VU Information System (CS507)
LESSON 40
Factors Encouraging Internet Attacks
Generally, Internet attacks of both a passive and an active nature occur for a number of reasons, including the availability of tools and techniques on the Internet, or as commercially available software, that an intruder can download easily. For example, an intruder can easily obtain network scanners to scan ports, and various password cracking programs are available free or at minimal cost. Another reason is the lack of security awareness and training among an organization's employees. No matter how perfect a system is made by removing all possible vulnerabilities, there are still chances that weaknesses exist and that the system can be intruded upon at any given time. Inadequate security over firewalls and operating systems may allow intruders to view internal addresses and use network services indiscriminately.

40.1 Internet Security Controls
Information systems can be made secure from the threats discussed in the last slides. There is no single control available to cater for the risk of vulnerabilities associated with the web (Internet). Some of the solutions are:
· Firewall Security Systems
· Intrusion Detection Systems
· Encryption

40.2 Firewall Security Systems
Every time a corporation connects its internal computer network to the Internet, it faces potential danger. Because of the Internet's openness, every corporate network connected to it is vulnerable to attack. Hackers on the Internet could break into the corporate network and do harm in a number of ways: steal or damage important data, damage individual computers or the entire network, use the corporate computer's resources, or use the corporate network and resources as a way of posing as a corporate employee. Companies should build firewalls as one means of perimeter security for their networks.
Likewise, this same principle holds true for very sensitive or critical systems that need to be protected from untrusted users inside the corporate network.
A firewall is defined as a device installed at the point where network connections enter a site; it applies rules to control the type of networking traffic flowing in and out. The purpose is to protect the Web server by controlling all traffic between the Internet and the Web server.
To be effective, firewalls should allow individuals on the corporate network to access the Internet and, at the same time, stop hackers or others on the Internet from gaining access to the corporate network to cause damage. Generally, most organizations can follow either of two philosophies:
· Deny-all philosophy -- access to a given resource will be denied unless a user can provide a specific business reason or need for access to the information resource.
· Accept-all philosophy -- everyone is allowed access unless someone can provide a reason for denying access.
System reports may also be generated to see who attempted to attack the system and tried to enter the firewall from remote locations.
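
The two philosophies differ only in what happens to traffic that no rule mentions. The following is an added example, not part of the original lesson: a small rule evaluator that applies the same constructed rule set under a deny-all and an accept-all default and collects the denied attempts as a report. The rule set, addresses and function names are assumptions made for illustration.

```python
import ipaddress

# Constructed rule set (source range, destination port, action); first match wins.
# Addresses are RFC 5737 documentation ranges, not taken from the lesson.
RULES = [
    ("203.0.113.0/24", 443, "allow"),    # partner range may reach the web server
    ("198.51.100.7/32", 22, "allow"),    # one admin host may use SSH
    ("192.0.2.0/24", None, "deny"),      # blocked range, every port
]

def decide(src_ip, dst_port, default):
    """Return (action, reason) for one connection attempt."""
    addr = ipaddress.ip_address(src_ip)
    for cidr, port, action in RULES:
        if addr in ipaddress.ip_network(cidr) and port in (None, dst_port):
            return action, f"rule {cidr} port {port or 'any'}"
    return default, "default policy"     # nothing matched: the philosophy decides

def run(traffic, default):
    """Apply the policy; return the decisions and a report of denied attempts."""
    decisions, report = [], []
    for src, port in traffic:
        action, reason = decide(src, port, default)
        decisions.append(action)
        if action == "deny":
            report.append((src, port, reason))
    return decisions, report

# Constructed connection attempts: (source address, destination port).
TRAFFIC = [
    ("203.0.113.10", 443),    # listed range, listed service
    ("203.0.113.10", 3389),   # listed range, service nobody justified
    ("198.51.100.7", 22),     # admin host
    ("192.0.2.55", 443),      # explicitly blocked range
    ("198.51.100.99", 23),    # source that appears in no rule
]

if __name__ == "__main__":
    for default in ("deny", "allow"):
        decisions, report = run(TRAFFIC, default)
        print(f"default={default}: {decisions}")
        for entry in report:
            print("  denied:", entry)
```

Under the deny-all default the two unlisted attempts are refused and appear in the report; under the accept-all default they pass and leave no denied-attempt record.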
Firewalls are hardware and software combinations that are built using routers, servers and a variety of software. They should control the most vulnerable point between a corporate network and the Internet, and they can be as simple or complex as the corporate security policy demands. There are many types of firewalls, but most enable organizations to:
· Block access to an organization's sites on the Internet.
· Limit traffic on an organization's public services segment to relevant addresses.
· Prevent certain users from accessing certain servers or services.
· Monitor communications between an internal and an external network.
· Monitor and record all communications between an internal network and the outside world to investigate network penetrations or detect internal subversion.
· Encrypt packets of data that are sent between different physical locations within an organization by creating a VPN over the Internet.
Firewalls encrypt packets that are sent between different physical locations within an organization by creating a VPN over the Internet. The capabilities of some firewalls can be extended so that they can also provide protection against viruses and attacks directed to exploit known operating system vulnerabilities. A remote location server is protected by firewalls and an IDS, further complemented by an IPS (Intrusion Prevention System), with specific ranges of IP addresses defined that may access the location with defined rights.

40.3 Intrusion Detection Systems (IDS)
Another element in securing networks is an intrusion detection system (IDS). An IDS is used to complement firewalls. It works in conjunction with routers and firewalls by monitoring network usage anomalies. It protects a company's information systems resources from external as well as internal misuse.
Types of IDS include:
· Signature-based: These IDS systems protect against detected intrusion patterns. The intrusive patterns they can identify are stored in the form of signatures.
· Statistical-based: These systems need a comprehensive definition of the known and expected behaviour of systems.
· Neural networks: An IDS with this feature monitors the general patterns of activity and traffic on the network and creates a database.
Signature-based IDSs will not be able to detect all types of intrusions due to the limitations of detection rules. On the other hand, statistical-based systems may report many events that fall outside the defined normal activity but are in fact normal activities on the network. A combination of signature-based and statistical-based models provides better protection.

An IDS is used as part of the network. It may take the form of hardware and software, or software alone may be installed on the server. An IDS is located between the firewall and the corporate network and works to complement the firewall; however, it can also be installed before the firewall. An IDS helps to detect both on-site unauthorized access, through a network-based IDS, and remote unauthorized access, through the use of a host-based IDS. Biometrics may also be used; however, biometrics helps to prevent only on-site illegal access. A log can be maintained in an IDS to detect and observe attempted intrusions and those that were successful.

An IDS is more concerned with recording and detecting intrusions. For blocking intrusions, another system called an Intrusion Prevention System (IPS) is used, which takes input from the IDS. The IDS reports the IP addresses that are attacking the organizational network.

40.4 Components of an IDS
An IDS comprises the following components:
· Sensors that are responsible for collecting data. The data can be in the form of network packets, log files, system call traces, etc.
· Analyzers that receive input from sensors and determine intrusive activity.
· An administrative console, which contains the intrusion definitions applied by the analyzers.
· A user interface.

Host-based IDS
HIDS reside on a particular computer and provide protection for a specific computer system. They are not only equipped with system monitoring facilities but also include other modules of a typical IDS, for example the response module. HIDS can work in various forms:
1. Systems that monitor incoming connection attempts. These examine host-based incoming and outgoing network connections. These are particularly related to unauthorized connection attempts to various protocols used for network communication, such as
· TCP (Transmission Control Protocol) or
· UDP (User Datagram Protocol) ports,
and can also detect incoming port scans.
2. Systems that examine network traffic that attempts to access the host. These systems protect the host by intercepting suspicious packets and scanning them to discourage intrusion.
· Network traffic -- data travels in the form of packets on the network.
· Packet -- a specific amount of data sent at a time.

Network-based IDS
The network-based type of IDS (NIDS) produces data about local network usage. The NIDS reassembles and analyzes all network packets that reach the network interface card. For example, while monitoring traffic, NIDSs capture all packets that they see on the network segment without analyzing them, focusing just on creating network traffic statistics. Honeynets do not allow the intruder to access actual data but leave the intruder in a controlled environment which is constantly monitored. Monitoring provides information regarding the approach of the intruder.

Components of IDS
An IDS comprises the following:
· Sensors that are responsible for collecting data. The data can be in the form of network packets, log files, system call traces, etc.
· Analyzers that receive input from sensors and determine intrusive activity.
· An administration console.
· A user interface.

Features of IDS
The features available in an IDS include:
· Intrusion detection
· Gathering evidence on intrusive activity
· Automated response (i.e. termination of connection, alarm messaging)
· Security policy
· Interface with system tools
· Security policy management

Limitations of IDS
An IDS cannot help with the following weaknesses:
· Incorrectness or scope limitation in the manner threats are defined
· Application-level vulnerabilities
· Backdoors into applications
· Weakness in identification and authentication schemes

40.5 Web Server Logs
The major purpose of enhancing web security is to protect the web server from attacks through the use of the Internet. In doing that, logging is the principal component of secure administration of a Web server. Logging the appropriate data and then monitoring and analyzing those logs are critical activities. Review of Web server logs is effective, particularly for encrypted traffic, where network monitoring is far less effective. Review of logs is a mundane activity that many Web administrators have a difficult time fitting into their hectic schedules. This is unfortunate, as log files are often the best and/or only record of suspicious behavior. Failure to enable the mechanisms to record this information and use them to initiate alert mechanisms will greatly weaken or eliminate the ability to detect and assess intrusion attempts.
Similar problems can result if necessary procedures and tools are not in place to process and analyze the log files. System and network logs can alert the Web administrator that a suspicious event has occurred and requires further investigation. Web server software can provide additional log data relevant to Web-specific events. If the Web administrator does not take advantage of these capabilities, Web-relevant log data may not be visible or may require a significant effort to access.
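
The signature-based and statistical-based analyzers from section 40.3 can both be run over a Web server log of the kind section 40.5 asks administrators to review. The following is an added example, not part of the original lesson: the log lines are constructed, and the signatures, the request threshold and all function names are assumptions made for illustration.

```python
import re
from collections import Counter

def clf(ip, method, path, status):
    """Build one constructed Common Log Format line."""
    return f'{ip} - - [10/Oct/2023:13:55:00 +0000] "{method} {path} HTTP/1.1" {status} 512'

# Constructed sample log; addresses are RFC 5737 documentation ranges.
LOG = (
    [clf("198.51.100.4", "GET", "/index.html", 200),
     clf("198.51.100.4", "GET", "/products", 200),
     clf("203.0.113.9", "GET", "/download?file=../../etc/passwd", 400)]
    + [clf("192.0.2.20", "POST", "/login", 401)] * 30                  # burst of failed logins
    + [clf("198.51.100.77", "GET", "/reports/daily.csv", 200)] * 25    # scheduled report job
)

LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \d+$')

# Stored signatures (assumed examples of known intrusive patterns).
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "script-injection": re.compile(r"(?i)<script|%3cscript"),
}
MAX_REQUESTS_PER_CLIENT = 10   # assumed definition of expected behaviour per window

def parse(lines):
    """Sensor: turn raw log lines into (ip, method, path, status) events."""
    return [(m[1], m[2], m[3], int(m[4])) for m in map(LINE.match, lines) if m]

def signature_alerts(events):
    """Signature-based analyzer: report requests matching a stored signature."""
    return {(ip, name) for ip, _, path, _ in events
            for name, rx in SIGNATURES.items() if rx.search(path)}

def statistical_alerts(events):
    """Statistical-based analyzer: report clients exceeding the defined normal volume."""
    counts = Counter(ip for ip, *_ in events)
    return {ip for ip, n in counts.items() if n > MAX_REQUESTS_PER_CLIENT}

if __name__ == "__main__":
    events = parse(LOG)
    print("signature:  ", sorted(signature_alerts(events)))
    print("statistical:", sorted(statistical_alerts(events)))
```

The failed-login burst matches no signature and is caught only by the statistical analyzer, while the scheduled report job is flagged even though it is normal activity, which is why the lesson recommends combining the two models.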

Web Trust
Under the WebTrust approach, a WebTrust Seal of assurance is placed on the site to show potential customers that a CPA or CA has evaluated the website's business practices and controls. The purpose is to determine whether they are in conformity with the WebTrust Principles. The WebTrust Principles and Criteria are intended to address user needs and concerns and are designed to benefit users and providers of electronic commerce services. Your input is not only welcome, it is essential to help ensure that these principles and their supporting criteria are kept up-to-date and remain responsive to marketplace needs. WebTrust principles broadly cover the following aspects:
1. Business practices disclosures -- the entity discloses how it does business with its electronic commerce.
2. Transaction integrity -- the website operator maintains effective controls and practices to ensure that customers' orders placed using electronic commerce are completed and billed as agreed.
3. Information protection -- the entity maintains effective controls and practices to ensure that private customer information is protected from uses not related to the entity's business.

40.6 Web Security Audits
Going online exposes an entity to more hazards than otherwise. This requires implementation of effective controls and checks to secure both the company's online data from undesired manipulation, and the customer's information and orders. The organization may hire an audit firm to offer these services and check the integrity of the website. Web audits help in gaining a web rating which enhances the credibility of the audits. There are different levels of audits, tailored to your needs and your budget. Among the issues we can carefully review on your site, resulting in a detailed report with recommendations:
· Performance, page load time
· Graphics optimization
· Navigation usability, consistency
· Browser compatibility
· Content formatting consistency
· Accessibility compliance with ADA guidelines and Section 508 Standards
· Broken links
· Page errors, script errors
· Search engine ranking
· Interface layout

40.7 Digital Certificates
· The digital equivalent of an ID card, digital certificates (also called "digital IDs") are issued by a trusted third party known as a "certification authority" (CA), such as VeriSign and Thawte.
· For example, CBR requires a NIFT class 2 digital certificate in order to facilitate filing a return electronically.
· NIFT itself is an affiliate of VeriSign Inc., working as a certification authority in Pakistan.
· The certificate is valid for one year.
· The certificate is attached to email every time a message is attached and sent to the recipient.
· The CA verifies that a public key belongs to a specific company or individual (the "subject"), and the validation process it goes through to determine if the subject is who it claims to be depends on the level of certification and the CA itself.
The process of verifying the "signed certificate" is done by the recipient's software, which is typically the Web browser. The browser maintains an internal list of popular CAs and their public keys and uses the appropriate public key to decrypt the signature back into the digest. It then recomputes its own digest from the plain text in the certificate and compares the two. If both digests match, the integrity of the certificate is verified. Companies like VeriSign and Thawte provide a variety of security and telecom services, such as digital certificates.
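
The verification steps described above can be followed in code. The following is an added example, not part of the original lesson: it uses a deliberately tiny textbook RSA key with no padding so the arithmetic stays visible, and the CA name, certificate text and function names are assumptions made for illustration.

```python
import hashlib

# Toy CA key (insecure: tiny modulus, no padding; for illustration only).
P, Q, E = 2**61 - 1, 2**31 - 1, 65537            # two known Mersenne primes
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))                # CA private exponent (Python 3.8+)

def digest(cert_text):
    """Digest of the certificate's plain text, reduced to fit the toy modulus."""
    return int.from_bytes(hashlib.sha256(cert_text.encode()).digest(), "big") % N

def ca_sign(cert_text):
    """CA side: encrypt the digest with the CA's private key to form the signature."""
    return pow(digest(cert_text), D, N)

# The browser's internal list of CAs and their public keys (constructed).
TRUSTED_CAS = {"Example CA": (E, N)}

def browser_verify(cert_text, issuer, signature):
    """Recipient side: the steps from the paragraph above."""
    if issuer not in TRUSTED_CAS:
        return False                              # no public key on the internal list
    e, n = TRUSTED_CAS[issuer]
    recovered = pow(signature, e, n)              # decrypt the signature back into the digest
    return recovered == digest(cert_text)         # recompute own digest and compare the two

# Constructed certificate contents.
CERT = "subject=www.example.com; public_key=0xA1B2C3; valid_days=365"
SIGNATURE = ca_sign(CERT)

if __name__ == "__main__":
    print("original: ", browser_verify(CERT, "Example CA", SIGNATURE))
    tampered = CERT.replace("www.example.com", "www.example.net")
    print("tampered: ", browser_verify(tampered, "Example CA", SIGNATURE))
    print("unknown CA:", browser_verify(CERT, "Unlisted CA", SIGNATURE))
```

Changing any character of the certificate text changes the recomputed digest, so the comparison fails even though the signature itself is untouched.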