Cyber Security Notes

Uploaded by mercyfjohnson246

CYBER SECURITY

UNIT I INTRODUCTION
Cyber Security – History of Internet – Impact of Internet – CIA Triad; Reason for Cyber Crime –
Need for Cyber Security – History of Cyber Crime; Cybercriminals – Classification of Cybercrimes –
A Global Perspective on Cyber Crimes; Cyber Laws – The Indian IT Act – Cybercrime and
Punishment.

What is Cyber Security?


Cybersecurity is the practice of protecting internet-connected systems such as computers, servers,
mobile devices, electronic systems, networks, and data from malicious attacks. The word can be
divided into two parts: cyber, which refers to the technology (systems, networks, programs, and
data), and security, which is concerned with protecting those systems, networks, applications, and
information. It is sometimes also called electronic information security or information technology
security.
Types of Cyber Security
Every organization's assets are a combination of many different systems, and a strong cybersecurity
posture requires coordinated effort across all of them. Cybersecurity can therefore be categorized
into the following sub-domains:
o Network Security: It involves implementing the hardware and software to secure a computer
network from unauthorized access, intruders, attacks, disruption, and misuse. This security
helps an organization to protect its assets against external and internal threats.
o Application Security: It involves protecting the software and devices from unwanted threats.
This protection can be done by constantly updating the apps to ensure they are secure from
attacks. Successful security begins in the design stage, writing source code, validation, threat
modeling, etc., before a program or device is deployed.
o Information or Data Security: It involves implementing a strong data storage mechanism to
maintain the integrity and privacy of data, both in storage and in transit.
o Identity management: It deals with the procedure for determining the level of access that
each individual has within an organization.
o Operational Security: It involves processing and making decisions on handling and securing
data assets.
o Mobile Security: It involves securing the organizational and personal data stored on mobile
devices such as cell phones, computers, tablets, and other similar devices against various
malicious threats. These threats are unauthorized access, device loss or theft, malware, etc.
o Cloud Security: It involves protecting the information stored in the digital environment or
cloud architectures of the organization, using the controls offered by cloud service providers
such as AWS, Azure, and Google to ensure security against multiple threats.
o Disaster Recovery and Business Continuity Planning: It deals with the processes,
monitoring, alerts, and plans to how an organization responds when any malicious activity is
causing the loss of operations or data. Its policies dictate resuming the lost operations after
any disaster happens to the same operating capacity as before the event.
o User Education: It deals with training the people in an organization to recognize and avoid
threats such as phishing and the unsafe handling of data, since human error is a common cause
of security incidents.

What was the start of cybersecurity?


Cybersecurity history is interesting indeed. It is thought to have started in 1971 when Bob Thomas, a
computer programmer with BBN, created and deployed a virus that served as a security test. It was
not malicious but did highlight areas of vulnerability and security flaws in what would become “the
internet.”

The virus, named after a Scooby Doo villain, “Creeper,” was designed to move across ARPANET
(Advanced Research Projects Agency Network) – the forerunner to what we now call the internet.
ARPANET was established by the U.S. Department of Defense.

Thomas created the computer worm to be a non-harmful self-replicating experimental program. It was
intended to illustrate how mobile applications work, but instead, it corrupted the DEC PDP-10
mainframe computers at the Digital Equipment Corporation, interfering with the teletype computer
screens which were connected. All the users could see on the screen were the words “I’m the creeper,
catch me if you can!”

In response, Ray Tomlinson, Thomas' colleague, created the Reaper program. It was similar to
Creeper: it moved through the network, replicating itself, and looked for copies of Creeper. When it
located a copy, it logged it out, rendering it harmless. Reaper was the first attempt at cybersecurity,
the first antivirus program.

History of the Internet


The Internet began in the 1960s as a medium for sharing information among government
researchers. At that time computers were large and could not be moved. Anyone who needed to
access the information stored on a computer had to travel to the location of that computer, or else
have magnetic computer tapes sent through the postal system of the day.
At the same time, the escalating Cold War played a major role in the creation of the Internet. The
Soviet Union had launched the Sputnik satellite, which led the United States Department of Defense
to examine ways of communicating information even after a nuclear attack. This resulted in the
development of ARPANET (Advanced Research Projects Agency Network), which later evolved
into the Internet. In its early days ARPANET was a great success, though participation was
restricted: it was accessible only to academic and research institutions that had contracts with the US
Defense Department. This led to the formation of new networks to meet the need for information
sharing with other people.
Earlier there was no standard mechanism that would enable different computer networks to
communicate with each other. Transmission Control Protocol / Internet Protocol (TCP/IP), which was
developed in 1970, was adopted as the new communication protocol for ARPANET in 1983. The
technology enabled computers on different networks to communicate with each other, and this is
how the Internet was officially born on January 1, 1983.
An Overview From 1985 to 1995
The invention of DNS, the widespread usage of TCP/IP, and the popularity of email all contributed
to an increase in internet activity. Between 1986 and 1987, the network expanded from 2,000 to
30,000 hosts. People were increasingly using the internet to send messages, read news, and exchange
files. However, sophisticated computing knowledge was still required to dial into the system and use
it efficiently, and there was still no agreement on how documents on the network should be formatted.
The internet needed to be more user-friendly. In 1989, Tim Berners-Lee, a British computer scientist,
proposed a solution to his employer, CERN, the international particle-research facility in Geneva,
Switzerland. He proposed a new method for organizing and connecting all of the information
available on CERN’s computer network, making it quick and easy to access. His idea for a “network
of information” evolved into the World Wide Web.
The release of the Mosaic browser in 1993 introduced the web to a new non-academic audience, and
people began to learn how simple it was to make their own HTML websites. As a result, the number
of websites increased from 130 in 1993 to over 100,000 at the beginning of 1996.
By 1995, the internet and the World Wide Web had become an established phenomenon, with over
10 million global users using the Netscape Navigator. The Netscape Navigator was the most popular
browser at that point in time.
What is DNS?
DNS is short for Domain Name System. It functions as the internet’s version of a phone book,
converting difficult-to-remember IP addresses into simple names. Cheaper technology and the
introduction of desktop computers in the early 1980s facilitated the rapid development of local area
networks (LANs). As the number of machines on the network grew, it became impossible to keep
track of all the different IP addresses.
The development of the Domain Name System (DNS) in 1983 solved this problem. DNS was
invented at the University of Southern California by Paul Mockapetris and Jon Postel. It was one of
the breakthrough inventions that helped in paving the way for the World Wide Web.
TCP/IP or Transmission Control Protocol / Internet Protocol
TCP/IP is an acronym that stands for Transmission Control Protocol / Internet Protocol. The terms
refer to a set of protocols that regulate how data flows via a network.
Following the development of ARPANET, new computer networks began to join the network,
prompting the need for an agreed-upon set of data-handling standards. Bob Kahn and Vint Cerf, two
American computer scientists, in the year 1974 invented a new way of transmitting data packets in a
digital envelope known as ‘Datagram’. Any computer can read the datagram’s address, but only the
ultimate host system can open the envelope and read the message within.
This technology was dubbed the transmission-control protocol by Kahn and Cerf. TCP enabled
computers to communicate in the same language, allowing the ARPANET to evolve into a global
interconnected network of networks, an example of ‘internetworking’—written as the “internet” in
short.
IP stands for Internet Protocol and when paired with TCP, aids in the routing of internet data. Every
internet-connected device is assigned a unique IP address. The number, known as an IP address, can
be used to find out the location of any internet-connected device.

Impact of Internet
The internet has had an incredible impact on society since its inception. It has changed the way we
communicate, do business, learn, and even think. The internet has brought people from different parts
of the world together and has made information accessible to everyone with an internet connection.
One of the biggest impacts of the internet is on communication. Social media platforms like
Facebook, Twitter, and Instagram have made it easy for people to connect with others from anywhere
in the world. People can share their thoughts, ideas, and experiences instantly with their friends and
family. Video conferencing tools like Zoom have revolutionized remote communication, making it
possible for people to work and learn from anywhere in the world.
The internet has also had a significant impact on business. E-commerce websites like Amazon and
eBay have made it possible for people to shop from the comfort of their own homes. Small businesses
can now reach a global audience by creating an online presence. The internet has also made it easier
for people to work from home, which has become increasingly important during the COVID-19
pandemic.
Education is another area that has been greatly impacted by the internet. Online courses and tutorials
have made it possible for people to learn new skills from anywhere in the world. Massive open online
courses (MOOCs) like Coursera and edX have made higher education more accessible to people who
may not have the opportunity to attend a traditional university.
However, the internet has also had some negative impacts. Cyberbullying, online harassment, and
identity theft have become increasingly common. The internet has also made it easier for people to
access inappropriate content, which can have a negative impact on young children.
In conclusion, the internet has had a tremendous impact on society. It has changed the way we
communicate, do business, learn, and even think. While there are some negative impacts, the benefits
of the internet far outweigh the negatives. As the internet continues to evolve, it will be interesting to
see how it will shape our society in the future.

CIA Triad
When talking about network security, the CIA triad is one of the most important models which is
designed to guide policies for information security within an organization.
CIA stands for:
1. Confidentiality
2. Integrity
3. Availability
These are the objectives that should be kept in mind while securing a network.
Confidentiality
Confidentiality means that only authorized individuals/systems can view sensitive or classified
information. The data being sent over the network should not be accessed by unauthorized
individuals. The attacker may try to capture the data using different tools available on the Internet and
gain access to your information. A primary way to avoid this is to use encryption techniques to
safeguard your data so that even if the attacker gains access to your data, he/she will not be able to
decrypt it. Encryption standards include AES (Advanced Encryption Standard) and DES (Data
Encryption Standard). Another way to protect your data is through a VPN tunnel. VPN stands for
Virtual Private Network and helps the data to move securely over the network.

Integrity
The next thing to talk about is integrity. Well, the idea here is to make sure that data has not been
modified. Corruption of data is a failure to maintain data integrity. To check if our data has been
modified or not, we make use of a hash function.
We have two common types: SHA (Secure Hash Algorithm) and MD5 (Message Digest 5). MD5
produces a 128-bit hash, and SHA-1 produces a 160-bit hash. There are also other SHA variants that
we could use, such as SHA-0, SHA-2, and SHA-3.
Let’s assume Host ‘A’ wants to send data to Host ‘B’ to maintain integrity. A hash function will run
over the data and produce an arbitrary hash value H1 which is then attached to the data. When Host
‘B’ receives the packet, it runs the same hash function over the data which gives a hash value of H2.
Now, if H1 = H2, this means that the data’s integrity has been maintained and the contents were not
modified.
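The Host A / Host B exchange above, worked through in Python as an added example (this code is not part of the original notes). It uses SHA-256 from the standard library for H1 and H2, and goes one step beyond the notes: it also shows why a plain hash only detects accidental corruption. An intermediary who can alter the data can simply recompute the unkeyed hash, so a keyed tag (HMAC) is what protects integrity against a deliberate attacker. The payload and the shared key are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample payload standing in for the data Host A sends to Host B.
DATA = b"transfer 100.00 from ACC-1 to ACC-2"


def make_hash(data: bytes) -> str:
    """Host A: run the hash function over the data, producing H1 (SHA-256 here)."""
    return hashlib.sha256(data).hexdigest()


def verify_hash(data: bytes, h1: str) -> bool:
    """Host B: recompute H2 over the received data and compare it with the attached H1."""
    h2 = hashlib.sha256(data).hexdigest()
    # compare_digest avoids leaking where the two strings first differ (timing).
    return hmac.compare_digest(h1, h2)


def make_mac(key: bytes, data: bytes) -> str:
    """Keyed variant: HMAC-SHA256. Without the key, a matching tag cannot be recomputed."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_mac(key: bytes, data: bytes, tag: str) -> bool:
    return hmac.compare_digest(make_mac(key, data), tag)


def simulate_transfer(tamper: bool) -> dict:
    """Send DATA from A to B with both a plain hash and an HMAC attached.

    With tamper=True an intermediary changes the amount in transit and recomputes
    the unkeyed hash, which is exactly what a plain hash cannot prevent.
    """
    key = b"shared-secret-key-example"  # constructed; in practice provisioned out of band
    h1 = make_hash(DATA)
    tag = make_mac(key, DATA)
    received = DATA
    if tamper:
        received = DATA.replace(b"100.00", b"900.00")
        h1 = make_hash(received)  # attacker recomputes the hash to match the altered data
    return {
        "hash_ok": verify_hash(received, h1),  # True even when tampered
        "mac_ok": verify_mac(key, received, tag),  # False when tampered
    }


if __name__ == "__main__":
    print("untampered:", simulate_transfer(False))
    print("tampered:  ", simulate_transfer(True))
```

For the untampered transfer both checks pass. For the tampered one the hash check still passes because the attacker recomputed it, while the HMAC check fails: the verifier should therefore treat `H1 == H2` as protection against corruption, not against an adversary, unless the hash is keyed or signed.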

Availability
This means that the network should be readily available to its users. This applies to systems and to
data. To ensure availability, the network administrator should maintain hardware, make regular
upgrades, have a plan for fail-over, and prevent bottlenecks in a network. Attacks such as DoS or
DDoS may render a network unavailable as the resources of the network get exhausted. The impact
may be significant to the companies and users who rely on the network as a business tool. Thus,
proper measures should be taken to prevent such attacks.
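One of the "proper measures" against resource exhaustion is per-client rate limiting. The following token-bucket limiter is an added example written for these notes, not code from the original; the request timestamps and IP addresses are constructed sample traffic. A flooding source is cut off once its bucket is empty, while a client sending at a normal rate is never refused, so one abusive source cannot consume the capacity others rely on.

```python
from collections import defaultdict


class TokenBucket:
    """Per-client token bucket: each client holds at most `capacity` tokens,
    refilled continuously at `rate` tokens per second. A request consumes one
    token; when the bucket is empty the request is refused rather than queued,
    so a flood from one source does not exhaust the server for everyone else."""

    def __init__(self, capacity: int, rate: float):
        self.capacity = capacity
        self.rate = rate
        self.tokens = {}  # client -> tokens currently available
        self.last = {}    # client -> timestamp of the previous request

    def allow(self, client: str, now: float) -> bool:
        if client not in self.tokens:
            self.tokens[client] = float(self.capacity)
            self.last[client] = now
        elapsed = now - self.last[client]
        self.last[client] = now
        # Refill in proportion to the time elapsed, never beyond capacity.
        self.tokens[client] = min(self.capacity, self.tokens[client] + elapsed * self.rate)
        if self.tokens[client] >= 1.0:
            self.tokens[client] -= 1.0
            return True
        return False


# Constructed sample traffic (not real logs): a flooding source sends 20 requests
# within one second while a normal client sends 3 requests over 2.5 seconds.
REQUESTS = [(i * 0.05, "10.0.0.5") for i in range(20)] + [
    (0.5, "10.0.0.9"),
    (1.5, "10.0.0.9"),
    (2.5, "10.0.0.9"),
]


def run_simulation(capacity: int = 5, rate: float = 1.0) -> dict:
    """Replay REQUESTS in time order and count allowed/denied requests per client."""
    bucket = TokenBucket(capacity, rate)
    counts = defaultdict(lambda: {"allowed": 0, "denied": 0})
    for ts, client in sorted(REQUESTS):
        verdict = "allowed" if bucket.allow(client, ts) else "denied"
        counts[client][verdict] += 1
    return dict(counts)


if __name__ == "__main__":
    for client, c in run_simulation().items():
        print(f"{client}: {c['allowed']} allowed, {c['denied']} denied")
```

With a capacity of 5 and a refill rate of 1 token per second, the flooding source gets its first 5 requests through and the remaining 15 are refused, while the normal client's 3 requests are all served. A real deployment keys the bucket on something harder to forge than a source address where possible, and combines it with upstream filtering for volumetric DDoS.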
Reasons behind cyber attacks
Every business, regardless of its size, is a potential target of a cyber attack, because every business
has key assets (financial or otherwise) that criminals may seek to exploit. By recognising the
common motives behind cyber attacks, you can build a better understanding of the risks you may
face, and understand how best to confront them.
Why do cyber attacks happen?
Most often, cyber attacks happen because criminals want your:
• business' financial details
• customers' financial details (eg credit card data)
• sensitive personal data
• customers' or staff email addresses and login credentials
• customer databases
• client lists
• IT infrastructure
• IT services (eg the ability to accept online payments)
• intellectual property (eg trade secrets or product designs)
Cyber attacks against businesses are often deliberate and motivated by financial gain. However, other
motivations may include:
• making a social or political point - eg through hacktivism
• espionage - eg spying on competitors for unfair advantage
• intellectual challenge - eg 'white hat' hacking
The key point is that cyber security threats don't always come from anonymous hackers or online
criminal groups. Vulnerabilities can arise within your own business too.
How are cyber criminals motivated?
1. Financial Gain
The primary motivation of a hacker is money, and getting it can be done with a variety of methods.
They could directly gain entry to a bank or investment account; steal a password to your financial
sites and then transfer the assets over to one of their own; swindle an employee into completing a
money transfer through a complicated spear phishing technique, or conduct a ransomware attack on
your entire organization.
The possibilities are endless, but most hackers are out to make a profit.
2. Recognition & Achievement
Some hackers are motivated by the sense of achievement that comes with cracking open a major
system. Some may work in groups or independently, but, on some scale, they would like to be
recognized.
This also ties into the fact that cyber criminals are competitive by nature, and they love the challenge
their actions bring. In fact, they often drive one another to complete more complicated hacks.
3. Insider Threats
Individuals who have access to critical information or systems can easily choose to misuse that access
—to the detriment of their organization.
These threats can come from internal employees, vendors, a contractor or a partner—and are viewed
as some of the greatest cyber security threats to organizations.
However, not all insider threats are intentional, according to an Insider Threat Report from Crowd
Research Partners. Most (51%) are due to carelessness, negligence, or compromised credentials, but
the potential impact is still present even in an unintentional scenario.
4. Political Motivation – “Hacktivism”
Some cyber criminal groups use their hacking skills to go after large organizations. They are usually
motivated by a cause of some sort, such as highlighting human rights or alerting a large corporation to
their system vulnerabilities. Or, they may go up against groups whose ideologies do not align with
their own.
These groups can steal information and argue that they are practicing free speech, but more often than
not, these groups will employ a DDoS (Distributed Denial of Service) attack to overload a website
with too much traffic and cause it to crash.
5. State Actors
State-sponsored actors receive funding and assistance from a nation-state. They are specifically
engaged in cyber crime to further their nation’s own interests. Typically, they steal information,
including “intellectual property, personally identifying information, and money to fund or further
espionage and exploitation causes.”
However, some state-sponsored actors do conduct damaging cyberattacks and claim that their
cyberespionage actions are legitimate activity on behalf of the state.
6. Corporate Espionage
This is a form of cyber attack used to gain an advantage over a competing organization.
Conducted for commercial or financial purposes, corporate espionage involves:
• Acquiring property like processes or techniques, locations, customer data, pricing, sales,
research, bids, or strategies
• Theft of trade secrets, bribery, blackmail, or surveillance.

Importance of Cybersecurity (need of cybersecurity)


Protecting Sensitive Data:
With the increase in digitalization, data is becoming more and more valuable. Cybersecurity helps
protect sensitive data such as personal information, financial data, and intellectual property from
unauthorized access and theft.

Prevention of Cyber Attacks:


Cyber attacks, such as Malware infections, Ransomware, Phishing, and Distributed Denial of Service
(DDoS) attacks, can cause significant disruptions to businesses and individuals. Effective
cybersecurity measures help prevent these attacks, reducing the risk of data breaches, financial losses,
and operational disruptions.

Safeguarding Critical Infrastructure:


Critical infrastructure, including power grids, transportation systems, healthcare systems, and
communication networks, heavily relies on interconnected computer systems. Protecting these
systems from cyber threats is crucial to ensure the smooth functioning of essential services and
prevent potential disruptions that could impact public safety and national security.

Maintaining Business Continuity:


Cyber attacks can cause significant disruption to businesses, resulting in lost revenue, damage to
reputation, and in some cases, even shutting down the business. Cybersecurity helps ensure business
continuity by preventing or minimizing the impact of cyber attacks.

Compliance with Regulations:


Many industries are subject to strict regulations that require organizations to protect sensitive data.
Failure to comply with these regulations can result in significant fines and legal action. Cybersecurity
helps ensure compliance with regulations such as HIPAA, GDPR, and PCI DSS.

Protecting National Security:


Cyber attacks can be used to compromise national security by targeting critical infrastructure,
government systems, and military installations. Cybersecurity is critical for protecting national
security and preventing cyber warfare.

Preserving Privacy:
In an era where personal information is increasingly collected, stored, and shared digitally,
cybersecurity is crucial for preserving privacy. Protecting personal data from unauthorized access,
surveillance, and misuse helps maintain individuals’ privacy rights and fosters trust in digital services.

History of cyber crimes


• 1940s: The time before crime
• 1950s: The phone phreaks
• 1960s: All quiet on the Western Front
• 1970s: Computer security is born
• 1980s: From ARPANET to internet
• 1990s: The world goes online
• 2000s: Threats diversify and multiply
• 2010s: The next generation

cybercriminals
A cybercriminal is a person who conducts some form of illegal activity using computers or other
digital technology such as the Internet. The criminal may use computer expertise, knowledge of
human behavior, and a variety of tools and services to achieve his or her goal.
Types of Cyber Criminals:
1. Hackers: The term hacker may refer to anyone with technical skills; however, it typically refers to
an individual who uses his or her skills to gain unauthorized access to systems or networks in order to
commit crimes. The intent of the intrusion determines whether these attackers are classified as white,
grey, or black hats. White hat attackers break into networks or computer systems to find weaknesses
in order to improve the security of those systems. The owners of the system give permission for the
intrusion, and they receive the results of the test. On the other hand, black hat attackers exploit any
vulnerability for illegal personal, financial or political gain. Grey hat attackers are somewhere
between white and black hat attackers. Grey hat attackers may find a vulnerability and report it to the
owners of the system if that action coincides with their agenda.
• (a) White Hat Hackers – These hackers use their programming skills for a good and lawful
purpose. They may perform network penetration tests in an attempt to compromise networks
and discover vulnerabilities. The security vulnerabilities are then reported to the developers to
be fixed, and these hackers may also work together as a blue team. They use only the
resources that are ethical and provided by the company, and they perform pentesting solely to
check the security of the company against external sources.
• (b) Gray Hat Hackers – These hackers commit violations and do seemingly unethical things,
but not for personal gain or to cause harm. They may disclose a vulnerability to the affected
organization after having compromised its network, or they may exploit it.
• (c) Black Hat Hackers – These hackers are unethical criminals who violate network security
for personal gain. They misuse vulnerabilities to compromise computer systems, and they
exploit any information or data obtained through unethical pentesting of the network.
2. Organized Hackers: These criminals include organizations of cyber criminals, hacktivists,
terrorists, and state-sponsored hackers. Cyber criminals are typically teams of skilled criminals
focused on control, power, and wealth. These criminals are highly sophisticated and organized, and
may even offer crime as a service. These attackers are usually well prepared and well funded.
3. Internet stalkers: Internet stalkers are people who maliciously monitor the web activity of their
victims to acquire personal data. This type of cyber crime is conducted through social networking
platforms and malware that can track an individual's computer activity with little or no detection.
4. Disgruntled Employees: Disgruntled employees can become hackers with a particular motive and
commit cyber crimes. It is hard to believe that dissatisfied employees can become such malicious
hackers. In the past, their only option was to go on strike against their employers. But with the
advancement of technology, the increase in computer-based work and the automation of processes,
it is simple for disgruntled employees to do more damage to their employers and organization by
committing cyber crimes. Attacks by such employees can bring the entire system down.

Classification of cybercrimes
Cybercrimes can be classified into 4 major categories:
1. Cyber crime against Individual
2. Cyber crime Against Property
3. Cyber crime Against Organization
4. Cyber crime Against Society
1. Against Individuals
1. Email spoofing:
A spoofed email is one in which the e-mail header is forged so that the mail appears to
originate from one source but has actually been sent from another.
2. Spamming:
Spamming means sending multiple copies of unsolicited mails or mass e-mails such as
chain letters.
3. Cyber Defamation:
This occurs when defamation takes place with the help of computers and/or the Internet,
e.g. someone publishes defamatory matter about someone on a website or sends e-mails
containing defamatory information.
4. Harassment & Cyber stalking:
Cyber stalking means following an individual's activity over the Internet. It can be done
through many channels, such as e-mail, chat rooms, and Usenet groups.
2. Against Property:
1. Credit Card Fraud: As the name suggests, this is a fraud that happens through the use of
a credit card. This generally happens if someone gets to know the card number or the
card gets stolen.
2. Intellectual Property crimes: These include:
1. Software piracy: illegal copying of programs and distribution of copies of software.
2. Copyright infringement.
3. Trademark violations.
4. Theft of computer source code.
3. Internet time theft:
The use of Internet hours by an unauthorized person, which are actually paid for by
another person.
3. Against Organisation
1. Unauthorized Accessing of Computer:
Accessing the computer/network without permission from the owner. It can take 2 forms:
1. Changing/deleting data:
Unauthorized changing of data.
2. Computer voyeur:
The criminal reads or copies confidential or proprietary information, but the
data is neither deleted nor changed.
2. Denial Of Service:
When an Internet server is flooded with continuous bogus requests so as to deny
legitimate users the use of the server, or to crash the server.
3. Computer contamination / Virus attack :
A computer virus is a computer program that can infect other computer programs by
modifying them in such a way as to include a (possibly evolved) copy of it.
Viruses can be file infecting or affecting boot sector of the computer.
Worms, unlike viruses do not need the host to attach themselves to.
4. Email Bombing:
Sending large numbers of mails to an individual, a company, or mail servers, thereby
ultimately resulting in a crash.
5. Salami Attack:
When negligible amounts are removed and accumulated into something larger. These
attacks are used for the commission of financial crimes.
6. Logic Bomb:
It is an event-dependent program: as soon as the designated event occurs, it crashes
the computer, releases a virus, or does other harm.
7. Trojan Horse:
An unauthorized program which functions from inside what seems to be an authorized
program, thereby concealing what it is actually doing.
8. Data diddling:
This kind of attack involves altering raw data just before it is processed by a
computer and then changing it back after the processing is completed.
4. Against Society
1. Forgery: Currency notes, revenue stamps, mark sheets, etc. can be forged using
computers and high-quality scanners and printers.
2. Cyber Terrorism: Use of computer resources to intimidate or coerce others.
3. Web Jacking: Hackers gain access to and control over the website of another, and may
even change the content of the website for political objectives or for money.
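Email spoofing, listed above under crimes against individuals, is something a receiving mail system can often flag from the headers alone. The checker below is an added example written for these notes, not code from the original: it parses a message with Python's standard `email` module and reports the usual indicators of a forged header, namely a Return-Path or Reply-To domain that differs from the From domain, an SPF failure, and the absence of a passing DKIM result. The two messages, the domains (example.com, example.org, example.net, example-mail.net) and the Authentication-Results values are all constructed samples.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (headers only, no real mail). The first is what a
# legitimate message from example.com looks like after the receiving server has
# recorded its SPF/DKIM results; the second forges the From header.
LEGIT = """From: Alice <alice@example.com>
Return-Path: <alice@example.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
Subject: Invoice

Please find the invoice attached.
"""

SPOOFED = """From: CEO <ceo@example.com>
Return-Path: <bounce@mailer.example.org>
Reply-To: ceo@example-mail.net
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=mailer.example.org; dkim=none
Subject: Urgent wire transfer

Please process the payment today.
"""


def domain_of(header_value) -> str:
    """Extract the lower-cased domain from an address header; '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def spoof_indicators(raw_message: str) -> list:
    """Return the list of header-level spoofing indicators found in the message.

    An empty list means no indicator fired; a non-empty list is a reason to
    quarantine or warn the recipient, not proof of forgery on its own.
    """
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg["From"])
    findings = []

    # The envelope sender (Return-Path) normally matches the visible From domain.
    rp_dom = domain_of(msg["Return-Path"])
    if rp_dom and rp_dom != from_dom:
        findings.append("return-path domain differs from From")

    # A Reply-To pointing elsewhere redirects the victim's answer to the attacker.
    reply_dom = domain_of(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        findings.append("reply-to domain differs from From")

    # Results recorded by the receiving MTA: SPF checks the sending host,
    # DKIM checks a signature over the headers and body.
    auth = (msg["Authentication-Results"] or "").lower()
    if "spf=fail" in auth:
        findings.append("SPF failed")
    if "dkim=pass" not in auth:
        findings.append("no passing DKIM signature")
    return findings


if __name__ == "__main__":
    print("legit:  ", spoof_indicators(LEGIT))
    print("spoofed:", spoof_indicators(SPOOFED))
```

The legitimate sample produces no findings; the spoofed one produces all four. In practice these checks are what a DMARC policy formalizes for the sending domain, and a receiving gateway would act on the combination (quarantine, tag the subject, or reject) rather than on any single indicator.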

Cyber laws
Cyber law, also known as internet law or digital law, signifies the legal regulations and frameworks
governing digital activities. It covers a large range of issues, including online communication, e-
commerce, digital privacy, and the prevention and prosecution of cybercrimes.
Types of Cyber Law
• Privacy Laws:
Privacy laws focus on protecting individuals' personal information from unauthorized access and use.
They establish guidelines for the responsible handling of personal data by organizations, ensuring
individuals' privacy rights are upheld.
• Cybercrime Laws:
Cybercrime laws define and penalize various cybercrimes, ensuring legal consequences for offenders.
These laws play a crucial role in deterring individuals from engaging in illegal online activities and
provide a legal framework for prosecuting cybercriminals.
• Intellectual Property Laws:
Intellectual property laws in the digital domain protect patents, copyrights, and trademarks from
unauthorized use. They provide a legal foundation for creators and innovators to protect their digital
assets.
• E-commerce Laws:
E-commerce laws regulate online business transactions, defining rules for contracts, transactions, and
consumer protection. These laws contribute to the establishment of a secure and fair online
marketplace.
• Cyber Defamation Laws:
Cyber defamation laws address libel and slander in the digital space. They provide legal remedies for
individuals or entities whose reputations may be tarnished by false or damaging information
circulated online.
• Cybersecurity Laws:
Cybersecurity laws establish standards for securing digital systems and data. These laws mandate
organizations to implement measures to protect against cyber threats, contributing to the overall
resilience of digital infrastructure.
• Social Media Laws:
Social media laws address legal issues related to social media platforms, including user rights and
content regulations. These laws aim to strike a balance between freedom of expression and the
prevention of online abuse or misinformation.
• Cyber Contracts and E-signature Laws:
Governing the validity and enforceability of contracts formed online, cyber contract and e-signature
laws provide legal certainty for electronic transactions. They facilitate the growth of online
commerce by ensuring the legal recognition of digital agreements.
• International Cyber Laws:
With the increasing prevalence of cross-border cybercrimes, international cyber laws address the need
for cooperation between nations. These laws facilitate collaboration in investigating and prosecuting
cybercriminals operating across borders.
• Data Breach Notification Laws:
Data breach notification laws mandate organizations to inform individuals and authorities in the
event of a data breach, which enhances transparency and accountability. They ensure prompt action
in response to security incidents, minimizing the potential impact on individuals and businesses.

The Indian IT Act
The Information Technology Act, 2000, also known as the IT Act, is an act enacted by the Indian
Parliament and notified on 17th October 2000. The Act is based on the United Nations Model Law on
Electronic Commerce 1996 (UNCITRAL Model Law), which was recommended by the General Assembly of
the United Nations by a resolution dated 30th January 1997. It is the most important law in India
dealing with cybercrime and e-commerce.
The main objective of this Act is to enable lawful and trustworthy electronic, digital and online
transactions and to reduce cybercrime. The IT Act has 13 chapters and 94 sections. The last four
sections, Sections 91 to 94, deal with amendments to the Indian Penal Code 1860. The IT Act, 2000 has
two schedules:
• First Schedule – deals with documents to which the Act shall not apply.
• Second Schedule – deals with electronic signatures or electronic authentication methods.
The offences and the punishments in the IT Act, 2000:
The offences and the punishments that fall under the IT Act, 2000 are as follows:
1. Tampering with computer source documents.
2. Directions of the Controller to a subscriber to extend facilities to decrypt information.
3. Publishing of information which is obscene in electronic form.
4. Penalty for breach of confidentiality and privacy.
5. Hacking for malicious purposes.
6. Penalty for publishing a Digital Signature Certificate false in certain particulars.
7. Penalty for misrepresentation.
8. Confiscation.
9. Power to investigate offences.
10. Protected systems.
11. Penalties for confiscation not to interfere with other punishments.
12. Act to apply to offences or contraventions committed outside India.
13. Publication for fraudulent purposes.
14. Power of the Controller to give directions.
Sections and punishments under the Information Technology Act, 2000 are as follows:
Section 43 – Any act of destroying, altering or stealing a computer system/network, or deleting data,
with malicious intent and without authorization from the owner of the computer, makes the offender
liable to pay compensation to the owner for the damage caused.
Section 43A – A corporate body dealing with sensitive information that fails to implement reasonable
security practices, thereby causing loss to another person, is also liable to pay compensation to the
affected party.
Section 66 – Hacking a computer system with malicious intent, such as fraud, is punishable with 3
years' imprisonment or a fine of Rs. 5,00,000, or both.
Section 66 B, C, D – Fraud or dishonesty in using or transmitting information, or identity theft, is
punishable with 3 years' imprisonment or a fine of Rs. 1,00,000, or both.
Section 66 E – Violation of privacy by transmitting an image of a person's private area is punishable
with 3 years' imprisonment or a fine of Rs. 2,00,000, or both.
Section 66 F – Cyber terrorism affecting the unity, integrity, security or sovereignty of India through
a digital medium is punishable with life imprisonment.
Section 67 – Publishing obscene information or pornography, or transmitting obscene content in public,
is punishable with imprisonment up to 5 years or a fine of Rs. 10,00,000, or both.
UNIT II ATTACKS AND COUNTERMEASURES
OWASP; Malicious Attack Threats and Vulnerabilities: Scope of Cyber-Attacks – Security Breach –
Types of Malicious Attacks – Malicious Software – Common Attack Vectors – Social Engineering
Attack – Wireless Network Attack – Web Application Attack – Attack Tools – Countermeasures.

What is OWASP?
The Open Web Application Security Project, or OWASP, is an international non-profit organization
dedicated to web application security. One of OWASP’s core principles is that all of their materials be
freely available and easily accessible on their website, making it possible for anyone to improve their
own web application security. The materials they offer include documentation, tools, videos, and
forums. Perhaps their best-known project is the OWASP Top 10.
What is the OWASP Top 10?
The OWASP Top 10 is a regularly-updated report outlining security concerns for web application
security, focusing on the 10 most critical risks. The report is put together by a team of security experts
from all over the world. OWASP refers to the Top 10 as an ‘awareness document’ and they
recommend that all companies incorporate the report into their processes in order to minimize and/or
mitigate security risks.
Security breach
A security breach is any incident that results in unauthorized access to computer data, applications,
networks or devices. It results in information being accessed without authorization. Typically, it
occurs when an intruder is able to bypass security mechanisms.
Technically, there's a distinction between a security breach and a data breach. A security breach is
effectively a break-in, whereas a data breach is defined as the cybercriminal getting away with
information. Imagine a burglar; the security breach is when he climbs through the window, and the
data breach is when he grabs your pocketbook or laptop and takes it away.
Confidential information has immense value. It's often sold on the dark web; for example, names and
credit card numbers can be bought, and then used for the purposes of identity theft or fraud. It's not
surprising that security breaches can cost companies huge amounts of money. On average, the bill is
nearly $4m for major corporations.
It's also important to distinguish the definition of a security breach from that of a security
incident. An incident might involve a malware infection, a DDoS attack or an employee leaving a
laptop in a taxi, but if these don't result in access to the network or loss of data, they would not
count as a security breach.
Examples of a security breach
When a major organization has a security breach, it always hits the headlines. Security breach
examples include the following:
• Equifax - in 2017, a website application vulnerability caused the company to lose the personal
details of 145 million Americans. This included their names, SSNs, and drivers' license
numbers. The attacks were made over a three-month period from May to July, but the security
breach wasn't announced until September.
• Yahoo - 3 billion user accounts were compromised in 2013 after a phishing attempt gave
hackers access to the network.
• eBay saw a major breach in 2014. Though PayPal users' credit card information was not at
risk, many customers' passwords were compromised. The company acted quickly to email its
users and ask them to change their passwords in order to remain secure.
• Dating site Ashley Madison, which marketed itself to married people wishing to have affairs,
was hacked in 2015. The hackers went on to leak a huge number of customer details via the
internet. Extortionists began to target customers whose names were leaked; unconfirmed
reports have linked a number of suicides to exposure by the data breach.
• Facebook saw internal software flaws lead to the loss of 29 million users' personal data in
2018. This was a particularly embarrassing security breach since the compromised accounts
included that of company CEO Mark Zuckerberg.
• Marriott Hotels announced a security and data breach affecting up to 500 million customers'
records in 2018. However, its guest reservations system had been hacked in 2016 - the breach
wasn't discovered until two years later.
• Perhaps most embarrassing of all, being a cybersecurity firm doesn't make you immune
- Czech company Avast disclosed a security breach in 2019 when a hacker managed to
compromise an employee's VPN credentials. This breach didn't threaten customer details but
was instead aimed at inserting malware into Avast's products.
A decade or so ago, many companies tried to keep news of security breaches secret so as not to
destroy consumer confidence. However, this is becoming increasingly rare. In the EU, the GDPR
(General Data Protection Regulation) requires companies to notify the relevant authorities of a breach,
and any individuals whose personal data might be at risk. By January 2020, GDPR had been in effect
for just 18 months, and already over 160,000 separate data breach notifications had been made - over
250 a day.
Types of security breaches
There are a number of types of security breaches, depending on how access to the system has been
gained:
• An exploit attacks a system vulnerability, such as an out-of-date operating system. Legacy
systems which haven't been updated, for instance in businesses still running versions of
Microsoft Windows that are no longer supported, are particularly vulnerable to exploits.
• Weak passwords can be cracked or guessed. Even now, some people are still using the
password 'password', and 'pa$$word' is not much more secure.
• Malware attacks, such as phishing emails, can be used to gain entry. It only takes one
employee to click on a link in a phishing email to allow malicious software to start spreading
throughout the network.
• Drive-by downloads use viruses or malware delivered through a compromised or spoofed
website.
• Social engineering can also be used to gain access. For instance, an intruder phones an
employee claiming to be from the company's IT helpdesk and asks for the password in order
to 'fix' the computer.
In the security breach examples we mentioned above, a number of different techniques were used to
gain access to networks — Yahoo suffered a phishing attack, while Facebook was hacked by an
exploit.
Though we've been talking about security breaches as they affect major organizations, the same
security breaches apply to individuals' computers and other devices. You're probably less likely to be
hacked using an exploit, but many computer users have been affected by malware, whether
downloaded as part of a software package or introduced to the computer via a phishing attack. Weak
passwords and use of public Wi-Fi networks can lead to internet communications being compromised.
What to do if you experience a security breach
As a customer of a major company, if you learn that it has had a security breach, or if you find out that
your own computer has been compromised, then you need to act quickly to ensure your safety.
Remember that a security breach on one account could mean that other accounts are also at risk,
especially if they share passwords or if you regularly make transactions between them.
• If a breach could involve your financial information, notify any banks and financial
institutions with which you have accounts.
• Change the passwords on all your accounts. If there are security questions and answers or
PIN codes attached to the account, you should change these too.
• You might consider a credit freeze. This stops anyone using your data for identity theft and
borrowing in your name.
• Check your credit report to ensure you know if anyone is applying for debt using your
details.
• Try to find out exactly what data might have been stolen. That will give you an idea of the
severity of the situation. For instance, if tax details and SSNs have been stolen, you'll need to
act fast to ensure your identity isn't stolen. This is more serious than simply losing your credit
card details.
• Don't respond directly to requests from a company to give them personal data after a
data breach; it could be a social engineering attack. Take the time to read the news, check the
company's website, or even phone their customer service line to check if the requests are
legitimate.
• Be on your guard for other types of social engineering attacks. For instance, a criminal
who has accessed a hotel's accounts, even without financial data, could ring customers asking
for feedback on their recent stay. At the end of the call, having established a relationship of
trust, the criminal could offer a refund of parking charges and ask for the customer's card
number in order to make the payment. Most customers probably wouldn't think twice about
providing those details if the call is convincing.
• Monitor your accounts for signs of any new activity. If you see transactions that you don't
recognize, address them immediately.

How to protect yourself against a security breach
Although no one is immune to a data breach, good computer security habits can make you less
vulnerable and can help you survive a breach with less disruption. These tips should help you prevent
hackers breaching your personal security on your computers and other devices.
• Use strong passwords, which combine random strings of upper and lower-case letters,
numbers, and symbols. They are much more difficult to crack than simpler passwords. Don't
use passwords that are easy to guess, like family names or birthdays. Use a password
manager to keep your passwords secure.
• Use different passwords on different accounts. If you use the same password, a hacker who
gains access to one account will be able to get into all your other accounts. If they have
different passwords, only that one account will be at risk.
• Close accounts you don't use rather than leaving them dormant. That reduces your
vulnerability to a security breach. If you don't use an account, you might never realize that it
has been compromised, and it could act as a back door to your other accounts.
• Change your passwords regularly. One feature of many publicly reported security breaches
is that they occurred over a long period, and some were not reported until years after the
breach. Regular password changes reduce the risk you run from unannounced data breaches.
• If you throw out a computer, wipe the old hard drive properly. Don't just delete files; use
a data destruction program to wipe the drive completely, overwriting all the data on the disk.
Creating a fresh installation of the operating system will also wipe the drive successfully.
• Back up your files. Some data breaches lead to the encryption of files and a ransomware
demand to make them available again to the user. If you have a separate backup on a
removable drive, your data is safe in the event of a breach.
• Secure your phone. Use a screen lock and update your phone's software regularly. Don't root
or jailbreak your phone. Rooting a device gives hackers the opportunity to install their own
software and to change the settings on your phone.
• Secure your computer and other devices by using anti-virus and anti-malware software.
Kaspersky Antivirus is a good choice to keep your computer free from infection and ensure
that hackers can't get a foothold in your system.
• Be careful where you click. Unsolicited emails which include links to websites may be
phishing attempts. Some may purport to be from your contacts. If they include attachments or
links, ensure they're genuine before you open them and use an anti-virus program on
attachments.
• When you're accessing your accounts, make sure you're using the secure
HTTPS protocol and not just HTTP.
• Monitoring your bank statements and credit reports helps keep you safe. Stolen data can
turn up on the dark web years after the original data breach. This could mean an identity theft
attempt occurs long after you've forgotten the data breach that compromised that account.
• Know the value of your personal information and don't give it out unless necessary. Too
many websites want to know too much about you; why does a business journal need your
exact date of birth, for instance? Or an auction site your SSN?
You'd never dream of leaving your house door open all day for anyone to walk in. Think of your
computer the same way. Keep your network access and your personal data tightly secured, and don't
leave any windows or doors open for a hacker to get through.

Types of malicious attacks
Any malicious software intended to harm or exploit any programmable device, service, or network is
referred to as malware. Cybercriminals typically use it to extract data they can use against victims to
their advantage in order to profit financially. Financial information, medical records, personal emails,
and passwords are just a few examples of the types of information that could be compromised.
In simple words, malware is short for malicious software and refers to any software that is designed
to cause harm to computer systems, networks, or users. Malware can take many forms. It’s important
for individuals and organizations to be aware of the different types of malware and take steps to
protect their systems, such as using antivirus software, keeping software and systems up-to-date, and
being cautious when opening email attachments or downloading software from the internet.
Malware is a program designed to gain access to computer systems, generally for the benefit of some
third party, without the user’s permission. Malware includes computer viruses,
worms, Trojan horses, ransomware, spyware, and other malicious programs.
Types of Malware
1. Viruses – A Virus is a malicious executable code attached to another executable file. The
virus spreads when an infected file is passed from system to system. Viruses can be harmless
or they can modify or delete data. Opening a file can trigger a virus. Once a program virus is
active, it will infect other programs on the computer.
2. Worms – Worms replicate themselves on the system, attaching themselves to different files
and looking for pathways between computers, such as computer network that shares common
file storage areas. Worms usually slow down networks. A virus needs a host program to run
but worms can run by themselves. After a worm affects a host, it is able to spread very
quickly over the network.
3. Trojan horse – A Trojan horse is malware that carries out malicious operations under the
appearance of a desired operation such as playing an online game. A Trojan horse varies from
a virus because the Trojan binds itself to non-executable files, such as image files, and audio
files.
4. Ransomware – Ransomware holds a computer system or the data it contains hostage until the
victim makes a payment. Ransomware encrypts data on the computer with a key that is unknown to
the user. The user has to pay a ransom to the criminals to retrieve the data. Once the amount is
paid, the victim can resume using his/her system.
5. Adware – It displays unwanted ads and pop-ups on the computer. It comes along with
software downloads and packages. It generates revenue for the software distributer by
displaying ads.
6. Spyware – Its purpose is to steal private information from a computer system for a third
party. Spyware collects information and sends it to the hacker.
7. Logic Bombs – A logic bomb is a malicious program that uses a trigger to activate the
malicious code. The logic bomb remains non-functioning until that trigger event happens.
Once triggered, a logic bomb implements a malicious code that causes harm to a computer.
Cybersecurity specialists recently discovered logic bombs that attack and destroy the
hardware components in a workstation or server including the cooling fans, hard drives, and
power supplies. The logic bomb overdrives these devices until they overheat or fail.
8. Rootkits – A rootkit modifies the OS to create a backdoor. Attackers then use the backdoor to
access the computer remotely. Most rootkits take advantage of software vulnerabilities to
modify system files.
9. Backdoors – A backdoor bypasses the usual authentication used to access a system. The
purpose of the backdoor is to grant cyber criminals future access to the system even if the
organization fixes the original vulnerability used to attack the system.
10. Keyloggers – Keylogger records everything the user types on his/her computer system to
obtain passwords and other sensitive information and send them to the source of the
keylogging program.

Malware – Malicious Software
Malware is software that gets into a system without the user's consent, with the intention of stealing
the user's private and confidential data, including bank details and passwords. It also generates
annoying pop-up ads and makes changes to system settings.
They get into the system through various means:
1. Along with free downloads.
2. Clicking on suspicious link.
3. Opening mails from malicious source.
4. Visiting malicious websites.
5. Not installing an updated version of antivirus in the system.
Types:
1. Virus
2. Worm
3. Logic Bomb
4. Trojan/Backdoor
5. Rootkit
6. Advanced Persistent Threat
7. Spyware and Adware
What is a computer virus?
Computer virus refers to a program which damages computer systems and/or destroys or erases data
files. A computer virus is a malicious program that self-replicates by copying itself to another
program. In other words, the computer virus spreads by itself into other executable code or
documents. The purpose of creating a computer virus is to infect vulnerable systems, gain admin
control and steal user sensitive data. Hackers design computer viruses with malicious intent and prey
on online users by tricking them.
Symptoms:
• Letters look like they are falling to the bottom of the screen.
• The computer system becomes slow.
• The size of available free memory reduces.
• The hard disk runs out of space.
• The computer does not boot.
Types of Computer Virus:
These are explained as following below.
1. Parasitic –
These are the executable (.COM or .EXE execution starts at first instruction). Propagated by
attaching itself to particular file or program. Generally resides at the start (prepending) or at
the end (appending) of a file, e.g. Jerusalem.
2. Boot Sector –
Spread with infected floppy or pen drives used to boot the computers. During system boot,
boot sector virus is loaded into main memory and destroys data stored in hard disk, e.g.
Polyboot, Disk killer, Stone, AntiEXE.
3. Polymorphic –
Changes itself with each infection and creates multiple copies, which makes it difficult for
antivirus software to detect, e.g. Involutionary, Cascade, Evil, Virus 101, Stimulate. Multipartite
viruses use more than one propagation method.
Three major parts: an encrypted virus body, a decryption routine that varies from infection to
infection, and a mutation engine.
4. Memory Resident –
Installs code in the computer memory. Gets activated for OS run and damages all files opened
at that time, e.g. Randex, CMJ, Meve.
5. Stealth –
Hides its path after infection. It modifies itself hence difficult to detect and masks the size of
infected file, e.g. Frodo, Joshi, Whale.
6. Macro –
Associated with application software like word and excel. When opening the infected
document, macro virus is loaded into main memory and destroys the data stored in hard disk.
As attached with documents; spreads with those infected documents only, e.g. DMV, Melissa,
A, Relax, Nuclear, Word Concept.
7. Hybrids –
Features of various viruses are combined, e.g. Happy99 (Email virus).
Worm:
A worm is a destructive program that fills a computer system with self-replicating information,
clogging the system so that its operations are slowed down or stopped.
Types of Worm:
1. Email worm – Attaching to fake email messages.
2. Instant messaging worm – Via instant messaging applications using loopholes in network.
3. Internet worm – Scans systems using OS services.
4. Internet Relay Chat (IRC) worm – Transfers infected files to web sites.
5. Payloads – Delete or encrypt file, install backdoor, creating zombie etc.
6. Worms with good intent – Downloads application patches.
Logical Bomb:
A logical bomb is a destructive program that performs an activity when a certain action has occurred.
These are hidden in programming code. Executes only when a specific condition is met, e.g.
Jerusalem.
Script Virus:
Commonly found script viruses are written using the Visual Basic Scripting Edition (VBS) and the
JavaScript programming language.
Trojan / Backdoor:
A Trojan horse is a destructive program. It usually masquerades as a computer game or application
software. If executed, the computer system will be damaged. Trojan horses usually come with
monitoring tools and key loggers. They are active only when specific events occur. They are hidden
with packers, crypters and wrappers, and are hence difficult to detect with antivirus software.
Manual removal or firewall precautions can be used against them.
Rootkits:
A collection of tools that allow an attacker to take control of a system.
• Can be used to hide evidence of an attacker's presence and give them backdoor access.
• Can contain log cleaners to remove traces of the attacker.
• Can be divided into:
– Application or file rootkits: replace binaries on a Linux system
– Kernel rootkits: target the kernel of the OS, typically as a loadable kernel module (LKM)
• Gain control of the infected machine by:
– DLL injection: injecting a malicious DLL (dynamic link library)
– Direct kernel object manipulation: modifying kernel structures and directly targeting a trusted
part of the OS
– Hooking: changing an application's execution flow
Advanced Persistent Threat:
Created by well funded, organized groups, nation-state actors, etc. Desire to compromise government
and commercial entities, e.g. Flame: used for reconnaissance and information gathering of system.
Spyware and Adware:
Normally gets installed along with free software downloads. Spies on the end-user and attempts to
redirect the user to specific sites. Main tasks: behavioral surveillance and advertising with pop-up
ads. Slows down the system.

Common Attack Vectors
In cybersecurity, an attack vector is a method of achieving unauthorized network access to launch a
cyber attack. Attack vectors allow cybercriminals to exploit system vulnerabilities to gain access
to sensitive data, personally identifiable information (PII), and other valuable information accessible
after a data breach.
An attack vector is a method of gaining unauthorized access to a network or computer system.
An attack surface is the total number of attack vectors an attacker can use to manipulate a network or
computer system or extract data.
Threat vector can be used interchangeably with attack vector and generally describes the potential
ways a hacker can gain access to data or other confidential information.
Examples
1. Compromised Credentials
Usernames and passwords are still the most common type of access credential and continue to be
exposed in data leaks, phishing scams, and malware. When lost, stolen, or exposed, credentials give
attackers unfettered access. This is why organizations are now investing in tools to continuously
monitor for data exposures and leaked credentials. Password managers, two-factor
authentication (2FA), multi-factor authentication (MFA), and biometrics can also reduce the risk of
leaked credentials resulting in a security incident.
2. Weak Credentials
Weak passwords and reused passwords mean one data breach can result in many more. Teach your
organization how to create a secure password, invest in a password manager or a single sign-on tool,
and educate staff on their benefits.
3. Insider Threats
Disgruntled employees or malicious insiders can expose private information or provide information
about company-specific vulnerabilities.
4. Missing or Poor Encryption
Common data encryption methods like SSL certificates and DNSSEC can prevent man-in-the-middle
attacks and protect the confidentiality of data being transmitted. Missing or poor encryption for data at
rest can mean that sensitive data or credentials are exposed in the event of a data breach or data leak.
5. Misconfiguration
Misconfiguration of cloud services, like Google Cloud Platform, Microsoft Azure, or AWS, or using
default credentials can lead to data breaches and data leaks; check your S3 permissions or someone
else will. Automate configuration management where possible to prevent configuration drift.
6. Ransomware
Ransomware is a form of extortion where data is deleted or encrypted unless a ransom is paid;
WannaCry is a well-known example. Minimize the impact of ransomware attacks by maintaining a
defense plan, including keeping your systems patched and backing up important data.
7. Phishing
Phishing attacks are social engineering attacks where the target is contacted by email, telephone, or
text message by someone posing as a legitimate colleague or institution to trick them into
providing sensitive data, credentials, or personally identifiable information (PII). Fake messages can
send users to malicious websites with viruses or malware payloads.
8. Vulnerabilities
New security vulnerabilities are added to the CVE list every day and zero-day vulnerabilities are found
just as often. If a developer has not released a patch for a zero-day vulnerability before an attacker can
exploit it, zero-day attacks can be hard to prevent.
9. Brute Force
Brute force attacks are based on trial and error. Attackers may continuously try to gain access to your
organization until one attempt works. This could be by attacking weak passwords or encryption,
sending phishing emails, or sending infected email attachments containing a type of malware.
10. Distributed Denial of Service (DDoS)
DDoS attacks are cyber attacks against networked resources like data centers, servers, websites, or
web applications and can limit the availability of a computer system. The attacker floods the network
resource with messages which cause it to slow down or even crash, making it inaccessible to users.
Potential mitigations include CDNs and proxies.
11. SQL Injections
SQL stands for Structured Query Language, a language used to communicate with databases. Many
of the servers that store sensitive data use SQL to manage the data in their database. An SQL injection
uses malicious SQL to get the server to expose information it otherwise wouldn't. This is a huge cyber
risk if the database stores customer information, credit card numbers, credentials, or other personally
identifiable information (PII).
12. Trojans
Trojan horses are malware that mislead users by pretending to be a legitimate program and are often
spread via infected email attachments or fake malicious software.
13. Cross-Site Scripting (XSS)
XSS attacks involve injecting malicious code into a website, but the website itself is not the target;
rather, the attack aims to affect the website's visitors. A common way attackers deploy cross-site
scripting attacks is by injecting malicious code into a comment, e.g. embedding a link to malicious
JavaScript in a blog post's comment section.
14. Session Hijacking
When you log into a service, it generally provides your computer with a session key or cookie so you
don't need to log in again. This cookie can be hijacked by an attacker who uses it to gain access to
sensitive information.
15. Man-in-the-Middle Attacks
Public Wi-Fi networks can be exploited to perform man-in-the-middle attacks and intercept traffic that
was supposed to go elsewhere, such as when you log into a secure system.
16. Third and Fourth-Party Vendors
The rise in outsourcing means that your vendors pose a huge cybersecurity risk to your customers'
data and your proprietary data. Some of the biggest data breaches were caused by third parties.
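As an added example that is not part of these notes, the SQL injection vector (item 11) in code: a login lookup built by string concatenation beside the same lookup as a parameterized query, both run against a constructed in-memory SQLite table. The table, accounts and inputs are invented for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory users table standing in for the
    server-side database the notes describe (invented for this example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT, password TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct-horse", "4242"), ("bob", "hunter2", "1881")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by concatenating user input into the SQL text, so a
    quote in the input ends the string literal and the rest of the input is
    parsed as SQL: this is the defect behind SQL injection."""
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(query)]


def login_safe(conn, username, password):
    """Same lookup with a parameterized query. The driver binds the values as
    data, so nothing in the input can alter the query's structure."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


def demo():
    conn = make_db()
    # Legitimate use: both versions return the matching account.
    ok_vuln = login_vulnerable(conn, "alice", "correct-horse")
    ok_safe = login_safe(conn, "alice", "correct-horse")
    # Hostile input in the password field. In the concatenated version the
    # WHERE clause becomes  ... AND password = '' OR '1'='1'  which is true
    # for every row, so the query returns all users; the parameterized
    # version compares the whole string literally and matches nobody.
    hostile = "' OR '1'='1"
    bad_vuln = login_vulnerable(conn, "alice", hostile)
    bad_safe = login_safe(conn, "alice", hostile)
    return ok_vuln, ok_safe, bad_vuln, bad_safe


if __name__ == "__main__":
    print(demo())  # (['alice'], ['alice'], ['alice', 'bob'], [])
```

The fix is parameter binding, not stripping quotes from input; the same pattern applies to every database driver.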
How Do Hackers Exploit Attack Vectors?
Hackers use multiple threat vectors to exploit vulnerable systems, attack devices and networks, and
steal data from individuals. There are two main types of hacker vector attacks: passive attacks and
active attacks.
Passive Attack
A passive attack occurs when an attacker monitors a system for open ports or vulnerabilities to gain or
gather information about their target. Passive attacks can be difficult to detect because they do not
involve altering data or system resources. Rather than cause damage to an organization’s systems, the
attacker threatens the confidentiality of their data.
Passive attack vectors include passive reconnaissance, which sees the attacker monitor an
organization’s systems for vulnerabilities without interacting with them through tools like session
capture, and active reconnaissance, where the attacker uses methods like port scans to engage with
target systems.
Active Attack
An active attack vector is one that sets out to disrupt or cause damage to an organization’s system
resources or affect their regular operations. This includes attackers launching attacks against system
vulnerabilities, such as denial-of-service (DoS) attacks, targeting users’ weak passwords, or through
malware and phishing attacks.
A common example of an active attack is a masquerade attack, in which an intruder pretends to be a
trusted user and steals login credentials to gain access privileges to system resources. Active attack
methods are often used by cyber criminals to gain the information they need to launch a wider
cyberattack against an organization.
Social engineering attack
Social engineering is an attack vector that relies heavily on human interaction and often involves
manipulating people into breaking normal security procedures and best practices to gain unauthorized
access to systems, networks or physical locations or for financial gain.
Threat actors use social engineering techniques to conceal their true identities and motives, presenting
themselves as trusted individuals or information sources. The objective is to influence, manipulate or
trick users into releasing sensitive information or access within an organization. Many social
engineering exploits rely on people's willingness to be helpful or fear of punishment. For example, the
attacker might pretend to be a co-worker who has some kind of urgent problem that requires access to
additional network resources.
Social engineering is a popular tactic among attackers because it is often easier to exploit people than
it is to find a network or software vulnerability. Hackers will often use social engineering tactics as a
first step in a larger campaign to infiltrate a system or network and steal sensitive data or
disperse malware.
A social engineering attack is a cybersecurity attack that relies on psychological manipulation to get people to disclose sensitive data, share credentials, grant access to a personal device, or otherwise compromise their digital security.
Social engineering attacks pose a great threat to cybersecurity since many attacks begin on a personal
level and rely on human error to advance the attack path. By invoking empathy, fear and urgency in
the victim, adversaries are often able to gain access to personal information or the endpoint itself. If
the device is connected to a corporate network or contains credentials for corporate accounts, this can
also provide adversaries with a pathway to enterprise-level attacks.
With cyber criminals devising ever-more manipulative methods for tricking people and employees,
organizations must stay ahead of the game. In this post, we will explore ten of the most common types
of social engineering attacks:
1. Phishing
2. Whaling
3. Baiting
4. Diversion Theft
5. Business Email Compromise (BEC)
6. Smishing
7. Quid Pro Quo
8. Pretexting
9. Honeytrap
10. Tailgating/Piggybacking
 Baiting. An attacker leaves a malware-infected physical device, such as a Universal Serial Bus flash drive, in a place it is sure to be found. The target then picks up the device and inserts it into their computer, unintentionally installing the malware.
 Phishing. When a malicious party sends a fraudulent email disguised as a legitimate email,
often purporting to be from a trusted source. The message is meant to trick the recipient into
sharing financial or personal information or clicking on a link that installs malware.
 Spear phishing. This is like phishing, but the attack is tailored for a specific individual or
organization.
 Vishing. Also known as voice phishing, vishing involves the use of social engineering over
the phone to gather financial or personal information from the target.
 Whaling. A specific type of phishing attack, a whaling attack targets high-profile employees,
such as the chief financial officer or chief executive officer, to trick the targeted employee
into disclosing sensitive information.
 Pretexting. One party lies to another to gain access to privileged data. For example, a
pretexting scam could involve an attacker who pretends to need financial or personal data to
confirm the identity of the recipient.
 Scareware. This involves tricking the victim into thinking their computer is infected with
malware or has inadvertently downloaded illegal content. The attacker then offers the victim a
solution that will fix the bogus problem; in reality, the victim is simply tricked into
downloading and installing the attacker's malware.
 Watering hole. The attacker attempts to compromise a specific group of people by infecting
websites they are known to visit and trust with the goal of gaining network access.
 Diversion theft. In this type of attack, social engineers trick a delivery or courier company
into going to the wrong pickup or drop-off location, thus intercepting the transaction.
 Quid pro quo. This is an attack in which the social engineer pretends to provide something in
exchange for the target's information or assistance. For instance, a hacker calls a selection
of random numbers within an organization and pretends to be a technical support specialist
responding to a ticket. Eventually, the hacker will find someone with a legitimate tech issue
whom they will then pretend to help. Through this interaction, the hacker can have the target
type in the commands to launch malware or can collect password information.
 Honey trap. In this attack, the social engineer pretends to be an attractive person to interact
with a person online, fake an online relationship and gather sensitive information through that
relationship.
 Tailgating. Sometimes called piggybacking, tailgating is when a hacker walks into a secured
building by following someone with an authorized access card. This attack presumes the
person with legitimate access to the building is courteous enough to hold the door open for
the person behind them, assuming they are allowed to be there.
 Rogue security software. This is a type of malware that tricks targets into paying for the fake
removal of malware.
 Dumpster diving. This is a social engineering attack whereby a person searches a company's
trash to find information, such as passwords or access codes written on sticky notes or scraps
of paper, that could be used to infiltrate the organization's network.
 Pharming. With this type of online fraud, a cybercriminal installs malicious code on a
computer or server that automatically directs the user to a fake website, where the user may
be tricked into providing personal information.
Preventing social engineering
There are a number of strategies companies can take to prevent social engineering attacks, including
the following:
 Make sure information technology departments are regularly carrying out penetration
testing that uses social engineering techniques. This will help administrators learn which
types of users pose the most risk for specific types of attacks, while also identifying which
employees require additional training.
 Start a security awareness training program, which can go a long way toward preventing
social engineering attacks. If users know what social engineering attacks look like, they will
be less likely to become victims.
 Implement secure email and web gateways to scan emails for malicious links and filter them
out, thus reducing the likelihood that a staff member will click on one.
 Keep antimalware and antivirus software up to date to help prevent malware in phishing
emails from installing itself.
 Stay up to date with software and firmware patches on endpoints.
 Keep track of staff members who handle sensitive information, and enable advanced
authentication measures for them.
 Implement 2FA to access key accounts, e.g., a confirmation code via text message or voice
recognition.
 Ensure employees don't reuse the same passwords for personal and work accounts. If a hacker
perpetrating a social engineering attack gets the password for an employee's social media
account, the hacker could also gain access to the employee's work accounts.
 Implement spam filters to determine which emails are likely to be spam. A spam filter might
have a blacklist of suspicious Internet Protocol addresses or sender IDs, or they might detect
suspicious files or links, as well as analyze the content of emails to determine which may be
fake.
Wireless Network Attacks
Wireless network attacks are deliberate and malicious actions aimed at exploiting vulnerabilities in
wireless communication systems to gain unauthorized access, intercept sensitive data, disrupt network
operations, or compromise the security of devices and users connected to the network. These attacks
target weaknesses in the protocols, configurations, or encryption mechanisms of wireless networks,
taking advantage of their inherent nature of broadcasting signals over the airwaves.
Types of Wireless Network Attacks
Wireless networks have undoubtedly revolutionized the way we communicate and conduct business,
offering unparalleled convenience and mobility. However, with this freedom comes the lurking threat
of malicious attackers seeking to exploit the vulnerabilities inherent in wireless technology. Here are
some of the common types of wireless network attacks:
1. Wireless Eavesdropping (Passive Attacks)
Attackers use tools like packet sniffers to intercept and monitor wireless communications between
devices. By capturing data packets transmitted over the air, they can potentially obtain sensitive
information, such as login credentials, financial data, or personal information.
2. Wireless Spoofing (Man-in-the-Middle Attacks)
In these attacks, the attacker positions themselves between the wireless client and the legitimate
access point, intercepting and manipulating data transmissions. The attacker may then relay the
information back and forth, making it appear as if they are the legitimate access point. This enables
them to snoop on data or perform other malicious actions unnoticed.
3. Wireless Jamming (Denial-of-Service Attacks)
Attackers flood the wireless frequency spectrum with interference signals, disrupting legitimate
communications between devices and access points. By creating excessive noise, they can render the
wireless network unusable for legitimate users.
4. Rogue Access Points
Attackers set up unauthorized access points, mimicking legitimate ones, to deceive users into
connecting to them. Once connected, the attacker can eavesdrop, capture data, or launch further
attacks on the unsuspecting users.
5. Brute-Force Attacks
Attackers try various combinations of passwords or encryption keys in rapid succession until they find
the correct one to gain unauthorized access to the wireless network.
6. WEP/WPA Cracking
Attackers exploit vulnerabilities in older wireless security protocols like Wired Equivalent Privacy
(WEP) and Wi-Fi Protected Access (WPA) to gain unauthorized access to encrypted wireless
networks.
7. Evil Twin Attacks
Attackers create fake access points with names similar to legitimate ones, tricking users into
connecting to the malicious network. Once connected, the attacker can intercept sensitive data or
execute further attacks.
8. Deauthentication/Disassociation Attacks
Attackers send forged deauthentication or disassociation frames to wireless devices, forcing them to
disconnect from the network, leading to service disruptions or potential vulnerabilities when devices
automatically reconnect.
Preventing Wireless Network Attacks: Safeguarding Your Digital Domain
Protecting your wireless network from potential threats is paramount, and we have compiled a
comprehensive list of preventive measures to ensure your digital domain remains secure. Follow these
essential tips to fortify your wireless network against attacks:
1. Update your computer often
Regularly update your operating system and applications to ensure you have the latest security
patches and fixes. Timely updates help address discovered vulnerabilities, making it harder for
attackers to exploit known weaknesses.
2. Use MAC filtering
Enable MAC filtering on your wireless router to control access to your network. By specifying which
devices are allowed to connect based on their unique MAC addresses, you can prevent unauthorized
access and enhance your network’s security.
3. Disable SSID broadcasting
Turn off SSID broadcasting to make your wireless network invisible to casual observers. This
prevents your network from being easily discoverable and adds an extra layer of obscurity for
potential attackers.
4. Use WPA2 encryption
Utilize WPA2 encryption, the latest and most secure protocol, to safeguard your data as it travels
between devices and access points. Encryption ensures that even if intercepted, your data remains
unintelligible to unauthorized entities.
5. Change the default SSID
Customize your router’s SSID to something unique and unrelated to personal information. Avoid
using common names like “Linksys” or “default” to deter attackers from identifying and targeting
your network.
6. Disable file sharing
Turn off file sharing on your network to prevent unauthorized users from accessing your sensitive
files. If file sharing is necessary, ensure you set up secure passwords to limit access to approved users
only.
7. Enable WEP encryption (only if using an older router)
If your router doesn’t support WPA2, use WEP encryption as a fallback option. However, keep in
mind that WEP is less secure than WPA2 and should only be considered if absolutely necessary.
Web Application Attacks
Web application attacks are malicious activities that target web applications by exploiting
vulnerabilities in their design or implementation. These attacks can result in unauthorized access, data
theft, or other harmful consequences.
Common types of web application attacks include SQL injection, cross-site scripting (XSS), cross-site
request forgery (CSRF), and file inclusion attacks. Attackers may use automated tools or manually
craft their attacks to bypass security measures and gain access to sensitive information or systems.
Organizations can prevent or mitigate web application attacks by implementing strong security
measures, such as input validation, user authentication, and regular vulnerability testing.
Common Types of Web Application Attacks
1. Cross-Site Scripting (XSS)
Cross-site scripting (XSS) is a type of web application attack that involves injecting malicious scripts
into web pages that are viewed by other users. This is typically accomplished by injecting the script
into a form input field or URL parameter that is then stored in the web application’s database.
When another user views the page that contains the malicious script, the script is executed in their
browser, allowing the attacker to steal data or perform other malicious actions on the user’s behalf.
XSS attacks can be prevented by properly sanitizing user input, using content security policy (CSP)
headers, and escaping untrusted data.
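As an added example (not code from the original notes), the following Python shows two of the defences named above for the comment-section case these notes use: escaping untrusted text before it is placed in HTML, and refusing link URLs whose scheme is not http or https. The sample comment, the link values and the function names are constructed for the demonstration.

```python
import html
from typing import Optional
from urllib.parse import urlsplit

# Constructed user input: a comment that carries a script tag (not from the original notes).
SAMPLE_COMMENT = 'Nice write-up <script>alert("xss")</script>'

# Only these URL schemes are accepted for links placed in an href attribute.
ALLOWED_SCHEMES = {"http", "https"}


def render_comment_unsafe(comment: str) -> str:
    """Vulnerable: user text is interpolated into the page as markup,
    so any <script> it contains runs in every visitor's browser."""
    return f'<p class="comment">{comment}</p>'


def render_comment_safe(comment: str) -> str:
    """Hardened: html.escape turns & < > " ' into entities, so the
    browser shows the comment as text and never parses it as markup."""
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


def render_link(url: str, label: str) -> Optional[str]:
    """Build an <a> tag only for http(s) URLs that name a host; anything else
    (for example a script URL) returns None. The href is escaped for the
    attribute context, the label for the text context."""
    cleaned = url.strip()
    parts = urlsplit(cleaned)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    href = html.escape(cleaned, quote=True)
    return f'<a href="{href}" rel="nofollow noopener">{html.escape(label)}</a>'


def demo() -> dict:
    """Render the constructed comment both ways so the difference is visible."""
    return {
        "unsafe": render_comment_unsafe(SAMPLE_COMMENT),
        "safe": render_comment_safe(SAMPLE_COMMENT),
        "bad_link": render_link("javascript:alert(1)", "click me"),
        "good_link": render_link("https://example.org/p?a=1&b=2", "example"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two contexts matter: text inside an element and a value inside an attribute need escaping, while a URL additionally needs its scheme checked, because escaping alone does not stop a script URL from executing when the link is clicked.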
2. Cross-Site Request Forgery (CSRF)
Cross-site request forgery (CSRF) is a type of web application attack that tricks a user into executing
an unwanted action on a web application that they are already authenticated with. This is typically
accomplished by sending a specially crafted link or script to the user, which then performs the
unwanted action when clicked.
For example, a CSRF attack could be used to make unauthorized purchases or change account
settings. CSRF attacks can be prevented by using anti-CSRF tokens, which are unique tokens that are
generated by the web application for each user session and must be included in every request to the
application.
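The token check described above, as an added Python example that is not part of the original notes. It binds each token to the session with an HMAC under a server-side secret, so no server-side token store is needed; that design choice, the session ids and the form field names are assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets
from typing import Dict

# Server-side secret used to bind tokens to sessions. Generated at start-up here for the
# demonstration; a real deployment loads it from configuration and keeps it out of source.
SERVER_SECRET = secrets.token_bytes(32)


def _mac(session_id: str, nonce: str) -> str:
    return hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()


def issue_csrf_token(session_id: str) -> str:
    """Token to embed in the form as a hidden field: a random nonce plus an HMAC
    over (session id, nonce). A page on another origin cannot read or forge it."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    """Recompute the MAC for the presented nonce and compare in constant time."""
    nonce, sep, mac = token.partition(".")
    if not sep or not nonce or not mac:
        return False
    return hmac.compare_digest(_mac(session_id, nonce), mac)


def handle_change_email(session_id: str, form: Dict[str, str]) -> str:
    """A state-changing handler: the request is refused unless the form carries a
    valid token for the session identified by the caller's session cookie."""
    if not verify_csrf_token(session_id, form.get("csrf_token", "")):
        return "403 Forbidden: missing or invalid CSRF token"
    return f"200 OK: email changed to {form.get('email', '')}"
```

A forged request from another site carries the victim's session cookie automatically, but not the token, because the attacker never saw the form that contained it; a token copied from a different session fails the HMAC check.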
3. XML External Entity (XXE)
XML External Entity (XXE) is a type of web application attack that involves exploiting
vulnerabilities in XML parsers used by a web application. This can allow an attacker to read sensitive
data or execute unauthorized actions on the web application’s server.
XXE attacks typically involve injecting specially crafted XML payloads that exploit the XML parser’s
ability to read external entities. XXE attacks can be prevented by disabling external entity parsing or
using secure XML parsers that properly sanitize input data.
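An added Python example (not from the original notes) of the first mitigation the passage names, disabling DTD processing: untrusted XML is refused if it declares a DOCTYPE or entity, since that is the only place an external entity can be defined. The sample documents are constructed and the file path in the refused payload is a placeholder.

```python
import codecs
import re
import xml.etree.ElementTree as ET


class UnsafeXML(ValueError):
    """Raised when untrusted XML declares a DTD (the only place entities can be defined)."""


def _to_text(data: bytes) -> str:
    """Decode before inspecting. A byte-level search for b'<!DOCTYPE' would miss a
    UTF-16 document, which the parser would still accept."""
    if data.startswith(codecs.BOM_UTF8):
        return data[len(codecs.BOM_UTF8):].decode("utf-8", "replace")
    if data.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return data.decode("utf-16", "replace")
    if data[:2] == b"<\x00":
        return data.decode("utf-16-le", "replace")
    if data[:2] == b"\x00<":
        return data.decode("utf-16-be", "replace")
    return data.decode("utf-8", "replace")


_DTD_RE = re.compile(r"<!DOCTYPE|<!ENTITY", re.IGNORECASE)


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse XML from an untrusted source, refusing any document that carries a DTD.
    Without a DTD there is no way to declare an external entity, so the XXE surface
    (and entity-expansion bombs) is gone before the parser ever sees the input."""
    if _DTD_RE.search(_to_text(data)):
        raise UnsafeXML("DTD or entity declaration not allowed in untrusted input")
    return ET.fromstring(data)


# Constructed inputs for the demonstration (not from the original notes).
BENIGN = b'<?xml version="1.0"?><order><item sku="A100" qty="2"/></order>'
XXE_ATTEMPT = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///PLACEHOLDER/secret.txt">]>'
    b"<order><note>&ext;</note></order>"
)
XXE_UTF16 = XXE_ATTEMPT.decode("ascii").encode("utf-16")   # same payload, UTF-16 with BOM


def summarize(data: bytes) -> str:
    """Outcome string for a document: accepted with a short summary, or rejected."""
    try:
        root = parse_untrusted_xml(data)
    except UnsafeXML as exc:
        return f"rejected: {exc}"
    return f"accepted: <{root.tag}> with {len(root)} child element(s)"
```

Rejecting the DTD outright is the simplest robust option when the application never needs one; where a DTD is legitimately required, a parser configured to ignore external entities and resolve nothing from the network or filesystem is the alternative.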
4. Injection Attacks
Injection attacks involve inserting malicious code into a web application, typically in the form of
input data such as SQL queries, commands, or scripts. Injection attacks are successful when an
application fails to properly validate and sanitize input data. These attacks can be prevented by
properly validating and sanitizing input data and using parameterized queries to access databases.
5. Fuzz Testing (Fuzzing)
Fuzz testing, also known as fuzzing, is a technique used to discover vulnerabilities in a web
application by sending it random or invalid input data. The goal of fuzz testing is to identify how the
web application responds to different inputs and to find errors and crashes.
Fuzz testing can be performed manually or with the help of automated tools. Fuzz testing can uncover
vulnerabilities that may not be detected by other security testing methods such as penetration testing.
To perform effective fuzz testing, a tester needs to understand the web application’s input and output
mechanisms and the types of data that the application processes.
6. DDoS (Distributed Denial-of-Service)
A Distributed Denial-of-Service (DDoS) attack is a type of web application attack that involves
overwhelming a web application with a large volume of traffic from multiple sources, such as botnets
or compromised devices. This can cause the web application to become unavailable to legitimate
users.
DDoS attacks can be prevented by using network security devices, such as firewalls and intrusion
prevention systems, that can detect and block malicious traffic. Additionally, web application
developers can use content delivery networks (CDNs) and load balancers to distribute traffic across
multiple servers to help mitigate the effects of DDoS attacks.
7. Brute Force Attack
A brute force attack is an automated method of guessing a username and password combination to
gain unauthorized access to a web application. Attackers use software tools to try different
combinations of usernames and passwords until they successfully guess the correct one.
To prevent brute force attacks, web applications can implement rate-limiting and account lockout
policies. Rate-limiting limits the number of login attempts from a single IP address, while account
lockout temporarily blocks access to an account after a certain number of failed login attempts.
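The two controls in the paragraph above, rate limiting per source address and lockout per account, combined in one small guard. This is an added Python example, not code from the original notes; the thresholds, the window lengths and the injectable clock are assumptions for the demonstration.

```python
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict

# Constructed policy values for the demonstration (not from the original notes).
RATE_LIMIT = 5            # failed attempts tolerated per source IP ...
RATE_WINDOW = 60.0        # ... within this many seconds
LOCKOUT_THRESHOLD = 3     # consecutive failures before an account is locked
LOCKOUT_SECONDS = 900.0   # how long the lock lasts


class LoginGuard:
    """Per-IP sliding-window rate limit plus per-account lockout. `clock` is
    injectable so the time-dependent behaviour can be tested without waiting."""

    def __init__(self, clock: Callable[[], float] = time.monotonic) -> None:
        self.clock = clock
        self.ip_failures: Dict[str, Deque[float]] = defaultdict(deque)
        self.account_failures: Dict[str, int] = defaultdict(int)
        self.locked_until: Dict[str, float] = {}

    def _ip_limited(self, ip: str) -> bool:
        # Drop failures older than RATE_WINDOW, then count what is left.
        now = self.clock()
        window = self.ip_failures[ip]
        while window and now - window[0] > RATE_WINDOW:
            window.popleft()
        return len(window) >= RATE_LIMIT

    def _account_locked(self, user: str) -> bool:
        until = self.locked_until.get(user)
        if until is None:
            return False
        if self.clock() >= until:          # lock expired: reset and allow
            del self.locked_until[user]
            self.account_failures[user] = 0
            return False
        return True

    def attempt(self, ip: str, user: str, password_ok: bool) -> str:
        """Outcome of one login attempt: 'ok', 'fail', 'rate_limited' or 'locked'.
        `password_ok` stands in for the real credential check."""
        if self._ip_limited(ip):
            return "rate_limited"
        if self._account_locked(user):
            return "locked"          # refused even when the password is right
        if password_ok:
            self.account_failures[user] = 0
            return "ok"
        now = self.clock()
        self.ip_failures[ip].append(now)
        self.account_failures[user] += 1
        if self.account_failures[user] >= LOCKOUT_THRESHOLD:
            self.locked_until[user] = now + LOCKOUT_SECONDS
        return "fail"
```

The two controls cover different cases: the IP limit stops one source from trying many passwords or many accounts, while the account lock stops a distributed attempt against a single account from many sources. Returning the same "fail" for a wrong password as for an unknown account avoids confirming which usernames exist.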
8. Path Traversal
Path traversal is a type of web application attack that involves manipulating file paths in a web
application in order to access unauthorized files or directories on the server. Path traversal attacks
typically occur when a web application does not properly validate user input, allowing an attacker to
traverse up and down directory structures to access sensitive files.
Path traversal attacks can be prevented by properly validating user input and sanitizing file paths, as
well as using secure file access methods that restrict access to sensitive files and directories.
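Validating a user-supplied file path against a base directory, as an added Python example that is not code from the original notes. The check is done on the fully resolved path, so `..` segments, their percent-encoded forms and absolute paths are all caught by one comparison. The base directory and the inputs are constructed for the demonstration.

```python
import os
from urllib.parse import unquote


class PathTraversal(ValueError):
    """Raised when a user-supplied path would resolve outside the allowed directory."""


def safe_join(base_dir: str, user_path: str) -> str:
    """Resolve user_path inside base_dir and return the absolute path, or raise."""
    if "\x00" in user_path:
        raise PathTraversal("NUL byte in path")
    # Decode percent-encoding once, so that %2e%2e%2f is seen as ../ before normalisation.
    decoded = unquote(user_path)
    base = os.path.realpath(base_dir)
    # os.path.join discards `base` when `decoded` is absolute; realpath then yields
    # a path outside the base, which the commonpath comparison rejects.
    candidate = os.path.realpath(os.path.join(base, decoded))
    if os.path.commonpath([base, candidate]) != base:
        raise PathTraversal(f"{user_path!r} resolves outside {base_dir}")
    return candidate


def relative_to_base(base_dir: str, user_path: str) -> str:
    """The validated path expressed relative to the base directory."""
    return os.path.relpath(safe_join(base_dir, user_path), os.path.realpath(base_dir))


# Constructed demo directory and inputs (not from the original notes).
DEMO_BASE = "/srv/app/public_files"
DEMO_INPUTS = [
    "reports/q1.txt",                    # ordinary request
    "reports/../q2.txt",                 # '..' that stays inside the base
    "../private/keys.txt",               # plain traversal
    "%2e%2e/%2e%2e/private/keys.txt",    # percent-encoded traversal
    "/private/keys.txt",                 # absolute path
]


def check_all(base_dir: str = DEMO_BASE, inputs=DEMO_INPUTS) -> dict:
    """Map each input to its resolved relative path, or to 'BLOCKED'."""
    results = {}
    for user_path in inputs:
        try:
            results[user_path] = relative_to_base(base_dir, user_path)
        except PathTraversal:
            results[user_path] = "BLOCKED"
    return results
```

Comparing canonical paths is preferable to searching the input for `..`: the latter misses encodings and symlinks, while the former asks the only question that matters, namely where the path actually ends up.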
Web Application Security Strategies
Here are some web application security strategies that organizations can implement to protect their
web applications:
 Secure coding practices: Adopt secure coding practices, such as the OWASP Top 10
guidelines, to ensure that web applications are built with security in mind. This includes
measures like input validation, output encoding, and secure authentication mechanisms.
 Regular security testing: Perform regular security testing, such as penetration testing and
vulnerability scanning, to identify and address security vulnerabilities in web applications.
 Access control: Implement access controls to ensure that only authorized users can access
sensitive data or functionality within web applications. This includes measures like role-based
access control and multi-factor authentication.
 Secure communication: Use secure communication protocols, such as HTTPS, to ensure that
data transmitted between web applications and users is encrypted and protected from
interception.
 Server and network security: Implement server and network security measures, such as
firewalls and intrusion detection systems, to protect web applications from attacks like DDoS
and SQL injection.
 Regular updates and patches: Keep web applications and supporting software up-to-date
with the latest security patches and updates to address known vulnerabilities.
 User education: Educate users on best practices for safe web browsing, such as avoiding
clicking on suspicious links or downloading attachments from unknown sources.
 Incident response planning: Develop and test incident response plans to ensure that web
application security incidents are identified and addressed in a timely and effective manner.
UNIT III RECONNAISSANCE
Harvester – Whois – Netcraft – Host – Extracting Information from DNS – Extracting Information
from E-mail Servers – Social Engineering Reconnaissance; Scanning – Port Scanning – Network
Scanning and Vulnerability Scanning – Scanning Methodology – Ping Sweep Techniques – Nmap
Command Switches – SYN – Stealth – XMAS – NULL – IDLE – FIN Scans – Banner Grabbing and
OS Fingerprinting Techniques.
Harvester
Harvester is an information-gathering tool built by the people at Edge Security and included by default in Kali Linux. The goal of this tool is to find and gather all email addresses, subdomains, hosts, ports, employee names, and banners that can provide information about the target. It is intended to help penetration testers in the early stages of a penetration test understand the customer's footprint on the Internet. It is also useful for anyone who wants to know what an attacker can see about their organization.
Note: Harvester does not use any advanced algorithms to crack passwords, test firewalls, or sniff data on networks. Instead, it automatically gathers public information that is already available on the Internet.
# Why do we gather information?
In any pentesting task, the first thing you need to do is know your target. The more information we have about the target, the easier it is to compromise it. We can find useful information such as the email addresses to target for phishing, or which domains on the company network are vulnerable. We can also use this information for social engineering attacks, which are at the top of every hacker's arsenal. By using this tool, critical information that companies knowingly or unknowingly disclose can be obtained legally and used to understand the target.
This tool is designed to help the penetration tester on an earlier stage; it is effective, simple and easy
to use. The sources supported are:
1. Google – emails, subdomains
2. Google profiles – Employee names
3. Bing search – emails, subdomains/hostnames, virtual hosts
4. Pgp servers – emails, subdomains/hostnames
5. LinkedIn – Employee names
6. Exalead – emails, subdomains/hostname
# Usage of The Harvester Tool in linux with examples:
1. For finding email IDs:
Command:
Result:
2. For gathering employee names and saving them to a file:
Command:
Whois Lookup
In this section, we are going to have a look at Whois Lookup. It is a protocol used to find the owners of internet resources, for example a domain, a server, or an IP address. Here we are not actually hacking; we are just retrieving information from a database about the owners of resources on the internet. For example, if we wanted to register a domain name like zaid.com, we would have to supply information about the person registering it, such as an address, and then the domain name would be registered in our name and people would see that Zaid owns it. That is all we are going to do.
Extracting Information from DNS
DNS servers are an attractive target for attackers and penetration testers. They regularly hold data that is highly valuable to attackers. DNS is a core element of both our local networks and the Internet. Among other things, DNS is responsible for translating domain names to IP addresses. For humans it is much simpler to remember "google.com" than http://75.125.95.105, but machines prefer the reverse. DNS serves as the middleman for this translation. As penetration testers, it is necessary to concentrate on the DNS servers that belong to our target. The reason is simple: in order for DNS to function correctly, it needs to be aware of both the IP address and the corresponding domain name of each machine on its network. In terms of reconnaissance, obtaining full access to an organization's DNS server is like finding a pot of gold at the end of a rainbow, or perhaps, more correctly, like finding a blueprint for the organization. In this case the blueprint includes a complete listing of private IP addresses that belong to our target. Remember that one of the key components of data gathering is to collect IP addresses that belong to the target.
Extracting Info from DNS Servers
Another way for pen testers to learn more about their targets is through DNS servers and records.
DNS servers store a lot of useful information about their related networks, and there are a handful of
tools to use for extracting valuable information about a target.
What DNS does (or, why we care)
DNS is part of the TCP/IP protocol suite. It’s responsible for mapping user-friendly domain names
(like “google.com”) to an IP address (like “172.217.4.46”).
A domain name server is a server with a large database of these mappings. For pen testers, accessing
DNS servers provides them with a blueprint of the company’s infrastructure, via a list of internal IP
addresses and host names. As Engebretson notes in his book (The Basics of Hacking and Penetration
Testing), DNS servers are often poorly configured or maintained, making them easy targets.
As always, only use this for legal purposes, with authorization, etc etc.
Zone transfers
One particularly useful source of DNS information is a zone transfer (AXFR). Because networks
typically have two or more DNS servers for redundancy or load balancing, they need to communicate
with each other to share their host-to-IP mappings and stay in sync.
Host
If we have collected host names (for a given target) in previous reconnaissance steps, we need to
translate those into IP addresses for future steps. To do so, we can use host.
Host is built into most Linux systems (including Kali). I’m not sure what a Windows equivalent is,
besides maybe nslookup.
To use host, type host followed by the hostname you want to resolve to an IP address (here, the target's DNS server). For example:
host ns1.bluehost.com
Which returns
ns1.bluehost.com has address 162.159.24.80
NSLookup
Nslookup is a tool that queries a DNS server for its host records. It is available for Linux (including Kali) and Windows. To use it, open a command line and run:
nslookup
It will then show a > prompt and wait for input. Enter server followed by the IP address of the DNS server you want to learn about (if you only have the hostname, use host as shown in the previous section to get the IP address):
server 8.8.8.8
Then, you’ll have to specify the type of DNS record. There are several different types:
 A records map a domain or subdomain to an IP address (for example, mapping "google.com" to "172.217.4.46").
 CNAME allows a machine to be known by the hostnames specified in the CNAME record.
 MX or Mail Exchanger is for routing email to the specified email server. There are priority
numbers given to specify which mail server should be contacted first.
 NS records map a domain name to their related DNS servers (i.e. google.com ->
ns1.google.com, ns2.google.com, etc.)
 TXT records are for text-based info. One example might be domain ownership verification.
A full list of DNS record types can be found here, on Wikipedia.
You can either ask for all DNS record types, or specify a certain type:
set type = any
or set type = a, set type = mx, and so on. The additional servers that you find from nslookup can be
added to the target list.
Email Servers
If we find an email server, this presents another opportunity to learn more about a target. Email
servers must allow outside traffic in to be useful as email servers. In The Basics of Hacking and
Penetration Testing, Engebretson says to send an email to the organization with an empty .bat or .exe
file. The goal is to get rejected, and then inspect the rejection email for anti-virus vendor and version
information, IP address of the server, software versions being used on the server, etc.
Zone transfers
Dig
If you want to attempt a zone transfer (Engebretson notes that your chances of success are pretty low),
you can use dig to do so:
dig @ip_address_here example.com -t AXFR
Fierce
If the zone transfer doesn’t work out for you, fierce can be your backup option. Fierce is a Perl-script
that comes pre-installed on Kali. To use:
cd /usr/bin/
./fierce -dns example.com
Fierce will lookup DNS servers for a given domain name, attempt a zone transfer, and then perform
hundreds (or thousands) of automated DNS scans for you.
-delay       The number of seconds to wait between lookups.
-dns         The domain you would like scanned.
-dnsfile     Use DNS servers provided by a file (one per line) for reverse lookups (brute force).
-dnsserver   Use a particular DNS server for reverse lookups (probably should be the DNS server of the target). Fierce uses your DNS server for the initial SOA query and then uses the target's DNS server for all additional queries by default.
-file        A file you would like the output to be logged to.
-fulloutput  When combined with -connect this will output everything the webserver sends back, not just the HTTP headers.
A list of command line flags can be found here.
All together now!
Use whois to find the DNS servers for a given website. Next, use host to translate the hostname into
an IP address. Use nslookup to get the full set of related DNS records (for mail exchangers, etc).
Use dig or fierce to attempt a zone transfer, and/or look for related DNS servers.
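To tie the record types and the zone-transfer discussion together, here is an added Python example (not from the original notes or from Engebretson's book) that parses dig-style AXFR output and audits it the way a defender reviewing their own zone would: it builds the host-to-address list, orders mail exchangers by priority, and flags A records that publish internal (RFC 1918, loopback, link-local) addresses. The zone data is constructed, using the reserved example.test name and the 203.0.113.0/24 documentation range.

```python
import ipaddress
from typing import Dict, List, NamedTuple, Tuple

# Constructed zone-transfer output in dig's AXFR layout (name, TTL, class, type, rdata).
SAMPLE_AXFR = """\
; <<>> constructed sample, not real DNS data <<>>
example.test.            3600 IN SOA   ns1.example.test. hostmaster.example.test. 2024010101 7200 3600 1209600 3600
example.test.            3600 IN NS    ns1.example.test.
example.test.            3600 IN NS    ns2.example.test.
example.test.            3600 IN MX    10 mail.example.test.
ns1.example.test.        3600 IN A     203.0.113.10
ns2.example.test.        3600 IN A     203.0.113.11
mail.example.test.       3600 IN A     203.0.113.25
www.example.test.        3600 IN A     203.0.113.80
intranet.example.test.   3600 IN A     10.20.30.40
backup-db.example.test.  3600 IN A     192.168.5.12
git.example.test.        3600 IN CNAME www.example.test.
example.test.            3600 IN TXT   "v=spf1 mx -all"
"""

# Address space that has no business appearing in a zone served to the public Internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


class Record(NamedTuple):
    name: str
    ttl: int
    rtype: str
    rdata: str


def parse_zone_lines(text: str) -> List[Record]:
    """Parse dig-style zone lines; comment (';') and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split(None, 4)      # rdata may contain spaces: split at most 4 times
        if len(fields) < 5 or fields[2].upper() != "IN":
            continue
        name, ttl, _cls, rtype, rdata = fields
        records.append(Record(name, int(ttl), rtype.upper(), rdata))
    return records


def by_type(records: List[Record], rtype: str) -> List[Record]:
    return [r for r in records if r.rtype == rtype]


def address_map(records: List[Record]) -> Dict[str, List[str]]:
    """Host name -> addresses: the target list the text talks about building."""
    hosts: Dict[str, List[str]] = {}
    for r in records:
        if r.rtype in ("A", "AAAA"):
            hosts.setdefault(r.name, []).append(r.rdata)
    return hosts


def mail_exchangers(records: List[Record]) -> List[Tuple[int, str]]:
    """(priority, host) pairs with the lowest value (contacted first) first."""
    mx = []
    for r in by_type(records, "MX"):
        prio, host = r.rdata.split(None, 1)
        mx.append((int(prio), host))
    return sorted(mx)


def internal_address_leaks(records: List[Record]) -> List[Tuple[str, str]]:
    """A/AAAA records whose address is internal: the blueprint leak the text
    warns about, and the first thing to remove from a public zone."""
    leaks = []
    for r in records:
        if r.rtype not in ("A", "AAAA"):
            continue
        try:
            addr = ipaddress.ip_address(r.rdata)
        except ValueError:
            continue
        if any(addr in net for net in INTERNAL_NETS):
            leaks.append((r.name, r.rdata))
    return leaks
```

Run against a real export of your own zone, the same functions answer the defensive questions: does the public zone hand out internal addresses, which servers are listed as mail exchangers and name servers, and are zone transfers restricted to the secondaries that need them.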
Port scanning
A port scan is a common technique hackers use to discover open doors or weak points in a network. A
port scan attack helps cyber criminals find open ports and figure out whether they are receiving or
sending data. It can also reveal whether active security devices like firewalls are being used by an
organization.
When hackers send a message to a port, the response they receive determines whether the port is
being used and if there are any potential weaknesses that could be exploited.
Businesses can also use the port scanning technique to send packets to specific ports and analyze
responses for any potential vulnerability. They can then use tools like IP scanning, network mapper
(Nmap), and Netcat to ensure their network and systems are secure.
Port scanning can provide information such as:
1. Services that are running
2. Users who own services
3. Whether anonymous logins are allowed
4. Which network services require authentication
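From the defender's side, the scanning behaviour described above leaves a recognisable trace: one source touching many distinct destination ports in a short window. The following added Python example (not from the original notes) runs that detection over constructed firewall log lines; the log format, the threshold and the window length are assumptions made for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Constructed firewall log lines (not from the original notes): one host probes twelve
# ports on a server within seven seconds; a second host behaves like a normal web client.
SAMPLE_LOG = """\
2024-03-01T10:00:00Z DENY TCP 198.51.100.7:40001 -> 203.0.113.20:21
2024-03-01T10:00:01Z ALLOW TCP 198.51.100.7:40002 -> 203.0.113.20:22
2024-03-01T10:00:01Z DENY TCP 198.51.100.7:40003 -> 203.0.113.20:23
2024-03-01T10:00:02Z DENY TCP 198.51.100.7:40004 -> 203.0.113.20:25
2024-03-01T10:00:02Z ALLOW TCP 198.51.100.7:40005 -> 203.0.113.20:53
2024-03-01T10:00:03Z ALLOW TCP 198.51.100.7:40006 -> 203.0.113.20:80
2024-03-01T10:00:03Z DENY TCP 198.51.100.7:40007 -> 203.0.113.20:110
2024-03-01T10:00:04Z DENY TCP 198.51.100.7:40008 -> 203.0.113.20:135
2024-03-01T10:00:04Z DENY TCP 198.51.100.7:40009 -> 203.0.113.20:139
2024-03-01T10:00:05Z ALLOW TCP 198.51.100.7:40010 -> 203.0.113.20:443
2024-03-01T10:00:05Z DENY TCP 198.51.100.7:40011 -> 203.0.113.20:445
2024-03-01T10:00:06Z DENY TCP 198.51.100.7:40012 -> 203.0.113.20:3389
2024-03-01T10:00:07Z ALLOW TCP 198.51.100.23:52113 -> 203.0.113.20:443
2024-03-01T10:00:09Z ALLOW TCP 198.51.100.23:52114 -> 203.0.113.20:443
2024-03-01T10:00:15Z ALLOW TCP 198.51.100.23:52115 -> 203.0.113.20:80
2024-03-01T10:00:31Z ALLOW TCP 198.51.100.23:52116 -> 203.0.113.20:443
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

Event = Tuple[float, str, str, int]   # (timestamp, src, dst, dport)


def parse_events(lines: List[str]) -> List[Event]:
    """Parse the assumed log format into time-ordered events; unparseable lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").timestamp()
        events.append((ts, m["src"], m["dst"], int(m["dport"])))
    return sorted(events)


def detect_port_scans(lines: List[str], threshold: int = 10, window: float = 60.0) -> Dict[str, Set[int]]:
    """Flag sources that touch at least `threshold` distinct (host, port) pairs within
    `window` seconds. Returns {source_ip: set of destination ports that source touched}.
    Both allowed and denied connections count: a scan probes closed ports too."""
    per_src: Dict[str, List[Event]] = defaultdict(list)
    for ev in parse_events(lines):
        per_src[ev[1]].append(ev)
    flagged: Dict[str, Set[int]] = {}
    for src, evs in per_src.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window` seconds.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = {(dst, port) for _, _, dst, port in evs[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[src] = {port for _, _, _, port in evs}
                break
    return flagged
```

The threshold and window are the tuning knobs: a slow scan spread over hours needs a longer window and a correspondingly higher tolerance for ordinary clients, which is why counting distinct destination ports rather than raw connections keeps a busy but legitimate web client out of the alert.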
What is a Port?
A port is a logical endpoint on a computer through which programs exchange information with the internet, other devices, or other computers. To ensure consistency and simplify programming, ports are assigned port numbers. A port number, together with an IP address, forms the information that each internet service provider (ISP) uses to fulfill requests.
Port numbers range from 0 through to 65,536 and are ranked in terms of popularity. Ports numbered 0
to 1,023 are called “well-known” ports, which are typically reserved for internet usage but can also
have specialized purposes. These ports, which are assigned by the Internet Assigned Numbers
Authority (IANA), are held by leading businesses and Structured Query Language (SQL) services.
Ports are generally managed by the Transmission Control Protocol (TCP), which defines how to
establish and maintain a network conversation between applications, and User Datagram Protocol
(UDP), which is primarily used for establishing low-latency and loss-tolerating connections between
applications. Some of the most popular and most frequently used ports include:
1. Port 20 (UDP): File Transfer Protocol (FTP) used for transferring data
2. Port 22 (TCP): Secure Shell (SSH) protocol used for FTP, port forwarding, and secure logins
3. Port 23 (TCP): The Telnet protocol used for unencrypted communication
4. Port 53 (UDP): The Domain Name System (DNS), which translates internet domain names
into machine-readable IP addresses
5. Port 80 (TCP): The World Wide Web Hypertext Transfer Protocol (HTTP)
Ports numbered from 1,024 to 49,151 are considered “registered ports,” and they are registered by
software companies. The ports numbered from 49,152 to 65,536 are considered dynamic and private
ports, which can be used by almost everyone on the internet.

What are the Port Scanning Techniques?


A port scan sees packets sent to destination port numbers using various techniques. Several of these
include:
1. Ping scans: A ping scan is considered the simplest port scanning technique. They are also
known as internet control message protocol (ICMP) requests. Ping scans send a group of
several ICMP requests to various servers in an attempt to get a response. A ping scan can be
used by an administrator to troubleshoot issues, and pings can be blocked and disabled by a
firewall.
2. Vanilla scan: Another basic port scanning technique, a vanilla scan attempts to connect to all
of the 65,536 ports at the same time. It sends a synchronize (SYN) flag, or a connect request.
When it receives a SYN-ACK response, or an acknowledgment of connection, it responds
with an ACK flag. This scan is accurate but easily detectable because a full connection is
always logged by firewalls.
3. SYN scan: Also called a half-open scan, this sends a SYN flag to the target and waits for a
SYN-ACK response. In the event of a response, the scanner does not respond back, which
means the TCP connection was not completed. Therefore, the interaction is not logged, but
the sender learns if the port is open. This is a quick technique that hackers use to find
weaknesses.
4. XMAS and FIN scans: Christmas tree scans (XMAS scans) and FIN scans are more discreet
attack methods. XMAS scans take their name from the set of flags that are turned on within a
packet which, when viewed in a protocol analyzer like Wireshark, appear to be blinking like a
Christmas tree. This type of scan sends a set of flags, which, when responded to, can disclose
insights about the firewall and the state of the ports. A FIN scan sees an attacker send a FIN
flag, often used to end an established session, to a specific port. The system’s response to it
can help the attacker understand the level of activity and provide insight into the
organization's firewall usage.
5. FTP bounce scan: This technique enables the sender to disguise their location by using an
FTP server to bounce a packet.
6. Sweep scan: This preliminary port scanning technique sends traffic to a port across several
computers on a network to identify those that are active. It does not share any information
about port activity but informs the sender whether any systems are in use.

Different Types of Port Checker or Scanner


There are several different port scanning or checking techniques, including:
1. Ping scans: A ping is used to check whether a network data packet can reach an IP address
without any issues. Ping scans involve automated transmissions of several ICMP requests to
various servers.
2. Half-open or SYN scans: Attackers can check the state of a port without creating a full
connection by using a half-open scan, often known as a SYN scan. This kind of scan just
transmits a SYN message and does not complete a connection with the recipient.
3. XMAS scans: XMAS scans send a number of packets to a port to check if it is open. If the
port is closed, the scanner gets a response. If it does not get a response, that means the port is
open and can be used to access the network.

What type of port scan results can you get from port scanning?
Port scan results reveal the status of the network or server and can be described in one of three
categories: open, closed, or filtered.
• Open ports: Open ports indicate that the target server or network is actively accepting
connections or datagrams and has responded with a packet that indicates it is listening. It also
indicates that the service used for the scan (typically TCP or UDP) is in use as well.
Finding open ports is typically the overall goal of port scanning and a victory for a
cybercriminal looking for an attack avenue. The challenge for IT administrators is trying to
barricade open ports by installing firewalls to protect them without limiting access for
legitimate users.
• Closed ports: Closed ports indicate that the server or network received the request, but there
is no service “listening” on that port. A closed port is still accessible and can be useful in
showing that a host is on an IP address. IT administrators should still monitor closed ports as
they could change to an open status and potentially create vulnerabilities. IT administrators
should consider blocking closed ports with a firewall, where they would then become
“filtered” ports.
• Filtered ports: Filtered ports indicate that a request packet was sent, but the host did not
respond and is not listening. This usually means that a request packet was filtered out and/or
blocked by a firewall. If packets do not reach their target location, attackers cannot find out
more information. Filtered ports often respond with error messages reading “destination
unreachable” or “communication prohibited.”
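The three result categories above correspond to three distinct outcomes of a TCP connect() call, which is exactly what a connect scan (nmap -sT) observes. The following is an added example, not code from the original notes: it probes a host you administer and maps the socket outcome onto open, closed or filtered. The demo listener and the free-port helper are constructed so that it runs offline against 127.0.0.1; a filtered result can only be seen against a real firewall.

```python
"""Classify TCP ports as open, closed or filtered using a connect() probe.

Added example, not from the original notes.  It does what a TCP connect
scan (nmap -sT) does for one port and maps the socket outcome onto the
three result categories described above.  Use it against hosts you
administer, e.g. to confirm that a firewall really filters a port.
"""
import errno
import socket
import threading
from typing import Dict, Iterable


def classify_port(host: str, port: int, timeout: float = 1.0) -> str:
    """Return 'open', 'closed' or 'filtered' for one TCP port.

    open     -> the three-way handshake completed, so a service is listening
    closed   -> the host answered with RST, surfaced as ECONNREFUSED
    filtered -> nothing came back within the timeout (a firewall dropped
                the SYN), or an ICMP "prohibited"/"unreachable" error
                arrived (typically EHOSTUNREACH / ENETUNREACH on Linux)
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except socket.timeout:
        return "filtered"
    except OSError as exc:
        if exc.errno == errno.ECONNREFUSED:
            return "closed"
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"
        raise
    finally:
        sock.close()


def scan_ports(host: str, ports: Iterable[int], timeout: float = 1.0) -> Dict[int, str]:
    """Probe each port in turn and return {port: state}."""
    return {port: classify_port(host, port, timeout) for port in ports}


def start_demo_listener() -> int:
    """Start a throwaway TCP listener on 127.0.0.1 and return its port.

    Constructed for the demo so the probe has an open port to find; it
    accepts and immediately closes connections in a background thread.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:
                break

    threading.Thread(target=serve, daemon=True).start()
    return port


def free_closed_port() -> int:
    """Return a port on 127.0.0.1 that nothing listens on (bind, read, release)."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    listening = start_demo_listener()
    unused = free_closed_port()
    for port, state in scan_ports("127.0.0.1", [listening, unused]).items():
        print(f"127.0.0.1:{port} -> {state}")
```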
Network Scanning
Network scanning is the process of probing the active devices on your network for
vulnerabilities. It identifies and examines the connected devices by using one or more features of
the network protocols. These features pick up vulnerability signals and give you feedback on the
security status of your network.
Network scanning facilitates system maintenance, monitoring, and security assessments. When
implemented effectively, network scanning gives you insights into some of the best ways to protect
your network against cyberattacks.
How Does Network Scanning Work?
Network scanning is simplified by purpose-built tools. In practice the scan is carried out by
network administrators, who scan the network to enumerate IP addresses and detect the live hosts
connected to it.
Keep in mind that cybercriminals use the same technique to spot weaknesses in your network. The
idea is to identify the loopholes before the bad guys discover them.
For network administrators to identify how IP addresses are mapped in the network, they may need to
use tools such as Nmap.
Nmap is an effective network scanning tool that uses IP packets to detect devices attached to a
network. It helps to simplify the mapping of IP addresses.
You can use network scanners to inspect where the network is stronger or weaker in your workplace
with the help of network administrators.
A basic working rule of network scanning is to identify all devices on a network and map their IP
addresses. To do this, you must use the network scanner to forward a packet to all available IP
addresses connected to the network.
After sending this ping, you wait for the responses. Once they arrive, the network scanner uses
them to measure the status and inconsistencies of each host or application. Devices that respond
are considered active; devices that do not respond are considered inactive.
Network administrators can also use Address Resolution Protocol (ARP) scan to evaluate the system
manually. But if the goal of the network administrator is to reach all active hosts, it's advisable to use
tools that support automatic running scans.
One of the best tools that you can use to attain such a milestone is the Internet Control Message
Protocol (ICMP) scan. It helps you map the network accurately without failure.
Many security-conscious companies allocate high budgets to advanced network scanning tools to
secure their networking systems. But they may not get the desired results if they make the wrong
choice. The effective scanning tools you should consider include Acunetix, Nikto, Spyse, Swascan, IP
Address Manager, and SolarWinds Network Performance Monitor.
Types of Network Scanners
Scanning your network properly requires using the right tools and methods. Each method is
determined by what you want to achieve with your scanning. There are two major kinds of network
scanning—port scanning and vulnerability scanning.
1. Port Scanning
Port scanning enables you to identify open ports in a network that can receive or send data. You can
use it to send packets to targeted ports on a device. This process highlights loopholes and analyzes
performance feedback.
Before implementing port scanning, you have to identify the list of active devices and maps to their IP
addresses.
The primary goal of port scanning is to use the data it acquires from active devices to diagnose
security levels.
2. Vulnerability Scanning
Vulnerability scanning helps you to detect vulnerabilities that exist on your network. Running a check
on your system exposes threats that were hidden away from you.
In most organizations, vulnerability scanning is conducted by the IT department. But if you want to
get thorough feedback, consider hiring a third-party security expert. Since they aren't familiar with
your network, they'll conduct an objective analysis from an outsider's perspective.
Vulnerability scanning can also be performed by cyberattackers intending to identify weak spots in
your network. Beat them to it by identifying and closing the weak links.
Besides identifying loopholes, vulnerability scanning also evaluates the security capacity of your
network against cyberattacks. It uses a database to analyze possible attacks. This database provides
the vulnerability scanner with packet construction anomalies, flaws, default configurations, paths to
sensitive data, and coding bugs that can enable cyber attackers to exploit your network.
What Are the Benefits of Network Scanning?
Like most innovative solutions, network scanning offers several benefits. One thing is certain—it
gives your system a better footing. In what ways exactly, though? Let's take a look.
1. Increased Network Performance
Network scanning plays a key role in increasing network performance and maximizing the speed of
network operations.
In a complex organizational network, multiple subnets of various IP addresses are assigned to several
devices to improve their performance on the system. Scanning these devices helps to remove clogs
and creates a free flow for optimal performance.
2. Protection Against Cyberattacks
Network scanning is so useful that cybercriminals also use it to discover vulnerabilities in a network.
When you fail to scan your network for threats and vulnerabilities, you're indirectly inviting attackers
for a visit.
Carrying out regular network scanning is an effective way to keep your system free from
cyberattacks. It's similar to implementing intrusion detection systems to spot emerging threats.
3. Save Time and Money
Scanning your network manually is tedious and time-consuming. The scanning process can drag on
for a long time, and while your work is on hold you lose money in the long run.
Network scanning is an automated process. It evaluates tons of data within a short time. You get it
over with as soon as possible and keep your workflow moving.
The purpose of network scanning is as follows:
• Recognize available UDP and TCP network services running on the targeted hosts
• Recognize filtering systems between the user and the targeted hosts
• Determine the operating systems (OSs) in use by assessing IP responses
• Evaluate the target host’s TCP sequence number predictability to assess its exposure to
sequence prediction attacks and TCP spoofing

What is Vulnerability Scanning?


Vulnerability scanning is the process of discovering, analyzing, and reporting on security flaws and
vulnerabilities. Vulnerability scans are conducted via automated vulnerability scanning tools to
identify potential risk exposures and attack vectors across an organization’s networks, hardware,
software, and systems. Vulnerability scanning and assessment is an essential step in the vulnerability
management lifecycle.
Once vulnerabilities have been identified through scanning and assessed, an organization can pursue a
remediation path, such as patching vulnerabilities, closing risky ports, fixing misconfigurations, and
even changing default passwords, such as on internet of things (IoT) and other devices.
The Benefits of Vulnerability Scanning
Vulnerability scanning is a vital part of your security team’s overall IT risk management approach for
several reasons:
• Vulnerability scanning lets you take a proactive approach to closing any gaps and maintaining
strong security for your systems, data, employees, and customers. Data breaches are often the
result of unpatched vulnerabilities, so identifying and eliminating these security gaps
removes that attack vector.
• Cybersecurity compliance and regulations demand secure systems. For instance, NIST, PCI
DSS, and HIPAA all emphasize vulnerability scanning to protect sensitive data.
• Cyber criminals also have access to vulnerability scanning tools, so it is vital to carry out
scans and take restorative actions before hackers can exploit any security vulnerabilities.
The Main Types of Vulnerability Scans
Some vulnerability scanning tools are comprehensive in their coverage, able to perform multiple
types of scans across heterogeneous environments that include on-prem, Unix, Linux, Windows,
cloud, off-site, and onsite. Other scanning tools serve particular niches, so it’s always critical to
thoroughly explore your use cases before investing in a scanner.
Let’s now explore some different types of vulnerability scans, which each have their place, depending
on your use cases.
Credentialed Scans vs. Non-Credentialed Scans
Credentialed and non-credentialed scans (also referred to, respectively, as authenticated and
non-authenticated scans) are the two main categories of vulnerability scanning.
Non-credentialed scans, as the name suggests, do not require credentials and do not get trusted access
to the systems they are scanning. While they provide an outsider’s eye view of an environment, they
tend to miss most vulnerabilities within a target environment. So, while they can provide some
valuable insights to a potential attacker as well as to a security professional trying to gauge risk from
the outside, non-credentialed scans give a very incomplete picture of vulnerability exposure.
On the other hand, credentialed scans require logging in with a given set of credentials. These
authenticated scans are conducted with a trusted user’s eye view of the environment. Credentialed
scans uncover many vulnerabilities that traditional (non-credentialed) scans might overlook. Because
credentialed scans require privileged credentials to gain access for scanning, organizations should
look to integrate an automated privileged password management tool with the vulnerability scanning
tool, to ensure this process is streamlined and secure (such as by ensuring scan credentials do not
grow stale).
Here are some other ways that scans may be categorized, based on use case.
External Vulnerability Scans
These scans target the areas of your IT ecosystem that are exposed to the internet, or are otherwise not
restricted to your internal users or systems. They can include websites, ports, services, networks,
systems, and applications that need to be accessed by external users or customers.
Internal Vulnerability Scans
These scan and target your internal corporate network. They can identify vulnerabilities that leave you
susceptible to damage once a cyberattacker or piece of malware makes it to the inside. These scans
allow you to harden and protect applications and systems that are not typically exposed by external
scans.
Environmental Scans
These scans are based on the environment that your technology operates in. Specialized scans are
available for multiple different technology deployments, including cloud-based, IoT devices, mobile
devices, websites, and more.
Intrusive Versus Non-Intrusive Scans
Non-intrusive scans simply identify a vulnerability and report on it so you can fix it. Intrusive scans
attempt to exploit a vulnerability when it is found. This can highlight the likely risk and impact of a
vulnerability, but may also disrupt your operational systems and processes, and cause issues for your
employees and customers — so use intrusive scanning with caution.
Vulnerability Scanning Challenges
There are several challenges that arise in conducting vulnerability scanning:
A scan only represents a moment in time
Most scans are “snapshots,” not continuous. Because your systems are changing all the time, you
should run scans regularly as your IT ecosystem changes.
A scan may need human input or further integrations to deliver value
Although the scanning process itself is easily automated, a security expert may still need to review the
results, complete remediation, and follow-up to ensure risks are mitigated. Many organizations also
integrate vulnerability scanning with automated patch management and other solutions to help reduce
the human administrative burden. Regardless, the scan itself is only an early step in the vulnerability
management lifecycle.
A credentialed scan may require many privileged access credentials
How many credentials are needed depends on how thorough a scan is desired. Therefore, automating
the management of these credentials and their integration with the scanner should be considered,
to maximize both the depth of the scan and privileged access security.
A scan only identifies known vulnerabilities
A vulnerability scanning tool is only as good as its database of known faults and signatures. New
vulnerabilities emerge all the time, so your tool will need to be continually updated.

Scanning methodology
1. Check for live systems. Something as simple as a ping can provide this. This gives you a list of
what’s actually alive on your network subnet.

2. Check for open ports. Once you know which IP addresses are active, find what ports
they’re listening on.

3. Scan beyond IDS. Sometimes your scanning efforts need to be altered to avoid those
pesky intrusion detection systems.

4. Perform banner grabbing. Banner grabbing and OS fingerprinting will tell you what operating
system is on the machines and which services they are running.

5. Scan for vulnerabilities. Perform a more focused look at the vulnerabilities these machines haven’t
been patched for yet.

6. Draw network diagrams. A good network diagram will display all the logical and physical
pathways to targets you might like.

7. Prepare proxies. This obscures your efforts to keep you hidden.


Scanning Methodology
• Check for Live Systems: A ping scan checks for live systems by sending ICMP echo request
packets. If a system is alive, it responds with an ICMP echo reply packet, from which details
such as TTL and packet size can be read.
• Check for Open Ports: Port scanning helps us to find open ports, the services running on
them, their versions, etc. Nmap is the powerful tool used mainly for this purpose.
We have various types of scan:
Connect scan: Identifies open ports by establishing a TCP handshake with the target.

Nmap command: nmap -sT -v -p- <TargetIP>


Half-open scan, otherwise known as a stealth scan, is used to scan the target stealthily by not
completing the TCP handshake: the communication is abruptly reset instead.

Source: https://www.safaribooksonline.com
Nmap command: nmap -sS -v <TargetIp>
XMAS scan: This is also called inverse TCP scanning. It works by sending packets with the
PSH, URG and FIN flags set. The target does not respond if the port is open and sends a reset
response if the port is closed.

Source: https://www.information-security.fr
FIN scan: The FIN flag is set in the TCP packets sent to the target. Open ports do not respond
while closed ports send a reset response.

Source: https://securitcrs.wordpress.com
Nmap command: nmap -sF <targetIp>
ACK scan: Here the attacker sets the ACK flag in the TCP header and the target's port status is
gathered based on window size and TTL value of RESET packets received from the target.

Source: https://www.hackingloops.com
Nmap command: nmap -sA -v <targetip>
Null Scan: Works by sending TCP packets with no flags set to the target. Open ports do not respond
while closed ports respond with a RESET packet.

Nmap Command: nmap -sN -p- <targetIP>


Idle Scan: Here the attacker tries to mask his identity by using an idle machine on the network to
probe the status details of the target’s ports.

Source: https://en.wikipedia.org/wiki/Idle_scan
Nmap command : nmap -Pn -sI ZombieIp TargetIp
Banner Grabbing
Banner grabbing is a process of collecting information like operating system details, the name of the
service running with its version number etc.
Vulnerability scanning:
Mainly automated tools are used for this purpose. These automated scanners scan the target to find
vulnerabilities or weaknesses in the target organization which can be exploited by attackers.
Vulnerabilities include application vulnerabilities, configuration vulnerabilities, network
vulnerabilities, operating system vulnerabilities, etc.
Some examples include an operating system that is not updated, default passwords in use, plain-text
protocols in use, vulnerable protocols running, etc.
Tools: Nessus, Acunetix
Draw Network Diagrams
With the information gathered, the attacker can come up with a network diagram which might give
him information about the network and architecture of the target organization, helping him to
identify the target easily.
Tools: Network View, OpManager, etc.
Prepare Proxies
Proxies can be used to maintain the anonymity of the attacker by masking the IP address. A proxy
can capture information passing through it, since it acts as an intermediary between client and
server, and the attacker can access resources remotely through the proxy.
Eg: Tor browser, onion sites, Proxify, Psiphon, etc.
Countermeasures:
• Configure IDS and firewall to block probes.
• Keep firewall, router and IDS firmware updated.
• Run port scanners to verify the security of the target.
• Add rules in the firewall restricting access to ports.
• Disable ICMP-based scanning at the firewall.
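The countermeasures above rely on the firewall or IDS actually seeing the probes: half-open, FIN, XMAS and NULL scans never complete a connection, so the applications behind the ports log nothing and the firewall log is where the evidence lands. The following detector is an added example, not from the notes: it parses iptables-style LOG lines (a constructed sample is embedded, the [PROBE] log prefix is assumed) and alerts when one source hits many distinct ports in a short window, or sends the flag combinations only scanners use. The window and port thresholds are my own choices.

```python
"""Spot port-scan probes in firewall log lines (added example, not from the notes).

Input is iptables-style LOG output; the sample is constructed.  Two signals:
one source touching many distinct ports in a short window, and TCP flag
combinations that only scanners send (Xmas, FIN, NULL).
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime
from typing import Deque, Dict, FrozenSet, List, Optional, Tuple

# Constructed sample: a SYN scan from 203.0.113.7, normal HTTPS traffic from
# 198.51.100.5, and Xmas + NULL probes from 203.0.113.9.
SAMPLE_LOG = """\
Mar  3 10:15:00 fw kernel: [PROBE] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Mar  3 10:15:01 fw kernel: [PROBE] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=41231 DPT=21 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:15:01 fw kernel: [PROBE] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=41231 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:15:02 fw kernel: [PROBE] IN=eth0 OUT= SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP SPT=50210 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:15:02 fw kernel: [PROBE] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=41231 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:15:02 fw kernel: [PROBE] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=41231 DPT=25 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:15:03 fw kernel: [PROBE] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=41231 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:15:03 fw kernel: [PROBE] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=41231 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:15:05 fw kernel: [PROBE] IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=53000 DPT=80 WINDOW=1024 RES=0x00 URG PSH FIN URGP=0
Mar  3 10:15:06 fw kernel: [PROBE] IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=53001 DPT=22 WINDOW=1024 RES=0x00 URGP=0
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) .*?"
    r"SRC=(?P<src>\S+) DST=\S+ .*?PROTO=(?P<proto>\S+)(?: SPT=\d+ DPT=(?P<dpt>\d+))?"
)
TCP_FLAGS = ("SYN", "ACK", "FIN", "RST", "PSH", "URG")


@dataclass
class Probe:
    ts: datetime
    src: str
    proto: str
    dpt: Optional[int]          # None for lines without ports, e.g. ICMP
    flags: FrozenSet[str]


def parse_line(line: str) -> Optional[Probe]:
    """Parse one iptables LOG line; None for lines that are not firewall events."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; strptime defaults to 1900, fine for deltas.
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    flags = frozenset(f for f in TCP_FLAGS if re.search(rf"\b{f}\b", line))
    return Probe(ts, m["src"], m["proto"], int(m["dpt"]) if m["dpt"] else None, flags)


def scan_signature(flags: FrozenSet[str]) -> Optional[str]:
    """Name the scan a TCP flag set betrays, or None for ordinary traffic."""
    if not flags:
        return "NULL scan"            # no flags at all never occurs in a real session
    if flags == {"FIN", "PSH", "URG"}:
        return "Xmas scan"            # the 'lit up' combination described above
    if flags == {"FIN"}:
        return "FIN scan"             # FIN without ACK has no legitimate use
    return None


def detect_port_scans(lines: List[str], window_seconds: int = 10,
                      min_ports: int = 5) -> Dict[str, List[int]]:
    """{src: sorted ports} for sources hitting >= min_ports distinct ports in a window."""
    probes = [p for p in map(parse_line, lines) if p is not None and p.dpt is not None]
    probes.sort(key=lambda p: p.ts)
    recent: Dict[str, Deque[Probe]] = defaultdict(deque)
    alerts: Dict[str, set] = {}
    for p in probes:
        window = recent[p.src]
        window.append(p)
        while (p.ts - window[0].ts).total_seconds() > window_seconds:
            window.popleft()          # slide the window forward
        ports = {q.dpt for q in window}
        if len(ports) >= min_ports:
            alerts.setdefault(p.src, set()).update(ports)
    return {src: sorted(ports) for src, ports in alerts.items()}


def detect_stealth_flags(lines: List[str]) -> List[Tuple[str, int, str]]:
    """(src, dst_port, scan_name) for TCP probes carrying scanner-only flag sets."""
    hits = []
    for p in map(parse_line, lines):
        if p is not None and p.proto == "TCP" and scan_signature(p.flags):
            hits.append((p.src, p.dpt, scan_signature(p.flags)))
    return hits


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("port-scan sources:", detect_port_scans(lines))
    print("stealth-flag probes:", detect_stealth_flags(lines))
```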

What is Ping Sweep?


Ping sweep is a technique built on the IP-level ping. Ping scanning is one of the most efficient
ways to find network vulnerabilities and perform network discovery. It also saves a lot of time
because the ping sweep procedure is pretty simple. Pinging a well-known service such as google.com
gives back many results, and we can learn our situation from the result we get back. Pinging a
network or system allows us to determine whether a host is alive or dead. This network-based
utility can ping one IP or check a whole list of IPs in a single or continuous scan. In response
to pinging a host, we get data back as an echo. Calling a host alive means we have identified that
the system is active and what its network status is; dead means the host is either inactive,
non-responsive, or shut down. Hosts can be network servers, computers, websites, printers, or any
remote network device.
Ping Sweep is an information-gathering technique used to identify live hosts by pinging them. In
more technical terms it is also known as a ping scan or Internet Control Message Protocol (ICMP)
scan. One host (the user) requests data and the receiving host accepts it and sends back packets
of information in bytes. In between, these packets get validated and a response comes back to the
sending host. For this reason, ping sweep or ping scan is also known as a two-way handshake protocol.
Ping and Ping Sweep are not the same
The term ping first came from sonar technology. Submarines go deep into the ocean, where visibility
is zero: no light can pass, but sound waves can, as water is a great conductor of sound. Sonar
sends signals in all directions; the signal bounces back from obstacles on all sides, making it
possible to map live data from the surrounding area. That system was called pinging and gave the
utility its name, but in computing the term refers to an IP network utility tool.
Network administrators can ping devices connected to a specific network; of course, the device has
to be on that network. With an ICMP ping sweep, on the other hand, we can quickly diagnose a network
issue and find out what is going on with a host. Even remote devices on different IPs can be
reached by a ping sweep.
Purpose of Ping Sweep
Ping sweep is used to gain various information over the host. It has the potential to address a range of
IPs for live mapping. In regular pinging, we have echo request and echo-response functions. It’s a way
of data request and gaining sufficient knowledge on a network device. It can also map a range of IPs.
The echo request reveals information regarding the IP we ping. Local pinging goes via the local
DNS server and the output includes a round-trip time (RTT). A ping sweep uses ICMP echo requests
too, but it can send packets of data to reveal in-depth information about a host or a range of
hosts. Finding live and dead IPs, detecting bad traffic and rogue network devices, and matching
only permitted IPs on the network are a few results that can be documented by ping sweeping.
Regular pinging can be done from the console on admin devices, but ICMP sweeping requires more
advanced software packages. For the same reason, these packages can be configured any way the
admin wants to achieve live mapping of a DHCP environment.
Generally, we can either conduct a Normal Ping Sweep or Flood Pinging. Once we have the target IP
address of the host, we can ping that IP address and determine whether the host is alive or not. Once
packets are received correctly, then we can confirm host stats. The data will help in conducting further
work on the host. This is a normal ping sweep.
On the other hand, flood pinging is quite like a denial-of-service attack. It occurs when a website or
host is flooded with lots of pings. The result of it is pretty serious. Regular legitimate users may not
use the service or host at the time of flood pinging moment. Every website or victim network has a
maximum capacity and when flood pinging crosses that limit, it jams the network and the host stops
responding. Automated scripts or flood pinging software are used for this kind of experiment. Flood
pinging is sometimes called a “Ping of Death” as it makes the host behave like a dead host. Flood
pinging is mostly used for session hijacking.
Best tools for Ping Sweep
Since there are many tools for ping sweeps, we are only highlighting the best ones. They are
simple to use and can easily perform all the advanced tasks an admin may require. As ping sweep
requires packages and special features, it is important to use tools: they save time and their
display systems are well thought out. Reviewing and going through the data becomes easier for
anyone looking to assess the state of a network or find vulnerabilities. Our top picks consist of:
1. SolarWinds IP Address Manager (IPAM)
2. SolarWinds Engineer’s Toolset (ETS)
3. ManageEngine OpManager
4. Advanced IP Scanner
5. Paessler PRTG Network Monitor

Nmap command switches


Nmap is probably the most famous reconnaissance tool among pentesters and hackers. It is essentially
a port scanner that helps you scan networks and identify the ports and services available in the
network, besides also providing further information on targets, including reverse DNS names,
operating system guesses, device types, and MAC addresses. It also comes in handy during network
auditing!
The barebone syntax of Nmap is:
$ nmap [FLAGS] [IP]
Note that you may also need to run it with sudo privileges at times to perform some particular types
of scans.
Nmap Switches
Nmap is a strong and powerful network scanning tool which allows our scans to be customized
with the help of flags passed via the command line. Some of the important flags are:
• -h: Print a help summary page
• -sS: Perform a TCP SYN scan
• -sU: Perform a UDP scan
• -sV: Probe open ports to determine service/version info
• -O: Enable OS detection
• -v: Enable verbosity. You can even set the verbosity level as such:
  • -vv: Level 2 verbosity. The minimum level of verbosity advised for use.
  • -v3: Level 3 verbosity. You can always specify the verbosity level by specifying a
    number like this.
• -oA: Save Nmap output in “normal”, XML and grepable formats. However, you can specify
  the format of your choice with:
  • -oN: Redirect normal output to a given filename
  • -oX: Produce output in a clean XML format and store it in a given file
  • -oG: Produce “grepable” output and store it to a file. Deprecated format, as users are
    now moving towards XML outputs.
• -A: Enables “aggressive” scanning. Presently this enables OS detection (-O), version scanning
  (-sV), script scanning (-sC) and traceroute (--traceroute)
• -p: Specify the ports to scan. It can be a single port as well as a range of ports. For example:
  • nmap -p 80 127.0.0.1: This scans port 80 on localhost
  • nmap -p 1-100 127.0.0.1: This scans ports from 1 to 100 on localhost
  • nmap -p- 127.0.0.1: This scans all the ports on the localhost
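The -oX output format above is the one worth post-processing when you scan your own hosts to verify their security, because it is structured and stable. The following is an added example, not code from the notes or from the Nmap project: it summarises a report in Nmap's documented XML layout (nmaprun, host, status, address, ports, port, state, service, plus the extraports element Nmap emits for ports that share one state) into per-host state counts, open ports with detected services, and open plain-text services. The report is a constructed sample and the list of plain-text services is my own choice.

```python
"""Summarise an Nmap XML report (-oX) per host (added example, not from the
notes or the Nmap project).

The element layout follows Nmap's -oX format; the report is a constructed
sample, and CLEARTEXT_SERVICES is my own list, not an Nmap classification.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -oX scan.xml 192.0.2.0/30" version="7.94">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.0.2.1" addrtype="ipv4"/>
    <ports>
      <extraports state="closed" count="996"><extrareasons reason="reset" count="996"/></extraports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="23"><state state="open" reason="syn-ack"/><service name="telnet"/></port>
      <port protocol="tcp" portid="80"><state state="filtered" reason="no-response"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="closed" reason="reset"/><service name="https"/></port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.0.2.2" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# Services that carry credentials in the clear; the notes list plain-text
# protocols as a typical vulnerability-scan finding.
CLEARTEXT_SERVICES = {"telnet", "ftp", "pop3", "imap", "rlogin", "login"}


def parse_nmap_xml(xml_text: str) -> List[Dict]:
    """Turn an -oX report into a list of {addr, up, ports, extra} dicts."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.findall("host"):
        addr = next((a.get("addr") for a in host.findall("address")
                     if a.get("addrtype") == "ipv4"), None)
        up = host.find("status").get("state") == "up"
        ports = []
        for port in host.findall("./ports/port"):
            state = port.find("state")
            svc = port.find("service")
            ports.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": state.get("state"),
                "reason": state.get("reason"),      # syn-ack, reset, no-response, ...
                "service": svc.get("name") if svc is not None else None,
                "product": " ".join(v for v in (svc.get("product"), svc.get("version")) if v)
                           if svc is not None else "",
            })
        # Nmap folds the ports that share one state into <extraports count=...>.
        extra = {e.get("state"): int(e.get("count"))
                 for e in host.findall("./ports/extraports")}
        hosts.append({"addr": addr, "up": up, "ports": ports, "extra": extra})
    return hosts


def count_by_state(host: Dict) -> Dict[str, int]:
    """Count ports per state, including those folded into <extraports>."""
    counts: Dict[str, int] = dict(host["extra"])
    for p in host["ports"]:
        counts[p["state"]] = counts.get(p["state"], 0) + 1
    return counts


def open_ports(host: Dict) -> List[Tuple[int, str, str]]:
    """(port, service, product) for every open port on the host."""
    return [(p["port"], p["service"], p["product"])
            for p in host["ports"] if p["state"] == "open"]


def cleartext_findings(hosts: List[Dict]) -> List[Tuple[str, int, str]]:
    """(addr, port, service) for open ports running a plain-text protocol."""
    return [(h["addr"], port, svc) for h in hosts
            for port, svc, _ in open_ports(h) if svc in CLEARTEXT_SERVICES]


if __name__ == "__main__":
    report = parse_nmap_xml(SAMPLE_NMAP_XML)
    for h in report:
        print(h["addr"], "up" if h["up"] else "down", count_by_state(h), open_ports(h))
    print("plain-text services:", cleartext_findings(report))
```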
Scan Types in Nmap
Nmap supports a lot of different scan types. However the most popular ones are:
1. TCP Connect Scans (-sT)
In this type of scan, Nmap sends a TCP packet to a port with the SYN flag set. In this scenario two
things can occur :
• The target responds with an RST packet that signifies that the port is closed.
• The target doesn’t respond at all, probably due to a firewall dropping all incoming packets, in
which case the port will be considered filtered.
• The target responds back with a TCP packet with the SYN/ACK flags set, which signifies that the
port is open, and then Nmap responds with a TCP packet with the ACK flag set and hence completes
the TCP 3-way handshake.
This is not a very reliable scan technique as it is easy to configure a firewall rule to respond back with
RST packets or drop all incoming packets. Also this method is extremely slow as it waits for the entire
TCP 3 way handshake.
2. SYN “Half-open” Scans (-sS)
SYN scans, also known as “Half-Open” or “Stealth Scan” are an improvement over the previous
method. In the previous method where we were sending back a TCP packet with the ACK flag set
after receiving an SYN/ACK packet, now we would be sending an RST packet. This prevents the
server from repeatedly trying to make the requests and massively reduces scan times.
This method is an improvement on the previous ones because:
• They are faster
• They might be able to bypass some primitive firewalls
• Often, SYN Scans are not logged by applications running on the ports, as most applications
start logging a connection only after it has been fully established, which is not the case with
SYN Scans
However, it is not advisable to run SYN Scans on production environments as it might break certain
unstable applications. It is also to be noted that SYN scans also require sudo privileges because it
needs to craft raw packets.
Infact, when run with sudo privileges, nmap defaults to SYN Scans, otherwise it defaults to TCP scan.
3. UDP Scans (-sU)
UDP scans are much less reliable than the previous two, as UDP is stateless by nature.
This means that there is no “feedback mechanism” like the one TCP provides. UDP works on the principle of “fire and
forget”: it sends packets to the target ports and hopes that they make it. This emphasises speed over
reliability, and the lack of a feedback mechanism makes it difficult to identify open ports.
When a UDP packet is sent to a target port, there are three possible outcomes:
 Usually no response is received. In that case Nmap sends another UDP packet to double-check,
and if there is still no response, it marks the port as open|filtered and moves on.
 The target may send a UDP response back, which is rare. In that case the port is marked
open.
 If the port is closed, the target responds with an ICMP message signifying that the port is
unreachable, and the port is marked closed.
Special Scans in Nmap
Apart from these, there are some less popular scan types that are even “stealthier” than a TCP SYN scan.
These are as follows:
1. TCP Null Scans (-sN)
In TCP Null scans, the TCP packets sent don’t have any flags set. According to the RFC, under
such a circumstance the target should respond with an RST if the port is closed.
2. TCP FIN Scans (-sF)
This is very similar to the TCP Null scan, except that instead of sending a completely
empty TCP packet, it sends a packet with the FIN flag set, which is normally used to gracefully close a
connection. Accordingly, the target must respond with an RST for closed ports, as per the RFC.
3. TCP Xmas Scans (-sX)
TCP Xmas scans are also very similar to the last two scan techniques, except that they use
TCP packets with the PSH, URG and FIN flags set. Like the last two scan types, this one too expects RST
packets for closed ports under the RFC.
Limitations
As these scans are similar in nature, they also produce similar output, which closely resembles that of
UDP scans. In this case, we can only have the following three responses:
 open|filtered : When no response is received, the port is categorized as this because
no response can mean only two things:
 The port is open
 The port is protected behind a firewall and hence filtered
 filtered : When the port is protected behind a firewall which sends an ICMP ping back
 closed : When an RST packet is received
It should also be noted that although RFC 793 mandates that network hosts respond to malformed packets
with an RST TCP packet for closed ports, and not respond at all for open ports, some systems ignore
this convention. This behaviour is mostly observed on Microsoft Windows servers and some Cisco
devices, where all malformed packets are dropped by default.
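The flag combinations above are exactly what a network sensor keys on to spot these scans. The following is an added example (not code from the notes or from Nmap): a defender-side classifier that tags inbound TCP segments by flag combination and summarises, per source host, which technique it appears to be running; the packet records are constructed inline.

```python
"""Classify inbound TCP segments by the flag combinations described above.

Added example, not code from the notes or from Nmap: a sensor-side view of
Null (-sN), FIN (-sF), Xmas (-sX), SYN half-open (-sS) and TCP connect (-sT)
probes.  Only segments sent *by* the remote host are recorded; the packet
records below are constructed for the demonstration.
"""
from collections import Counter, defaultdict

# TCP flag bits as laid out in the header (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def classify_probe(flags: int) -> str:
    """Name the scan technique a single segment's flags are consistent with."""
    if flags == 0:
        return "null"            # -sN: no flags at all
    if flags == FIN:
        return "fin"             # -sF: only FIN
    if flags == (PSH | URG | FIN):
        return "xmas"            # -sX: PSH+URG+FIN
    if flags == SYN:
        return "syn"             # first packet of both -sS and -sT
    return "other"


def summarise_scans(packets, min_ports=5):
    """Group segments by source host and decide what kind of scan each host
    appears to run.  A SYN followed by RST (never ACK) toward the same port is
    the half-open pattern; SYN followed by ACK is a completed connect scan.
    Returns {src: {"type": ..., "ports": n}} for sources that touched at
    least `min_ports` distinct ports."""
    seen = defaultdict(lambda: defaultdict(set))   # src -> dport -> {flags}
    for p in packets:
        seen[p["src"]][p["dport"]].add(p["flags"])

    report = {}
    for src, ports in seen.items():
        if len(ports) < min_ports:
            continue
        kinds = Counter()
        for flagsets in ports.values():
            stealth = {classify_probe(f) for f in flagsets} & {"null", "fin", "xmas"}
            if stealth:
                kinds[stealth.pop()] += 1
            elif SYN in flagsets and any(f & ACK for f in flagsets):
                kinds["connect"] += 1          # three-way handshake completed
            elif SYN in flagsets and any(f & RST for f in flagsets):
                kinds["syn-half-open"] += 1    # handshake torn down before ACK
            elif SYN in flagsets:
                kinds["syn-unanswered"] += 1   # nothing further seen from scanner
            else:
                kinds["other"] += 1
        kind, _ = kinds.most_common(1)[0]
        report[src] = {"type": kind, "ports": len(ports)}
    return report


# Constructed sample: 10.0.0.7 runs an Xmas scan over ports 20-30, 10.0.0.9 a
# SYN half-open scan over ports 1-10, and 10.0.0.3 opens one normal connection.
SAMPLE = []
for port in range(20, 31):
    SAMPLE.append({"src": "10.0.0.7", "dport": port, "flags": PSH | URG | FIN})
for port in range(1, 11):
    SAMPLE.append({"src": "10.0.0.9", "dport": port, "flags": SYN})
    SAMPLE.append({"src": "10.0.0.9", "dport": port, "flags": RST})
SAMPLE += [
    {"src": "10.0.0.3", "dport": 443, "flags": SYN},
    {"src": "10.0.0.3", "dport": 443, "flags": ACK},
    {"src": "10.0.0.3", "dport": 443, "flags": PSH | ACK},
]

if __name__ == "__main__":
    for src, info in summarise_scans(SAMPLE).items():
        print(f"{src}: {info['type']} scan across {info['ports']} ports")
```

The `min_ports` threshold is what keeps a single ordinary connection (10.0.0.3 above) out of the report; tune it to the noise level of the segment being watched.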
Scanning A Network For Hosts using Nmap
One of the most important things to do on connecting to a network is to obtain a list of all active hosts
on the network before further probing. This can be done via a “Ping Sweep”, which, as the name
implies, involves sending an ICMP packet to every IP in the network and waiting for responses. The
hosts which reply with an ICMP packet are considered active.
You can specify your target IP ranges by using hyphens or via CIDR notation as follows:
$ nmap -sn 192.168.0.1-254
Or,
$ nmap -sn 192.168.0.0/24
The -sn flag suppresses any port scans, and forces Nmap to rely solely on ICMP echo packets (or ARP
requests if run with superuser privileges) to identify active hosts in the network. It also sends a TCP
SYN packet to the target’s port 443 and a TCP ACK request (TCP SYN if run with superuser
privileges) to the target’s port 80.
Nmap Scripting Engine
The Nmap Scripting Engine (NSE) is a powerful addition to Nmap which allows us to extend its
functionality even further. Its scripts are written in Lua, and we can use it to write our own scripts and
automate a lot of our work, such as testing for vulnerabilities and exploitation.
There are many categories available. Some useful categories include:
 safe:- Won’t affect the target
 intrusive:- Not safe: likely to affect the target
 vuln:- Scan for vulnerabilities
 exploit:- Try to exploit a vulnerability
 auth:- Attempt to bypass authentication for running services
 brute:- Try to brute force credentials for running services
 discovery:- Attempt to query running services for further information about the network
To run a script, we need to specify it as --script=<script-name>
You can also specify multiple scripts to run at the same time by separating the script names with
commas: --script=<script-name1>,<script-name2>
Some scripts also require arguments, which can be specified with --script-args <args>
Some scripts have a built-in help menu, which can be viewed with:
$ nmap --script-help <script-name>
SYN – Stealth – XMAS – NULL – IDLE – FIN Scans
SYN - A SYN or stealth scan is also called a half-open scan because it doesn’t complete the TCP
three-way handshake. A hacker sends a SYN packet to the target; if a SYN/ACK frame is received
back, then it’s assumed the target would complete the connection and the port is listening. If an RST is
received back from the target, then it’s assumed the port isn’t active or is closed. The advantage of the
SYN stealth scan is that fewer IDS systems log this as an attack or connection attempt.
XMAS - XMAS scans send a packet with the FIN, URG, and PSH flags set. If the port is open, there
is no response; but if the port is closed, the target responds with a RST/ACK packet. XMAS scans
work only on target systems that follow the RFC 793 implementation of TCP/IP and don’t work
against any version of Windows.
FIN - A FIN scan is similar to an XMAS scan but sends a packet with just the FIN flag set. FIN scans
receive the same response and have the same limitations as XMAS scans.
NULL - A NULL scan is also similar to XMAS and FIN in its limitations and response, but it just
sends a packet with no flags set.
IDLE - An IDLE scan uses a spoofed IP address to send a SYN packet to a target. Depending on the
response, the port can be determined to be open or closed. IDLE scans determine port scan response
by monitoring IP header sequence numbers.
IPEye is a TCP port scanner that can do SYN, FIN, Null, and XMAS scans. It’s a command-line tool.
IPEye probes the ports on a target system and responds with closed, reject, drop, or open. Closed
means there is a computer on the other end, but it doesn’t listen at the port. Reject means a firewall is
rejecting the connection to the port (sending a reset back). Drop means a firewall is dropping
everything to the port, or there is no computer on the other end. Open means some kind of service is
listening at the port. These responses help a hacker identify what type of system is responding.
IPSecScan is a tool that can scan either a single IP address or a range of addresses looking for systems
that are IPSec enabled.
NetScan Tools Pro, hping2, KingPing, icmpenum, and SNMP Scanner are all scanning tools and can
also be used to fingerprint the operating system (discussed later).
Icmpenum uses not only ICMP Echo packets to probe networks, but also ICMP Timestamp and ICMP
Information packets. Furthermore, it supports spoofing and sniffing for reply packets. Icmpenum is
great for scanning networks when the firewall blocks ICMP Echo packets but fails to block
Timestamp or Information packets.
The hping2 tool is notable because it contains a host of other features besides OS fingerprinting such
as TCP, User Datagram Protocol (UDP), ICMP, and raw-IP ping protocols, traceroute mode, and the
ability to send files between the source and target system.
SNMP Scanner allows you to scan a range or list of hosts performing ping, DNS, and Simple Network
Management Protocol (SNMP) queries.
Banner grabbing
Banner grabbing is a method used by attackers and security teams to obtain information about
networked computer systems and the services running on their open ports. A banner is text displayed by a host
that provides details such as the type and version of software running on the system or server. The
banner reveals the software version number of the network server and other system information,
giving cybercriminals an advantage in cyber attacks. Banner grabbing consists of collecting software
banner information such as name and version. Hackers can use OSINT tools to get the banners
manually or automatically. Banner capture is one of the essential steps in both offensive and defensive
penetration testing.
Types of Banner Grabbing:
1. Active Banner Grabbing: In this method, hackers send packets to a remote server and
analyze the response data. It involves opening a TCP or similar connection between
the origin and the remote server. An Intrusion Detection System (IDS) can easily detect
active banner grabbing.
2. Passive Banner Grabbing: This method allows hackers and security analysts to get the same
information while avoiding a direct connection that would disclose the origin. In passive banner grabbing, the
attackers deploy software and malware as a gateway to avoid a direct connection when
collecting data from the target. This technique uses third-party network tools and services to
capture and analyze packets and identify the software and version running on the server.
Usage:
Hackers can perform banner grabbing against various protocols to discover insecure and
vulnerable applications and exploits. There are many services, protocols, and types of banner
information that can be collected using banner grabbing, and various methods and tools can be
developed for the discovery process. In general, banner grabbing allows an attacker to discover the network servers and
services running, along with their instances on open ports, as well as the operating system. Given the
type and version of an application, a hacker or pen tester can quickly scan for known and exploitable
vulnerabilities in that version.
Service Ports:
 Port 80 runs the Hypertext Transfer Protocol (HTTP) service.
 Port 21 runs the File Transfer Protocol (FTP) service.
 Port 25 runs the Simple Mail Transfer Protocol (SMTP) service.
Important Points:
 Banner Grabbing is used in Ethical Hacking to gather information about a target system
before launching an attack.
 In order to gather this information, the hacker must choose a website that displays banners
from affiliate sites and navigate from the banner to the site served by the affiliate website.
 Banner Grabbing can be done through manual means or through the use of automated tools
such as web crawlers, which search websites and download everything on them, including
banners and files.
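The analysis half of banner grabbing (capture the banner, then pull out product and version) as an added example written from the defender's side, auditing what one's own hosts disclose. It is not code from the notes or from any scanner; the captures are constructed to resemble what HTTP, SSH, FTP and SMTP services send on connect, and the regexes are assumptions for those formats.

```python
"""Extract product and version from captured service banners.

Added example, not code from the notes or from any scanner: the banners
below are constructed to resemble what the services named above (HTTP on
80, FTP on 21, SMTP on 25) and SSH send on connect.  The regexes are
assumptions for these formats; the audit lists which hosts disclose an
exact version, the detail a defender wants to remove before an attacker
can pivot on it.
"""
import re

# One pattern per service family; group 1 = product, group 2 = version.
PATTERNS = {
    "http": re.compile(r"^Server:\s*([A-Za-z][\w.-]*)(?:/([\d][\w.]*))?", re.M),
    "ssh": re.compile(r"^SSH-\d\.\d-([A-Za-z]+)[_-]([\d][\w.]*)"),
    "ftp": re.compile(r"^220[ -].*?\b([A-Za-z]*FTPd?)\s+v?([\d][\w.]*)", re.I),
    "smtp": re.compile(r"^220[ -]\S+\s+ESMTP\s+([A-Za-z]+)(?:\s+v?([\d][\w.]*))?"),
}


def parse_banner(service: str, banner: str) -> dict:
    """Return product/version found in the banner; None where absent."""
    m = PATTERNS[service].search(banner)
    product = m.group(1) if m else None
    version = m.group(2) if m else None
    return {"service": service, "product": product, "version": version,
            "discloses_version": version is not None}


def audit(captures) -> list:
    """(host, service, 'product version') for every capture that leaks a version."""
    findings = []
    for host, service, banner in captures:
        info = parse_banner(service, banner)
        if info["discloses_version"]:
            findings.append((host, service, f"{info['product']} {info['version']}"))
    return findings


# Constructed captures: (host, service, first bytes received after connect).
SAMPLE = [
    ("10.0.0.5", "http", "HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\n\r\n"),
    ("10.0.0.6", "http", "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n"),
    ("10.0.0.5", "ssh", "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n"),
    ("10.0.0.7", "ftp", "220 (vsFTPd 3.0.3)\r\n"),
    ("10.0.0.8", "smtp", "220 mail.example.test ESMTP Postfix\r\n"),
]

if __name__ == "__main__":
    for host, service, what in audit(SAMPLE):
        print(f"{host} {service}: discloses {what}")
```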
OS Fingerprinting
If a hacker can determine what type of operating system a targeted computer is running, he or she can
work to exploit the vulnerabilities present in that operating system. OS fingerprinting is used by
security professionals and hackers for mapping remote networks and determining which
vulnerabilities might be present to exploit. It is a tactic used by cyber-criminals and even
ethical hackers to figure out what type of operating system is being used by a target computer on a
network. By analyzing certain protocol flags, options, and data in the packets a device sends
onto the network, hackers can make relatively accurate guesses about the OS that sent those packets.
OS fingerprinting works only for packets that are part of a full-fledged TCP connection; that is, the TCP
connection should include the SYN, SYN/ACK, and ACK exchange.
There are two types of fingerprinting:
 Active
 Passive
Active OS Fingerprinting
Active OS fingerprinting involves actively determining a targeted PC’s OS by sending carefully
crafted packets to the target system and examining the TCP/IP behavior of the received responses. The
main reason why an attacker may prefer a passive approach instead is to reduce the risk of being caught by an
IDS, IPS, or firewall. Properly configured, implemented, and maintained IDSes, IPSes,
and firewalls can mitigate active fingerprinting. In other words, active fingerprinting is challenging
the target machine to see what happens.
Active fingerprinting works by sending packets to a target and analyzing the packets that are sent
back. Almost all active fingerprinting these days is done with Nmap.
Nmap is usually used by network administrators to monitor the security of their networks. In fact,
Nmap is an effective application for both admins and attackers. Nmap sends probes to lots of different
TCP/IP ports and analyzes what is returned. Nmap uses scripting that analyzes that data to print out
results that are useful for OS fingerprinting. Running an OS fingerprinting scan in Nmap is as simple
as typing:
“nmap -A ip_address_or_domain_name_of_target”.
Source: infosecinstitute.com
Passive OS Fingerprinting
Passive OS fingerprinting is a more effective way of avoiding detection or being stopped by a firewall;
it examines a passively collected sample of packets from a host. Passive fingerprinting uses a
pcap (packet capture) API. In GNU/Linux and BSD/Unix operating systems, pcap can be found in the
libpcap library, and for Windows there’s a port of libpcap called WinPcap. Passive fingerprinting can
make a guess at a target’s OS because different OSes have different TCP/IP implementations.
Passive OS fingerprinting is less accurate than active OS fingerprinting, but may be the technique
chosen by an attacker or penetration tester who wants to avoid detection. Passive fingerprinting can be
mitigated by ensuring that NICs (network interface cards) don’t operate in promiscuous mode.
The following four elements are examined to determine the operating system:
 TTL: What the operating system sets the Time-To-Live to on outbound packets.
 Window Size: What the operating system sets the Window Size to.
 DF: Does the operating system set the Don’t Fragment bit?
 TOS: Does the operating system set the Type of Service field?
Source: zerosuniverse.com and infosecinstitute.com
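How the four elements combine into a guess, as an added example (not code from the notes or from p0f): the observed TTL is first rounded up to the nearest common initial TTL, which also yields the hop distance, and then all four elements are scored against a small signature table. The signature values are illustrative assumptions, not entries from any real fingerprint database, and the observations are constructed.

```python
"""Passive OS guess from the four elements listed above.

Added example, not code from the notes or from p0f: it recovers the initial
TTL from the observed TTL, then scores TTL, TCP window size, DF bit and TOS
byte against a small signature table.  The signature values are illustrative
assumptions (real tools ship far larger databases), and the observations are
constructed.
"""
from dataclasses import dataclass

# Initial TTLs commonly chosen by operating systems; a packet loses one per hop.
INITIAL_TTLS = (32, 64, 128, 255)


@dataclass(frozen=True)
class Signature:
    os: str
    initial_ttl: int
    window: int
    df: bool
    tos: int


# Illustrative signatures only; not copied from any fingerprinting database.
SIGNATURES = [
    Signature("Linux (illustrative)", 64, 29200, True, 0x00),
    Signature("Windows (illustrative)", 128, 8192, True, 0x00),
    Signature("Network device (illustrative)", 255, 4128, False, 0x00),
]


def infer_initial_ttl(observed_ttl: int) -> int:
    """Smallest common initial TTL that is not below the observed value."""
    if not 0 < observed_ttl <= 255:
        raise ValueError("TTL must be in 1..255")
    return next(t for t in INITIAL_TTLS if observed_ttl <= t)


def guess_os(ttl: int, window: int, df: bool, tos: int) -> dict:
    """Score each signature on the four elements (0-4 matches) and return the
    best one, together with the inferred initial TTL and hop distance."""
    initial = infer_initial_ttl(ttl)
    best_os, best_score = None, -1
    for sig in SIGNATURES:
        score = sum([
            sig.initial_ttl == initial,
            sig.window == window,
            sig.df == df,
            sig.tos == tos,
        ])
        if score > best_score:
            best_os, best_score = sig.os, score
    return {"os": best_os, "score": best_score,
            "initial_ttl": initial, "hops": initial - ttl}


# Constructed observations, as a passive sensor would record from SYN packets.
SAMPLE = [
    {"ttl": 52, "window": 29200, "df": True, "tos": 0x00},
    {"ttl": 117, "window": 8192, "df": True, "tos": 0x00},
    {"ttl": 250, "window": 4128, "df": False, "tos": 0x00},
]

if __name__ == "__main__":
    for obs in SAMPLE:
        g = guess_os(**obs)
        print(f"TTL {obs['ttl']:>3} win {obs['window']:>5}: {g['os']} "
              f"(score {g['score']}/4, {g['hops']} hops away)")
```

A score of 4 means every element agreed; lower scores are the ambiguous cases where a real tool would fall back on further signals such as TCP options.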
Tools Used for OS Fingerprinting
P0f – passive: This tool is an OS Fingerprinting tool that utilizes an array of sophisticated, purely
passive traffic fingerprinting mechanisms to identify the players behind any incidental TCP/IP
communications (often as little as a single normal SYN) without interfering in any way.
Website: http://lcamtuf.coredump.cx/p0f3/
Ettercap – passive: This tool is a comprehensive suite for man in the middle attacks. It features
sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports
active and passive dissection of many protocols.
Website: http://ettercap.github.io/ettercap/
XProbe2 – active: This tool is an active OS Fingerprinting tool with a different approach to operating
system fingerprinting. Xprobe2 relies on fuzzy signature matching, probabilistic guesses and multiple
simultaneous matches, and a signature database.
UNIT IV INTRUSION DETECTION
Host -Based Intrusion Detection – Network -Based Intrusion Detection – Distributed or Hybrid
Intrusion Detection – Intrusion Detection Exchange Format – Honeypots – Example System Snort.
Intrusion Detection System (IDS)
An intrusion detection system (IDS) observes network traffic for malicious
transactions and sends immediate alerts when such activity is observed. It is software that checks a network or
system for malicious activities or policy violations. Each illegal activity or violation is typically either recorded
centrally using a SIEM system or reported to an administrator. An IDS monitors a network or
system for malicious activity and protects a computer network from unauthorized access by users,
possibly including insiders. The intrusion detector learning task is to build a predictive model (i.e. a
classifier) capable of distinguishing between ‘bad connections’ (intrusions/attacks) and ‘good (normal)
connections’.
How does an IDS work?
 An IDS (Intrusion Detection System) monitors the traffic on a computer network to detect
any suspicious activity.
 It analyzes the data flowing through the network to look for patterns and signs of abnormal
behavior.
 The IDS compares the network activity to a set of predefined rules and patterns to identify
any activity that might indicate an attack or intrusion.
 If the IDS detects something that matches one of these rules or patterns, it sends an alert to the
system administrator.
 The system administrator can then investigate the alert and take action to prevent any damage
or further intrusion.
Classification of Intrusion Detection System
IDSs are classified into five types:
 Network Intrusion Detection System (NIDS): Network intrusion detection systems (NIDS)
are set up at a planned point within the network to examine traffic from all devices on the
network. It performs an observation of passing traffic on the entire subnet and matches the
traffic that is passed on the subnets to the collection of known attacks. Once an attack is
identified or abnormal behavior is observed, the alert can be sent to the administrator. An
example of a NIDS is installing it on the subnet where firewalls are located in order to see if
someone is trying to crack the firewall.
 Host Intrusion Detection System (HIDS): Host intrusion detection systems (HIDS) run on
independent hosts or devices on the network. A HIDS monitors the incoming and outgoing
packets from the device only and will alert the administrator if suspicious or malicious
activity is detected. It takes a snapshot of existing system files and compares it with the
previous snapshot. If the analytical system files were edited or deleted, an alert is sent to the
administrator to investigate. An example of HIDS usage can be seen on mission-critical
machines, which are not expected to change their layout.
 Protocol-based Intrusion Detection System (PIDS): A protocol-based intrusion detection
system (PIDS) comprises a system or agent that consistently resides at the front end of a
server, controlling and interpreting the protocol between a user/device and the server. It
tries to secure the web server by regularly monitoring the HTTPS protocol stream and
accepting the related HTTP protocol. Since the HTTPS stream is only available unencrypted after
decryption and before it enters the web presentation layer, the system would need to reside at that
interface in order to inspect the HTTPS traffic.
 Application Protocol-based Intrusion Detection System (APIDS): An application
Protocol-based Intrusion Detection System (APIDS) is a system or agent that generally
resides within a group of servers. It identifies the intrusions by monitoring and interpreting
the communication on application-specific protocols. For example, this would monitor the
SQL protocol explicitly to the middleware as it transacts with the database in the web server.
 Hybrid Intrusion Detection System: Hybrid intrusion detection system is made by the
combination of two or more approaches to the intrusion detection system. In the hybrid
intrusion detection system, the host agent or system data is combined with network
information to develop a complete view of the network system. The hybrid intrusion detection
system is more effective in comparison to the other intrusion detection system. Prelude is an
example of Hybrid IDS.
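The HIDS snapshot comparison described under host intrusion detection above, as an added example (not code from the notes or from any HIDS product): a baseline of file hashes is stored, and a later run reports what was modified, deleted or created. The demo builds a throwaway directory with constructed contents so it runs offline.

```python
"""File-integrity snapshot comparison, the HIDS technique described above.

Added example, not code from the notes or from any HIDS product: it hashes
every file under a monitored root, stores the result as a JSON snapshot and,
on the next run, reports files that were modified, deleted or created.  The
demo builds a throwaway directory (constructed contents) so it runs offline;
point `snapshot()` at a real path such as /etc to use it for real.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def snapshot(root: Path) -> dict:
    """Map each file under root (path relative to root) to its SHA-256 digest."""
    result = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            result[path.relative_to(root).as_posix()] = digest
    return result


def compare(previous: dict, current: dict) -> dict:
    """The three change sets a HIDS alerts on."""
    before, after = set(previous), set(current)
    return {
        "modified": sorted(k for k in before & after if previous[k] != current[k]),
        "deleted": sorted(before - after),
        "created": sorted(after - before),
    }


def save_snapshot(snap: dict, store: Path) -> None:
    store.write_text(json.dumps(snap, indent=1, sort_keys=True))


def load_snapshot(store: Path) -> dict:
    return json.loads(store.read_text()) if store.exists() else {}


def demo() -> dict:
    """Take a baseline of a constructed tree, alter it, and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "etc"
        (root / "conf.d").mkdir(parents=True)
        (root / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "motd").write_text("Welcome\n")
        (root / "conf.d" / "app.conf").write_text("debug = off\n")
        store = Path(tmp) / "baseline.json"
        save_snapshot(snapshot(root), store)           # baseline run

        # Constructed changes between runs: one edit, one removal, one addition.
        (root / "hosts").write_text("127.0.0.1 localhost\n198.51.100.4 updates\n")
        (root / "motd").unlink()
        (root / "conf.d" / "extra.conf").write_text("debug = on\n")

        return compare(load_snapshot(store), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The baseline file itself must live somewhere the monitored host cannot silently rewrite, otherwise an intruder can re-baseline after tampering.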
Detection Method of IDS
1. Signature-based Method: Signature-based IDS detects the attacks on the basis of the
specific patterns such as the number of bytes or a number of 1s or the number of 0s in the
network traffic. It also detects on the basis of the already known malicious instruction
sequence that is used by the malware. The detected patterns in the IDS are known as
signatures. Signature-based IDS can easily detect the attacks whose pattern (signature)
already exists in the system but it is quite difficult to detect new malware attacks as their
pattern (signature) is not known.
2. Anomaly-based Method: Anomaly-based IDS was introduced to detect unknown malware
attacks, as new malware is developed rapidly. An anomaly-based IDS uses machine learning to
create a model of trusted activity; everything that arrives is compared with that model and is
declared suspicious if it does not fit the model. The machine-learning-based method generalizes
better than a signature-based IDS, as these models can be trained according to the
applications and hardware configurations.
What is HIDS (Host-Based Intrusion Detection System)
A Host-Based Intrusion Detection System, or HIDS, is a type of cybersecurity solution that monitors
IT systems for signs of suspicious activity to detect unusual behaviors or patterns associated either
with human users or applications that could be a sign of a security breach or attempted attack.
HIDS systems are so-named because they operate on individual host systems. In this context, a host
could be a server, a PC, or any other type of device that produces logs, metrics, and other data that can
be monitored for security purposes.
Keep reading for everything you need to know about what a HIDS is, how HIDS solutions work, and
how HIDS compares to other types of security tools.
HIDS vs. NIDS
Host-Based Intrusion Detection Systems are similar in some ways to Network Intrusion Detection
Systems, or NIDS, but they are not the same type of solution.
A NIDS monitors for suspicious activity from the perspective of the network, using data sources like
network switch logs. By analyzing this data, a NIDS can look for suspicious activity.
A HIDS may also monitor network activity, but it does so from the perspective of individual hosts, not
centralized networking equipment like switches. In addition, for a HIDS, network data is just one of
many data sources used for security analysis purposes.
How does Host-Based Intrusion Detection work?
Host-Based Intrusion Detection works by collecting data from servers, computers, and other host
systems, then analyzing the data for anomalies or suspicious activity.
The data that HIDS tools analyze may include security-centric data sources, such as authentication
logs (which record login events). However, a HIDS typically also analyzes other types of data, like
application and operating system logs. Even though the latter types of data are not related to security
specifically, unusual patterns within those data sets could be linked to security issues.
For example, a HIDS could monitor network traffic flows to detect that an application has suddenly
begun receiving high volumes of requests from previously unknown external IP addresses. This
activity could be the sign of a brute-force login attempt or an effort to probe the application for
vulnerabilities that attackers could exploit. With this information, security teams could block the
offending IP addresses.
To deliver results that are as accurate as possible, a HIDS should link and correlate different types of
data sources, which makes it possible to gain deeper context on potential security events.
For instance, network traffic logs can be analyzed in conjunction with application event logs so that
the HIDS can determine whether unusual activity on the network correlates with unusual activity by
the application.
In the former case, it’s possible that attackers are trying to find a vulnerability in the application but
have not yet succeeded. In the latter, it’s possible that they have breached the application, which is
why the HIDS detects anomalous behavior by the application as well as unusual traffic patterns on the
network.
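The correlation just described, as an added example (not code from the notes or from any HIDS product): constructed sshd-style authentication lines and application log lines are grouped by source address, combined with the set of addresses seen during a baseline period, and turned into severity-ranked alerts. The severity rules are assumptions chosen to mirror the two cases above: sustained failures from an unknown address (not yet succeeded) versus the same address also producing application errors or a successful login (breached).

```python
"""Correlating host data sources into severity-ranked HIDS alerts.

Added example, not code from the notes or any HIDS product: constructed
sshd-style authentication log lines and application log lines are parsed,
grouped by source IP and combined with the set of addresses seen during a
baseline period.  The severity rules (unknown address with many failures
= medium; the same address also logging in or triggering application
errors = high, the 'breached' case above) are assumptions for demonstration.
"""
import re
from collections import defaultdict

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+")
APP_RE = re.compile(
    r"^(?P<ts>\S+) app\[\d+\]: (?P<level>ERROR|INFO) client=(?P<ip>[\d.]+) (?P<msg>.*)$")


def parse(auth_lines, app_lines) -> dict:
    """Per source IP: login failures, successes and application errors."""
    stats = defaultdict(lambda: {"failed": 0, "accepted": 0, "app_errors": 0})
    for line in auth_lines:
        m = AUTH_RE.match(line)
        if m:
            stats[m["ip"]]["failed" if m["result"] == "Failed" else "accepted"] += 1
    for line in app_lines:
        m = APP_RE.match(line)
        if m and m["level"] == "ERROR":
            stats[m["ip"]]["app_errors"] += 1
    return dict(stats)


def alerts(stats, known_ips, fail_threshold=5) -> list:
    """Turn the per-IP counters into alerts ordered by severity, so the
    engineer reading them knows which to look at first."""
    out = []
    for ip, s in stats.items():
        unknown = ip not in known_ips
        brute = s["failed"] >= fail_threshold
        if unknown and brute and (s["accepted"] or s["app_errors"]):
            severity = "high"    # pressure plus a sign the host or app gave way
        elif unknown and brute:
            severity = "medium"  # brute-force attempt, no sign of success yet
        elif brute:
            severity = "low"     # known address; likely a misconfigured client
        else:
            continue             # nothing worth an engineer's attention
        out.append({"ip": ip, "severity": severity, **s})
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted(out, key=lambda a: (rank[a["severity"]], a["ip"]))


# Constructed baseline and log lines (timestamps, hosts and users invented).
KNOWN_IPS = {"10.0.0.20", "10.0.0.21"}
AUTH_LOG = (
    [f"2024-05-01T10:00:{i:02d} sshd[411]: Failed password for invalid user admin "
     f"from 203.0.113.9 port 5{i:04d} ssh2" for i in range(8)]
    + ["2024-05-01T10:00:09 sshd[411]: Accepted password for deploy "
       "from 203.0.113.9 port 50009 ssh2"]
    + [f"2024-05-01T10:01:{i:02d} sshd[412]: Failed password for bob "
       f"from 198.51.100.4 port 4{i:04d} ssh2" for i in range(6)]
    + [f"2024-05-01T10:02:{i:02d} sshd[413]: Failed password for alice "
       f"from 10.0.0.20 port 4{i:04d} ssh2" for i in range(5)]
)
APP_LOG = [
    "2024-05-01T10:00:10 app[900]: ERROR client=203.0.113.9 rejected malformed parameter",
    "2024-05-01T10:00:11 app[900]: INFO client=10.0.0.21 GET /health",
]

if __name__ == "__main__":
    for a in alerts(parse(AUTH_LOG, APP_LOG), KNOWN_IPS):
        print(f"[{a['severity']:>6}] {a['ip']}: {a['failed']} failed logins, "
              f"{a['accepted']} accepted, {a['app_errors']} app errors")
```

Note that the same failure count from a known internal address ranks only "low": the context (address history plus application logs) is what separates a locked-out colleague from an intrusion.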
Types of HIDS
Host-Based Intrusion Detection Systems can be broken into two main categories based on how they
are deployed:
 Agent-based HIDS: An agent-based HIDS relies on software agents that are installed on each
host to collect information from the host. This is a “heavier-weight” approach because
running agents on hosts increases the resource utilization of the hosts.
 Agentless HIDS: With an agentless HIDS, information from hosts is collected without
relying on agents, such as by streaming the data over the network. This type of HIDS is more
complex to implement, and agentless HIDS sometimes can’t access as much data as agent-
based solutions, but the agentless approach offers the benefit of consuming fewer resources.
HIDS components
No matter which type of HIDS you deploy, your HIDS solution will typically include three main
components:
 Data collectors: Using either agents or an agentless approach, your HIDS deploys sensors
that collect data from hosts.
 Data storage: After being collected, the data is usually aggregated and stored in a central
location. The data is retained at least as long as is necessary to analyze it, although
organizations may also choose to keep the data on hand so they can reference it at a later time
if desired.
 Analytics engine: The HIDS uses an analytics engine to process and evaluate the various data
sources that it collects. The purpose of analytics is to look for patterns or anomalies, then
assess the likelihood that they are the result of security risks or attacks.
HIDS capabilities
After a HIDS detects potential security problems, it can do three main things.
Alerting
The first is alerting. Alerting is the process of informing IT and/or security teams about a potential
security issue.
Ideally, HIDS alerting features should be capable of assessing the severity of each security risk the
HIDS identifies, then generating alerts accordingly. For example, low-risk security events should be
labeled as such so that engineers are aware that those alerts are not likely to require immediate
attention.
Reporting
HIDS platforms can generate reports about the overall state of security within an IT environment. The
data included in reports can vary, but it may include the number and types of security risks identified
by a HIDS over time, for instance, or how security issues vary across different types of hosts (such as
Windows-based hosts versus Linux-based systems).
Reporting is useful for assessing security trends over time, as well as for demonstrating the security
posture of an organization.
Response
In some cases, HIDS tools are capable of carrying out certain automated response activities to help
remediate risks. For example, if a HIDS determines that a particular external endpoint is trying to
probe a company’s servers, it could automatically generate firewall rules to block the probes.
Automated remediation like this not only saves time and effort on the part of engineers, but also
ensures that security risks can be blocked immediately.
HIDS security considerations and best practices
To get the most value out of a HIDS, consider best practices like the following:
 Monitor all hosts: A HIDS is of limited value if it only monitors some hosts. To gain the
broadest possible context on security risks, your HIDS should monitor all hosts. That way,
you’ll know whether and how quickly security issues spread among hosts, as well as how
many of your hosts are targeted by attacks. You’ll also be able to detect attacks that target just
one host rather than attempts to reach many hosts at once.
 Contextualize data: As noted above, the more data sources your HIDS analyzes collectively,
the greater the context it has on potential security risks. Context is critical for distinguishing
actual risks from false positives and generating accurate alerts.
 Configure smart alerts: To avoid distracting engineers with “alert fatigue,” a HIDS should
be configured to alert only on events that require a response. Alerts should also be categorized
based on severity level so that engineers know which ones to prioritize.
 Consider agentless HIDS: While an agent-based HIDS has its advantages (such as easier
access to host-based data), agentless HIDS solutions are easier to deploy and manage in many
respects because they don’t require installing software agents on each host. They are also
lighter on resource consumption.
These practices help ensure that your HIDS delivers the most actionable security insights at the lowest
total cost.
Limitations and challenges of HIDS
While a HIDS provides one layer of defense against security threats, it’s just that – one layer.
Since HIDS platforms specialize only in host-based security, they’re of limited use for addressing
other types of threats, such as vulnerabilities within application source code or public cloud
workloads.
That’s why it’s important to deploy additional security tools and services alongside a HIDS in order to
gain comprehensive protection against potential security risks across all facets of your environment.
What is NIDS?
NIDS is a security tool designed to detect, monitor, and analyze traffic for suspicious activity or
malicious attacks. It is essential to a larger security infrastructure and prevents network breaches and
data theft.
As mentioned, NIDS (Network Intrusion Detection System) is a security technology that monitors and
analyzes network traffic for signs of malicious activity, unauthorized access, or security policy
violations. The primary function of a NIDS is to detect and alert network administrators of any
potential or ongoing attacks on the network.
NIDS works by examining data packets for specific patterns and behaviors that indicate the presence
of an attack. It can detect and alert network administrators of attacks such as DoS (Denial of Service),
port scanning, virus and malware infections, and unauthorized access attempts.
NIDS is an essential component of a comprehensive network security strategy. It helps to identify and
respond to threats quickly before they can cause significant damage or compromise sensitive data.
How Does NIDS Work?
A network-based intrusion detection system analyzes network traffic and looks for behavior
patterns indicative of an intrusion or attack. It typically operates in a passive or inline mode, and
uses different detection methods to identify network intrusions.
In passive mode, the NIDS monitors outgoing network traffic without interfering with it. In inline
mode, the NIDS can modify network traffic to detect intrusions or block malicious activities.
However, the active mode may increase the risk of disrupting legitimate network traffic, and it is
usually not recommended.
When a NIDS detects a potential network threat, it generates an alert. The alert includes information
such as the type of attack, the source and destination IP addresses, and the time of the attack. The
NIDS may also take action to prevent the attack, such as blocking the source IP address or modifying
current network traffic.
Methods of NIDS Detection
Network Intrusion Detection Systems are designed to detect network-based attacks and intrusions.
They use different detection methods to identify suspicious traffic and abnormal behavior. There are
three primary detection methods used by NIDS: signature-based detection, anomaly-based detection,
and hybrid detection.
1. Signature-Based Detection
This method compares traffic passing through the network against known attack signatures or
patterns. Attack signatures are predefined network traffic patterns associated with specific types of
attacks.
The NIDS alerts the network administrator if the traffic matches a known signature. Signature-based
detection is effective at identifying known attacks, but it cannot detect new or unknown attacks.
2. Anomaly-Based Detection
This method involves detecting traffic that deviates from the normal network behavior. NIDS
monitors network traffic and generates an alert if it detects any activity outside the expected range.
Anomaly-based detection is useful in detecting new or unknown attacks but can generate many false
positives.
3. Hybrid Detection
This method combines signature-based and anomaly-based detection methods. The NIDS first uses
signature-based detection to identify known attacks and then anomaly-based detection to identify
unknown attacks. By combining both methods, hybrid detection can provide high accuracy and
minimize the false positive rate.
Others
In addition to these three primary methods, NIDS can use other techniques, such as protocol and
heuristic analysis. Protocol analysis involves examining network traffic to detect protocol violations
and abnormal behavior. Heuristic analysis involves identifying patterns of behavior that are
associated with attacks.
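The three detection methods above in working form, as an added example that is not part of the original notes: a signature pass over packet payloads, an anomaly pass that scores per-source connection counts against a learned baseline, and a hybrid driver that runs both. All flows, signatures and baseline figures are constructed.

```python
"""Toy hybrid NIDS: a signature pass for known attacks, then an anomaly pass
for traffic that deviates from a learned baseline.

Added example, not part of the original notes. The flow records, signatures
and baseline figures are all constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass
import statistics


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes


# Constructed signature database: (id, name, byte pattern). A real sensor
# loads thousands of these and must be updated as new attacks appear.
SIGNATURES = [
    ("SIG-1001", "SQL injection probe", b"' OR '1'='1"),
    ("SIG-1002", "Path traversal attempt", b"../../etc/passwd"),
]


def signature_detect(flow):
    """Return (sig_id, name) of the first signature found in the payload, else None."""
    for sig_id, name, pattern in SIGNATURES:
        if pattern in flow.payload:
            return sig_id, name
    return None


class AnomalyDetector:
    """Flags sources whose connection count sits far above the learned baseline.

    The baseline is the mean and standard deviation of per-source connection
    counts seen during a training window of normal traffic. The z-score
    threshold is the knob that trades missed attacks for false positives.
    """

    def __init__(self, training_flows, z_threshold=3.0):
        values = list(Counter(f.src for f in training_flows).values())
        self.mean = statistics.mean(values)
        # a perfectly uniform baseline has stdev 0; floor it so scoring still works
        self.stdev = max(statistics.pstdev(values), 1.0)
        self.z_threshold = z_threshold

    def score(self, count):
        return (count - self.mean) / self.stdev

    def detect(self, flows):
        """Return the source addresses whose activity is outside the expected range."""
        counts = Counter(f.src for f in flows)
        return {src for src, n in counts.items() if self.score(n) > self.z_threshold}


def hybrid_detect(training_flows, observed_flows):
    """Signature-based first (precise, known attacks), anomaly-based second (unknown attacks)."""
    alerts = []
    for f in observed_flows:
        hit = signature_detect(f)
        if hit:
            alerts.append({"method": "signature", "src": f.src, "dst": f.dst,
                           "dport": f.dport, "sig": hit[0], "name": hit[1]})
    detector = AnomalyDetector(training_flows)
    for src in sorted(detector.detect(observed_flows)):
        alerts.append({"method": "anomaly", "src": src,
                       "name": "connection count far above baseline"})
    return alerts


# Constructed training window: ten internal clients, two web requests each.
TRAINING = [Flow(f"10.0.0.{i}", "10.0.1.5", 80, b"GET / HTTP/1.1")
            for i in range(1, 11) for _ in range(2)]

# Constructed observation window: normal browsing, one injection probe that a
# signature catches, and one source touching 40 ports that only the anomaly
# pass can catch because its packets carry no known pattern.
OBSERVED = (
    [Flow("10.0.0.3", "10.0.1.5", 80, b"GET /index.html HTTP/1.1")] * 2
    + [Flow("198.51.100.7", "10.0.1.5", 80, b"GET /login?user=admin' OR '1'='1 HTTP/1.1")]
    + [Flow("203.0.113.9", "10.0.1.5", port, b"") for port in range(1, 41)]
)

if __name__ == "__main__":
    for alert in hybrid_detect(TRAINING, OBSERVED):
        print(alert)
```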
Technologies That a Network-Based Intrusion Detection System Can Monitor
NIDS systems can monitor network technologies and protocols to detect potential security breaches.
Here are some of the technologies that these systems can monitor:
1. Network Protocols
NIDS systems can monitor network protocols such as TCP/IP, HTTP, FTP, DNS, SMTP, and SNMP to
detect anomalous behavior that might indicate a network attack. For example, the system can detect
any attempts to exploit vulnerabilities in the protocol to gain unauthorized access.
2. Network Devices
NIDS systems can monitor network devices such as routers, switches, and firewalls to detect
unauthorized access or configuration changes. The system can also detect any attempts to exploit
vulnerabilities in the devices to gain access to the network.
3. Applications
NIDS systems can monitor network applications such as email servers, web servers, and databases to
detect any unusual activity that might indicate a security breach. For example, the system can detect
attempts to access sensitive information or execute malicious code.
4. Operating Systems
NIDS systems can monitor the operating systems of network devices and servers to detect any
security vulnerabilities or malicious activity. The system can detect any attempts to exploit
vulnerabilities in the operating system to gain unauthorized access.
5. Wireless Networks
NIDS can monitor wireless networks to detect any unauthorized access or malicious activities. The
system can monitor the wireless traffic and identify rogue access points, unauthorized connections, or
denial of service attacks.
Advantages of Network Intrusion Detection System
Network Intrusion Detection Systems (NIDS) are essential to network security infrastructure. Here are
some of the vital advantages of using NIDS:
1. Prevention of Network Attacks
NIDS actively monitors the network traffic for any suspicious activities and potential threats. It can
detect and block any unauthorized attempts to access the network, such as port scanning, password
guessing, and other attacks. By preventing these attacks, NIDS can help maintain network security
and prevent data breaches.
2. Identification of Vulnerabilities
NIDS can scan for vulnerabilities in the network, such as misconfigured devices, outdated software,
and unsecured network connections. Once these vulnerabilities are detected, they can be addressed
before attackers can exploit them, preventing potential security breaches.
3. Protection of Sensitive Information
NIDS can help protect sensitive information, such as customer data, financial records, and intellectual
property, by monitoring the network for any unauthorized access attempts. If an attempt is detected,
NIDS can alert security personnel, who can take appropriate action to prevent data loss or theft.
4. Real-Time Monitoring
NIDS provides real-time network monitoring, allowing security personnel to respond to any threats or
attacks quickly. This quick response can help prevent any potential damage caused by the attack and
minimize downtime.
5. Compliance with Regulations
NIDS can help organizations comply with various regulations such as HIPAA, PCI-DSS, and GDPR,
which require organizations to have proper security measures to protect sensitive data.
Limitations of Network Intrusion Detection Systems
1. Need for Frequent Updating
NIDS needs frequent updating because new attack methods are constantly being developed, and the
system must be able to detect these new threats. NIDS typically uses signature-based detection methods,
which must be updated with new signatures to detect new attacks. If the system is not updated regularly,
it may miss new threats.
2. Time-Consuming Process
NIDS requires extensive configuration to ensure it is tailored to the organization’s needs. The
configuration of NIDS includes defining the types of traffic that should be monitored, setting the
detection thresholds, and configuring the alerting and reporting mechanisms.
This can be time-consuming and requires a skilled technician to ensure the system is optimized for the
organization’s needs.
3. Regular Maintenance
NIDS requires maintenance to ensure that it is functioning properly. This includes monitoring the
system to ensure it generates alerts correctly, responds promptly, and addresses any issues. Regular
maintenance is essential to ensure that the system functions at peak performance and provides the
level of protection the organization requires.
Who is NIDS For?
Network Intrusion Detection Systems are for any individual, organization, or business that needs to
ensure the security of their network. This includes government agencies, large and small businesses,
educational institutions, and individuals with sensitive information on their networks.
NIDS is essential for organizations that handle sensitive data, such as personal, financial, or
confidential business information. It can detect and alert system administrators to potential threats,
allowing them to take action to prevent or minimize damage to the network.
Moreover, NIDS can be used by security professionals, network administrators, and IT teams to
monitor network traffic and identify potential security issues before they can cause harm. It can also
help with compliance requirements for certain industries, such as healthcare or financial services,
which are required to protect sensitive data.

Intrusion Detection Message Exchange Format


Used as part of computer security, IDMEF (Intrusion Detection Message Exchange Format) is a
data format used to exchange information between intrusion detection and intrusion prevention
software, security information collection systems, and the management systems that may need to
interact with them. IDMEF messages are designed to be processed automatically. The details of the
format are described in RFC 4765, which presents an implementation of the XML data model and the
associated DTD. The requirements for this format are described in RFC 4766, and the recommended
transport protocol (IDXP) is documented in RFC 4767.
IDMEF
The purpose of IDMEF is to define data formats and exchange procedures for sharing information of
interest to intrusion detection and response systems and to the management systems that may need to
interact with them. It is used in computer security for reporting and exchanging incidents. It is
intended for easy automatic processing.
IDMEF is a well-structured object-oriented format, which consists of 33 classes containing 108 fields,
including three mandatory ones:
o The classification
o The unique login
o The date of creation of the alert
There are currently two types of IDMEF messages that can be created: Heartbeat or Alert.
Heartbeat
Heartbeats are sent by the analyzers to indicate their status. These messages are sent at regular
intervals, the period of which is defined in the Heartbeat Interval field. If none of these messages is
received for several periods, the analyzer should be considered unable to trigger alerts.
Alert
Alerts are used to describe an attack that took place. The main fields that make up an alert are:
o CreateTime: date of creation of the alert
o DetectTime: time at which the analyzer detected the event
o AnalyzerTime: time at which the alert was sent by the analyzer
o Source: details about the origin of the attack, which can be a service, a user, a process and/or a node
o Target: details about the target of the attack, which can be a service, a user, a process, a node and/or a file
o Classification: name of the attack and references, such as CVEs
o Assessment: evaluation of the attack (severity, potential impact, etc.)
o AdditionalData: additional information on the attack
There are three other alert types that inherit from this scheme:
o CorrelationAlert: grouping of alerts related to one another
o ToolAlert: grouping of alerts from the same tool
o OverflowAlert: alert resulting from a so-called buffer overflow attack
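An added example, not code from the notes or from any IDMEF implementation: it parses a minimal RFC 4765 Alert (checking that the mandatory messageid, Analyzer, CreateTime and Classification are present and pulling out Source, Target, Classification and Assessment) and a Heartbeat, and applies the liveness rule stated above. Both XML messages are constructed and carry far fewer fields than a real one.

```python
"""Parse IDMEF (RFC 4765) Alert and Heartbeat messages and check analyzer liveness.

Added example, not code from the original notes. The two XML messages are
constructed and deliberately minimal; real IDMEF messages carry many more fields.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"idmef": "http://iana.org/idmef"}   # namespace defined by RFC 4765

# Constructed Alert: the mandatory parts plus Source, Target and Assessment.
SAMPLE_ALERT = """<idmef:IDMEF-Message version="1.0" xmlns:idmef="http://iana.org/idmef">
  <idmef:Alert messageid="abc123456789">
    <idmef:Analyzer analyzerid="sensor-01"/>
    <idmef:CreateTime>2024-01-15T10:05:00Z</idmef:CreateTime>
    <idmef:Source><idmef:Node><idmef:Address category="ipv4-addr">
      <idmef:address>203.0.113.9</idmef:address></idmef:Address></idmef:Node></idmef:Source>
    <idmef:Target>
      <idmef:Node><idmef:Address category="ipv4-addr">
        <idmef:address>10.1.2.3</idmef:address></idmef:Address></idmef:Node>
      <idmef:Service><idmef:port>23</idmef:port></idmef:Service>
    </idmef:Target>
    <idmef:Classification text="Telnet login attempt">
      <idmef:Reference origin="vendor-specific">
        <idmef:name>EXAMPLE-0001</idmef:name>
        <idmef:url>https://example.invalid/refs/0001</idmef:url>
      </idmef:Reference>
    </idmef:Classification>
    <idmef:Assessment><idmef:Impact severity="medium"/></idmef:Assessment>
  </idmef:Alert>
</idmef:IDMEF-Message>"""

# Constructed Heartbeat: the analyzer promises one every 600 seconds.
SAMPLE_HEARTBEAT = """<idmef:IDMEF-Message version="1.0" xmlns:idmef="http://iana.org/idmef">
  <idmef:Heartbeat messageid="hb-0001">
    <idmef:Analyzer analyzerid="sensor-01"/>
    <idmef:CreateTime>2024-01-15T10:00:00Z</idmef:CreateTime>
    <idmef:HeartbeatInterval>600</idmef:HeartbeatInterval>
  </idmef:Heartbeat>
</idmef:IDMEF-Message>"""


def _time(el):
    # IDMEF times are ISO 8601 in UTC; fromisoformat wants +00:00 rather than Z
    return datetime.fromisoformat(el.text.strip().replace("Z", "+00:00"))


def parse_alert(xml_text):
    """Return the fields a manager needs; raise if a mandatory part is missing."""
    alert = ET.fromstring(xml_text).find("idmef:Alert", NS)
    if alert is None:
        raise ValueError("not an IDMEF Alert message")
    analyzer = alert.find("idmef:Analyzer", NS)
    create = alert.find("idmef:CreateTime", NS)
    classification = alert.find("idmef:Classification", NS)
    if not alert.get("messageid") or None in (analyzer, create, classification):
        raise ValueError("Alert lacks messageid, Analyzer, CreateTime or Classification")

    def addrs(side):
        path = f"idmef:{side}/idmef:Node/idmef:Address/idmef:address"
        return [a.text for a in alert.findall(path, NS)]

    impact = alert.find("idmef:Assessment/idmef:Impact", NS)
    return {
        "messageid": alert.get("messageid"),
        "analyzerid": analyzer.get("analyzerid"),
        "create_time": _time(create),
        "sources": addrs("Source"),
        "targets": addrs("Target"),
        "target_ports": [int(p.text) for p in alert.findall("idmef:Target/idmef:Service/idmef:port", NS)],
        "classification": classification.get("text"),
        "references": [r.findtext("idmef:name", namespaces=NS)
                       for r in classification.findall("idmef:Reference", NS)],
        "severity": impact.get("severity") if impact is not None else None,
    }


def parse_heartbeat(xml_text):
    hb = ET.fromstring(xml_text).find("idmef:Heartbeat", NS)
    if hb is None:
        raise ValueError("not an IDMEF Heartbeat message")
    interval = hb.find("idmef:HeartbeatInterval", NS)
    return {
        "analyzerid": hb.find("idmef:Analyzer", NS).get("analyzerid"),
        "create_time": _time(hb.find("idmef:CreateTime", NS)),
        "interval": int(interval.text) if interval is not None else None,
    }


def analyzer_silent(heartbeat, now, missed_periods=3):
    """True when no heartbeat has arrived for `missed_periods` intervals, i.e. the
    analyzer should be treated as unable to raise alerts."""
    if heartbeat["interval"] is None:
        return False   # no interval advertised, so there is nothing to measure against
    deadline = heartbeat["create_time"] + timedelta(seconds=heartbeat["interval"] * missed_periods)
    return now > deadline


if __name__ == "__main__":
    print(parse_alert(SAMPLE_ALERT))
    hb = parse_heartbeat(SAMPLE_HEARTBEAT)
    print("silent after 31 min:", analyzer_silent(hb, hb["create_time"] + timedelta(minutes=31)))
```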

Honeypot
A honeypot is a network-attached system used as a trap for cyber-attackers to detect and study the
tricks and types of attacks used by hackers. It acts as a potential target on the internet and informs the
defenders about any unauthorized attempt to access the information system.
Honeypots are mostly used by large companies and organizations involved in cybersecurity. They help
cybersecurity researchers to learn about the different types of attacks used by attackers. It is suspected
that even cybercriminals use honeypots to decoy researchers and spread wrong information.
The cost of a honeypot is generally high because it requires specialized skills and resources to
implement a system that appears to expose an organization's resources while still preventing attacks
on the backend and access to any production system.
A honeynet is a combination of two or more honeypots on a network.
Types of Honeypot:
Honeypots are classified based on their deployment and the involvement of the intruder.
Based on their deployment, honeypots are divided into:
1. Research honeypots: These are used by researchers to analyze hacker attacks and deploy
different ways to prevent these attacks.
2. Production honeypots: Production honeypots are deployed in production networks along
with the servers. These honeypots act as a frontend trap for the attackers, consisting of false
information and giving the administrators time to fix any vulnerability in the actual
system.
Based on interaction, honeypots are classified into:
1. Low interaction honeypots: Low interaction honeypots give the hacker very little insight into and
control over the network. They simulate only the services that are frequently requested by
attackers. The main operating system is not involved in low interaction systems, and
therefore they are less risky. They require far fewer resources and are easy to deploy. The only
disadvantage of these honeypots is that experienced hackers can easily identify them and
avoid them.
2. Medium interaction honeypots: Medium interaction honeypots allow the hacker more activities
than low interaction honeypots. They can expect certain activities and are designed to give
certain responses beyond what a low-interaction honeypot would give.
3. High interaction honeypots: A high interaction honeypot offers a large number of services and
activities to the hacker, thereby wasting the hacker's time while trying to gather complete
information about the hacker. These honeypots involve a real operating system and are
therefore comparatively risky if a hacker identifies the honeypot. High interaction
honeypots are also very costly and complex to implement, but they provide extensive
information about hackers.
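A low-interaction honeypot of the kind described above, as an added example that is not code from the notes: it emulates only the greeting of a service, never the service itself, and records every connection as an event, since no legitimate client has any reason to connect. The ports, banners and the local test client are constructed.

```python
"""Minimal low-interaction honeypot: serves fake service banners, never runs
the real service, and records every connection as an event.

Added example, not part of the original notes. The ports, banners and the
local test client are constructed; nothing here is a real daemon.
"""
import socket
import socketserver
import threading
import time
from datetime import datetime, timezone

# Only the greeting of each service is emulated. Because no real service code
# runs, there is nothing to break into, which is what keeps this low-risk.
FAKE_BANNERS = {
    21: b"220 ftp.example.invalid FTP server ready\r\n",
    23: b"\r\nlogin: ",
    3306: b"5.7.0-honeypot\x00",
}

EVENTS = []                 # no legitimate client ever connects, so every entry is suspect
_LOCK = threading.Lock()


def build_event(peer_ip, peer_port, service_port, first_bytes):
    """Turn one probe into a structured record an analyst can alert on."""
    return {
        "time": datetime.now(timezone.utc).isoformat(),
        "src": peer_ip,
        "sport": peer_port,
        "service_port": service_port,
        "preview": first_bytes[:64].decode("latin-1"),   # short, lossless preview
        "severity": "high",                               # contact with a decoy is never normal
    }


class HoneypotHandler(socketserver.BaseRequestHandler):
    def handle(self):
        port = self.server.service_port
        self.request.settimeout(2.0)
        self.request.sendall(FAKE_BANNERS.get(port, b""))
        try:
            data = self.request.recv(1024)      # capture whatever the client sends first
        except socket.timeout:
            data = b""
        with _LOCK:
            EVENTS.append(build_event(*self.client_address, port, data))


class Honeypot(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, service_port, bind=("127.0.0.1", 0)):
        # Port 0 lets the OS pick a free port so the demo runs anywhere; a real
        # deployment binds the advertised service port on an otherwise unused address.
        super().__init__(bind, HoneypotHandler)
        self.service_port = service_port


def start_honeypot(service_port):
    """Start a honeypot thread; return (server, port it actually listens on)."""
    srv = Honeypot(service_port)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def probe(port, payload):
    """Local test client standing in for whoever connects to the decoy."""
    with socket.create_connection(("127.0.0.1", port), timeout=2) as s:
        banner = s.recv(1024)
        s.sendall(payload)
    return banner


def run_demo():
    """Pretend to be a Telnet server, connect once, return (banner, recorded event)."""
    srv, port = start_honeypot(23)
    before = len(EVENTS)
    try:
        banner = probe(port, b"admin\r\n")
        deadline = time.time() + 3
        while len(EVENTS) == before and time.time() < deadline:
            time.sleep(0.05)              # handler thread may still be writing the event
    finally:
        srv.shutdown()
        srv.server_close()
    return banner, (EVENTS[-1] if len(EVENTS) > before else None)


if __name__ == "__main__":
    print(run_demo())
```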
Advantages of honeypot:
1. Acts as a rich source of information and helps collect real-time data.
2. Identifies malicious activity even if encryption is used.
3. Wastes hackers’ time and resources.
4. Improves security.
Disadvantages of honeypot:
1. Being distinguishable from production systems, it can be easily identified by experienced
attackers.
2. Having a narrow field of view, it can only identify direct attacks.
3. A honeypot once attacked can be used to attack other systems.
4. Fingerprinting (an attacker can identify the true identity of a honeypot).

Types of Honeypots
Honeypots can also be broken down by the type of activity they detect.
Email trap or spam trap
An email or spam trap will implant a fictitious email address in a hidden field that can only be
detected by an automated address harvester or site crawler. Since the address is not visible to
legitimate users, the organization can categorize all correspondence delivered to that inbox as spam.
The organization can then block that sender and its IP address, as well as any messages that match its
content.
Decoy Database
A decoy database is an intentionally vulnerable fictitious data set that helps organizations monitor
software vulnerabilities, architecture insecurities or even nefarious internal actors. The decoy database
will gather information about injection techniques, credential hijacking or privilege abuse used by an
attacker that can then be built into system defenses and security policies.
Malware Honeypot
A malware honeypot mimics a software app or an application programming interface (API) in an
attempt to draw out malware attacks in a controlled, non-threatening environment. In doing so, the
infosec team can then analyze the attack techniques and develop or enhance anti-malware solutions to
address these specific vulnerabilities, threats or actors.
Spider Honeypot
Similar to the spam honeypot, a spider honeypot is designed to trap web crawlers, sometimes called
spiders, by creating web pages and links only accessible to automated crawlers. Identifying these
spiders can help organizations understand how to block malicious bots, as well as ad-network
crawlers.

SNORT Definition
SNORT is a powerful open-source intrusion detection system (IDS) and intrusion prevention
system (IPS) that provides real-time network traffic analysis and data packet logging. SNORT
uses a rule-based language that combines anomaly, protocol, and signature inspection methods to
detect potentially malicious activity.
Using SNORT, network admins can spot denial-of-service (DoS) attacks and distributed DoS (DDoS)
attacks, Common Gateway Interface (CGI) attacks, buffer overflows, and stealth port scans. SNORT
creates a series of rules that define malicious network activity, identify malicious packets, and send
alerts to users.
SNORT is free-to-use open-source software that can be deployed by individuals and
organizations. The SNORT rule language determines which network traffic should be collected and
what should happen when malicious packets are detected. SNORT can be used in the same way as
sniffers and network intrusion detection systems to discover malicious packets, or as a full
network IPS solution that monitors network activity and detects and blocks potential attack vectors.
What Are the Features of SNORT?
There are various features that make SNORT useful for network admins to monitor their systems and
detect malicious activity. These include:
Real-time Traffic Monitor
SNORT can be used to monitor the traffic that goes in and out of a network. It will monitor traffic in
real time and issue alerts to users when it discovers potentially malicious packets or threats on Internet
Protocol (IP) networks.
Packet Logging
SNORT enables packet logging through its packet logger mode, which means it logs packets to the
disk. In this mode, SNORT collects every packet and logs it in a hierarchical directory based on the
host network’s IP address.
Analysis of Protocol
SNORT can perform protocol analysis, a network sniffing process that captures data in the
protocol layers for additional analysis. This enables the network admin to further examine potentially
malicious data packets, which is crucial, for example, for checking traffic against the Transmission
Control Protocol/IP (TCP/IP) stack protocol specification.
Content Matching
SNORT collates rules by the protocol, such as IP and TCP, then by ports, and then by those with
content and those without. Rules that do have content use a multi-pattern matcher that increases
performance, especially when it comes to protocols like the Hypertext Transfer Protocol (HTTP).
Rules that do not have content are always evaluated, which negatively affects performance.
OS Fingerprinting
Operating system (OS) fingerprinting uses the concept that all platforms have a unique TCP/IP stack.
Through this process, SNORT can be used to determine the OS platform being used by a system that
accesses a network.
Can Be Installed in Any Network Environment
SNORT can be deployed on all operating systems, including Linux and Windows, and as part of all
network environments.
Open Source
As a piece of open-source software, SNORT is free and available for anyone who wants to use
an IDS or IPS to monitor and protect their network.
Rules Are Easy to Implement
SNORT rules are easy to implement and get network monitoring and protection up and running. Its
rule language is also very flexible, and creating new rules is pretty simple, enabling network admins
to differentiate regular internet activity from anomalous or malicious activity.
What Are the Different SNORT Modes?
There are three different modes that SNORT can be run in, which will be dependent on the flags used
in the SNORT command.
Packet Sniffer
SNORT’s packet sniffer mode means the software will read IP packets then display them to the user
on its console.
Packet Logger
In packet logger mode, SNORT will log all IP packets that visit the network. The network admin can
then see who has visited their network and gain insight into the OS and protocols they were using.
NIPDS (Network Intrusion and Prevention Detection System)
In NIPDS mode, SNORT will only log packets that are considered malicious. It does this using the
preset characteristics of malicious packets, which are defined in its rules. The action that SNORT
takes is also defined in the rules the network admin sets out.
What Are the Uses of SNORT Rules?
The rules defined in SNORT enable the software to carry out a range of actions, which include:
Perform Packet Sniffing
SNORT can be used to carry out packet sniffing, which collects all data that transmits in and out of a
network. Collecting the individual packets that go to and from devices on the network enables
detailed inspection of how traffic is being transmitted.
Debug Network Traffic
Once it has logged traffic, SNORT can be used to debug malicious packets and any configuration
issues.
Generate Alerts
SNORT generates alerts to users as defined in the rule actions created in its configuration file. To
receive alerts, SNORT rules need to contain conditions that define when a packet should be
considered unusual or malicious, such as an attempt to exploit a vulnerability, a violation of the
organization's security policy, or another threat to the network.
Create New Rules
SNORT enables users to easily create new rules within the software. This allows network admins to
change how they want SNORT to work for them and the processes it should carry out. For
example, they can create new rules that tell SNORT to prevent backdoor attacks, search for specific
content in packets, show network data, specify which network to monitor, and print alerts in the
console.
Differentiate Between Normal Internet Activities and Malicious Activities
Using SNORT rules enables network admins to easily differentiate between regular, expected internet
activity and anything that is out of the norm. SNORT analyzes network activity in real time to sniff
out malicious activity, then generates alerts to users.
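A simplified Snort-style rule matcher, added here as an example (it is not Snort's own code and implements only a fragment of the rule language): it parses the rule header and the msg, content, sid and rev options, resolves $HOME_NET/$EXTERNAL_NET, and runs constructed packets through the rules to produce alert records. The variable definitions, rules and packets are all constructed.

```python
"""Simplified Snort-style rule matcher: parses the rule header and the msg,
content, sid and rev options, then runs constructed packets through the rules.

Added example, not Snort's own code and not a full implementation of its rule
language; $HOME_NET/$EXTERNAL_NET are set inline here instead of in the Snort
configuration, and content matching is a plain substring check.
"""
import ipaddress
import re
from collections import namedtuple

# Constructed network variables (Snort reads these from its configuration).
VARS = {"$HOME_NET": ipaddress.ip_network("10.0.0.0/8"), "$EXTERNAL_NET": "!$HOME_NET"}

Packet = namedtuple("Packet", "proto src sport dst dport payload")
Rule = namedtuple("Rule", "action proto src sport dst dport options")

# action proto src sport -> dst dport (options)
HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")


def parse_rule(text):
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable rule: {text!r}")
    action, proto, src, sport, dst, dport, opts = m.groups()
    options = {}
    for opt in opts.split(";"):               # simplification: no ';' inside quoted values
        if opt.strip():
            key, _, value = opt.partition(":")
            options[key.strip()] = value.strip().strip('"')
    if "sid" not in options:
        raise ValueError("every rule needs a sid so alerts can be traced back to it")
    return Rule(action, proto.lower(), src, sport, dst, dport, options)


def addr_matches(spec, ip):
    """Handle 'any', a $VAR, a CIDR or single address, and '!' negation."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not addr_matches(spec[1:], ip)
    if spec in VARS:
        spec = VARS[spec]
        if isinstance(spec, str):            # variable defined in terms of another
            return addr_matches(spec, ip)
        return ipaddress.ip_address(ip) in spec
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec, port):
    """Handle 'any', a single port, a range like 1024: or 1:1023, and '!' negation."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    if ":" in spec:
        lo, _, hi = spec.partition(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port


def rule_matches(rule, pkt):
    if rule.proto not in ("ip", pkt.proto):
        return False
    if not (addr_matches(rule.src, pkt.src) and port_matches(rule.sport, pkt.sport)
            and addr_matches(rule.dst, pkt.dst) and port_matches(rule.dport, pkt.dport)):
        return False
    content = rule.options.get("content")
    return content is None or content.encode() in pkt.payload


def run_rules(rules, packets):
    """Return one alert record per (packet, matching rule), like Snort's console alerts."""
    alerts = []
    for pkt in packets:
        for rule in rules:
            if rule_matches(rule, pkt):
                alerts.append({"action": rule.action, "sid": int(rule.options["sid"]),
                               "msg": rule.options.get("msg", ""),
                               "src": f"{pkt.src}:{pkt.sport}", "dst": f"{pkt.dst}:{pkt.dport}"})
    return alerts


# Constructed rules in Snort syntax: one with a content match, one header-only.
RULE_TEXT = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"TELNET root login attempt"; content:"root"; sid:1000001; rev:1;)',
    'alert icmp any any -> $HOME_NET any (msg:"ICMP to internal host"; sid:1000002; rev:1;)',
]
RULES = [parse_rule(r) for r in RULE_TEXT]

# Constructed packets: only the first and the last should raise alerts.
PACKETS = [
    Packet("tcp", "203.0.113.9", 40001, "10.1.2.3", 23, b"root\r\n"),
    Packet("tcp", "10.1.2.4", 40002, "10.1.2.3", 23, b"root\r\n"),        # internal source, not $EXTERNAL_NET
    Packet("tcp", "203.0.113.9", 40003, "10.1.2.3", 80, b"GET / HTTP/1.1"),  # wrong port, no content
    Packet("icmp", "198.51.100.1", 0, "10.1.2.3", 0, b""),
]

if __name__ == "__main__":
    for alert in run_rules(RULES, PACKETS):
        print(alert)
```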

UNIT V INTRUSION PREVENTION


Firewalls and Intrusion Prevention Systems: Need for Firewalls – Firewall Characteristics and Access
Policy – Types of Firewalls – Firewall Basing – Firewall Location and Configurations – Intrusion
Prevention Systems – Example Unified Threat Management Products.

A firewall is a network security device, either hardware or software-based, which monitors all
incoming and outgoing traffic and, based on a defined set of security rules, accepts, rejects or drops
that specific traffic.
o Accept: allow the traffic
o Reject: block the traffic but reply with an "unreachable error"
o Drop: block the traffic with no reply
A firewall establishes a barrier between secured internal networks and outside untrusted networks,
such as the Internet.
Before firewalls, network security was performed by Access Control Lists (ACLs) residing on
routers. ACLs are rules that determine whether network access should be granted or denied to specific
IP addresses. But ACLs cannot determine the nature of the packets they block, and an ACL alone does
not have the capacity to keep threats out of the network. Hence, the firewall was introduced.
Connectivity to the Internet is no longer optional for organizations. However, while accessing the
Internet provides benefits to the organization, it also enables the outside world to interact with the
organization's internal network. This creates a threat to the organization. In order to secure the internal
network from unauthorized traffic, we need a firewall.
How does Firewall work?
The firewall matches network traffic against the rule set defined in its table. Once a rule is matched,
the associated action is applied to the traffic. For example, one rule may state that no employee
from the HR department can access data on the code server, while another rule states that the system
administrator can access data from both the HR and technical departments. Rules are defined on the
firewall according to the needs and security policies of the organization.
From the perspective of a server, network traffic can be either outgoing or incoming, and the firewall
maintains a distinct set of rules for each case. Outgoing traffic, originating from the server itself, is
mostly allowed to pass. Still, setting rules on outgoing traffic is always better in order to achieve more
security and prevent unwanted communication.
Incoming traffic is treated differently. Most traffic that reaches the firewall uses one of three major
transport layer protocols: TCP, UDP or ICMP. All of these carry a source address and a destination
address; TCP and UDP additionally carry port numbers, while ICMP uses a type code instead of a port
number to identify the purpose of the packet.
Default policy: It is very difficult to explicitly cover every possible case with rules on the firewall, so
the firewall must always have a default policy. The default policy consists only of an action
(accept, reject or drop). Suppose no rule is defined on the firewall about SSH connections to the server;
the firewall will then follow the default policy. If the default policy is set to accept, any
computer outside your office can establish an SSH connection to the server. Therefore, setting the
default policy to drop (or reject) is always a good practice.
Generation of Firewall
Firewalls can be categorized based on their generation.
1. First Generation - Packet Filtering Firewall: A packet filtering firewall is used to control
network access by monitoring outgoing and incoming packets and allowing them to pass or
stop based on source and destination IP address, protocol, and port. It analyses traffic at the
transport protocol layer (but mainly uses the first three layers). Packet filtering firewalls treat
each packet in isolation; they have no ability to tell whether a packet is part of an existing
stream of traffic and can only allow or deny packets based on the individual packet headers.
A packet filtering firewall maintains a filtering table that decides whether a packet will be
forwarded or discarded. From the given filtering table, packets are filtered according to the
following rules:
   a. Incoming packets from network 192.168.21.0 are blocked.
   b. Incoming packets destined for the internal TELNET server (port 23) are blocked.
   c. Incoming packets destined for host 192.168.21.3 are blocked.
   d. All well-known services to the network 192.168.21.0 are allowed.
2. Second Generation - Stateful Inspection Firewall: Stateful firewalls (which perform stateful
packet inspection) are able to determine the connection state of a packet, unlike packet filtering
firewalls, which makes them more efficient. A stateful firewall keeps track of the state of network
connections travelling across it, such as TCP streams, so filtering decisions are based not only
on the defined rules but also on the packet's history in the state table.
3. Third Generation - Application Layer Firewall: An application layer firewall can inspect and
filter packets on any OSI layer, up to the application layer. It has the ability to block
specific content and to recognize when certain applications and protocols (like HTTP, FTP) are
being misused. In other words, application layer firewalls are hosts that run proxy servers. A
proxy firewall prevents direct connections between either side of the firewall; each packet
has to pass through the proxy. It can allow or block the traffic based on predefined
rules. Note: Application layer firewalls can also be used as a Network Address
Translator (NAT).
4. Next Generation Firewalls (NGFW): Next generation firewalls are being deployed these
days to stop modern security breaches like advanced malware attacks and application-layer
attacks. An NGFW consists of deep packet inspection, application inspection, SSL/SSH
inspection and many other functionalities to protect the network from these modern threats.
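The packet-filtering table above and the default policy discussed earlier, implemented as a small first-generation filter, with a stateful variant alongside it to show what the second generation adds (an added example, not code from the notes; the addresses and traffic samples are constructed, and the reject/drop distinction follows the accept/reject/drop definitions given earlier):

```python
"""Packet filter built from the filtering table in the notes, with default
policy 'drop', plus a stateful variant that remembers outbound connections.

Added example, not from the original notes. The rule table is the one listed
for network 192.168.21.0; all traffic samples are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" (arriving from outside) or "out" (leaving the internal network)
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = True    # TCP only: True on the first segment of a new connection


def in_net(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


WELL_KNOWN = range(0, 1024)

# The filtering table from the notes, checked top to bottom; first match wins.
# Each entry is (rule text, predicate on the packet, action).
FILTER_TABLE = [
    ("incoming packets from network 192.168.21.0 are blocked",
     lambda p: p.direction == "in" and in_net(p.src, "192.168.21.0/24"), "drop"),
    ("incoming packets for the internal TELNET server (port 23) are blocked",
     lambda p: p.direction == "in" and p.proto == "tcp" and p.dport == 23, "reject"),
    ("incoming packets for host 192.168.21.3 are blocked",
     lambda p: p.direction == "in" and p.dst == "192.168.21.3", "drop"),
    ("well-known services to network 192.168.21.0 are allowed",
     lambda p: p.direction == "in" and in_net(p.dst, "192.168.21.0/24") and p.dport in WELL_KNOWN, "accept"),
]
DEFAULT_POLICY = "drop"     # nothing that fails to match a rule gets through


def stateless_filter(pkt):
    """First-generation behaviour: each packet is judged on its headers alone."""
    if pkt.direction == "out":
        return "accept", "outgoing traffic allowed"
    for text, matches, action in FILTER_TABLE:
        if matches(pkt):
            return action, text
    return DEFAULT_POLICY, "default policy"


class StatefulFirewall:
    """Second-generation behaviour: remembers outbound connections so that their
    replies are accepted even though no incoming rule allows them, and drops
    mid-stream TCP segments that belong to no known connection."""

    def __init__(self):
        self.state = set()     # (proto, internal ip, internal port, remote ip, remote port)

    def filter(self, pkt):
        if pkt.direction == "out":
            self.state.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "accept", "outgoing traffic allowed; connection recorded"
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.state:
            return "accept", "reply to an established connection"
        if pkt.proto == "tcp" and not pkt.syn:
            return "drop", "TCP segment with no matching connection"
        return stateless_filter(pkt)       # new connections still go through the table


# Constructed samples, one per rule plus one that falls through to the default policy.
SAMPLES = [
    Packet("in", "tcp", "192.168.21.7", 40000, "192.168.21.10", 80),   # rule a: internal source seen on the outside
    Packet("in", "tcp", "203.0.113.5", 40001, "192.168.21.10", 23),    # rule b: telnet
    Packet("in", "tcp", "203.0.113.5", 40002, "192.168.21.3", 80),     # rule c: protected host
    Packet("in", "tcp", "203.0.113.5", 40003, "192.168.21.10", 80),    # rule d: web, allowed
    Packet("in", "tcp", "203.0.113.5", 40004, "192.168.21.10", 8080),  # no rule: default policy
]
OUTBOUND = Packet("out", "tcp", "192.168.21.10", 51000, "198.51.100.20", 443)
REPLY = Packet("in", "tcp", "198.51.100.20", 443, "192.168.21.10", 51000, syn=False)


def compare(samples):
    """Return {index: (stateless action, stateful action)} for a fresh stateful firewall."""
    fw = StatefulFirewall()
    return {i: (stateless_filter(p)[0], fw.filter(p)[0]) for i, p in enumerate(samples)}


if __name__ == "__main__":
    for i, (stateless, stateful) in compare(SAMPLES + [OUTBOUND, REPLY]).items():
        print(i, stateless, stateful)
```

The reply packet is the point of the comparison: the stateless filter drops it under the default policy because port 51000 is not a well-known service, while the stateful firewall accepts it because it remembers the outbound connection.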
What is Magic Firewall?
“Magic Firewall” is a term used to describe a security feature provided by the web hosting and
security company Cloudflare. It is a cloud-based firewall that provides protection against a wide range
of security threats, including DDoS attacks, SQL injections, cross-site scripting (XSS), and other
types of attacks that target web applications.
The Magic Firewall works by analyzing traffic to a website and using a set of predefined rules to
identify and block malicious traffic. The rules are based on threat intelligence from a variety of
sources, including the company’s own threat intelligence network, and can be customized by website
owners to meet their specific security needs.
The Magic Firewall is considered “magic” because it is designed to work seamlessly and invisibly to
website visitors, without any noticeable impact on website performance. It is also easy to set up and
manage, and can be accessed through Cloudflare’s web-based control panel.
Overall, the Magic Firewall is a powerful security tool that provides website owners with an
additional layer of protection against a variety of security threats.
Types of Firewall
Firewalls are generally of two types: Host-based and Network-based.
1. Host-based Firewalls: A host-based firewall is installed on each network node and controls
each incoming and outgoing packet. It is a software application or suite of applications that
often comes as part of the operating system. Host-based firewalls are needed because network
firewalls cannot provide protection inside a trusted network. A host firewall protects each host
from attacks and unauthorized access.
2. Network-based Firewalls: Network firewalls function at the network level. In other words,
these firewalls filter all incoming and outgoing traffic across the network. They protect the
internal network by filtering traffic using rules defined on the firewall. A network firewall
might have two or more network interface cards (NICs). A network-based firewall is usually a
dedicated system with proprietary software installed.
Advantages of using Firewall
1. Protection from unauthorized access: Firewalls can be set up to restrict incoming traffic
from particular IP addresses or networks, preventing hackers or other malicious actors from
easily accessing a network or system.
2. Prevention of malware and other threats: Firewalls can be set up to block traffic linked to
known malware or other security concerns, assisting in the defense against these kinds of
attacks.
3. Control of network access: By limiting access to specified individuals or groups for
particular servers or applications, firewalls can be used to restrict access to particular network
resources or services.
4. Monitoring of network activity: Firewalls can be set up to record and keep track of all
network activity. This information is essential for identifying and looking into security
problems and other kinds of shady behavior.
5. Regulation compliance: Many industries are bound by rules that demand the usage of
firewalls or other security measures. Organizations can comply with these rules and prevent
any fines or penalties by using a firewall.
6. Network segmentation: By using firewalls to split up a bigger network into smaller subnets,
the attack surface is reduced and the security level is raised.
Disadvantages of using Firewall
1. Complexity: Setting up and keeping up a firewall can be time-consuming and difficult,
especially for bigger networks or companies with a wide variety of users and devices.
2. Limited Visibility: Firewalls may not be able to identify or stop security risks that operate at
other levels, such as the application or endpoint level, because they can only observe and
manage traffic at the network level.
3. False sense of security: Some businesses may place an excessive amount of reliance on their
firewall and disregard other crucial security measures like endpoint security or intrusion
detection systems.
4. Limited adaptability: Because firewalls are frequently rule-based, they might not be able to
respond to fresh security threats.
5. Performance impact: Network performance can be significantly impacted by firewalls,
particularly if they are set up to analyze or manage a lot of traffic.
6. Limited scalability: Because firewalls are only able to secure one network, businesses that
have several networks must deploy many firewalls, which can be expensive.
7. Limited VPN support: Some firewalls might not allow complex VPN features like split
tunneling, which could restrict the experience of a remote worker.
8. Cost: Purchasing many devices or add-on features for a firewall system can be expensive,
especially for businesses.
Real-Time Applications of Firewall
1. Corporate networks: Many businesses employ firewalls to guard against unwanted access
and other security risks on their corporate networks. These firewalls can be set up to only
permit authorized users to access particular resources or services and to prevent traffic from
particular IP addresses or networks.
2. Government organizations: Government organizations frequently employ firewalls to
safeguard sensitive data and to adhere to rules like HIPAA or PCI-DSS. They might make use
of cutting-edge firewalls like Next-generation firewalls (NGFW), which can detect and stop
intrusions as well as manage access to particular data and apps.
3. Service providers: Firewalls are used by service providers to safeguard their networks and
the data of their clients, including ISPs, cloud service providers, and hosting firms. They
might make use of firewalls that accommodate enormous volumes of traffic and support
advanced features such as VPN and load balancing.
4. Small enterprises: Small firms may use firewalls to separate their internal networks, restrict
access to specific resources or applications, and defend their networks from external threats.
5. Networks at home: To guard against unwanted access and other security risks, many home
users employ firewalls. A firewall that many routers have built in can be set up to block
incoming traffic and restrict access to the network.
6. Industrial Control Systems (ICS): Firewalls are used to safeguard industrial control systems
against illegal access and cyberattacks in many vital infrastructures, including power plants,
water treatment facilities, and transportation systems.

Need for a Firewall
A firewall is firmware or software that forms an essential part of a computer network’s security
system. In simple terms, it acts as an intermediary, or wall of separation, between the insecure Internet
and a secure internal network, which may be a single computer, a company network, or a home
network. Separating the Internet from your internal network traffic is the default function of most
firewalls. However, you can change the default settings to allow selected trustworthy networks through
the firewall, creating controlled openings that let certain traffic pass without compromising the
network’s safety.
Importance of Using a Firewall :
The following points explain the importance of firewalls.
Feature-1 :
Monitoring Network Traffic –
Firewall security starts with effective monitoring of network traffic based on pre-established rules and
filters to keep the systems protected. Monitoring of network traffic involves the following security
measures.
1. Source or destination-based blocking of incoming network traffic –
This is the most common feature of most firewalls: the firewall blocks incoming traffic by
looking at its source or destination.
2. Outgoing network traffic can be blocked based on the source or destination –
Many firewalls can also filter data between your internal network and the Internet. You might,
for example, want to keep employees from visiting inappropriate websites.
3. Block network traffic based on content –
More modern firewalls can screen network traffic for inappropriate content and block traffic
depending on that. A firewall that is integrated with a virus scanner, for example, can prevent
virus-infected files from entering your network. Other firewalls work in tandem with e-mail
services to filter out unwanted messages.
4. Report on network traffic and firewall activities –
When filtering network traffic to and from the Internet, it’s also crucial to know what your
firewall is doing, who tried to break into your network, and who tried to view prohibited
information on the Internet. A reporting mechanism of some sort is included in almost all
firewalls.
Feature-2 :
Stops Virus Attacks and spyware –
With cyber thieves creating hundreds of thousands of new threats every day, including spyware,
viruses, and other attacks like email bombs, denial of service, and malicious macros, it’s critical that
you put protections in place to keep your systems safe. The number of entry points criminals can
exploit to get access to your systems grows as your systems become more complicated and strong.
Spyware and malware programs designed to penetrate your networks, manage your devices, and steal
your data are one of the most common ways unwelcome persons obtain access. Firewalls are a
crucial line of defense against malicious software.
Feature-3 :
Preventing Hacks –
Cyber threats are evolving at a fast pace and are widespread. Firewalls keep hackers out of your data,
emails, systems, and other sensitive information. A firewall can either entirely block a hacker or push
them to choose a more vulnerable target.
Feature-4 :
Promotes Privacy –
Having a firewall keeps data safe and builds a trustworthy environment of privacy, whereas a system
without a firewall accepts every connection into the network from anyone. Without a firewall, there
would be no way to detect incoming threats. As a result, malicious users may be able to gain access to
your devices and thereby compromise privacy. It’s critical to take advantage of existing defenses to
safeguard your network and the personal information stored on your computer against cybercrime.

Characteristics of Firewall
1. Physical Barrier: A firewall does not allow any external traffic to enter a system or a
network without its allowance. A firewall creates a choke point for all the external data trying
to enter the system or network and hence can easily block access if needed.
2. Multi-Purpose: A firewall has many functions other than security purposes. It configures
domain names and Internet Protocol (IP) addresses. It also acts as a network address
translator. It can act as a meter for internet usage.
3. Flexible Security Policies: Different local systems or networks need different security
policies. A firewall can be modified according to the requirement of the user by changing its
security policies.
4. Security Platform: It provides a platform from which any alert to the issue related to security
or fixing issues can be accessed. All the queries related to security can be kept under check
from one place in a system or network.
5. Access Handler: Determines which traffic should flow first according to priority, and this priority
can be changed for a particular network or system. Specific action requests may be initiated and
allowed to flow through the firewall.

Firewall Design Principles
1. Developing Security Policy
Security policy is a very essential part of firewall design. Security policy is designed according to the
requirement of the company or client to know which kind of traffic is allowed to pass. Without a
proper security policy, it is impossible to restrict or allow a specific user or worker in a company
network or anywhere else. A properly developed security policy also knows what to do in case of
a security breach. Without it, there is an increase in risk as there will not be a proper implementation
of security solutions.
2. Simple Solution Design
If the design of the solution is complex, then it will be difficult to implement. If the solution is simple,
then it will be easier to implement. A simple design is also easier to maintain: we can upgrade a simple
design to meet new threats while leaving it with an efficient but still simple structure. The problem
that comes with complex designs is configuration errors that open a path for external attacks.
3. Choosing the Right Device
Every network security device has its purpose and its way of implementation. If we use the wrong
device for a problem, the network becomes vulnerable. If an outdated device is used when designing a
firewall, it exposes the network to risk and is almost useless. The design must be done first and the
product requirements derived from it; if a product that happens to be available is forced to fit the
design, security becomes weak.
4. Layered Defense
A network defense must be multiple-layered in the modern world because if the security is broken, the
network will be exposed to external attacks. Multilayer security design can be set to deal with
different levels of threat. It gives an edge to the security design and finally neutralizes the attack on
the system.
5. Consider Internal Threats
A lot of attention is given to safeguarding the network or device from external attacks, while security
stays weak against internal attacks; most attacks are done internally because internal access is easy
and internal security is weakly designed. Different levels can be set in network security while
designing internal security. Filtering can be added to keep track of the traffic moving from lower-level
security zones to higher-level ones.

Types of Firewalls
1. Packet-filtering firewall
A Packet-filtering firewall filters all incoming and outgoing network packets. It tests them based on a
set of rules that include IP address, IP protocol, port number, and other aspects of the packet. If the
packet passes the test, the firewall allows it to proceed to its destination and rejects those that do not
pass it.
Benefits of a Packet-filtering firewall
• Quick and inexpensive
• Oldest and most fundamental firewall
• Protection against advanced threats is limited
2. Stateful Multi-Layer Inspection (SMLI)
Stateful Multi-Layer Inspection firewall employs packet inspection technology and TCP handshake
verification to provide protection. These firewalls, also known as dynamic packet filtering, examine
each network packet to determine whether it belongs to an existing TCP or another network session.
The SMLI firewall creates a state table to store session information like source and destination IP
address, port number, destination port number, etc.
Benefits of Stateful inspection
• Reduced traffic flow
• High-level protection
• Consumes significant system resources
• Provides extensive logging capabilities
3. Stateless firewall
Stateless firewalls monitor the network traffic and analyze each data packet’s source, destination, and
other details to determine whether a threat is present. These firewalls can recognize packet state and
TCP connection stages, integrate encryption, and other essential updates.
Benefits of Stateless firewall
• Less complex
• Easy to implement
• Fast performance delivery
• Performs effectively in heavy traffic situations
4. Application-level gateway (Proxy firewall)
Application-level gateway, also called Proxy firewall, is used to protect data at the application level. It
protects from potential internet hackers by not disclosing our computer’s identity (IP address). Proxy
firewalls analyze the context and content of data packets and compare them to a set of previously
defined rules using stateful and deep packet inspection. They either permit or reject a package based
on the outcome. Because this firewall checks the payload of received data packets, it is much slower
than a packet-filtering firewall.
Benefits of Application-level gateways
• Safest firewall
• Deep packet inspection
• Significant slowdowns
• Safeguards resource identity and location
5. Circuit-level gateway
Circuit-level gateway validates established Transmission Control Protocol (TCP) connections. These
firewalls typically operate at the OSI model’s session level, verifying Transmission Control Protocol
(TCP) and User Datagram Protocol (UDP) connections and sessions. These firewalls are implemented
as security software or as pre-installed firewalls. Like packet filtering firewalls, these firewalls do not
examine the actual data packet but observe the information about the transaction.
Benefits of Circuit-level gateway
• Simple and inexpensive
• A single form of protection is insufficient
• Setup and management are simple
6. Next-Generation Firewall (NGFW)
The most common type of firewall available today is the Next-Generation Firewall (NGFW), which
provides higher security levels than packet-filtering and stateful inspection firewalls. An NGFW is a
deep-packet inspection firewall with additional features such as application awareness and control,
integrated intrusion prevention, advanced visibility of their network, and cloud-delivered threat
intelligence. This type of firewall is typically defined as a security device that combines the features
and functionalities of multiple firewalls. NGFW monitors the entire data transaction, including packet
headers, contents, and sources.
Benefits of Next-Generation Firewall
• Blocks malware
• Recognizes Advanced Persistent Threats (APTs)
• Less expensive
• Financially beneficial
7. Cloud firewall
A Cloud firewall, also known as FaaS (firewall-as-service), is a firewall that is designed using a cloud
solution for network protection. Third-party vendors typically manage and operate cloud firewalls on
the internet, and they are configured based on the requirements. Today, most businesses use cloud
firewalls to protect their private networks or overall cloud infrastructure.
Benefits of Cloud firewall
• Unified security policy
• Flexible deployment
• Simplified deployment and maintenance
• Improved scalability
• Automatic updates
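The packet-filtering and stateful multi-layer inspection types described above, as an added example that is not part of the original notes: a first-match, default-deny rule table evaluated statelessly, beside a stateful firewall that keeps a session table and verifies the TCP handshake. The protected network 10.0.0.0/8, all addresses, ports, rule sets and the three sample packets are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

INTERNAL_NET = "10.0.0.0/8"   # constructed: the protected network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False         # TCP SYN flag (connection attempt)
    ack: bool = False         # TCP ACK flag


def _in_range(port: int, rng: Optional[Tuple[int, int]]) -> bool:
    return rng is None or rng[0] <= port <= rng[1]


@dataclass(frozen=True)
class Rule:
    """One packet-filter rule; a None field matches anything."""
    action: str               # "allow" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    sport: Optional[Tuple[int, int]] = None   # inclusive (low, high)
    dport: Optional[Tuple[int, int]] = None

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == pkt.proto)
                and _in_range(pkt.sport, self.sport)
                and _in_range(pkt.dport, self.dport))


def stateless_filter(rules, pkt: Packet) -> str:
    """First matching rule wins; an unmatched packet is dropped (default deny)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Constructed stateless policy: inside hosts may reach HTTPS servers. The filter has
# no memory of the request, so replies can only come back through a second rule that
# opens every high port on every inside host to any packet claiming to come from 443.
STATELESS_RULES = [
    Rule("allow", src=INTERNAL_NET, proto="tcp", dport=(443, 443)),
    Rule("allow", dst=INTERNAL_NET, proto="tcp", sport=(443, 443), dport=(1024, 65535)),
]


class StatefulFirewall:
    """Outbound packets are checked against the rules and recorded in a state table;
    an inbound packet is admitted only if it reverses a recorded session and its TCP
    flags fit that session's handshake stage, so no blanket reply rule is needed."""

    def __init__(self, outbound_rules):
        self.rules = outbound_rules
        self.table = {}       # (src, sport, dst, dport, proto) -> session state

    def process(self, pkt: Packet) -> str:
        if ip_address(pkt.src) in ip_network(INTERNAL_NET):          # outbound
            if stateless_filter(self.rules, pkt) != "allow":
                return "deny"
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
            if key not in self.table:
                if pkt.proto == "tcp" and not (pkt.syn and not pkt.ack):
                    return "deny"     # a new TCP session must open with a bare SYN
                self.table[key] = "SYN_SENT" if pkt.proto == "tcp" else "ESTABLISHED"
            return "allow"
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)    # inbound: reverse tuple
        state = self.table.get(key)
        if state is None:
            return "deny"             # nobody inside asked for this
        if state == "SYN_SENT":
            if not (pkt.syn and pkt.ack):
                return "deny"         # handshake verification: the reply must be SYN/ACK
            self.table[key] = "ESTABLISHED"
        return "allow"


def demo():
    """Push the same three constructed packets through both filters."""
    client, server, attacker = "10.0.0.5", "203.0.113.10", "198.51.100.7"
    request = Packet(client, server, "tcp", 51000, 443, syn=True)
    reply = Packet(server, client, "tcp", 443, 51000, syn=True, ack=True)
    # Unsolicited packet dressed up as a reply: source port 443, high destination port
    probe = Packet(attacker, client, "tcp", 443, 51000, syn=True, ack=True)
    samples = (("request", request), ("reply", reply), ("probe", probe))
    stateless = {name: stateless_filter(STATELESS_RULES, p) for name, p in samples}
    fw = StatefulFirewall([Rule("allow", src=INTERNAL_NET, proto="tcp", dport=(443, 443))])
    stateful = {name: fw.process(p) for name, p in samples}
    return stateless, stateful
```

demo() returns one decision dict per filter: the stateless policy admits the forged reply because its blanket return-traffic rule matches, while the stateful firewall rejects it because no inside host opened that session.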

1. Packet Filters –
It is a technique used to control network access by monitoring outgoing and incoming packets
and allowing them to pass or halt based on the source and destination Internet Protocol (IP)
addresses, protocols, and ports. This firewall is also known as a static firewall.

2. Stateful Inspection Firewalls –
It is also a type of packet filtering which is used to control how data packets move through a
firewall. It is also called dynamic packet filtering. These firewalls can inspect whether a packet
belongs to a particular session or not. Communication is permitted only if the session is
properly established between the two endpoints; otherwise it is blocked.

3. Application Layer Firewalls –
These firewalls can examine application layer (OSI model) information such as an HTTP
request. If one finds a suspicious application that could harm our network or that is not safe
for our network, it is blocked right away.

4. Next-generation Firewalls –
These firewalls are called intelligent firewalls. These firewalls can perform all the tasks that
are performed by the other types of firewalls that we learned previously but on top of that, it
includes additional features like application awareness and control, integrated intrusion
prevention, and cloud-delivered threat intelligence.

5. Circuit-level gateways –
A circuit-level gateway is a firewall that provides User Datagram Protocol (UDP) and
Transmission Control Protocol (TCP) connection security and works between an Open
Systems Interconnection (OSI) network model’s transport and application layers such as the
session layer.

6. Software Firewall –
The software firewall is a type of computer software that runs on our computers. It protects
our system from any external attacks such as unauthorized access, malicious attacks, etc. by
notifying us about the danger that can occur if we open a particular mail or if we try to open a
website that is not secure.

7. Hardware Firewall –
A hardware firewall is a physical appliance that is deployed to enforce a network boundary.
All network links crossing this boundary pass-through this firewall, which enables it to
perform an inspection of both inbound and outbound network traffic and enforce access
controls and other security policies.

8. Cloud Firewall –
These are software-based, cloud-deployed network devices. This cloud-based firewall
protects a private network from any unwanted access. Unlike traditional firewalls, a cloud
firewall filters data at the cloud level.

FIREWALL BASING
It is common to base a firewall on a stand-alone machine running a common operating system, such
as UNIX or Linux. Firewall functionality can also be implemented as a software module in a router or
LAN switch. In this section, we look at some additional firewall basing considerations.

Bastion Host
A bastion host is a system identified by the firewall administrator as a critical strong point in the
network’s security. Typically, the bastion host serves as a platform for an application-level or
circuit-level gateway. Common characteristics of a bastion host are as follows:
• The bastion host hardware platform executes a secure version of its operating system, making it a
hardened system.
• Only the services that the network administrator considers essential are installed on the bastion host.
These could include proxy applications for DNS, FTP, HTTP, and SMTP.
• The bastion host may require additional authentication before a user is allowed access to the proxy
services. In addition, each proxy service may require its own authentication before granting user
access.
• Each proxy is configured to support only a subset of the standard application’s command set.
• Each proxy is configured to allow access only to specific host systems. This means that the limited
command/feature set may be applied only to a subset of systems on the protected network.
• Each proxy maintains detailed audit information by logging all traffic, each connection, and the
duration of each connection. The audit log is an essential tool for discovering and terminating intruder
attacks.
• Each proxy module is a very small software package specifically designed for network security.
Because of its relative simplicity, it is easier to check such modules for security flaws. For example, a
typical UNIX mail application may contain over 20,000 lines of code, while a mail proxy may contain
fewer than 1000.
• Each proxy is independent of other proxies on the bastion host. If there is a problem with the
operation of any proxy, or if a future vulnerability is discovered, it can be uninstalled without affecting
the operation of the other proxy applications. Also, if the user population requires support for a new
service, the network administrator can easily install the required proxy on the bastion host.
• A proxy generally performs no disk access other than to read its initial configuration file. Hence, the
portions of the file system containing executable code can be made read only. This makes it difficult
for an intruder to install Trojan horse sniffers or other dangerous files on the bastion host.
• Each proxy runs as a nonprivileged user in a private and secured directory on the bastion host.

Host-Based Firewalls
A host-based firewall is a software module used to secure an individual host. Such modules are
available in many operating systems or can be provided as an add-on package. Like conventional
stand-alone firewalls, host-resident firewalls filter and restrict the flow of packets. A common location
for such firewalls is a server. There are several advantages to the use of a server-based or
workstation-based firewall:
• Filtering rules can be tailored to the host environment. Specific corporate security policies for
servers can be implemented, with different filters for servers used for different applications.
• Protection is provided independent of topology. Thus both internal and external attacks must pass
through the firewall.
• Used in conjunction with stand-alone firewalls, the host-based firewall provides an additional layer
of protection. A new type of server can be added to the network, with its own firewall, without the
necessity of altering the network firewall configuration.
Personal Firewall
A personal firewall controls the traffic between a personal computer or workstation on one side and
the Internet or enterprise network on the other side. Personal firewall functionality can be used in the
home environment and on corporate intranets. Typically, the personal firewall is a software module on
the personal computer. In a home environment with multiple computers connected to the Internet,
firewall functionality can also be housed in a router that connects all of the home computers to a DSL,
cable modem, or other Internet interface.
Personal firewalls are typically much less complex than either server-based firewalls or stand-alone
firewalls. The primary role of the personal firewall is to deny unauthorized remote access to the
computer. The firewall can also monitor outgoing activity in an attempt to detect and block worms and
other malware.
An example of a personal firewall is the capability built in to the Mac OS X operating system. When
the user enables the personal firewall in Mac OS X, all inbound connections are denied except for
those the user explicitly permits. Figure 22.2 shows this simple interface. The list of inbound services
that can be selectively reenabled, with their port numbers, includes the following:
• Personal file sharing (548, 427)
• Windows sharing (139)
• Personal Web sharing (80, 427)
• Remote login - SSH (22)
• FTP access (20-21, 1024-64535 from 20-21)
• Remote Apple events (3031)
• Printer sharing (631, 515)
• IChat Rendezvous (5297, 5298)
• ITunes Music Sharing (3869)
• CVS (2401)
• Gnutella/Limewire (6346)
• ICQ (4000)
• IRC (194)
• MSN Messenger (6891-6900)
• Network Time (123)
• Retrospect (497)
• SMB (without netbios-445)
• Timbuktu (407)
• VNC (5900-5902)
• WebSTAR Admin (1080, 1443)

When FTP access is enabled, ports 20 and 21 on the local machine are opened for FTP; if others
connect to this computer from ports 20 or 21, the ports 1024 through 64535 are open.
For increased protection, advanced firewall features are available through easy-to-configure
checkboxes. Stealth mode hides the Mac on the Internet by dropping unsolicited communication
packets, making it appear as though no Mac is present. UDP packets can be blocked, restricting
network traffic to TCP packets only for open ports. The firewall also supports logging, an important
tool for checking on unwanted activity.

FIREWALL LOCATION AND CONFIGURATIONS
As Figure 22.1a indicates, a firewall is positioned to provide a protective barrier between an external,
potentially untrusted source of traffic and an internal network. With that general principle in mind, a
security administrator must decide on the location and on the number of firewalls needed. In this
section, we look at some common options.

DMZ Networks
Figure 22.3 suggests the most common distinction, that between an internal and an external firewall.
An external firewall is placed at the edge of a local or enterprise network, just inside the boundary
router that connects to the Internet or some wide area network (WAN). One or more internal firewalls
protect the bulk of the enterprise network. Between these two types of firewalls are one or more
networked devices in a region referred to as a DMZ (demilitarized zone) network. Systems that are
externally accessible but need some protection are usually located on DMZ networks. Typically, the
systems in the DMZ require or foster external connectivity, such as a corporate Web site, an e-mail
server, or a DNS (domain name system) server.
The external firewall provides a measure of access control and protection for the DMZ systems
consistent with their need for external connectivity. The external firewall also provides a basic level of
protection for the remainder of the enterprise network. In this type of configuration, internal firewalls
serve three purposes:
1. The internal firewall adds more stringent filtering capability, compared to the external firewall, in
order to protect enterprise servers and workstations from external attack.
2. The internal firewall provides two-way protection with respect to the DMZ. First, the internal
firewall protects the remainder of the network from attacks launched from DMZ systems. Such attacks
might originate from worms, rootkits, bots, or other malware lodged in a DMZ system. Second, an
internal firewall can protect the DMZ systems from attack from the internal protected network.
3. Multiple internal firewalls can be used to protect portions of the internal network from each other.
For example, firewalls can be configured so that internal servers are protected from internal
workstations and vice versa. A common practice is to place the DMZ on a different network interface
on the external firewall from that used to access the internal networks.
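The double-bastion DMZ layout described above, modelled as an added example that is not part of the original notes: three zones, an allow-list per firewall, and a path table stating which firewalls a flow must cross, so an Internet-to-internal flow has to clear both. Zone names, ports and both rule sets are constructed assumptions; the model covers the first two purposes of the internal firewall (tighter filtering, and two-way protection with respect to the DMZ) and treats each firewall as a stateless allow-list.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src_zone: str             # "internet", "dmz" or "internal"
    dst_zone: str
    proto: str                # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class ZoneRule:
    src_zone: str
    dst_zone: str
    proto: str
    dports: Optional[Tuple[int, int]] = None   # inclusive (low, high); None = any port

    def matches(self, f: Flow) -> bool:
        return (f.src_zone == self.src_zone and f.dst_zone == self.dst_zone
                and f.proto == self.proto
                and (self.dports is None or self.dports[0] <= f.dport <= self.dports[1]))


# Which firewall(s) a flow crosses. The DMZ sits between the two bastions, so traffic
# between the Internet and the internal network must pass both of them in turn.
PATH = {
    ("internet", "dmz"): ("external",),
    ("dmz", "internet"): ("external",),
    ("dmz", "internal"): ("internal",),
    ("internal", "dmz"): ("internal",),
    ("internet", "internal"): ("external", "internal"),
    ("internal", "internet"): ("internal", "external"),
}

# Constructed allow-lists; anything a firewall does not list is denied by it.
POLICY = {
    "external": [
        ZoneRule("internet", "dmz", "tcp", (80, 80)),        # public web site
        ZoneRule("internet", "dmz", "tcp", (443, 443)),
        ZoneRule("internet", "dmz", "tcp", (25, 25)),        # inbound e-mail
        ZoneRule("internet", "dmz", "udp", (53, 53)),        # public DNS
        ZoneRule("dmz", "internet", "tcp", (25, 25)),        # outbound mail relay
        ZoneRule("internal", "internet", "tcp", (443, 443)),
    ],
    "internal": [
        ZoneRule("internal", "internet", "tcp", (443, 443)),  # browsing only
        ZoneRule("internal", "dmz", "tcp", (22, 22)),         # administration of DMZ hosts
        # deliberately no dmz -> internal rule: malware on a DMZ host cannot reach inward
    ],
}


def trace(flow: Flow, policy=POLICY):
    """Walk the flow through every firewall on its path. Returns ("allow", None)
    or ("deny", name_of_the_firewall_that_dropped_it)."""
    for fw in PATH[(flow.src_zone, flow.dst_zone)]:
        if not any(rule.matches(flow) for rule in policy[fw]):
            return ("deny", fw)
    return ("allow", None)


def defense_in_depth_check():
    """Even with a wide-open external firewall, the internal firewall still blocks a
    direct Internet -> internal connection: the second bastion is not optional."""
    permissive = dict(POLICY)                                    # POLICY itself is untouched
    permissive["external"] = [ZoneRule("internet", "internal", "tcp", None)]
    return trace(Flow("internet", "internal", "tcp", 3389), permissive)
```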
Virtual Private Networks
In today’s distributed computing environment, the virtual private network (VPN) offers an attractive
solution to network managers. In essence, a VPN consists of a set of computers that interconnect by
means of a relatively unsecure network and that make use of encryption and special protocols to
provide security. At each corporate site, workstations, servers, and databases are linked by one or
more local area networks (LANs). The Internet or some other public network can be used to
interconnect sites, providing a cost savings over the use of a private network and offloading the wide
area network management task to the public network provider. That same public network provides an
access path for telecommuters and other mobile employees to log on to corporate systems from remote
sites.
But the manager faces a fundamental requirement: security. Use of a public network exposes corporate
traffic to eavesdropping and provides an entry point for unauthorized users. To counter this problem, a
VPN is needed. In essence, a VPN uses encryption and authentication in the lower protocol layers to
provide a secure connection through an otherwise insecure network, typically the Internet. VPNs are
generally cheaper than real private networks using private lines but rely on having the same encryption
and authentication system at both ends. The encryption may be performed by firewall software or
possibly by routers. The most common protocol mechanism used for this purpose is at the IP level and
is known as IPsec.
An organization maintains LANs at dispersed locations. A logical means of implementing IPsec is in a
firewall, as shown in Figure 22.4, which essentially repeats Figure 19.1. If IPsec is implemented in a
separate box behind (internal to) the firewall, then VPN traffic passing through the firewall in both
directions is encrypted. In this case, the firewall is unable to perform its filtering function or other
security functions, such as access control, logging, or scanning for viruses. IPsec could be
implemented in the boundary router, outside the firewall. However, this device is likely to be less
secure than the firewall and thus less desirable as an IPsec platform.

Distributed Firewalls
A distributed firewall configuration involves stand-alone firewall devices plus host-based firewalls
working together under a central administrative control. Figure 22.5 suggests a distributed firewall
configuration. Administrators can configure host-resident firewalls on hundreds of servers and
workstations as well as configure personal firewalls on local and remote user systems. Tools let the
network administrator set policies and monitor security across the entire network. These firewalls
protect against internal attacks and provide protection tailored to specific machines and applications.
Stand-alone firewalls provide global protection, including internal firewalls and an external firewall,
as discussed previously.
With distributed firewalls, it may make sense to establish both an internal and an external DMZ. Web
servers that need less protection because they have less critical information on them could be placed in
an external DMZ, outside the external firewall. What protection is needed is provided by host-based
firewalls on these servers.
An important aspect of a distributed firewall configuration is security monitoring. Such monitoring
typically includes log aggregation and analysis, firewall statistics, and fine-grained remote monitoring
of individual hosts if needed.

Summary of Firewall Locations and Topologies
We can now summarize the discussion from Sections 22.4 and 22.5 to define a spectrum of firewall
locations and topologies. The following alternatives can be identified:
• Host-resident firewall: This category includes personal firewall software and firewall software on
servers. Such firewalls can be used alone or as part of an in-depth firewall deployment.
• Screening router: A single router between internal and external networks with stateless or full
packet filtering. This arrangement is typical for small office/home office (SOHO) applications.
• Single bastion inline: A single firewall device between an internal and external router (e.g., Figure
22.1a). The firewall may implement stateful filters and/or application proxies. This is the typical
firewall appliance configuration for small to medium-sized organizations.
• Single bastion T: Similar to single bastion inline but has a third network interface on the bastion to a
DMZ where externally visible servers are placed. Again, this is a common appliance configuration for
medium to large organizations.
• Double bastion inline: Figure 22.3 illustrates this configuration, where the DMZ is sandwiched
between bastion firewalls. This configuration is common for large businesses and government
organizations.
• Double bastion T: The DMZ is on a separate network interface on the bastion firewall. This
configuration is also common for large businesses and government organizations and may be
required. For example, this configuration is required for Australian government use (Australian
Government Information Technology Security Manual - ACSI33).
• Distributed firewall configuration: Illustrated in Figure 22.5. This configuration is used by some
large businesses and government organizations.

Intrusion Prevention System (IPS)
An Intrusion Prevention System is also known as an Intrusion Detection and Prevention System. It is a
network security application that monitors network or system activities for malicious activity. The
major functions of an intrusion prevention system are to identify malicious activity, collect information
about this activity, report it, and attempt to block or stop it.
Intrusion prevention systems are considered extensions of Intrusion Detection Systems (IDS), because
both IPS and IDS monitor network traffic and system activities for malicious activity. An IPS typically
records information related to observed events, notifies security administrators of important observed
events, and produces reports. Many IPS can also respond to a detected threat by attempting to prevent
it from succeeding. They use various response techniques, which involve the IPS stopping the attack
itself, changing the security environment, or changing the attack’s content.
How Does an IPS Work?
An IPS works by analyzing network traffic in real-time and comparing it against known attack
patterns and signatures. When the system detects suspicious traffic, it blocks it from entering the
network.
Types of IPS
There are two main types of IPS:
1. Network-Based IPS: A Network-Based IPS is installed at the network perimeter and
monitors all traffic that enters and exits the network.
2. Host-Based IPS: A Host-Based IPS is installed on individual hosts and monitors the traffic
that goes in and out of that host.
Why Do You Need an IPS?
An IPS is an essential tool for network security. Here are some reasons why:
 Protection Against Known and Unknown Threats: An IPS can block known threats and also
detect and block unknown threats that haven’t been seen before.
 Real-Time Protection: An IPS can detect and block malicious traffic in real-time, preventing
attacks from doing any damage.
 Compliance Requirements: Many industries have regulations that require the use of an IPS to
protect sensitive information and prevent data breaches.
 Cost-Effective: An IPS is a cost-effective way to protect your network compared to the cost of
dealing with the aftermath of a security breach.
 Increased Network Visibility: An IPS provides increased network visibility, allowing you to
see what’s happening on your network and identify potential security risks.
Classification of Intrusion Prevention System (IPS):
Intrusion Prevention Systems (IPS) are classified into 4 types:
1. Network-based intrusion prevention system (NIPS):
It monitors the entire network for suspicious traffic by analyzing protocol activity.
2. Wireless intrusion prevention system (WIPS):
It monitors a wireless network for suspicious traffic by analyzing wireless networking protocols.
3. Network behavior analysis (NBA):
It examines network traffic to identify threats that generate unusual traffic flows, such as distributed
denial of service attacks, specific forms of malware, and policy violations.
4. Host-based intrusion prevention system (HIPS):
It is a software package installed on a single host that monitors that host for suspicious activity by
scanning the events that occur within it.

Comparison of Intrusion Prevention System (IPS) Technologies:
The table below compares the four kinds of IPS technology:

| IPS Technology Type | Types of Malicious Activity Detected | Scope per Sensor | Strengths |
|---|---|---|---|
| Network-Based | Network, transport, and application TCP/IP layer activity | Multiple network subnets and groups of hosts | Only IDPS which can analyze the widest range of application protocols |
| Wireless | Wireless protocol activity; unauthorized wireless local area networks (WLAN) in use | Multiple WLANs and groups of wireless clients | Only IDPS able to predict wireless protocol activity |
| NBA | Network, transport, and application TCP/IP layer activity that causes anomalous network flows | Multiple network subnets and groups of hosts | Typically more effective than the others at identifying reconnaissance scanning and DoS attacks, and at reconstructing major malware infections |
| Host-Based | Host application and operating system (OS) activity; network, transport, and application TCP/IP layer activity | Individual host | Can analyze activity that was transferred in end-to-end encrypted communications |

Detection Method of Intrusion Prevention System (IPS):

1. Signature-based detection:
Signature-based detection inspects packets on the network and compares them against a
pre-built database of known attack patterns, called signatures.

2. Statistical anomaly-based detection:
Anomaly-based detection monitors network traffic and compares it against an established baseline.
The baseline defines what is normal for that network and which protocols are in use.
However, it may raise false alarms if the baseline is not configured intelligently.

3. Stateful protocol analysis detection:
This method identifies deviations from expected protocol state by comparing observed events
with pre-built profiles of generally accepted definitions of benign activity.

Comparison of IPS with IDS:
The main differences between an Intrusion Prevention System (IPS) and an Intrusion Detection System
(IDS) are:
1. Intrusion prevention systems are placed in-line and are able to actively prevent or block
intrusions that are detected.
2. IPS can take such actions as sending an alarm, dropping detected malicious packets, resetting
a connection or blocking traffic from the offending IP address.
3. IPS also can correct cyclic redundancy check (CRC) errors, defragment packet streams,
mitigate TCP sequencing issues and clean up unwanted transport and network layer options.
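The following is an added example (not from these notes) that puts the two detection methods above and the IDS/IPS distinction side by side: a signature lookup against a pre-built pattern, an anomaly score against a statistical baseline, and a decision that is either an alarm (IDS) or a drop (IPS). The flow records, the single directory-traversal signature and the byte-count baseline are all constructed for the demo.

```python
import re
import statistics
# Constructed flow records used as the "normal" baseline (hypothetical,
# not from the notes): (source IP, destination port, request line, bytes).
BASELINE_TRAFFIC = [
    ("10.0.0.5", 80, "GET /index.html", 512),
    ("10.0.0.5", 80, "GET /about.html", 498),
    ("10.0.0.7", 80, "GET /news.html", 530),
    ("10.0.0.9", 80, "GET /index.html", 505),
    ("10.0.0.12", 80, "GET /contact.html", 520),
]

# Signature-based detection: pre-built attack patterns each packet is compared
# against; here a single hypothetical directory-traversal signature.
SIGNATURES = {"path-traversal": re.compile(r"\.\./\.\./")}

def signature_match(request):
    """Return the name of the first signature the request matches, or None."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(request):
            return name
    return None

def build_baseline(records):
    """Statistical anomaly detection first learns what is normal: here the
    mean and standard deviation of bytes per flow."""
    sizes = [r[3] for r in records]
    return statistics.mean(sizes), statistics.stdev(sizes)

def anomaly_score(record, baseline):
    """How many standard deviations the flow size lies from the baseline mean."""
    mean, stdev = baseline
    if stdev == 0:  # degenerate baseline: anything that differs is 'anomalous'
        return 0.0 if record[3] == mean else float("inf")
    return abs(record[3] - mean) / stdev

def inspect(record, baseline, mode="ips", threshold=3.0):
    """Run both methods. An IDS only raises an alarm; an IPS sits in-line and
    can drop the packet, which is the difference the notes describe."""
    reason = signature_match(record[2])
    if reason is None and anomaly_score(record, baseline) > threshold:
        reason = "anomalous-volume"
    if reason is None:
        return ("allow", None)
    return ("drop" if mode == "ips" else "alert", reason)

if __name__ == "__main__":
    base = build_baseline(BASELINE_TRAFFIC)
    print(inspect(("10.0.0.9", 80, "GET /images/../../config", 540), base))
    print(inspect(("192.168.1.20", 80, "GET /index.html", 90000), base, mode="ids"))
```

A baseline built from only a few near-identical flows has a tiny standard deviation, so an ordinary 520-byte request scores far above the threshold and is flagged; that is the false-alarm case the notes warn about.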

Unified Threat Management Definition
Unified threat management (UTM) refers to combining multiple security features or services
into a single device within your network. Using UTM, your network’s users are protected by several
different features, including antivirus, content filtering, email and web filtering, anti-spam, and more.
UTM enables an organization to consolidate its IT security services into one device, potentially
simplifying the protection of the network. As a result, your business can monitor all threats and
security-related activity through a single pane of glass. In this way, you attain complete, simplified
visibility into all elements of your security or wireless architecture.
Unified threat management (UTM) offers a product approaching total security in a box, ideal for
small and midsize enterprises (SMEs). UTMs combine multiple network security functions in a single
appliance. Typical functions of UTM devices include intrusion prevention, antivirus, URL filtering,
and VPN functionality.
Many products that were once labeled UTM are now marketed as firewalls, but they still serve a
similar purpose. We’ve compiled our list of the six best UTM products for businesses and also
provide a guide for buyers to narrow down their options and select the best product for their team.
 SonicWall TZ Series Gen 7: Best overall
 WatchGuard Firebox M590/M690: Best for value
 Fortigate 900G: Best for enterprises
 Barracuda CloudGen Firewall F12A: Best for public cloud management
 Juniper Networks SRX2300: Best for edge networks
 Sophos XGS Desktop: Best for SMBs looking to scale
