UNIT - 5 Notes


BBDITM-054 COMPUTER SYSTEM SECURITY UNIT - 5

COMPUTER SYSTEM SECURITY (KNC301)
UNIT - 5

Internet Infrastructure: Basic security problems, Routing security,
DNS revisited, Summary of weaknesses of internet security, Link
layer connectivity and TCP/IP connectivity, Packet filtering
firewall, Intrusion detection.


1. Internet Infrastructure
Generally speaking, infrastructures are the frameworks or
architectures that systems are made of. For example, a nation's
transportation infrastructure consists of roadways, railroads,
airports, ocean ports, and rivers.
The Internet also has an infrastructure consisting of many
different elements, each of which plays a critical role in the
delivery of information/data from one point to another.
Internet infrastructure is the physical hardware, transmission
media, and software used to interconnect computers and users
on the Internet. Internet infrastructure is responsible for
hosting, storing, processing, and serving the information that
makes up websites, applications, and content.

1.1 Elements of the Internet Infrastructure

At the most basic levels of the Internet infrastructure are
endless miles of telephone lines and fiber optic cable. These
cables connect millions of individual users and businesses to
other parties, transmitting data at varying speeds, depending
on the types of cabling used.
Three important internet infrastructure components are
discussed here:
- TCP/IP: used for addressing, routing and end-to-end messaging.
- BGP (Border Gateway Protocol): used for routing announcements
between networks.
- DNS (Domain Name System): translates a host name like
google.com into a network address that can be used to actually
connect to the host.
TCP/IP (Transmission Control Protocol/Internet Protocol)
The Internet works by using a protocol suite called TCP/IP,
named after its two core protocols, Transmission Control
Protocol and Internet Protocol. TCP/IP is the underlying
communication language of the Internet. In basic terms, TCP/IP
allows one computer to talk to another computer via the
Internet by breaking data into packets and delivering them to
the right location.
Defining TCP
TCP/IP is usually described as two layers. The upper layer, TCP,
is responsible for taking large amounts of data, splitting it
into packets (segments), numbering them and sending them on
their way to be received by a peer TCP layer, which
acknowledges them, puts them back in order and retransmits
anything that was lost, so that the application sees the
original data.

Defining IP
The lower layer, IP, is the location aspect of the pair,
allowing packets to be sent and received at the correct
location. If you think about IP in terms of a map, the IP layer
serves as the packet's GPS to find the correct destination.
Much like a car driving on a highway, each packet passes
through gateway computers (routers, the signs on the road),
which forward it one hop closer to its destination.
"In summary, TCP is the data. IP is the Internet location
GPS."
Neither protocol authenticates the other end: the source
address in an IP header and the sequence numbers in a TCP
header are plain fields that any sender can fill in, which is
the root of the spoofing and hijacking problems discussed
below.

BGP
Border Gateway Protocol (BGP) is the postal service of the
Internet. When someone drops a letter into a mailbox, the
postal service processes that piece of mail and chooses a fast,
efficient route to deliver the letter to its recipient.
Similarly, when someone sends data across the Internet, BGP is
responsible for looking at all of the available paths that data
could travel and picking the best route, which usually means
hopping between autonomous systems (the independently
operated networks, such as ISPs, that make up the Internet).
DNS (Domain Name System)
The Domain Name System (DNS) is the phonebook of the Internet.
Humans access information online through domain names like
nytimes.com or espn.com, while web browsers and other clients
actually connect using Internet Protocol (IP) addresses. DNS
translates domain names to IP addresses so browsers can load
Internet resources.


2. BASIC SECURITY PROBLEMS

i. Network packets pass through untrusted hosts (a message
crosses several networks and intermediate devices on its way
from source to destination).
- Eavesdropping and packet sniffing.
- Especially easy when the attacker controls a machine close to
the victim, such as a Wi-Fi router.
ii. TCP state (addresses, ports, sequence and acknowledgement
numbers) is easily obtained by eavesdropping.
- This enables spoofing and session hijacking: an attacker who
knows the current sequence numbers can inject segments that the
endpoints accept as genuine.
iii. Distributed Denial of Service (DDoS) vulnerability.
iv. Duplicate IP addresses.
v. DNS problems.
vi. A single workstation is unable to connect to the network.
vii. Unable to connect to local file or printer shares.
viii. The local network is unable to connect to the internet.
ix. Slow internet performance.
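As an added example (not code from the original notes), the following Python script parses a constructed Ethernet/IPv4/TCP frame of the kind a sniffer on a Wi-Fi router would capture, pulls out the TCP state listed in point ii, and then computes the sequence and acknowledgement numbers a forged reply "from the server" would need in order to be accepted by the client. All addresses, ports and sequence numbers are made-up sample values, and nothing is sent on the network; the point is only that every number an injector needs is sitting in the clear in the headers.

```python
import struct
from ipaddress import IPv4Address

ETH_HDR_LEN = 14          # Ethernet II header: dst MAC, src MAC, EtherType
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6


def build_sample_frame() -> bytes:
    """Constructed Ethernet/IPv4/TCP frame standing in for a sniffed packet.
    Addresses, ports and sequence numbers are made up for this example."""
    eth = (bytes.fromhex("aabbccddeeff") + bytes.fromhex("112233445566")
           + struct.pack("!H", ETHERTYPE_IPV4))
    payload = b"GET / HTTP/1.1\r\n"
    tcp = struct.pack(
        "!HHIIBBHHH",
        40123,          # source port (client)
        80,             # destination port (server)
        0x11223344,     # sequence number
        0x55667788,     # acknowledgement number
        5 << 4,         # data offset: 5 words, no options
        0x18,           # flags: PSH|ACK
        65535, 0, 0,    # window, checksum (left zero here), urgent pointer
    )
    ip = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0,                        # version 4 / IHL 5, DSCP+ECN
        20 + len(tcp) + len(payload),   # total length
        0x1234, 0x4000,                 # identification, flags DF + offset 0
        64, PROTO_TCP, 0,               # TTL, protocol, checksum (left zero)
        IPv4Address("192.0.2.10").packed,
        IPv4Address("198.51.100.7").packed,
    )
    return eth + ip + tcp + payload


def parse_tcp_state(frame: bytes) -> dict:
    """Pull out what a spoofer needs: the 4-tuple, seq/ack and the payload length."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    ip = frame[ETH_HDR_LEN:]
    if ip[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ip[0] & 0x0F) * 4                 # header may carry options
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != PROTO_TCP:
        raise ValueError("not TCP")
    tcp = ip[ihl:total_len]                  # ignore any link-layer padding
    sport, dport, seq, ack, off, flags, win = struct.unpack("!HHIIBBH", tcp[:16])
    data_off = (off >> 4) * 4
    return {
        "src": str(IPv4Address(ip[12:16])), "dst": str(IPv4Address(ip[16:20])),
        "sport": sport, "dport": dport,
        "seq": seq, "ack": ack, "flags": flags, "window": win,
        "payload_len": len(tcp) - data_off,
    }


def forged_reply_numbers(state: dict) -> dict:
    """Header values a segment injected 'from the server' must carry to be accepted
    by the client: it continues the server's stream (seq = client's ack) and
    acknowledges what the client just sent (ack = seq + payload length).
    Only the numbers are computed; nothing is transmitted."""
    return {
        "src": state["dst"], "dst": state["src"],
        "sport": state["dport"], "dport": state["sport"],
        "seq": state["ack"],
        "ack": (state["seq"] + state["payload_len"]) & 0xFFFFFFFF,
    }


if __name__ == "__main__":
    observed = parse_tcp_state(build_sample_frame())
    print("observed:", observed)
    print("forged reply needs:", forged_reply_numbers(observed))
```

Run it on a real capture by feeding parse_tcp_state() the raw bytes of any Ethernet frame (for example from a pcap). The check a practitioner takes away is that the only thing protecting a plaintext TCP session from injection is the attacker not seeing these numbers; once a sniffer is on the path, only end-to-end protection such as TLS makes the injected data useless.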

3. Routing Security
Routing is fundamental to how the Internet works. Routing
protocols direct the movement of packets between your
computer and any other computers it is communicating with.
The Internet's inter-domain routing protocol, Border Gateway
Protocol (BGP), is considered particularly exposed to attack.


Routing security has received varying levels of attention over
the past several years and has recently begun to attract more
attention, specifically around Border Gateway Protocol (BGP)
on the public Internet. Despite this new attention, however,
routing remains one of the areas most open to attack. Building
on sniffing-based attacks, an enterprise routing infrastructure
can be attacked with man-in-the-middle and other techniques
designed to corrupt or change the routing tables, with the
following results:
- Traffic redirection: the adversary redirects traffic,
enabling the attacker to modify traffic in transit or simply
sniff packets.
- Traffic sent to a routing black hole: the attacker injects
specific routes that point to null0 (a discard interface),
effectively kicking those IP addresses off the network.
- Router denial-of-service (DoS): attacking the routing
process can crash the router or severely degrade its service.
- Routing protocol DoS: similar to the attack against a whole
router, a routing protocol attack can be launched to stop the
routing process from functioning properly.

- Unauthorized route prefix origination: this attack
introduces a new prefix into the routing table that should not
be there (often called a prefix hijack). The attacker might do
this to make a covert attack network routable throughout the
victim network, or to attract traffic destined for someone
else's addresses. Because BGP does not itself verify that a
network is entitled to announce a prefix, the defence is to
check each announcement's origin against an external record of
who holds the prefix before accepting it.
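An added example, not code from the original notes: the check below is Route Origin Validation (the classification in RFC 6811), written in Python over a constructed table of Route Origin Authorizations (ROAs) and a constructed list of BGP announcements. Real ROAs are fetched from the RPKI; the prefixes and AS numbers here are documentation values made up for the example. The function returns "valid", "invalid" or "unknown" for each announced prefix and origin AS, and the filter drops the "invalid" ones, which is how a router rejects an unauthorized prefix origination from a neighbour.

```python
from ipaddress import ip_network
from typing import List, Tuple

# Constructed ROA table: (prefix, maxLength, authorised origin AS). Example data only.
ROAS: List[Tuple[str, int, int]] = [
    ("192.0.2.0/24", 24, 64496),
    ("198.51.100.0/24", 25, 64497),
]


def validate_origin(prefix: str, origin_as: int, roas=ROAS) -> str:
    """Route Origin Validation: 'valid' if some covering ROA names this origin AS and
    the announced prefix is no longer than that ROA's maxLength; 'invalid' if ROAs
    cover the prefix but none matches; 'unknown' if no ROA covers it at all."""
    net = ip_network(prefix)
    covering = []
    for roa_prefix, max_len, asn in roas:
        roa_net = ip_network(roa_prefix)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append((max_len, asn))
    if not covering:
        return "unknown"
    for max_len, asn in covering:
        if asn == origin_as and net.prefixlen <= max_len:
            return "valid"
    return "invalid"


def filter_announcements(announcements, roas=ROAS, accept_unknown=True):
    """Common policy: drop 'invalid' routes, keep 'valid' and (optionally) 'unknown'.
    An announcement is (prefix, AS_PATH); the origin AS is the last AS in the path."""
    accepted = []
    for prefix, as_path in announcements:
        state = validate_origin(prefix, as_path[-1], roas)
        if state == "valid" or (state == "unknown" and accept_unknown):
            accepted.append((prefix, as_path, state))
    return accepted


# Constructed BGP UPDATEs as received from a neighbour (example data only).
ANNOUNCEMENTS = [
    ("192.0.2.0/24",    [64500, 64496]),   # legitimate origin
    ("192.0.2.0/25",    [64500, 64496]),   # right origin but more specific than maxLength
    ("192.0.2.0/24",    [64500, 64666]),   # unauthorised origin: a prefix hijack
    ("198.51.100.0/25", [64501, 64497]),   # allowed: the ROA permits up to /25
    ("203.0.113.0/24",  [64502, 64503]),   # no ROA at all: unknown
]

if __name__ == "__main__":
    for prefix, as_path in ANNOUNCEMENTS:
        print(prefix, as_path, "->", validate_origin(prefix, as_path[-1]))
    print("accepted:", [a[0] for a in filter_announcements(ANNOUNCEMENTS)])
```

Note the second announcement: the origin is genuine, but a more-specific announcement than the ROA allows is still "invalid", because a more-specific route would win the best-path selection and is exactly how a hijacker draws traffic away. Also note that this only validates the origin; it does not detect a forged AS path that ends in the legitimate origin AS.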
4. DNS Revisited
The Domain Name System maps the names of internet sites to
their underlying IP addresses, and the caching hierarchy it is
built on makes the mapping efficient.
At its most basic, DNS is a directory of names that match with
numbers. The numbers, in this case, are IP addresses, which
computers use to communicate with each other.
When the internet was very small, it was easy for people to
associate specific IP addresses with specific computers, but
that did not last for long as more devices and people joined
the growing network. In addition to creating a directory for
all of these devices, words were used to let people connect to
different sites; for most people, remembering words is easier
than remembering specific sets of numbers. It is still possible
to type a specific IP address into a browser to reach a
website.


How DNS Adds Efficiency
DNS is organized in a hierarchy that helps keep things running
quickly and smoothly. To illustrate, suppose you want to visit
networkworld.com.
The initial request for the IP address is made to a recursive
resolver, a server usually operated by an ISP or another
third-party provider. If the resolver has answered the same
question recently it replies from its cache. Otherwise it works
out which other DNS servers it needs to ask to resolve the name
networkworld.com to its IP address. The search starts at a root
server, which knows where to find the servers for each
top-level domain, such as .com, .net, .org and the country
domains like .cn (China) and .uk (United Kingdom). Root servers
are located all around the world, so the system usually directs
you to the closest one geographically.
The root server refers the resolver to a top-level domain (TLD)
name server, which holds the delegation information for the
second-level domains, the words used before the .com, .org or
.net (for networkworld.com the second-level label is
"networkworld"). The TLD server in turn refers the resolver to
the authoritative name server for that domain, which holds the
records for the site, including its IP address. Once the IP
address is found, it is sent back to the client, which can now
use it to visit the website. All of this takes mere
milliseconds, and the resolver caches each answer so that the
next lookup is faster still.
A practical caveat: the resolver accepts whichever reply
arrives first with the right transaction ID and question, so it
must cache only records from a server that is actually
authoritative for them; otherwise a malicious server can slip
false records into a reply and poison the cache for everyone
using that resolver.
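An added example, not code from the original notes: a small Python simulation of the iterative resolution described above, root to TLD to authoritative server, with a cache. The delegation tree, server names and addresses are constructed for the example (no real DNS traffic is involved). It also includes a constructed attacker-run server that pads its reply with a record for a name outside its own zone, to show why the resolver must apply the bailiwick rule: with strict=True the false record is ignored and networkworld.com still resolves correctly; with strict=False the cache is poisoned.

```python
from typing import Dict, Optional

# Constructed, simplified delegation tree (example names and addresses only).
# Each server is authoritative for exactly one zone and replies with an A
# record, a referral to a child zone, or nothing, plus any "additional"
# records it chooses to include.
SERVERS = {
    "root":    {"zone": ".", "A": {}, "NS": {"com.": "tld-com"}, "additional": {}},
    "tld-com": {"zone": "com.", "A": {},
                "NS": {"networkworld.com.": "ns-nw", "evil.com.": "ns-evil"},
                "additional": {}},
    "ns-nw":   {"zone": "networkworld.com.",
                "A": {"networkworld.com.": "203.0.113.5"}, "NS": {}, "additional": {}},
    # Attacker-run server: answers for its own zone but slips an unrelated
    # record into the additional section, hoping the resolver caches it.
    "ns-evil": {"zone": "evil.com.",
                "A": {"www.evil.com.": "192.0.2.66"}, "NS": {},
                "additional": {"networkworld.com.": "192.0.2.66"}},
}


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is at or below zone (the root zone "." covers everything)."""
    return zone == "." or name == zone or name.endswith("." + zone)


def query(server_id: str, qname: str) -> dict:
    """Simulate one query to one authoritative server."""
    srv = SERVERS[server_id]
    resp = {"answer": {}, "referral": {}, "additional": dict(srv["additional"])}
    if qname in srv["A"]:
        resp["answer"][qname] = srv["A"][qname]
    else:
        for child_zone, ns in srv["NS"].items():
            if in_bailiwick(qname, child_zone):
                resp["referral"][child_zone] = ns
    return resp


def resolve(qname: str, cache: Dict[str, str], strict: bool = True,
            max_hops: int = 8) -> Optional[str]:
    """Iterative resolution root -> TLD -> authoritative, with a cache.
    strict=True caches a record only if the responding server is authoritative
    for it (the bailiwick rule); strict=False caches everything it is told."""
    if qname in cache:                        # cache hit: no queries at all
        return cache[qname]
    server, zone = "root", "."
    for _ in range(max_hops):
        resp = query(server, qname)
        for name, ip in resp["additional"].items():
            if not strict or in_bailiwick(name, zone):
                cache[name] = ip
        if qname in resp["answer"]:
            cache[qname] = resp["answer"][qname]
            return cache[qname]
        if not resp["referral"]:
            return None                       # no such name in this tree
        child_zone, server = next(iter(resp["referral"].items()))
        if strict and not in_bailiwick(child_zone, zone):
            raise ValueError(f"server for {zone} referred outside its zone: {child_zone}")
        zone = child_zone
    return None


if __name__ == "__main__":
    careful: Dict[str, str] = {}
    resolve("www.evil.com.", careful)
    print("strict resolver:", resolve("networkworld.com.", careful))
    naive: Dict[str, str] = {}
    resolve("www.evil.com.", naive, strict=False)
    print("naive resolver: ", resolve("networkworld.com.", naive, strict=False))
```

The second lookup of any name returns from the cache without a single query, which is the efficiency the notes describe; the bailiwick check is the minimum a real resolver applies on top of transaction-ID and source-port matching.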

5. Summary Of Weaknesses Of Internet Security

i. Unauthenticated Protocols
When a protocol lacks authentication, any computer on the
network can send commands that alter the physical process it
controls. This may lead to incorrect process operation, which
damages goods, destroys plant equipment, harms personnel, or
degrades the environment.
ii. Outdated Hardware
Hardware can stay in operation for decades. Such hardware may
operate too simplistically, or lack the processing power and
memory, to handle the threat environment presented by modern
network technology.
iii. Weak User Authentication
User authentication weaknesses in legacy control systems
often include hard-coded passwords, easily cracked passwords,
passwords stored in easily recoverable formats, and passwords
sent in clear text. An attacker who obtains these passwords
can often interact with the controlled process at will.


iv. Weak File Integrity Checks
Lack of software signing, which confirms the software author
and guarantees that the code has not been altered or corrupted,
allows attackers to mislead users into installing software that
did not originate from the vendor. It also allows attackers to
replace legitimate files with malicious ones.
v. Vulnerable Windows Operating Systems
Industrial systems often run unpatched Microsoft Windows
operating systems, leaving them exposed to known
vulnerabilities.
6. Link Layer Connectivity And TCP/IP Connectivity

6.1 Link Layer
- The link layer is responsible for transporting information
from one host (or router) to another over a single link.
- Each network-layer datagram is encapsulated in a link-layer
frame.
- There are two fundamentally different types of link-layer
channels:
a) Broadcast channels
b) Point-to-point communication links


a) Broadcast channels
- Common in local area networks (LANs), wireless LANs, etc.
- Many hosts are connected to the same communications channel.
- A medium access protocol is needed to coordinate
transmissions.
- Because every host on the channel can see every frame,
broadcast links are where packet sniffing is easiest.
b) Point-to-point communication links
- Used between two routers, or between a home dial-up modem
and the ISP router.
- Coordination is trivial.
- There are still issues around framing, reliable transfer,
etc.
6.2 Link Layer Services
- Framing: encapsulation of the network datagram within a
link-layer frame.
- Link Access: a medium access control (MAC) protocol
specifies the rules by which a frame is transmitted onto the
link.
- Reliable Delivery: useful for links prone to high error
rates; avoids the cost of end-to-end retransmission at the
transport or application layer.
- Flow Control: keeps the sender from overwhelming the
receiver, since frames are lost if buffering capacity is
exceeded.
- Error Detection: usually more sophisticated than the
Internet checksum (typically a CRC) and implemented in
hardware.
- Error Correction: it is possible to correct some errors as
well as detect them.
These services protect against accidental errors, not against
an adversary: a CRC can be recomputed by anyone who modifies a
frame in transit.
6.3 TCP/IP Model

- The TCP/IP model, as presented here, consists of five
layers:

a) Application Layer
b) Transport Layer
c) Network Layer
d) Data Link Layer
e) Physical Layer

- The bottom four layers provide physical standards, network
interface, internetworking and transport functions that
correspond to the first four layers of the OSI model. The
three topmost OSI layers (session, presentation and
application) are represented in the TCP/IP model by a single
layer, the application layer.
- TCP/IP is a hierarchical protocol suite made up of
interacting modules, each of which provides specific
functionality.


6.4 Transmission Control Protocol (TCP):

TCP provides full transport-layer services to applications. It
creates a connection (a virtual circuit) between the sender and
receiver, which stays active for the duration of the
transmission.
TCP is a reliable protocol: it detects errors and loss and
retransmits the affected segments. It ensures that all
segments are received and acknowledged before the transmission
is considered complete and the connection is discarded.
At the sending end, TCP divides the whole message into smaller
units known as segments, and each segment carries a sequence
number, which is required for reordering the segments into the
original message. At the receiving end, TCP collects all the
segments and reorders them based on their sequence numbers.

6.5 IP Protocol: IP is the protocol used at the network layer,
and it is the most significant part of the entire TCP/IP
suite. Its responsibilities are:
- IP Addressing: IP implements logical host addresses known
as IP addresses. They are used by the internet layer and the
higher layers to identify the device and to provide
internetwork routing.
- Host-to-host communication: IP determines the path through
which the data is to be transmitted.
- Data Encapsulation and Formatting: IP accepts data from the
transport-layer protocol and encapsulates it into a message
known as an IP datagram. IP itself provides no confidentiality
or integrity protection: the header checksum only catches
accidental corruption, and anyone on the path can read or
rewrite a datagram.
- Fragmentation and Reassembly: the limit a data-link-layer
protocol imposes on the size of an IP datagram is known as the
Maximum Transmission Unit (MTU). If an IP datagram is larger
than the MTU, IP splits it into smaller fragments so that they
can travel over that link. Fragmentation can be done by the
sender or by an intermediate router. At the receiver, all the
fragments are reassembled to form the original datagram.
- Routing: when an IP datagram is sent to a host on the same
local network, this is known as direct delivery. When source
and destination are on different networks, the datagram is
delivered indirectly, by routing it through one or more
intermediate devices (routers).
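An added example, not code from the original notes, showing the fragmentation and reassembly step in Python. It encodes the 16-bit flags/fragment-offset field the way the IPv4 header does (a More Fragments bit plus an offset in 8-byte units), splits a payload to fit a given MTU, and reassembles the pieces. The reassembler refuses overlapping or missing fragments, because a receiver that silently merges overlaps can be crashed or tricked into seeing a different payload than a firewall on the path inspected. The identification value, payload and MTU in the demonstration are made up.

```python
from typing import List, NamedTuple

MF_FLAG = 0x2000          # "More Fragments" bit of the 16-bit flags/offset field


class Fragment(NamedTuple):
    ident: int            # Identification field shared by all pieces of one datagram
    offset: int           # byte offset of this piece within the original payload
    more: bool            # MF flag: another fragment follows
    data: bytes


def pack_flags_offset(more: bool, offset: int) -> int:
    """Encode MF and the offset (in 8-byte units) as the header's 16-bit field."""
    if offset % 8:
        raise ValueError("fragment offsets must be multiples of 8 bytes")
    return (MF_FLAG if more else 0) | (offset // 8)


def unpack_flags_offset(field: int):
    """Inverse of pack_flags_offset: returns (more, offset_in_bytes)."""
    return bool(field & MF_FLAG), (field & 0x1FFF) * 8


def fragment(ident: int, payload: bytes, mtu: int, header_len: int = 20) -> List[Fragment]:
    """Split a datagram payload so that header + data of every piece fits the MTU."""
    max_data = (mtu - header_len) // 8 * 8      # all but the last piece are multiples of 8
    if max_data <= 0:
        raise ValueError("MTU too small for an IP header plus data")
    pieces = []
    for off in range(0, len(payload), max_data):
        chunk = payload[off:off + max_data]
        pieces.append(Fragment(ident, off, off + len(chunk) < len(payload), chunk))
    return pieces


def reassemble(pieces: List[Fragment]) -> bytes:
    """Rebuild the payload, refusing overlapping or missing pieces. Overlapping
    fragments have no legitimate use and are a classic attack on reassemblers."""
    if not pieces:
        raise ValueError("no fragments")
    if len({p.ident for p in pieces}) != 1:
        raise ValueError("fragments belong to different datagrams")
    ordered = sorted(pieces, key=lambda p: p.offset)
    expected, out = 0, bytearray()
    for p in ordered:
        if p.offset < expected:
            raise ValueError(f"overlapping fragment at offset {p.offset}")
        if p.offset > expected:
            raise ValueError(f"missing data before offset {p.offset}")
        out += p.data
        expected += len(p.data)
    if ordered[-1].more:
        raise ValueError("final fragment (MF=0) not received")
    return bytes(out)


if __name__ == "__main__":
    payload = bytes(range(100))                 # constructed 100-byte payload
    pieces = fragment(0x1234, payload, mtu=60)  # constructed small MTU
    for p in pieces:
        print(f"offset={p.offset:3d} MF={int(p.more)} len={len(p.data)} "
              f"field=0x{pack_flags_offset(p.more, p.offset):04x}")
    assert reassemble(list(reversed(pieces))) == payload   # order on arrival does not matter
```

A practitioner's note on the design: the offset field is only 13 bits and counts 8-byte blocks, which is why every fragment except the last must carry a multiple of 8 data bytes, and why a single MTU value decides how many pieces a datagram turns into on a given link.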
7. PACKET FILTERING FIREWALL
Introduction to firewalls: A firewall is a network security
device that isolates an organization's internal network from
the larger outside network (the Internet). It can be
hardware-based, software-based, or a combination of both; it
monitors all incoming and outgoing traffic and, based on a
predefined set of security rules, accepts or rejects specific
traffic.
“A firewall is a network security system that monitors and
controls incoming and outgoing network traffic based on
predetermined security rules. A firewall typically establishes
a barrier between a trusted internal network and untrusted
external network, such as the Internet.”
A firewall establishes a barrier between secured internal
networks and outside untrusted network, such as the Internet.


Types of Firewall - There are three basic types of firewall
used by companies to protect their data and devices and to
keep destructive elements out of the network, viz. proxy
server, stateful inspection and packet filtering firewalls.

- Proxy firewall: also called an application-level gateway.
Proxy server firewalls are the most thorough type of firewall,
protecting network resources by filtering messages at the
application layer. A proxy works only for the protocols it has
been configured for, such as HTTP and FTP. Application-level
firewalls can also be configured as caching servers, which
increases network performance and makes it easier to log
traffic.
- Stateful inspection firewall: stateful inspection, also
known as dynamic packet filtering, is often thought of as the
"traditional" firewall; it allows or blocks traffic based on
state, port and protocol. These firewalls track every
connection from the moment it is opened until it is fully
closed.
- Packet filtering firewall: the most basic and oldest type
of firewall architecture, a packet-filtering firewall creates
a checkpoint at a router or switch. It controls network access
by inspecting outgoing and incoming packets and allowing them
to pass or stopping them based on source and destination IP
address, protocol and port numbers. It analyses traffic at the
network and transport layers (IP headers plus TCP/UDP ports)
and does not look at application data. Filtering rules are
based on information contained in the packet header, such as
source IP address, destination IP address, protocol and port
numbers.
Packet-filtering firewalls treat each packet in isolation.
They cannot tell whether a packet is part of an existing
stream of traffic; they can only allow or deny a packet based
on its own header fields.
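An added example, not code from the original notes: a stateless packet filter in Python with first-match-wins rules and a default deny, applied to a constructed policy for an internal network 10.0.0.0/8. The last allow rule uses the classic stateless approximation of "established" traffic (the ACK bit must be set), and the demonstration shows the limitation the notes describe: because the filter cannot know whether a connection exists, an unsolicited ACK-only probe to an internal host passes while a SYN to the same port is dropped. Addresses, ports and rules are made up for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Packet:
    """The header fields a packet filter gets to see."""
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    sport: int
    dport: int
    flags: FrozenSet[str]      # TCP flag names present, e.g. {"SYN"} or {"ACK"}


@dataclass(frozen=True)
class Rule:
    action: str                        # "allow" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None        # None matches any protocol
    dport: Optional[int] = None        # None matches any destination port
    require_ack: bool = False          # crude "established" test: ACK bit must be set

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport)
                and (not self.require_ack or "ACK" in p.flags))


def filter_packet(rules: List[Rule], p: Packet) -> str:
    """Stateless filtering: each packet judged alone, first matching rule wins,
    default deny when nothing matches."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"


# Constructed policy: internal network 10.0.0.0/8 with a public web server at 10.0.0.80.
POLICY = [
    Rule("allow", src="10.0.0.0/8"),                                 # anything outbound
    Rule("allow", dst="10.0.0.80/32", proto="tcp", dport=80),        # inbound web
    Rule("allow", dst="10.0.0.0/8", proto="tcp", require_ack=True),  # "replies" to outbound sessions
    Rule("deny"),                                                    # everything else
]

if __name__ == "__main__":
    probes = [
        Packet("203.0.113.9", "10.0.0.5", "tcp", 51000, 22, frozenset({"SYN"})),  # dropped
        Packet("203.0.113.9", "10.0.0.5", "tcp", 51000, 22, frozenset({"ACK"})),  # passes
    ]
    for p in probes:
        print(p.dst, p.dport, sorted(p.flags), "->", filter_packet(POLICY, p))
```

The ACK-only packet cannot complete a connection by itself, but it does reach the host, and the reply (or lack of one) tells a scanner which ports are filtered; this is the gap a stateful inspection firewall closes by admitting inbound packets only for connections it has already seen opened from the inside.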
8. INTRUSION DETECTION
Intrusion: any unauthorized access to a system. An intruder is
someone who tries to break into the privacy of the network or
system.
8.1 Types of Intrusion (classes of intruder):
i. Masquerader: an individual who is not authorized to use the
system but penetrates its access controls and exploits a
legitimate user's account (typically an outsider).
ii. Misfeasor: a legitimate user who accesses data, programs or
resources they are not authorized for, or who is authorized
but misuses their privileges (typically an insider).
iii. Clandestine user: an individual, internal or external, who
seizes supervisory control of the system and uses it to evade
auditing and access controls, for example by stealing and
using the credentials of a supervisor.
8.2 Intrusion Detection:
A. Statistical Anomaly Detection: the behaviour of legitimate
users is measured over a period of time; thresholds and
profiles are derived from it, so that later behaviour which
deviates from them can be flagged as a possible intrusion.

1) Threshold-based detection: a threshold is defined for each
user (or for all users); if the threshold is crossed, the
activity is treated as an intrusion.
2) Profile-based detection: a profile of past behaviour is
created for each user, and new activity is matched against it
to spot anything unusual.
For example, Ram normally uses about 2 hours of internet per
day (threshold) and visits educational and engineering
websites (profile).
Suppose Mohan steals Ram's identity and uses 4 hours of
internet. This is detected because Ram normally uses only 2
hours of internet: THRESHOLD-BASED DETECTION.
Suppose Mohan steals Ram's identity and visits websites other
than educational and engineering ones. This is detected
because Ram normally visits only educational and engineering
websites: PROFILE-BASED DETECTION.
B. Rule-Based Detection
a) Anomaly-based detection: here we detect unauthorized use by
whoever breaks a predefined rule.
Rule: a user may use only 3 hours of internet.
If someone uses the internet for more than three hours, they
fall into the anomaly category.


b) Penetration identification: here an expert system, loaded
with rules that describe known penetration patterns, monitors
the data packets on the network and on that basis decides
which traffic comes from a legitimate user and which from an
attacker.
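The Ram and Mohan example above, as an added Python example that is not part of the original notes. It builds a per-user baseline from a constructed history of sessions (the threshold is the user's mean hours plus three standard deviations, and the profile is the set of site categories the user has visited), then runs new sessions through the statistical checks and through a fixed rule-based limit of 3 hours, producing one alert per check that fires. The users, hours and categories are sample data made up for the example.

```python
import statistics
from collections import defaultdict
from typing import Dict, Iterator, List, Tuple

# Constructed audit records, one session per line: user,hours_online,site_category
HISTORY = """\
ram,1.8,education
ram,2.1,engineering
ram,2.0,education
ram,1.9,engineering
ram,2.2,education
sita,0.5,news
sita,0.7,news
sita,0.6,education
"""

NEW_SESSIONS = """\
ram,4.0,education
ram,2.0,social
ram,2.1,engineering
sita,0.6,news
mohan,1.0,news
"""


def parse(records: str) -> Iterator[Tuple[str, float, str]]:
    for line in records.strip().splitlines():
        user, hours, category = line.split(",")
        yield user, float(hours), category


def build_profiles(history: str, k: float = 3.0) -> Dict[str, dict]:
    """Per-user baseline: an hours threshold of mean + k standard deviations,
    and the set of site categories seen so far."""
    hours, cats = defaultdict(list), defaultdict(set)
    for user, h, c in parse(history):
        hours[user].append(h)
        cats[user].add(c)
    return {
        u: {"threshold": statistics.mean(hs) + k * statistics.pstdev(hs),
            "categories": cats[u]}
        for u, hs in hours.items()
    }


def detect(profiles: Dict[str, dict], sessions: str,
           rule_max_hours: float = 3.0) -> List[Tuple[str, str]]:
    """Return (user, detector) for every check that fires on a new session."""
    alerts = []
    for user, h, c in parse(sessions):
        prof = profiles.get(user)
        if prof is None:
            alerts.append((user, "no-profile"))     # nothing to compare against
            continue
        if h > prof["threshold"]:
            alerts.append((user, "threshold"))      # statistical: unusual for this user
        if c not in prof["categories"]:
            alerts.append((user, "profile"))        # statistical: outside this user's habits
        if h > rule_max_hours:
            alerts.append((user, "rule"))           # rule-based: same fixed limit for everyone
    return alerts


if __name__ == "__main__":
    profiles = build_profiles(HISTORY)
    for user, prof in profiles.items():
        print(user, f"threshold={prof['threshold']:.2f}h", sorted(prof["categories"]))
    for alert in detect(profiles, NEW_SESSIONS):
        print("ALERT", alert)
```

Two things the output shows that the prose does not: the statistical threshold is per user (Ram's is about 2.4 hours, Sita's well under an hour), so a 2.1-hour session is normal for Ram and would be an anomaly for Sita, while the rule-based limit of 3 hours is the same for everyone and is the only check that needs no training history.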
8.3 IDS (Intrusion Detection Systems)
An intrusion detection system (IDS) examines system or
network activity to find possible intrusions or attacks.
Intrusion detection systems are either network-based or
host-based; many products now combine the two.
8.4 Types of IDS
a) Network-based IDS: a network-based IDS usually consists of
a network appliance (or sensor) with a network interface card
(NIC) operating in promiscuous mode, so that it captures all
traffic on the segment, and a separate management interface.
b) Host-based IDS: a host-based IDS requires small programs
(agents) to be installed on the individual systems to be
monitored. The agents monitor the operating system and write
data to log files and/or trigger alarms.


8.5 Categories of IDS

- Signature-based IDS: this IDS compares the contents of data
packets in the network traffic against a database of known
attack signatures (byte patterns or rules that characterise a
specific attack). Traffic that matches a signature is flagged
as a threat. Because known malware and exploits carry
recognisable patterns, they are detected reliably, but an
attack with no signature in the database (a new or modified
attack) is not detected at all.
- Anomaly-based IDS: this IDS detects packets or sessions
that behave abnormally, for example by raising an alert when
protocol header fields contain values or combinations that
should never occur. It can produce better results than a
signature-based IDS for previously unseen attacks, at the cost
of more false alarms. Normally such an IDS captures data from
the network and then applies its rules or statistical models
to the captured packets in order to detect anomalies.
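An added example, not code from the original notes, contrasting the two categories in Python over a constructed list of packets. The signature detector binds a payload pattern to a protocol and destination port, as a network IDS rule does; the header-anomaly detector flags values that a conforming protocol stack never produces, such as a TCP segment with both SYN and FIN set or a port number of zero, without needing any signature for the attack that uses them. The signatures and packets are small samples made up for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed signature set: (name, protocol, destination port, payload pattern).
# Real rule sets (Snort, Suricata) are far richer; these only show the mechanism.
SIGNATURES: List[Tuple[str, str, int, bytes]] = [
    ("http-path-traversal", "tcp", 80, rb"\.\./"),
    ("http-sqli-union",     "tcp", 80, rb"(?i)union\s+select"),
    ("dns-oversized-label", "udp", 53, rb"[A-Za-z0-9-]{64,}"),   # DNS labels are at most 63 bytes
]
_COMPILED = [(name, proto, dport, re.compile(pat)) for name, proto, dport, pat in SIGNATURES]

# TCP flag combinations that no conforming stack ever sends (used by stealth port scans).
ILLEGAL_FLAG_SETS = {frozenset({"SYN", "FIN"}), frozenset(), frozenset({"FIN", "PSH", "URG"})}


def match_signatures(pkt: Dict) -> List[str]:
    """Signature detection: payload pattern bound to a protocol and port."""
    return [name for name, proto, dport, rx in _COMPILED
            if pkt["proto"] == proto and pkt["dport"] == dport and rx.search(pkt["payload"])]


def header_anomalies(pkt: Dict) -> List[str]:
    """Protocol-header anomaly detection: values that are impossible, not merely unusual."""
    findings = []
    flags = frozenset(pkt.get("flags", ()))
    if pkt["proto"] == "tcp" and flags in ILLEGAL_FLAG_SETS:
        findings.append("tcp-illegal-flags:" + ("+".join(sorted(flags)) or "none"))
    if pkt["sport"] == 0 or pkt["dport"] == 0:
        findings.append("port-zero")
    return findings


def scan(packets: List[Dict]) -> List[Tuple[int, str, str]]:
    """Run both detectors over a packet list; returns (index, detector, finding)."""
    alerts = []
    for i, pkt in enumerate(packets):
        alerts += [(i, "signature", name) for name in match_signatures(pkt)]
        alerts += [(i, "anomaly", name) for name in header_anomalies(pkt)]
    return alerts


# Constructed sample traffic (example values only).
PACKETS = [
    {"proto": "tcp", "sport": 40001, "dport": 80, "flags": {"PSH", "ACK"},
     "payload": b"GET /index.html HTTP/1.1\r\n"},
    {"proto": "tcp", "sport": 40002, "dport": 80, "flags": {"PSH", "ACK"},
     "payload": b"GET /../../etc/passwd HTTP/1.1\r\n"},
    {"proto": "tcp", "sport": 40003, "dport": 22, "flags": {"SYN", "FIN"}, "payload": b""},
    {"proto": "udp", "sport": 40004, "dport": 53, "flags": set(),
     "payload": b"\x12\x34\x01\x00" + bytes([70]) + b"a" * 70 + b"\x07example\x03com\x00"},
    {"proto": "tcp", "sport": 40005, "dport": 80, "flags": {"PSH", "ACK"},
     "payload": b"GET /item?id=1 UNION SELECT 1,2 HTTP/1.1\r\n"},
]

if __name__ == "__main__":
    for alert in scan(PACKETS):
        print(alert)
```

The SYN+FIN segment has no entry in the signature table yet is still caught, which is the anomaly detector's strength; the traversal request is caught only because a matching signature exists, and a URL-encoded variant (%2e%2e/) would slip past this pattern, which is the signature detector's weakness.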
