Unit 3 SECURITY ISSUES

1 What is firewall? Explain each types of firewall in network communication.

In computing, a firewall is a network security system that controls the incoming
and outgoing network traffic based on applied rule set. A firewall establishes a
barrier between a trusted, secure internal network and another network (e.g.,
the Internet) that is not assumed to be secure and trusted.
Types
There are different types of firewalls depending on where the communication is
taking place, where the communication is intercepted and the state that is being
traced.[14]
Network layer or packet filters[edit]
Network layer firewalls, also called packet filters, operate at a relatively low level
of the TCP/IPprotocol stack, not allowing packets to pass through the firewall
unless they match the established rule set. The firewall administrator may define
the rules; or default rules may apply. The term "packet filter" originated in the
context of BSD operating systems.
Network
layer
firewalls
generally
fall
into
two
subcategories, stateful and stateless. Stateful firewalls maintain context about
active sessions, and use that "state information" to speed packet processing. Any
existing network connection can be described by several properties, including
source and destination IP address, UDP or TCP ports, and the current stage of the
connection's lifetime (including session initiation, handshaking, data transfer, or
completion connection). If a packet does not match an existing connection, it will
be evaluated according to the ruleset for new connections. If a packet matches
an existing connection based on comparison with the firewall's state table, it will
be allowed to pass without further processing.
Stateless firewalls require less memory, and can be faster for simple filters that
require less time to filter than to look up a session. They may also be necessary
for filtering stateless network protocols that have no concept of a session.
However, they cannot make more complex decisions based on what stage
communications between hosts have reached.
Newer firewalls can filter traffic based on many packet attributes like source IP
address, source port, destination IP address or port, destination service
like WWW or FTP. They can filter based on protocols, TTL values, netblock of
originator, of the source, and many other attributes.
Commonly
used
packet
filters
on
various
versions
ofUnix are IPFilter (various), ipfw (FreeBSD/Mac
OS
X), NPF (NetBSD), PF (OpenBSD, and some otherBSDs), iptables/ipchains (Linux).
Application-layer[edit]
Main article: Application layer firewall
Application-layer firewalls work on the application level of the TCP/IP stack (i.e.,
all browser traffic, or all telnet or ftp traffic), and may intercept all packets
traveling to or from an application. They block other packets (usually dropping
them without acknowledgment to the sender).

On inspecting all packets for improper content, firewalls can restrict or prevent
outright the spread of networked computer worms and trojans. The additional
inspection criteria can add extra latency to the forwarding of packets to their
destination.
Application firewalls function by determining whether a process should accept
any given connection. Application firewalls accomplish their function by hooking
into socket calls to filter the connections between the application layer and the
lower layers of the OSI model. Application firewalls that hook into socket calls are
also referred to as socket filters. Application firewalls work much like a packet
filter but application filters apply filtering rules (allow/block) on a per process
basis instead of filtering connections on a per port basis. Generally, prompts are
used to define rules for processes that have not yet received a connection. It is
rare to find application firewalls not combined or used in conjunction with a
packet filter.[15]
Also, application firewalls further filter connections by examining the process ID
of data packets against a ruleset for the local process involved in the data
transmission. The extent of the filtering that occurs is defined by the provided
ruleset. Given the variety of software that exists, application firewalls only have
more complex rulesets for the standard services, such as sharing services. These
per process rulesets have limited efficacy in filtering every possible association
that may occur with other processes. Also, these per process rulesets cannot
defend against modification of the process via exploitation, such as memory
corruption exploits. Because of these limitations, application firewalls are
beginning to be supplanted by a new generation of application firewalls that rely
on mandatory access control(MAC), also referred to as sandboxing, to protect
vulnerable services.[16]
Proxies[edit]
Main article: Proxy server
A proxy server (running either on dedicated hardware or as software on a
general-purpose machine) may act as a firewall by responding to input packets
(connection requests, for example) in the manner of an application, while
blocking other packets. A proxy server is a gateway from one network to another
for a specific network application, in the sense that it functions as a proxy on
behalf of the network user.[1]
Proxies make tampering with an internal system from the external network more
difficult and misuse of one internal system would not necessarily cause a
security breach exploitable from outside the firewall (as long as the application
proxy remains intact and properly configured). Conversely, intruders mayhijack a
publicly reachable system and use it as a proxy for their own purposes; the proxy
thenmasquerades as that system to other internal machines. While use of
internal address spaces enhances security, crackers may still employ methods
such as IP spoofing to attempt to pass packets to a target network.

2 What is web-server? Name each type of web server and explain the
architecture of any one of them.

A web server is a computer system that processes requests viaHTTP, the

basicnetwork protocolused to distribute information on the World Wide Web.
1.

Apache HTTP Server

Developed by Apache Software Foundation, the Apache HTTP server is the most
popular web hosting server in the world today. This open source software can
be installed on virtually all operating systems including Windows, Linux, Mac OS
X, Unix, etc. 60% of server machines functional today run on the apache web
server.

2.

Internet Information Services

Internet Information Services (IIS) is a product of Microsoft and is considered to

be a very high-performanceweb hosting server. It is integrated with the
windows platforms and hence is easily administrable.

3.

Lighttpd

This is a free web hosting server software distributed along with the FreeBSD
operating system. The Lighttpd is considered fast, reliable and secure. It also
consumes lesser CPU power. Lighttpd web servers are also compatible with
Windows, Linux, Mac OS X, and Solaris operating systems.

4.

Sun Java System Web Server

This server is a product of Sun Microsystems. Although it is not an open source

server, it supports Windows, Linux, and Unix. This web hosting server is suitable
for medium and large website hosting. It supports many different
technologies, scripts and languages including PHP, Perl, ASP, Coldfusion, etc.

5.

Jigsaw Server

This is a free open source server for website hosting that comes straight from
the World Wide Web association. The Jigsaw web hosting server is written in

Java and supports both PHP programs and CGI scripts. It supports different
platforms like Linux, Mac OS X, Windows, Unix, FreeBSD, etc.

Although there are many other website hosting servers, the five mentioned
above are reputed for being most reliable and commonly used.

3 What are the types of attacks in terms of security? Explain DOS attack on
server.
Types of attack:
Classes of attack might include passive monitoring of communications, active
network attacks, close-in attacks, exploitation by insiders, and attacks through
the service provider. Information systems and networks offer attractive targets
and should be resistant to attack from the full range of threat agents, from
hackers to nation-states. A system must be able to limit damage and recover
rapidly
when
attacks
occur.
There are five types of attack:
Passive Attack
A passive attack monitors unencrypted traffic and looks for clear-text
passwords and sensitive information that can be used in other types of
attacks. Passive attacks include traffic analysis, monitoring of unprotected
communications, decrypting weakly encrypted traffic, and capturing
authentication information such as passwords. Passive interception of network
operations enables adversaries to see upcoming actions. Passive attacks result in
the disclosure of information or data files to an attacker without the consent or
knowledge of the user.
Active Attack
In an active attack, the attacker tries to bypass or break into secured systems.
This can be done through stealth, viruses, worms, or Trojan horses. Active
attacks include attempts to circumvent or break protection features, to introduce
malicious code, and to steal or modify information. These attacks are mounted
against a network backbone, exploit information in transit, electronically
penetrate an enclave, or attack an authorized remote user during an attempt to
connect to an enclave. Active attacks result in the disclosure or dissemination of
data files, DoS, or modification of data.
Distributed Attack
A distributed attack requires that the adversary introduce code, such as a
Trojan horse or back-door program, to a trusted component or software that
will later be distributed to many other companies and users Distribution attacks
focus on the malicious modification of hardware or software at the factory or
during distribution. These attacks introduce malicious code such as a back door
to a product to gain unauthorized access to information or to a system function
at a later date.
Insider Attack

An insider attack involves someone from the inside, such as a disgruntled

employee, attacking the network Insider attacks can be malicious or no
malicious. Malicious insiders intentionally eavesdrop, steal, or damage
information; use information in a fraudulent manner; or deny access to other
authorized users. No malicious attacks typically result from carelessness, lack of
knowledge, or intentional circumvention of security for such reasons as
performing a task
Close-in Attack
A close-in attack involves someone attempting to get physically close to
network components, data, and systems in order to learn more about a network
Close-in attacks consist of regular individuals attaining close physical proximity
to networks, systems, or facilities for the purpose of modifying, gathering, or
denying access to information. Close physical proximity is achieved through
surreptitious entry into the network, open access, or both.
One popular form of close in attack is social engineering in a social
engineering attack, the attacker compromises the network or system through
social interaction with a person, through an e-mail message or phone. Various
tricks can be used by the individual to revealing information about the security of
company. The information that the victim reveals to the hacker would most likely
be used in a subsequent attack to gain unauthorized access to a system or
network.
Phishing Attack
In phishing attack the hacker creates a fake web site that looks exactly like a
popular site such as the SBI bank or paypal. The phishing part of the attack is
that the hacker then sends an e-mail message trying to trick the user into
clicking a link that leads to the fake site. When the user attempts to log on with
their account information, the hacker records the username and password and
then tries that information on the real site.
Hijack attack
Hijack attack In a hijack attack, a hacker takes over a session between you and
another individual and disconnects the other individual from the communication.
You still believe that you are talking to the original party and may send private
information to the hacker by accident.
Spoof attack
Spoof attack In a spoof attack, the hacker modifies the source address of the
packets he or she is sending so that they appear to be coming from someone
else. This may be an attempt to bypass your firewall rules.
Buffer overflow
Buffer overflow A buffer overflow attack is when the attacker sends more data to
an application than is expected. A buffer overflow attack usually results in the
attacker gaining administrative access to the system in a ommand prompt or
shell.
Exploit attack
Exploit attack In this type of attack, the attacker knows of a security problem
within an operating system or a piece of software and leverages that knowledge
by exploiting the vulnerability.
Password attack

Password attack An attacker tries to crack the passwords stored in a network

account database or a password-protected file. There are three major types of
password attacks: a dictionary attack, a brute-force attack, and a hybrid attack.
A dictionary attack uses a word list file, which is a list of potential passwords. A
brute-force attack is when the attacker tries every possible combination of
characters.

Incomputing,
adenial-of-service(DoS)
ordistributed
denial-ofservice(DDoS)attack is an attempt to make a machine or network resource
unavailable to its intended users.
Although the means to carry out, the motives for, and targets of a DoS attack
vary, it generally consists of efforts to temporarily or indefinitely interrupt or
suspend services of a host connected to the Internet.
As clarification, distributed denial-of-service attacks are sent by two or more
persons, or bots, and denial-of-service attacks are sent by one person or system.
As of 2014, the frequency of recognized DDoS attacks had reached an average
rate of 28 per hour. [1]
Perpetrators of DoS attacks typically target sites or services hosted on highprofile web servers such as banks, credit card payment gateways, and even root
nameservers.
Denial-of-service threats are also common in business, [2] and are sometimes
responsible for website attacks. [3]
This technique has now seen extensive use in certain games, used by server
owners, or disgruntled competitors on games, such as popular Minecraftservers.
Increasingly, DoS attacks have also been used as a form of resistance. Richard
Stallman has stated that DoS is a form of 'Internet Street Protests. [4] The term is
generally used relating tocomputer networks, but is not limited to this field; for
example, it is also used in reference to CPU resource management.[5]
One common method of attack involves saturating the target machine with
external communications requests, so much so that it cannot respond to
legitimate traffic, or responds so slowly as to be rendered essentially unavailable.
Such attacks usually lead to a server overload. In general terms, DoS attacks are
implemented by either forcing the targeted computer(s) to reset, or consuming
itsresources so that it can no longer provide its intended service or obstructing
the communication media between the intended users and the victim so that
they can no longer communicate adequately.
Denial-of-service attacks are considered violations of the Internet Architecture
Board's Internet proper use policy, and also violate the acceptable use policies of
virtually all Internet service providers. They also commonly constitute violations
of the laws of individual nations. [citation needed]
The first demonstrated DDos attack was introduced by well known hacker Khan
C. Smith during a 1998 illegal Defcon event and later exposed for its use Botnet
mechanisms during a lawsuit filed by Earthlink [6] which claims has caused billions
in economic damages.

Prevent Denial of Service (DoS) Attacks

Denial of Service (DoS) attacks against web sites occur when an attacker
attempts to make the web server, or servers, unavailable to serve up the web
sites they host to legitimate visitors. For some time, it was thought that these
types of attacks were generally used against large corporations, government
sites, and activist sites as a form of protest to disrupt their web presence.

4 Explain X.509? also explain structure of it.

In cryptography, X.509 is an ITU-T standard for apublic key infrastructure (PKI)
and Privilege Management Infrastructure (PMI). X.509 specifies, amongst other
things, standard formats for public key certificates, certificate revocation
lists, attribute certificates, and a certification path validation algorithm.
An X.509 certificate usually contains information about the certificate holder, the
signer, a unique serial number, expiration dates and some other fields [PKIX] as
shown in Table 4.2.
Field

version

Description
The field that indicates
the version of the
certificate.

This field holds a

serialNumb
unique serial number
er
per certificate.

signature

The issuing authoritys

signature.

issuer

Holds the issuers

distinguished name.

validity

The activation and

expiration dates.

subject

The subjects
distinguished name of
the certificate.

extensions The extensions are

Field

Description
fields only present in
version 3 certificates.

Table 4.2: X.509 certificate fields.

The certificates subject or issuer name is not just a single string. It is a
Distinguished name and in the ASN.1 notation is a sequence of several object
identifiers with their corresponding values. Some of available OIDs to be used in
an X.509 distinguished name are defined in gnutls/x509.h.
The Version field in a certificate has values either 1 or 3 for version 3 certificates.
Version 1 certificates do not support the extensions field so it is not possible to
distinguish a CA from a person, thus their usage should be avoided.
The validity dates are there to indicate the date that the specific certificate was
activated and the date the certificates key would be considered invalid.
In GnuTLS the X.509 certificate structures are handled using
the gnutls_x509_crt_ttype and the corresponding private keys with
the gnutls_x509_privkey_t type. All the available functions for X.509 certificate
handling have their prototypes ingnutls/x509.h. An example program to
demonstrate the X.509 parsing capabilities can be found in ex-x509-info.
5 Explain SSL and TLS with their working and security measures.
What Is SSL?
SSL (Secure Sockets Layer) is a standard security technology for establishing an
encrypted link between a server and a clienttypically a web server (website)
and a browser; or a mail server and a mail client (e.g., Outlook).
SSL allows sensitive information such as credit card numbers, social security
numbers, and login credentials to be transmitted securely. Normally, data sent
between browsers and web servers is sent in plain textleaving you vulnerable
to eavesdropping. If an attacker is able to intercept all data being sent between a
browser and a web server they can see and use that information.
More specifically, SSL is a security protocol. Protocols describe how algorithms
should be used; in this case, the SSL protocol determines variables of the
encryption for both the link and the data being transmitted.
What is an SSL Certificate and How Does it Work?

SSL Certificates have a key pair: a public and a private key. These keys work
together to establish an encrypted connection. The certificate also contains what
is called the subject, which is the identity of the certificate/website owner.
To get a certificate, you must create a Certificate Signing Request (CSR) on your
server. This process creates a private key and public key on your server. The CSR
data file that you send to the SSL Certificate issuer (called a Certificate Authority
or CA) contains the public key. The CA uses the CSR data file to create a data
structure to match your private key without compromising the key itself. The CA
never sees the private key.
Once you receive the SSL Certificate, you install it on your server. You also install
a pair of intermediate certificates that establish the credibility of your SSL
Certificate by tying it to your CAs root certificate. The instructions for installing
and testing your certificate will be different depending on your server.
Transport Layer Security (TLS) and its predecessor, Secure Sockets
Layer (SSL), arecryptographic protocols designed to provide
communication security over the Internet.[1] They useX.509 certificates and
hence asymmetric cryptography to authenticate the counterparty with whom
they are communicating, and to exchange asymmetric key. This session key is
then used to encrypt data flowing between the parties. This allows for
data/message confidentiality, and message authentication codes for message
integrity and as a by-product, message authentication. Several versions of the
protocols are in widespread use in applications such as web browsing, electronic
mail,Internet faxing, instant messaging, and voice-over-IP(VoIP). An important
property in this context isforward secrecy, so the short-term session key cannot
be derived from the long-term asymmetric secret key. [2]
As a consequence of choosing X.509 certificates,certificate authorities and
a public key infrastructureare necessary to verify the relation between a
certificate and its owner, as well as to generate, sign, and administer the validity
of certificates. While this can be more beneficial than verifying the identities via
a web of trust, the 2013 mass surveillance disclosures made it more widely
known that certificate authorities are a weak point from a security standpoint,
allowing man-in-the-middle attacks(MITM).[3][4]
In the Internet Protocol Suite, TLS and SSL encryptthe data
of network connections in the application layer. In OSI model equivalences,
TLS/SSL is initialized at layer 5 (session layer) and works at layer 6
(the presentation layer).[citation needed] The session layer has a handshake using an
asymmetric cipher in order to establish cipher settings and a shared key for that
session; then the presentation layer encrypts the rest of the communication
using a symmetric cipher and that session key. In both models, TLS and SSL work
on behalf of the underlying transport layer, whose segments carry encrypted
data.

TLS is an Internet Engineering Task Force (IETF)standards track protocol, first

defined in 1999 and last updated in RFC 5246 (August 2008) and RFC
6176 (March 2011). It is based on the earlier SSL specifications (1994, 1995,
1996) developed byNetscape Communications[5] for adding the HTTPSprotocol to
their Navigator web browser.
6 Differentiate Digital Signature and hashing. Explain use of Digital Certificate in
web application.
Integrity: Can the recipient be confident that the message has not been
accidentally modified?

Authentication: Can the recipient be confident that the message

originates from the sender?

Non-repudiation: If the recipient passes the message and the proof to a

third party, can the third party be confident that the message originated
from the sender? (Please note that I am talking about non-repudiation in the
cryptographic sense, not in the legal sense.)
Also important is this question:

Keys: Does the primitive require a shared secret key, or public-private

keypairs?
I think the short answer is best explained with a table:
Cryptographic primitive | Hash | MAC | Digital
Security Goal
|
|
| signature
------------------------+------+-----------+------------Integrity
| Yes | Yes | Yes
Authentication
| No | Yes | Yes
Non-repudiation
| No | No
| Yes
------------------------+------+-----------+------------Kind of keys
| none | symmetric | asymmetric
|
| keys | keys
Please remember that authentication without confidence in the keys used is
useless. For digital signatures, a recipient must be confident that the verification
key actually belongs to the sender. For MACs, a recipient must be confident that
the shared symmetric key has only been shared with the sender.

The longer answer:

A (unkeyed) hash of the message, if appended to the message itself, only
protects against accidental changes to the message (or the hash itself), as an
attacker who modifies the message can simply calculate a new hash and use it
instead of the original one. So this only gives integrity.