Cyber Security III Access Control and Intrusion Detection: Dr. Smita Kachole

Uploaded by Smita Saudagar
Cyber Security III
Access Control and Intrusion Detection
Dr. Smita Kachole

Information and network Security
• Chapter 1: Access Control and Intrusion Detection
• 1. Overview of Identification and Authorization
• 2. Overview of IDS
• 3. Intrusion Detection Systems and Intrusion Prevention Systems
Information and network Security
• Chapter 2: Server Management and Firewalls
• 1. User Management
• 2. Overview of Firewalls
• 3. Types of Firewalls
• 4. DMZ and firewall features
Information and network Security
• Chapter 3: Security for VPN and Next Generation Technologies
• 1. VPN Security
• 2. Security in Multimedia Networks
• 3. Various Computing Platforms: HPC, Cluster and Computing Grids
• 4. Virtualization and Cloud Technology and Security
Subject and Object
• Subject. A subject is the active entity that accesses an object. For example, when a user accesses a file, the user is the subject. Other subjects include programs, processes, and any entity that can access a resource.
• Object. An object is a passive entity that is being accessed by a subject. For example, when a user accesses a file, the file is the object. Other objects include databases, computers, printers, or any other resource that can be accessed by a subject.
Identification
• Identification occurs when a user (or any subject) claims or professes an identity. This can be accomplished with a username, a process ID, a smart card, or anything else that can uniquely identify a subject. Security systems use this identity when determining if a subject can access an object.
Authentication
• Authentication is the process of proving an identity; it occurs when subjects provide appropriate credentials to prove their identity.
• Providing the correct password with a username
• Authentication provides proof of a claimed identity.
Authentication
• Methods of authentication:
• Something you know - password or PIN
• Something you have - such as a smart card
• Something you are - using biometrics
• Once a user is identified and authenticated, they can be granted authorization based on their proven identity.
• Different users - access to different resources
Authentication implementation
• Basic authentication - involves a server which maintains a user file of usernames and passwords.
• Challenge-response authentication
• Centralized authentication is when a central server authenticates, authorizes, and audits all network users.
Types of authentication
• Non-Repudiable Authentication - Something you are involves physical characteristics that cannot be denied; therefore, authentication based on it cannot be denied.
• Biometrics / digital signatures / confirmer signatures / chameleon signatures
• Repudiable Authentication-
Methods of Authentication
• Password Authentication - passwords
• OTPs – discarded after the session
• Challenge-response passwords - the user needs to provide a password, number, etc.
Methods of Authentication
• Public Key Authentication - the process of public-key authentication requires each user of the scheme to first generate a pair of keys and store each in a file. Each key is usually between 1,024 and 2,048 bits in length. Public-private key pairs are typically created using a key generation utility.
• The server knows the user's public key because it is published widely. However, only the user has the private key.
Methods of Authentication
• The centralized authentication server, commonly known as the access control server (ACS), is in charge of authentication using public key systems.
• When a user tries to access an ACS, it looks up the user's public key and uses it to send a challenge to the user.
• The server expects a response to the challenge where the user must use his or her private key. If the user then signs the response using his or her private key, he or she is authenticated as legitimate.
Methods of Authentication
• The private key never leaves the user's machine, and therefore cannot be stolen or guessed like a password.
• In addition, the private key has a passphrase associated with it, so even if the private key is stolen, the attacker must still guess the passphrase in order to gain access.
Methods of Authentication
• Secure Sockets Layer (SSL) authentication -
• Based on PKI
• Uses cryptography
• Uses a public/private key pair
• Communicating elements acquire verification certificates from a certificate authority (CA)
Methods of Authentication
• Kerberos authentication - A network authentication protocol that provides strong authentication for client/server applications by using PKI technology.
• Kerberos is typically used when a user on a network is attempting to make use of a network service and the service wants assurance that the user is who he says he is.
• Kerberos derives its name from the three-headed dog of Greek mythology that guarded the gates to Hades.
Methods of Authentication
• Kerberos was developed at MIT to provide secure authentication for UNIX networks.
• Now an Internet standard supported by Microsoft Windows 2000.
• Kerberos uses temporary certificates called tickets, containing the credentials to identify the user to the servers on the network.
• In the current version of Kerberos, v5, the data contained in the tickets is encrypted, including the user's password.
Methods of Authentication
• MD5 authentication – In MD5 authentication, each user has a file containing a set of keys that are used as input into an MD5 hash.
• The information being supplied to the authenticating server, like passwords, has its MD5 checksum calculated using these keys, and is then transferred to the authenticating server, along with the MD5 hash result.
• The authenticating server then gets user identity information like a password, obtains the user's set of keys from a key file, and then calculates the MD5 hash value. If the two are in agreement, authentication is successful.
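The exchange described above, as an added example (not code from the slides): the client hashes the password with the user's key set and sends identity, password and digest; the server looks the keys up in its key file, recomputes and compares. The server-issued nonce is an extension the slide does not describe; it makes each digest single-use. The key file contents are constructed.

```python
"""Keyed MD5 authentication, modelled on the scheme described in the slides."""
import hashlib
import hmac
import secrets

# Constructed key file: username -> the user's set of keys. On a real
# authenticating server this would be a protected file.
KEY_FILE = {
    "alice": [b"key-one-example", b"key-two-example"],
}


def keyed_md5(keys, password, nonce):
    """MD5 over the user's keys, the server nonce and the password."""
    h = hashlib.md5()
    for k in keys:
        h.update(k)
    h.update(nonce)
    h.update(password.encode())
    return h.hexdigest()


class AuthServer:
    def __init__(self, key_file):
        self.key_file = key_file
        self.pending = {}  # username -> nonce still awaiting a response

    def challenge(self, username):
        """Hand the client a fresh nonce (extension to the slide's scheme)."""
        nonce = secrets.token_bytes(16)
        self.pending[username] = nonce
        return nonce

    def verify(self, username, password, digest):
        """Recompute the keyed hash from the key file and compare."""
        keys = self.key_file.get(username)
        nonce = self.pending.pop(username, None)   # a nonce is consumed once
        if keys is None or nonce is None:
            return False
        expected = keyed_md5(keys, password, nonce)
        # Constant-time comparison so timing does not leak the prefix match.
        return hmac.compare_digest(expected, digest)


def client_login(server, username, password, keys):
    """Client side: obtain the challenge, compute the digest, submit it."""
    nonce = server.challenge(username)
    digest = keyed_md5(keys, password, nonce)
    return server.verify(username, password, digest)


if __name__ == "__main__":
    srv = AuthServer(KEY_FILE)
    print("correct keys:", client_login(srv, "alice", "pw", KEY_FILE["alice"]))
    print("wrong keys:  ", client_login(srv, "alice", "pw", [b"not-her-keys"]))
```

MD5 is no longer considered suitable for new designs; `hmac` over SHA-256 is the modern form of this keyed construction.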
Methods of Authentication
• Remote Authentication - Remote authentication is used to authenticate those users who dial in to the ACS from a remote host.
• This can be done several ways, including using secure remote procedure call, dial-up, and remote authentication dial-in user services authentication.
Methods of Authentication
• Secure Remote Procedure Call (RPC) authentication - is used by clients who do not need to identify themselves to the server, and the server does not require any identification from the client.
• Services falling in this category, like the Network File System (NFS), require stronger security than the other services, and RPC authentication provides that degree of security.
• Different forms and multiple types of authentication can be used by RPC, including: NULL authentication, UNIX authentication, data encryption standard (DES) authentication, DES Authentication Protocol, and Diffie-Hellman Encryption.
Methods of Authentication
• Dial-up authentication - authenticates a remote user, who is usually on a serial line or ISDN. The most common dial-up connection is the Point-to-Point Protocol (PPP). These authenticate the peer device, not the user of the device.
• PPP authentication mechanisms:
• Password Authentication Protocol (PAP)
• Challenge Handshake Protocol (CHAP)
• Extensible Authentication Protocol (EAP)
Methods of Authentication
• Remote Authentication Dial-in User Services (RADIUS) - is a common user protocol that provides user dial-in to the ACS, which does the user authentication. Because all information from the remote host travels in the clear, RADIUS is considered to be vulnerable to attacks and, therefore, not secure.
Methods of Authentication
• Anonymous Authentication -
• There are many times a system administrator may want outside users to access public areas of the network without accessing the entire system. Clients who need this type of access typically use anonymous authentication. In order to give them access to some system resources, for example to a company Website, these users, usually customers, are given access to the resources via a special anonymous account.
Methods of Authentication
• Digital Signature-Based Authentication -
• A digital signature is a cryptographic scheme used by the message recipient and any third party to verify the sender's identity and/or message for authenticity.
• It consists of an electronic signature that uses public key infrastructure (PKI) to verify the identity of the sender of a message or the signer of a document.
Methods of Authentication
• Wireless Authentication - Because of the growing use of wireless technology, mobile computing has skyrocketed in the last several years.
• There is a growing need for wireless network authentication for mobile devices.
• IEEE 802.1X, through its Extensible Authentication Protocol (EAP), has built-in authentication for mobile unit users. This authentication requires Wi-Fi mobile units to authenticate with the network servers that they seek to connect to.
Identification, Authentication and Authorization
• Identification occurs when a subject claims an identity (such as with a username).
• Authentication occurs when a subject proves their identity (such as with a password).
• Once the subject has a proven identity, authorization techniques can grant or block access to objects based on their proven identities.
Intrusion detection
• Intrusion detection (ID) is a new technology that detects the characteristic signatures of software used in cyber attacks.
• The detection software uses the signatures to determine the nature of the attacks.
• At each different level of network investigative work, there is a different technique of network traffic information gathering, analysis, and reporting.
Intrusion detection
• Intrusion detection operates on network traffic entering or already within the network.
• Anomalies in the traffic lead to distinguishing between intruders and legitimate users of the network.
• The anomalies are actually large and noticeable deviations from historical patterns of usage. ID systems are to identify three categories of users:
– Legitimate users,
– Legitimate users performing unauthorized activities,
– Intruders who have illegally acquired the required identification and authentication.
Intrusion detection
• ID sensors are commonly placed on the perimeter of a private network, outside the organization's firewalls. It is common to have sensors on the same machine as the firewall.
• This location is good as the first line of defense, since all possible attacks coming into the organization network pass through this point.
• Other good locations - inside the network on network subnets and on network hosts to monitor inside activities.
Intrusion detection
• An intrusion-detection system can be seen as a detector that processes information coming from the system that is to be protected.
• This detector uses three kinds of information:
– the technique used to detect intrusion (for example a signature database),
– configuration information about the current state of the system,
– the audit trail.
Intrusion detection
• Artificial Intelligence in IDS
• The scope of ID systems
• Protect network systems from outside?
• The primary focus of ID systems is on the network as a unit.
• Network packet data is collected by watching network packet traffic and analyzed based on network protocol pattern norms, normal network traffic signatures, and network traffic anomalies.
• The ID systems look for three things: signatures of known attacks, anomalous behaviour, and misuse patterns.
Intrusion detection
• Signatures of known attacks usually involve one of three common types:
• String: These signatures are used to monitor text strings that may indicate a possible attack.
• Port: These signatures are used to monitor for applications that make port connection attempts. The monitoring is usually done on well-known and frequently attacked ports. Most attacked ports include port 20 for TCP, port 21 for FTP, and port 23 for telnet.
• Header: These signatures monitor abnormal combinations in packet headers for a number of known signatures like the IP address and sequence number signatures.
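The three signature types above, as an added example (not code from the slides): one string signature, one port signature and two header signatures run over a handful of constructed packets. Signature names and sample traffic are invented for illustration.

```python
"""String, port and header signature matching over constructed packets."""
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                                   # "tcp" or "udp"
    dport: int
    flags: set = field(default_factory=set)      # TCP flag names present
    payload: bytes = b""


# Each signature is a callable returning the alert name on a hit, else None.
def string_sig(name, needle):
    """String signature: a byte string in the payload indicates an attack."""
    def match(p):
        return name if needle in p.payload else None
    return match


def port_sig(name, ports):
    """Port signature: a TCP connection attempt to a frequently attacked port."""
    def match(p):
        return name if p.proto == "tcp" and p.dport in ports else None
    return match


def header_sig(name, predicate):
    """Header signature: an abnormal combination of header fields."""
    def match(p):
        return name if predicate(p) else None
    return match


SIGNATURES = [
    string_sig("ftp-anonymous-login", b"USER anonymous"),
    port_sig("telnet-connect-attempt", {23}),
    # SYN and FIN set together is not a combination a normal stack produces.
    header_sig("tcp-syn-fin", lambda p: p.proto == "tcp" and {"SYN", "FIN"} <= p.flags),
    # A packet whose source address equals its destination address.
    header_sig("src-equals-dst", lambda p: p.src == p.dst),
]


def scan(packets, signatures=SIGNATURES):
    """Return (packet index, alert name) for every signature hit."""
    alerts = []
    for i, p in enumerate(packets):
        for sig in signatures:
            hit = sig(p)
            if hit:
                alerts.append((i, hit))
    return alerts


# Constructed sample traffic (addresses from the documentation range).
SAMPLE = [
    Packet("192.0.2.5", "192.0.2.9", "tcp", 80, {"SYN"}, b"GET / HTTP/1.0"),
    Packet("192.0.2.5", "192.0.2.9", "tcp", 21, {"ACK", "PSH"}, b"USER anonymous\r\n"),
    Packet("192.0.2.7", "192.0.2.9", "tcp", 23, {"SYN"}),
    Packet("192.0.2.7", "192.0.2.9", "tcp", 443, {"SYN", "FIN"}),
    Packet("192.0.2.9", "192.0.2.9", "udp", 53, set(), b"\x00"),
]

if __name__ == "__main__":
    for idx, alert in scan(SAMPLE):
        print(f"packet {idx}: {alert}")
```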
Intrusion detection
• Anomalous behaviours are detected when the ID tools take observed activities and compare them to the rule-based profiles for significant deviations.
• The profiles are commonly for individual users, groups of users, system resource usages, and a collection of others.
Intrusion detection
• An individual profile - a collection of common activities a user is expected to do, with little deviation from the expected norm.
• Time being longer than usual usage
• Recent changes in user work patterns, and significant or irregular user requests.
Intrusion detection
• A group profile covers a group of users with common work patterns, resource requests and usage, and historic activities. It is expected that each individual user in the group follows the group activity patterns.
Intrusion detection
• A resource profile includes the monitoring of the use patterns of the system resources like applications, accounts, storage media, protocols, communications ports, and a list of many others the system manager may wish to include.
• It is expected, depending on the rule-based profile, that common uses will not deviate significantly from these rules.
Intrusion detection
• Other profiles -
• Executable profiles that monitor how executable programs use the system resources. This, for example, may be used to monitor strange deviations of an executable program if it has an embedded Trojan worm or a trapdoor virus.
• Work profile - which includes monitoring the ports.
Intrusion detection
• Static profile - which monitors other profiles, periodically updating them so that those profiles cannot slowly expand to sneak in intruder behaviour.
• Adaptive profile - which monitors work profiles, automatically updating them to reflect recent upsurges in usage.
• Adaptive rule-based profile - which monitors historic usage patterns of all other profiles and uses them to make updates to the rule base.
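The individual profile and the adaptive profile described above, as an added example (not code from the slides): a per-user profile is built from constructed session history, each new session is scored for deviation from the profile, and only non-anomalous sessions are folded back in, so the profile cannot slowly expand to absorb intruder behaviour. Thresholds and the session fields are assumptions.

```python
"""Rule-based individual profile with deviation scoring and guarded adaptation."""
from statistics import mean, pstdev

# Constructed history for one user: (session minutes, requests, login hour).
HISTORY = [
    (45, 120, 9), (50, 130, 9), (40, 110, 10), (55, 140, 9),
    (48, 125, 10), (52, 135, 9), (47, 118, 9), (51, 128, 10),
]


class IndividualProfile:
    """Profile of one user's common activity, built from past sessions.

    A session deviates when a numeric metric lies more than `threshold`
    standard deviations from the profile mean, or when the login hour
    was never seen in the history.
    """

    def __init__(self, history, threshold=3.0):
        self.threshold = threshold
        self.history = list(history)
        self._rebuild()

    def _rebuild(self):
        minutes = [h[0] for h in self.history]
        requests = [h[1] for h in self.history]
        # Guard against a zero spread so the z-score stays defined.
        self.stats = {
            "minutes": (mean(minutes), pstdev(minutes) or 1.0),
            "requests": (mean(requests), pstdev(requests) or 1.0),
        }
        self.hours = {h[2] for h in self.history}

    def deviations(self, session):
        """Return a list of human-readable deviations; empty means normal."""
        minutes, requests, hour = session
        found = []
        for name, value in (("minutes", minutes), ("requests", requests)):
            mu, sigma = self.stats[name]
            z = (value - mu) / sigma
            if abs(z) > self.threshold:
                found.append(f"{name}: z={z:.1f} (mean {mu:.1f})")
        if hour not in self.hours:
            found.append(f"login hour {hour} outside {sorted(self.hours)}")
        return found

    def adapt(self, session):
        """Adaptive update: absorb a session only if it did not deviate."""
        if self.deviations(session):
            return False
        self.history.append(session)
        self._rebuild()
        return True


if __name__ == "__main__":
    profile = IndividualProfile(HISTORY)
    for s in [(49, 127, 10), (240, 900, 3)]:
        print(s, "->", profile.deviations(s) or "normal", "| adapted:", profile.adapt(s))
```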
Intrusion detection
• Misuse patterns (that is, patterns of known misuse of system resources) are also an effective focus for ID tools.
• These patterns, once observed, are compared to those in the rule base that describe "bad" or "undesirable" usage of resources.
• To achieve this, a knowledge database and a rule engine must be developed to work together. Misuse pattern analysis is best done by expert systems, model-based reasoning, or neural networks.
Intrusion detection
• Networks are getting larger and traffic heavier; it is becoming more and more difficult for the ID system to "see" all traffic on a switched network like an Ethernet.
• ID systems fall into two categories: host based and network based.
Intrusion Detection Systems
• The goal of an Intrusion Detection System (IDS) is to monitor network assets to detect anomalous behaviour and misuse.
Host-Based Intrusion Detection Systems
• HIDS techniques focus on the network server to monitor specific user and application traffic handled by that server.
• It tracks log files and audits traffic in and out of this one machine.
• HIDS also check on the integrity of system files and watch the activities of all processes on the machine for abnormal process behaviour.
• They are either personal firewalls or sensor agents. Personal firewalls, sometimes called wrappers, are configured to look at all network packets, connection attempts, login attempts and non-network communications.
Host-Based Intrusion Detection Systems
• Agents are configured to monitor accesses and changes to critical system files and changes in user privileges.
• Whether personal firewalls or agents, host-based ID tools are good for monitoring a network system for intrusion from insiders.
Host based IDS
Advantages of HIDS
• Faster than their cousins, the network-based intrusion detection systems (NIDS).
• The ability to verify success or failure of an attack quickly. Because they log continuing events that have actually occurred, HIDS have information that is more accurate and less prone to false positives than the NIDS.
• This information can accurately and quickly infer whether an attack was successful or not, and a response can be started early.
Advantages of HIDS
• Low-level monitoring.
• Because HIDS monitor at a local host, they are able to "see" low-level local activities such as
– file accesses,
– changes to file permissions,
– attempts to install new executables,
– attempts to access privileged services,
– changes to key system files and executables,
– attempts to overwrite vital system files,
– attempts to install Trojan horses or backdoors.
• These low-level activities can be detected very quickly, and the reporting is quick and timely, giving the administrator time for an appropriate response. Some of these low-level attacks are so small that no NIDS can detect them.
Advantages of HIDS
• Near real-time detection and response. HIDS have the ability to detect minute activities at the target hosts and to report them to the administrator very quickly, at a rate near real-time.
• This is possible because the operating system can recognize the event before any IDS can, in which case an intruder can be detected and stopped before substantial damage is done.
Advantages of HIDS
• The ability to deal with encrypted and switched environments.
• Large networks are routinely chopped by switches into many smaller network segments. Each one of these smaller networks is then tagged with a NIDS. In a heavily switched network, it can be difficult to determine where to deploy a network-based IDS to achieve sufficient network coverage.
• HIDS provide the needed greater visibility into these switched environments by residing on as many critical hosts as needed.
• HIDS that monitor the operating systems can deal with encryption better than NIDS.
Advantages of HIDS
• Cost effectiveness.
• No additional hardware is needed to install HIDS.
• Installing NIDS requires dedicated and expensive servers.
Disadvantages of HIDS
• Since HIDS are deployed at a host, they have a very limited view of the network.
• Since HIDS are close to users, they are more susceptible to illegal tampering.
Network-Based Intrusion Detection Systems
• NIDS are network sensors configured to monitor all network traffic, including traffic on the communication media and on all network servers and firewalls.
• They monitor the traffic on the network to detect intrusions. They are responsible for detecting anomalous, inappropriate, or other data that may be considered unauthorized and harmful occurring on a network.
Network-Based Intrusion Detection Systems
• NIDS may or may not run with firewalls.
• There are several ways an NIDS sensor may be placed and run.
• It can either be placed and run as an independent stand-alone machine where it watches over all traffic entering the network from the outside, or watch traffic entering a subnet,
• Or monitor itself as the target machine to watch over its own traffic.
Network-Based Intrusion Detection Systems
• It is possible that an attacker can evade detection by NIDS by exploiting ambiguities in the traffic stream.
• Ambiguities -
– Many NIDS do not have the capabilities to analyze the full range of behaviour that can be exposed by the user and allowed by a particular protocol.
– Since NIDS are far removed from individual hosts, they do not have full knowledge of each host's protocol implementation.
Network-Based Intrusion Detection Systems
• Anomalies -
– NIDS do not have a full picture of the network topology between the NIDS and the hosts, so the NIDS may be unable to determine whether a given packet will even be seen by the hosts.
Advantages of NIDS
• NIDS focus, placement, running, and requirements give them advantages over firewalls and host-based IDS.
• The ability to detect attacks that a host-based system would miss, because NIDS monitor network traffic at the Transport Layer.
• At this level, NIDS are able to look at not only the packet addresses but also the packet port numbers from the packet headers.
• HIDS, which monitor traffic at a lower Link Layer, may fail to detect some types of attack.
Advantages of NIDS
• Difficulty removing evidence. Because NIDS are on dedicated machines that are routinely protected, it is more difficult for an attacker to remove evidence.
• Also, since NIDS use live network traffic and it is this traffic that is captured by NIDS when there is an attack, this also makes it difficult for an attacker to remove evidence.
Advantages of NIDS
• Real-time detection and response.
• Because NIDS are at the most opportune and strategic entry points in the network, they are able to detect foreign intrusions into the network in real time and report as quickly as possible to the administrator for a quick and appropriate response.
• Real-time notification allows for a quick and appropriate response and can even let the administrators allow the intruder more time as they do more and targeted surveillance.
Advantages of NIDS
• The ability to detect unsuccessful attacks and malicious intent.
• Because the HIDS are inside the protected internal network, they never come into contact with many types of attack, since such attacks are often stopped by the outside firewall.
• NIDS, especially those in the DMZ, come across these attacks (those that escape the first firewall) that are later rejected by the inner firewall, and those targeting the DMZ services that have been let in by the outer firewall.
• Besides showing these attacks, NIDS can also record the frequency of these attacks.
Disadvantages of NIDS
• Blind spots: Deployed at the borders of an organization's network, NIDS are blind to the whole inside network. As sensors are placed in designated spots, especially in switched networks, NIDS have blind spots, sometimes whole network segments they cannot see.
• Encrypted data: One of the major weaknesses of NIDS is on encrypted data. They have no capabilities to decrypt encrypted data. They can only scan unencrypted parts of the packets such as headers.
Challenges to Intrusion Detection
• False alarms -
• Technology is not yet ready to handle a large scale attack -
• The technology, while good, is not a cure for all computer network problems -
• An example of a widely used IDS is Snort
• ACARM-ng
• Bro NIDS
Evolution of IDS
• IDS have a large amount of false positives.
• Intrusion Prevention Systems provide an improvement.
• The IPS objective is to anticipate hackers' attacks as soon as a "footprint" is known. It must not only react to an attack in progress, but also prevent the attack that begins. An IPS is put inline and examines all in/out packets, and can affect the speed of the network (bottleneck) if it is underpowered.
Intrusion Prevention Systems
• Intrusion Prevention Systems (IPS) are the latest in a line of products created to counter network attacks.
• IPS encompasses aspects of many well-known, existing security technologies, including anti-virus software, intrusion detection and firewalls.
• In the IPS model, instead of developing reactive security policies, security policy becomes a proactive tool to protect an organisation.
Intrusion Prevention Systems
• To achieve the ideal of self-protection, all attacks against any part of the protected environment would be deflected by IPS.
• Because IPS are secure, they could take any stream of network packets and make the determination of intent – whether it is an attack or legitimate use – then take appropriate action with complete perfection.
• In reality it is incredibly difficult because new attack strategies are constantly evolving. To combat new attacks, IPS must constantly update their attack library in a similar way to anti-virus scanners.
Intrusion Prevention Systems
• IPS must be deterministic in all of its decisions in order to perform its function of scrubbing traffic.
• An IPS is supposed to work all of the time, and make access control decisions on the network.
• Firewalls provided the first deterministic approach to access control on the network, providing basic IPS capability.
• IPS devices add next-generation capability to these firewalls.
How IPS work
• IPS are network devices that can accept or deny traffic based on IP addresses, protocol/service, application level analysis and verification.
• IPS receive traffic from the network, reassemble traffic streams and look at application protocols and commands to detect suspicious fields that warrant some predefined action.
• These actions vary from logging suspicious events to dropping the connection completely.
How IPS work
• An IPS inspects all layers of packet information that travel on the network (except for the physical layer), rather than only the first 4 layers traditionally inspected by a firewall.
• A six-layer inspection method, commonly called "deep packet" inspection, allows an IPS to run signatures against packets up to the application level.
• The result is a highly accurate filtering device that, unlike a NIDS, has minimal false positives.
How IPS work
• As with a typical firewall, the IPS has at least two network interfaces; one designated as internal and one as external.
• As packets appear at either interface they are passed to the detection engine, at which point the IPS device determines (as any IDS would) whether or not the packet being examined poses a threat.
• However, if it should detect a malicious packet, in addition to raising an alert, it will discard the packet and mark that flow as "bad".
• As the remaining packets that make up that particular TCP session arrive at the IPS device, they are discarded immediately.
• Legitimate packets are passed through to the second interface and on to their intended destination.
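The inline behaviour just described, as an added example (not code from the slides): packets arriving at either interface go to a detection routine; a malicious packet raises an alert, is discarded, and its TCP flow is marked bad, after which the rest of that session is dropped without further inspection while legitimate packets are forwarded. The detection rule and the sample traffic are constructed stand-ins for a real signature engine.

```python
"""Inline IPS: alert, drop and mark-flow-bad on detection, drop the rest of the flow."""
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport proto payload")

# Constructed stand-in for the signature engine: byte patterns that an
# operator has decided should never appear in an allowed request.
BAD_PATTERNS = [b"/etc/passwd", b"' OR 1=1"]


def is_malicious(pkt):
    return any(pat in pkt.payload for pat in BAD_PATTERNS)


class InlineIPS:
    def __init__(self, detect=is_malicious):
        self.detect = detect
        self.bad_flows = set()      # 5-tuples the device has marked "bad"
        self.alerts = []            # (flow key, offending payload)
        self.forwarded = []
        self.dropped = []

    @staticmethod
    def flow_key(pkt):
        # One direction of a TCP session. A production device would also
        # match the reversed tuple so the server's replies are dropped too.
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)

    def process(self, pkt):
        """Decide 'forward' or 'drop' for one packet from either interface."""
        key = self.flow_key(pkt)
        if key in self.bad_flows:
            # Remainder of a flagged session: discarded immediately, no inspection.
            self.dropped.append(pkt)
            return "drop"
        if self.detect(pkt):
            self.alerts.append((key, pkt.payload))
            if pkt.proto == "tcp":
                self.bad_flows.add(key)
            self.dropped.append(pkt)
            return "drop"
        self.forwarded.append(pkt)
        return "forward"

    def run(self, packets):
        return [self.process(p) for p in packets]


# Constructed traffic: one session turns malicious mid-way, one stays clean.
SAMPLE = [
    Packet("203.0.113.5", 40001, "198.51.100.9", 80, "tcp", b"GET /index.html"),
    Packet("203.0.113.5", 40001, "198.51.100.9", 80, "tcp", b"GET /../etc/passwd"),
    Packet("203.0.113.5", 40001, "198.51.100.9", 80, "tcp", b"GET /about.html"),
    Packet("203.0.113.8", 40002, "198.51.100.9", 80, "tcp", b"GET /index.html"),
]

if __name__ == "__main__":
    ips = InlineIPS()
    for pkt, verdict in zip(SAMPLE, ips.run(SAMPLE)):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dport} {pkt.payload!r}: {verdict}")
    print("alerts:", len(ips.alerts), "bad flows:", len(ips.bad_flows))
```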
How IPS work
• The hardware component of an IPS is based on multiple server processor technology, so the device can sit almost invisibly within a network.
• These processors process millions of instructions simultaneously each second in order to handle a much larger volume of traffic than a single processor.
• In fact, most IPS attain minimal to unnoticeable latency sitting in-line on a network, as they can analyse traffic at up to gigabit speeds.
How IPS work
• IPS devices are required to perform the following tasks in order to avoid the same issues faced by IDS:
• In-line operations: Only by operating in-line can an IPS device perform true protection, discarding all suspect packets immediately and blocking the remainder of that flow.
How IPS work
• Unquestionable detection accuracy: It is imperative that the quality of the signatures is beyond question, since false positives can lead to a DoS condition.
• The user must be able to be sure that the IPS is blocking only malicious traffic.
• New signatures should be made available on a regular basis, and applying them should be quick (applied to all sensors in one operation via a central console) and seamless (no sensor reboot required).
How IPS work
• Advanced alert handling and forensic analysis capabilities: Once the alerts have been raised at the sensor and passed to a central console, someone has to examine them, correlate where necessary, investigate, and eventually decide on an action.
• The capabilities offered by the console in terms of alert viewing (real time and historic) and reporting are the key to determining the effectiveness of the IPS.
How IPS work
• Reliability and availability: Should an in-line device fail, it has the potential to close a vital network path and cause a DoS condition. An extremely low failure rate is very important in order to maximize up-time.
• In addition, to reduce downtime for signature and protocol coverage updates, an IPS must support the ability to receive these updates without requiring a device reboot.
• When operating in-line, sensors rebooting across the enterprise effectively translate into network downtime for the duration of the reboot.
How IPS work
• High performance: Packet processing rates must be at wire speed under real-life traffic conditions.
• The device must meet the stated performance with all signatures enabled. Headroom should be built into the performance capabilities to enable the device to handle any increases in the size of signature packs that may occur over the next few years.
How IPS work
• Low latency: When a device is placed in-line, it is essential that its impact on overall network performance is minimal. Packets should be processed quickly enough that the overall latency of the device is as close as possible to that offered by a layer four device like a firewall.
• IPS support a wide range of protocols and applications, including those required to protect the network against attacks from the Internet. New applications can be allowed through an IPS without requiring changes to the user workstations.
• IPS devices are more transparent to the network.
How IPS work
• IPS should rapidly detect and stop four major types of attacks and nuisance activities that plague today's data networks:
• It should block pre-attack probes and scans to deny attackers valuable information about the network's services and potential vulnerabilities.
• It should be an essential front line of defence in mitigating DoS and distributed denial-of-service attacks.
• It should detect and block dictionary attacks, brute force attacks and attempts to access protected Web servers.
• It should be able to absolutely stop the distribution of server-to-server worms such as SQL Slammer, Code Red and Nimda.
IPS examples
• Network Associates Inc. - Entercept Standard Edition
• McAfee IntruShield Global Manager
• Citadel – Hercules
• High Tower Software – TowerView
• Argus Systems - PitBull LX
• Sana Security - Primary Response
• Symantec - Symantec Event Manager
• Sonic Wall Inc. - Sonic WALL
• Okena - StormWatch