCP/IP packet). This allows more complex tasks/attacks. In addition, the computers on P2P networks are usually personal computers, which can be used to collect all kinds of information: credit card numbers, account passwords and so on. This makes P2P networks a major target and puts them at the top of the list of vulnerable systems.
Sybil Attack
A Sybil attack is when a malicious entity presents itself as a (usually large) number of users of the P2P network in order to take control of a segment of the network. The attack is carried out by the attacker running many different nodes in the network, all in the vicinity of the same part of the ID space. The network becomes more vulnerable to this attack when an attacker can freely influence where in the ID space new nodes are placed. In that case, the attacker can use the smallest number of nodes and still cause a lot of damage to the network. Once the attacker has enough nodes in a part of the ID space (relative to the number of legitimate nodes), the attacker can control all messages that pass through that part. This attack is also a gateway attack, meaning it can be used to carry out larger-scale attacks.
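The effect of free ID choice on a Sybil attack, beside the usual defence of deriving node IDs from a hash of the node's network address so that placement cannot be chosen, as an added Python example that is not part of the original text: the 32-bit ring, the seeded legitimate nodes, the key and the attacker's address range are constructed assumptions.

```python
import hashlib
import random

# A toy 32-bit ring models the P2P ID space; real DHTs use 128- or 160-bit IDs.
ID_BITS = 32
RING = 1 << ID_BITS
LEGIT, SYBIL = "legit", "sybil"


def id_from_address(ip, port):
    """Defensive ID assignment: a node's ID is a hash of its network address,
    so the node cannot choose where in the ID space it sits."""
    digest = hashlib.sha256(f"{ip}:{port}".encode()).digest()
    return int.from_bytes(digest[:4], "big")


def ring_distance(a, b):
    d = (a - b) % RING
    return min(d, RING - d)


def closest_nodes(key, nodes, k=8):
    """The k nodes responsible for a key; messages for the key pass through them."""
    return sorted(nodes, key=lambda n: ring_distance(n[0], key))[:k]


def legitimate_nodes(count, seed=7):
    """Constructed population of honest nodes with fixed-seed random IDs."""
    rng = random.Random(seed)
    return [(rng.randrange(RING), LEGIT) for _ in range(count)]


def sybils_with_chosen_ids(key, count):
    """Attacker may pick IDs freely and parks them right next to the key
    (the text's 'many nodes in the vicinity of the same part of the ID space')."""
    return [((key + i + 1) % RING, SYBIL) for i in range(count)]


def sybils_with_hashed_ids(prefix, host_count, port=6881):
    """Attacker owns host_count addresses in a constructed /24, but IDs come from
    id_from_address, so the sybils land wherever the hash puts them."""
    return [(id_from_address(f"{prefix}.{h}", port), SYBIL) for h in range(host_count)]


def attacker_share(key, nodes, k=8):
    """How many of the k nodes responsible for key belong to the attacker."""
    return sum(1 for _, owner in closest_nodes(key, nodes, k) if owner == SYBIL)


def compare(key=0xC0FFEE00, legit_count=1000, attacker_hosts=256):
    """Returns (share with 8 freely placed sybils, share with attacker_hosts
    hash-placed sybils), each out of the 8 nodes responsible for the key."""
    legit = legitimate_nodes(legit_count)
    free = attacker_share(key, legit + sybils_with_chosen_ids(key, 8))
    hashed = attacker_share(key, legit + sybils_with_hashed_ids("203.0.113", attacker_hosts))
    return free, hashed
```

Hash-derived IDs raise the cost per sybil rather than eliminating the attack; in practice they are combined with limits on nodes per address or certified identities.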
Eclipse Attack
The goal of an Eclipse attack is to split the network into two or more separate partitions. If it succeeds, all communication between the partitions must be forwarded through the malicious nodes. The attack is basically a large-scale MitM attack, but carried out at the level of the P2P network. To carry out the attack, the attacker strategically places nodes on the routing paths between the two partitions. Once the network has been partitioned, the attacker can continue with large-scale MitM attacks, such as presenting false information about one side to the other: side A only sees what the attacker claims about the eclipsed side B. A successful attack, combined with the creation of fake nodes, can bring most of the network down entirely (especially in networks with liberal rules for maintaining the routing table). This is because the fake nodes can be inserted in such a way that every node's routing table is filled with invalid entries.
Rational Behaviour
For a P2P network to be effective, the nodes in the network must (generally) cooperate. However, when human nature is involved, this does not always happen in a fair and efficient manner, and cooperation is not enforced. Assume that most nodes exhibit rational behaviour: that is, they seek to minimize their resource sharing while maximizing their resource consumption. There are many reasons behind this behaviour, including:
- Saving upload bandwidth, which most Internet service providers restrict heavily.
- Legal issues: sharing copyrighted material may result in legal action against the owner of the node, and in most networks the nodes sharing content are easy to track.
- Principle alone: when left to their own choice, some people simply have no desire to help the network, however small the cost to them might be.
There are two basic types of this attack:
- Content restriction: users do not share content with the network.
- Resource restriction: users do not contribute their own resources to the network.
A major concern about the use of P2P architectures in our lives is, of course, network security. The security concerns stem from the architecture itself. Today we think of traffic as being intercepted and processed by a particular server that routes it through the network, but a P2P architecture has no single fixed server responsible for routing and requests. The first step in securing your P2P network is to adopt strict policies for its use in the workplace. Strategies for protecting the network from attacks and viruses have two main focuses: controlling network access, or controlling the files themselves. In the protocol-based approach, the system administrator uses software or hardware solutions to monitor and block intrusions in the network traffic received through P2P clients. In the second approach, protective software monitors the files being offered and actively checks their file type, based on their names, their signatures and even their content.