
Semester - 5

Computer Network Security (3350704)

Unit - V Material (ENG)


Web Security
(12 Marks)

Ms. Aditiba R. Raol


Lecturer (DCE)

Atmiya Institute of Technology and Science for Diploma Studies


(603)
Yogidham Gurukul, Kalawad Road, Rajkot - 360005 (Gujarat), India
www.aitsds.edu.in
Atmiya Institute of Technology and Science for Diploma Studies Unit - V

Q - 1 Intruders
 Today, with the heavy usage of the internet, more and more people and systems are connected to one another, and with that the security concern comes into the picture: everyone wants to keep their data safe and secure.
 No matter how secure your system is, there will be attackers who constantly try to find a way to evade its security. They are intruders.
 Intrude: to put oneself intentionally into a place or situation where one is unwelcome or uninvited.
 Intrusion: an attempt to break into a system or to misuse it in violation of its security policy. An intrusion can be physical, local (on the system itself) or via remote access.
 Intruders may come from outside the network or may be legitimate users of the network (insiders).
 They are identified in three classes (Anderson's classification):
 Masquerader: an unauthorized person who gains access to the computer system, typically through a legitimate user's account, and exploits its data. Usually an outsider.
 Misfeasor: a legitimate user who accesses data or resources for which he is not authorized, or who misuses his privileges. Usually an insider.
 Clandestine user: a user who seizes supervisory (administrative) control of the system and uses it to evade auditing and access controls. Can be an insider or an outsider.
 Intrusion prevention cannot succeed all of the time, so intrusion detection is the necessary second line of defence.

Q - 2 What is Intrusion detection system?

 Intrusion detection is the art of detecting inappropriate, incorrect, or anomalous activity.
 An intrusion detection system (IDS) examines system or network activity to find possible intrusions or attacks, from inside as well as from outside, and reports them to the management.
 The two most common analysis approaches are misuse detection (matching known attack patterns) and anomaly detection (flagging deviations from normal behaviour).
 IDS serves three essential security functions: monitor, detect and respond to unauthorized activity.
 ID systems that run on a host to detect malicious activity on that host are called host-based ID systems; ID systems that operate on network data flows are called network-based ID systems.
 IDS activities
 Monitoring and analyzing user and system activities.
 Analyzing system configurations and vulnerabilities.
 Assessing system and file integrity.

Prepared By: A.R.Raol Page 1



 Analysis of abnormal activity patterns.
 Tracking user policy violations.
 Monitoring the operation of firewalls, routers, key management servers and the files on which other security mechanisms depend.

Q - 3 Classification of IDS?

IDS classification

(Note: among all the types, the two main ones are host based and network based)

 Host Based Intrusion Detection System (HIDS)
 It runs on a single host. (An IDS that watches only one application on that host is a special case, sometimes called an application-based IDS.)
 A host-based intrusion detection system (HIDS) monitors the computer system on which it is installed to detect an intrusion and/or misuse, and responds by logging the activity and notifying the designated authority.
 A HIDS monitors only the inbound and outbound packets of that device, together with its logs, processes and files, and alerts the user or administrator when suspicious activity is detected.
 It takes a snapshot (cryptographic hashes and attributes) of the existing system files and compares it with the previous snapshot.
 If critical system files were modified or deleted, an alert is sent to the administrator.
 A HIDS also detects abnormal behaviour of the system itself (unusual processes, logins, privilege changes).
 Advantages of HIDS
 It can verify the success or failure of an attack, because it sees the host's own state.
 It monitors system activities through IDS sensors on the host: file access, permissions and changes.
 It can monitor system-specific activities (logins, application logs) that never appear on the wire.
 An individual HIDS sensor is cheaper than a NIDS sensor (but one is needed on every host).
 It is more accurate and versatile than NIDS for host-level events, and it can examine traffic after the host has decrypted it.
 Disadvantages of HIDS
 The HIDS itself (its agent, its logs and its baseline) runs on the target and may be tampered with or disabled by an intruder who gains control of the host.
 It is not well suited to detecting network-based attacks such as scans or flooding.
 It can be affected by a denial-of-service (DoS) attack, and its processing load is borne by the monitored host.
 Deployment is expensive overall, since every host needs its own agent and maintenance.
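The snapshot-and-compare technique described above, as an added example (not code from the original notes): a small file-integrity checker in Python that records the SHA-256 digest, size and permission bits of every file under a directory, then diffs a later snapshot against the baseline and classifies each difference as ADDED, DELETED, MODIFIED or MODE_CHANGED. The scenario in demo() is constructed: a temporary fake /etc is tampered with in three ways that a real intruder might use. The paths, file contents and the name "evil.so" are illustrative assumptions, not from the page.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_snapshot(root) -> dict:
    """Baseline: digest, size and permission bits of every regular file under root."""
    root = Path(root)
    snap = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            snap[p.relative_to(root).as_posix()] = {
                "sha256": hash_file(p),
                "size": st.st_size,
                "mode": st.st_mode & 0o7777,
            }
    return snap


def compare_snapshots(baseline: dict, current: dict) -> list:
    """Return (ALERT_TYPE, path) pairs, sorted so the result is deterministic."""
    alerts = []
    for name, meta in baseline.items():
        if name not in current:
            alerts.append(("DELETED", name))
        elif meta["sha256"] != current[name]["sha256"]:
            alerts.append(("MODIFIED", name))
        elif meta["mode"] != current[name]["mode"]:
            alerts.append(("MODE_CHANGED", name))
    for name in current:
        if name not in baseline:
            alerts.append(("ADDED", name))
    return sorted(alerts)


def demo() -> list:
    """Constructed scenario: a fake /etc is snapshotted, then tampered with."""
    with tempfile.TemporaryDirectory() as root:
        etc = Path(root) / "etc"
        etc.mkdir()
        (etc / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (etc / "hosts").write_text("127.0.0.1 localhost\n")
        baseline = take_snapshot(root)
        # Simulated intrusion: a second UID-0 account is appended, a file is
        # removed, and a preload hook is dropped in (a common rootkit trick).
        with (etc / "passwd").open("a") as f:
            f.write("backdoor:x:0:0::/:/bin/sh\n")
        (etc / "hosts").unlink()
        (etc / "ld.so.preload").write_text("/tmp/evil.so\n")
        return compare_snapshots(baseline, take_snapshot(root))


if __name__ == "__main__":
    for kind, name in demo():
        print(f"ALERT {kind}: {name}")
```

Two practical points follow from the disadvantages listed above: the baseline must be stored where the intruder cannot rewrite it (off-host, or signed), otherwise the attacker simply re-snapshots after tampering; and a checker that hashes everything on every run is itself a load on the host, so real products hash only configured paths and use file-change notifications between full scans.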

 Network Based Intrusion Detection System (NIDS)
 A NIDS extends intrusion detection from a single host to the traffic of many hosts at once.
 A NIDS is used to monitor and analyze network traffic to protect the systems behind it from network-based threats.
 A NIDS examines raw packets on the network passively (it does not sit in the traffic path) and triggers alerts.
 The NIDS sensor is placed at a strategic point or points within the network, typically in the DMZ and just inside the perimeter firewall, so that it sees traffic to and from all the devices on the network.
 The NIDS reads all the packets passing its sensor and searches them for suspicious patterns.
 When a threat is discovered, according to its rules, the system can take action such as notifying the administrator or (when coupled with the firewall) blocking the offending IP address.
 Advantages of NIDS
 It can monitor a large network with a few sensors.
 It detects network threats without interfering with normal network operations, because it only listens.
 A passive sensor with no IP address on its monitoring interface is invisible to the attacker and hard to attack directly.
 It is operating system independent: it does not care what runs on the monitored hosts.
 Deployment, maintenance, and upgrade costs are usually lower than for host agents on every machine.
 Disadvantages of NIDS
 Under heavy network traffic it may drop packets and fail to recognize an attack.
 On modern switched networks a sensor normally sees only its own port's traffic; it needs a SPAN/mirror port or a network tap to see everything.
 Most NIDS cannot tell whether or not an attack was successful, because they never see the host's state.
 It cannot inspect encrypted traffic (SSL/TLS, SSH) and, to judge which alerts matter, it needs knowledge of the network topology and of how the target hosts behave.

 Signature based IDS
 A signature-based IDS inspects packets and compares them with the predefined rules or signatures stored in its database. Alerts are generated on the basis of the result of the comparison.
 This is very similar to how antivirus works: until you update your signatures, your IDS is unable to detect new threats.
 It searches packet contents and packet sequences for known malicious patterns.
 The main advantage of this approach is that it is easy to understand and easy to develop if you know the attack and the normal network behaviour; alerts are specific, so false positives are relatively few.
 Pattern matching (byte strings, regular expressions, protocol fields) is the basic operation of this IDS.
 The disadvantage is that it only detects known attacks; it is unable to detect novel attacks, and small variations of a known attack (encoding, fragmentation) may evade the signature.

 Anomaly based IDS
 In this type, the behaviour of users over time is captured as statistical data and processed.
 Rules are applied to test whether the current user behaviour is legitimate or deviates from the norm.
 Example: a user logs on and off 20 times a day while the normal behaviour for that user is 1 to 2 times.
 This can be done in two ways:
 1. Threshold detection: thresholds are defined for all users, and the frequency of various events is measured against these thresholds. If a count surpasses what is considered a reasonable number of occurrences, an intrusion is assumed.
 2. Profile-based detection: a profile of each individual user (or system) is built from past activity, and newly collected activity is matched against it to find irregular patterns.
 The key advantage of this detection over the other techniques is the ability to detect new attacks, or rather attacks for which no signature or known protocol violation exists. Its weakness is false positives: legitimate but unusual behaviour also looks anomalous, and an attacker who behaves slowly can train the profile.
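Both forms of anomaly detection just described, as an added example (not from the original notes): threshold detection applies one site-wide limit on logins per day, while profile-based detection compares each user against the mean and standard deviation of that user's own history. The audit-log lines, the ten-day baseline and the user names alice, bob and mallory are constructed for the example. The login counts are chosen so that the two methods disagree: bob stays under the global threshold but far above his own profile, and mallory has no profile at all.

```python
import re
import statistics
from collections import Counter

# Constructed baseline (not from the original page): logins per day for each
# known user over ten previous days, i.e. the raw material for a profile.
BASELINE_LOGINS = {
    "alice": [1, 2, 1, 2, 1, 1, 2, 1, 2, 1],
    "bob":   [2, 2, 3, 2, 2, 3, 2, 2, 3, 2],
}


def _login_lines(user, n):
    """Constructed audit-log lines for n login events by one user."""
    return [f"2024-03-01T{8 + i % 12:02d}:{(i * 7) % 60:02d}:00 user={user} action=login"
            for i in range(n)]


# Today's constructed audit log: alice 20 logins, bob 8, plus an unknown account.
TODAY_LOG = _login_lines("alice", 20) + _login_lines("bob", 8) + _login_lines("mallory", 1)

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+)$")


def count_logins(lines):
    """Sensor side: parse the log and count login events per user."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m and m["action"] == "login":
            counts[m["user"]] += 1
    return counts


def threshold_detect(counts, limit=10):
    """Threshold detection: one site-wide limit for everyone."""
    return {user for user, n in counts.items() if n > limit}


def build_profiles(history):
    """Profile-based detection needs a per-user mean and standard deviation."""
    return {user: (statistics.mean(xs), statistics.pstdev(xs)) for user, xs in history.items()}


def profile_detect(counts, profiles, k=3.0, min_sigma=1.0):
    """Flag a user whose count today exceeds mean + k*sigma of their own profile.
    min_sigma stops a near-constant history from turning any change into an alert."""
    flagged = set()
    for user, n in counts.items():
        if user not in profiles:
            flagged.add(user)            # no profile at all: treat as anomalous
            continue
        mean, sigma = profiles[user]
        if n > mean + k * max(sigma, min_sigma):
            flagged.add(user)
    return flagged


def run():
    counts = count_logins(TODAY_LOG)
    return threshold_detect(counts), profile_detect(counts, build_profiles(BASELINE_LOGINS))


if __name__ == "__main__":
    by_threshold, by_profile = run()
    print("threshold:", sorted(by_threshold))
    print("profile:  ", sorted(by_profile))
```

The choice of k and min_sigma is where the false-positive rate is set: a lower k catches more, but every user who has an unusually busy day becomes an alert, which is the weakness noted above.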


 Rule based IDS
 Rule-based techniques detect intrusion by observing events in the system and applying a set of rules that lead to a decision regarding whether a given pattern of activity is suspicious.
 This is classified into two categories:
 1. Rule-based anomaly detection: historical audit records are analysed to derive rules describing normal usage patterns, and current behaviour is matched against those rules to find deviations. It does not require knowledge of the security vulnerabilities within the system, but a large database of rules is needed.
 2. Rule-based penetration identification: an expert system whose rules encode known penetration techniques and illegitimate behaviour, so it looks for evidence of those rather than for deviations from normal.

 Logical components of IDS
 Whether it is a NIDS or a HIDS, an IDS typically consists of several specialized components working together, shown in the following figure.
 These components are often logical and software-based rather than physical, and will vary slightly from vendor to vendor and product to product.

Figure: IDS components (traffic collector, analysis engine, signature database, user interface and reports)


 Traffic collector (sensors)
 It collects the activity/events for the IDS to examine.
 In a HIDS, this could be log files, audit logs or traffic entering or leaving a specific system.
 In a NIDS, it is a mechanism for copying traffic off the network, functioning as a sniffer.
 This component is often referred to as a sensor.
 Analysis engine
 Examines the collected traffic or events and compares them with the known patterns of suspicious or malicious activity stored in the signature database (or, in an anomaly-based IDS, with the learned profile).
 The analysis engine is the 'brain' of the IDS.
 Signature database
 A collection of patterns and definitions of known suspicious or malicious activity. It must be kept up to date.
 User interface and reports
 These are the interfaces with the human element, providing alerts when appropriate and giving the user a means to interact with and operate the IDS.
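The four logical components above, wired together as a minimal signature-based NIDS. This is an added example, not code from the original notes or from any real product: the sensor replays a constructed packet list instead of sniffing, the signature database is a short list of (sid, description, protocol, port, pattern) tuples, the analysis engine matches each packet against it, and the alert list stands in for the reporting interface. Signature IDs, addresses and payloads are all made up for the example. The third packet carries the same SQL injection as the second but URL-encoded, to show the evasion weakness of pure pattern matching and the normalisation step that closes it.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote_to_bytes


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    proto: str
    payload: bytes


# Signature database: (sid, description, proto, dport, payload pattern).
# A None pattern means the rule fires on protocol and port alone.
SIGNATURES = [
    (1001, "SQL injection: UNION SELECT", "tcp", 80, re.compile(rb"(?i)union\s+select")),
    (1002, "Directory traversal", "tcp", 80, re.compile(rb"\.\./\.\./")),
    (1003, "Shellshock in HTTP header", "tcp", 80, re.compile(rb"\(\)\s*\{\s*:;\s*\};")),
    (1004, "Cleartext telnet to server", "tcp", 23, None),
]

# Constructed sample traffic standing in for what a sniffer would copy off the wire.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", "192.168.1.10", 80, "tcp", b"GET /index.php?id=1 HTTP/1.1\r\n"),
    Packet("10.0.0.7", "192.168.1.10", 80, "tcp",
           b"GET /index.php?id=1 UNION SELECT user,pass FROM users HTTP/1.1\r\n"),
    Packet("10.0.0.7", "192.168.1.10", 80, "tcp",
           b"GET /index.php?id=1%20UNION%20SELECT%20user,pass HTTP/1.1\r\n"),
    Packet("10.0.0.9", "192.168.1.10", 80, "tcp", b"GET /../../etc/passwd HTTP/1.1\r\n"),
    Packet("10.0.0.9", "192.168.1.10", 80, "tcp",
           b"GET /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :; }; /bin/bash -c id\r\n"),
    Packet("10.0.0.11", "192.168.1.20", 23, "tcp", b"\xff\xfd\x18"),
    # TLS ClientHello fragment: the engine sees nothing useful in encrypted traffic.
    Packet("10.0.0.5", "192.168.1.10", 443, "tcp", b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0"),
]


def sensor(packets):
    """Traffic collector: a real NIDS wraps a pcap/sniffer here; this replays the sample."""
    yield from packets


class AnalysisEngine:
    """Compares each packet with every signature; optionally normalizes the payload first."""

    def __init__(self, signatures, normalize=False):
        self.signatures = signatures
        self.normalize = normalize

    def inspect(self, pkt):
        payload = unquote_to_bytes(pkt.payload) if self.normalize else pkt.payload
        hits = []
        for sid, desc, proto, dport, pattern in self.signatures:
            if pkt.proto != proto or pkt.dport != dport:
                continue
            if pattern is None or pattern.search(payload):
                hits.append((sid, desc, pkt.src, pkt.dst))
        return hits


def run_ids(packets, normalize=False):
    """Sensor -> engine -> alert list (the 'user interface and reports' component)."""
    engine = AnalysisEngine(SIGNATURES, normalize=normalize)
    alerts = []
    for pkt in sensor(packets):
        alerts.extend(engine.inspect(pkt))
    return alerts


if __name__ == "__main__":
    for normalize in (False, True):
        print(f"normalize={normalize}")
        for sid, desc, src, dst in run_ids(SAMPLE_PACKETS, normalize):
            print(f"  [{sid}] {desc}: {src} -> {dst}")
```

Without normalisation the encoded packet produces no alert at all; with it the engine raises 1001 twice. Real engines go further (reassembling TCP streams, decoding chunked bodies, handling overlong UTF-8), and each missing normalisation is one more way a known attack slips past a known signature.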

Q - 4 Explain Web Security Threats?

 A web threat is any threat that uses the World Wide Web to facilitate cybercrime. Web threats include many types of malware and fraud delivered over the HTTP or HTTPS protocols.
 Web service security is the set of standards and measures that address security concerns when data is exchanged over the web.
 There are mainly four kinds of threat to web services, corresponding to the four security properties they attack: integrity, confidentiality, availability (denial of service) and authentication.
 Integrity
 In security, integrity means that data is not modified, inserted or deleted without authorization.
 The threat is modification of data in transit or in storage (for example changing an order or a web page).
 The defence is cryptographic integrity protection: message authentication codes or digital signatures, as provided by SSL/TLS.
 Confidentiality
 The threat is disclosure: eavesdropping on the message, stealing information or loss of privacy.
 The defence is encryption of the traffic (SSL/TLS) and of stored data.
 Denial of Service (DoS)
 This attack prevents legitimate users from getting their work done, by flooding the server or the network or by crashing a service.
 Cryptography alone does not prevent this; the defences are filtering, rate limiting and redundant capacity, with cryptographic authentication of requests used to stop the server spending resources on unauthenticated work.
 Authentication
 The threat is impersonation: an invalid user obtains the access of a valid user (or a fake site impersonates the real one), causing loss of data and privacy.
 The defence is cryptographic authentication: passwords protected in transit, server certificates, and signatures or MACs on messages.
 Taxonomy of Web security threats (figure, reconstructed as an outline)
 Web Security Threats
 Phishing
 Web browser exploits: file format issues, JavaScript vulnerabilities, protocol handling, vendor-specific issues
 Third party add-ons: file format issues, scripting issues, security bypass, protocol handling
 Downloads: executables, documents, drive-by downloads

 Phishing
 The victim is led to believe that he or she is on a legitimate website, when in fact it is just a copy of the real one, and credentials or private data entered there are captured.
 Phishing attacks have been known to target company email websites (webmail), public email websites (like Gmail) and popular sites like Amazon or eBay.
 To avoid this attack, do not follow links from unsolicited or anonymous mails; type the URL in the browser yourself and check the site's domain name and certificate.
 Web browser exploits
 Cyber criminals gain access without the victim's knowledge by exploiting weaknesses in the browser itself (file format parsers, the JavaScript engine, protocol handlers, vendor-specific bugs); keeping the browser patched is the main defence.


 Third party add-ons
 Many websites require third party add-ons such as Adobe Flash Player and Acrobat Reader, and these become targets for cyber criminals. (Flash Player has since been discontinued, but the same applies to any browser plugin.)
 Attackers also distribute malware disguised as updates and patches for these add-ons from various places, and an unpatched add-on can be exploited by a malicious page to breach the system.
 Downloads
 Downloads are one of the most attractive features for attackers to facilitate crime.
 Attackers offer some attractive scheme to the user; when the victim clicks on it or downloads the .exe file, malware, trojans, viruses etc. are delivered to the client system. A drive-by download does the same without any click, through a browser or add-on vulnerability.

Q - 5 Explain Web traffic Security approaches.

 There are a number of ways to provide security to web traffic, differing in the layer at which the security is placed.
 One solution is to provide security at the network layer using IPSec.

   HTTP | FTP | SMTP
   TCP
   IP / IPSec

 Network layer security

 The main advantage of IPSec is that it is transparent to end users and applications and provides a general-purpose solution.
 IPSec also provides filtering capability, so only selected traffic is allowed and only that traffic incurs the overhead of IPSec processing.
 Another solution is to implement security just above TCP. The security implemented above TCP is known as Secure Socket Layer (SSL), and its successor as an internet standard is Transport Layer Security (TLS).


   HTTP | FTP | SMTP
   SSL or TLS
   TCP
   IP

 Transport layer security

 One more solution is to implement application-specific security services, embedded within a particular application. For web security, an example of security at the application layer is Secure Electronic Transaction (SET).
 The main advantage of this approach is that the service can be tailored to the specific needs of the given application.

   S/MIME | PGP | SET
   Kerberos | SMTP | HTTP
   UDP | TCP
   IP

 Application layer security

Q - 6 Explain SSL Secure Socket Layer.

 SSL was originally developed by Netscape (1994) to secure HTTP communication.
 SSL is an intermediate security layer between the transport layer and the application layer.
 SSL is able to provide security for any TCP-based application protocol, e.g. HTTP, FTP, TELNET, POP3 etc.
 One of the important features of SSL is that it is application independent.
 Services of SSL
 Client and server authentication (using X.509 certificates; client authentication is optional).
 Data traffic confidentiality (the data is encrypted with a symmetric cipher under a session key; public key cryptography is used only in the handshake to establish that key).


 Lossless data compression (optional; disabled in practice today, because compressing before encrypting leaks information about the plaintext).
 Message authentication and integrity (using a keyed hash function, i.e. a MAC).
 End-to-end reliable secure service over TCP.
 SSL architecture

   SSL Handshake Protocol | SSL Change Cipher Spec Protocol | SSL Alert Protocol | Applications (HTTP)
   SSL Record Protocol
   TCP
   IP

 SSL defines four protocols as shown in the above figure.
 1. The SSL record protocol is the carrier which carries messages from the three other protocols and from the application. It fragments each message, optionally compresses it, adds a MAC, encrypts it and hands the result to TCP (transport layer).
 The SSL record protocol therefore provides the basic security services, confidentiality and message integrity, to the higher layer protocols.
 2. The SSL handshake protocol is used before any application data is transmitted.
 It allows the server and client to authenticate each other, to negotiate the cipher suite (encryption and MAC algorithms) and to establish the shared session keys.
 3. The SSL change cipher spec protocol consists of a single message; it tells the peer that the keys and algorithms just negotiated in the handshake now take effect for all following records.
 4. The alert protocol is used for reporting abnormal conditions. It conveys SSL-related alerts to the peer entity.
 Alerts have two levels: fatal (e.g. unexpected message, handshake failure, illegal parameter; the connection is terminated) and warning (e.g. close notify, no certificate, bad certificate, unsupported certificate, certificate revoked, certificate expired).
 Disadvantages of SSL protocol
 It does not protect against traffic analysis: the endpoints, timing and approximate sizes of messages remain visible.
 It does not protect against attacks on the TCP implementation (e.g. SYN flooding, RST injection), because TCP headers are outside SSL's protection.


Q - 7 Explain Transport Layer security.

 TLS 1.0 is essentially SSL version 3.1 (that is the version number it carries in its records).
 TLS is the successor of SSL, standardized by the IETF (RFC 2246 for TLS 1.0); the current versions are TLS 1.2 and TLS 1.3.
 TLS is a protocol that ensures privacy between communicating applications and their users on the internet.
 When a server and client communicate, TLS ensures that no third party can eavesdrop on or tamper with any message.

Figure: two applications communicating, without TLS (in the clear) and with TLS (through an encrypted tunnel)

 TLS creates an encrypted tunnel between two applications. It protects data from eavesdropping and modification.
 TLS is composed of two layers: the TLS record protocol and the TLS handshake protocol.
 The TLS record protocol provides connection security by encrypting data with a symmetric cipher negotiated during the handshake (modern deployments use AES; DES is obsolete and no longer permitted). It also fragments the data into manageable blocks and protects each block with a MAC.
 The TLS handshake protocol allows the server and client to authenticate each other and to agree on the algorithms and keys before any application data is sent.
 Advantages of TLS
 It does not require enhancement of each application; the application opens a TLS socket instead of a plain TCP socket.
 It is firewall friendly: it runs over ordinary TCP ports (e.g. 443 for HTTPS).
 Disadvantages of TLS
 It needs to maintain per-connection context (state) at both ends.
 It does not protect the IP addresses and the IP/TCP headers, so who is talking to whom remains visible.

Q - 8 Explain Secure electronic Transactions (SET).

 SET was developed by Visa and MasterCard (with technology partners) in 1996, mainly designed to protect credit card transactions on the internet.
 It is not a payment system, but rather a set of security protocols and formats. Secure Electronic Transaction (SET) is a system for ensuring the security of financial transactions on the Internet.


 SET provides three main services: confidentiality of information, payment integrity, and authentication of the participants.
 SET relies on digital certificates (X.509) to authenticate cardholders, merchants and payment gateways; confidentiality is provided by encrypting the messages.
 The digital envelope is widely used in this protocol. The message data is encrypted using a randomly generated symmetric key, and that key is in turn encrypted using the recipient's public key. The encrypted message plus the encrypted key form the "digital envelope" that is sent to the receiver.
 At the receiving end, the recipient decrypts the envelope (recovering the symmetric key) using its private key and then uses the symmetric key to unlock the original message.
 SET participants
 Cardholder: an authorized user who holds a payment card (for example MasterCard, Visa) issued by an issuer.
 Merchant: a person or organization that has goods or services to sell, here through a web transaction.
 Issuer (customer's bank): the financial institution that provides the card to the consumer and collects payment from the consumer.
 Acquirer (merchant's bank): the financial organization that sets up an account with the merchant and processes electronic payment authorizations and transfers. It also controls the merchant's payment limits.
 Payment gateway: operated by the acquirer or a designated third party; it works as the middleman between the SET messages coming from the merchant and the existing bankcard payment network of the acquirer and issuer, providing the authorization and payment functions during a transaction.
 Certificate authority: a trusted entity that issues public-key certificates to cardholders, merchants and payment gateways.


 How SET works (SET transactions)
 Here we assume that the customer has a SET-enabled browser and that the transaction provider (bank, store, etc.) has a SET-enabled server.
 Both cardholders and merchants must register with a CA and obtain certificates before they buy or sell on the internet.
 1. The customer browses the website and decides what to purchase.
 2. The customer sends the order and the payment information, which includes the purchase order and the card information. The card information is sealed in a digital envelope addressed to the payment gateway, so the merchant cannot read it.
 3. The merchant forwards the (still encrypted) payment information to its bank (the acquirer) through the payment gateway.
 4. The merchant's bank checks with the issuer for payment authorization.
 5. The issuer sends the payment authorization to the merchant's bank.
 6. The merchant's bank sends the authorization to the merchant.
 7. The merchant completes the order and sends confirmation to the customer.
 8. The merchant captures the transaction (requests the actual payment) from its bank.
 9. The issuer prints the credit card bill (invoice) and sends it to the customer.
 10. The merchant ships the goods or provides the service to the customer.
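The digital envelope from Q-8 applied to steps 2 and 3 of the transaction above, as an added example (not code from the original notes and not the real SET message format): the cardholder seals the card data under the payment gateway's public key, the merchant relays the envelope but cannot open it, and the gateway opens it. To stay dependency-free the block uses its own textbook RSA (Miller-Rabin prime generation, no OAEP padding) and a toy symmetric scheme (SHA-256 keystream XOR with an HMAC tag, encrypt-then-MAC); these are stand-ins for the RSA-with-padding and DES/AES primitives a real implementation would use, and the card number, amount and key sizes are constructed test values.

```python
import hashlib
import hmac
import os
import random


# ---- Toy RSA (textbook, no padding): enough to show the envelope structure. ----
def _is_probable_prime(n, rounds=32):
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.SystemRandom()
    for _ in range(rounds):                      # Miller-Rabin witnesses
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    rng = random.SystemRandom()
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def rsa_keygen(bits=1024):
    """Return ((n, e), (n, d)). 1024 bits is a demo size, not a recommendation."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and phi % e:
            return (n, e), (n, pow(e, -1, phi))


# ---- Toy symmetric scheme: SHA-256 keystream XOR, then HMAC (encrypt-then-MAC). ----
def _keystream(key, nonce, length):
    out = b""
    for ctr in range((length + 31) // 32):
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
    return out[:length]


def seal(recipient_pub, plaintext):
    """Digital envelope: fresh session key for the data, session key under the recipient's public key."""
    n, e = recipient_pub
    session_key = os.urandom(32)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(session_key, nonce, len(plaintext))))
    tag = hmac.new(session_key, nonce + ct, hashlib.sha256).digest()
    enc_key = pow(int.from_bytes(session_key, "big"), e, n)
    return {"enc_key": enc_key, "nonce": nonce, "ct": ct, "tag": tag}


def open_envelope(recipient_priv, env):
    """Recipient recovers the session key with its private key, then decrypts the data."""
    n, d = recipient_priv
    k = pow(env["enc_key"], d, n)
    if k.bit_length() > 256:
        raise ValueError("envelope not addressed to this key")
    session_key = k.to_bytes(32, "big")
    expected = hmac.new(session_key, env["nonce"] + env["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, env["tag"]):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(env["ct"], _keystream(session_key, env["nonce"], len(env["ct"]))))


def set_purchase_demo():
    """Steps 2-3 of the SET flow: card data sealed for the gateway, relayed by the merchant."""
    gateway_pub, gateway_priv = rsa_keygen()
    merchant_pub, merchant_priv = rsa_keygen()
    card_data = b"PAN=4111111111111111;EXP=12/27;AMOUNT=49.99"   # constructed test value
    envelope = seal(gateway_pub, card_data)                     # cardholder -> merchant
    try:
        merchant_view = open_envelope(merchant_priv, envelope)  # merchant cannot read it
    except ValueError:
        merchant_view = None
    gateway_view = open_envelope(gateway_priv, envelope)        # merchant forwards to gateway
    return merchant_view, gateway_view


if __name__ == "__main__":
    print(set_purchase_demo())
```

The point of the structure is visible in set_purchase_demo(): the merchant holds the envelope and can forward it, but only the holder of the gateway's private key recovers the session key, and the HMAC tag ensures that anyone who alters the ciphertext in transit is detected before decryption.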


Q-9 Difference between HIDS and NIDS

HIDS | NIDS
Installed on a single host; it monitors only the traffic and activity originating from or arriving at that particular host. | Positioned in the network to detect attacks on any of the hosts of that network.
Capable of verifying whether an attack was successful or not. | Only gives an alert that an attack was attempted.
Can monitor all users' activities on the host. | Cannot monitor host-local user activity.
Deployment cost is high (an agent on every host). | Deployment cost is low (a few sensors per network).
More accurate and versatile than NIDS. | Less accurate than HIDS.
Can analyze decrypted traffic on the host to find attack signatures. | Cannot analyze encrypted traffic.
Example: PortSentry | Example: Real Secure, SecureNet, Snort
