CSIT561 Module8 Network Security

The document provides an overview of network security threats and protections, covering topics such as network vulnerabilities, WiFi security, denial-of-service attacks, and encryption concepts. It discusses various types of network threats including interception, modification, and interruption, as well as the weaknesses of WEP and the improvements introduced by WPA. Additionally, it highlights the importance of understanding communication media and the OSI model in securing network communications.

Uploaded by

shwetasah2002


CSIT 561 – COMPUTER SECURITY


MODULE 8 : NETWORK SECURITY –
THREATS & PROTECTIONS

Bharath K. Samanthula
Department of Computer Science
Montclair State University

Slides are adapted from Chapter 12, Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043).

Objectives
• Networking basics
• Network threats and vulnerabilities
• WiFi security
• Denial-of-service attacks
• Network encryption concepts and tools
• Types of firewalls and what they do
• Intrusion detection and prevention systems

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.

Network Transmission Media


• Cable
• Optical fiber
• Microwave
• WiFi
• Satellite communication


Communication Media Vulnerability


[Figure: a sender-to-receiver path with its attack touch points: a wiretap on the sender's LAN, an imposter, a rogue receiver on the WAN (sniffer or wiretap), satellite and microwave interception, and wired interception on the receiver's LAN.]

This picture shows different touch points where attackers can take
advantage of communication media: wiretaps, sniffers and rogue
receivers, interception, and impersonation.


Communication Media Pros/Cons


The OSI Model


[Figure: two identical OSI stacks, one at each communicating endpoint, matched layer for layer]
• 7 – Application
• 6 – Presentation
• 5 – Session
• 4 – Transport
• 3 – Network
• 2 – Data Link
• 1 – Physical


Threats to Network Communications


• Interception, or unauthorized viewing
• Modification, or unauthorized change
• Fabrication, or unauthorized creation
• Interruption, or preventing authorized
access


Security Perimeters
[Figure: a security perimeter drawn around a group of networked systems]

What Makes a Network Vulnerable to Interception?
• Anonymity
• An attacker can attempt many attacks, anonymously, from thousands of miles
away
• Many points of attack
• Large networks mean many points of potential entry
• Sharing
• Networked systems open up potential access to more users than do single
computers
• System complexity
• One system is very complex and hard to protect; networks of many different
systems, with disparate OSs, vulnerabilities, and purposes are that much more
complex
• Unknown perimeter
• Networks, especially large ones, change all the time, so it can be hard to tell
which systems belong and are behaving, and impossible to tell which systems
bridge networks
• Unknown path
• There may be many paths, including untrustworthy ones, from one host to
another

Unknown Perimeter
[Figure: five interconnected networks, A through E, illustrating an unknown perimeter: it is unclear which systems belong to which network and which systems bridge them.]

Unknown Path
[Figure: Host A1 on Network A communicating with Host B3 on Network B, with Hosts C and D offering alternative, possibly untrustworthy, paths between the two networks.]

Modification and Fabrication


• Data corruption
• May be intentional or unintentional, malicious or nonmalicious,
directed or random
• Sequencing
• Permuting the order of data, such as packets arriving in sequence

• Substitution
• Replacement of one piece of a data stream with another
• Insertion
• A form of substitution in which data values are inserted into a
stream
• Replay
• Legitimate data are intercepted and reused


Sources of Data Corruption


[Figure: sources of data corruption surrounding a data stream]
• Typing error
• Malicious code
• Program error
• Noise or accident
• Hardware failure
• Software flaw
• Transmission problem
• Hacker activity
• Human mistake

Simple Replay Attack

[Figure: a client sends its ID and password through encryption, so "ID, Password (encrypted)" travels to the server; an interceptor captures that pair and later replays the same "ID, Password (encrypted)" to the server.]

Interruption: Loss of Service


• Routing
• Internet routing protocols are complicated, and one
misconfiguration can poison the data of many routers
• Excessive demand
• Network capacity is finite and can be exhausted; an attacker can
generate enough demand to overwhelm a critical part of a network
• Component failure
• Component failures tend to be sporadic and unpredictable, and will
cause loss of service if not planned for


Port Scanning
Port scanning tells an attacker which standard ports are open, and which applications, at which versions, are present behind them


Vulnerabilities in Wireless Networks


• Confidentiality
• Integrity: When WiFi access points receive two streams of
communication claiming to be the same computer, they
necessarily accept the one with greater signal strength. This
allows attackers to take over and forge sessions by spoofing
legitimate computers and boosting signal strength.
• Availability: new availability problems, such as session
hijacking, forced disassociation, and jamming
• Unauthorized WiFi access


WiFi protocol weaknesses

• Picking up the beacon
• Hidden SSIDs can easily be discovered by monitoring client
requests for SSIDs in the absence of SSID beacons from the
access point
• SSID in all frames
• Similar to picking up the beacon, once a client connects to an
access point, the SSID is stored in all communication frames and
can be sniffed that way
• Association issues
• WiFi clients generally have preferred associations—networks they
know and trust to connect to automatically—and these may include
very common SSID names, such as AT&Twifi and Apple. Without
additional security measures, attackers can spoof these trusted
SSIDs and trick devices into connecting to rogue access points.

Failed Countermeasure: WEP


• Wired equivalent privacy, or WEP, was designed
at the same time as the original 802.11 WiFi
standards as the mechanism for securing those
communications
• Weaknesses in WEP were first identified in 2001,
four years after release
• More weaknesses were discovered over the
course of years, until any WEP-encrypted
communication could be cracked in a matter of
minutes

How WEP Works


• Client and access point (AP) have a pre-shared key
• AP sends a random number to the client, which the client
then encrypts using the key and returns to the AP
• The AP decrypts the number using the key and checks
that it’s the same number to authenticate the client
• Once the client is authenticated, the AP and client
communicate using messages encrypted with the key
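The two slides above, the replay of a captured "encrypted password" and the challenge-response exchange WEP used, are two sides of one point: a credential that looks the same every time can be replayed, while a response bound to a fresh random challenge cannot. The following is an added example, not code from the slides or from the Pfleeger text. It uses HMAC-SHA256 over the challenge purely as an illustration (WEP actually used RC4, and its handshake leaked keystream, which is one of the reasons it failed); the pre-shared key, the `AccessPoint` class and the function names are constructed for this example.

```python
import hashlib
import hmac
import os

# Constructed pre-shared key for the example (not a real credential).
PRE_SHARED_KEY = b"example-psk-do-not-use"


def client_response(key: bytes, challenge: bytes) -> bytes:
    """The client proves it knows the key by keying an HMAC over the AP's challenge.
    Illustrative stand-in for WEP's RC4 step; the binding to the challenge is the point."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class AccessPoint:
    """Verifier side: one fresh random challenge per authentication attempt."""

    def __init__(self, key: bytes):
        self.key = key
        self.outstanding = None  # the single challenge currently awaiting a response

    def issue_challenge(self) -> bytes:
        self.outstanding = os.urandom(16)
        return self.outstanding

    def verify(self, response: bytes) -> bool:
        if self.outstanding is None:
            return False
        expected = hmac.new(self.key, self.outstanding, hashlib.sha256).digest()
        # Single use: the challenge is consumed whether or not the response matches,
        # so a second attempt always faces a different challenge.
        self.outstanding = None
        return hmac.compare_digest(expected, response)


def static_password_replay() -> bool:
    """The replay slide's scenario: the 'encrypted password' is the same bytes on
    every login, so a copy captured once is accepted when sent again."""
    stored = hashlib.sha256(b"static-password").digest()    # what the server compares against
    captured = hashlib.sha256(b"static-password").digest()  # the same bytes, sniffed off the wire
    return hmac.compare_digest(stored, captured)            # True: the replay is accepted


def fresh_challenge_replay():
    """Challenge-response: a captured response answers only the challenge it was made for.
    Returns (legitimate_login_accepted, replayed_response_accepted)."""
    ap = AccessPoint(PRE_SHARED_KEY)
    first = ap.issue_challenge()
    captured_response = client_response(PRE_SHARED_KEY, first)
    legit_ok = ap.verify(captured_response)
    # An interceptor replays the captured response against the next challenge.
    ap.issue_challenge()
    replay_ok = ap.verify(captured_response)
    return legit_ok, replay_ok


if __name__ == "__main__":
    print("static password replay accepted:", static_password_replay())
    print("(legitimate accepted, replay accepted):", fresh_challenge_replay())
```

The replay against the fresh challenge fails because the stored response was computed over a 16-byte random value the AP will never issue again; what the challenge does not protect, as the WEP slides that follow show, is the key itself if the cipher around it is weak.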


WEP Weaknesses
• Weak encryption key
• WEP allows keys to be either 64- or 128-bit, but 24 of those bits are
reserved for the initialization vector (IV), thus reducing the effective key
size to 40 or 104 bits
• Keys were either alphanumeric or hex phrases that users typed in
and were therefore vulnerable to dictionary attacks
• Static key
• Since the key was just a value the user typed in at the client and
AP, and since users rarely changed those keys, one key would be
used for many months of communications
• Weak encryption process
• A 40-bit key can be brute forced easily. Flaws that were eventually
discovered in the RC4 encryption algorithm WEP uses made the
104-bit keys easy to crack as well


WEP Weaknesses (cont.)


• Weak encryption algorithm
• WEP used RC4 in a strange way (always a bad sign), which resulted
in a flaw that allowed attackers to decrypt large portions of any WEP
communication
• IV collisions
• There were only 16 million possible values of IV, which, in practice, is
not that many to cycle through for cracking. Also, they were not as
randomly selected as they should have been, with some values being
much more common than others
• Faulty integrity check
• WEP messages included a checksum to identify transmission errors
but did not use one that could address malicious modification
• No authentication
• Any client that knows the AP’s SSID and MAC address is assumed to
be legitimate


WPA (WiFi Protected Access)


• WPA was designed in 2003 as a replacement for WEP
and was quickly followed in 2004 by WPA2, the algorithm
that remains the standard today
• Non-static encryption key
• WPA uses a hierarchy of keys: New keys are generated for
confidentiality and integrity of each session, and the encryption key
is automatically changed on each packet
• This way, the keys that are most important are used in very few
places and indirect ways, protecting them from disclosure
• Authentication
• WPA allows authentication by password, token, or certificate


WPA (cont.)
• Strong encryption
• WPA adds support for AES, a much more reliably strong encryption
algorithm
• Integrity protection
• WPA includes a 64-bit cryptographic integrity check

• Session initiation
• WPA sessions begin with authentication and a four-way handshake
that results in separate keys for encryption and integrity on both
ends
• While there are some attacks against WPA, they are
either of very limited effectiveness or require weak
passwords


Denial of Service (DoS)


• DoS attacks are attempts to defeat a system’s
availability
• Volumetric attacks – related to system capacity
• Application-based attacks
• Disabled communications
• Hardware or software failure

DoS attack on Estonia took away 80% of the websites, impacting businesses for almost a month

DoS Attack: Ping Flood


[Figure: ping flood between Attacker and Victim. (a) Attacker has greater bandwidth: the stream of pings fills the victim's link and only a few replies get out. (b) Victim has greater bandwidth: the victim answers every ping and is not overwhelmed.]

DoS Attack: Smurf Attack


[Figure: Smurf attack. The attacker sends a broadcast ECHO request to the network with the victim's return address; all network hosts reply to the victim; the victim is saturated with ECHO replies from the entire network.]

DoS Attack: Echo-Chargen

[Figure: Victim A sends Victim B a chargen packet with the echo bit on; B echoes what it was just sent; A chargens another packet with the echo bit on; B echoes that again; and so on.]

Chargen is an ICMP protocol that generates a stream of packets to test a network's capacity.
The above attack puts A and B into an endless loop.

DoS Attack: Teardrop Attack


[Figure: three packet fragments with conflicting reassembly instructions, start = 10 len = 50, start = 20 len = 60, and start = 40 len = 30, laid against a reassembly buffer marked at offsets 0, 10, 20, ... 100.]

The attacker sends packets that cannot possibly be reassembled
(conflicting reassembly instructions). In extreme cases, this can
cause the entire OS to lock up.
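To make the "conflicting reassembly instructions" concrete, here is an added example (not code from the slides or the book) that models fragments as (start, length) pairs, finds every pair whose byte ranges overlap, and refuses to reassemble a packet that has any. The three fragments are taken from the figure above; the `Fragment` class, the function names and the `GOOD_FRAGMENTS` comparison set are constructed for this example. It treats any overlap as a conflict, which is stricter than real IP reassembly (real stacks have defined rules for overlapping fragments), and it ignores IP identification and the more-fragments flag for brevity.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Fragment:
    start: int   # byte offset of this fragment within the reassembled packet
    length: int  # number of payload bytes it carries

    @property
    def end(self) -> int:
        return self.start + self.length  # exclusive upper bound


# The slide's teardrop fragments (constructed to match the figure).
TEARDROP_FRAGMENTS = [Fragment(10, 50), Fragment(20, 60), Fragment(40, 30)]
# A well-formed split of a 100-byte packet, for comparison (constructed).
GOOD_FRAGMENTS = [Fragment(0, 40), Fragment(40, 30), Fragment(70, 30)]


def find_conflicts(fragments: List[Fragment]) -> List[Tuple[int, int]]:
    """Return index pairs (i, j) whose byte ranges overlap, i.e. two fragments that
    both claim the same bytes of the reassembly buffer."""
    ordered = sorted(range(len(fragments)), key=lambda i: fragments[i].start)
    conflicts = []
    for a in range(len(ordered)):
        for b in range(a + 1, len(ordered)):
            i, j = ordered[a], ordered[b]
            if fragments[j].start >= fragments[i].end:
                break  # sorted by start, so no later fragment can overlap fragment i
            conflicts.append((i, j))
    return conflicts


def should_reassemble(fragments: List[Fragment]) -> bool:
    """Reject the whole packet rather than feed conflicting fragments to a buffer."""
    return not find_conflicts(fragments)


def covers_without_gaps(fragments: List[Fragment], total_len: int) -> bool:
    """True if non-overlapping fragments tile [0, total_len) exactly."""
    if find_conflicts(fragments):
        return False
    pos = 0
    for f in sorted(fragments, key=lambda f: f.start):
        if f.start != pos:
            return False
        pos = f.end
    return pos == total_len


if __name__ == "__main__":
    print("teardrop conflicts:", find_conflicts(TEARDROP_FRAGMENTS))
    print("teardrop reassemble?", should_reassemble(TEARDROP_FRAGMENTS))
    print("good set tiles 100 bytes?", covers_without_gaps(GOOD_FRAGMENTS, 100))
```

The slide's three fragments conflict pairwise: bytes 20 to 59 are claimed by the first two, and bytes 40 to 59 by all three. A reassembler that computes buffer offsets from these values without the check above is what the attack targets.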

DoS Attack: DNS Spoofing


[Figure: the user asks "Please convert www.microsoft.com"; the attacker answers first with 7.0.1.1; the real DNS server's answer, 207.46.197.32, is received too late and ignored.]

DoS Attack: Rerouting Routing


[Figure: routers A (10.0.0.0), B (20.0.0.0) and C (30.0.0.0) connected to router T (90.0.0.0); C advertises 10.0.0.0 dist 3, 20.0.0.0 dist 2, 30.0.0.0 dist 1.]

This picture doesn't show anything malicious happening. It just shows how one
router, C, advertises the routes it knows about to the routers adjacent to it.
Routers rely on these advertising messages to be accurate; when they aren't,
DoS can ensue.

Distributed Denial of Service (DDoS)

[Figure: 1. the attacker plants a Trojan horse in zombies; 2. the zombies attack the victim simultaneously on command.]

1) Conscript an army of compromised machines to attack a victim.
2) Choose a victim, and have the whole army unleash a DoS attack at once.

DDoS attacks are much more effective than traditional DoS attacks, employing a multiplied
version of the same methods.

Botnets
[Figure: attackers at the top, then a layer of masters, then command-and-control (C&C) nodes, then the bots, which together target the victim; masters and C&C nodes are duplicated for redundancy.]

Botnets are networks of machines running malicious code under remote control. They often go undetected
because they do little harm to the machines they run on. Botnets are often used to execute DDoS attacks.
The image above shows how botnet command and control (C&C) updates occur. The attacker is separated
from the bots by multiple layers, making the attacker difficult to trace. Multiple redundant systems are built in
so that if one master or C&C node is taken down, the bots can continue to connect to the botnet.

Security Countermeasures
• Cryptography in Network Security
• Network Encryption – Key points
• Encryption protects only what is encrypted and during the session
• Designing encryption algorithms is left for professionals
• Encryption is no more secure than key management
• Encryption is not a silver bullet – A flawed system with good
encryption scheme is still a flawed system design
• Modes of Encryption:
• Link Encryption
• End-to-End Encryption


Link Encryption
[Figure: OSI stacks at the sender, an intermediate node and the receiver; the message M is plaintext at layers 2 through 7 of every node and is encrypted only on the layer-1 links between nodes.]

In link encryption, data are encrypted just before the system places them on the physical
communications link and are decrypted just as they arrive at the destination system. In this
graphic, we see that the data is encrypted only at layer 1 of the previously discussed OSI stack.
If the data is communicated through an intermediate node, that intermediate node will decrypt
the data when it arrives, and then may re-encrypt it for the next link. Link encryption is
appropriate when the transmission line is the point of greatest vulnerability, such as in wireless
scenarios.

End-to-End Encryption
[Figure: the same three stacks; M is encrypted at layer 7 of the sender, stays encrypted through every layer of the intermediate node, and is decrypted only at layer 7 of the receiver.]

In contrast with the previous slide, this end-to-end encryption diagram shows our data encrypted all the way
up to OSI layer 7, the application layer. The important element is that intermediate nodes cannot decrypt the
data. End-to-end encryption is appropriate whenever sending sensitive data through untrustworthy
intermediate nodes, such as over the Internet.

Link vs. End-to-End


Secure Shell (SSH)


• Originally developed for UNIX but now available on most
OSs
• Provides an authenticated, encrypted path to the OS
command line over the network
• Replacement for insecure utilities such as Telnet, rlogin,
and rsh
• Protects against spoofing attacks and modification of data
in communication


SSL and TLS


• Secure Sockets Layer (SSL) was designed in the 1990s
to protect communication between a web browser and
server
• In a 1999 upgrade to SSL, it was renamed Transport
Layer Security (TLS)
• While the protocol is still commonly called SSL, TLS is the
modern, and much more secure, protocol
• SSL is implemented at OSI layer 4 (transport) and
provides
• Server authentication
• Client authentication (optional)
• Encrypted communication


SSL Cipher Suites


• At the start of an SSL session, the client and server
negotiate encryption algorithms, known as the “cipher
suite”
• The server sends a list of cipher suite options, and the
client chooses an option from that list
• The cipher suite consists of
• A digital signature algorithm for authentication
• An encryption algorithm for confidentiality
• A hash algorithm for integrity


SSL Cipher Suites (Partial List)


SSL Session Established

In this dialog, we see that the site is verified, who the certificate authority is,
and the choice of encryption algorithm.

SSL Certificate

In this dialog, we see the certificate details: the domain name being certified, the
company that owns the site, the CA that issued the certificate, and the relevant
dates.

Onion Routing
• Onion routing prevents an eavesdropper from learning
source, destination, or content of data in transit in a
network
• This is particularly helpful for evading authorities, such as
when users in oppressive countries want to communicate
freely with the outside world
• Uses asymmetric cryptography, as well as layers of
intermediate hosts, so that
• The intermediate host that sends the message to the ultimate
destination cannot determine the original sender, and
• The host that received the message from the original sender
cannot determine the ultimate destination


Virtual Private Networks (VPN)


[Figure: hosts A1 through A4 in Office A behind Firewall A, and hosts B1 through B4 in Office B behind Firewall B, joined by an encrypted tunnel across a public network that also leads to other sites.]

In this picture, a VPN, an encrypted tunnel that provides confidentiality and integrity for communication
between two sites over public networks, connects Office A to Office B over the Internet so they appear
to their users as one seamless, private network. The VPN is terminated by firewalls at both ends, which
is often the case in the real world.

Firewalls
• A device that filters all traffic between a protected or
“inside” network and less trustworthy or “outside” network
• Most firewalls run as dedicated devices
• Easier to design correctly and inspect for bugs
• Easier to optimize for performance

• Firewalls implement security policies, or sets of rules that
determine what traffic can or cannot pass through
• A firewall is an example of a reference monitor, which
means it should have three characteristics:
• Always invoked (cannot be circumvented)
• Tamperproof
• Small and simple enough for rigorous analysis


Firewall Security Policy

In this example firewall configuration,
• External traffic can reach the entire internal network on TCP/25 and UDP/69.
• Internal traffic can go out to port 80 on the external network.
• External traffic can reach TCP/80 on one internal server.
• All other traffic from external to internal is disallowed.


Types of Firewalls
• Packet filtering gateways or screening routers
• Stateful inspection firewalls
• Application-level gateways, also known as proxies
• Circuit-level gateways
• Guards
• Personal or host-based firewalls


Packet-Filtering Gateways

[Figure: a packet-filtering gateway admitting HTTP traffic and blocking Telnet traffic.]

A packet-filtering gateway controls access on the basis of packet address and specific transport protocol
type (e.g., HTTP traffic). The example firewall configuration table on a previous slide was in relation to a
packet-filtering gateway. In the image on this slide, the firewall is filtering out Telnet traffic but allowing
HTTP traffic in. There is a second packet-filtering gateway image on the next slide.

Packet-Filtering Gateways (cont.)

[Figure: traffic with source 100.50.25.x is admitted to the 100.50.25.x network; traffic from other source addresses is blocked.]

In this image, the firewall is filtering traffic on the basis of source IP rather than port. Filtering rules can
also be based on combinations of addresses and ports/protocols.

Stateful Inspection Firewall


[Figure: external host 10.1.3.1 contacts internal hosts one after another (10.1.3.1:1, 10.1.3.1:2, 10.1.3.1:3, 10.1.3.1:4); after the fourth, further traffic 10.1.3.1:x is blocked.]

Packet-filtering gateways maintain no state from one packet to the next. They simply look at each packet's IP
addresses and ports and compare them to the configured policies. Stateful inspection firewalls, on the other
hand, maintain state information from one packet to the next.
In the example in the image, the firewall is counting the number of internal systems contacted from external IP 10.1.3.1;
after the external system reaches out to a fourth computer, the firewall hits a configured threshold and begins
filtering packets from that address. In real life, it can be difficult to define rules that require state/context and
that attackers cannot circumvent.
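The firewall policy slide ("external traffic can reach the entire internal network on TCP/25 and UDP/69 ...") and the stateful inspection slide above can be demonstrated with one piece of code: a stateless rule table evaluated first-match-wins, and a stateful wrapper around it that remembers how many distinct inside hosts each outside address has touched. This is an added example, not code from the slides or the book, and not any real firewall's configuration syntax. It assumes an internal range of 192.168.0.0/16 and a single web server at 192.168.1.10 (the slide does not give addresses); 10.1.3.1 is the external address from the stateful inspection figure, and the `Packet`, `Rule` and `StatefulInspector` names are constructed for this example.

```python
from dataclasses import dataclass
from typing import List, Optional
import ipaddress

# Assumed address plan for the example (not from the slides).
INTERNAL_NET = ipaddress.ip_network("192.168.0.0/16")
WEB_SERVER = "192.168.1.10"


def zone(addr: str) -> str:
    """Classify an address as 'internal' (inside the protected net) or 'external'."""
    return "internal" if ipaddress.ip_address(addr) in INTERNAL_NET else "external"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    src_zone: str         # "internal" or "external"
    dst: str              # "internal", "external", or one host address
    proto: str            # "tcp", "udp", or "any"
    dport: Optional[int]  # None matches every port

    def matches(self, p: Packet) -> bool:
        if zone(p.src) != self.src_zone:
            return False
        if self.dst in ("internal", "external"):
            if zone(p.dst) != self.dst:
                return False
        elif p.dst != self.dst:
            return False
        if self.proto != "any" and self.proto != p.proto:
            return False
        return self.dport is None or self.dport == p.dport


# The slide's policy, in order; first match wins and anything unmatched is denied.
POLICY: List[Rule] = [
    Rule("allow", "external", "internal", "tcp", 25),   # mail to any inside host
    Rule("allow", "external", "internal", "udp", 69),   # TFTP to any inside host
    Rule("allow", "internal", "external", "any", 80),   # inside hosts out to port 80
    Rule("allow", "external", WEB_SERVER, "tcp", 80),   # TCP/80 to the one web server
    Rule("deny", "external", "internal", "any", None),  # everything else inbound
]


def filter_packet(p: Packet, policy: List[Rule] = POLICY) -> str:
    """Stateless packet filter: each packet is judged on its own header fields only."""
    for rule in policy:
        if rule.matches(p):
            return rule.action
    return "deny"


class StatefulInspector:
    """Adds state to the filter: remembers which distinct internal hosts each external
    source has contacted and drops that source once it reaches the threshold (the
    slide's fourth computer), regardless of what the stateless policy would allow."""

    def __init__(self, threshold: int = 4):
        self.threshold = threshold
        self.contacted = {}   # external src -> set of internal dst addresses seen
        self.blocked = set()  # sources that tripped the threshold

    def inspect(self, p: Packet) -> str:
        if zone(p.src) == "external":
            if p.src in self.blocked:
                return "deny"
            hosts = self.contacted.setdefault(p.src, set())
            hosts.add(p.dst)
            if len(hosts) >= self.threshold:
                self.blocked.add(p.src)
                return "deny"
        return filter_packet(p)


def stateless_demo() -> List[str]:
    """Constructed packets exercising each line of the policy."""
    packets = [
        Packet("10.1.3.1", WEB_SERVER, "tcp", 80),       # allow: TCP/80 to the web server
        Packet("10.1.3.1", "192.168.1.20", "tcp", 80),   # deny: TCP/80 to another host
        Packet("192.168.1.5", "203.0.113.9", "tcp", 80), # allow: inside out to port 80
        Packet("10.1.3.1", "192.168.1.5", "udp", 69),    # allow: UDP/69 anywhere inside
        Packet("10.1.3.1", "192.168.1.5", "tcp", 22),    # deny: default inbound deny
    ]
    return [filter_packet(p) for p in packets]


def stateful_demo() -> List[str]:
    """10.1.3.1 sends TCP/25 to five inside hosts in turn: every packet is allowed by
    the stateless policy, but the stateful inspector cuts the source off at the fourth."""
    fw = StatefulInspector(threshold=4)
    sweep = [Packet("10.1.3.1", f"192.168.1.{n}", "tcp", 25) for n in range(1, 6)]
    return [fw.inspect(p) for p in sweep]
```

The stateful result is the slide's caveat in miniature: the per-source counter catches behaviour that no single packet reveals, but an attacker who spreads the same probes across many source addresses stays under any one counter, which is why such rules are hard to make watertight.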

Application Proxy
[Figure: an application proxy in front of the real application passes on only filtered commands and returns the results, while also logging requests and keeping a file cache.]

An application proxy simulates the behavior of an application at OSI layer 7 so that the real application
receives only requests to act properly. Application proxies can serve a number of purposes:
• Filtering potentially dangerous application-layer requests
• Logging requests/accesses
• Caching results to save bandwidth
Perhaps the most common form of application proxy in the real world is a web proxy, which companies
often use to monitor and filter employee Internet use.

Circuit-Level Gateway
[Figure: a circuit gateway on the 100.1.1.x network asks whether traffic is bound for 200.1.1.x; if yes, it is sent through encryption; if no, it goes to the main firewall.]

A circuit-level gateway is a firewall that essentially allows one network to be an
extension of another. It operates at OSI layer 5, the session layer, and it functions
as a virtual gateway between two networks. One use of a circuit-level gateway is to
implement a VPN.

Guard
• A sophisticated firewall that, like an application proxy, can
interpret data at the protocol level and respond
• The distinction between a guard and an application proxy
can be fuzzy; the more protection features an application
proxy implements, the more it becomes like a guard
• Guards may implement any programmable set of rules;
for example:
• Limit the number of email messages a user can receive
• Limit users’ web bandwidth
• Filter documents containing the word “Secret”
• Pass downloaded files through a virus scanner


Comparison of Firewall Types


Demilitarized Zone (DMZ)

[Figure: an outer firewall, then a DMZ holding the web page server, email server and FTP server, then an inner firewall protecting the database.]

What Firewalls Can and Cannot Do


• Firewalls can protect an environment only if they control
the entire perimeter
• Firewalls do not protect data outside the perimeter
• Firewalls are the most visible part of an installation to the
outside, so they are an attractive target for attack
• Firewalls must be correctly configured, that configuration
must be updated as the environment changes, and
firewall activity reports must be reviewed periodically for
evidence of attempted or successful intrusion
• Firewalls exercise only minor control over the content
admitted to the inside, meaning that inaccurate or
malicious code must be controlled by means inside the
perimeter

Data Loss Prevention (DLP)


• DLP is a set of technologies that can detect and possibly
prevent attempts to send sensitive data where it is not
allowed to go. For example, someone inside leaking
classified information to an outsider
• Can be implemented as
• Agent installed as an OS rootkit
• Guard
• Indicators DLP looks for:
• Keywords – Look for sensitive or classified keywords
• Traffic patterns
• Encoding/encryption
• DLP is best for preventing accidental incidents, as
malicious users will often find ways to circumvent it
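The three indicator classes on the DLP slide (keywords, traffic patterns, encoding/encryption) can each be turned into a simple check over outbound messages. The following is an added example, not code from the slides or the book, and not any DLP product's logic: the watch list, thresholds, entropy cut-off and the seven sample messages are all constructed for this example. "Encoding/encryption" is approximated two ways, a long base64-looking run and a Shannon entropy well above that of English text; "traffic pattern" is approximated as too many messages from one sender to one outside domain.

```python
import base64
import math
import re
from collections import Counter, defaultdict
from typing import List, Tuple

KEYWORDS = ("secret", "classified", "confidential")  # constructed watch list
ENTROPY_THRESHOLD = 4.5  # bits per character; English prose sits near 4, base64 or ciphertext well above
VOLUME_THRESHOLD = 3     # outbound messages from one sender to one outside domain before flagging
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of the given string (0.0 for empty input)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def keyword_hits(body: str) -> List[str]:
    """Indicator 1: sensitive or classified keywords, case-insensitive."""
    lower = body.lower()
    return [k for k in KEYWORDS if k in lower]


def looks_encoded(body: str) -> bool:
    """Indicator 3: content that looks base64-encoded or encrypted."""
    return bool(BASE64_RUN.search(body)) or shannon_entropy(body) > ENTROPY_THRESHOLD


def scan(messages: List[Tuple[str, str, str]]) -> List[Tuple[int, List[str]]]:
    """messages: (sender, destination_domain, body). Returns (index, reasons) for each
    message that trips at least one indicator; indicator 2 (volume) is tracked across
    the whole batch per (sender, destination) pair."""
    findings = []
    per_destination = defaultdict(int)
    for i, (sender, dest, body) in enumerate(messages):
        reasons = []
        hits = keyword_hits(body)
        if hits:
            reasons.append("keyword:" + ",".join(hits))
        if looks_encoded(body):
            reasons.append("encoded-or-encrypted")
        per_destination[(sender, dest)] += 1
        if per_destination[(sender, dest)] > VOLUME_THRESHOLD:
            reasons.append("volume")
        if reasons:
            findings.append((i, reasons))
    return findings


# Constructed sample traffic: an opaque blob plus ordinary messages.
_BLOB = base64.b64encode(bytes(range(64))).decode()
SAMPLE_MESSAGES = [
    ("alice", "corp.example", "Lunch at noon?"),
    ("bob", "partner.example", "Attached is the classified budget"),
    ("carol", "unknown.example", _BLOB),
    ("alice", "drop.example", "part 1"),
    ("alice", "drop.example", "part 2"),
    ("alice", "drop.example", "part 3"),
    ("alice", "drop.example", "part 4"),
]

if __name__ == "__main__":
    for index, reasons in scan(SAMPLE_MESSAGES):
        print(index, SAMPLE_MESSAGES[index][0], "->", SAMPLE_MESSAGES[index][1], reasons)
```

The slide's closing caveat shows up in the code's blind spots: a keyword renamed, a blob compressed below the run length, or four messages sent from two accounts all pass, which is why DLP is described as best against accidental leaks rather than determined insiders.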

Intrusion Detection System (IDS)


• IDSs complement preventative controls as a next line of
defense. IDSs monitor activity to identify malicious or
suspicious events. IDSs may
• Monitor user and system activity
• Audit system configurations for vulnerabilities and
misconfigurations
• Assess integrity of critical system and data files
• Recognize known attack patterns in system activity
• Identify abnormal activity through statistical analysis
• Manage audit trails and highlight policy violations
• Install and operate traps to record information about intruders


Intrusion Detection Systems (IDS)


[Figure: IDS architecture. A raw event source (E) supplies raw or low-level event data, as Events, to Analysis (A); Analysis sends high-level interpreted events to Storage (S) and reactions to events to Countermeasures (C).]

Types of IDS
• Detection method
• Signature-based
• Heuristic
• Location
• Front end
• Internal
• Scope
• Host-based IDS (HIDS)
• Network-based IDS (NIDS)
• Capability
• Passive
• Active, also known as intrusion prevention systems (IPS**)
** https://ubiquity.acm.org/article.cfm?id=1071927
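The signature-based versus heuristic distinction above is easiest to see side by side on the same events. The following is an added example, not code from the slides or the book, and not modelled on any particular IDS product: it parses a handful of constructed, syslog-style login lines, raises a signature alert whenever a line matches a fixed pattern, and raises a heuristic alert when one source produces a burst of failed logins inside a sliding time window. The log format, the addresses (RFC 5737 documentation ranges), the single signature and the window and threshold values are all constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed log lines in a syslog-like shape (not from any real system).
LOG_LINES = [
    "2024-01-01T10:00:01 sshd: Failed password for root from 198.51.100.7",
    "2024-01-01T10:00:05 sshd: Failed password for alice from 198.51.100.7",
    "2024-01-01T10:00:09 sshd: Failed password for bob from 198.51.100.7",
    "2024-01-01T10:05:00 sshd: Accepted password for alice from 203.0.113.5",
    "2024-01-01T10:06:00 sshd: Failed password for carol from 203.0.113.5",
    "2024-01-01T10:20:00 sshd: Failed password for carol from 203.0.113.5",
    "2024-01-01T10:20:30 sshd: Failed password for carol from 203.0.113.5",
]

LINE_RE = re.compile(r"^(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")

# Signature-based: a fixed pattern the analyst already knows is bad. One rule here;
# a real ruleset is a long list of these.
SIGNATURES = {
    "root-login-attempt": re.compile(r"password for root from"),
}


def parse(line: str) -> Optional[dict]:
    """Turn one raw line into a structured event, or None if it is not a login record."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, outcome, user, src = m.groups()
    return {"ts": datetime.fromisoformat(ts), "outcome": outcome, "user": user, "src": src}


def signature_alerts(lines: List[str]) -> List[Tuple[int, str]]:
    """Each line is judged alone: (line index, signature name) for every match."""
    return [(i, name) for i, line in enumerate(lines)
            for name, pattern in SIGNATURES.items() if pattern.search(line)]


def heuristic_alerts(lines: List[str], window: timedelta = timedelta(seconds=60),
                     threshold: int = 3) -> List[Tuple[int, str]]:
    """Statistical rule that needs state across lines: flag a source once `threshold`
    failed logins fall inside `window`. Returns (line index, source) per burst."""
    recent = defaultdict(deque)  # src -> timestamps of recent failures
    alerts = []
    for i, line in enumerate(lines):
        ev = parse(line)
        if ev is None or ev["outcome"] != "Failed":
            continue
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()  # drop failures that have aged out of the window
        if len(q) >= threshold:
            alerts.append((i, ev["src"]))
            q.clear()  # one alert per burst, then start counting again
    return alerts


if __name__ == "__main__":
    print("signature:", signature_alerts(LOG_LINES))
    print("heuristic:", heuristic_alerts(LOG_LINES))
```

The two detectors disagree in an instructive way: the signature fires on the very first line (a root attempt) but never on the spread-out failures from 203.0.113.5, while the heuristic ignores the first line as a single event and fires only when 198.51.100.7 reaches three failures within a minute. An active IDS (IPS) would feed the heuristic's result into a countermeasure such as a temporary block; the passive form stops at the alert.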


Summary
• Networks are threatened by attacks aimed at interception,
modification, fabrication, and interruption
• WPA2 has many critical security advantages over WEP
• DoS attacks come in many flavors, but malicious ones are
usually either volumetric in nature or exploit a bug
• Network encryption can be achieved using specialized tools—
some for link encryption and some for end-to-end—such as
VPNs, SSH, and the SSL/TLS protocols
• A wide variety of firewall types exist, ranging from very basic
IP-based functionality to complex application-layer logic, and
both on networks and hosts
• There are many flavors of IDS, each of which detects different
kinds of attacks in very different parts of the network