LECTURE NOTES

ON

NETWORK SECURITY
 POSSIBLE ATTACKS ON COMPUTERS

INTRODUCTION:

➢ Computer data often travels from one computer to another, leaving the safety of its
protected physical surroundings.
➢ Once the data is out of hand, people with bad intention could modify or forge your data,
either for enjoyment or for their own benefit.
➢ Cryptography can reformat and transform our data, making it safer on its trip between
computers.
➢ The technology is based on the secret codes, modern mathematics that protects our data
in powerful ways.
➢ Computer Security - generic name for the collection of tools designed to protect data
and to prevent hackers.
➢ Network Security - measures to protect data during their transmission.
➢ Internet Security - measures to protect data during their transmission over a collection
of interconnected networks.

NEED FOR SECURITY:

Computer security basically is the protection of computer systems and information from harm,
theft, and unauthorized use. It is the process of preventing and detecting unauthorized use of
your computer system. Cyber security is defined as protecting computer systems, which
communicate over the computer networks.

Computer security is important because it keeps your information protected. It's

also important for your computer's overall health; proper computer security helps prevent viruses
and malware, which allows programs to run quicker and smoother.

SECURITY ATTACKS, SERVICES AND MECHANISMS:

To assess the security needs of an organization effectively, the manager responsible for security
needs some systematic way of defining the requirements for security and characterization of
approaches to satisfy those requirements. One approach is to consider three aspects of
information security:

➢ Security attack – Any action that compromises the security of information owned by an
organization.
➢ Security mechanism – A mechanism that is designed to detect, prevent or recover from a
security attack.
➢ Security service – A service that enhances the security of the data processing systems and

1
 the information transfers of an organization. The services are intended to counter security
attacks and they make use of one or more security mechanisms to provide the service.
➢ Security mechanisms have been defined by ITU-T (X 800). They used to implement
security services. Some of the security mechanisms defined by ITU-T (X 800) are shown
in the figure.

Encipherment: This refers to the transformation of the message or data with the help of
mathematical algorithms. The main aim of this mechanism is to provide confidentiality.
The two techniques that are used for encipherment are cryptography and steganography.

Data integrity: This refers to the method of ensuring the integrity of data. For this, the
sender computes a check value by applying some process over the data being sent, and
then appends this value to the data. On receiving the data, the receiver again computes the
check value by applying the same process over the received data. If the newly computed
check value is same as the received one, then it means that the integrity of data is
preserved.

Digital signature: This refers to the method of electronic signing of data by the sender
and electronic verification of the signature by the receiver. It provides information about
the author, date and time of the signature, so that the receiver can prove the sender's
identity.

Authentication exchange: This refers to the exchange of some information between two
communicating parties to prove their identity to each other.
Traffic padding: This refers to the insertion of extra bits into the stream of data traffic to
prevent traffic analysis attempts by attackers.

2
 Routing control: This refers to the selection of a physically secured route for data
transfer. It also allows changing of route if there is any possibility of eavesdropping on a
certain route.

Notarization: This refers to the selection of a trusted third party for ensuring secure
communication between two communicating parties.

Access control: It refers to the methods used to ensure that a user has the right to access
the data or resource.

PRINCIPLES OF SECURITY/ SECURITY SERVICES:

The classification of security services are as follows:

Confidentiality:

➢ The principle of confidentiality specifies that only the sender and the intended
recipient(s) should be able to access the contents of a message.
➢ Confidentiality gets compromised if an unauthorized person is able to access a
message.
➢ Unauthorized party could be a person, a program or a computer.
➢ Example: Suppose a confidential email message sent by user A to user B, which is
accessed by user C without the permission or knowledge of A and B. This type of
attack is called interception.
➢ Interception causes loss of message confidentiality.

Authentication
➢ Authentication mechanism helps to establish proof of identities.
➢ The authentication process ensures that the origin of a electronic message or
document is correctly identified. This concept is shown in figure.
➢ Fabrication is possible in absence of proper authentication mechanisms.

3
Integrity
➢ When the contents of a message are changed after the sender sends it, but before it
reaches the intended recipient, we say that the integrity of the message is lost. It is
shown in figure.
➢ For example, consider that user A sends message to user B. User C tampers with a
message originally sent by user A, which is actually meant for user B. User C
change its contents and send the changed message to user B. User B has no way of
knowing that the contents of the message changed after user A had sent it. User A
also does not know about this change. This type of attack is called modification.
➢ Modification causes of loss of message integrity.

Non repudiation
Requires that neither the sender nor the receiver of a message be able to deny the
transmission.
Access control:
Access control determines and controls who can access what. It regulates which user has access
to the resource, under what circumstances.
Availability:
➢ The principle of availability is that resources should be available to authorized
parties at all times.
➢ For example, due to the intentional actions of an unauthorized user C, an authorized
user A may not be able to contact a server B. This would defeat the principle of
availability. Such an attack is called interruption.
➢ Interruption causes loss of availability.

4
 TYPES OF SECURITY ATTACK:
There are two types of attacks.
1. Active attacks
2. Passive attacks

Active attacks
An active attack is an attempt to alter system resources or affect their operation.
I.e., these attacks involve in some modification to the original message in some manner or the
creation of a false stream.
These attacks can be classified in to four categories:

Masquerade:
One entity pretends to be a different entity.
It is generally done by using stolen IDs and passwords or through bypassing authentication
mechanism.

5
Replay:
This attack involves capturing a copy of the message sent by the original sender and
retransmitting it later to bring an unauthorized result.

Modification of messages:
➢ Some portion of message is altered or the messages are delayed or recorded, to produce
an unauthorized effect.
➢ For example, a message meaning "Allow John Smith to read confidential file accounts" is
modified to mean "Allow Fred Brown to read confidential file accounts."

Denial of service:

➢ A denial-of-service (DoS) is a form of cyberattack that prevents legitimate users from

accessing a computer or network.
➢ In a DoS attack, rapid and continuous online requests are sent to a target server in order
to overload the server’s bandwidth.
➢ Prevents the normal use or management of communication facilities.
➢ Another form of service denial is the disruption of an entire network, either by disabling
the network or overloading it with messages so as to degrade performance.

6
Passive Attacks:
➢ Passive attacks are those where the attacker indulges in eavesdropping or
monitoring of data transmission.
➢ Passive attacks do not involve any modifications to the contents of an original
message. There are two types of passive attacks.
1. Release of message contents and
2. Traffic analysis.
Release of message contents:
➢ The release of message contents is a type of attack that analyzes and read the
message delivered between senders to receiver.
➢ A telephone conversation, an electronic mail message, or a transferred file may
contain sensitive or confidential information.
➢ We would like to prevent an opponent from getting the contents of these transmissions.

Traffic analysis.
➢ The attacker simply listens to the network communication to perform traffic
analysis to determine the location of key nodes, the routing structure, and even
application behavior patterns.
➢ In this type of attack, an intruder observes the frequency and length of msg.
being exchanged between communicating nodes.
➢ Attacker can then use this information for guessing the nature of communication
that was taking place.

Passive attacks are very difficult to detect because they do not involve any alteration of the
data. Typically, the messages are sent and received in normal fashion. Neither the sender
nor receiver is aware that a third party has read the messages or observed the traffic

7
 pattern. However, message encryption is a simple solution to prevent passive attacks.
Thus, the emphasis in dealing with passive attacks is on prevention rather than detection.

Also known as the OSI reference model, it divides the technologies used in networks into seven parts, also
called layers. You may have heard people say something like, “That’s a Layer 3 problem.” They are referring
to the third layer in this model. The seven layers of the OSI reference model, starting from the lowest layer,
are:

1. Physical layer
2. Data Link layer
3. Network layer
4. Transport Layer
5. Session
6. Presentation Layer
7. Application

The TCP/IP model, like the OSI reference model, separates technologies into layers. However, the TCP/IP
model only uses 4 layers. Depending on the source, you may also find this model referred to as the TCP/IP
stack or the Internet protocol suite. The layers for the TCP/IP model are:

1. Connection
2. Internet
3. Transport
4. Application

The TCP/IP model was developed before the OSI Model, so by the time the OSI model was finished, the
TCP/IP model had already gained traction and acceptance from different organizations like the Department of
Defense and IBM.

The TCP/IP model became the standard for modern networks and is the model that we all use now on the
modern Internet. But the OSI model was used to influence the improvement of the TCP/IP model and is still
used for academic purposes and as a reference model.

The OSI model is so prevalent, that in the IT field when we refer to a layer with a number, like Layer 7, we are
referring to the OSI Model and not the TCP/IP model.

But both models, in general terms, are not that different. This is how they compare to each other.

8
The first two layers on the OSI model (Physical and Data Link) are equivalent to the Link Layer on the TCP/IP
Stack. The 3rd layer (Network Layer) is equivalent to the Internet Layer, the Transport layer stays the same,
and the last three layers (Session, Presentation and Application) are merged into one single layer called
Application.

Since this is a Networking Fundamentals course, we will be covering from layer 1 to 4, on the OSI model. As
the TCP/IP stack shows, the last 3 layers are considered the Application layer, so we will only briefly mention
those last 3 layers in this course, and will instead focus most of our time on the first 4.

9
10
 Firewall:
Firewalls can be used to protect a local system or network of systems (Internal
Network) from Out-side networks (Internet) from security threats.
➢ Special type of router.
➢ Frequently used to prevent unauthorized internet users from accessing private
networks connected to the internet, especially intranets.
➢ Controls transmission between internal and external networks. i.e. All
messages entering or leaving the intranet pass through the firewall, which
examines each message and blocks those that do not meet the specified
security criteria.
➢ It is essentially a barrier between two networks that evaluates all incoming or
outgoing traffic to determine whether or not it should be permitted to pass to
the other network. i.e. decides what to allow/disallow.
➢ Can be implemented in both hardware and software, or a combination of both.
➢ At broad level, there are two kind of attacks:
• Most corporations have large amounts of valuable and confidential
data in their networks. Leaking of this critical information to
competitors can be a great setback.
• Apart from the danger of the insider information leaking out, there is a
great danger of the outside elements (such as viruses and worms)
entering a corporate network to create disaster.

11
Firewall characteristics/ Design Goals of Firewalls:
A firewall is defined as collection of components placed between two networks that
collectively have Following characteristics:
All traffic from inside to outside, and vice versa, must pass through the firewall.

This is achieved by physically blocking all access to the local network except via the
firewall. Only authorized traffic, as defined by the local security policy, will be allowed to
pass.
Limitations of Firewalls:

The firewall itself must be strong enough, so as to render attacks on it useless.

o Firewalls cannot stop users from accessing malicious websites, making it vulnerable to
internal threats or attacks.
o Firewalls cannot protect against the transfer of virus-infected files or software.
o Firewalls cannot prevent misuse of passwords.
o Firewalls cannot protect if security rules are misconfigured.
o Firewalls cannot protect against non-technical security risks, such as social engineering.
o Firewalls cannot stop or prevent attackers with modems from dialing in to or out of the
internal network.
o Firewalls cannot secure the system which is already infected.

How Firewall Works

➢ Firewall match the network traffic against the rule set defined in its table. Once the
rule is matched, associate action is applied to the network traffic.

➢ For example, Rules are defined as any employee from HR department cannot access
the data from code server and at the same time another rule is defined like system
administrator can access the data from both HR and technical department.

➢ Rules can be defined on the firewall based on the necessity and security policies of
the organization.
From the perspective of a server, network traffic can be either outgoing or incoming.
Firewall maintains a distinct set of rules for both the cases. Mostly the outgoing
traffic, originated from the server itself, allowed to pass.
➢ Still, setting a rule on outgoing traffic is always better in order to achieve more
security and prevent unwanted communication.

➢ Incoming traffic is treated differently. Most traffic which reaches on the firewall is
one of these three major Transport Layer protocols- TCP, UDP or ICMP. All these

12
 types have a source address and destination address. Also, TCP and UDP have port
numbers. ICMP uses type code instead of port number which identifies purpose of that
packet.
Types of Firewall
Firewalls are generally of two types: Host-based and Network-based.
1. Host- based Firewalls : Host-based firewall is installed on each network node which
controls each incoming and outgoing packet. It is a software application or suite of applications,
comes as a part of the operating system. Host-based firewalls are needed because network
firewalls cannot provide protection inside a trusted network. Host firewall protects each host
from attacks and unauthorized access.
2. Network-based Firewalls: Network firewall function on network level. In other words, these
firewalls filter all incoming and outgoing traffic across the network. It protects the internal network
by filtering the traffic using rules defined on the firewall. A Network firewall might have two or
more network interface cards (NICs). A network-based firewall is usually a dedicated system with
proprietary software installed.

CRYPTOGRAPHY CONCEPTS

CRYPTOGRAPHY TECHNIQUES

From the beginning any era, human being has two natural needs:
To communicate and share information and
To communicate selectively.
These two needs gave rise to the art of coding the messages in such a way that only the intended
people could have access to the information. Unauthorized people could not extract any
information.
The word “cryptography‟ is the combination of two Greek words, “Krypto” meaning hidden or
secret and “graphene” meaning writing.

Cryptography: It is the art of achieving security by encoding messages to make them non-
readable format.
It is a method of protecting information and communications through the use of codes, so that
only those for whom the information is intended can read and process it.

Cryptanalysis:

➢ It is the technique of decoding messages from a non-readable format back to a

13
 readable format.
➢ It is done without knowing how they were initially converted from readable format to
non-readable format. Also called code breaking.

Cryptology: Cryptology is a combination of Cryptography and Cryptanalysis.

Plain Text: Clear text, or plain text, signifies a message that can be understood by the sender,
the recipient, and also by anyone else who gets access to that message.
Cipher text:-When a plain text message is codifies using any suitable scheme, the resulting
message is called as cipher text.
There are two types of techniques used to covert plain text to cipher text.
• Substitution Techniques
• Transposition Techniques

Substitution-cipher technique:
In the substitution-cipher technique, the each characters of a plain-text message are
replaced byother characters, numbers or symbols.

There are several techniques. They are:

➢ Caesar Cipher
➢ Modified version of Caesar Cipher
➢ Monoalphabetic Cipher
➢ Polyalphabetic Cipher
➢ Homophonic Substitution Cipher
➢ Polygram Substitution Cipher
➢ Playfair Cipher
➢ Hill Cipher
Caesar Cipher
➢ Proposed by Julius Caesar.
➢ Mechanism to make a plaintext message into ciphertext message.
➢ It replacing each letter of the alphabet with the letter standing 3 places
further down the alphabet.
➢ Example: Replace each A with D, B with E, etc.

ABCDEFGHIJKLMNOPQRSTUVYZ
DEFGHIJKLMNOPQRSTUVWXYZC
14
PT: KIIT
CT: NLLW

Modified version of Caesar Cipher

The Caesar cipher is very simple and very easy to break. To make it complicated the
modified version of Caesar cipher comes into play.
Let us assume that the cipher-text alphabets corresponding to the original plain-text alphabets
may not necessarily be three places down the order, but instead, can be any places down the
order.
As we know, the English language contains 26 alphabets. Thus, an alphabet A can be
replaced by any other alphabet in the English alphabet set, (i.e. B through Z). Of course, it
does not make sense to replace an alphabet by itself (i.e. replacing A with A).
Thus, for each alphabet, we have 25 possibilities of replacement. Hence, to break a message
in the modified version of Caesar cipher, our earlier algorithm would not work.

Mono-alphabetic Cipher
➢ A monoalphabetic cipher is a substitution cipher where a symbol in the plaintext
has a one-to-one relationship with a symbol in the ciphertext.
➢ It means that a symbol in the plaintext is always replaced with the same
symbol in theciphertext, irrespective of its position in the plaintext.
➢ It uses random substitution.
➢ This means that in a given plain-text message, each A can be replaced by any other
alphabet(B through Z), each B can also be replaced by any other random alphabet (A
or C through Z), and so on. The crucial difference being, there is no relation between
the replacement ofB and replacement of A. That is, if we have decided to replace each
A with D, we need notnecessarily replace each B with E—we can replace each B with
any other character!

Polyalphabetic Substitution Cipher

➢ Leon Battista invented the polyalphabetic substitution cipher in 1568.
➢ This cipher uses multiple one-character keys. Each of the keys encrypts one plain-
text character. The first key encrypts the first plain-text character; the second key
encrypts the second plain-text character, and so on.
➢ After all the keys are used, they are recycled. Thus, if we have 30 one-letter
keys, every 30th character in the plain text would be replaced with the same key.
Homophonic Substitution Cipher
➢ This substitution cipher is very similar to mono-alphabetic cipher.
➢ However, the difference between the two techniques is in homophonic
substitution cipher, one plain-text alphabet can map to more than one cipher-text
alphabet.
➢ For instance, A can be replaced by <D, H, P, R>; B can be replaced by <E, I, Q, S>
etc.
Polygram Substitution Cipher
➢ Polygram substitution cipher technique replaces one block of plain text with another
block of cipher text—it does not work on a character-by-character basis.
➢ For instance, HELLO could be replaced by YUQQW, but HELL could be replaced by a
totally different cipher text block TEUI,as shown in Fig.
15
 ➢ This is true in spite of the first four characters of the two blocks of text (HELL) being the
same. This shows that in the polygram substitution cipher, the replacement of plain text
happens block by block, rather than character by character.

Playfair Cipher:
➢ The Playfair cipher scheme was invented in 1854 by Charles Wheatstone but was named
after Lord Playfair who promoted the use of the cipher. In playfair cipher unlike
traditional cipher we encrypt a pair of alphabets(digraphs) instead of a single alphabet.
➢ It was used for tactical purposes by British forces in the Second Boer War and in World
War I and for the same purpose by the Australians during World War II. This was
because Playfair is reasonably fast to use and requires no special equipment.
The Playfair encryption scheme uses two main processes.
> Creation and population of matrix
> Encryption process
Step 1: Creation and Population of Matrix
• The Playfair cipher makes use of a 5
x 5 matrix (table), which is used to
store a keyword or phrase that
becomes the key for encryption and
decryption.
• The way this is entered into the 5 x 5
matrix is based on some simple rules:
1. Enter the keyword in the matrix row-wise: left-to-right, and then top-to-bottom.
2. Drop duplicate letters.
3. Fill the remaining spaces in the matrix with the rest of the English alphabets (A-Z)
that werenot a part of our keyword. While doing so, combine I and J in the same cell of
the table.
In other words, if I or J is a part of the keyword, disregard both I and J while filling the
remainingslots.

EXAMPLE OF ENCRYPTION AND DECRYPTION IN PLAYFAIR:

For example, suppose that our keyword=PLAYFAIR EXAMPLE
Then, the 5 x 5 matrix containing our keyword will look
as shownLet us say, our Plaintext= “MY NAME IS
ATUL”

Encryption process – it consists of following steps:

16
 1. Before initiating the encryption, break the plain text in
pair of 2letters.
For ex. if our message is MY NAME IS ATUL, it becomes MY NA ME IS AT UL.
2. If both the alphabets are same or 1 letter is remaining, add X after the first alphabet.
3. After the initial process, take the pairs for encryption.
4. If the alphabets of the pair appear in same row of the matrix, then substitute them
with their immediate right letter. If the alphabets of the plain text is itself the
rightmost, then wrap it up with the left letter of the row it happens.

5. If the alphabets of the pair appear in same column of the matrix, then substitute
them withtheir immediate below alphabets. If the letter of the plain text is itself
below, then wrap it up with the top letter of the column it happens.
6. If the alphabets of the pair are not in same row or column then define a rectangle
with theoriginal pair and substitute them with other corners of the rectangle.
Example

1) Message is: MY NAME IS ATUL It

becomes MY NA ME IS AT UL.

Hill Cipher
The Hill cipher works on multiple letters at the same time.

17
Lester Hill invented this in 1929. The Hill cipher uses the matrix theory of mathematics.

Working:
• Treat each letter with a number like A=0, B=1, C=2…… Z=25.
• Let us say, our original message is “TAJ”
• As per the rule, T=19 A=0 J=9

• Convert it into matrix form as:

Now multiply the plain text matrix with any number as keys. The multiplying matrix
should beof n x n where n is the number of rows of original matrix

Now compute mod 26 on resultant matrix i.e. take the remainder after dividing by 26.

Now translating numbers into alphabets, we get:

19=T 25= Z 21=V
Therefore our cipher text is TZV
To decrypt hill cipher, follow the steps:
1.) Take cipher text matrix and multiply it by inverse of original
key matrix2.) Again perform mod by 26.
Thus we get our original text.
Transposition techniques:
Transposition technique is an encryption method which is achieved by
performing permutation over the plain text.
Rail-Fence Technique
This technique is a type of Transposition technique which involves writing the plain text as a
sequence of diagonals and then reading row-by-row to produce cipher text.

It uses a simple algorithm,

1. Writing down the plaintext message into a sequence of diagonals.

2. Read the plain text in step-1 as a sequence of rows.

Example:

Plain Text: meet me Tomorrow

Now, we will write this plain text sequence wise in a diagonal form as you can see below:
18
Cipher Text: m e m t m r o e t e o o r w

Simple Columnar Transposition Technique:

A. Basic Technique
It is a slight variation to the Rail-fence technique, let’s see its algorithm:
1. In a rectangle of pre-defined size, write the plain-text message row by row.
2. Read the plain message in random order in a column-wise fashion. It can be any order
such as 2, 1, 3 etc.
3. Thus Cipher-text is obtained.

Let’s see an example:

Original message: "INCLUDEHELP IS AWESOME".
Now we apply the above algorithm and create the rectangle of 4 columns (we decide to make a
rectangle with four column it can be any number.)

Now let’s decide on an order for the column as 4, 1, 3 and 2 and now we will read the text in
column-wise.
Cipher-text: LHIEEIUESSCEPWMNDLAO
B. Columnar Technique with multiple rounds

In this method, we again change the chipper text we received from a Basic technique that is in
round 1 and again follows the same procedure for the cipher-text from round 1.
Algorithm:
1. In a rectangle of pre-defined size, write the plain-text message row by row.
2. Read the plain message in random order in a column-wise fashion. It can be any order
such as 2, 1, 3 etc.
3. Thus, Cipher-text of round 1 is obtained.
4. Repeat from step 1 to 3.
Example:
Original message: "INCLUDEHELP IS AWESOME".
Now we apply the above algorithm and create the rectangle of 4 column (we decide to make a
rectangle with four column it can be any number.)

19
Now let’s decide on an order for the column as 4, 1, 3 and 2 and now we will read the text in
column-wise.
Cipher-text of round 1: LHIEEIUESSCEPWMNDLAO
Round 2:

Now, we decide to go with a previous order that is 4,1,3,2.

Cipher-text: EEENLESPICUMHISW
These multi-round columnar techniques are harder to crack as compared to methods seen earlier.
Vernam Cipher (one time pad):
The Vernam Cipher has a specific subset one-time pad, which uses input ciphertext as a random
set of non-repeating character. The thing to notice here is that, once an input cipher text gets used
it will never be used again hence one-time pad and length of cipher-text is the size that of
message text.
Algorithm:
1. Plain text character will be represented by the numbers as A=0, B=1, C=2,... Z=25.
2. Add each corresponding number of a plain text message to the input cipher text alphabet
numbers.
3. If the sum is greater than or equal to 26, subtract 26 from it.
4. Translate each number back to corresponding letters and we got our cipher text.
Example: Our message is "INCLUDEHELP" and input cipher text is "ATQXRZWOBYV"

20
 One time pad should be discarded after every single use and this technique is proved
highly secure and suitable for small messages but illogical if used for long messages.

Encryption and Decryption:-

Encryption:-The process of encoding plain text messages into cipher text messages is
called as encryption.

Decryption:-The reverse process of transforming cipher text messages back to

plain text messages is called as decryption.

Symmetric and Asymmetric Key Cryptography:

Symmetric key Cryptography:-

Symmetric key cryptography (or symmetric encryption) is a type of encryption scheme in

which the same key is used both to encrypt and decrypt messages.

Asymmetric key Cryptography:-

Asymmetric encryption uses the public key for the encryption, and a private key is
used for decryption.

Or

Asymmetric cryptography, also known as public-key cryptography, is a process that uses

a pair of related keys -- one public key and one private key .

INTERNET SECURITY PROTOCOL

Basic concept

In computing, Internet Protocol Security (IPSec) is a secure network protocol suite that
authenticates and encrypts the packets of data to provide secure encrypted communication
between two computers over an Internet Protocol network. It is used in virtual private networks
(VPNs).

Static Web page

Static web pages are also known as flat or stationary web page. They are loaded on the client’s
browser as exactly they are stored on the web server. Such web pages contain only static
information. User can only read the information but can’t do any modification or interact with
the information.

Static web pages are created using only HTML. Static web pages are only used when the
information is no more required to be modified.

21
Dynamic Web page

Dynamic web page shows different information at different point of time. It is possible to
change a portion of a web page without loading the entire web page. It has been made possible
using Ajax technology.

Server-side dynamic web page

It is created by using server-side scripting. There are server-side scripting parameters that
determine how to assemble a new web page which also includes setting up of more client-side
processing.

Client-side dynamic web page

It is processed using client side scripting such as JavaScript. And then passed in to Document
Object Model (DOM).

A static web page (sometimes called a flat page or a stationary page) is a web page that is
delivered to the user's web browser exactly as stored,[1] in contrast to dynamic web pages which
are generated by a web application.

Consequently, a static web page displays the same information for all users, from all contexts,
subject to modern capabilities of a web server to negotiate content-type or language of the
document where such versions are available and the server is configured to do so.

Secure Socket Layer

➢ World’s most widely used security mechanism on the Internet.

➢ Secures communication between a client and a server.
22
 ➢ Located between the Application and Transport Layers of TCP/IP protocol suite.
SSL Architecture:

SSL is designed to make use of TCP to provide a reliable end-to-end secure service.
SSL is not a single protocol but rather two layers of protocols.
The SSL Record Protocol provides basic security services to various higher-layer protocols.
The HTTP which provides the transfer service for Web client/server interaction, can operate on
top of SSL.

SSL consists of three higher-layer protocols:

➢ Handshake Protocol
➢ the Change CipherSpec Protocol
➢ Alert Protocol.
SSL consists of one lower-layer protocols:
SSL Record Protocol
SSL Record Protocol Operation:
The SSL Record Protocol provides two services for SSL connection:
Confidentiality: The original data and the MAC are encrypted using secret key cryptography to
provide confidentiality.
Message Integrity: The Hash function is applied on compressed data to compute a MAC. This
provides integrity.
Fragmentation: each upper layer message is fragmented into block of 214 bytes (16384bytes) or
less.
Compression: must be lossless and may not increase the content length by more than 1024 bytes.
Message Authentication Code: it is compute a code over the compressed data. For this purpose a
shared secret key is used.
Next, the compressed message plus the MAC are encrypted using symmetric encryption.
Handshake Protocol:
This protocol allows the server and client to authenticate each other.
Used to negotiate an encryption and MAC algorithm and cryptographic keys to be used to
encrypt data in an SSL record.
In this protocol several msg. are exchanged between client and server.
All of these messages have a fixed format with three fields.

23
Change CipherSpec protocol:
The cryptographic secret (encrypted data) is generated, once the handshake protocol is over.
It is used to signal that cryptographic secret is ready to use.
This protocol consists of a single message, which consists of a single byte with the value 1.
The sole purpose of this message is to cause the pending state to be copied to into the current
state.
Alert Protocol:
The alert protocol is Used to signal errors or any abnormal condition.
Each message in this protocol consists of two bytes.
The first byte takes the value warning(1) or fatal(2) to convey the severity of the Message.
In case of fatal error, the connection is immediately terminated.
SECURE HYPER TEXT TRANSFER PROTOCOL (SHTTP)
➢ The Secure Hyper Text Transfer Protocol (SHTTP) is a set of security mechanisms
defined for protecting the Internet traffic.
➢ This includes the data-entry forms and Internet-based transactions.
➢ The services offered by SHTTP are quite similar to those of SSL. However, SSL has
become highly successful—SHTTP has not.

➢ SHTTP works at the application layer, and so it is tightly coupled with HTTP, unlike
SSL.
➢ SHTTP supports both authentication and encryption of HTTP traffic between the client
and the server.
➢ The key difference between SSL and SHTTP is that SHTTP works at the level of
individual messages.
➢ It can encrypt and sign individual messages. On the other hand, SSL does not
differentiate between different messages.
➢ It aims at making the connection between a client and the server, regardless of the
messages that they are exchanging.
➢ Not as popular as SSL
➢ Almost obsolete.

SET (Secure Electronic Transaction):

➢ SET is an open encryption and security specification designed to protect
credit cardtransactions on the internet.
➢ It is developed by VISA and MasterCard for securing credit card
transactions overinsecure networks, specifically, the internet.
➢ SET was not itself a payment system. It provides a set of security protocols and
formatsthat enable users to do credit card payment on an open network in secure
fashion.
➢ Merchant does not get to know the credit card details of the cardholder.
➢ It requires software set up on both client and server.
SET specification:

➢ Uses public key cryptography and digital certificates for validating both
consumers andmerchants.
➢ It provides the four security requirements – confidentiality, data integrity, user
24
 andmerchant authentication, and consumer non-repudiation.
Architecture OR participants of SET:
The SET protocol coordinates the activities of:
1. Card Holder (Consumer) – he is the buyer who is the registered holder of the credit card.
2. Card Issuer(Consumer’s Bank) – bank that issues the credit card to card holder.
3. Merchant – refers to the seller who is connected to an acquirer.
4. Acquirer (Merchant’s Bank) – bank that serves as an agent to link a merchant to
multipleissuers(customer’s banks).
5. Payment Gateway – this is connected to acquirer. It is situated between the SET
systemand the financial network of the credit card system for processing
the credit card payment.
6. Certification Authority (CA) – Issues digital signatures to concerned parties.

Working/ Process of SET

Before using SET, both the cardholder and the merchant must register with the CA.
After theregistration process, the working of SET involves many steps, which are as
follows:

l. The customer browses the merchant's website to evaluate the products offered by the
merchant. He or she then selects the products to be purchased and adds them to the
shopping cart.
2. The customer then uses a single message to communicate with the merchant and
payment gateway. The message has two parts, namely, purchase order, which is used by
the merchant, and card information, which is used by the merchant's bank (acquirer).
3. The card information is then forwarded to the acquirer authorization.
5. If the purchase is authorized, the issuer sends the authorization to the acquirer.
6. A copy of the authorization is also forwarded to the merchant.
7. The merchant completes the order and informs the customer about it.
8. Merchant captures the transaction from its bank.
9. Finally, the credit card invoice is printed by the issuer and provided to the customer.

Time Stamping Protocol (TSP)

➢ It is a Digital version of a notary service.
25
 ➢ It proves that a document existed at a specific date and time.
➢ Time Stamping Authority (TSA) is used.

USER AUTHENTICATION

Authentication Basics:

Authentication

26
 ➢ Proof of identity or we can say that “who is Who”.
➢ It is the process of giving someone identity so that he or she can access that particular
application or data.
➢ For e.g.: giving identity-card to a student of an institute.
➢ Authentication is the first step in any cryptographic solution
o –Because unless we know who is communicating, there is no point in
encryption what is being communicated.
➢ Authentication is any process by which a system verifies the identity of a user who
wishes to access it.
➢ Establish trust before communication takes place.
Passwords:
➢ A password is a string of alphabets, numbers and special characters, which is supposed
to be known only to the entity (usually person) that is being authenticated.
➢ Password Based Authentication
o –Clear Text Passwords is the Simplest Password based Authentication
Mechanism.
➢ How it works?
o –Prompt for user ID and Password
o –User enters user ID and Password
o –User ID and Password Validation i.e user-id and password are validated.
o –Authentication Result: Inform user accordingly.
Password Based Authentication:

Problems with Clear Text/plain-text Passwords:

i) Database contains Passwords in clear text
• It is advised that password should not be stored in clear text in databases.
• The passwords should be stored in encrypted form in database.
ii)Password travel in clear text/ plain-text from user’s computer to the server
• If the attacker breaks into the communication link, he can easily obtain the
clear text password.
Message Digests of the Passwords

27
• Adding Randomness
To improve the security and to detect a replay attack we need to add a bit of randomness to the
earlier schemes.
Steps
1. Storing Message Digests as derived passwords in the user database.
2. User sends a login request
3. Server creates a random Challenge
4. User Signs the Random Challenge with the Message Digest of the Password
5. Server Verifies the Encrypted Random Challenge from the user
Server returns an appropriate message back to the user

28
Authentication Tokens:
• It is an extremely useful alternative to a password
•These small devices are usually of the size of a small key chain.
•Usually an authentication Token has the following features
–Processor
–LCD for displaying outputs
–Battery
–Optionally a small keypad for entering information
–Optionally a real-time clock

Each Authentication Token is pre-programmed with a unique number called as a random

seed or justseed.
Step Involved in Authentication Token:

1. Creation of a Token
–Created by the Authentication servers that are designed to use with authentication tokens.
–A unique value i.e. a seed is automatically placed or pre-programmed inside each token by
the server.
–Server also keeps a copy of the seed against the user ID in the user database.
–Seed can be conceptually considered as a user password.
–Difference is that the user password is known to the user, seed value remains unknown to the
user.
2. Use of the Token
–An Authentication Token automatically generates pseudorandom numbers called one- time
passwords.
–One-time passwords are generated randomly by authentication tokens using seed value.
–When a user wants to be authenticated by any server, the user will get a screen to enter user ID
and the latest one-time password.
–The users enter its ID and gets is latest one-time password from the authentication token.
–The user ID and password travels to the server as a part of the login request
–Server verifies using some mechanism that this one-time password is created using the valid
seed value.
3: Server Returns an Appropriate Message back to the User
Finally, the server sends an appropriate message back to the user, depending on whether the
previous operations yielded success or failure.

29
Authentication Token Types:
1. Challenge/Response Tokens
2. Time-based Tokens

1. Challenge/Response Tokens:
Step 1: User Sends a Login Request.
In this technique, the user sends the login request only with his/her user id (and
not the one-time password).
Step 2: Server Creates a Random Challenge
If the user id is valid, the server now creates a random challenge (a random number,
generated using a pseudo-random number generation technique), and sends it back to
the user.
Step 3: User Signs the Random Challenge with the Message Digest of the Password
This request is then sent to the server as the login request.
Step 4: Server Verifies the Encrypted Random Challenge Received from the User
The server receives the random challenge, which was encrypted with the seed by the
user’s authentication token. In order to verify that the random challenge, the server must
perform an identical operation.
Step 5: Server Returns an Appropriate Message Back to the User
Finally, the server sends an appropriate message back to the user, depending on whether
the operation is success or failure.
2. Time-based Tokens:
Step 1: Password Generation and Login Request:
The seed value and the system time of token, together perform cryptographic algorithm
to generate a password automatically.
Step 2: Server-side Verification:
The server receives the password. It also performs an independent cryptographic
function on the user’s seed value and the current system time to generate its version of
the password. If the two values match, it considers the user as a valid one.
Step 3: Server Returns an Appropriate Message Back to the User:
Finally, the server sends an appropriate message back to the user, depending on
whether the operation is success or failure.

Certificate Based Authentication:

This is based on the Digital Certificates of the user.
• In PKI, the digital certificates are used for secure digital transactions.
•This can be re-used for user authentication as well.
•This is a stronger mechanism as compared to password based authentication
How does Certificate Based Authentication works?
1. Creation, Storage and Distribution of Digital Certificates.
–Certificates are created by CA ( Certificate Authority), sent to user as well as a copy to the
server.

30
 2. Login Request
–User sends its ID only.
3. Server Creates a Random Challenge
–User ID validity is checked.
–Sends random challenge in plain text to user.
4. User Signs the Random Challenge
–User signs the random challenge received from Server by using its Private Key
–User’s private key is stored in a file in user computer
–To access its private key file, user has to give a correct password
–User sends the signed random challenge to the server
5. Server returns an appropriate message back to the user

Smart Cards:
➢ A smart card is a security token that has an embedded chip.
➢ Smart cards are typically the same size as a driver's license and can be made out
of metal or plastic.
➢ They connect to a reader either by direct physical contact (also known as chip
and dip) or through a short-range wireless connectivity standard such as Near Field
Communication (NFC).
➢ It is Portable.
➢ Used to perform cryptographic mechanisms
Use of Smart Cards:
➢ The use of Smart Cards is related to Certificate Based Authentication
➢ This is because the smart cards allows the generation of public-private key pairs within
the card
➢ They also support the storage of digital certificates within the card.
➢ The private key always remain in the smart card in a secure fashion
➢ The public key and the certificate is exposed outside
➢ Also the smart cards are capable of performing cryptographic functions such as
encryption, decryption, message digest creation and signing within the card
➢ Thus during the certificate based authentication, the signing of random challenge sent
by the server can be performed inside the card

31
 Problems and issues in Smart Cards:
➢ Lack of standardization and inter-operability between smart cards vendors
➢ Smart card reader are not yet a part of a desktop computer like hard disk drive or floppy
drives
➢ Non-availability of smart card reader driver software
➢ Non-availability of smart card aware cryptographic service software
➢ cost of smart cards and card reader is high.
Biometric Authentication:

Definition:
Biometrics refers to the automatic identification of a person based on his or her
physiological or behavioral characteristics.
➢
A biometric device works on the basis of some human characteristics, such as finger
prints, voice or the pattern of lines in the iris of your eye
➢ The user database contains a sample of user’s biometric characteristics
➢ During the authentication, the user is required to provide another sample of the
users’ biometric characteristic.
➢ This is matched with the one in the database, and if the two samples are same, the user is
considered to be a valid one.
➢ The samples produced during every authentication process can vary slightly. (e.g. cuts on
the finger)
➢ An approximate match can be acceptable.
Any Biometric Authentication System defines two configurable parameters:
False Accept Ratio (FAR):
• It is a measurement of the chance that a user who should be rejected is actually
accepted by a system as good enough.
–False Reject Ratio (FRR):
• It is a measurement of the chance that a user who should be accepted as valid
is actually rejected by a system as not good enough
•Thus FAR and FRR are exactly opposite to each other.
Biometric characteristics:
1) Physiological
2) Behavioral

Physical biometrics:
➢ Fingerprint
➢ Facial recognition/face location
➢ Hand geometry
➢ Iris scan
➢ Retina scan
Fingerprint recognition
➢ A live acquisition of a person’s fingerprint.
➢ Dots (very small ridges),
➢ Space between two temporarily divergent ridges),
➢ Spurs (a notch protruding from a ridge),

32
 ➢ Bridges (small ridges joining two longer adjacent ridges), crossovers (two ridges that
cross each other).

Facial Recognition
1. Capture image
2. Find face in image
3. Extract features (store template)
4. Compare templates
5. Declare matches
Hand Geometry
Hand or finger geometry is an automated measurement of many dimensions of the hand and
fingers.
Iris recognition
Iris scanning measures the iris pattern in the colored part of the eye.
Retina recognition
Images back of the eye and compares blood vessels with existing data.
Behavioral biometrics
➢ Speaker/ voice recognition.
➢ Signature/ handwriting.
➢ Keystroke/ patterning.
Speaker / Voice Recognition
➢ Voice or speaker recognition uses vocal characteristics to identify individuals
using a pass-phrase.
➢ A telephone or microphone can serve as a sensor.
Signature Verification
➢ An automated method of measuring an individual’s signature.
➢ This technology examines speed, direction, and pressure of writing; the time that the
stylus is in and out of contact with the “paper’’.
Keystroke dynamics
➢ It is an automated method of examining an individual’s keystrokes on a keyboard.
➢ This technology examines such dynamics as speed and pressure, the total time
taken to type particular words, and the time elapsed between hitting certain keys.

APPLICATIONS:
➢ Prevent unauthorized access to ATMs, Cellular phones Desktop PCs.
➢ Criminal identification.
➢ In automobiles biometrics can replace keys with keyless entry devices.
➢ Airport security.

33
 NETWORK SECURITY AND VPN

TCP/IP Protocol Suite:

•The TCP/IP protocol suite was developed prior to the OSI model. Therefore,
the layers in the TCP/IP protocol suite do not exactly match those in the OSI
model.
• TCP/IP protocol suite is made of five layers: Application Layer,
Transport Layer,Internet Layer, Network Access Layer
• TCP/IP is a hierarchical protocol made up of interactive modules, each of
which provides a specific functionality; however, the modules are not
necessarily interdependent.
• At the transport layer, TCP/IP defines three protocols: Transmission
Control Protocol (TCP), User Datagram Protocol (UDP), and Stream
Control Transmission Protocol (SCTP).
• At the Internet layer, the main protocol defined by TCP/IP is the Internet
Protocol (IP);there are also some other protocols that support data movement
in this layer.
TCP/IP Layers:

TCP segment format:

A packet in TCP is called a segment. The segment consists of a header of 20 to 60

34
bytes, followed by data from the application program. The header is 20 bytes if there
are no options and up to 60 bytes if it contains options.
Source port address:
This is a 16-bit field that defines the port number of the application program in the
host that is sending the segment. This serves the same purpose as the source port
address in the UDP.

Destination port address:

This is a 16-bit field that defines the port number of the application program in the
host that is receiving the segment. This serves the same purpose as the destination
port address in the UDP.

Sequence number:
This 32-bit field defines the number assigned to the first byte of data contained in this
segment. As TCP is a stream transport protocol. To ensure connectivity, each byte to
be transmitted is numbered. The sequence number tells the destination which byte in
this sequence is the first byte in the segment. During connection establishment each
party uses a random number generator to create an initial sequence number (ISN),
which is usually different in each direction.
Acknowledgment number:
This 32-bit field defines the byte number that the receiver of the segment is expecting
to receive from the other party. If the receiver of the segment has successfully
received byte number x from the other party, it Returns x+1 as the acknowledgment
number.
Header length:
This 4-bit field indicates the number of 4-byte words in the TCP header. The length
of the header can be between 20 and 60 bytes. Therefore, the value of this field is
always between 5 (5 *4=20) and 15 (15*4=60).
Reserved: This is a 6-bit field reserved for future use.
Control:
This field defines 6 different control bits or flags . One or more of these bits can be
set at a time. These bits enable flow control, connection establishment and
termination, connection abortion, and the mode of Flags from left to right:
Window size:
This field defines the window size of the sending TCP in bytes. Note that the length
of this field is 16 bits, which means that the maximum size of the window is 65,535
bytes.
Checksum:
The 16-bit checksum field is used for error-checking of the header and data.
Urgent pointer:

if the URG flag is set, then this 16-bit field is an offset from the sequence number

35
 indicating the last urgent data byte.

IP DATAGRAM FORMAT:
• Packets in the network (internet) layer are called datagram.
• A datagram is a variable-length packet consisting of two parts: header and data.
• The header is 20 to 60 bytes in length and contains information essential
to routing and delivery.
IP header format:

Version (VER):
This 4-bit field defines the version of the IP protocol. Currently the version is 4(IPv4).

36
Header length (HLEN):
This 4-bit field defines the total length of the datagram header in 4-byte words. This
field is needed because the length of the header is variable (between 20 and 60 bytes).
When there are no options, the header length is 20 bytes, When the option field is at
its maximum size(i.e. 60)
Service type (TOS):
It defines how the datagram should be handled. Part of the field was used to define
the precedence of the datagram; the rest defined the type of service (low delay, high
throughput, and so on).
Total length:
It defines the total length of the datagram including the header in bytes. It is a 16-bit
number so maximum IP size is 216 bytes.
Identification:
This 16-bit field identifies a datagram originating from the source host. The
combination of the identification and source IP address must uniquely define a datagram as
it leaves the source host.

Flags:
This is a three-bit field. The first bit is reserved (not used). The second bit is called
the do not fragment bit. If its value is 1, the machine must not fragment the datagram.
If its value is 0, the datagram can be fragmented if necessary. The third bit is called
the more fragment bit. If its value is 1, it means the datagram is not the last fragment;
there are more fragments after this one. If its value is 0, it means this is the last or
only fragment.
Fragmentation offset:
This 13-bit field shows the relative position of this fragment with respect to the whole
datagram.
Time to live:
A datagram has a limited lifetime in its travel through an internet. This field was
originally designed to hold a timestamp, which was decremented by each visited
router. The datagram was discarded when the value became zero.
Protocol:
This 8-bit field defines the higher-level protocol that uses the services of the
IP layer. An IP datagram can encapsulate data from several higher level protocols
such as TCP, UDP, ICMP, and IGMP. This field specifies the final destination
protocol to which the IP datagram should be delivered.

37
 Header Checksum:
This fields represents a value that is calculated using an algorithm covering all the
fields in header. This field is used to check the integrity of an IP datagram.
Source address:
This 32-bit field defines the IP address of the source. This field must remain
unchanged during the time the IP datagram travels from the source host to the
destination host.
Destination address:
This 32-bit field defines the IP address of the destination. This field must remain
unchanged during the time the IP datagram travels from the source host to the
destination host.
Virtual Private Network (VPN):
➢ A VPN is thus a mechanism to simulate a private network over a public
network, such as the Internet.
➢ The term virtual signifies that it depends on the use of virtual connections.
➢ These connections are temporary and do not have any Physica1 presence.
They are made up of packets.
➢ Uses the Internet as if it is a private network.
➢ Far less expensive than a leased line.
➢ Uses IPSec protocol.

VPN Architecture:

38
We have shown two networks, Network I and Network 2. Network l connects to the
Internet via a firewall named Firewall I. Similarly, Network 2 connects to the Internet with
its own firewall 2.

The two firewalls are virtually connected to each other via the Internet. We have shown
this with the help of a VPN tunnel between the two firewalls.

Let us understand how the VPN protects the traffic passing between any two hosts on the
two different networks. For this, let us assume that host X on Network 1 wants to send a
data packet to host Y on Network 2. This transmission would work as follows.

1. Host X creates the packet, inserts its own IP address as the source address and the IP
address of host Y as the destination address. This is shown in figure. It sends the packet
using the appropriate mechanism.

2. The packet reaches firewall 1. As we know, firewall 1 now adds new headers to the
packet. In these new headers, it changes the source IP address or the packet from that of
host X to its own address (i.e. the IP address of Firewall 1, say F1). It also changes the
destination IP address of the packet from that of host Y to the IP address of Firewall 2. say
F2). This is shown in Fig. It also performs the packet encryption and authentication,
depending on the settings and sends the modified packet over the Internet.

39
40
3. The packet reaches firewall1 2 over the internet, via one more routers, as usual, Firewall
2 discards the outer header and performs the outer header and performs appropriates
decryption and other cryptographic functions as necessary. This yields the original packets,
as was created by host X in step 1. This is shown in fig. It then takes a look the plain text
contents of the packets and realizes that the packet is meant for host Y. Therefore, it
delivers the packet to host Y.

IP Security (IPSec) Protocols:

➢ Before IPSec was initiated, the IP packets were prone to security failure.
➢ The technology that brings secure communications to the internet protocol
layer or network layer is called IP Security, commonly abbreviated IPSec.
➢ IPSec is a set of services and protocols that provide a complete security
solution for an IP network.
➢ It is a collection of protocols designed by the Internet Engineering Task
Force (IETF) to provide security in the internet layer.
➢ It can be used in protecting data flows between a pair of host(host-to-host),
between a pair of security gateways(network-to-network), or between a
security and a host(network-to-host).

Applications of IP security: (Important)

➢ IPSec provides the capability to secure communications across a LAN, across

private and public WANs, and across the Internet. Examples of its use
include:
Secure remote access over the Internet:
➢ An end user whose system is equipped with IP security protocols can make a
local call to an Internet Service Provider (ISP) and gain secure access to a
company network. This reduces travelling cost and time wastage of
41
employees and telecommuters.

42
 Secure branch office connectivity over the Internet:
➢ A company can build a secure virtual private network over the Internet or
over a public WAN. This enables connecting all the branches of company.
That will save the costs of creating a private network and network
management overhead.
Establishing extranet and intranet connectivity with partners:
➢ IPSec can be used to secure communication with other organizations,
ensuring authentication and confidentiality and providing a key exchange
mechanism.
Enhancing electronic commerce security:
➢ Even though some Web and electronic commerce applications have built-in
security protocols, the use of IPSec enhances that security.

Benefits of IP security: (Important)

➢ IPSec can be transparent to end users.

• There is no need to train users on security mechanisms.
• No need to issue or cancel keys to and from the users.
➢ When IPSec is implemented in a firewall or router, it provides strong
security that can be applied to all traffic crossing the perimeter.
• Traffic within a company or workgroup does not have to use IPSec,
thus it minimize the overhead of security-related processing.
➢ IPSec in a firewall is resistant to bypass if all traffic from the outside must
use IP and the firewall is the only means of entrance from the Internet into the
organization.
➢ Since IPSec is implemented at network layer, there is no need to make any
changes at the upper layers such as transport layer (TCP, UDP) and
application layer.
➢ IPSec can provide security for individual users if needed. Individuals can
set up a secure virtual sub-network within an organization for sensitive
applications.

43
 IP security services: (Important)

➢ IPSec provides security services at the IP layer.

➢ Two protocols are used to provide security:
▪ An authentication protocol designated by the
header of the protocol, AuthenticationHeader
(AH).
▪ And a combined encryption/ authentication
protocol designated by the format of the
packet for that protocol, Encapsulating
Security Payload (ESP).

➢ Lists the following services:

1. Access control
2. Connectionless integrity
3. Data origin authentication
4. Rejection of replayed packets (a form of partial sequence integrity)
5. Confidentiality (encryption)

Constructing network security monitoring systems

1.1 The purposes of network security monitoring systems

The basic reasons or objectives of particular network security monitoring

system may include a wide variety of different purposes for an
organization. Some or- ganizations might just need to follow up that their
current security enforcement systems are fully operational. Much on the
contrary, other organizations might even collect special background
information for the purposes of planned risk analyses in the future.
The purposes of network security monitoring systems may include, for
example:
• Network security & continuity level or status monitoring
• Security attack detection & defence
• Security enforcement system follow up
• Security related event monitoring
• Attack or problem alarming
• Security vulnerability identification
• Security vulnerability or risk mitigation
• 44
Risk analysis information gathering
 • Gathering experience for protection development
• Follow up of configuration conformance.
When considering the procurement process for network security
monitoring systems or elements, the organization should consider
defining the feasibility criteria for vendors and service providers. Such
criteria could include wide variety of special topics, such as (not a
complete list):

• System security requirements, product security certifications

• System performance requirements, scalability issues
• Costs of purchases, licenses & continuous operation
• Operation and maintenance support & services,
upgrading & updating
• Extension capabilities & services, future proof system architecture
• Deployment & commissioning issues, recovery from failures
• Security of communication and database services & techniques.

1.2 Basic principles

The construction of a network security monitoring system shall vary a lot

de- pending on the operational or organizational case. For example, in
some cases the security monitoring may be focused more on tracking of
system logs but not so much on the network data traffic analysis.
Naturally, this will affect strongly to the needed investments for
monitoring equipment & software. Also, the reults of security risk
analysis, operational needs & limitations will affect strongly to the
construction and technical properties needed to fulfil the security moni-
toring need for a particular case. To summarize, the main reasons for the
large variability of technical requirements include:
• Different security needs and capabilities in
organizations & operations
• Different assets and valuables to protect
• Different threat environments against the networked systems.

Design principles of network security monitoring

Someone may claim that securing a network doesn’t require much more
than someone to manage the firewall rules and access control lists, and to
45
maintain and update such rules whenever needed. They might continue
perhaps by claiming that the network security monitoring is a rather
simple task. However, we don’t agree with such claims for any operating
networks with some reasonable business value, mostly because those few
simple security solutions are only providing network protection in one or
two different layers of security. For ex- ample, the lack of layered
protection often leaves plenty of unguarded room for
e.g. an insider to prepare & operate some malicious tasks.

In order to successfully design a network security monitoring system

for a specific purpose, we need to write down and take into use some
basic principles and tasks that shall guide us through the process. A
typical process constitute of feasibility analysis, design, procurement,
implementation, configuration, deployment, operation & maintenance
(O&M) and even disposal of such a monitoring system. Note that the
party who should carry out each task below might be the operator of the
network, but depending on the case, often the relevant ICT support
personnel, representative of vendor, system integrator, developer, etc.,
should be invited to participate in such a process as well. The basic
principles or tasks to apply in each step for successfully designing a
feasible network security monitoring system shall include:

Feasibility analysis

The feasibility of a network security monitoring system is mainly

dependent on the value of operation & assets, which shall require security
guarding in some level. The requirements for continuous operation & the
value of related assets must be balanced with the security assurance
efforts & investments. However, the budget is not the only limiting factor
here, also the legal and regulatory requirements and restrictions must be
resolved for the country or region where the security monitoring system is
to be planned for.
Of course, the technical & operational risk landscape must be
investigated for the planned networked system, its operation & personnel.
This threat & risk analysis should be carried out by a wide interest group
that allocates team mem- bers e.g. from the company’s management,
production, operator, security, ad- min, IT, acquisition, and also possibly
appropriate vendors & service providers.
The essential issues in the feasibility analysis & design phases are the
46 assurance in all layers of the
motiva- tion for (proactive) security
organization, and the adequate competence & security training programs
for personnel and at partners and subcontractors. The motivation starts
from the management’s commitment to systematic security improvement.
The feasibility analysis work for a network security monitoring system
should also include the tasks listed in following table:

47
 Table 2. Feasibility analysis for network security monitoring system.

Area Principles/Tasks
Feasibility First, clarify and list the main assets, goals
analysis and critical operational criteria of the
networked system & data to be protected
using monitoring and other controls.
Ensure the sufficient intake and
implementation of critical requirements, e.g.
protection against new risks & threats, during
the whole lifecycle of the system. Invite
participants from all relevant areas for the risk
& requirement analysis work.
Define the major things that need to be
monitored in the network. Divide these into
the baseline attributes that are continuously
monitored, filtered and prioritized, but also to
detailed logs that shall constitute the basis for
forensic analysis (e.g. of information leaks).
Identify the best products & references of
security monitoring and analyse how these
match to your goals for monitoring.
Analyse the feasibility of candidate
monitoring platforms according to your
critical operational criteria.
Decide whether the required security
monitoring in- vestments & operating costs
are in balance with the benefits of operation
continuity and the value of business assets.

Design

If the previous feasibility analysis proved that the networked system

should be complemented with a security monitoring system, how such a
monitoring should be designed? The most important point is, of course,
that the designed system shall be reliable and practical enough for
effective network security monitoring within the organization. Because
the networked environment is often 48 rather complex and difficult to
maintain, other important design requirements include the simplicity of
operation & maintenance and standard extensibility/upgrading
capabilities, which enable for future-proof security monitoring
functionality.
The architectural design of the monitoring system is a key factor for its
continued success. The standard communication architecture, including
the specification for protocol stacks and data presentation formats, shall
ensure the scalability of the solution also in the cases of competitor
acquisition, etc. For example, web-based architectures and messaging
applications independent from underlying communication technology are
probably very feasible solutions also for

49
large scale security monitoring data exchanges. Data storage, on the other
hand, should be designed with enough redundancy, backup, and recovery
capabilities in mind. Single points of failure are to be avoided, even in
centralized solutions.
Last but not least, it is very essential how the selected mature
monitoring technology (hardware and software) platforms & standards
shall be applied into practise. E.g. what security properties are utilized?
What kind of authentication and authorization systems shall be taken into
use for secure access and maintenance? What security protocols shall be
used? Using which algorithms & key lengths? Standard, publicly assessed
standards should be selected and certified vendors selected.
In addition, during the design phases of your network security
monitoring sys- tem, you should consider to carry out the following tasks:

Table 3. Design of network security monitoring system.

Area Principles/Tasks
Design Ensure the scalability of your security
monitoring system & operation using open
standards and scalable architectures that have
proven cost efficiency
Divide the analysis tasks of monitoring results
based on your strengths and topology, e.g. using
local internal analysis and suitable external
services for your particular security monitoring
goals
Ensure the secure design of the monitoring
system elements by using & mandating defined
security assurance methods, tools & processes
for the monitoring platforms and products
Ensure the correct focus for the security
monitoring functionality by carrying out
repetitive reviews with users and process
owners

50
Procurement

The networked systems constitute of various devices, hardware,

middleware, system software, management software, application software
and perhaps involve usage of outsourced services, as well. Therefore, it is
crucial to consider the security requirements before committing to large
scale network infrastructure investments. Organizations should define
“baseline” security requirements and capabilities that any purchased item
should fulfil, while feasible. The security requirements concerning
procurement include such areas as logging functionality, log format & -
capacity, secure SW updating & maintenance, strong device & user
authentication, security protocol support, vulnerability follow up and per-
haps 24/7 support for continuous operation. The mutual contracting about
the key service elements is important in ensuring the security and
continuity of de- livered network products & services.
Especially, the critical area of subcontractor management has turned out
rather problematic in many organizations. There is a clear need to
synchronize the operation and maintenance policies and procedures
according to user organizaion’s requirements. However, often the secure
management requirements and practices are not adequately defined and
mandated for partners by the user organizations. Also, the penalty driven
contracting using e.g. service level agreements (SLA) which include
security, continuity & recovery requirements attain today too little
emphasis. There is a real lack of security emphasis in many of the
contracting cases for provisioning of network services or Infrastructure as
a ser- vice (IaaS) contracts.
When considering company’s procurement process from the viewpoint
of network security monitoring, one should consider involving the
following tasks:

Table 4. Procurement for network security monitoring.

Area Principles/Tasks
Procurement Define the baseline requirements for the
security monitoring functionality that shall be
used in purchasing network equipment,
systems and software. Follow the standards
and your targeted needs for the requirement
baseline creation
51
Estimate your future monitoring needs and
question & explore the candidate vendor
system’s extension possibilities
Question with each of your network product
vendor about the security monitoring
capabilities in their cur- rent & future
networking products
Ensure that also the status of load or load
balancing of any procured critical network
service can be monitored when needed. Load
monitoring capability should exist in network
devices as well
Avoid any proprietary solutions and
protocols when implementing security
monitoring. Avoid vendor dependence
whenever possible

52
Implementation

Usually, implementation is the problem phase in the development process,

where most of the mistakes and errors to the system shall be made.
Therefore, lots of quality assurance and security assurance effort should
be spent to ensure that the implementation errors, flaws and
vulnerabilities shall be detected and removed before the coming
deployment phases. In practice, the checklists used for documentation &
source code reviews should include security specific ques- tions and the
programmers should be trained to apply secure coding rules in all of their
implementation efforts. Standard or tailored source code analysis soft-
ware should be run before module testing. Also, the security related
testing (e.g. fuzz testing) should be run during the system testing phase.
Another important way to ensure the security and quality of the
purchased network software modules and devices is to require security
certified products.
E.g. Common Criteria (CC) certified products may exist within your
functional interest area of products, and those can often be used as good
reference products, or at least a starting point for further exploration of
vendors that can support your special requirements.
The implementation related tasks to be applied for network security
monitoring products & functionality should include:

Table 5. Implementation of network security monitoring

functionality.

Area Principles/Tasks
Implementation Ensure that security monitoring
functionality shall not interfere with the
basic objective of the networked system,
even under exceptional circumstances
Separate the network management,
monitoring & control equipment from your
other networked systems
Implement also the management of your
network security controls in a way which
enables you53to minimize the damage done
soon after identifying a probem in some
network location via monitoring

Review and test repetitively the quality and

security of your monitoring system
implementation
In addition to protecting the secrecy of your
secret security keying material and
credentials (exchangeable), protect the
implementation details of your security
monitoring system from potential attackers

54
Configuration

Today, it is admitted that the installed security systems & solutions may
also bring vulnerabilities or continuation risks to the target system that
was supposed to be protected. The understanding of these risks is
extremely important for systems which have high availability and
dependability requirements. Therefore, good service and configuration
management practices must also be employed to security (monitoring)
systems. Specifically, the security system’s maintenance must be well
coordinated with the critical services of company’s business operations,
for the purpose of producing continuously value for the stakeholders. Of
course, the main task for security maintenance is to maintain the risk-free
con- figuration in security systems, which shall be in compliance with the
security & continuity requirements for the operation.
When the deployment scale is large, implying that there are hundreds or
thou- sands of devices or systems to be monitored, an automated security
configuration compliance tool shall often be necessary. These tools
should utilize well established standards such as Security Content
Automation Protocol (SCAP) for automated follow up of vulnerability &
security configuration. This may also guide the security monitoring
implementation into more future-proof and extensible direction.
An important viewpoint is also the physical configuration, which shall
define the safe locations and positioning of monitoring equipment for
reliable operations. Then, what is the complete set up constituting from
essential appliances, power, backup devices & media, cabling, etc, shall
complete the secure configuration of a monitoring system. Also the
physical system inventory & set up should be well managed, controlled,
and documented for always being up-to- date after any approved change.
Finally, the baseline data groups (e.g. normal, malicious, abnormal and
un- classified), and the signatures of rule based systems, must be
established, preset & maintained for the secure configuration.
Configuration security related tasks for the network security monitoring
sys- tem include:

55
 Table 6. Configuration of network security monitoring system.

Area Principles/Tasks
Configuration Ensure that the configuration of your security
monitor- ing system shall not change
unintended. Manage the configuration of
each device or virtual system using a well
controlled change management process
Test the feasibility of any changes to the
monitoring configuration before applying,
when possible. Do not test new
configurations in the production system
In addition to protecting the integrity of your
configura- tion information, do not disclose
the detailed configura- tion information of
your security monitoring system to potential
attackers

Deployment, O&M and disposal

Both the deployment process and the operations & maintenance (O&M)
of net- work security monitoring systems are rather broad topics to be
discussed here extensively, but a few advices may be given, anyhow.
The device and software installation procedures and the bootstrapping
of trust & secure channels between the monitoring components require
good deployment plans and some compact guidance for the field install
crew. For example, the credential and certificate installation tasks by the
field crew shall be usually out of question. Such functions must be carried
out before installation, or at least installed automatically during the field
installation process. A rather big issue may also be to successfully and
securely integrate the security monitoring systems to the existing network
environment. For example, often some new rules, data mirroring, log
memory, and access rights need to be defined for the switch- es, firewalls,
access control systems, and perhaps even some application service
configurations.
For O&M, perhaps the most import issue is to define accurately the
56
roles & responsibilities for the operations & maintenance personnel. It
must be clear which authorization procedures are mandated for upgrading
and updating the systems, hardware and software. This includes patching,
vulnerability fixes, firmware upgrades, etc. In the case of service
agreement, it must be contracted with the service provider that how, when
and by whom their systems shall be updated & configured.

The deployment, operation & maintenance and disposal activities of

network security monitoring system should consider the following:

Table 7. Deployment, O&M & disposal of network security

monitoring system.

Area Principles/Tasks
Deployment Ensure that the possible remote
configuration process and access control are
secure before deploying a network- or
monitoring device
Keep the elementary system operations, such
as in- formation generation & bulk data
transfer, rather simple & basic for the most of
the networked devices. Allow for more
flexible configuration and online adjustment
for higher level devices and monitoring
systems
O&M Ensure simple & understandable usage,
update and maintenance process for the
security monitoring system
Update and reconfigure your security
monitoring system according to
continuously identified new vulnerabilities
and risks targeting your network
Disposal Ensure that the confidential information is
saved and destroyed from any of your
monitoring equipment be- fore disposal.
Preserve the identification information of any
monitoring HW & software product versions
that you may need e.g. for spare part &
upgrade acquisition

57
Assessing and selecting the basic indicators of an attack

As in any other (automated) supervision system, also concerning network

security monitoring systems perhaps the most important starting point for
accurate observations are the identification of basic attributes that should
be followed up more closely. Obtaining an optimal attribute- or parameter
set for a specific monitoring purpose shall not, however, always be a
simple task. On the contrary, many IDS vendors for example may suggest
that their system shall monitor all those attributes and all related
behaviour that is needed to capture any kind of attacker. Unfortunately,
this rarely is the whole truth in many cases.

Workflow for deducing the security monitoring attributes

In order to solve this “attribute selection problem” fully in advance, we should
have a clear overview of all the concurrent and future attacks and other abuse,
including their implementation details. Obviously this is an impossible task.
What we can realistically do, however, is that we select such solution
components which allow for flexible attribute and method selection, in addition
to the capability to monitor the currently known attacks & abuse types. Note
however that added system flexibility often adds also complexity and
vulnerability, which means that the components and solutions must be
implemented very carefully using secure development processes. Also the
baseline- and trend analysis may suffer if the monitored attributes are to be
changed too often. Therefore, the best way to apply these attributes is a
compromise between flexibility and simplicity, and also many other issues, of
course.
In an ideal world, we should create and maintain a mapping between
the various attack and abuse types and the list of attributes to be
monitored for capturing each of them. Actually, we should also have a list
of analysis methods to apply, using the captured attribute values, and
perhaps also a visualization scheme for each abuse. But we shall go
wrong if we believe that this approach and even very flexible security
monitoring system in general shall always be able to identify any new
abuse and the suspected subsystems related to it. Clearly, the re- quired
security data collection & analysis functionality shall grow when we add
a new feature to the networked system, and this emphasize also, e.g., the
in- crease of performance and configuration problems towards our
security monitoring systems.
In high level, the principal monitoring attributes of a network security
monitoring system for each case should be identified according to the
following workflow. NOTE: In the 58 presented workflow the network
security monitoring functionality is added to an existing networked
system. In an ideal world, how- ever, all security monitoring systems
should be planned and built-in already during the construction of the
networked system.

Figure 1. The developed workflow for deduction of the monitoring

attributes.

Table 8. The steps for deducing the principal security monitoring

attributes to existing network.

Ste Task description

p
#
1 Characterization of the system to be monitored
2 Analysis of security controls in the current system
3 Threat vulnerability identification of the system
4 Sorting out the relevant attacks, criminal activity &
abuse against the system
5 Analysis of impact & probability of each relevant abuse
case
6 Estimation of risk levels – costs & benefits calculation
of resolving abuse
7 Selection of the attributes for security monitoring
59
according to abuse risk levels
8 Testing & selection of the analysis methods for
processing the attribute flow
9 Testing & selection of the visualization schemes &
tools of analysis results
10 Return to earlier steps & continue the deduction
iteratively (at any step)

60
Unfortunately, the above workflow that we have developed seems to be
rather wide-ranging and extensive. However, this is in line with our
findings that per- haps the most difficult problem in network security
monitoring is the questions – What should be monitored? and What really
pays off to monitor?
In next subsections, we clarify each of these deduction steps, together
with few examples.

Step # 1: Characterization of the system to be monitored

First, we need to understand the basic operation of our current networked

system. Clarification is often needed to properly appreciate the basic
objectives & operation of the system that should be protected and
potentially monitored. In many cases, the best way to do this is to arrange
a meeting where the experts & key persons (who contributed into the
requirements & development of the sys- tem from different aspects) shall
explain the current system and the design- and operational choices made.
The system characterization should include the following topics:
• Main objectives for the system operation
o Why this system exists? What purposes it serves
according to contracts?
o What are the objectives and goals of the system?
o Which customers are served? Which stakeholders are
affected if the system fails?
• Description of basic system operation & employee tasks
o The operating environment
o Main operations
o The most important functionality
o Support operations
• Results of already conducted risk- and vulnerability analyses
should be recalled
o Organization initiated self-analysis results (e.g. standard
risk- & vulnerability analysis methods)
o Results should have included the prioritized listing of risks
& reasoning
61
o The weak spots of the system have been identified.
Step # 2: Analysis of security controls in the current system

All serious security work starts from ensuring that we understand not only
the current system operation but also the security controls already put in
place to protect the system from unwanted disturbances & potential
malicious activity. This analysis is needed to properly understand the
meaning and capabilities of the existing security solutions & security
controls currently planned or in use for our system. The security controls
should typically include:
• Enforced security policies (administrative & technical policies)
• Instructions for secure operations & secure ways of working
• Security requirements for systems and subsystems development
• Instructions of work and defence in the cases of emergency,
security incident & updating/upgrading
• Processes for establishing & maintaining the security of
outsourced systems.
Another task related with the security controls analysis should be to the
map security controls with the capabilities of feasible security monitoring
systems. Which of our security policies and requirements can be
supported in meaningful ways using some security monitoring methods?
At this point, we could even have first ideas that what kind of security
monitoring functionalities could be realistic and meaningful for our
system?

Step # 3: Threat & vulnerability identification of the system (targeted

attacks)

Threat identification & analysis is a process where the system is analysed

and estimated from the perspective of external or internal threats. A threat
may be kind of a traditional criminal activity such as theft of information,
software or equipment, or intentional harm to the system such as
weakening the service or causing the denial of services and/or data.
Threat vector is a path or tool used to attack towards target.
Vulnerability identification & analysis involves a systematic investigation of the
62
target system’s security and quality properties. Vulnerability is a flaw or weakness in
the system (or its O&M), which could be exploited. Often, vulnerability scanners, such
as port scanners, network enumerators, network vulnerability scanners and database
security scanners are used as automated tools during vulnerability analysis process.
However, a very important part of the threat analysis is to analyse what kind of
activities the potential attacker is allowed to perform in our environment (with
prerequisites). Often, the attackers (insiders and outsiders) may utilize multitude of
methods & practices to plan and execute a partial or full abuse of the target system, its
assets or data. The generic attack/abuse ingredients may include:
i. Information gathering (if information available)
ii. Learning of a system (if time & motive exist)
iii. Searching of vulnerabilities (if information available)
iv. Identifying ways to attack/abuse (if competence available)
v. Planning of attacks/abuse (if time & motive exist)
vi. Development of exploits (if tool & competence available)
vii. Planning the destruction of abuse traces (if competence available)
viii. Initiation of abuse (if motive & opportunity exist)
ix. Reactive actions against defense (if tool & competence available).
Using the learned attack background information and previous abuse case
experiences, the (professional) attacker may develop even better abuse
capabilities for future use:
• Identifying new asset types that are worth to be targeted and abused
• Identifying the vulnerabilities and/or persons that might enable
a new attack/abuse in the future
• Resolving the technical interfaces & human
relations/intercourse that successful abuse requires
• Collecting the vulnerable configuration data
• Clarifying the capabilities required for successful abuse in each case
o Attacker competence requirements
o Access permissions (legal & illegal) required for
initiating or enabling abuse

63
 o Best attack/abuse tools for the purpose (e.g. tool
evaluation for criminal motives)
o Listing the available exploits for entering to abuse case.

Step # 4: Sorting out the relevant attacks, criminal activity & abuse
against the system

Using the threats and vulnerabilities identified for the system, we need to
ana- lyse which of the potential attacks or abuse cases are really relevant
against our system and its current protection. In practise, this means that
we should combine the information attained in previous Steps (2) and (3).
Following example clarifies what kind of attack vectors might be possible
within organization, if not extra-guarded. Specifically, such lists should
help us in concluding which of the hypothetical abuse cases seem realistic
against our system. In other words, we would need to sort out the
irrelevant cases and concentrate only on really potential abuse cases.
Example - Insider abuse: We might conclude during our case analysis
that the following attack vectors might be relevant against our system:
• An employee (insider) uses social engineering to collect
unauthorized information (All our employees are not trained
against social engineering)
• A user bluffs administrator to reveal his administration
practices (Our administrators lack precaution or responsibility)
• An employee uses other person’s user account (Our users commit
insecure user account practices)
• An employee uses other person’s user rights (Employee can stole
session or user credentials)
• An employee exploits system’s internal vulnerability (Mole or ex
employee present in premises?)
• An employee manipulates system log files (Might we
possess a wounded administrator, log files are stored
insecurely)
• An employee generates system error to hide unauthorized
access (Might we have an improper configuration of logging
system? Do we really keep track of log files systematically in
all cases?). 64
Typically, the number & exploitation potential of attack vectors depend
much on the weaknesses that specifically exist in common working
processes and personnel’s ways of working. Of course, sometimes a
companion of technical fault or vulnerability is also required to enable the
enemy to finalize the abuse, who may then commit “a perfect crime”
without perception.

Step # 5: Analysis of impact & probability of each relevant abuse

case

For this step there should be a standard practice in each organization, in

which the company’s critical operations are analysed against relevant
security abuse cases, possible attacks and incidents. Such an analysis
requires profound system & business knowhow (e.g. for impact analysis)
and also feasible expertise of information security & value management
(e.g. for probability analysis). The impact and probability analysis tasks
for security are briefly introduced in the following:
Impact analysis has few profound questions to be answered for each
relevant abuse case:
• What is the value of the affected asset? What is the value of
potential loss?
o Value of protected information
o Value of missed production
o Value of lost company image/brand
• What kind of behaviour the system and related systems shall
undergo due to the attack/abuse?
o What are the direct and indirect consequences of an abuse case?
• What it requires to restore the normal operation after
realized at- tack/abuse case?
o How long does the restoration to normal takes?
o Value of required extra effort & equipment due to realized
security incident
The probability analysis for each abuse case has also specific questions to be
answered:
65
• Technical & operational difficulty of abuse? Division to abuse lasses such as:
 o Abuse is available/obvious (1: Easy)
o Abuse requires basic engineering skills (2: Basic)
o Abuse with professional attitude & skills (3: Professional)
o Organized professional abuse planning & design (4: Organized)
• Direct & indirect expenses to the abuser? How big value can
be attained by the abuser?
o Expenses to abuser. Classes, e.g.: < 1000 €, < 10 000 €,
< 100 000 €, > 100 000 €
o Value to abuser. Classes, e.g.: < 10 000 €, < 100 000 €,
< 1 000 000 €,
> 1 000 000 €
• How easily the results of abuse can be exploited? E.g. Ease
of exploit -classes (from easy towards more difficult) such
as:
o Can be easily exploited in public marketplace (Easy)
o Can be exploited in public marketplace with preparations
(Exploitable)
o Requires a sort of launderer or mediator (Mediator)
o Suitable for criminal usage only (Criminal).

Step # 6: Estimation of risk levels – costs & benefits calculation of

resolving abuse

Next we need to continue with the estimation of risk levels. We need to

compare the endangered value of assets and (business) operations with the
costs of protection mechanisms & processes. Obviously, the continuity &
other benefits of protection must overweight the cumulative costs of
protection. So, we should carry out the following activities to complete
the estimation of risk levels.
Estimating the costs of elimination & mitigation of each relevant abuse case:

66
 • Costs of doing efficiently the following:
o Abuse & attack identification
o Abuse block out
o Incident reporting
o Abuse prevention planning & management.
Estimating the benefits of preventing an abuse case. To accomplish this
task, we may simply recall the results of previous step: impact analysis
(costs of lost value, production & brand, restoration costs) and probability
analysis.
Finally, we should to carry out the comparison of costs & benefits for
each abuse case. Obviously, this could be done according to each
company’s preferences, but e.g. 3–5 different abuse risk criticality levels
could be defined, for example:
• Critical risk (critical benefits in prevention, at feasible
prevention costs)
• High risk (benefits in prevention, at feasible prevention costs)
• Medium risk (benefits in prevention, at probably non-feasible
preven- tion costs)
• Low risk (uncertain benefits in prevention, at non-feasible
prevention costs).

Step # 7: Selection of the attributes for security monitoring according

to abuse risk levels

Eventually, the security monitoring attributes for abuse monitoring may

be (initially) selected using the estimated risk levels. Being an
organizational and extremely case dependent issue, the monitored
attributes may be selected, for ex- ample, only for the Critical- & High
risk abuse cases. While identifying & selecting the monitoring attributes,
consider the following:
• From each relevant abuse case, identify the key information &
data, assets, and system services & states that needs to be
guarded 67
• Identify the attributes that should be monitored from the key
information & data, assets, and system services & states. For
attribute examples, see subsection “Examples of security
monitoring attributes”. The critical topics to be monitored
include:

o Key information (business secrets, credentials, emergency

system controls, maintenance- and updating information)
o Key data (log data, access control data, network management
data, control & signalling data, routing tables, hardware-,
equipment- & software specifications, system configuration,
network topology, firewall configuration & rules, etc.)
o Assets (network equipment, workstations, cables, switches,
base stations, communication channels, application software,
databases, configuration files, partners & subcontractors)
o System services (operating system services, application
software services, maintenance services, user authentication,
access control, audit trail, diagnostics, analysis, updates,
backup & recovery, re- mote monitoring, system
development)
o System states (states of memory & CPU, network interfaces,
enterprise service bus, configuration, updating, reboot,
filtering, error, recovery)
• Analyse the identified attributes in detail to understand which of
these are practical to be automatically recorded by the local
system:
o Is it possible to automatically record the attribute?
o Is it practical & cost effective to arrange for secure attribute
data re- cording, storage and data transfer?
o Are there any legal or regulatory obstacles in the attribute
data col- lection?
o Note: Sometimes it may require an expert to estimate which
of the attribute recordings require a new system or software to
be installed
• Estimate whether the practically recordable monitoring attribute
data shall be enough for reliable abuse case identification (or to
complement it) 68
 o Consult a security (solution) expert about the reliable
security monitoring analysis methods and input
requirements
• Clarify the maturity, availability & overall costs of each
analysis method to your available attribute data
o For scalability reasons, prefer using & recording such attribute
data that are supported by (standard) local devices, if there are no
special reasons such as suspected industrial espionage, for the
usage of tailored attributes.

Step # 8: Testing & selection of the analysis methods for processing

the attribute flow

The feasible analysis of attribute data can usually contain two principal
method families. When there are lots of data to be analysed, together with
modest computing and memory capabilities, then the “statistical analysis”
methods may be feasible. Statistical analysis methods are feasible for
identifying suspect behavior in the network, but they are not 100 %
accurate.
On the other hand, the “distinct analysis” methods are feasible against
known attacks. However, the drawbacks include a mandatory data
inspection system, which often requires e.g. powerful processing, lots of
memory, and also some manual maintenance work for its rule-base
updates.
More of the analysis method selection is discussed in subchapter “3.4
Data analysis methods”.

Step # 9: Testing & selection of the visualization schemes & tools of

analysis results

After the attribute data flow has been processed, it needs to be combined
& correlated with the previously preset data and visualized to the user.
The presentation of the aggregated results can be done, for example,
visualizing the:
• malicious data groups (match to malicious)
• abnormal data groups (match to abnormal), and
• unclassified data groups (no match)
in different ways than the normal data groups (match to normal). The
optimal, automated way to recognize 69& formulate these groups should be
tested using various visualization tools. These results, the best tools &
their visualization schemes, should then be mapped to the relevant abuse
cases.
More of the data aggregation topic is discussed in section “3.4.2 About
net- work data aggregation methods”.

High level monitoring scope to be deployed

Each of the various operators of the networks and systems should be able
to develop a reasonable monitoring deployment with a feasible direct
scope for them. Of course, this should not exclude the co-operation and
exchange of relevant monitoring information between the (interoperating)
network & system operators, while still working according to laws &
regulations. Next, there are presented some examples of various high
level monitoring scopes of interest.

Example scopes for Enterprise systems monitoring

Table 9. Example scopes for Enterprise systems monitoring.

High level moni- Examples of high level Event types

toring scope monitoring scope to be
monitored
Enterprise Status of various enterprise & System events
systems engineering systems (e.g.
operation, con- figuration,
upgrading)
Status of business processes Process
per user (access log, events
application log, messaging
status, presence)
Updates to business Proces
processes (e.g. a new s
instruction/module taken into change
use) s
Status of assets & inventory System
systems, system general events,
properties Physical
70 events
Employee status (e.g. role, System
access control status, work events,
tasks/activities, user Physical
rights/permissions) events
Officer & partner clearance Human
actions
Other human actions & context Human
of action actions

71
Example scopes for Outsourced systems monitoring

Table 10. Example scopes for Outsourced systems monitoring.

High level moni- Examples of high level Event types

toring scope monitoring scope to be
monitored
Outsourced Outsourced system’s System
systems (e.g. operation: requests, responses, events, etc.
cloud SLA monitors
services) Outsourcing resource System events
allocation & demolition
Load balancer operation, load System events,
monitoring, usage profiling Network
events
Changes in outsourced System events,
configuration & environment Network
events
System health-, availability-, System events,
and performance trends, Network
triggers & thresholds of the events
system

Example scopes for Production systems monitoring

Table 11. Example scopes for Production systems monitoring.

High level moni- Examples of high level Event types

toring scope monitoring scope to be
monitored
Production Status of production systems Process
sys- tems (operat- ing mode, system events,
services, system states, usage System
history, maintenance cases, events,
diagnostics, configuration) Physical
events
Safety & security systems status System events,
72 Physical
 events

Operations management (e.g. System

control centre events, operation events,
control status) Process
changes

73
Example scopes for Network systems monitoring

Table 12. Example scopes for Network systems monitoring.

High level Examples of high level moni- Event types

moni- toring toring scope to be
scope monitored
Network Network management system Network
systems operations events,
System
events
Network device status & Network
(remote) management events,
System
events
Network border/gateway Network
device status events,
System
events
Application service interfaces Network
within network system events,
System
events
Status of network service Network
interfaces, changes in status events,
System
events
Filtering- & access control System
rules and log files events,
Security
events
Network bindings & actual System
connection flows events,
Network
events
Protocol messaging between Network events
end-points
Parameter messaging between Network events
endpoints 74
Example scopes for Control systems monitoring

Table 13. Example scopes for Control systems monitoring.

High level moni- Examples of high level Event types

toring scope monitoring scope to be
monitored
Control Security control (room) Any event
systems events & alarms
Status of security Security
monitoring, anti- malware events
& IDS & SIEM systems
Activation or deactivation of System events,
monitoring data collection Network
& related systems events
User account management System events
events
Access control systems System events
status, usage profiling
Logging systems, audit trail, System events
log monitoring
Configuration control events System events
Control of other changes System events
(incl. any software,
firmware, hardware)
Session control events System events,
Network
events
Keep-alive messaging follow Network
up events

Examples of security monitoring attributes

We are also aiming to give some concrete support for the detailed attribute selection
task. Therefore, we introduce and assess briefly below some indicators & attributes,
which could be captured and analysed to effectively recognize the potentially malicious
phenomena, for the purposes of network
75 security monitoring.
 Unfortunately, more concrete case studies are needed that should enable us for
presenting even more extensive attribute lists. Each network operator or administrator
shall define a list of their own, according to feasible risks and limitations of their
networked technological environment. The deployed (risky) software applications shall
probably affect a lot into the selection of the most relevant security monitoring
attributes.
See a table below as a simple example list.

76
 Table 14. Some possible attributes for security attack & abuse
analyses.

Type Indicators Attribute type Notes about

capturing /
processing
Unusual Sudden network # of frames / time Network traffic
load traffic load unit analyser probes or
MIBs of devices
Slower access to Round-trip time ICMP (ping), test
net- work (RTT) data transfers,
devices than other RTT
normally monitors
Sudden problems % of free disk System status
with disk space space monitoring SW
High CPU load % of CPU usage System status
without reason monitoring SW
Usage of New user accounts Account log entry Log monitoring
user Unexpected Account log entry Log monitoring
accounts use of admin-
user accounts
User accounts Account log entry Log monitoring
locked
Deviation Log files or System log entry Log monitoring,
s in log entries deleted system status
entries monitoring SW
Sudden bulk of System log entry Log monitoring
log entries
Unusual Boom of alerts AV & IDS events Typically vendor
device/serv from antivirus & specific events and
er activity IDS software formats
Errors in servers Thrown Monitoring of
exceptions & application
error messages, specific error
TCP/HTTP messages, protocol
keepalives specific keepalives
Sudden changes in Filenames Tracking the file
files and and system changes
directories directories
Unexpected OFF Security
77
software Tracking the
of security & configuration changes in security
 controls status configuration and
status
Sudden changes in Patch changes Tracking the patch
patches changes in system
Unexpected System Tracking the
shutdowns shutdown system shutdown
event events
Unexpecte Unexpected Configuration Remote
d con- change configuration
configurati figuration attestation,
on changes changes configuration
follow-up
Unexpected Installed SW Tracking the
embedded software that are
software installed and
running
Disabled Logging settings Systems that
logging validate logging
functionalit correctness.
y Secured logging
follow up
Deleted Status of recovery Systems that
recovery systems validate
systems recovery
functions and
data

78
Suspicious More data sent Alteration Flow analyzer
network towards external in data emphasizing
behavior networks flows, FW applications,
logs & protocols,
events conversations,
endpoints
More data sent Alteration Firewall log
from external in data analysis tool. Or
networks flows, FW flow analyzer
logs & emphasizing
events applications,
proto- cols,
conversations,
end- points
Unexpected data Alteration Flow analyzer
flows in data emphasizing the
flows, FW flows (NetFlow,
logs & cFlow, jFlow,
events sFlow)
Unexpected Faulty messages Analysis of error
behavior similar or sent error codes or diagnostic
to device error codes tool results
Social Unexpected Junk emails, Following up the
engineerin information phone calls, activities that were
g activities requests queries, social not related to
abuse assigned tasks
Suspicious content Suspect text Content based
strings or data filtering &
formats alarming systems
Applicatio “Various “Application Application
n specific application specific monitoring systems.
indicators specific abuse attributes” Also following up
indications” the implications of
application usage,
etc.

Few concerns about data network architecture

In today’s ICT networks, it is essential that the network architecture is

designed & constructed according to79the critical protection needs of each
operating site. For example, the server cluster should often be separated
into its own subnetwork so that any user device malfunction doesn’t
propagate risky data traffic to application or infrastructure services
provisioning segments. Some general principles include:
• Design LAN topology by separating the critical & non-critical functions.
• Isolate logically the critical (or vulnerable) protocols to
segregated sub- networks.
• Use the DMZ and firewalls between the separated subnetworks,
if some connectivity is needed.
• Prepare for the alternative communication paths that protect
against sudden data media errors.
• Select the feasible user data & content segregation mechanisms.
• Maintain separate test subnetworks, where e.g. new device
configurations can be tested before installation to the
production network.

Typically, the edges f such deployed LAN shall be the potential physical loca-
tions for installing the major security monitoring probes or SIEM. This is
due to better potential of capturing larger amounts of data with
representative scope for further analysing the incoming & outgoing data,
traffic, flows, etc.

About security monitoring data communication architecture

While the physical data network architecture might explain the wiring, node
location, network topology and other such issues, it may not clarify how the
different devices should communicate with each other. For communicating the data
that shall be used as input for the security monitoring systems, there are few
basic alternatives on ow the transfer of such data may be arranged. These alter-
natives are discussed briefly in below subsections.

Local monitoring data collection

In the next figure, a local network monitoring data information collection

is presented in a generic case (not including peer-networking cases).

80
 Figure 2. Communicating the local network monitoring data to local monitoring
g service.

NOTE: It is NOT a good design principle to allow the transfer of detail

monitoring data from each client to site major monitor ng data server
through firewalls or DMZs. The local serving node should instead send
the local subnetwork’s aggregated data to the higher layers of the
monitoring solution. This reduces the risk of (site-level) monitoring data
flooding.

Within the local subnetwork, the communication alternatives include:

• Server broadcasting a request for monitoring data to all
devices, the clients shall respond when available.

• Server polling each client individually using request/reply messaging, each

client responds to the request when available.
• Each client is independently and periodically pushing monitoring data
batches to the server.
• Each client is pushing monitoring data to the server
independently, but only after any important event/alarm at the
client.
• Each client is publishing monitoring data independently (e.g.
using RSS feed, messaging application, etc.).
• A database synchronization of monitored data is run between
server and the clients. Each client has its own entry in the
server database.
In the subnet level, it might not always be necessary to use open standards for
81
transferring the monitoring data, for example in such cases where the local
equipment is very proprietary or a standard communication solution is not feasible.
In below, there is a table about the Pros & Cons of each local
communication alternative.

Table 15. Comparison of local monitoring data communication

choices.

Communication
alter- native for Pros Cons
monitoring data
Server broadcasting Simple Broadcast signalling
Server polling Proven, de-facto Limited
scalability,
state-based
Client Distributed Not real-time
pushing operation,
batches scalable
Client pushing at Distributed Bulk of events
events operation, real-
time
Client publishing Distributed Web service risks
operation,
scalable
DB Functionality, Database system
synchronization flexible risks

82
About corporate level monitoring data collection

The cost-effective arrangements for monitoring data transfer at corporation level shall depend
largely, of course, on the corporation’s common data communication architecture. While these
architectures may be based on various communication technologies, we would still like to try
and give couple of security advices at this level also.
Applying for corporation & group levels, the necessary data collection facilities for the
network security monitoring purposes should be planned, managed & maintained in secure
ways, such as:
• The basic topics to be monitored shall be defined in the planning phase. Risk analysis
for the necessary information transfers should be made.
• It should be agreed about the usage of common corporate level communication
standards for monitoring supervision data – which may often be Internet based for cost-
efficiency.
• It should be planned and arranged for the centralized monitoring data services where all
(summary) data is collected to and from where it may be further analysed. Also, one
alternative might be to contract with the (outsourced) security service provider, when
feasible.
• By default, all the network management & monitoring data connections should be
authenticated, integrity, replay & confidentiality protected.
• Network administrator’s system access should be restricted – e.g. only allowing access
from network supervision & management workstations.
• User accounts for network supervision should only allow the reading of log files, not
modification. Modification of log files should be made impossible by default.
Note that the global network security co-operation- & data collection principles are
currently as work-in-progress in various global research & standardization communities.
Unfortunately, it has not often been possible to arrange truly open security information
exchange networks, due to risks for attacker community follow up. Where applicable,
however, feasible secure Internet standard proto- cols should be used for the security
information exchanges due to fast interworking, security and integration capabilities

83