The document discusses various network security vulnerabilities associated with TCP/IP, including packet sniffing, ARP spoofing, port scanning, IP spoofing, and denial-of-service attacks. It outlines the methods used by attackers, such as capturing sensitive information and overwhelming network resources, as well as protective measures like encryption, firewalls, and VPNs. Additionally, it covers PGP (Pretty Good Privacy) for secure email communication, detailing its mechanisms for ensuring privacy, integrity, and authentication.


Module V

Network Security and Application

Vulnerabilities in TCP/IP
“TCP/IP” refers to an entire suite of data communications protocols. The suite gets its name from two of the protocols that belong to it: the Transmission Control Protocol (TCP) and the Internet Protocol (IP).
Network Attacks
Packet sniffing:
• The act of capturing data packets across a computer network is called packet sniffing.
• It is mostly used by crackers and hackers to collect information about a network illegally. It is also used by ISPs, advertisers and governments.
• Packet sniffing is done using tools called packet sniffers. Sniffing can be either filtered or unfiltered.
• Filtered sniffing is used when only specific data packets have to be captured; unfiltered sniffing is used when all packets have to be captured.
• Wireshark and SmartSniff are examples of packet-sniffing tools.
Common Attacks
• Capturing sensitive information
• Analysing communication patterns
• Learning about the network infrastructure
Protection
• Encrypting data you send or receive.
• Using trusted Wi-Fi networks.
• Scanning your network for dangers or issues.
ARP Spoofing
• Spoofing is a type of attack in which hackers gain access to the victim’s system by gaining the trust of the victim (target user) in order to spread malicious code and steal data such as passwords and PINs stored on the system.
• ARP (Address Resolution Protocol) is a communication protocol, one of the important network layer protocols in the OSI model, used to determine a device’s Media Access Control (MAC) address from its Internet Protocol (IP) address in order to communicate with other devices on the network.
• ARP spoofing is a cyber attack that allows hackers to intercept communications between devices on a network.
• Hackers can also use ARP spoofing to alter or block all traffic between devices on the network.
• The attacker maliciously provides the MAC address of his own device so that a wrong mapping of the target IP address to the target MAC address is created.
• Once the attacker’s MAC address is linked to the target IP address, the attacker begins receiving any data that is intended for that IP address.
• ARP spoofing can enable malicious parties to intercept, modify or even stop data in transit.
• ARP spoofing attacks can only occur on local area networks that use ARP.
Types of ARP Spoofing
• Man-in-the-Middle: hackers use ARP spoofing to intercept communications between devices on a network and steal the information transmitted between them. Sometimes hackers also use a man-in-the-middle position to modify traffic between network devices.
• Session hijacking: with the help of ARP spoofing, hackers are able to easily extract the session ID or gain unauthorized access to the victim’s private systems and data.
• Denial-of-service attacks: a type of attack in which one or more victims are denied access to the network. With the help of ARP spoofing, a single target victim’s MAC address is linked with multiple IP addresses. All traffic for those addresses is then shifted toward the target victim’s MAC address, overloading the target victim’s network with traffic.
Protection
• Cryptographic Network Protocols: with the help of encrypted communication protocols like Transport Layer Security (TLS), HTTP Secure (HTTPS) and Secure Shell (SSH), we are able to reduce the chance of an ARP spoofing attack.
• Packet Filtering: with the help of packet filters, we can protect the network from maliciously transmitted packets as well as suspicious IP addresses.
• Virtual Private Network: the most useful preventive measure against ARP spoofing attacks is to use a VPN (Virtual Private Network).
• ARP Spoofing Detection Software: ARP spoofing detection software makes it easier to detect ARP spoofing attacks, as it inspects and certifies data before it is transmitted.
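An added example, not part of the slides, of what the detection software in the last bullet does at its core: it learns the IP-to-MAC table from observed ARP replies and raises an alert when an IP is suddenly answered by a different MAC, or when one MAC claims more addresses than the assumed limit (the ARP-based denial-of-service pattern above). The capture format ("ip mac" per line) and the trace are constructed for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// ArpReply is one observed ARP reply ("IP is-at MAC") seen on the LAN.
type ArpReply struct {
	IP  string
	MAC string
}

// Alert describes a suspicious change in the learned IP-to-MAC table.
type Alert struct {
	Kind string // "ip-remapped" or "mac-claims-many-ips"
	IP   string
	MAC  string
}

// Detector keeps the learned IP->MAC table and a reverse MAC->IPs view.
type Detector struct {
	ipToMAC  map[string]string
	macToIPs map[string]map[string]bool
	maxIPs   int // how many IPs one MAC may legitimately answer for (assumed)
}

func NewDetector(maxIPs int) *Detector {
	return &Detector{
		ipToMAC:  make(map[string]string),
		macToIPs: make(map[string]map[string]bool),
		maxIPs:   maxIPs,
	}
}

// Observe feeds one ARP reply and returns any alerts it raises.
func (d *Detector) Observe(r ArpReply) []Alert {
	var alerts []Alert
	mac := strings.ToLower(r.MAC)
	if old, ok := d.ipToMAC[r.IP]; ok && old != mac {
		// The same IP is now answered by a different MAC: the classic spoofing sign.
		alerts = append(alerts, Alert{Kind: "ip-remapped", IP: r.IP, MAC: mac})
	}
	d.ipToMAC[r.IP] = mac
	if d.macToIPs[mac] == nil {
		d.macToIPs[mac] = make(map[string]bool)
	}
	d.macToIPs[mac][r.IP] = true
	if len(d.macToIPs[mac]) > d.maxIPs {
		// One MAC claiming many IPs matches the ARP-based DoS described above.
		alerts = append(alerts, Alert{Kind: "mac-claims-many-ips", IP: r.IP, MAC: mac})
	}
	return alerts
}

// ParseReply parses a constructed capture line "ip mac".
func ParseReply(line string) (ArpReply, bool) {
	f := strings.Fields(line)
	if len(f) != 2 {
		return ArpReply{}, false
	}
	return ArpReply{IP: f[0], MAC: f[1]}, true
}

// RunTrace feeds a whole capture through a fresh detector and returns all alerts.
func RunTrace(trace []string, maxIPs int) []Alert {
	d := NewDetector(maxIPs)
	var all []Alert
	for _, line := range trace {
		if r, ok := ParseReply(line); ok {
			all = append(all, d.Observe(r)...)
		}
	}
	return all
}

// SampleTrace is a constructed capture: the gateway 192.168.1.1 is legitimately
// at ...:01, then a second host (...:99) starts answering for the gateway and
// for other addresses as well.
var SampleTrace = []string{
	"192.168.1.1 aa:bb:cc:dd:ee:01",
	"192.168.1.10 aa:bb:cc:dd:ee:10",
	"192.168.1.1 aa:bb:cc:dd:ee:99",
	"192.168.1.10 aa:bb:cc:dd:ee:99",
	"192.168.1.11 aa:bb:cc:dd:ee:99",
}

func main() {
	for _, a := range RunTrace(SampleTrace, 2) {
		fmt.Printf("ALERT %-20s ip=%s mac=%s\n", a.Kind, a.IP, a.MAC)
	}
}
```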
Port Scanning
• A port is a point on a computer where information exchange between programs and the internet, or between devices and other computers, takes place.
• Port numbers range from 0 through 65,535 and are ranked in terms of popularity. Ports numbered 0 to 1,023 are called “well-known” ports, typically reserved for internet usage.
• Port 20 (UDP): File Transfer Protocol (FTP), used for transferring data
• Port 22 (TCP): Secure Shell (SSH) protocol, used for FTP, port forwarding and secure logins
• Port 23 (TCP): The Telnet protocol, used for unencrypted communication
• Port 53 (UDP): The Domain Name System (DNS), which translates internet domain names into machine-readable IP addresses
• Port 80 (TCP): The World Wide Web Hypertext Transfer Protocol (HTTP)
Port Scan
• A port scan is a common technique hackers use to discover open doors or weak points in a network.
• A port scan attack helps cyber criminals find open ports and figure out whether they are receiving or sending data.
• It can also reveal whether active security devices like firewalls are being used by an organization.
Different Types of Port Checker or Scanner
• Ping scans: a ping is used to check whether a network data packet can reach an IP address without any issues. Ping scans involve automated transmission of several ICMP requests to various servers.
• Half-open or SYN scans: attackers can check the state of a port without creating a full connection by using a half-open scan, often known as a SYN scan. This kind of scan only transmits a SYN message and does not complete a connection with the recipient.
• XMAS scans: XMAS scans send a number of packets to a port to check if it is open. If the port is closed, the scanner gets a response. If it does not get a response, that means the port is open and can be used to access the network.
Protection
• A strong firewall: a firewall can prevent unauthorized access to a business’s private network. It controls ports and their visibility, and detects when a port scan is in progress before shutting it down.
• TCP wrappers: these give administrators the flexibility to permit or deny access to servers based on IP addresses and domain names.
• Monitor the network using network monitoring tools, IDS, etc.
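An added example, not from the slides, of how a firewall or IDS can notice a half-open scan in progress: a source that sends bare SYNs to many distinct ports but completes almost none of the handshakes stands out from a normal client, which finishes what it opens. The log format ("src dport flags") and the sample capture are constructed for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Packet is one TCP segment as a firewall or IDS would log it.
type Packet struct {
	Src   string
	DPort string
	Flags string // "S" = SYN, "A" = ACK (third handshake step)
}

// sourceState records, per source, the ports probed with a bare SYN and
// which of those the source later completed with an ACK.
type sourceState struct {
	synPorts map[string]bool
	ackPorts map[string]bool
}

// ScanVerdict is the result for one source address.
type ScanVerdict struct {
	Src       string
	Probed    int  // distinct destination ports that received a SYN
	Completed int  // of those, how many handshakes the source finished
	HalfOpen  bool // true when this looks like a SYN (half-open) scan
}

// ParsePacket parses a constructed log line "src dport flags".
func ParsePacket(line string) (Packet, bool) {
	f := strings.Fields(line)
	if len(f) != 3 {
		return Packet{}, false
	}
	return Packet{Src: f[0], DPort: f[1], Flags: f[2]}, true
}

// DetectSynScans flags sources that sent SYNs to at least minPorts distinct
// ports while completing fewer than half of those handshakes. A normal client
// completes what it opens; a half-open scanner completes almost nothing.
func DetectSynScans(lines []string, minPorts int) []ScanVerdict {
	states := map[string]*sourceState{}
	var order []string // first-seen order, for stable output
	for _, line := range lines {
		p, ok := ParsePacket(line)
		if !ok {
			continue
		}
		st := states[p.Src]
		if st == nil {
			st = &sourceState{synPorts: map[string]bool{}, ackPorts: map[string]bool{}}
			states[p.Src] = st
			order = append(order, p.Src)
		}
		switch p.Flags {
		case "S":
			st.synPorts[p.DPort] = true
		case "A":
			if st.synPorts[p.DPort] {
				st.ackPorts[p.DPort] = true
			}
		}
	}
	var out []ScanVerdict
	for _, src := range order {
		st := states[src]
		v := ScanVerdict{Src: src, Probed: len(st.synPorts), Completed: len(st.ackPorts)}
		v.HalfOpen = v.Probed >= minPorts && v.Completed*2 < v.Probed
		out = append(out, v)
	}
	return out
}

// SampleLog is a constructed capture: 10.0.0.5 is a normal client opening two
// connections; 10.0.0.66 sends bare SYNs to six ports and completes none.
var SampleLog = []string{
	"10.0.0.5 80 S", "10.0.0.5 80 A",
	"10.0.0.5 443 S", "10.0.0.5 443 A",
	"10.0.0.66 21 S", "10.0.0.66 22 S", "10.0.0.66 23 S",
	"10.0.0.66 25 S", "10.0.0.66 80 S", "10.0.0.66 443 S",
}

func main() {
	for _, v := range DetectSynScans(SampleLog, 5) {
		fmt.Printf("%-10s probed=%d completed=%d half-open-scan=%v\n", v.Src, v.Probed, v.Completed, v.HalfOpen)
	}
}
```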
IP Spoofing
• Spoofing is a specific type of cyber-attack in which someone attempts to use a computer, device, or network to trick other computer networks by masquerading as a legitimate entity.
• It's one of many tools that hackers use to gain access to computers to mine them for sensitive data, turn them into zombies (computers taken over for malicious use), or launch Denial-of-Service (DoS) attacks. Of the different types of spoofing, IP spoofing is the most common.
• IP spoofing, or IP address spoofing, refers to the creation of Internet Protocol (IP) packets with a false source IP address to impersonate another computer system.
• A hacker uses tools to modify the source address in the packet header to make the receiving computer system think the packet is from a trusted source, such as another computer on a legitimate network, and accept it. This occurs at the network level, so there are no external signs of tampering.
• IP spoofing allows cybercriminals to carry out malicious actions, often without detection. This might include stealing your data, infecting your device with malware, or crashing a server.
Protection
• Deploying packet filtering to detect inconsistencies (such as outgoing packets with source IP addresses that don't match those on the organization's network).
• Using robust verification methods (even among networked computers).
• Authenticating all IP addresses and using a network attack blocker.
• Placing at least a portion of computing resources behind a firewall. A firewall will help protect your network by filtering traffic with spoofed IP addresses, verifying traffic, and blocking access by unauthorized outsiders.
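An added example, not from the slides, of the packet-filtering check in the first protection bullet, written for a border router: outbound packets must carry a source address from the organization's own prefixes (egress filtering), and inbound packets must not claim one (ingress filtering). The organization prefixes and test addresses are constructed documentation ranges.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Direction of a packet relative to the organization's border router.
type Direction int

const (
	Outbound Direction = iota // leaving the organization toward the Internet
	Inbound                   // arriving from the Internet
)

// SpoofFilter holds the prefixes that legitimately belong to the organization.
type SpoofFilter struct {
	internal []netip.Prefix
}

// NewSpoofFilter parses the organization's CIDR prefixes (assumed known to the router).
func NewSpoofFilter(cidrs ...string) (*SpoofFilter, error) {
	f := &SpoofFilter{}
	for _, c := range cidrs {
		p, err := netip.ParsePrefix(c)
		if err != nil {
			return nil, err
		}
		f.internal = append(f.internal, p)
	}
	return f, nil
}

func (f *SpoofFilter) isInternal(a netip.Addr) bool {
	for _, p := range f.internal {
		if p.Contains(a) {
			return true
		}
	}
	return false
}

// Check returns whether the packet's source address is consistent with the
// direction it was seen in, plus a reason when it is dropped.
func (f *SpoofFilter) Check(dir Direction, src string) (bool, string) {
	a, err := netip.ParseAddr(src)
	if err != nil {
		return false, "unparseable source address"
	}
	internal := f.isInternal(a)
	switch {
	case dir == Outbound && !internal:
		return false, "egress: source is not an organization address"
	case dir == Inbound && internal:
		return false, "ingress: outside packet claims an internal source"
	case a.IsLoopback() || a.IsUnspecified():
		return false, "source is a loopback or unspecified address"
	}
	return true, ""
}

func main() {
	f, err := NewSpoofFilter("192.0.2.0/24", "2001:db8::/32") // constructed org prefixes
	if err != nil {
		panic(err)
	}
	cases := []struct {
		dir Direction
		src string
	}{
		{Outbound, "192.0.2.10"},  // normal outbound traffic
		{Outbound, "203.0.113.7"}, // inside host sending a spoofed outside source
		{Inbound, "198.51.100.9"}, // normal inbound traffic
		{Inbound, "192.0.2.10"},   // outsider pretending to be an internal host
	}
	for _, c := range cases {
		ok, why := f.Check(c.dir, c.src)
		fmt.Printf("dir=%d src=%-14s allow=%-5v %s\n", c.dir, c.src, ok, why)
	}
}
```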
Denial of Service
DoS attacks:
• A denial-of-service (DoS) attack occurs when legitimate users are unable to access information systems, devices, or other network resources due to the actions of a malicious cyber threat actor.
• Services affected may include email, websites, online accounts (e.g., banking), or other services that rely on the affected computer or network.
• A denial-of-service condition is accomplished by flooding the targeted host or network with traffic until the target cannot respond or simply crashes, preventing access for legitimate users.
• DoS attacks can cost an organization both time and money while their resources and services are inaccessible.
• For example, the GitHub attack: in 2018, GitHub, a popular platform for software developers, experienced a DoS attack that momentarily disrupted its service.
DoS attacks can be classified into several types based on the techniques used. Here are four of the most common ones:
• Volume-Based Attacks: the aim here is to saturate the bandwidth of the targeted site. Examples include ICMP floods and UDP floods.
• Protocol Attacks: these attacks focus on exploiting vulnerabilities in the target's resources, like servers or load balancers. Examples include SYN floods and Ping of Death.
• Application Layer Attacks: these attacks target specific aspects of an application or service. HTTP floods are a common example.
• Advanced Persistent DoS (APDoS): this is a more advanced form of DoS, where the attacker uses multiple attacking systems and different attack vectors.
Types of DoS Attacks: ICMP flood
A ping (Packet Internet or Inter-Network Groper) flood, also known as an ICMP flood, is a denial-of-service attack in which the attacker attempts to overwhelm a targeted device with ICMP echo-request packets, causing the target to become inaccessible to normal traffic. When the attack traffic comes from multiple devices, the attack becomes a DDoS or distributed denial-of-service attack.
Types of DoS Attacks: SYN flood
A SYN flood is a form of denial-of-service attack on data communications in which an attacker rapidly initiates connections to a server without finalizing them. By repeatedly sending initial connection request (SYN) packets, the attacker is able to overwhelm all available ports on a targeted server machine, causing the targeted device to respond to legitimate traffic sluggishly or not at all.
Types of DoS Attacks: UDP flood
A UDP flood is a type of denial-of-service attack in which a large number of User Datagram Protocol (UDP) packets are sent to a targeted server with the aim of overwhelming that device’s ability to process and respond. The firewall protecting the targeted server can also become exhausted as a result of UDP flooding, resulting in a denial-of-service to legitimate traffic.
DDoS
• Distributed Denial of Service (DDoS) is a type of DoS attack where multiple systems, which are trojan infected, target a particular system, causing a DoS condition.
• A DDoS attack uses multiple servers and Internet connections to flood the targeted resource.
• A DDoS attack is one of the most powerful weapons on the cyber platform.
• When a website is brought down, it generally means it has become a victim of a DDoS attack.
• This means that the hackers have attacked the website or PC by imposing heavy traffic, crashing the website or computer through overloading.
• In 2016, Dyn was hit with a massive DDoS attack that took down major websites and services such as Netflix, PayPal, Amazon, and GitHub.
• A botnet refers to a group of computers which have been infected by an attacker and are under his complete control.
• The hacker starts to build the botnet by exploiting a vulnerability in a computer, called the DDoS master, to infect it with malware.
• The DDoS master then starts to spread the malware, infecting other vulnerable devices to make them join the botnet. The devices in the botnet are often called zombies or bots.
• Each infected device spreads the malware further, gathering more and more devices into the botnet.
• The number of devices in a botnet can be extremely high with no known upper limit. Once the attacker is ready to launch the attack, the amount of attack traffic from the botnet has been known to exceed 1 Tbps.
Types
• HTTP flood: an HTTP flood attack is a type of volumetric distributed denial-of-service (DDoS) attack designed to overwhelm a targeted server with HTTP requests. Once the target has been saturated with requests and is unable to respond to normal traffic, denial-of-service will occur for additional requests from actual users.
• Ping (ICMP) flood: the target machine is sent so many ping requests that it is overwhelmed and fails to respond.
• Ping of death attack: a Ping of Death (PoD) attack is a denial-of-service (DoS) attack in which the attacker aims to disrupt a targeted machine by sending a packet larger than the maximum allowable size, causing the target machine to freeze or crash. The original ping of death attack is less common today. A related attack known as an ICMP flood attack is more prevalent.
• Smurf attack: a Smurf attack is a distributed denial-of-service (DDoS) attack in which an attacker attempts to flood a targeted server with Internet Control Message Protocol (ICMP) packets. By making requests with the spoofed IP address of the targeted device to one or more computer networks, the computer networks then respond to the targeted server, amplifying the initial attack traffic and potentially overwhelming the target, rendering it inaccessible. This attack vector is generally considered a solved vulnerability and is no longer prevalent.
• DNS Amplification: a DNS server resolves domain names to IP addresses; the attacker crafts a DNS request (with the target’s IP address as the source) such that the DNS server responds with a large amount of data and crashes the target.
• SYN Flood: the attacker sends multiple SYN packets until the resources on the target are totally consumed and the target can no longer receive any further SYN packets.
Preventing DDoS Attacks
• Take quick action
• Configure firewalls and routers
• Consider artificial intelligence
• Secure your Internet of Things devices
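An added example, not from the slides, for the SYN flood described in the two SYN flood passages above and the "configure firewalls and routers" advice: the server-side symptom of a SYN flood is a growing backlog of half-open connections (SYN received, final ACK never arrives). Because flood sources are spoofed, the detector judges the backlog as a whole rather than counting per source. The event format ("t src flag") and the capture are constructed for this example.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Event is one handshake step seen by the server: arrival time in seconds,
// client address, and whether it was the client's SYN or its final ACK.
type Event struct {
	T    float64
	Src  string
	Flag string // "S" = SYN, "A" = handshake-completing ACK
}

// ParseEvent parses a constructed line "t src flag".
func ParseEvent(line string) (Event, bool) {
	f := strings.Fields(line)
	if len(f) != 3 {
		return Event{}, false
	}
	t, err := strconv.ParseFloat(f[0], 64)
	if err != nil {
		return Event{}, false
	}
	return Event{T: t, Src: f[1], Flag: f[2]}, true
}

// FloodAlert records the first moment the half-open backlog exceeded the limit.
type FloodAlert struct {
	At       float64
	HalfOpen int
}

// DetectSynFlood replays the events in time order and tracks connections that
// got a SYN but no ACK within `timeout` seconds. Flood sources are usually
// spoofed, so it judges the backlog as a whole rather than per source, which
// is also why per-source rate limits alone do not stop a SYN flood.
func DetectSynFlood(lines []string, timeout float64, maxBacklog int) (FloodAlert, bool) {
	var evs []Event
	for _, l := range lines {
		if e, ok := ParseEvent(l); ok {
			evs = append(evs, e)
		}
	}
	sort.Slice(evs, func(i, j int) bool { return evs[i].T < evs[j].T })
	pending := map[string]float64{} // src -> time of its unanswered SYN
	for _, e := range evs {
		for src, t0 := range pending { // give up on stale half-open entries
			if e.T-t0 > timeout {
				delete(pending, src)
			}
		}
		switch e.Flag {
		case "S":
			pending[e.Src] = e.T
		case "A":
			delete(pending, e.Src) // handshake finished: no longer half-open
		}
		if len(pending) > maxBacklog {
			return FloodAlert{At: e.T, HalfOpen: len(pending)}, true
		}
	}
	return FloodAlert{}, false
}

// SampleCapture is a constructed trace: two clients that complete their
// handshakes and, when flood is true, 8 SYNs from distinct spoofed sources
// that never send the final ACK.
func SampleCapture(flood bool) []string {
	lines := []string{"0.0 10.1.1.5 S", "0.1 10.1.1.5 A", "0.2 10.1.1.6 S", "0.3 10.1.1.6 A"}
	if flood {
		for i := 0; i < 8; i++ {
			lines = append(lines, fmt.Sprintf("%.2f 203.0.113.%d S", 1.0+float64(i)/100, i+1))
		}
	}
	return lines
}

func main() {
	for _, flood := range []bool{false, true} {
		a, hit := DetectSynFlood(SampleCapture(flood), 3.0, 5)
		fmt.Printf("flood=%v -> alert=%v %+v\n", flood, hit, a)
	}
}
```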
PGP (Pretty Good Privacy)
• PGP stands for Pretty Good Privacy; it was invented by Phil Zimmermann.
• PGP was designed to provide all four aspects of security, i.e., privacy, integrity, authentication, and non-repudiation, in the sending of email.
• PGP uses a digital signature (a combination of hashing and public key encryption) to provide integrity, authentication, and non-repudiation.
• PGP uses a combination of secret key encryption and public key encryption to provide privacy. Therefore, we can say that the digital signature uses one hash function, one secret key, and two private-public key pairs.
• PGP is an open source and freely available software package for email security.
• PGP provides authentication through the use of digital signatures.
• It provides confidentiality through the use of symmetric block encryption.
• It provides compression by using the ZIP algorithm, and email compatibility using the radix-64 encoding scheme.
Following are the steps taken by PGP to create secure e-mail at the sender site:
• The e-mail message is hashed by using a hashing function to create a digest.
• The digest is then encrypted with the sender's private key to form a signed digest, and the signed digest is added to the original email message.
• The original message and signed digest are encrypted by using a one-time secret key created by the sender.
• The secret key is encrypted by using the receiver's public key.
• Both the encrypted secret key and the encrypted combination of message and digest are sent together.
Following are the steps taken at the receiver site:
• The receiver receives the combination of the encrypted secret key and the encrypted message and digest.
• The encrypted secret key is decrypted by using the receiver's private key to get the one-time secret key.
• The secret key is then used to decrypt the combination of message and digest.
• The digest is decrypted by using the sender's public key, and the original message is hashed by using a hash function to create a digest.
• Both digests are compared; if they are equal, it means that all the aspects of security are preserved.
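An added example, not part of the slides or of any PGP implementation, that carries the sender and receiver steps above through in code with Go's standard library: SHA-256 for the digest, an RSA signature over the digest, a fresh AES-256 key as the one-time secret key, and RSA-OAEP to wrap that key for the receiver. The keys are freshly generated stand-ins for what would come from the key rings, and the message is constructed.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what travels: the wrapped one-time key, the IV and the
// ciphertext of (signed digest || message).
type Envelope struct {
	WrappedKey []byte
	IV         []byte
	Ciphertext []byte
}

// ctr encrypts or decrypts with AES-CTR. As in the PGP flow above, integrity
// comes from the signature, not the cipher (modern OpenPGP adds its own too).
func ctr(key, iv, in []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out, nil
}

// Seal is the sender side: hash, sign the digest with the sender's private key,
// encrypt signature||message with a fresh one-time key, and wrap that key with
// the receiver's public key.
func Seal(msg []byte, sender *rsa.PrivateKey, receiver *rsa.PublicKey) (*Envelope, error) {
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPKCS1v15(rand.Reader, sender, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	rnd := make([]byte, 32+aes.BlockSize) // one-time AES-256 key plus IV
	if _, err := rand.Read(rnd); err != nil {
		return nil, err
	}
	sessionKey, iv := rnd[:32], rnd[32:]
	ct, err := ctr(sessionKey, iv, append(sig, msg...))
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, receiver, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, IV: iv, Ciphertext: ct}, nil
}

// Open is the receiver side: unwrap the one-time key, decrypt, split off the
// signature, re-hash the message and compare via signature verification.
func Open(env *Envelope, receiver *rsa.PrivateKey, sender *rsa.PublicKey) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, receiver, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap session key (wrong receiver key?)")
	}
	plain, err := ctr(sessionKey, env.IV, env.Ciphertext)
	if err != nil {
		return nil, err
	}
	n := sender.Size() // a PKCS#1 v1.5 signature is exactly one modulus long
	if len(plain) < n {
		return nil, errors.New("malformed plaintext")
	}
	sig, msg := plain[:n], plain[n:]
	digest := sha256.Sum256(msg) // receiver's own digest of the recovered message
	if err := rsa.VerifyPKCS1v15(sender, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("digest mismatch: integrity or authentication failed")
	}
	return msg, nil
}

// MustKey makes a constructed 2048-bit RSA key pair; real keys live in the key rings.
func MustKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

func main() {
	sender, receiver := MustKey(), MustKey()
	env, err := Seal([]byte("Meeting moved to 10:00. -- Alice"), sender, &receiver.PublicKey)
	if err != nil {
		panic(err)
	}
	got, err := Open(env, receiver, &sender.PublicKey)
	fmt.Printf("recovered: %q (err=%v)\n", got, err)
	env.Ciphertext[len(env.Ciphertext)-1] ^= 0x01 // one bit changed in transit
	_, err = Open(env, receiver, &sender.PublicKey)
	fmt.Println("tampered copy:", err)
}
```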
Key Rings:
• Keys are stored in encrypted form.
• PGP stores the keys in two files on the hard disk; one for public keys and one for private keys.
• These files are called keyrings. As we use PGP, we will typically add the public keys of recipients to the public keyring.
• Private keys are stored on the private keyring. If we lose our private keyring, we will be unable to decrypt any information encrypted to keys on that ring.
Disadvantages of PGP Encryption
• Administration is difficult
• Compatibility issues
• Complexity
• No recovery
Secure Socket Layer Architecture (SSL)
• SSL, or Secure Sockets Layer, is an encryption-based Internet security protocol.
• It was first developed by Netscape in 1995 for the purpose of ensuring privacy, authentication, and data integrity in Internet communications.
• The current version, 3.0, was released by Netscape in 1999.
• SSL is the predecessor to the modern TLS encryption used today.
• A website that implements SSL/TLS has "HTTPS" in its URL instead of "HTTP."
Secure Socket Layer Protocols:
• SSL record protocol
• Handshake protocol
• Change-cipher spec protocol
• Alert protocol
Working
• In order to provide a high degree of privacy, SSL encrypts data that is transmitted across the web.
• SSL initiates an authentication process called a handshake between two communicating devices to ensure that both devices are really who they claim to be.
• SSL also digitally signs data in order to provide data integrity, verifying that the data is not tampered with before reaching its intended recipient.
• There have been several iterations of SSL, each more secure than the last.
• In 1999 SSL was updated to become TLS.
SSL Protocol Stack:
SSL Record Protocol:
• The SSL Record Protocol provides two services to an SSL connection: confidentiality and message integrity.
• In the SSL Record Protocol, application data is divided into fragments.
• Each fragment is compressed, and then a MAC (Message Authentication Code), generated by algorithms like SHA (Secure Hash Algorithm) and MD5 (Message Digest), is appended.
• After that, the data is encrypted, and finally the SSL header is appended to the data.
Handshake Protocol:
The Handshake Protocol is used to establish sessions. This protocol allows the client and server to authenticate each other by sending a series of messages to each other. The Handshake Protocol uses four phases to complete its cycle.
• Phase-1: in Phase-1 both client and server send hello packets to each other. In this phase the IP session, cipher suite and protocol version are exchanged for security purposes.
• Phase-2: the server sends its certificate and Server-key-exchange. The server ends Phase-2 by sending the Server-hello-end packet.
• Phase-3: in this phase, the client replies to the server by sending its certificate and Client-exchange-key.
• Phase-4: in Phase-4 the Change-cipher-suite exchange occurs, and after this the Handshake Protocol ends.
Change-cipher Protocol:
• This protocol uses the SSL record protocol. Until the Handshake Protocol is completed, the SSL record output will be in a pending state.
• After the handshake protocol, the pending state is converted into the current state.
• The Change-cipher protocol consists of a single message which is 1 byte in length and can have only one value.
• This protocol’s purpose is to cause the pending state to be copied into the current state.
Alert Protocol
This protocol sends errors, problems or warnings about the connection between the two parties. This layer is formed with two fields: Severity Level and Alert Description.
Severity Level:
• The severity level sends a message with a ‘1’ or ‘2’ value, depending on the level of concern.
• A message with a value of ‘1’ is a cautionary or warning message, suggesting that the parties discontinue their session and reconnect using a new handshake.
• A message with a value of ‘2’ is a fatal alert message, and requires that the parties discontinue their session.
Alert Description:
• The Alert Description field indicates the specific error that caused the Alert message to be sent by a party.
• This field is one byte, mapped to one of twelve specific numbers, and can take on one of the following meanings.
• Those descriptions that always follow a fatal alert message (level = ‘2’): Handshake failure, Decompression failure, Illegal parameters, Bad record MAC, Unexpected message.
• Warning messages (level = ‘1’): Bad certificate, No certificate, Certificate expired, Certificate unknown, Close notify, Certificate revoked, Unsupported certificate.
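An added example, not from the slides, that parses the record layer and enforces the change-cipher-spec and alert rules stated above: a change-cipher-spec record must carry the single one-byte value, an alert is exactly two bytes (level 1 or 2, then description), and the five fatal-only descriptions are rejected at warning level. The description code numbers are those of the SSL 3.0 specification; the byte stream is constructed.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Record content types carried by the SSL record protocol.
const (
	ContentChangeCipherSpec byte = 20
	ContentAlert            byte = 21
)

// The twelve alert descriptions listed above, with their SSL 3.0 code numbers.
var alertNames = map[byte]string{
	0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
	30: "decompression_failure", 40: "handshake_failure", 41: "no_certificate",
	42: "bad_certificate", 43: "unsupported_certificate", 44: "certificate_revoked",
	45: "certificate_expired", 46: "certificate_unknown", 47: "illegal_parameter",
}

// alwaysFatal marks the descriptions that must always accompany level 2.
var alwaysFatal = map[byte]bool{10: true, 20: true, 30: true, 40: true, 47: true}

// Record is one SSL record: 1-byte type, 2-byte version, 2-byte length, body.
type Record struct {
	ContentType byte
	Version     uint16
	Body        []byte
}

// ParseRecord splits one record off the front of buf and returns the rest.
func ParseRecord(buf []byte) (Record, []byte, error) {
	if len(buf) < 5 {
		return Record{}, buf, errors.New("short record header")
	}
	n := int(binary.BigEndian.Uint16(buf[3:5]))
	if len(buf) < 5+n {
		return Record{}, buf, errors.New("truncated record body")
	}
	r := Record{ContentType: buf[0], Version: binary.BigEndian.Uint16(buf[1:3]), Body: buf[5 : 5+n]}
	return r, buf[5+n:], nil
}

// Describe checks a record body against the change-cipher-spec and alert
// rules given above and returns a one-line summary or an error.
func Describe(r Record) (string, error) {
	switch r.ContentType {
	case ContentChangeCipherSpec: // a single one-byte message; the only legal value is 1
		if len(r.Body) != 1 || r.Body[0] != 1 {
			return "", errors.New("change_cipher_spec must be the single byte 0x01")
		}
		return "change_cipher_spec: copy pending state to current state", nil
	case ContentAlert:
		if len(r.Body) != 2 {
			return "", errors.New("alert must be exactly 2 bytes: level, description")
		}
		level, desc := r.Body[0], r.Body[1]
		name, known := alertNames[desc]
		if !known {
			return "", fmt.Errorf("unknown alert description %d", desc)
		}
		switch {
		case level == 2: // fatal: the session ends
			return "fatal alert " + name + ": terminate session", nil
		case level != 1:
			return "", fmt.Errorf("invalid alert level %d", level)
		case alwaysFatal[desc]:
			return "", errors.New("alert " + name + " is only valid at fatal level")
		}
		return "warning alert " + name + ": session may be renegotiated", nil
	}
	return fmt.Sprintf("content type %d: %d bytes, not inspected here", r.ContentType, len(r.Body)), nil
}

// Summaries parses a whole stream; a record that breaks the rules yields an
// "ERROR: ..." line instead of being silently skipped.
func Summaries(stream []byte) []string {
	var out []string
	for len(stream) > 0 {
		r, rest, err := ParseRecord(stream)
		if err != nil {
			return append(out, "ERROR: "+err.Error())
		}
		s, err := Describe(r)
		if err != nil {
			s = "ERROR: " + err.Error()
		}
		out, stream = append(out, s), rest
	}
	return out
}

// SampleStream is a constructed byte stream (version bytes 3,0 = SSL 3.0):
// change_cipher_spec, a warning close_notify, a fatal handshake_failure, and
// a malformed alert that sends handshake_failure at warning level.
var SampleStream = []byte{
	20, 3, 0, 0, 1, 1,
	21, 3, 0, 0, 2, 1, 0,
	21, 3, 0, 0, 2, 2, 40,
	21, 3, 0, 0, 2, 1, 40,
}

func main() {
	for _, s := range Summaries(SampleStream) {
		fmt.Println(s)
	}
}
```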
IPsec (Internet Protocol Security)
• Internet Protocol Security is a suite of protocols and algorithms for securing data transmitted over the internet or any public network.
• The Internet Engineering Task Force, or IETF, developed the IPsec protocols in the mid-1990s to provide security at the IP layer through authentication and encryption of IP network packets.
• IP-level security encompasses three functional areas: authentication, confidentiality, and key management.
• The IP security capabilities were designed to be used with both the current IPv4 and the future IPv6 protocols.
• IPsec helps keep data sent over public networks secure. It is often used to set up VPNs, and it works by encrypting IP packets, along with authenticating the source the packets come from.
• Within the term "IPsec," "IP" stands for "Internet Protocol" and "sec" for "secure." The Internet Protocol is the main routing protocol used on the Internet; it designates where data will go using IP addresses.
• IPsec is secure because it adds encryption and authentication to this process.
• Networking protocol suites like TCP/IP are only concerned with connection and delivery, and messages sent are not concealed.
• Anyone in the middle can read them. IPsec, and other protocols that encrypt data, essentially put an envelope around data as it traverses networks, keeping it secure.
• The IPsec networking device will typically encrypt and compress all traffic going into the WAN, and decrypt and decompress traffic coming from the WAN; these operations are transparent to workstations and servers on the LAN.
Components of IP Security
Encapsulating Security Payload (ESP):
• It provides data integrity, encryption, authentication, and anti-replay. It also provides authentication for the payload.
Authentication Header (AH):
• It also provides data integrity, authentication, and anti-replay, but it does not provide encryption.
• The anti-replay protection protects against the unauthorized retransmission of packets. It does not protect data confidentiality.
Internet Key Exchange (IKE):
• It is a network security protocol designed to dynamically exchange encryption keys and negotiate a Security Association (SA) between two devices.
• Internet Key Exchange (IKE) provides message content protection and also an open framework for implementing standard algorithms such as SHA and MD5.
• IPsec's algorithms produce a unique identifier for each packet. This identifier then allows a device to determine whether a packet is authentic or not. Packets that are not authorized are discarded and not given to the receiver.
IP Security Architecture
• Two protocols secure the traffic or data flow. These protocols are ESP (Encapsulating Security Payload) and AH (Authentication Header).
Authentication Header
The Authentication Header consists of the following fields:
• Next Header (8 bits): identifies the type of header immediately following this header.
• Payload Length: length of the Authentication Header in 32-bit words, minus 2.
• Reserved (16 bits): for future use.
• Security Parameters Index (32 bits): an arbitrary 32-bit value that, in combination with the destination IP address and security protocol (AH), uniquely identifies a security association.
• Sequence Number (32 bits): a monotonically increasing counter value.
• Authentication Data (variable): a variable-length field (must be an integral number of 32-bit words) that contains the Integrity Check Value (ICV), or MAC, for this packet.
Encapsulating Security Payload (ESP)
• ESP is used to provide security services in IPv4 and IPv6. It can be used alone or in combination with an AH.
• It can provide either confidentiality (i.e., encryption) or integrity protection (i.e., authentication), or both. ESP can operate in transport mode and in tunnel mode.
The ESP packet consists of the following fields:
• SPI: a unique and random 32-bit value that, together with the destination IP address and security protocol, uniquely identifies the SA for the packet.
• Sequence number: a monotonically increasing 32-bit counter used to protect against replay attacks. When an SA is established the sequence number is reset to 0.
• Payload data: a variable-length field that typically contains the data payload, whose type is denoted by the next header field. It may also contain cryptographic synchronization data, such as an IV.
• Padding: used to fill the payload data to a specific block size multiple required by a particular encryption algorithm, or to randomize the length of the payload in order to protect against traffic flow analysis.
• Pad length: an 8-bit field whose value indicates in bytes the length of the padding field.
• Next header: an 8-bit field that identifies the type of data contained in the payload data field.
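An added example, not from the slides or any IPsec implementation, that builds and verifies the Authentication Header laid out above (Next Header, Payload Length in 32-bit words minus 2, SPI, Sequence Number, ICV) and applies the anti-replay check both AH and ESP derive from the sequence number: a 64-entry sliding window of accepted sequence numbers. The ICV is an HMAC-SHA256 truncated to 12 bytes, a constructed choice for this example rather than a particular SA's algorithm, and the key is constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const icvLen = 12 // constructed choice: 96-bit truncated HMAC-SHA256 (3 words)

// AuthHeader holds the AH fields listed above (Reserved is always zero here).
type AuthHeader struct {
	NextHeader byte
	PayloadLen byte // AH length in 32-bit words, minus 2
	SPI        uint32
	SeqNum     uint32
	ICV        []byte
}

// ParseAH decodes an AH from the front of b and returns the bytes after it.
func ParseAH(b []byte) (AuthHeader, []byte, error) {
	if len(b) < 2 {
		return AuthHeader{}, nil, errors.New("short AH")
	}
	total := (int(b[1]) + 2) * 4 // undo the "words minus 2" encoding
	if total < 12 || len(b) < total {
		return AuthHeader{}, nil, errors.New("AH payload length inconsistent with data")
	}
	h := AuthHeader{NextHeader: b[0], PayloadLen: b[1], ICV: b[12:total],
		SPI: binary.BigEndian.Uint32(b[4:8]), SeqNum: binary.BigEndian.Uint32(b[8:12])}
	return h, b[total:], nil
}

// BuildAH encodes the header, computes the ICV over header (ICV zeroed) plus
// payload with the SA's key, and returns header||payload.
func BuildAH(next byte, spi, seq uint32, key, payload []byte) []byte {
	words := 3 + icvLen/4 // 12 fixed bytes = 3 words, plus the ICV words
	out := make([]byte, words*4)
	out[0], out[1] = next, byte(words-2)
	binary.BigEndian.PutUint32(out[4:8], spi)
	binary.BigEndian.PutUint32(out[8:12], seq)
	mac := hmac.New(sha256.New, key)
	mac.Write(out) // ICV bytes are still zero at this point
	mac.Write(payload)
	copy(out[12:], mac.Sum(nil)[:icvLen])
	return append(out, payload...)
}

// ReplayWindow is the receiver's anti-replay state: the highest sequence
// number seen and a bitmap of which of the 64 numbers below it were accepted.
type ReplayWindow struct {
	top  uint32
	bits uint64
}

// Accept reports whether seq is new and inside the window, recording it if so.
func (w *ReplayWindow) Accept(seq uint32) bool {
	if seq > w.top { // newer than anything seen: slide the window forward
		if shift := seq - w.top; shift >= 64 {
			w.bits = 1
		} else {
			w.bits = w.bits<<shift | 1
		}
		w.top = seq
		return true
	}
	diff := w.top - seq
	if diff >= 64 || w.bits&(1<<diff) != 0 {
		return false // too old, or a replay of an already accepted packet
	}
	w.bits |= 1 << diff
	return true
}

// Verify checks the ICV first, then the replay window, and returns the payload.
func Verify(pkt, key []byte, w *ReplayWindow) ([]byte, error) {
	h, payload, err := ParseAH(pkt)
	if err != nil {
		return nil, err
	}
	expect := BuildAH(h.NextHeader, h.SPI, h.SeqNum, key, payload)[12 : 12+icvLen]
	if !hmac.Equal(h.ICV, expect) {
		return nil, errors.New("ICV mismatch: packet modified or wrong key")
	}
	if !w.Accept(h.SeqNum) {
		return nil, fmt.Errorf("replayed or stale sequence number %d", h.SeqNum)
	}
	return payload, nil
}

func main() {
	key := []byte("constructed-sa-key") // in practice negotiated via IKE
	var w ReplayWindow
	pkt := BuildAH(6, 0x1000, 1, key, []byte("TCP segment"))
	_, err1 := Verify(pkt, key, &w) // genuine packet
	_, err2 := Verify(pkt, key, &w) // the same packet replayed
	fmt.Println("first:", err1, "| replay:", err2)
}
```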
IPsec tunnel mode and IPsec transport mode
• IPsec tunnel mode is used between two dedicated routers, with each router acting as one end of a virtual "tunnel" through a public network.
• In IPsec tunnel mode, the original IP header containing the final destination of the packet is encrypted, in addition to the packet payload.
• To tell intermediary routers where to forward the packets, IPsec adds a new IP header.
• At each end of the tunnel, the routers decrypt the IP headers to deliver the packets to their destinations.
• In transport mode, the payload of each packet is encrypted, but the original IP header is not.
• Intermediary routers are thus able to view the final destination of each packet.
Advantages of IPsec:
• Strong security: IPsec provides strong cryptographic security services that help protect sensitive data and ensure network privacy and integrity.
• Wide compatibility: IPsec is an open standard protocol that is widely supported by vendors and can be used in heterogeneous environments.
• Flexibility: IPsec can be configured to provide security for a wide range of network topologies, including point-to-point, site-to-site, and remote access connections.
• Scalability: IPsec can be used to secure large-scale networks and can be scaled up or down as needed.
• Improved network performance: IPsec can help improve network performance by reducing network congestion and improving network efficiency.
IDS(Intrusion Detection System)

• An Intrusion Detection System (IDS) is a monitoring system that detects suspicious


activities and generates alerts when they are detected.
• Based upon these alerts, a security operations center (SOC) analyst or incident
responder can investigate the issue and take the appropriate actions to remediate the
threat.
• An intrusion detection system's prime benefit is ensuring that the respective person is
notified when the attack happens.
• In addition, a network intrusion detection system keeps a check on both inbound and
outbound traffic on the network and monitors data traversing between the system and
the network.
Working
•An IDS (Intrusion Detection System)
monitors the traffic on a computer
network to detect any suspicious
activity.
•It analyzes the data flowing
through the network to look for
patterns and signs of abnormal
behavior.
•The IDS compares the network
activity to a set of predefined
rules and patterns to identify any
activity that might indicate an attack
or intrusion.
•If the IDS detects something that
matches one of these rules or
patterns, it sends an alert to the
system administrator.
Classification of Intrusion Detection System(IDS)

Network Intrusion Detection System (NIDS):


• Network intrusion detection systems (NIDS) are set up at a planned point within the
network to examine traffic from all devices on the network.
• An example of a NIDS is installing it on the subnet where firewalls are located in order to
see if someone is trying to crack the firewall.

Host Intrusion Detection System (HIDS):


• Host intrusion detection systems (HIDS) run on independent hosts or devices on
the network.
• A HIDS monitors the incoming and outgoing packets from the device only and
will alert the administrator if suspicious or malicious activity is detected.
Classification of Intrusion Detection System(IDS)

application protocol-based IDS (APIDS)


• works at the application layer, monitoring application-specific protocols.
• An APIDS is often deployed between a web server and an SQL database to detect SQL
injections.
Protocol-based Intrusion Detection System (PIDS):
• Protocol-based intrusion detection system (PIDS) comprises a system or agent that would
consistently reside at the front end of a server, controlling and interpreting the protocol
between a user/device and the server.

Hybrid Intrusion Detection System:


• Hybrid intrusion detection system is made by the combination of two or more approaches to
the intrusion detection system.
• In the hybrid intrusion detection system, the host agent or system data is combined with
network information to develop a complete view of the network system.
Detection Methods
Signature Based intrusion detection systems-
• Signature-based intrusion detection systems use fingerprints of known threats to keep a
check on them.
• Once the malicious traffic or packets are detected, the IDS generates a signature to scan
the incoming traffic to detect known malicious patterns.
• The signature-based IDS can detect the attacks whose patterns are already present in
the system but are unable to detect new or unknown malicious or attack network traffic.
Anomaly Detection:
• The anomaly-based intrusion detection system was introduced to detect unknown
malicious attacks as new attack methods are developed quickly
• This detection method uses machine learning to create a trustful activity model, and
anything that comes is compared with that model to detect malicious traffic or patterns
Hybrid Detection:
• A hybrid IDS uses both signature-based and anomaly-based detection: signatures name known
attacks precisely, while the anomaly model catches attacks no signature describes yet, so
the combination gives broader coverage with a lower error rate than either method alone.
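The two detection methods above, run together over a handful of web requests, as an added example that is not part of the original slides. The events, the client addresses, the three signatures and the "mean plus three standard deviations" rate threshold are all constructed for illustration; a real IDS would carry thousands of signatures and a far richer baseline.

```python
"""Hybrid (signature + anomaly) detection over constructed HTTP request events.
Added example, not code from the original slides.

Each event is (client_ip, method, path). SIGNATURES are hypothetical
fingerprints of known attack patterns; the anomaly detector learns a per-client
request-rate baseline from a window of normal traffic and flags clients that
exceed it by a fixed number of standard deviations."""
import re
import statistics
from collections import Counter

# Constructed "known good" training window: five clients, 4-6 requests each.
BASELINE_EVENTS = (
    [("10.0.0.1", "GET", "/index.html")] * 4
    + [("10.0.0.2", "GET", "/about")] * 5
    + [("10.0.0.3", "GET", "/catalog")] * 5
    + [("10.0.0.4", "POST", "/login")] * 6
    + [("10.0.0.5", "GET", "/item?id=7")] * 5
)

# Constructed observation window: one client sending SQL injection and path
# traversal payloads, and one client hammering /login with no known payload.
OBSERVED_EVENTS = (
    [("10.0.0.5", "GET", "/item?id=3")] * 3
    + [
        ("10.0.0.6", "GET", "/index.html"),
        ("10.0.0.6", "GET", "/item?id=1' OR '1'='1"),
        ("10.0.0.6", "GET", "/view?file=../../etc/passwd"),
    ]
    + [("198.51.100.7", "POST", "/login")] * 12
)

# Signature database: name -> pattern of a known malicious request string.
SIGNATURES = {
    "sqli-union": re.compile(r"union\s+select", re.I),
    "sqli-tautology": re.compile(r"'\s*or\s+'?\w+'?\s*=\s*'?\w+", re.I),
    "path-traversal": re.compile(r"\.\./"),
}


def signature_matches(path):
    """Return the names of every signature that fires on this request path."""
    return [name for name, rx in SIGNATURES.items() if rx.search(path)]


def learn_rate_threshold(events, k=3.0):
    """Baseline: mean + k * stdev of requests per client in normal traffic."""
    counts = Counter(ip for ip, _, _ in events)
    values = list(counts.values())
    return statistics.mean(values) + k * statistics.pstdev(values)


def anomalous_clients(events, threshold):
    """Clients whose request count in the window exceeds the learned threshold."""
    counts = Counter(ip for ip, _, _ in events)
    return {ip for ip, n in counts.items() if n > threshold}


def hybrid_detect(observed, baseline=BASELINE_EVENTS):
    """Signature alerts name the attack; anomaly alerts catch unknown abuse."""
    alerts = []
    for ip, _, path in observed:
        for sig in signature_matches(path):
            alerts.append((ip, "signature", sig))
    threshold = learn_rate_threshold(baseline)
    for ip in sorted(anomalous_clients(observed, threshold)):
        alerts.append((ip, "anomaly", "request-rate"))
    return alerts


if __name__ == "__main__":
    for alert in hybrid_detect(OBSERVED_EVENTS):
        print(alert)
```

The brute-forcing client 198.51.100.7 never sends a string any signature knows, so only the rate baseline catches it; the injection attempts from 10.0.0.6 are only three requests, well under the rate threshold, so only the signatures catch them. Neither method alone reports both.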
Advantages
• It monitors routers, firewalls, key servers, and files, and uses its signature or baseline
database to raise alarms and send notifications.
• Offers centralized management for correlating the events of an attack.
• Acts as an additional layer of protection for the organization.
• It analyzes different attacks, identifies their patterns, and helps the administrator to
organize and implement effective controls.
• Provides system administrators with the ability to quantify an attack (its scope, sources
and targets).
• Helps detect security problems that preventive controls have missed.
Firewall
• A firewall is a network security device that monitors and filters incoming and outgoing
network traffic based on an organization's previously established security policies.
• At its most basic, a firewall is the barrier that sits between a private internal network
and the public Internet.
• A firewall's main purpose is to allow non-threatening traffic in and to keep dangerous
traffic out.
• Firewalls are used wherever two networks of different trust levels meet: at the Internet
edge, between internal network segments, and on individual hosts.
• A firewall can be hardware, software or both.
Working
• A firewall analyzes network traffic against pre-defined rules, filters the traffic, and drops
packets coming from unreliable or suspicious sources.
• It allows in only the traffic its rules are configured to accept; everything else is denied
by default.
• Typically, a firewall inspects traffic at the entry point to a host or network and matches it
on the addresses and ports carried in the packet headers.
• Incoming traffic is allowed only from trusted IP addresses or sources, and only to the
services (ports) the policy exposes.
Firewall Characteristics
• Barrier: A firewall does not allow any external traffic to enter a system or network unless
its rules explicitly permit it.
• Multi-Purpose: Many firewalls perform functions beyond filtering, such as network address
translation (NAT), DHCP and DNS services, and VPN termination.
• Flexible Security Policies: Different systems and networks need different security
policies. A firewall can be adapted to the user's requirements by changing its rules.
• Security Platform: Security decisions for a system or network can be defined and reviewed
from one place.
• Access Handler: Determines which traffic may flow, and in what order of priority, for a
particular network or system; only requests that match an allow rule are passed through
the firewall.
Firewall
Host-based Firewalls
• A host-based firewall is installed on each network node and controls every incoming and
outgoing packet of that node.
• It is a software application, or suite of applications, usually shipped as part of the
operating system. A host firewall protects each host individually from attacks and
unauthorized access.
Network-based Firewalls
• Network firewalls function at the network level: they filter all traffic entering and leaving
the network, protecting the internal network with rules defined on the firewall.
• A network firewall has two or more network interface cards (NICs), one per connected
network, and is usually a dedicated system with proprietary software installed.
Packet filtering firewall
• Most basic and oldest type of firewall architecture; creates a checkpoint at a router or
switch through which traffic passes.
• Controls the data flow to and from a network.
• These firewalls compare each packet, in isolation, to a set of established criteria such as
the allowed IP addresses, protocol, port number, and other fields of the packet headers.
• Packets that fail the check are dropped.
Circuit-level gateways
• This can be a stand-alone system or a specialized function performed by an application-level
gateway for certain applications.
• Monitor TCP handshakes and other session-initiation messages as sessions are established
between local and remote hosts, to determine whether the session being initiated is
legitimate and whether the remote system is considered trusted.
• They do not inspect the contents of the packets themselves, which makes them fast and
cheap, but it also means they cannot recognize malicious content carried inside a session
they have approved.
Stateful inspection firewall
• State-aware devices examine each packet and keep track of whether it belongs to an
established TCP connection or other network session, so that a packet claiming to be a
reply is accepted only if the matching outbound request was seen.
• This offers more security than packet filtering or circuit-level filtering alone.
• Another variant of stateful inspection is the multilayer inspection firewall, which follows
the flow of transactions across multiple protocol layers of the seven-layer Open Systems
Interconnection (OSI) model.
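Why stateful inspection is stronger than a stateless packet filter, shown on the same four packets. This is an added example, not code from the original slides: the addresses (192.0.2.0/24 internal, 203.0.113.0/24 and 198.51.100.0/24 external), the site policy and the "high destination port" return-traffic rule are assumptions chosen to make the difference visible.

```python
"""A stateless packet filter beside a stateful inspection firewall, run over
constructed packets. Added example, not from the original slides; addresses,
policy and rule set are assumptions."""
from dataclasses import dataclass, field

INTERNAL_PREFIX = "192.0.2."      # assumed internal network
WEB_SERVER = "192.0.2.10"         # assumed public-facing HTTPS server


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = field(default_factory=frozenset)   # TCP flags, e.g. {"SYN"}


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


def policy_allows_new(pkt):
    """Connections the site policy permits: anything outbound from inside, and
    inbound HTTPS to the web server. Shared by both firewalls."""
    return is_internal(pkt.src) or (pkt.dst == WEB_SERVER and pkt.dport == 443)


def stateless_filter(pkt):
    """Packet filter: decides on header fields alone. Having no memory, it can
    only let replies to outbound connections back in with a blanket rule for
    high destination ports, which also admits forged 'replies' to connections
    that never existed."""
    if policy_allows_new(pkt):
        return "allow"
    if is_internal(pkt.dst) and pkt.dport >= 1024:    # the 'return traffic' hole
        return "allow"
    return "deny"


class StatefulFirewall:
    """Stateful inspection: a packet is accepted if it belongs to a session in
    the connection table; only a bare SYN may open a new entry, and only when
    policy_allows_new() permits it."""

    def __init__(self):
        self.table = set()    # (src, sport, dst, dport) of sessions seen opening

    def filter(self, pkt):
        forward = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if forward in self.table or reverse in self.table:
            return "allow"
        if pkt.flags == frozenset({"SYN"}) and policy_allows_new(pkt):
            self.table.add(forward)
            return "allow"
        return "deny"


# Constructed traffic: one legitimate outbound HTTPS session, then a forged
# packet that pretends to be a reply to it, and an unsolicited SSH probe.
SYN = Packet("192.0.2.20", 51000, "203.0.113.5", 443, frozenset({"SYN"}))
SYN_ACK = Packet("203.0.113.5", 443, "192.0.2.20", 51000, frozenset({"SYN", "ACK"}))
FORGED_REPLY = Packet("198.51.100.9", 443, "192.0.2.20", 51000, frozenset({"ACK"}))
SSH_PROBE = Packet("198.51.100.9", 40000, "192.0.2.20", 22, frozenset({"SYN"}))


def compare():
    """Run the same packets through both filters; {name: (stateless, stateful)}."""
    fw = StatefulFirewall()
    results = {}
    for name, pkt in [("syn", SYN), ("syn_ack", SYN_ACK),
                      ("forged_reply", FORGED_REPLY), ("ssh_probe", SSH_PROBE)]:
        results[name] = (stateless_filter(pkt), fw.filter(pkt))
    return results


if __name__ == "__main__":
    for name, (stateless, stateful) in compare().items():
        print(f"{name:13s} stateless={stateless:5s} stateful={stateful}")
```

Both filters pass the real handshake and both reject the SSH probe; the difference is the forged reply. The stateless filter must accept it, because to its rules it is indistinguishable from the genuine SYN-ACK; the stateful firewall rejects it because no session with 198.51.100.9 was ever opened from inside.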
Application-level gateway
• Also known as a proxy or proxy firewall, it combines some of the attributes of packet
filtering firewalls with those of circuit-level gateways.
• It terminates the client's connection, filters requests according to the service they are
intended for (specified by the destination port) and other characteristics, such as the HTTP
request string, and opens its own connection to the server only for requests that pass.
Next-generation firewall (NGFW)
• Combines packet filtering and stateful inspection with a variety of deep packet inspection
and other network security functions, such as intrusion detection/prevention, malware
filtering, and antivirus.
Network Scanning
Network scanning is the process of identifying the active hosts on a network and mapping them
to their IP addresses; this list needs to be compiled before running a port scan.

The network scanning process is also known as host discovery, which is often the first step
attackers take in staging an attack. They use two primary techniques: Address Resolution
Protocol (ARP) scans and various ICMP scans. An ARP scan maps IP addresses to media access
control (MAC) addresses and can be used to determine which hosts are active. ARP is not routed,
so it only works within a local-area network (LAN), and the attacker must already be connected
to the internal network.

Various ICMP packets can be used to conduct a network scan from outside the LAN, such as
address mask, echo, and timestamp requests. Discovering hosts depends on receiving a reply
from the targeted hosts. Not receiving a response means either that there is no host at the
target address or that the request, or its reply, was blocked by a firewall or packet filter.

Once the network has been scanned and a list of live hosts compiled, a port scanner can
identify which services each host exposes. It typically classifies each port as open (the
service answered), closed (the host answered that nothing is listening), or filtered (no answer
reached the scanner, so a firewall probably dropped the probe).
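The two-stage procedure above (host discovery, then a port scan that sorts ports into open, closed and filtered) as an added example that is not part of the original slides. No packets are sent: the hosts, MAC addresses and port states live in a constructed in-memory model, chosen so that one host drops ICMP echo (visible to an ARP sweep, invisible to a ping sweep) and one port is silently dropped by a firewall.

```python
"""Host discovery followed by port-state classification against a constructed
in-memory network. Added example, not from the original slides; no packets
are sent. Hosts, MACs and port states are invented for illustration."""

# Constructed network: IP -> whether it answers ICMP echo, and its port states.
# Ports not listed are closed (the host answers RST).
NETWORK = {
    "10.0.0.1": {"answers_echo": True,
                 "ports": {22: "open", 80: "open", 443: "closed", 8080: "filtered"}},
    "10.0.0.2": {"answers_echo": False,          # host firewall drops echo requests
                 "ports": {3389: "open"}},
    # 10.0.0.3 is unassigned: nothing answers at all
}

# Constructed ARP cache of the LAN segment; usable only when the scanner is on it.
ARP_TABLE = {"10.0.0.1": "02:00:00:00:00:01", "10.0.0.2": "02:00:00:00:00:02"}


def arp_probe(ip):
    """ARP who-has: returns the MAC of a live LAN host, or None."""
    return ARP_TABLE.get(ip)


def icmp_echo(ip):
    """ICMP echo request: True only if the host exists and does not drop echo."""
    host = NETWORK.get(ip)
    return bool(host and host["answers_echo"])


def syn_probe(ip, port):
    """TCP SYN to ip:port. Open -> 'SYN-ACK', closed -> 'RST',
    filtered (dropped by a firewall) or no host at all -> None (timeout)."""
    host = NETWORK.get(ip)
    if host is None:
        return None
    state = host["ports"].get(port, "closed")
    return {"open": "SYN-ACK", "closed": "RST", "filtered": None}[state]


def classify(response):
    """Port state from the SYN probe's response, as a scanner reports it."""
    if response == "SYN-ACK":
        return "open"
    if response == "RST":
        return "closed"
    return "filtered"        # silence or ICMP unreachable: something dropped it


def discover_hosts(candidates, on_lan):
    """Host discovery: ARP sweep when on the LAN, ICMP echo sweep otherwise.
    A host that drops echo is invisible to the remote sweep but not to ARP."""
    probe = arp_probe if on_lan else icmp_echo
    return [ip for ip in candidates if probe(ip)]


def scan(ip, ports):
    """Port scan of one discovered host: {port: 'open'|'closed'|'filtered'}."""
    return {port: classify(syn_probe(ip, port)) for port in ports}


if __name__ == "__main__":
    candidates = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]
    for on_lan in (False, True):
        live = discover_hosts(candidates, on_lan)
        print("on LAN" if on_lan else "remote", "hosts:", live)
        for ip in live:
            print("  ", ip, scan(ip, [22, 443, 3389, 8080]))
```

Note that an unassigned address and a firewalled port produce the same observation, a timeout, which is why scanners report "filtered" rather than "closed" when nothing comes back: absence of a reply is not evidence of absence of a host.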
