15

Computer Security

1. Define the term ‘computer security’. What aspects are responsible for effective computer security?

Ans.: Computer security refers to the protection given to computers and the information contained in them from unauthorized access. The practice of computer security also includes policies, procedures, hardware, and software tools that are necessary to protect the computer systems and the information processed, stored, and transmitted by the systems. It involves the measures and controls that ensure confidentiality, integrity, and availability of the information processed and stored by a computer. These three aspects are responsible for effective computer security and are described as follows:

• Confidentiality: It ensures that information is available only to those persons who are authorized to access it. Strict controls must be implemented to ensure that only those persons who need access to certain information have that access. The most common form of access control is the use of passwords. Requiring passwords, smart cards, or single-use-password devices is the first step to prevent unauthorized individuals from accessing sensitive information and is the first layer of defence in access control. Therefore, keeping passwords confidential is one of the most fundamental principles of computer security.
• Integrity: It ensures that information cannot be modified in unexpected ways, as loss of integrity could result from human error, intentional tampering, or even catastrophic events. The consequence of using inaccurate information can be disastrous; therefore, an effort must be made to ensure the accuracy and integrity of data at all times. When the validity of information is of utmost importance, it is often helpful to design controls and checks to ensure accuracy of information. For this, the encryption process is used, which transforms information into some secret form to prevent unauthorized individuals from accessing the data. Such a technique prevents an intruder from reading or modifying the information.
• Availability: It prevents resources from being deleted or becoming inaccessible. This applies not only to information, but also to the machines on the network and other aspects of the technology infrastructure. This inability to access the required resources is called denial of service (DoS). Intentional attacks against computer systems often aim to disable access to data. Another aspect of availability ensures that needed resources are usable when and where needed, thus providing system redundancy, in the form of back-up data and power source.

2. Explain different security threats.

Ans.: Computer systems are vulnerable to many kinds of threats that can cause various types of damages, which may result in significant data loss. A threat can come from any person, object, or event that, if realized, could potentially cause damage to the computer network. It can also arise from intentional modification of sensitive information or accidental error in a calculation or because of a natural disaster like flood, storm, or fire. The effects of various threats vary considerably; some affect the confidentiality or integrity of data, while others affect the availability of a system. Some of the commonly occurring security threats are discussed as follows:

• Errors and omissions: They are important threats to data and system integrity. These errors are caused not only by data entry operators, processing hundreds of transactions per day, but also by users who create and edit data. Many programs, especially those designed by users for personal computers, lack quality control measures. However, even the most sophisticated programs cannot detect all types of input errors or omissions. A sound awareness and training program can help an organization reduce the number and severity of errors and omissions.
• Fraud and theft: Information technology is increasingly being used to commit fraud and theft. Computer systems are exploited in numerous ways, both by automating traditional methods of fraud and by using new methods. For example, individuals may use a computer to steal money from a large number of financial accounts, thus generating a significant sum for their own use. Financial systems are not the only ones facing fraudulent activity; systems that control access to any resource, such as time and attendance systems, inventory systems, school grading systems, or long-distance telephone systems, are also targets.

The majority of fraud uncovered on computer systems is committed by insiders who are authorized users of a system. Since insiders have both access to and familiarity with the victim computer system, including what resources it controls and where the flaws are, they are in a better position to commit crimes. An organization's former employees may also pose threats, particularly if their access is not terminated promptly.

• Loss of physical and infrastructure support: Loss of physical and infrastructural support in an organization also contributes to the security threat. The infrastructural support includes power failures, loss of communications, water outages and leaks, lack of transportation services, natural calamity, and so forth. Recent study has shown that more loss is associated with fires and floods than with viruses and other more widely publicized threats. A loss of infrastructure often results in system downtime, sometimes in unexpected ways.
• Hacker and cracker: The term ‘hacker’ refers to the person with the intention of finding some weak points in the security of websites and other computer systems in order to gain unauthorized access. The activities of hackers are not limited to only gaining the unauthorized access to systems, but also include stealing and destroying the confidential information. They can also introduce viruses in the network, which can enter database or other applications and crash the whole server. In addition, they can also modify links in websites to redirect the sensitive information to the database of their interests.

In the hacking community, hackers have been classified into two categories, white-hat and black-hat hackers, depending on their intent behind hacking. The hackers who break into the computer security with non-malicious reasons are known as white-hat hackers. Usually, such hackers are security experts working with manufacturers. On the other hand, the hackers who break into the computer security without authorization for ulterior purposes such as property theft, credit card theft, terrorism, etc. are known as black-hat hackers or crackers. In mass media, the terms ‘hacker’ and ‘cracker’ are often used interchangeably.

• Malicious software: Malicious software (malware for short) refers to programs that generate threats to the computer system and stored data. They could be in the form of viruses, worms, Trojan horses, logic bombs, and zombie programs. All malicious programs fall under two categories: those that require a host program such as an application program or a system program in order to be executed by the operating system, and those that can be executed by the operating system independently. Some examples of malicious programs belonging to the first category include viruses and logic bombs, while worms and zombie programs are examples of the second category.
• Foreign government espionage: In some instances, threats can be posed by foreign government intelligence services. In addition to possible economic espionage, foreign intelligence services may target unclassified systems to collect information about intelligence missions. Some unclassified information that may be of interest includes travel plans of senior officials, defence, emergency preparedness, manufacturing technologies, satellite data, personnel and payroll data, investigative, and security files. Therefore, adequate guidance must be sought from the security office regarding such threats.

3. What is a virus? Explain different types of virus.

Ans.: Virus (stands for Vital Information Resources Under Seize) is a program or small code segment that is designed to replicate, attach to other programs, and perform unsolicited and malicious actions. It enters into the computer system from external sources such as compact disc (CD), pen drive, or e-mail and executes when the infected program is executed. Further, as an infected computer gets in contact with an uninfected computer (e.g., through computer networks), virus may pass on to the uninfected system and destroy the data.

Just as flowers are attractive to the bees that pollinate them, virus host programs are deliberately made attractive to victimize the user. They become destructive as soon as they enter a system or are programmed to lie dormant until activated by a trigger. The different types of virus are discussed as follows:

• Boot sector virus: This virus infects the master boot record of a computer system. This virus either moves the boot record to another sector on the disk or replaces it with the infected one. It then marks that sector as a bad sector on the disk. This type of virus is very difficult to detect since the boot sector is the first program that is loaded when a computer starts. In effect, the boot sector virus takes full control of the infected computer.
• File-infecting virus: This virus infects files with extension .com and .exe. This type of virus usually resides inside the memory and infects most of the executable files on a system. The virus replicates by attaching a copy of itself to an uninfected executable program. It then modifies the host programs and subsequently, when the program is executed, it executes along with it. This virus can only gain control of the computer if the user or the operating system executes a file infected with the virus.
• Polymorphic virus: This virus changes its code as it propagates from one file to another. Therefore, each copy of the virus appears different from others; however, they are functionally similar. This makes the polymorphic virus difficult to detect, like the stealth virus. The variation in copies is achieved by placing superfluous instructions in the virus code or by interchanging the order of instructions that are not dependent. Another more effective means to achieve variation is to use encryption. A part of the virus, called the mutation engine, generates a random key that is used to encrypt the remaining portion of the virus. The random key is kept stored within the virus, while the mutation engine changes by itself. At the time the infected program is executed, the stored key is used by the virus to decrypt itself. Each time the virus replicates, the random key changes.
• Stealth virus: This virus attempts to conceal its presence from the user. It makes use of compression such that the length of the infected program is exactly the same as that of the uninfected version. For example, it may keep intercept logic in some I/O routines so that when some other program requests information from the suspicious portions of the disk using these routines, it will present the original uninfected version to the program. The Stoned Monkey virus is an example of the stealth virus. This virus uses ‘read stealth’ capability and if a user executes a disk editing utility to examine the main boot record, the user would not find any evidence of infection.
• Multipartite virus: This virus infects both boot sectors and executable files, and uses both mechanisms to spread. It is the worst virus of all because it can combine some or all of the stealth techniques along with polymorphism to prevent detection. For example, if a user runs an application infected with a multipartite virus, the virus activates and infects the hard disk's master boot record. Moreover, the next time the computer starts, the virus gets activated again and starts infecting every program that the user runs. OneHalf virus is an example of a multipartite virus, which exhibits both stealth and polymorphic behaviour.

4. Write a short note on the following:

(a) Worm

(b) Trojan horse

(c) Logic bomb

(d) Spyware

Ans.: (a) Worm: It is a program constructed to infiltrate legitimate data processing programs and alter or destroy the data. It often uses network connections to spread from one computer system to another; thus, it attacks systems that are linked through communication lines. Once active within a system, it behaves like a virus and performs a number of disruptive actions. To reproduce itself, it makes use of a network medium such as network mail facility (in which it can mail a copy of itself to other systems), remote execution capability (in which it can execute a copy of itself on another system), and remote login capability (whereby it can log into a remote system as a user and then use commands to copy itself from one system to another).

Both worms and viruses tend to fill computer memory with useless data, thereby preventing you from using memory space for legal applications or programs. In addition, they can destroy or modify data and programs to produce erroneous results as well as halt the operation of the computer system or network. Like a virus, the operation of a network worm also involves dormant, propagation, triggering, and execution phases.

(b) Trojan Horse: It is a malicious program that appears to be legal and useful but concurrently does something unexpected like destroying existing programs and files. It does not replicate itself in the computer system and hence, it is not a virus. However, it usually opens the way for other malicious programs such as virus to enter into the computer system. In addition, it may also allow unauthorized users to access the information stored in the computer.

It spreads when users are convinced to open or download a program because they think it has come from a legitimate source. It can also be included in software that is freely downloadable. It is usually subtler, especially in the cases where it is used for espionage. It can be programmed to self-destruct, without leaving any evidence other than the damage it has caused. The most famous Trojan horse is a program called Back Orifice, which is an unsubtle play on words on Microsoft's BackOffice suite of programs for NT server. This program allows anybody to have complete control over the computer or server it occupies.

(c) Logic Bomb: It is a program or portion of a program that lies dormant until a specific part of program logic is activated. The most common activator for a logic bomb is a date. It periodically checks the computer system date and does nothing until a pre-programmed date and time is reached. It could also be programmed to wait for a certain message from the programmer. When it sees the message, it gets activated and executes the code. It can also be programmed to activate on a wide variety of other variables such as when a database grows past a certain size or a user's home directory is deleted. For example, a well-known logic bomb is Michelangelo, which has a trigger set for Michelangelo's birthday. On the given birth date, it causes system crash or data loss or other unexpected interactions with existing code.

(d) Spyware: It is a small program that installs itself on a computer to gather data secretly about the computer user without his/her consent and reports the collected data to interested users or parties. The information gathered by the spyware may include e-mail addresses and passwords, net surfing activities, credit card information, etc. It often gets automatically installed on your computer when you download a program from the Internet or click any option from the pop-up window in the browser.

5. What is the need to protect the computer systems against virus? How are computer systems protected?

Ans.: In the early days of computer networking, computers were not networked very well, and computer viruses spread extremely slowly. Files were transmitted by means of BBSs (Bulletin Board Systems) or on diskette. As a result, the transmission of infected files was not that fast and easy. However, as the connectivity improved, mostly by the use of computers in the workplace, the scope of virus threat widened. First, there was local area network (LAN), and then there was wide area network (WAN) and now the Internet. The extensive use of e-mail has also contributed to the significant rise in the number of virus incidents. As a result, the probability of getting infected by a virus today is more than it was a few years ago. Moreover, as the computer technology is gaining heights, these viruses are also getting advanced in causing destruction. To stop such destruction, it is necessary to protect the systems against virus. For this purpose, a software utility named antivirus is used.

Antivirus is an application software that is used for providing protection against malicious software. It is a software utility that (upon installing on a computer) detects viruses and if found, tries to remove them. The built-in scanner of antivirus software scans all the files on the computer's hard disk to look for particular types of code within programs. Most antivirus programs include an auto-update feature that enables the program to download profiles of new viruses so that it can check for the new viruses as soon as they are discovered. The most popular available antivirus software includes Norton AntiVirus, McAfee VirusScan, and Quick Heal.

Figure 15.1 depicts a typical virus detection mechanism used by an antivirus program. The image illustrates that if an antivirus program is not installed on the computer, the virus in the e-mail gets into the computer. However, once an antivirus program is installed in the computer, it checks all the incoming files (mails), detects the viruses, and removes them before storing the files onto the user's machine. However, in some cases, antivirus is not able to remove the virus and thus, one has to delete that file.


Figure 15.1 Virus Protection Using Antivirus

6. Explain in brief the term ‘cryptography’.

Ans.: Cryptography is a means for implementing some security mechanisms. The term ‘cryptography’ is derived from a Greek word kryptos which means ‘secret writing’. In simple terms, cryptography is the process of altering messages in a way that their meaning is hidden from the adversaries who might intercept them. It allows a sender to disguise a message to prevent it from being read or altered by an intruder, and it enables the receiver to recover the original message from the disguised one.

In data and telecommunications, it is an essential technique required for communicating over any untrusted medium, which includes any network, such as Internet. By using cryptography techniques, the sender can first encrypt a message and then transmit it through the network. The receiver, on the other hand, can decrypt the message and recover its original contents.

It relies upon two basic components: an algorithm (or cryptographic methodology) and a key. Algorithm is a complex mathematical formula and key is a string of bits. For two parties to communicate over a network (Internet), they must use the same algorithm (or algorithms that are designed to work together). In some cases, they must also use the same key. However, in all cases, the original unencrypted message is referred to as the plaintext, which is encrypted into ciphertext.

7. Discuss the various types of cryptographic techniques.

Ans.: Cryptography techniques are broadly classified into three types: secret-key cryptography, public-key cryptography, and hash functions.

Secret-key Cryptography

It is sometimes also called private-key cryptography or symmetric-key cryptography. It uses a single shared key (secret key) for both encryption and decryption of data. Thus, it is obvious that the key must be known to both the sender and the receiver. As shown in Figure 15.2, the sender uses the shared key and the encryption algorithm to transform the plaintext into ciphertext. The ciphertext is then sent to the receiver via a communication network. The receiver applies the same key and the decryption algorithm to decrypt the ciphertext and recover the plaintext. Some examples of symmetric-key algorithms include Data Encryption Standard (DES), double DES, triple DES, and Advanced Encryption Standard (AES).


Figure 15.2 Message Exchange Using Secret Key

The main problem in private-key cryptography is getting the sender and receiver to agree on the secret key without anyone else finding it out. If the key is compromised, the security offered by secret-key cryptography is severely reduced or eliminated. It assumes that the parties who share a key rely upon each other not to disclose the key and to protect it against modification. If they are in separate physical locations, they must trust a medium, such as a courier or a phone system, to prevent the disclosure of the secret key. Anyone who overhears or intercepts the key in transit can later read, modify, and forge all messages encrypted or authenticated using that key.

Public-key Cryptography

It is sometimes also called asymmetric-key cryptography. It was introduced by Diffie and Hellman in 1976 to overcome the problem found in the secret-key cryptography. It involves the use of two different keys for encryption and decryption. These two keys are referred to as the public key (used for encryption) and the private key (used for decryption). Each authorized user has a pair of public and private keys. The public key of each user is known to everyone, whereas, the private key is known to its owner only.

Now suppose that a user A wants to transfer some information to user B securely. The user A encrypts the data by using the public key of B and sends the encrypted message to B. On receiving the encrypted message, B decrypts it by using his/her private key. Since decryption process requires the private key of user B, which is only known to B, the information is transferred securely. Figure 15.3 illustrates the whole process. Rivest, Shamir, Adleman (RSA) is a well-known example of public-key algorithm.


Figure 15.3 Message Exchange Using Public Key

The main advantage of the public-key cryptography is that the need for the sender and receiver to share the secret key is eliminated and all communications involve only public keys. Thus, no private key is ever transmitted or shared. Anyone can send a confidential message using the public key, but the message can only be decrypted with a private key, which is in the sole possession of the intended recipient.

Hash Functions

It is a one-way encryption algorithm that does not use any key to encrypt or decrypt the data. It takes a variable-length message as input and produces a fixed-length output referred to as the hash code or hash value. Formally, the hash code (h) can be expressed as follows:

h = H(M)

where,

M = Message (string) of any length

H = Hash function

h = Fixed-length string (hash code)

At the sender's end, the hash code is computed and concatenated with the message. The message plus hash code are then sent to the receiver through the network. At the receiver's end, the receiver separates the message from the hash code and again applies the hash function on it to produce a new hash code. If the recomputed hash code is the same as the received hash code, the message is authenticated.

Since a secret key is not given as an input to the hash function, the hash code plays the role of a ‘signature’ for the data being sent from the sender to the receiver through the network. In addition, the hash function takes into account all bits of the message; therefore, a change to one bit or many bits of the message results in a change to the hash code. Hash functions are commonly employed by many operating systems to encrypt passwords and preserve the integrity of a file.
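The message-plus-hash-code exchange described above, as an added example that is not part of the original text. SHA-256 stands in for H, the sample messages and key are constructed, and the HMAC functions are an addition beyond the page: they show the keyed variant needed when someone on the network can replace both the message and its hash code.

```python
import hashlib
import hmac

DIGEST_LEN = hashlib.sha256().digest_size  # 32 bytes for SHA-256


def hash_code(message: bytes) -> bytes:
    """h = H(M): fixed-length output for a message of any length."""
    return hashlib.sha256(message).digest()


def send_with_hash(message: bytes) -> bytes:
    """Sender: compute the hash code and concatenate it with the message."""
    return message + hash_code(message)


def receive_with_hash(packet: bytes):
    """Receiver: separate M from h, recompute H(M), accept only on a match."""
    if len(packet) < DIGEST_LEN:
        return None
    message, received = packet[:-DIGEST_LEN], packet[-DIGEST_LEN:]
    return message if hmac.compare_digest(hash_code(message), received) else None


def send_with_hmac(key: bytes, message: bytes) -> bytes:
    """Keyed variant: the tag depends on a secret shared by both ends."""
    return message + hmac.new(key, message, hashlib.sha256).digest()


def receive_with_hmac(key: bytes, packet: bytes):
    if len(packet) < DIGEST_LEN:
        return None
    message, received = packet[:-DIGEST_LEN], packet[-DIGEST_LEN:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return message if hmac.compare_digest(expected, received) else None


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Return a copy of data with one bit inverted (simulated corruption)."""
    out = bytearray(data)
    out[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(out)


def differing_bits(a: bytes, b: bytes) -> int:
    """Number of bit positions in which two equal-length strings differ."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


if __name__ == "__main__":
    msg = b"Pay 100 to account 42"          # constructed sample message
    packet = send_with_hash(msg)
    print("intact packet accepted:", receive_with_hash(packet) == msg)
    print("one flipped bit accepted:", receive_with_hash(flip_bit(packet, 5)) is not None)
    print("hash bits changed by a one-bit edit:",
          differing_bits(hash_code(msg), hash_code(flip_bit(msg, 0))))

    # Limit of the unkeyed scheme: a replaced message carries its own valid hash.
    replaced = send_with_hash(b"Pay 900 to account 42")
    print("replaced message accepted (plain hash):",
          receive_with_hash(replaced) is not None)

    key = b"constructed-shared-key"         # constructed sample key
    forged = send_with_hmac(b"not-the-key", b"Pay 900 to account 42")
    print("replaced message accepted (HMAC):",
          receive_with_hmac(key, forged) is not None)
```
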

8. Differentiate between private-key and public-key cryptography.

Ans.: Some of the differences between private-key and public-key cryptography are listed in Table 15.1.

Table 15.1 Differences Between Private-key and Public-key Cryptography

 

| S. No. | Private-key Cryptography | Public-key Cryptography |
|---|---|---|
| 1. | It uses a single key for both encryption and decryption of data. | It uses two different keys: public key for encryption and private key for decryption. |
| 2. | Both the communicating parties share the same algorithm and the key. | Both the communicating parties should have at least one of the matched pair of keys. |
| 3. | The process of encryption and decryption is very fast. | Encryption and decryption process is slower as compared to symmetric cryptography. |
| 4. | Key distribution is a big problem. | Key distribution is not a problem. |
| 5. | The size of the encrypted text is usually same or less than the original text. | The size of encrypted text is usually more than the size of the original text. |
| 6. | It can only be used for confidentiality (i.e., only for encryption and decryption of data). | It can be used for confidentiality of data as well as for integrity and non-repudiation checks (i.e., for digital signatures). |

 

9. What is a digital signature? Describe digital signature process with the help of a suitable example.

Ans.: A digital signature is an authentication mechanism that allows the sender to attach an electronic code with the message in order to ensure its authenticity and integrity. This electronic code acts as a signature of the sender and hence, named digital signature. It uses the public-key cryptography technique. The sender uses his private key and a signing algorithm to create a digital signature, and the signed document can be made public. The receiver, on the other hand, uses the public key of the sender and a verifying algorithm to verify the digital signature.

The digital signature process is shown in Figure 15.4. Suppose user A wants to send his/her signed message to B through the network. To achieve this communication, follow the steps given below:

  1. User A uses his/her private key (EA), applied to a signing algorithm, to sign the message (M).
  2. The message (M) along with A's digital signature (S) is sent to B.
  3. On receiving the message (M) and the signature (S), B uses A's public key (DA), applied to the verifying algorithm, to verify the authenticity of the message. If the message is authentic, B accepts the message; otherwise he/she rejects it.


Figure 15.4 Digital Signature Process
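The three steps above carried through in code, as an added example that is not part of the original text. It uses unpadded hash-then-RSA with key pairs constructed from publicly known Mersenne primes so that it runs on the standard library alone; such keys give no security, and real systems use randomly generated keys with a padded scheme such as RSA-PSS from a vetted library.

```python
import hashlib

E = 65537  # public exponent used for both constructed keys


def make_demo_key(p_bits: int, q_bits: int):
    """Build an RSA key pair from the Mersenne primes 2**p_bits - 1 and 2**q_bits - 1.

    Constructed for this example only: these primes are public knowledge,
    so the modulus can be factored by anyone.
    """
    p, q = 2**p_bits - 1, 2**q_bits - 1
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent (Python 3.8+)
    return (d, n), (E, n)              # (private key, public key)


def digest_as_int(message: bytes) -> int:
    """Hash the message and read the 256-bit digest as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, private_key) -> int:
    """Step 1: the signer applies the private key to the message digest."""
    d, n = private_key
    return pow(digest_as_int(message), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Step 3: the receiver applies the signer's public key and compares."""
    e, n = public_key
    if not 0 <= signature < n:
        return False
    return pow(signature, e, n) == digest_as_int(message)


# A's key pair: the page calls the private key EA and the public key DA.
A_PRIVATE, A_PUBLIC = make_demo_key(521, 607)
# A second, unrelated key pair standing in for anyone who is not A.
OTHER_PRIVATE, OTHER_PUBLIC = make_demo_key(607, 1279)


if __name__ == "__main__":
    M = b"Transfer 100 to B"            # constructed sample message
    S = sign(M, A_PRIVATE)              # step 1
    # Step 2: (M, S) travels to B. Step 3: B checks it with A's public key.
    print("genuine message accepted:", verify(M, S, A_PUBLIC))
    # A message altered after signing no longer matches the signature.
    print("altered message accepted:", verify(b"Transfer 900 to B", S, A_PUBLIC))
    # A signature made with a different private key does not verify as A's.
    print("other signer accepted:", verify(M, sign(M, OTHER_PRIVATE), A_PUBLIC))
```
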

10. Discuss the various services provided by digital signatures.

Ans.: The various security services provided by digital signatures are as follows:

• Message authentication: A normal message authentication scheme protects the two communicating parties from the attack of the third party (intruder). However, a secure digital signature scheme protects the two parties against each other also. Suppose A wants to send his signed message (message with A's digital signature) to B through a network. For this, A encrypts the message using his private key, which results in a signed message. The signed message is then sent through the network to B. Now, B attempts to decrypt the received message using A's public key in order to verify that the received message has really come from A. If the message gets decrypted, B can believe that the message is from A.
• Message integrity: They also provide message integrity. If a message bears a digital signature, then any change in the message after signature will invalidate the signature. That is, it is not possible to get the same signature if the message is changed. Moreover, there is no efficient way to modify a message and its signature such that a new message with a valid signature is produced.
• Non-repudiation: They also ensure non-repudiation. For example, if A has sent a signed message to B, then in future A cannot deny sending the message. B can keep a copy of the message along with A's signature. In case A denies, B can use A's public key to generate the original message. If the newly created message is the same as the message initially sent by A, it is proved that the message has been sent by A only. In the same way, B can never create a forged message bearing A's digital signature because only A can create his/her digital signatures with the help of his/her private key.
• Message confidentiality: They do not provide message confidentiality because anyone knowing the sender's public key can decrypt the message. Thus, to achieve message confidentiality, we need to encrypt the message along with the signature using either secret-key encryption or public-key encryption scheme. For example, if we use the public-key encryption scheme, then at A's end, first the message is encrypted using A's private key and then a second encryption is performed using B's public key. Similarly, at B's end, first the message is decrypted using B's private key and then a second decryption is performed using A's public key. With this mechanism, only B can decrypt the encrypted message received from A because only he/she knows his/her own private key.

11. What are the essential properties and requirements for a digital signature?

Ans.: A digital signature is used in those situations where there is a lack of trust between the sender and receiver. For example, suppose a user A transfers funds to B electronically. Now, B in future increases the amount of funds transferred and claims that the larger amount had arrived from A. Thus, to achieve secure communication between the two users and to resolve their disputes, if any, the digital signature must have the following properties:

• It must be able to verify the author and the date and time of the signature.
• It must be able to authenticate the contents of the message at the time of the signature.
• There must be some third (trusted) party that can verify the digital signature to resolve disputes between the sender and the receiver.

Thus, we can say that the authentication function is included within the digital signature function. Based on the above-mentioned properties, we can devise the following requirements for a digital signature:

• It must be in the form of a bit pattern and relative to the message being signed.
• It must contain some information that is unique to the sender so that forgery and denial can be avoided.
• The process of creating the digital signature must be comparatively easy.
• The process of recognizing and verifying the digital signature must also be comparatively easy.
• A high computational effort must be required to forge a digital signature. That is, it must be infeasible for an intruder to create a new message for an existing signature or to create a fake digital signature for an existing message.
• The copy of a digital signature must be retained in some storage mechanism.

12. What do you understand by the term ‘firewall’? Explain its use with the help of an example.

Ans.: The progressive use of the Internet in organizations has opened up possibilities for the outside world to interact with the internal network, creating a great threat to the organization. Usually, organizations have a huge amount of confidential data, leaking of which may prove a serious setback. Moreover, it is also required to protect the internal network against malicious programs such as viruses and worms. Therefore, some mechanism is needed to ensure that the valuable data within the organization remains inside and that outside attackers cannot break the security of the internal network.

Firewall is such a mechanism that protects and isolates the internal network from the outside world. Simply put, it prevents certain outside connections from entering into the network. It traps inbound or outbound packets, analyzes them, and then permits access or discards them. Basically, it is a router or a group of routers and computers that filter the traffic and implement access control between an un-trusted network (Internet) and the more trusted internal networks.

To understand the use of the firewall, consider an example where an organization is having hundreds of computers on the network. In addition, the organization will have one or more connections to the Internet lines. Now, without a firewall in place, all the computers are directly accessible to anyone on the Internet. A person who knows what other people are doing can probe those computers; try to make FTP (file transfer protocol) connections to them, or telnet connections, etc. If one employee makes a mistake and leaves a security hole, hackers can get to the machine and exploit that hole.

With a firewall in place, the network landscape becomes much different. An organization will place it at every connection to the Internet (e.g., at every T1 line coming into the company). It can implement security rules. For example, one of the security rules may be: out of the 300 computers inside an organization, only one is permitted to receive public FTP traffic. A company can set up rules like this for FTP servers, web servers, telnet servers, etc. In addition, the organization can have control on how employees connect to websites, whether files can be sent as attachments outside the company over the network, etc. Firewall provides incredible control over how people use the network.

13. What kind of protection does a firewall provide?

Ans.: A firewall provides incredible control over how people use the network. It provides the following kinds of protection:

• It blocks unwanted traffic.
• It directs incoming traffic to more trustworthy internal systems.
• It hides vulnerable systems, which cannot be secured from the Internet.
• It logs traffic to and from the private network.
• It hides information like system names, network topology, network device types, and internal user IDs from the Internet.
• It provides more robust authentication than standard applications.

14. Explain the various types of firewall along with their advantages and disadvantages.

Ans.: Depending on the criteria used for filtering traffic, there are three common types of firewalls: packet filter (or packet-filtering router), application-level gateway, and circuit-level gateway.

Packet-filtering Router

It is also known as screening router or screening filter. It is one of the oldest firewall technologies that operates at the network layer. It examines the incoming and outgoing packets by applying a fixed set of rules on them and thus, determines whether to forward the packets or to reject them. The rules used for filtering the packets are defined based on the following information contained in a network internet protocol (IP) packet:

• The IP address of the system from where the packet has come.
• The IP address of the system for which the packet is destined.
• The transport layer protocol used such as transmission control protocol (TCP) or user datagram protocol (UDP).
• Transport-level address (i.e., port number) of source and destination, which identifies the application such as Telnet or simple network management protocol (SNMP).
• The interface of the router where the packet came from or is destined to.

The filtering rules specify which packets are allowed to pass through and in which direction they should flow, that is, from external to internal network or vice versa. Each rule has a specified action associated with it, either to allow or to deny a packet. Thus, there are two sets of filtering rules: allow rules, which permit the traffic, and deny rules, which discard the traffic. While examining a packet, if a match is found with any of the allow rules, the packet is forwarded to the desired destination. On the other hand, if a match is found with any of the deny rules, the packet is discarded. If no match is found, the default action is taken. The default policy can be either to forward or to discard the packet. The former default policy provides more ease of use to the end-users but offers a reduced level of security. In contrast, the latter default policy is more conservative but provides more security. Therefore, the implementation of a firewall is generally initiated with the default discard policy, and packet filtering is then enforced by applying the rules one by one.
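The rule matching and default policy described above can be sketched as follows. This is an added example, not code from the book: the addresses, interface names (`ext0`, `int0`) and rule set are constructed, and it assumes rules are checked in order with the first match deciding, which the text does not specify.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int
    iface: str   # router interface the packet arrived on

@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    iface: str             # "*" matches any interface
    src: str               # CIDR block
    dst: str               # CIDR block
    proto: str             # "*" matches any protocol
    dport: Optional[int]   # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (self.iface in ("*", p.iface)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("*", p.proto)
                and self.dport in (None, p.dport))

def filter_packet(rules, packet, default="deny"):
    """Return the action of the first matching rule, else the default policy."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return default

ANY = "0.0.0.0/0"
# Constructed rule set: internal network 192.0.2.0/24, FTP server 192.0.2.10.
RULES = [
    # Drop packets arriving from outside that claim an internal source address.
    Rule("deny", "ext0", "192.0.2.0/24", ANY, "*", None),
    # Only one internal host may receive public FTP traffic.
    Rule("allow", "ext0", ANY, "192.0.2.10/32", "tcp", 21),
    # Internal hosts may open outbound web connections.
    Rule("allow", "int0", "192.0.2.0/24", ANY, "tcp", 80),
]

if __name__ == "__main__":
    probe = Packet("203.0.113.7", "192.0.2.11", "tcp", 40000, 21, "ext0")
    print(filter_packet(RULES, probe))            # default discard policy
    print(filter_packet(RULES, probe, "allow"))   # default forward policy
```

Because the filter keeps no state, the reply to an allowed outbound web request matches no rule and is discarded by the default policy unless a further rule is written for it.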

Some advantages of packet filter are as follows:

• It is simple as a single rule is enough to indicate whether to allow or deny the packet.
• It is transparent to the users; the users need not know the existence of packet filters.
• It operates at a fast speed as compared to other techniques.
• The client computers need not be configured specially while implementing packet-filtering firewalls.
• It protects the IP addresses of internal hosts from the outside network.

Some disadvantages of packet filter are as follows:

• It is unable to inspect the application layer data in the packets and thus, cannot restrict access to FTP services.
• It is a difficult task to set up the packet-filtering rules correctly.
• It lacks support for authentication and has no alert mechanisms.
• Being stateless in nature, it is not well suited for application layer protocols.

Application-level Gateway

It operates at the application layer of the open systems interconnection (OSI) model. It is also termed as a proxy server or simply called proxy that handles the flow of application-level traffic. The operations of application-level gateways are as follows:

  1. A user contacts the application gateway with the help of a TCP/IP application such as telnet, FTP, or hypertext transfer protocol (HTTP).
  2. In response, the application gateway asks the user for the name, IP address, and other information about the remote host that is to be accessed. It also asks the user to present its user ID and password to access the gateway.
  3. The user supplies a valid user ID, password, and other desired information to it.
  4. After verifying the user, it contacts the application running on the remote host on behalf of the user. The TCP segments comprising the application data are exchanged between the two endpoints.
  5. Now, the application gateway serves as a proxy of the original user and delivers application data in both directions, from remote host to the user and vice versa.

It is considered the most secure type of firewall as it provides the following advantages:

• The entire communication between the internal and external networks is only through the application gateway. This protects the internal IP addresses from the external network.
• The use of application gateway provides transparency between the users and the external network.
• It understands and implements high-level protocols such as HTTP and FTP.
• It supports functions such as user authentication, caching, auditing, and logging.
• It can process and manipulate the packet data.

Some disadvantages of application-level gateway are as follows:

• Each new network service requires a number of proxy services to be added. Thus, it is not scalable.
• The addition of proxy services causes the client applications to be modified.
• It operates at a slow speed and as a result, the performance degrades.
• As it relies on the support provided by the underlying operating system, it is vulnerable to the bugs in the system.

Circuit-level Gateway

It operates in a manner similar to the packet-filtering firewall except that it operates at the session and transport layers of the OSI model. Whenever a session is to be established between a host in the internal network and a host outside the internal network, two TCP connections are established, one between the TCP user in the internal network and the circuit-level gateway and another between the circuit-level gateway and the TCP user in the external network. After both connections have been established, the circuit-level gateway forwards packets from one connection to the other without inspecting their contents. This is because in a circuit-level gateway, the session is validated before the connections are opened. Thus, there is no need to examine the packet contents once the session has been established. It is best suited to situations where the system administrator trusts the internal users.

It maintains a virtual table to store session-related information of all the valid connections. This information includes the session date, a unique session identifier, connection state, IP addresses of source and destination, the sequencing information, and the physical network interface through which the packet has to come and go. Rather than allowing all packets that meet the rule set requirements to pass, it allows only those packets that are part of a valid, established connection.
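The session table and relay behaviour described above can be modelled as follows. This is an added sketch, not code from the book: the `CircuitGateway` class, its policy (a set of internal hosts and permitted destination ports) and all addresses are assumptions made for illustration.

```python
import itertools

class CircuitGateway:
    """Hypothetical model: validate once at setup, then relay by session."""

    def __init__(self, internal_hosts, allowed_ports):
        self.internal_hosts = set(internal_hosts)
        self.allowed_ports = set(allowed_ports)
        self.sessions = {}                 # session id -> session record
        self._ids = itertools.count(1)     # unique session identifiers

    def open_session(self, src, sport, dst, dport):
        """Validate the session before any connection is opened."""
        if src not in self.internal_hosts or dport not in self.allowed_ports:
            return None
        sid = next(self._ids)
        self.sessions[sid] = {
            "inside": (src, sport),        # leg 1: internal host <-> gateway
            "outside": (dst, dport),       # leg 2: gateway <-> external host
            "state": "ESTABLISHED",
            "relayed": 0,                  # bytes forwarded, for auditing
        }
        return sid

    def relay(self, sid, sender, payload):
        """Forward payload to the other leg; the content is never inspected."""
        s = self.sessions.get(sid)
        if s is None or s["state"] != "ESTABLISHED":
            return None                    # not part of a valid connection
        if sender == s["inside"]:
            target = s["outside"]
        elif sender == s["outside"]:
            target = s["inside"]
        else:
            return None                    # endpoint does not own this session
        s["relayed"] += len(payload)
        return target, payload

    def close_session(self, sid):
        if sid in self.sessions:
            self.sessions[sid]["state"] = "CLOSED"

if __name__ == "__main__":
    gw = CircuitGateway({"192.0.2.50"}, {80})   # constructed policy
    sid = gw.open_session("192.0.2.50", 40001, "198.51.100.5", 80)
    print(gw.relay(sid, ("198.51.100.5", 80), b"any bytes at all"))
```

Any payload from a valid endpoint is forwarded unchanged, which is the source of the gateway's inability to perform security checks on higher-level protocols.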

Some advantages of circuit-level gateway are as follows:

• It operates at a fast speed as compared to application-level gateway.
• It offers more security than packet filter.
• It is not subject to IP address spoofing attack.

Some disadvantages of circuit-level gateway are as follows:

• It is unable to perform security checks on higher level protocols.
• It can restrict access only to TCP protocol subsets.
• It has only a confined audit event generation capability.

15. List some limitations of firewalls.

Ans.: Though a firewall is an effective means of providing security to an organization, it has certain limitations:

• It provides effective security to the internal network if it is configured as the only entry–exit point in the organization. However, if there are multiple entry–exit points in the organization and a firewall is implemented at just one of them, then the incoming or outgoing traffic may bypass the firewall. This makes the internal network susceptible to attack from the points where it has not been implemented.
• It is designed to protect against outside attacks. However, it does not have any mechanism to protect against internal threats such as an employee of a company who unknowingly helps an external attacker.
• It does not provide protection against any virus-infected program or file being transferred through the internal network. This is because it is almost impossible to scan all the files entering in the network for viruses. To protect the internal network against virus threats, a separate virus detection and removal strategy should be used.

Multiple-choice Questions

1.  Some of the commonly occurring security threats to a network are __________.

(a) Errors and omissions

(b) Fraud and theft

(c) Malicious code

(d) All of these

2.  Virus is a computer __________.

(a) File

(b) Network

(c) Program

(d) Database

3.  A __________ replicates itself by creating its own copies, in order to bring the network to a halt.

(a) Worm

(b) Virus

(c) Trojan horse

(d) Logic bomb

4.  Virus that changes its code as it propagates from one file to another is called __________.

(a) File-infecting virus

(b) Stealth virus

(c) Polymorphic virus

(d) Multipartite virus

5.  Cryptography technique relies on __________.

(a) Algorithm

(b) Key

(c) Both (a) and (b)

(d) None of these

6.  The shared-key concept of cryptography is used in the __________.

(a) Public-key cryptography

(b) Secret-key cryptography

(c) Hash function

(d) None of these

7.  Firewall application is used for __________.

(a) Trapping inbound or outbound packets

(b) Scanning viruses

(c) Encrypting messages

(d) None of these

8.  Firewall technique that requires a proxy for each service to be supported through it is called __________.

(a) Packet-filtering router

(b) Circuit-level gateway

(c) Application-level gateway

(d) None of these

9.  Which of the following pair of keys is used to create and verify the digital signature respectively?

(a) Signer's private key and verifier's public key

(b) Verifier's public key and verifier's private key

(c) Signer's private key and signer's public key

(d) Signer's public key and signer's private key

10.  Circuit-level gateways are __________ as compared to packet filters.

(a) Less secure

(b) More secure

(c) Slower

(d) None of these

11.  __________ firewall is mostly used in small businesses.

(a) Packet-filtering

(b) Circuit-level gateway

(c) Application-level gateway

(d) None of these

Answers

1. (d)

2. (c)

3. (a)

4. (c)

5. (d)

6. (b)

7. (a)

8. (b)

9. (c)

10. (b)

11. (a)
