UNIT V - Intrusion Detection and Firewall

Computer security

Uploaded by sahilhadfadkar22

Computer Security (UNIT IV)

Intrusion Detection

Intruders
● Intruders are the attackers who try to intrude into the privacy of a network.
● Intruders are often referred to as hackers and are the most harmful factors contributing
to the vulnerability of security.
● Intruders breach the privacy of users and aim to steal their confidential information.
● Intruders are said to be of three types, as explained below:
(a) Masquerader:
● A user who does not have the authority to use a computer, but penetrates into a
system to access a legitimate user’s account is called a masquerader.
● It is generally an external user.

(b) Misfeasor
● There are two possible cases for an internal user to be called a misfeasor:
a) A legitimate user, who does not have access to some applications, data or
resources accesses them.
b) A legitimate user, who has access to some applications, data or resources
misuses these privileges.

(c) Clandestine User


● An internal or external user who tries to work using the privileges of a supervisor
user to avoid auditing information being captured and recorded is called a
clandestine user.

Example of an Intruder attack


A simple example may be considered, where the attackers try to obtain the passwords of
legitimate users, so as to impersonate them. Some of the popularly known methods of
password guessing are as follows:
1. Try all possible short password combinations (2-3 characters).
2. Collect information about users, such as their full name, names of family members, their
hobbies, etc.
3. Try default passwords that are provided by the supplier of a software product (e.g. Oracle
comes with scott as the user name and tiger as the password).
4. Try words that people choose as passwords most often. Hacker bulletin boards maintain
these lists. Also, try words from the dictionary.
5. Try using phone numbers, dates of birth, social security numbers, bank account numbers,
etc.
6. Tap the communication line between a user and the host network.
7. Use a Trojan Horse.
8. Try numbers on the vehicle license plates.

Regardless of how the intruder gets into a system, we need to first try and prevent it; if that
fails, we must at least detect it and take appropriate action.

Audit Records

● One of the most important tools in intrusion detection is the use of audit records, also
called audit logs.
● Audit records record information about the actions of users.
● Traces of illegitimate user actions can be found in these records, so that intrusions can be
detected and appropriate action taken.
● Audit records can be classified into two categories: native audit records and
detection-specific audit records.
(a) Native Audit Records
● All multi-user operating systems have accounting software built-in. This software
records information about all user actions.
(b) Detection-specific Audit Records
● This type of audit facility collects only information that is specific to intrusion detection.
It is more focused, but may duplicate information already present in the native records.

Regardless of the type of audit records, each such record contains information as shown
below.

For example, if user Ram attempts to execute a program payroll.exe, the following audit
records may get generated. Here we assume that Ram does not have the access rights to
execute this program.

Intrusion Detection

Intrusion prevention is almost impossible to achieve at all times. Hence, more focus is on
intrusion detection.
Following factors motivate efforts on intrusion detection:
(a) The sooner we are able to detect an intrusion, the quicker we can act. The hope of
recovering from attacks and losses is directly proportional to how quickly we are able to detect
an intrusion.
(b) Intrusion detection can help collect more information about intrusions, strengthening the
intrusion prevention methods.
(c) Intrusion detection systems can act as good deterrents to intruders.

Intrusion detection mechanisms, also known as Intrusion Detection Systems (IDS), are
classified into two categories: statistical anomaly detection and rule-based detection.
(a) Statistical Anomaly Detection
● In this type, behavior of users over time is captured as statistical data and processed.
● Rules are applied to test whether the user behavior was legitimate or not.
● This can be done in two ways:
(ii) Profile-based Detection
In this type, profiles for individual users are created and they are matched against the collected
statistics to see if any irregular patterns emerge.

(b) Rule-based Detection


● A set of rules is applied to see if a given behavior is suspicious enough to be classified as
an attempt to intrude.
● This is also classified into two subtypes:
(i) Anomaly Detection
Usage patterns are collected to analyze deviation from these usage patterns, with the help of
certain rules.
(ii) Penetration Identification
This is an expert system that looks for illegitimate behavior.
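As an added illustration (not part of the notes), the following Python sketch applies profile-based detection to audit records: each user's historical rate of denied actions forms the profile, and a day that deviates too far from that profile raises an alert. The record fields, the users and the history are constructed for the example.

```python
import statistics
from collections import defaultdict

# Constructed audit records (example data, not from the notes). Each record is
# (user, action, object, outcome); outcome is "ok" or "denied". The payroll.exe
# denials for Ram correspond to the attempt described in the notes.
AUDIT_RECORDS = [
    ("ram", "execute", "payroll.exe", "denied"),
    ("ram", "execute", "payroll.exe", "denied"),
    ("ram", "execute", "payroll.exe", "denied"),
    ("ram", "read", "report.txt", "ok"),
    ("sita", "execute", "payroll.exe", "ok"),
    ("sita", "read", "ledger.db", "denied"),
    ("sita", "write", "ledger.db", "denied"),
]

# Constructed per-user profile: denied actions per day over the previous week.
HISTORY = {
    "ram":  [0, 1, 0, 0, 1, 0, 0],
    "sita": [2, 3, 1, 2, 2, 3, 2],   # sita normally trips a few denials a day
}

def denied_counts(records):
    """Count denied actions per user in the current day's audit records."""
    counts = defaultdict(int)
    for user, _action, _obj, outcome in records:
        if outcome == "denied":
            counts[user] += 1
    return dict(counts)

def profile_alerts(counts, history, k=2.0, min_band=0.5):
    """Profile-based detection: flag a user whose denial count lies more than k
    standard deviations above that user's own historical mean. min_band keeps
    a flat history from producing a zero-width band."""
    alerts = []
    for user, n in counts.items():
        past = history.get(user)
        if not past or len(past) < 2:
            continue   # no profile yet: nothing to compare against
        mean = statistics.mean(past)
        band = max(statistics.pstdev(past), min_band)
        if n > mean + k * band:
            alerts.append(user)
    return sorted(alerts)
```

With these inputs Ram's three denials are far outside his profile and are flagged, while Sita's two denials fall within her usual range and are not.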
Honeypots

● Modern intrusion detection systems make use of a novel idea called honeypots.
● A honeypot is a trap that attracts potential attackers.
● A honeypot is designed so as to do the following:
    ○ Divert the attention of a potential intruder from critical systems.
    ○ Collect information about the intruder’s actions.
    ○ Encourage the intruder to stay on for some time, allowing the administrators to
      detect the intrusion and swiftly act on it.

● Honeypots are designed with two important goals in mind:


(a) Make them look like real-life systems. Put as much real-looking (but fabricated)
information into them as possible.
(b) Do not allow legitimate users to know about or access them.

● Naturally, anyone trying to access a honeypot is a potential intruder.


● Honeypots are armed with sensors and loggers, which alert the administrators to any
user actions.
Firewalls

● A firewall is a security mechanism that guards a corporate network by standing between the
network and the outside world.
● All traffic between the network and the Internet in either direction must pass through the
firewall.
● The firewall decides if the traffic can be allowed to flow or whether it must be stopped from
proceeding further.
● Technically, a firewall is a specialized version of a router. Apart from its basic routing
functions and rules, a router can be configured to perform the firewall functionality with the
help of additional software resources.
● The characteristics of a good firewall implementation can be described as follows.
1. All traffic from inside to outside and vice versa, must pass through the firewall. To achieve
this, all the access to the local network must first be physically blocked and access only
via the firewall should be permitted.
2. Only the traffic authorized as per the local security policy should be allowed to pass
through.
3. The firewall itself must be strong enough, so as to render attacks on it useless.

Types of Firewalls

Based on the criteria that they use for filtering traffic, firewalls are generally classified into two
types as follows:
1. Packet Filters

● A packet filter applies a set of rules to each packet and based on the outcome, decides to
either forward or discard the packet.
● It is also called a screening router or screening filter.
● Packet Filter firewall involves a router, which is configured to filter packets going in either
direction (from the local network to the outside world and vice versa).
● The filtering rules are based on a number of fields in the IP and TCP/UDP headers, such as
the source and destination IP addresses, the IP protocol field (which identifies whether the
upper transport layer protocol is TCP or UDP) and the TCP/UDP port numbers (which identify
the application using this packet, such as email, file transfer or the World Wide Web).

Functions of Packet Filter

A packet filter performs the following functions.


(a) Receive each packet as it arrives.
(b) Pass the packet through a set of rules, based on the contents of the IP and transport
header fields of the packet. If there is a match with one of the set rules, decide whether to
accept or discard the packet based on that rule. For example, a rule could specify: disallow
all incoming traffic from an IP address 157.29.19.10 (this IP address is taken just as an
example) or disallow all traffic that uses UDP as the higher (transport) layer protocol.
(c) If there is no match with any rule, take the default action. The default can be discard all
packets or accept all packets. The former policy is more conservative, whereas the latter is
more open. Usually, the implementation of a firewall begins with the default discard all
packets option and then rules are applied one-by-one to enforce packet filtering.

Advantages of Packet Filter


1. The chief advantage of the packet filter is its simplicity. The users need not be aware
of a packet filter at all.
2. Packet filters are very fast in their operating speed.

Disadvantages of Packet Filter


1. It is difficult to set up the packet filter rules correctly.
2. Packet filters lack support for authentication.

Packet Filter Attacks

(a) IP Address Spoofing
● An intruder outside the corporate network can attempt to send a packet towards the
internal corporate network, with the source IP address set equal to one of the IP
addresses of the internal users.
● This attack can be defeated by discarding all the packets that arrive at the incoming
side of the firewall, with the source address equal to one of the internal addresses.
(b) Source Routing Attacks
● An attacker can specify the route that a packet should take as it moves along the
Internet.
● The attacker hopes that by specifying this option, the packet filter can be fooled to
bypass its normal checks.
● Discarding all packets that use this option can prevent such an attack.

(c) Tiny Fragment Attacks


● IP packets pass through a variety of physical networks, such as Ethernet, Token
Ring, X.25, Frame Relay, ATM, etc. All these networks have a pre-defined maximum
frame size (called the Maximum Transmission Unit or MTU). Many times, the size
of the IP packet is greater than the maximum size allowed by the underlying
network. In such cases, the IP packet needs to be fragmented, so that it can be
accommodated inside the physical frame and carried further.

● An attacker might attempt to use this characteristic of the TCP/IP protocol suite by
intentionally creating fragments of the original IP packet and sending them. The
attacker hopes that the packet filter can be fooled, so that after fragmentation it
checks only the first fragment and does not check the remaining fragments.

● This attack can be foiled by discarding all the packets where the upper layer protocol
type is TCP and the packet is fragmented.

Dynamic Packet Filter or Stateful Packet Filter


● An advanced type of packet filter is called a dynamic packet filter or stateful packet
filter.
● A dynamic packet filter allows the examination of packets based on the current state
of the network. That is, it adapts itself to the current exchange of information, unlike
the normal packet filters, whose rules are hard-coded.
● For instance, we can specify a rule with the help of a dynamic packet filter as
follows: Allow incoming TCP packets only if they are responses to the outgoing TCP
packets that have gone through our network.
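The following Python simulation is an added example, not code from the notes. It applies first-match rules with a default-discard policy, includes the three countermeasures above (discarding inbound packets with an internal source address, source-routed packets and fragmented TCP), the sample rules for 157.29.19.10 and UDP, and implements the dynamic-filter rule by remembering connections opened from inside. The internal prefix 10.0.0. and all addresses are constructed.

```python
from dataclasses import dataclass

INTERNAL_PREFIX = "10.0.0."  # assumed internal address range (constructed for this example)

@dataclass
class Packet:
    src: str
    dst: str
    proto: str                  # "TCP" or "UDP"
    dport: int
    inbound: bool               # True when the packet arrives from the outside world
    source_routed: bool = False # IP source-routing option present
    fragment: bool = False      # packet is a fragment, not a whole datagram

def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)

# Static rules tried in order; the first match decides. A packet matching no
# rule falls through to the stateful check and then to the default: discard.
RULES = [
    ("anti-spoofing: inbound packet claims internal source", lambda p: p.inbound and is_internal(p.src), "discard"),
    ("source-routing option set", lambda p: p.source_routed, "discard"),
    ("tiny-fragment: fragmented TCP", lambda p: p.proto == "TCP" and p.fragment, "discard"),
    ("blocked host 157.29.19.10", lambda p: p.src == "157.29.19.10", "discard"),
    ("no UDP at all", lambda p: p.proto == "UDP", "discard"),
    ("outbound web allowed", lambda p: not p.inbound and p.proto == "TCP" and p.dport in (80, 443), "accept"),
]

class StatefulFilter:
    # Remembers outbound TCP connections so that only replies to them are let back in.
    def __init__(self):
        self.open = set()  # (internal host, external host) pairs opened from inside

    def filter(self, p):
        """Return (action, reason) for one packet, updating connection state."""
        for reason, match, action in RULES:
            if match(p):
                if action == "accept" and not p.inbound:
                    self.open.add((p.src, p.dst))
                return action, reason
        if p.inbound and p.proto == "TCP" and (p.dst, p.src) in self.open:
            return "accept", "reply to a connection opened from inside"
        return "discard", "default policy"
```

Pass Packet objects through one StatefulFilter instance in arrival order: an inbound TCP packet is accepted only after the matching outbound packet has been seen.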

2. Application Gateways
● An application gateway is also called a proxy server. This is because it acts like a proxy
(i.e. a deputy or substitute) and decides about the flow of application-level traffic.
● An application gateway is also called a bastion host.
Working of Application Gateway

Application gateways typically work as follows.


(a) An internal user contacts the application gateway using a TCP/IP application, such as
HTTP or TELNET.
(b) The application gateway asks the user about the remote host with which the user wants
to set up a connection for actual communication (i.e. its domain name or IP address, etc.).
The application gateway also asks for the user id and the password required to access the
services of the application gateway.
(c) The user provides this information to the application gateway.
(d) The application gateway now accesses the remote host on behalf of the user and
passes the packets of the user to the remote host.
(e) From here onwards, the application gateway acts like a proxy of the actual end user and
delivers packets from the user to the remote host and vice versa.

Advantage of Application Gateway


Application gateways are generally more secure than packet filters, because rather than
examining every packet against a number of rules, here we simply detect whether a user is
allowed to work with a TCP/IP application or not.

Disadvantage of Application Gateway


The disadvantage of application gateways is the overhead in terms of connections, as
there are two sets of connections: one between the end user and the application gateway
and another between the application gateway and the remote host. The application
gateway has to manage both sets of connections and the traffic going between them.

Circuit Gateways
● A variation of the application gateway is called a circuit gateway, which performs some
additional functions as compared to those performed by an application gateway.
● A circuit gateway, in fact, creates a new connection between itself and the remote host.
● The user is not aware of this and thinks that there is a direct connection between itself and
the remote host.
● Also, the circuit gateway changes the source IP address in the packets from the end
user’s IP address to its own.
● This way, the IP addresses of the computers of the internal users are hidden from the
outside world.
● The SOCKS server is an example of the real-life implementation of a circuit gateway. It is a
client-server application. The SOCKS client runs on the internal hosts and the SOCKS
server runs on the firewall.
Demilitarized Zone (DMZ) Networks

● Firewalls can be arranged to form a DMZ.


● DMZ is required only if an organization has servers that it needs to make available to
the outside world (e.g. Web servers or FTP servers).
● For this, a firewall has at least three network interfaces. One interface connects to the
internal private network; the second connects to the external public network (i.e. the
Internet) and the third connects to the public servers (which form the DMZ network).
● The chief advantage of such a scheme is that the access to any service on the DMZ
can be restricted. For instance, if the Web server is the only required service, we can
limit the traffic in/out of the DMZ network to the HTTP and HTTPS protocols (i.e. ports
80 and 443, respectively).
● All other traffic can be filtered.
● Moreover, the internal private network is in no way directly connected to the DMZ. So,
even if an attacker can somehow manage to hack into the DMZ, the internal private
network is safe and out of the reach of the attacker.
Limitations of Firewall
Although a firewall is an extremely useful security measure for an organization, it does not
solve all the practical security problems. The main limitations of a firewall can be listed as
follows.
(a) Insider’s Intrusion
● A firewall system is designed to prevent outside attacks.
● Therefore, if an inside user attacks the internal network in some way, the firewall
cannot prevent such an attack.
(b) Direct Internet Traffic
● A firewall must be configured very carefully.
● It is effective only if it is the only entry-exit point of an organization’s network.
● If, instead, the firewall is only one of several entry-exit points, a user can bypass the
firewall and exchange information with the Internet via the other entry-exit points.
● This can open up the possibilities of attacks on the internal network through those
points. The firewall cannot, obviously, be expected to take care of such situations.

(c) Virus Attacks


● A firewall cannot protect the internal network from virus threats.
● This is because a firewall cannot be expected to scan every incoming file or packet
for possible virus contents.
● Therefore, a separate virus detection and removal mechanism is required for
preventing virus attacks.
● Alternatively, some vendors bundle their firewall products with anti-virus software, to
enable both the features out of the box.
