LO 4 - INFORMATION SHEET - Monitor and Administer System and Network Security - ICT HNS3 05 0710
TVET INSTITUTE
Learning Guide 4
Course Title: Computer System and Network
Security
Module Title: Administering Network Infrastructure
Course Content: Determine Network Security
LO4 - Determining Network Security
Instruction
Computers have become an integral part of our lives, and network security threats are something we hear about often. Whether it is a personal computer or a workstation in a large corporation, every computer needs to be protected from network security threats. The moment a computer is connected and ready to use, it is also exposed to threats such as viruses and other malicious software that can damage its functionality. In addition, any personal information stored on the computer is at risk if the machine has not been protected from attackers who are ready to steal it.
In order to protect our computers from the network security threats they are exposed to, we first need to understand the different types of threats that exist; only then will we be able to safeguard our computers. The most common kind of network security threat is the virus. A virus is commonly delivered as a downloadable attachment in the form of an executable file. Nothing happens until the user runs it: the moment the executable is run, the malicious code executes and the computer is infected.
The function of a virus is usually to corrupt the files on the system. This may be limited to data or application files, or it may reach the operating system itself. Some viruses are relatively harmless and affect only certain kinds of software; others render the computer unusable as soon as they are downloaded and executed. Such viruses are listed among the top computer network security threats.
When we talk about the network security threats posed by different kinds of malicious code, it is important to understand the programs called worms. A worm is a close relative of the virus that can cause a massive amount of damage to your computer system, but unlike a virus it does not need to attach itself to a host file or wait for a user to run an attachment: it copies itself to other computers over the network by exploiting a vulnerable service or by mailing itself out. Some malicious programs only cause annoying pop-ups every now and then; the more dangerous ones cause permanent damage to the installed software. There have been cases where worms made the infected computer automatically send e-mails to every address stored on it. The most dangerous property of worms is precisely that they spread without any user action, so a single unpatched machine can infect a whole network in minutes.
People often store their personal information on their computers because most of us take care of bill payments, bank account transactions, and other important tasks through our computers. Imagining the problems that can arise if your computer is hacked or crashes is a scary thought. It is better for all of us to secure our computers by installing good anti-virus software and keeping it up to date, so that it can safeguard our computers from the many computer network security threats.
While there are several free products that you can download and use to safeguard your computer, they are often not as effective as the paid versions of security software. They are usually limited and will not completely eliminate network security threats such as the viruses and
This learning guide is developed to provide you with the necessary information regarding the following content coverage and topics:
Resource Sharing
Security Threats
Signature Files for Anti-virus
This guide will also assist you to attain the learning outcome stated on the cover page.
Learning Activities:
*Your teacher will evaluate your output as either satisfactory or not satisfactory. If not satisfactory, your teacher will advise you on additional work. If satisfactory, you can proceed to the next topic.
Examples are shared file access (also known as disk sharing and folder sharing), shared printer access
(printer sharing), shared scanner access, etc. The shared resource is called a shared disk (also known as
mounted disk), shared drive volume, shared folder, shared file, shared document, shared printer or
shared scanner.
The term file sharing traditionally means shared file access, especially in the context of operating systems and LAN and intranet services, for example in Microsoft Windows documentation. However, as BitTorrent and similar applications became available in the early 2000s, the term file sharing increasingly became associated with peer-to-peer file sharing over the Internet.
Users can share resources over the network. You can share a single file, specific folders, or an entire
drive, as shown in Figure 1.
Members of the Administrators or Power Users group can share folders on a Windows member server.
Users have to be members of the Administrators or Server Operators group to share folders on a
domain’s domain controller. Users that have the Create Permanent Shared Objects user right are able to
share folders as well. To share folders on NTFS volumes, users have to minimally have the Read
permission.
When folders are shared, keep in mind that only folders can be shared, not individual files. Shared folder permissions are irrelevant to users who are logged on locally to the computer; they apply only to access over the network. Shared folders that are moved are no longer shared. When a shared folder is copied, the copy is not shared; the original shared folder remains shared.
Shared folder permissions have fewer options than NTFS permissions, and they have several limitations:
* The only shared folder permissions that can be assigned to users/groups are Read, Change, or Full Control.
* Share permissions are not inheritable.
* Users cannot back up or audit shared folder permissions.
* If the user moves or even renames a shared folder, the shared folder permissions for that particular folder no longer exist.
Because of these disadvantages, shared folder permissions are typically relied on only for FAT or FAT32 volumes, which have no file-system permissions of their own. On NTFS volumes, NTFS permissions give finer control, and a user's effective access over the network is the more restrictive of the share permission and the NTFS permission.
Users can use Windows Explorer to share local folders only. In order to share local folders and remote
folders, use Computer Management. Use the File Server Management MMC snap-in to manage shared
folders.
The shared folder options that can be set when sharing a folder are listed below:
Do Not Share This Folder: The folder can only be accessed locally.
Share This Folder: The folder can be accessed locally and over the network. See Figure 2
Share Name: The name users would see and utilize to access the folder.
Description: Additional information on the shared folder.
User Limit: The maximum number of connections that are concurrently permitted to the shared
folder.
Permissions: The manner in which users are allowed to access the folder.
Offline Settings: Whether and how the folder's contents are cached on client computers so that they remain available when the share is unreachable (offline files).
Shared folders enable users to access folders over the network. Shared folder permissions specify which users are allowed to connect to a shared folder over the network. Unlike NTFS permissions, shared folder permissions are not stored in the file system's access control lists (ACLs) and cannot be assigned to individual files. Shared folder permissions can only be specified for folders, but they can be specified for folders stored on volumes formatted with a file system other than NTFS.
The shared folder permissions that can be configured are summarized below:
Read: The Read permission allows users to view folder and file names, file data, and file attributes.
Users are also able to access the shared folder’s subfolders, and run program files and scripts.
Change: Those who are granted the Change permission can perform all of the functions that the
Read permissions grant as well as create and delete files and subfolders. Users are also able to
change file attributes, change the data in files, and append data to files.
Full Control: Users that are granted the Full Control permission can perform all the tasks that the
Change permissions enable, take ownership of files, and change file permissions.
Windows XP Professional and Windows Vista Business are limited to a maximum of 10 simultaneous file-
sharing connections.
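The two permission sets above combine when a folder on an NTFS volume is accessed over the network. The following Python script (an added example, not part of this learning guide) models the rules: the share permission is resolved from the user's groups with Deny winning, share permissions are ignored for a local logon, and over the network the effective permission is the more restrictive of share and NTFS. The share name, groups and accounts are constructed sample data.

```python
"""Effective access to a shared folder: share permission combined with NTFS.

Added example (not part of the learning guide).  Assumed rules, which are the
standard Windows behaviour: a user's share permission is the union of the
Allow entries for the user and all of their groups, any matching Deny entry
wins, share permissions are ignored for local logons, and over the network
the effective permission is the more restrictive of the share permission and
the NTFS permission.  All groups, users and ACLs below are constructed.
"""

# Ordering used for "most restrictive wins".  NTFS has more levels than the
# share side; for the comparison both are mapped onto the three share levels.
RANK = {"None": 0, "Read": 1, "Change": 2, "Full Control": 3}


def share_permission(principals, share_acl):
    """Resolve a share ACL for a user described by their principals (the
    user account plus every group it belongs to).  share_acl is a list of
    (principal, level, allow) tuples."""
    denied = False
    best = "None"
    for principal, level, allow in share_acl:
        if principal not in principals:
            continue
        if not allow:
            denied = True               # an explicit Deny for any matching principal wins
        elif RANK[level] > RANK[best]:
            best = level                # Allow entries accumulate: highest wins
    return "None" if denied else best


def effective_permission(principals, share_acl, ntfs_level, local_logon=False):
    """Effective access: NTFS alone for a local logon, otherwise the more
    restrictive of the share permission and the NTFS permission."""
    if local_logon:
        return ntfs_level               # share permissions are irrelevant locally
    share = share_permission(principals, share_acl)
    return min(share, ntfs_level, key=lambda level: RANK[level])


# Constructed sample: share "Reports" with Everyone=Read, Accounting=Change,
# and one temporary account explicitly denied.
SHARE_ACL = [
    ("Everyone", "Read", True),
    ("Accounting", "Change", True),
    ("CONTOSO\\temp01", "Read", False),
]

if __name__ == "__main__":
    alice = {"CONTOSO\\alice", "Everyone", "Accounting"}
    temp = {"CONTOSO\\temp01", "Everyone"}
    # Alice: share=Change, NTFS=Full Control -> Change when coming over the network
    print(effective_permission(alice, SHARE_ACL, "Full Control"))
    # The same account logged on locally gets the full NTFS permission
    print(effective_permission(alice, SHARE_ACL, "Full Control", local_logon=True))
    # temp01 is denied at the share even though NTFS would grant Read
    print(effective_permission(temp, SHARE_ACL, "Read"))
```

The same calculation explains the common support question "I gave the user Full Control on the folder, why can they only read it?": the share permission, often left at the default Everyone=Read, is the one that limits them.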
Directions: Match the definition on the left with a term on the right. Write the letter only. All definitions and terms are used exactly one time.
DEFINITIONS
a. A folder option that can only be accessed locally.
b. Used to restrict access to a folder or file that is shared over a network.
c. Can perform all the tasks that the Change permissions enable, take ownership of files, and change file permissions.
d. A folder option in which users are allowed to access the folder.
e. Can perform all of the functions that the Read permissions grant as well as create and delete files and subfolders.
f. The maximum number of connections that are concurrently permitted to the shared folder.
g. The name users would see and utilize to access the folder.
h. Permission allows users to view folder and file names, file data, and file attributes.
i. The manner in which folders are cached at times when the folder is offline.
j. A folder option that can be accessed locally and over the network.
TERMS
_______1. Share this folder
_______2. Permission
_______3. Shared Folder Permission
_______4. Read
_______5. Offline Settings
_______6. Change
_______7. Do not share this folder
_______8. User limit
_______9. Full control
_______10. Share name
In this activity, you will create and share a folder, share a printer, and set permissions for the
shares.
Recommended Equipment
Two computers running Windows XP Professional that are directly connected to each other
or through a switch or hub
Uncheck the “Use Simple File Sharing (Recommended)” checkbox, and then click OK.
Save the file in the “Example” folder with the name “Brief.doc”, and then close WordPad.
Step 3: Right-click the Example folder, and then choose Sharing and Security
Click the Share this folder radio button, and then click OK.
Delete the text in the “Brief.doc” file, and then choose File > Save.
Click OK.
Close WordPad, and then choose NO when prompted to save changes to the file.
Step 6: Open the Control Panel on the computer with the attached printer.
Choose Printers and Other Hardware > Printers and Faxes.
Right-click the icon of the installed printer, and then choose Sharing….
Click the Share this printer radio button, and then click OK.
Click Next.
The Local or Network Printer of the Add Printer Wizard window appears. Click the A
network printer, or a printer attached to another computer radio button, and then click
Next.
Choose the printer from the list, and then click Next.
Click Next.
Click Finish.
Choose the General Tab, and then click Print Test Page.
A network attack or security incident is a threat, intrusion, denial of service or other attack on a network infrastructure, in which an attacker analyses your network and gathers information in order to eventually crash or corrupt it. In many cases the attacker is not only interested in exploiting software applications but also tries to obtain unauthorized access to network devices. Unmonitored network devices are a main source of information leakage in organizations. In most organizations, every e-mail message, every web page request, every user logon, and every transmitted file is handled by a network device; in some setups, telephone service and voice messaging are handled by network devices too. If an attacker is able to "own" your network devices, they "own" your entire network. Network attacks cut across all categories of software and platform type. The main categories are:
1. Spoofing.
2. Sniffing.
3. Mapping.
4. Hijacking.
5. Trojans.
6. DoS and DDoS.
7. Social engineering.
8. Phishing
FIGURE 1. Spoofing
The countermeasure for spoofing is ingress filtering, which is usually performed by routers. A router that performs ingress filtering checks the source IP address of each incoming datagram against the range of source addresses known to be reachable via the interface on which it arrived. If the source address is not in the valid range for that interface, the packet is discarded. Ingress filtering only stops packets whose forged source lies outside the prefixes expected on that interface; it cannot detect a forged address from within the same valid range, so it is most effective when applied as close to the network edge as possible.
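An ingress filter of this kind, written out in Python as an added example (not from the learning guide or any router vendor's code). The interface-to-prefix table and the sample datagrams are constructed; a real router derives the valid source prefixes for an interface from its routing table.

```python
"""Ingress (anti-spoofing) filter as a router applies it at an interface.

Added example, not part of the learning guide.  The interface table and the
datagrams are constructed sample data; a real router derives the prefixes
that are valid on an interface from its routing table.
"""
import ipaddress

# Source prefixes legitimately reachable through each interface.  The WAN
# interface accepts any Internet source, but must never deliver a packet that
# claims to come from our own address space (the classic spoofed source).
INTERFACE_PREFIXES = {
    "eth0-lan": [ipaddress.ip_network("192.168.10.0/24")],
    "eth1-dmz": [ipaddress.ip_network("203.0.113.0/24")],
    "eth2-wan": [ipaddress.ip_network("0.0.0.0/0")],
}
OUTSIDE_INTERFACE = "eth2-wan"
INTERNAL = [ipaddress.ip_network("192.168.10.0/24"),
            ipaddress.ip_network("203.0.113.0/24")]


def ingress_allowed(interface, src):
    """Return True if a datagram with source address src may enter via interface."""
    src_ip = ipaddress.ip_address(src)
    prefixes = INTERFACE_PREFIXES.get(interface)
    if prefixes is None:
        return False                        # unknown interface: drop
    if not any(src_ip in prefix for prefix in prefixes):
        return False                        # source not reachable via this interface
    if interface == OUTSIDE_INTERFACE and any(src_ip in p for p in INTERNAL):
        return False                        # our own addresses never arrive from outside
    if src_ip.is_loopback or src_ip.is_multicast:
        return False                        # never valid as a unicast source
    return True


def filter_datagrams(datagrams):
    """Apply the filter to (interface, src, dst) records and return verdicts."""
    return [(iface, src, dst, "accept" if ingress_allowed(iface, src) else "drop")
            for iface, src, dst in datagrams]


SAMPLE = [  # constructed datagram summaries: (arrival interface, src, dst)
    ("eth0-lan", "192.168.10.25", "203.0.113.10"),   # legitimate LAN host
    ("eth0-lan", "10.99.0.7", "203.0.113.10"),       # forged: not a LAN prefix
    ("eth2-wan", "198.51.100.44", "203.0.113.10"),   # legitimate Internet source
    ("eth2-wan", "192.168.10.1", "203.0.113.10"),    # forged internal address
    ("eth2-wan", "127.0.0.1", "203.0.113.10"),       # forged loopback source
]

if __name__ == "__main__":
    for iface, src, dst, verdict in filter_datagrams(SAMPLE):
        print(f"{iface:9} {src:>15} -> {dst:<15} {verdict}")
```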
2. Sniffing
FIGURE 2. Sniffing
Packet sniffing is the interception of data packets traversing a network. A sniffer program works at the data link (Ethernet) layer, in combination with the network interface card (NIC), to capture all traffic travelling to and from the host. If the NIC is put into promiscuous mode, the sniffer picks up every frame that reaches the interface, not just those addressed to the host: on a shared medium (a hub) that is every frame on the segment, while on a switched network it is only the traffic the switch forwards to that port. A sniffer placed on a backbone device, inter-network link or network aggregation point is therefore able to monitor a great deal of traffic. Most packet sniffers are passive: they listen to all data link layer frames passing by the device's network interface. There are dozens of freely available packet sniffer programs on the Internet; the more sophisticated ones also allow active intrusion.
Sniffers are hard to detect precisely because they are passive. Two approaches are used:
1. Host-based: commands exist that can be run on an individual host to tell whether its NIC is running in promiscuous mode (for example, by reading the interface flags the operating system reports).
2. Network-based: solutions check for the presence of sniffer processes and for the capture or log files that sniffer programs produce, which tend to grow large. Sophisticated intruders, however, almost always hide their tracks by disguising the process and cleaning up the files.
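The host-based check, as an added example in Python (not part of the learning guide). It reads the interface flags that the Linux kernel exposes under /sys/class/net/<interface>/flags and tests the IFF_PROMISC bit; the sysfs tree it scans here is a constructed stand-in so that the check runs without real interfaces or root privileges.

```python
"""Host-based check for a NIC in promiscuous mode, from the Linux sysfs flags.

Added example, not from the learning guide.  On Linux each interface's flags
are exposed in /sys/class/net/<ifname>/flags as a hexadecimal word; the bit
values below are the IFF_* constants from <linux/if.h>.  make_fake_sysfs()
builds a constructed stand-in for that tree so the scan can be exercised on
any machine; point scan_interfaces() at the real path on a Linux host.
"""
import os
import tempfile

IFF_UP = 0x1
IFF_PROMISC = 0x100


def is_promiscuous(flags_text):
    """Decode a sysfs flags value such as '0x1103' and test IFF_PROMISC."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def scan_interfaces(sysfs_net="/sys/class/net"):
    """Return {ifname: (is_up, is_promisc)} for every interface under sysfs_net."""
    result = {}
    for name in sorted(os.listdir(sysfs_net)):
        path = os.path.join(sysfs_net, name, "flags")
        try:
            with open(path) as f:
                flags = int(f.read().strip(), 16)
        except (OSError, ValueError):
            continue                        # not an interface directory
        result[name] = (bool(flags & IFF_UP), bool(flags & IFF_PROMISC))
    return result


def make_fake_sysfs(flag_map):
    """Build a temporary sysfs-like tree from {ifname: flags_hex} (constructed)."""
    root = tempfile.mkdtemp()
    for name, hex_flags in flag_map.items():
        os.makedirs(os.path.join(root, name))
        with open(os.path.join(root, name, "flags"), "w") as f:
            f.write(hex_flags + "\n")
    return root


if __name__ == "__main__":
    # eth0 up and normal (UP|BROADCAST|MULTICAST = 0x1003), eth1 the same
    # with IFF_PROMISC set (0x1103), lo loopback (UP|LOOPBACK = 0x9).
    root = make_fake_sysfs({"eth0": "0x1003", "eth1": "0x1103", "lo": "0x9"})
    for ifname, (up, promisc) in scan_interfaces(root).items():
        print(f"{ifname}: up={up} {'PROMISCUOUS' if promisc else 'normal'}")
```

A promiscuous interface is not proof of a sniffer (bridging and some monitoring agents set the flag legitimately), but an interface that is promiscuous with no known reason deserves the process-level checks described under the network-based approach.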
3. Mapping (Eavesdropping)
FIGURE 3. Eavesdropping
Before attacking a network, attackers would like to know the IP address of machines on the
network, the operating systems they use, and the services that they offer. With this information,
their attacks can be more focused and are less likely to cause alarm. The process of gathering this
information is known as mapping.
In general, the majority of network communications occur in an unsecured, "clear text" format, which allows an attacker who has gained access to the data paths in your network to "listen in" and interpret the traffic. When an attacker is eavesdropping on your communications, it is referred to as sniffing or snooping. The ability of an eavesdropper to monitor the network is generally the biggest security problem that administrators face in an enterprise.
The countermeasure is strong encryption of the traffic based on sound cryptography (for example TLS for web and mail, SSH in place of telnet, or IPsec between sites). Otherwise your data can be read by others as it traverses the network. Encryption protects the contents of the traffic; an eavesdropper can still see which hosts talk to each other and how much.
FIGURE 4. Hijacking
This is a technique that takes advantage of a weakness in the TCP/IP protocol stack and the way packet headers are constructed. Hijacking occurs when someone between you and the person with whom you are communicating is actively monitoring, capturing, and controlling your communication transparently. For example, the attacker can re-route a data exchange. When computers communicate at the low levels of the network layer, they might not be able to determine with whom they are actually exchanging data, because nothing in a plain IP or TCP header authenticates its sender.
Man-in-the-middle attacks are like someone assuming your identity in order to read your messages. The person on the other end might believe it is you, because the attacker might be actively replying as you, to keep the exchange going and gain more information.
FIGURE 5. Trojans
These are programs that look like ordinary software but actually perform unintended or malicious actions behind the scenes when launched. Most remote-control spyware programs are of this type. The number of trojan techniques is limited only by the attacker's imagination. A trojanized file will look, operate, and appear to be the same size as the system file it replaces.
The most reliable protection is to record a cryptographic checksum (or verify a digital signature) of every system binary before the system can be compromised, keep that baseline where an attacker cannot alter it, and compare the current files against it regularly. A file's name, size and timestamp can all be faked, but a modified file cannot be made to match a strong hash of the original.
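The checksum countermeasure in practice, as an added Python example (not the learning guide's code): a SHA-256 baseline of a file tree is recorded and later verified, catching a replaced binary whose size did not change as well as a dropped file. The files and the "trojanizing" are constructed in a temporary directory.

```python
"""Integrity baseline for system files: record SHA-256 digests, verify later.

Added example, not part of the learning guide.  The tree it hashes is
constructed in a temporary directory.  A baseline is only trustworthy if it
was taken before any compromise and is stored where an attacker cannot
rewrite it (read-only media or a separate host).
"""
import hashlib
import os
import tempfile


def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map each file under root (relative, '/'-separated) to (digest, size)."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = (sha256_file(full), os.path.getsize(full))
    return baseline


def verify(root, baseline):
    """Compare the tree against the baseline; report changed, missing and new
    files.  A trojanized file that keeps the original size is still caught,
    because the digest differs even when the size matches."""
    current = build_baseline(root)
    changed = sorted(p for p in baseline if p in current and current[p][0] != baseline[p][0])
    missing = sorted(p for p in baseline if p not in current)
    new = sorted(p for p in current if p not in baseline)
    return {"changed": changed, "missing": missing, "new": new}


def demo():
    """Constructed scenario: take a baseline, then replace one 'binary' with
    different bytes of exactly the same length and drop a new file."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "bin"))
    with open(os.path.join(root, "bin", "ls"), "wb") as f:
        f.write(b"\x7fELF original-ls-binary-contents")
    with open(os.path.join(root, "bin", "ps"), "wb") as f:
        f.write(b"\x7fELF original-ps-binary-contents")
    baseline = build_baseline(root)
    with open(os.path.join(root, "bin", "ps"), "wb") as f:
        f.write(b"\x7fELF trojaned-ps-binary-contents")   # same length as before
    with open(os.path.join(root, "bin", "rootkit.ko"), "wb") as f:
        f.write(b"dropped file")
    return verify(root, baseline)


if __name__ == "__main__":
    print(demo())
```

Run the baseline from trusted media (a live CD, or the installation image) rather than from the possibly compromised system, since a rootkit that intercepts file reads can feed the checker the original bytes.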
A DoS attack can be perpetrated in a number of ways. There are three basic types of attack:
* Consumption of computational resources, such as bandwidth, disk space or CPU time.
* Disruption of configuration information, such as routing information.
* Disruption of physical network components.
Early examples exploited software that could not handle unexpected input:
* Sending e-mail messages that have attachments with 256-character file names to Netscape and Microsoft mail programs.
* Sending oversized Internet Control Message Protocol (ICMP) packets (the "ping of death").
* Sending a user of an e-mail program a message with a "From" address longer than 256 characters.
b. Smurf Attack
In this attack, the perpetrator sends an ICMP echo (ping) request to a receiving site. The ping packet is addressed to the broadcast address of the receiving site's local network, so that every host on that network answers it. The packet's source address is forged to be the address of the target site that is to receive the denial of service attack. The result is a flood of ping replies from the whole network to the innocent, spoofed host; if the flood is great enough, the spoofed host can no longer receive or distinguish real traffic. The attack depends on routers forwarding directed broadcasts, which is why current routers disable that by default.
c. SYN Flood
When a computer wants to make a TCP connection to another computer, usually a server, an exchange of SYN and ACK segments takes place. The computer requesting the connection, usually the client, sends a TCP SYN segment which asks the server whether it can connect. If the server is ready, it sends a SYN-ACK back to the client to say "Yes, you may connect", reserves an entry for the half-open connection, and waits for the client to respond with an ACK. In a SYN flood the client address is usually forged, so the SYN-ACK the server sends is never answered: the forged client either does not exist or was not expecting the segment and ignores it. This leaves the server with a half-open connection reserved for a client that will never respond. Doing this to one server many times fills its table of pending connections, which keeps legitimate clients from connecting.
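What a SYN flood looks like in a packet trace, and a detector for it, as an added Python example (not from the learning guide). It runs over a constructed list of packet summaries of the kind a sniffer shows, tracks connections for which the server sent SYN-ACK but never received the final ACK, and alerts when one destination port accumulates too many of them; the threshold and window are assumptions to be tuned for a real server.

```python
"""Detect a SYN flood from half-open connection counts.

Added example, not part of the learning guide.  It works over a constructed
list of packet summaries of the kind a sniffer shows:
(time, src, sport, dst, dport, flags) with flags "S", "SA", "A" or "R".
A connection is half-open once the server has sent SYN-ACK and no ACK from
the client follows; the alert fires when one (server, port) accumulates more
than THRESHOLD of them older than WINDOW seconds.  Both are assumptions.
"""
from collections import defaultdict

THRESHOLD = 5      # half-open connections per (server, port) before alerting
WINDOW = 2.0       # seconds a SYN-ACK may stay unanswered before it counts


def half_open_connections(packets, now):
    """Return {(server, port): [client addresses]} for connections where the
    server's SYN-ACK was sent more than WINDOW seconds ago without an ACK."""
    synack_at = {}                          # (server, sport, client, cport) -> time
    for t, src, sport, dst, dport, flags in packets:
        if flags == "SA":                   # server -> client SYN-ACK
            synack_at[(src, sport, dst, dport)] = t
        elif flags == "A":                  # client -> server ACK completes it
            synack_at.pop((dst, dport, src, sport), None)
        elif flags == "R":                  # RST from either side tears it down
            synack_at.pop((dst, dport, src, sport), None)
            synack_at.pop((src, sport, dst, dport), None)
    pending = defaultdict(list)
    for (server, sport, client, _cport), t in synack_at.items():
        if now - t > WINDOW:
            pending[(server, sport)].append(client)
    return pending


def syn_flood_alerts(packets, now):
    """List (server, port, half_open, distinct_clients) for ports over THRESHOLD.
    Many distinct clients that never reply is the forged-source signature."""
    alerts = []
    for (server, port), clients in half_open_connections(packets, now).items():
        if len(clients) >= THRESHOLD:
            alerts.append((server, port, len(clients), len(set(clients))))
    return alerts


# Constructed trace: one legitimate three-way handshake, then forged SYNs
# that the server answers with SYN-ACKs nobody ever acknowledges.
SERVER = "203.0.113.10"
TRACE = [
    (0.00, "198.51.100.5", 40001, SERVER, 80, "S"),
    (0.01, SERVER, 80, "198.51.100.5", 40001, "SA"),
    (0.02, "198.51.100.5", 40001, SERVER, 80, "A"),
]
for i in range(8):
    forged = f"10.0.{i}.{i + 1}"
    TRACE.append((1.0 + i * 0.01, forged, 50000 + i, SERVER, 80, "S"))
    TRACE.append((1.0 + i * 0.01 + 0.001, SERVER, 80, forged, 50000 + i, "SA"))

if __name__ == "__main__":
    for server, port, count, distinct in syn_flood_alerts(TRACE, now=5.0):
        print(f"SYN flood suspected on {server}:{port}: "
              f"{count} half-open connections from {distinct} addresses")
```

On a real server the same information is in the kernel's own counters (for example the number of sockets in SYN_RECV state), so the detector can be fed from there instead of from a capture.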
A distributed denial of service (DDoS) attack occurs when multiple compromised systems, or multiple attackers, flood the bandwidth or resources of a targeted system with useless traffic. These systems are compromised by attackers using a variety of methods.
In a DDoS attack, the attacker first gains access to user accounts on numerous hosts across the Internet. The attacker then installs and runs a slave (agent) program at each compromised site that quietly waits for commands from a master (handler) program. The master program then contacts the slave programs, instructing each of them to launch a denial-of-service attack directed at the same target host. The resulting coordinated attack is particularly devastating, since it comes from so many attacking hosts at the same time.
Ingress filtering helps against DoS attacks only to a small extent: it removes packets with forged source addresses, but it does nothing against a flood sent from the real addresses of many compromised hosts.
Social engineering is the use of persuasion or deception to gain access to information systems. The medium is usually a telephone call or an e-mail message. The attacker typically pretends to be a director or manager of the company who is travelling on business and has a deadline to get some important data left on their network drive. They pressure the help desk to give them the toll-free number of the RAS (remote access) server to dial in to, and sometimes get their password reset. The main purpose behind social engineering is to place the human element in the network-breaching loop and use it as a weapon. The human element has been referred to as the weakest link in network security. Common techniques include:
1. Faked e-mail: The social engineer sends a message to one or more users in a domain saying "this is the system administrator and your password must be reset to user 123" for a temporary period of time. The attacker then monitors for the change and, once it is made, uses the known password to get into the system.
2. Fictitious competition: The social engineer manipulates a group of users into participating in a fake competition for a jackpot prize, with the ultimate purpose of extracting confidential information about network and password security.
3. The helpful help desk: The help desk gets a call from the social engineer impersonating a user who has forgotten their password. In many cases the help desk will reset the user's password over the phone, and the attacker now has a legitimate user name and password to work with. To avoid problems from the original user, the social engineer will then call the user who was impersonated
8. Phishing
Phishing is an e-mail fraud method in which the perpetrator sends out legitimate-looking e-mail in an attempt to gather personal and financial information from recipients. Typically, the messages appear to come from well-known and trustworthy web sites. Web sites that are frequently spoofed by phishers include PayPal, eBay, MSN, Yahoo, BestBuy, and America Online. A phishing expedition, like the fishing expedition it is named for, is a speculative venture: the phisher casts the lure hoping to fool at least a few of the prey that encounter the bait.
Most people associate phishing with e-mail messages that spoof, or mimic, banks, credit card companies or other businesses like Amazon and eBay. These messages look authentic and attempt to get victims to reveal their personal information. But e-mail messages are only one small piece of a phishing scam. A typical scam goes through five stages:
1. Planning. Phishers decide which business to target and determine how to get e-mail addresses for the customers of that business. They often use the same mass-mailing and address collection techniques as spammers.
2. Setup. Once they know which business to spoof and who their victims are, phishers create methods for delivering the message and collecting the data. Most often, this involves e-mail addresses and a web page.
3. Attack. This is the step people are most familiar with: the phisher sends a phony message that appears to be from a reputable source.
4. Collection. Phishers record the information victims enter into web pages or pop-up windows.
5. Identity theft and fraud. The phishers use the information they have gathered to make illegal purchases or otherwise commit fraud. As many as a fourth of the victims never fully recover
Phishing scams take advantage of software and security weaknesses on both the client and server sides. But even the most high-tech phishing scams work like old-fashioned con jobs, in which a hustler convinces his mark that he is reliable and trustworthy.
If you ask yourself how you can get a complete view of your network, the answer is: through a complete logging system combined with the available traffic monitoring tools. Used together, they give you a complete and clear picture of the traffic passing through your network.
Through monitoring you can detect hacking attempts, virus or worm infections and their propagation, configuration problems, exploits, hardware problems and much more. Monitoring is an important factor in maintaining the stability of the network.
Information security focuses on ensuring confidentiality, integrity and availability. Network monitoring supports all three: you can detect attempts to access forbidden information or resources, such as unauthorized access, which protects confidentiality; you can detect attempts to change or alter information, such as file modification, which protects integrity; and you can detect problems that affect the availability of the information, such as a DoS or DDoS attack.
1- Develop a security procedure that is suitable for your network and covers all the security issues related to it.
2- Secure the network by implementing the developed security procedure.
3- Monitor the network and respond to attacks.
4- Test the existing network security, checking the security holes that you detect through monitoring.
5- Manage and improve the security procedure and its implementation.
6- Return to step (3) to monitor, test and improve again.
It is clear that the security process is a dynamic one. You must keep yourself updated on any new technology that can assist your security, and you must always check, by periodic monitoring and testing, that your security policy is properly implemented and in effect.
Network monitoring gives you the ability to watch the activities of applications and devices to ensure expected, normal operation. It also helps to detect problems and to take the necessary actions to correct them. It can guide you to discover security holes opened in your network intentionally by attackers, or unintentionally, such as unused or suspicious services that were enabled by mistake.
Anyone can notice that attacks have become more sophisticated in the last several years as the level of attack automation has increased. Sample and fully functional attack software can be obtained easily from the Internet. Precompiled, ready-to-use programs allow any user to launch relatively large-scale attacks with little knowledge of the underlying security exploits. Because of that, attack monitoring is a crucial part of operating an information system. Attack monitoring and detection can be achieved through network monitoring by:
* Using an accurate and complete logging system for almost all devices.
* Using the available traffic monitoring tools, including bandwidth monitoring, packet sniffing and IDSs.
Logging can give detailed information about any access to, or change of, any of the network resources. Frequent use of traffic monitoring tools helps you to distinguish between normal and suspicious traffic.
There are many free network-monitoring tools that can help you easily enhance your security, so you do not have to worry too much about the budget. Free tools include Kiwi Syslog Daemon, BackLog
It is not an easy job to monitor a network perfectly. At the beginning you may face many difficulties in understanding and analyzing your logs and your network traffic, and it will take a lot of your time. Over time you gain the experience needed to do the job quickly and easily, by becoming familiar with the normal logs and the normal traffic on your network.
A. Logging
Logging can be a security administrator's best friend. It is like an administrative partner that is always at work, never complains, never gets tired, and is always on top of things. If properly instructed, this partner can provide the time and place of every event that has occurred in your network or system.
Each network device or system has its own logging facility: UNIX servers, Windows servers, firewalls, routers, cache engines, IDSs, applications. You must monitor and analyze almost all the logs from your network devices and systems.
Centralized logging facilitates the process of monitoring and analyzing log messages. It is good practice to use a centralized syslog server for each type of device, for example:
In the end the decision depends on the size of the monitored network. It is important for every security or network administrator to review the content of log files on a daily basis for suspicious entries indicating that an attack has occurred or is in progress. Doing so will help to enhance and maintain the security process.
Log management is very important. To have good event logs you must have two main things in place: accurate time and a suitable logging level.
Logs depend on time, so it is very important that your network devices, systems and logging servers have an accurate clock. The Network Time Protocol (NTP) service is used to ensure this.
Time synchronization is a must for an accurate and useful logging system: all your systems and network devices must have synchronized timestamps. If you look at any log message you will find that the timestamp is a basic part of it. If your logs carry accurate times you will be able to relate log messages from different systems and network devices. In case of an attack or any other network problem you can analyze the logs from all the systems and network devices on a correct, common time line, which helps to detect the attack or the cause of the problem and to solve it.
There are eight logging levels (severity 0 to severity 7), defined as Emergency, Alert, Critical, Error, Warning, Notice, Informational and Debug. Severity 0 is the most serious and 7 the least; a message's severity is encoded in its syslog priority together with the facility it came from.
The configured logging level determines which messages are sent to the syslog host: every message at that level or a more serious one is sent, and the less serious ones are dropped.
The logging level is an important parameter that must be taken into consideration. You must choose the minimum level that gives you sufficient information. Choosing a suitable logging level helps you to maintain the stability of the network and to ensure that required logging information is not lost. As an example, if you set the logging level to the most verbose level, which is debugging, there will be a huge number of log messages, which require a substantial amount of disk space, a high-performance system, and adequate network bandwidth (especially with remote logging). In a normal situation the error or warning level could be enough. In situations that require more information you can raise the logging level as needed.
Logging Archival
A log server needs an adequate amount of disk storage in order to hold all of the log messages it is going to receive. As you look at your logging hosts you will notice that they start to fill up their storage media quickly, especially in an active environment. Archiving your logs helps prevent your logging hosts from crashing when storage limits are reached, which in turn would lead to lost logging information. Using industry-standard archive software in combination with tape storage devices, network shares, CD-R, CD-RW, or Zip/Jaz drives, you can easily archive the logs. Archiving is one step towards good and complete logs: it lets you go back to old logs when a situation requires reviewing them.
Log messages are a useful means of viewing troubleshooting messages and watching for network events such as attacks and service denials. A syslog server is a server that listens for log messages from different hosts; using a syslog server you can establish a centralized logging system.
RFC 3164 states that the syslog protocol provides a transport to allow a machine to send event notification messages across IP networks to event message collectors, also known as syslog servers. The traditional syslog transport is the User Datagram Protocol (UDP), and the UDP port assigned to syslog is 514. Because UDP delivery is unacknowledged and the protocol carries no authentication, messages can be lost under load or forged by any host that can reach the collector; newer syslog implementations therefore also offer TCP and TLS transports, and the collector should at least sit on a management network that untrusted hosts cannot reach.
An example of a syslog server is Kiwi Syslog Daemon. The Kiwi site describes it as a freeware server for Windows (the basic features can be used for free). It receives, displays and forwards syslog messages from hosts such as routers, switches, UNIX hosts and any other syslog-enabled device. Using it you can archive the received messages into files on a daily, weekly, monthly or custom basis.
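A parser for the RFC 3164 messages a syslog collector receives on UDP/514, as an added Python example (not the learning guide's or Kiwi's code). It decodes the PRI field into facility and severity (PRI = facility * 8 + severity), names the eight severities listed earlier, and applies the logging-level filter described above; the messages are constructed samples. A real collector would bind a UDP socket on port 514 and pass each datagram to parse_syslog().

```python
"""Parse RFC 3164 syslog lines, decode PRI into facility/severity, and apply
a minimum logging level.

Added example, not part of the learning guide.  PRI = facility * 8 + severity
as defined in RFC 3164; the severity names are the eight listed in the text.
The sample messages are constructed, in the form a collector receives on
UDP/514.  A real collector would bind a UDP socket on port 514 and hand each
datagram to parse_syslog().
"""
import re

SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug"]        # 0..7
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr",
              "news", "uucp", "cron", "authpriv", "ftp", "ntp", "audit",
              "alert", "clock", "local0", "local1", "local2", "local3",
              "local4", "local5", "local6", "local7"]                # 0..23

# <PRI>TIMESTAMP HOSTNAME MSG, with the RFC 3164 "Mmm dd hh:mm:ss" timestamp
PRI_RE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")


def parse_syslog(line):
    """Return a dict for one RFC 3164 message, or None if it is malformed."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:                       # 23*8 + 7 is the largest legal PRI
        return None
    facility, severity = divmod(pri, 8)
    return {"facility": FACILITIES[facility],
            "severity": severity,
            "severity_name": SEVERITIES[severity],
            "timestamp": m.group(2),
            "host": m.group(3),
            "message": m.group(4)}


def at_or_above(records, max_level):
    """Keep messages whose severity number is <= max_level, i.e. at least that
    serious.  max_level=7 (Debug) keeps everything; 4 keeps Warning and worse,
    which the text suggests as a normal operating level."""
    return [r for r in records if r is not None and r["severity"] <= max_level]


SAMPLE_LINES = [  # constructed
    "<34>Oct 11 22:14:15 fw01 kernel: DROP IN=eth2 SRC=10.1.1.9 DST=203.0.113.10",
    "<38>Oct 11 22:14:16 srv01 sshd[4111]: Failed password for root from 198.51.100.7",
    "<190>Oct 11 22:14:17 rtr01 SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.0.0.5",
    "<13>Oct 11 22:14:18 srv02 su: session opened for user root",
    "<2>Oct 11 22:14:19 core1 bgpd: CRIT neighbour 203.0.113.1 down",
    "this line is not syslog at all",
]

if __name__ == "__main__":
    records = [parse_syslog(line) for line in SAMPLE_LINES]
    for r in at_or_above(records, 4):
        print(f"{r['severity_name']:<13} {r['facility']:<8} {r['host']:<6} {r['message']}")
```

Note what the level filter hides: the failed root logon above is sent at Informational (PRI 38) and is dropped at level 4, which is exactly the kind of message a security review wants. Filter by facility and content for security events rather than by severity alone.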
Traffic Monitoring
There are many types of traffic monitoring tools that can be combined to monitor the traffic for the
network devices, systems and applications. Frequently use of traffic monitoring tools helps you to be
familiar with your normal traffic and as a result you can detect any suspicious traffic passing through
your network.
Bandwidth monitoring
An example of a bandwidth monitoring tool is the Multi Router Traffic Grapher (MRTG). The
MRTG homepage states that it is a tool to monitor the traffic load on network links. MRTG
generates HTML pages containing graphical images, which provide a live visual representation
of this traffic.
MRTG consists of a Perl script which uses SNMP to read the traffic counters of your routers
and a fast C program which logs the traffic data and creates graphs representing the traffic on
the monitored network connection.
These graphs are embedded into web pages, which can be viewed from any modern web
browser. As an example, Figures 14 and 15 are two graphs of the daily utilization of a 1 Mb
bandwidth network. If you monitor the graph frequently, you can distinguish between normal
and abnormal traffic.
Figure 15 shows abnormal use of the network bandwidth: there is suspicious traffic passing
through the network. You can notice the difference easily, because the shape of the graph
gives a clear view. MRTG gives a global overview of your network traffic. It can be used as a
first step to check and monitor your traffic, from which you can take further steps to detect
suspicious traffic or problems.
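MRTG's graphs are built from exactly two numbers per poll: the interface octet counters read over SNMP, five minutes apart. The arithmetic behind the graph, and the counter-wrap edge case that produces a bogus spike if it is ignored, are shown in the following added example. It is not MRTG's own code; the readings, the 1 Mb/s link size and the "three times the median" rule for calling an interval abnormal are constructed assumptions standing in for the judgement an operator makes by eye on Figure 15.

```python
"""Turning SNMP interface octet counters into utilization (added example, constructed data)."""
from statistics import median

INTERVAL_S = 300          # MRTG's default polling interval (5 minutes)
LINK_BPS = 1_000_000      # a 1 Mb/s link, as in the figures discussed


def counter_delta(prev: int, now: int, width: int = 32) -> int:
    """Octets transferred between two readings of an SNMP Counter32 such as
    ifInOctets / ifOutOctets. Counters only increase and wrap to 0 at 2**32, so a
    reading smaller than the previous one means a wrap, not negative traffic."""
    if now >= prev:
        return now - prev
    return now + (1 << width) - prev


def bits_per_second(prev: int, now: int, interval_s: int = INTERVAL_S) -> float:
    return counter_delta(prev, now) * 8 / interval_s


def utilizations(readings, interval_s=INTERVAL_S, link_bps=LINK_BPS):
    """Fraction of link capacity used in each polling interval."""
    return [bits_per_second(a, b, interval_s) / link_bps
            for a, b in zip(readings, readings[1:])]


def abnormal_intervals(utils, factor=3.0):
    """Indices of intervals whose utilization is far above the series' median.
    The median stands in for the usual shape an operator learns from the graph;
    comparing against it is the automated form of noticing an odd-looking graph."""
    base = median(utils)
    return [i for i, u in enumerate(utils) if u > factor * base]


# Constructed ifInOctets readings, one per 5-minute poll (not real SNMP data).
# Intervals 1-3 and 5-6 carry about 10% load, interval 4 carries 80%, and the
# counter wraps past 2**32 during interval 4.
READINGS = [4_280_000_000, 4_283_750_000, 4_287_500_000, 4_291_250_000,
            26_282_704, 30_032_704, 33_782_704]

if __name__ == "__main__":
    u = utilizations(READINGS)
    print(["%.0f%%" % (x * 100) for x in u])
    print("abnormal intervals:", abnormal_intervals(u))
```

On fast links a 32-bit counter can wrap more than once within a five-minute poll, which this delta calculation cannot detect; that is why operators prefer the 64-bit ifHCInOctets counters where the device offers them.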
Packet Sniffing
An example of a packet sniffing tool is Ethereal. The Ethereal homepage states that it is a free
network protocol analyzer for UNIX and Windows. It allows you to examine data from a live
network or from a capture file on disk.
You can interactively browse the capture data, viewing summary and detail information for
each packet. If you suspect that there is suspicious traffic passing through your network, or
you have a problem and want to know the source address, the destination address, the source
port, the destination port and the protocol for that traffic or problem, Ethereal can be of great
help. At that point you have all the information required to detect the attack and stop it, or to
detect the cause of the problem and correct it.
Network-based IDS
Intrusion detection is the process of monitoring the events occurring in an IT system and
analyzing them for signs of intrusions. These intrusions result from attackers accessing systems
from the Internet, authorized users of the systems attempting to gain additional unauthorized
privileges, and authorized users misusing the privileges given to them.
There are different types of Intrusion Detection Systems (IDS): Network-based IDS (NIDS),
Network Node IDS (NNIDS) and Host-based IDS (HIDS). We will talk briefly about one of them,
the network-based IDS. It works like a burglar alarm, alerting security staff when an attack is
taking place so that they can respond accordingly. It can detect intrusions by using
signature/pattern analysis (signatures that are characteristic of an attack) or by using
anomaly/heuristic analysis.
It is very important to note that the IDS must be updated with new attack signatures as soon
as possible; most attackers try to use new attacks so that they can compromise systems before
the administrator can patch them or apply the new updates.
A network-based IDS can:
o Identify attacks that the firewall legitimately allows through (such as HTTP attacks against
web servers).
o Identify attempts such as port scans or ping sweeps.
o Notice insider hacking.
o Provide additional checks for holes/ports opened through firewalls, intentionally or
unintentionally.
Snort is an example of a freely available IDS. The IDS captures each packet passing through a
network segment and detects suspicious ones. It gives information about the source address,
the destination address, the source port, the destination port, the attack type and the time of
the attack; it can also give advice about the software upgrades or patches that could be used
to prevent these attacks, and other useful information. From the above you can see that the
IDS can help you detect attacks that have already happened or are in the process of happening
on your network. It can also help to detect failed attempts by attackers, and this can lead you
to take the required actions to protect your network.
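The two detection methods named above, signature matching and heuristic analysis, can be shown side by side on a handful of packet records. The following added example is not Snort's code or rule syntax; it runs a pair of simplified Snort-style content rules over constructed packets to catch a web attack the firewall would let through, and a heuristic that flags a port scan (many distinct destination ports from one source within a short window), and its alerts carry the same fields the text lists: source and destination address, ports, attack type and time. The packet records, addresses and rule texts are constructed for the example.

```python
"""Signature and port-scan detection over captured packets (added example, constructed data)."""
from collections import defaultdict

# One record per packet, as a sniffer would hand them over:
# (time, src, dst, proto, sport, dport, payload). Constructed sample traffic, not a capture.
PACKETS = [
    (1000.0, "198.51.100.7", "192.0.2.10", "tcp", 40001, 80, b"GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n"),
    (1001.5, "198.51.100.7", "192.0.2.10", "tcp", 40002, 80, b"GET /cgi-bin/../../etc/passwd HTTP/1.1\r\n\r\n"),
    (1002.0, "203.0.113.5", "192.0.2.10", "tcp", 51000, 21, b""),
    (1002.2, "203.0.113.5", "192.0.2.10", "tcp", 51001, 22, b""),
    (1002.4, "203.0.113.5", "192.0.2.10", "tcp", 51002, 23, b""),
    (1002.6, "203.0.113.5", "192.0.2.10", "tcp", 51003, 25, b""),
    (1002.8, "203.0.113.5", "192.0.2.10", "tcp", 51004, 80, b""),
    (1003.0, "203.0.113.5", "192.0.2.10", "tcp", 51005, 443, b""),
    (1900.0, "192.0.2.33", "192.0.2.10", "tcp", 45000, 22, b""),
]

# Simplified Snort-style content rules: protocol, destination port and a byte pattern.
# The messages are constructed; they are not entries from any real rule set.
RULES = [
    {"proto": "tcp", "dport": 80, "content": b"../..", "msg": "WEB-ATTACK directory traversal attempt"},
    {"proto": "tcp", "dport": 80, "content": b"cmd.exe", "msg": "WEB-IIS cmd.exe access attempt"},
]


def match_signatures(packets, rules=RULES):
    """Signature/pattern analysis: every packet is checked against every rule."""
    alerts = []
    for t, src, dst, proto, sport, dport, payload in packets:
        for r in rules:
            if proto == r["proto"] and dport == r["dport"] and r["content"] in payload:
                alerts.append({"time": t, "src": src, "dst": dst, "sport": sport,
                               "dport": dport, "sig": r["msg"]})
    return alerts


def detect_port_scans(packets, window_s=10.0, min_ports=5):
    """Heuristic analysis: a source that touches min_ports distinct destination ports
    on one host within window_s seconds is reported once as a port scan."""
    seen = defaultdict(list)                # (src, dst) -> [(time, dport), ...]
    for t, src, dst, proto, sport, dport, payload in packets:
        seen[(src, dst)].append((t, dport))
    alerts = []
    for (src, dst), hits in seen.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):  # slide a window starting at each packet
            ports = {p for t, p in hits[i:] if t - t0 <= window_s}
            if len(ports) >= min_ports:
                alerts.append({"time": t0, "src": src, "dst": dst,
                               "sig": "SCAN port scan (%d ports within %.0fs)" % (len(ports), window_s)})
                break
    return alerts


if __name__ == "__main__":
    for a in match_signatures(PACKETS) + detect_port_scans(PACKETS):
        print(a)
```

The heuristic deliberately reports each source/destination pair once rather than once per packet; an IDS that raises one alarm per probe packet buries the operator under exactly the kind of alarm flood that the daily monitoring guidelines below warn about.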
Worm Detection
Start every day by checking the MRTG graph for bandwidth utilization. The shape of the graph's
oscillations indicates whether the network traffic is normal or not.
After the above overview of the logging and traffic monitoring tools, and of some of the cases
detected through network monitoring, it is time to suggest a method that can be used daily to
monitor the network.
1- Use a traffic-monitoring tool like MRTG to get a general idea of your bandwidth
utilization. Bandwidth monitoring gives you a quick overview of the traffic leaving and
entering your network. It can guide you to the next step to follow in case abnormal traffic
is detected.
2- Take a quick look at your logs; check the log file size if possible, as it can give an indication
of attacks or errors. Start by looking at the firewall logs and then the servers.
3- Keep monitoring the IDS logs. There is much more to say about analyzing IDS logs than we
can cover here; we will talk briefly about some guidelines that you can follow to monitor
your IDS events.
First of all, you must have a good archiving mechanism for your IDS logging. Professional
attackers always try to hide their steps, for example by scheduling the attack process to
run on different days; good archiving enables you to easily monitor the events and to
detect previous hacking attempts.
It is better to pay attention to the following when you monitor your IDS alerts:
o If the total number of alarms received from one source address is high, this may be an
indication of an attack from that source address.
o If the number of attack signature types coming from one source address is high, this may
be an indication of an attack from that source address; some well-known attack programs
have a certain set of signature types that you can detect by frequently monitoring the IDS.
o If a number of destinations receive the same type of attack signature from one source
address, this may be an indication of an attack.
o Most professional attackers use new attacks to compromise systems, so you must pay
attention to new attacks and update your IDS with new signatures. Also take notice of old
attacks that you are not used to seeing when monitoring your IDS.
o The time at which the attack happened can also help: most attackers try to hack systems
during non-working hours to be sure that no one is monitoring or watching them.
o The time period is also an important factor; it can help you guess whether the attacker is
using an automated tool to hack the system, since automated tools usually take only a
small period of time.
All of the above factors can be combined to help you decide whether the alarms are false
or are indications of actual attacks.
4- Use a packet-sniffing tool like Ethereal to see whether your traffic is normal or abnormal.
Packet sniffing tools can help you be aware of the different protocols passing through your
network; you can know the percentage of traffic generated by each protocol, and the
source and destination addresses of all traffic. Packet sniffing tools require a great amount
of disk storage because they receive a copy of each packet passing through the network.
You do not have to run the packet sniffing software all the time, but it is preferable to
have it available when you need to use it.
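The IDS guidelines in step 3 (alarm count per source, number of signature types, one signature against several destinations, unfamiliar signatures, off-hours timing, and a short burst suggesting an automated tool) combine naturally into a per-source triage score. The following added example, which is not part of the original guide, applies those six checks to constructed alert records; the thresholds, the 08:00 to 17:59 UTC working day, the addresses and the signature names are all assumptions chosen for illustration.

```python
"""Ranking IDS alerts per source address with the guidelines above (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timezone

WORK_HOURS = range(8, 18)   # assumption: 08:00-17:59 UTC is the working day


def _ts(hour, minute, second=0):
    """Constructed timestamps on one day, in UTC."""
    return datetime(2024, 3, 4, hour, minute, second, tzinfo=timezone.utc).timestamp()


# Constructed alerts, not real IDS output: a noisy source at 02:00 hitting four hosts with
# three signatures inside half a minute, and a quiet source with two daytime alerts.
ALERTS = [
    {"time": _ts(2, 0, i * 3), "src": "203.0.113.5", "dst": "192.0.2.%d" % (10 + i % 4),
     "sig": ["SCAN port scan", "WEB-ATTACK directory traversal",
             "EXPLOIT unfamiliar-signature (placeholder)"][i % 3]}
    for i in range(12)
] + [
    {"time": _ts(10, 15), "src": "198.51.100.7", "dst": "192.0.2.10", "sig": "WEB-ATTACK directory traversal"},
    {"time": _ts(14, 40), "src": "198.51.100.7", "dst": "192.0.2.10", "sig": "WEB-ATTACK directory traversal"},
]
# Signatures the operator is used to seeing; anything else deserves a closer look.
KNOWN_SIGNATURES = {"SCAN port scan", "WEB-ATTACK directory traversal"}


def triage(alerts, known_signatures, min_alerts=10, min_sigs=3, min_dsts=3,
           burst_s=60, burst_min=5, off_hours_ratio=0.5):
    """Group alerts by source address, apply the six checks, and rank the sources."""
    by_src = defaultdict(list)
    for a in alerts:
        by_src[a["src"]].append(a)
    report = []
    for src, items in by_src.items():
        times = [a["time"] for a in items]
        hours = [datetime.fromtimestamp(t, tz=timezone.utc).hour for t in times]
        sigs = {a["sig"] for a in items}
        span = max(times) - min(times)
        # the most destinations hit by any single signature from this source
        widest = max(len({a["dst"] for a in items if a["sig"] == s}) for s in sigs)
        off_hours = sum(h not in WORK_HOURS for h in hours) / len(hours)
        flags = []
        if len(items) >= min_alerts:
            flags.append("high alert count")
        if len(sigs) >= min_sigs:
            flags.append("many signature types")
        if widest >= min_dsts:
            flags.append("same signature to several destinations")
        if sigs - set(known_signatures):
            flags.append("unfamiliar signature")
        if off_hours > off_hours_ratio:
            flags.append("mostly off-hours")
        if len(items) >= burst_min and span <= burst_s:
            flags.append("burst: likely automated tool")
        report.append({"src": src, "alerts": len(items), "signatures": len(sigs),
                       "destinations": len({a["dst"] for a in items}),
                       "span_s": span, "flags": flags})
    # sources with the most indicators first, then the most alerts
    report.sort(key=lambda r: (-len(r["flags"]), -r["alerts"]))
    return report


if __name__ == "__main__":
    for row in triage(ALERTS, KNOWN_SIGNATURES):
        print(row["src"], row["alerts"], row["flags"])
```

The output is a ranking, not a verdict: a source with no flags can still be a real attack and a source with every flag can be a misconfigured scanner, which is why the text says the factors are combined to help you decide rather than to decide for you.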
Directions: Match the definition on the left with a term on the right. Write the letter only. All
definitions and terms are used exactly one time.
DEFINITIONS
a. is the interception of data packets traversing a network
b. is the process of monitoring the events occurring in an IT system and analyzing them for
signs of intrusions
c. is carried out by attackers that manage to position themselves between two legitimate
hosts.
d. is a server that listens for log messages from different servers.
e. These are programs that look like ordinary software, but actually perform unintended or
malicious actions behind the scenes when launched
f. is a must to have an accurate and useful logging system; all your systems and network
devices must have synchronized time stamps
g. is a useful means to view troubleshooting messages and to watch for network events such
as attacks and service denials
h. It is a type of attack on a network that is designed to bring the network to its knees by
flooding it with useless traffic
i. is an e-mail fraud method in which the perpetrator sends out legitimate-looking email in
an attempt to gather personal and financial information from recipients.
j. is the use of persuasion or deception to gain access to information systems. The medium
is usually a telephone or e-mail message
TERMS
_________1. Packet sniffing
_________2. Intrusion Detection
_________3. Man-in-the-middle
_________4. Syslog server
_________5. Trojans
_________6. Log message
_________7. DoS
_________8. Time Synchronization
_________9. Social Engineering
_________10. Phishing
Wireshark is a software protocol analyzer, or "packet sniffer" application, used for network
troubleshooting, analysis, software and protocol development, and education. Before June 2006,
Wireshark was known as Ethereal.
A packet sniffer (also known as a network analyzer or protocol analyzer) is computer software that can
intercept and log data traffic passing over a data network. As data streams travel back and forth over
the network, the sniffer "captures" each protocol data unit (PDU) and can decode and analyze its
content according to the appropriate RFC or other specifications.
Wireshark is programmed to recognize the structure of different network protocols. This enables it to
display the encapsulation and individual fields of a PDU and interpret their meaning. It is a useful tool for
anyone working with networks for data analysis and troubleshooting.
Scenario
To capture PDUs, the computer on which Wireshark is installed must have a working connection to the
network, and Wireshark must be running before any data can be captured.
Other options can then be set. Among those available in Capture Options, the two highlighted below
are worth examination.
If this feature is NOT checked, only PDUs destined for this computer will be captured. If this feature is
checked, all PDUs destined for this computer AND all those detected by the computer NIC on the same
network segment (i.e., those that "pass by" the NIC but are not destined for the computer) are captured.
Note: The capturing of these other PDUs depends on the intermediary device connecting the end device
computers on this network. As you use different intermediary devices (hubs, switches, routers)
throughout these courses, you will experience the different Wireshark results.
This option allows you to control whether or not Wireshark translates network addresses found in PDUs
into names. Although this is a useful feature, the name resolution process may add extra PDUs to your
captured data, perhaps distorting the analysis.
There are also a number of other capture filtering and process settings available. Clicking on the Start
button starts the data capture process, and a message box displays the progress of this process.
As data PDUs are captured, their types and number are indicated in the message box.
When the Stop button is clicked, the capture process is terminated and the main screen is displayed.
The PDU (or Packet) Details Pane in the middle of the diagram displays the packet selected in the Packet
List Pane in more detail.
The PDU (or Packet) Bytes Pane at the bottom of the diagram displays the actual data (in hexadecimal
form representing the actual binary) from the packet selected in the Packet List Pane, and highlights the
field selected in the Packet Details Pane.
Each line in the Packet List corresponds to one PDU or packet of the captured data. If you select a line in
this pane, more details will be displayed in the "Packet Details" and "Packet Bytes" panes. The example
above shows the PDUs captured when the ping utility was used and http://www.Wireshark.org was
accessed. Packet number 1 is selected in this pane.
The Packet Details pane shows the current packet (selected in the "Packet List" pane) in a more detailed
form. This pane shows the protocols and protocol fields of the selected packet. The protocols and fields
of the packet are displayed using a tree, which can be expanded and collapsed.
The Packet Bytes pane shows the data of the current packet (selected in the "Packet List" pane) in what
is known as "hexdump" style. In this lab, this pane will not be examined in detail. However, when a more
in-depth analysis is required this displayed information is useful for examining the binary values and
content of PDUs.
The information captured for the data PDUs can be saved in a file. This file can then be opened in
Wireshark for analysis some time in the future without the need to re-capture the same data traffic
again. The information displayed when a capture file is opened is the same as the original capture.
When closing a data capture screen or exiting Wireshark you are prompted to save the captured PDUs.
Clicking on Continue without Saving closes the file or exits Wireshark without saving the displayed
captured data.
Step 1: After ensuring that the standard lab topology and configuration are correct, launch Wireshark on
a computer in a lab pod.
Set the Capture Options as described above in the overview and start the capture process.
From the command line of the computer, ping the IP address of another network-connected
and powered-on end device. Make sure to remember the IP address.
After receiving the successful replies to the ping in the command line window, stop the packet
capture.
The Packet List pane on Wireshark should now look something like this:
Look at the packets listed above; we are interested in packet numbers 6, 7, 8, 9, 11, 12, 14 and
15. (NOTE: numbers may vary)
If you performed Step 1 above match the messages displayed in the command line window
when the ping was issued with the six packets captured by Wireshark.
From the Wireshark Packet List answer the following:
What protocol is used by ping? ______________________________
What is the full protocol name? ______________________________
What are the names of the two ping messages? ______________________________
_____________________________________________________________________
Are the listed source and destination IP addresses what you expected? Yes / No
Why? ___________________________________
The Packet Detail pane will now display something similar to:
As you can see, the details for each section and protocol can be expanded further. Spend some
time scrolling through this information. At this stage of the course, you may not fully understand
the information displayed but make a note of the information you do recognize.
Locate the two different types of "Source" and "Destination". Why are there two types?
__________________________________________________________________
This shows the particular binary values that represent that information in the PDU. At this stage
of the course, it is not necessary to understand this information in detail.
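The Packet Details tree and the "two types of Source and Destination" come straight from encapsulation: the Ethernet II layer carries MAC addresses and the IPv4 layer inside it carries IP addresses, with ICMP (for ping) or TCP (for the web page download) inside that. The following added example, which is neither Wireshark's nor Ethereal's code, builds a constructed ping frame and a constructed TCP frame and decodes them layer by layer, also verifying the IPv4 header checksum the way the analyzer does. The MAC addresses, IP addresses and ports are made up for the example.

```python
"""Decoding an Ethernet/IPv4 frame layer by layer, as the Packet Details pane shows it
(added example; the frames below are constructed, not captured)."""
import socket
import struct


def inet_checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071). Over a header that already contains a valid
    checksum field the result is 0, which is how a decoder verifies it."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def fmt_mac(b: bytes) -> str:
    return ":".join("%02x" % x for x in b)


# ---- builders for the constructed test frames ----
def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_icmp_echo(request=True, ident=1, seq=1, data=b"abcdefgh") -> bytes:
    body = struct.pack("!BBHHH", 8 if request else 0, 0, 0, ident, seq) + data
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def build_frame(src_mac: str, dst_mac: str, ip_packet: bytes) -> bytes:
    to_bytes = lambda m: bytes.fromhex(m.replace(":", ""))
    return to_bytes(dst_mac) + to_bytes(src_mac) + b"\x08\x00" + ip_packet


# ---- decoder ----
ICMP_TYPES = {8: "Echo (ping) request", 0: "Echo (ping) reply"}


def decode_frame(frame: bytes) -> dict:
    """Return the encapsulation tree: Ethernet II -> IPv4 -> ICMP / TCP / UDP."""
    out = {"layers": ["Ethernet II"],
           "eth_dst": fmt_mac(frame[0:6]), "eth_src": fmt_mac(frame[6:12])}
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        out["ethertype"] = hex(ethertype)
        return out
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                 # header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    out["layers"].append("Internet Protocol Version 4")
    out.update(ip_src=socket.inet_ntoa(ip[12:16]), ip_dst=socket.inet_ntoa(ip[16:20]),
               ip_proto=proto, ip_checksum_ok=inet_checksum(ip[:ihl]) == 0)
    payload = ip[ihl:total_len]
    if proto == 1:
        out["layers"].append("Internet Control Message Protocol")
        out["icmp_type"] = payload[0]
        out["icmp_name"] = ICMP_TYPES.get(payload[0], "type %d" % payload[0])
        out["icmp_seq"] = struct.unpack("!H", payload[6:8])[0]
    elif proto in (6, 17):
        out["layers"].append("Transmission Control Protocol" if proto == 6
                             else "User Datagram Protocol")
        out["sport"], out["dport"] = struct.unpack("!HH", payload[:4])
    return out


# Constructed frames: a ping from 192.0.2.10 to 192.0.2.20, and a TCP SYN to port 80.
ECHO_REQUEST = build_frame("00:1b:21:aa:bb:cc", "00:0c:29:11:22:33",
                           build_ipv4("192.0.2.10", "192.0.2.20", 1, build_icmp_echo(seq=7)))
TCP_SYN = build_frame("00:1b:21:aa:bb:cc", "00:0c:29:11:22:33",
                      build_ipv4("192.0.2.10", "192.0.2.20", 6,
                                 struct.pack("!HHIIBBHHH", 40001, 80, 1, 0, 0x50, 0x02, 8192, 0, 0)))

if __name__ == "__main__":
    for f in (ECHO_REQUEST, TCP_SYN):
        print(decode_frame(f))
```

Comparing `eth_src`/`eth_dst` with `ip_src`/`ip_dst` in the decoded output answers the lab question: the frame carries the addresses of the adjacent link-layer hops, while the IP header carries the addresses of the original sender and final receiver.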
Note: Capture Options do not have to be set if continuing from previous steps of this lab.
Step 2: Increase the size of the Wireshark Packet List pane and scroll through the PDUs listed.
Locate and identify the TCP and HTTP packets associated with the webpage download.
Step 3: In the Packet List pane, highlight an HTTP packet that has the notation "(text/html)" in the
Info column.
In the Packet Detail pane click on the "+" next to "Line-based text data: html"
When this information expands what is displayed?
___________________________________________________________________
When finished, close the Wireshark file and continue without saving.
Task 3: Reflection
Consider the encapsulation information pertaining to captured network data Wireshark can provide.
Relate this to the OSI and TCP/IP layer models. It is important that you can recognize and link both the
protocols represented and the protocol layer and encapsulation types of the models with the
information provided by Wireshark.
Task 4: Challenge
Discuss how you could use a protocol analyzer such as Wireshark to:
Task 5: Cleanup
Unless instructed otherwise by your instructor, exit Wireshark and properly shutdown the computer.
Threats to security from viruses and worms are always present. Attackers constantly look for new ways
to infiltrate computers and networks. Because new viruses are always being developed, security
software must be continually updated. This process can be performed automatically, but a technician
should know how to manually update any type of protection software and all customer application
programs. See Figure 1
1. Set Windows Restore Point – if the file you load is corrupt, setting a restore point will allow
you to go back to the way things were. See Figure 2
2. Open the anti-virus or anti-spyware program – if the program is set to execute or obtain
updates automatically, you may need to turn the automatic feature off to perform these
steps manually. See Figure 3
Virus, spyware, and adware detection programs look for patterns in the programming code of the
software in a computer. These patterns are determined by analyzing viruses that are intercepted on the
Internet and on LANs. These code patterns are called signatures. The publishers of protection software
compile the signatures into virus definition tables. To update signature files for anti-virus and spyware
software, first check to see if the signature files are the most recent files. This can be done by navigating
to the about option of the protection software, or by launching the update tool for the protection
software. If the signature files are out of date, update them manually with the Update Now option on
most protection software.
You should always retrieve the signature files from the manufacturer’s website to make sure the update
is authentic and not corrupted by viruses. This can put great demand on the manufacturer's website,
especially when new viruses are released. To avoid creating too much traffic at a single website, some
manufacturers distribute their signature files for download to multiple download sites. These download
sites are called mirrors.
CAUTION: When downloading the signature files from a mirror, ensure that the mirror site is a
legitimate site. Always link to the mirror site from the manufacturer's website.
Viruses and worms can be difficult to remove from a computer. Software tools are required to remove
viruses and repair the computer code that the virus has modified. These software tools are provided by
operating system manufacturers and security software companies. Make sure that you download these
tools from a legitimate site.
Patches are code updates that manufacturers provide to prevent a newly discovered virus or worm from
making a successful attack. From time to time, manufacturers combine patches and upgrades into a
comprehensive update application called a service pack. Many infamous and devastating virus attacks
could have been much less severe if more users had downloaded and installed the latest service pack.
The Windows operating system routinely checks the Windows Update website for high-priority updates
that can help protect a computer from the latest security threat. These updates can include security
updates, critical updates, and service packs. Depending on the setting you choose, Windows
automatically downloads and installs any high-priority updates that your computer needs, or notifies
you as these updates become available.
Updates must be installed, not just downloaded. If you use the Automatic setting, you can schedule the
time and day. Otherwise, new updates are installed at 3 a.m. by default. If your computer is turned off
during a scheduled update, updates are installed the next time you start your computer. You can also
choose to have Windows notify you when a new update is available and install the update yourself.
1. __________________________________________________________________
2. __________________________________________________________________
3. __________________________________________________________________
4. __________________________________________________________________
5. __________________________________________________________________
6. __________________________________________________________________
In this activity, you will create a restore point and return your computer back to that point in time.
Recommended Equipment:
Step 1
Click Start > All Programs > Accessories > System Tools > System Restore.
Click Next.
Click Create
Step 3
Click Close.
Step 6
Click Next.
Click OK.
Click OK.
Click Finish.
Click Yes.
Step 11
Open the Notepad application by clicking Start > All Programs > Accessories > Notepad.
Click My Documents.
Click Save.
Open IIS to confirm that you have successfully installed this service.
Click Start > All Programs > Administrative Tools > Internet Information Services.
Step 13
Click Start > All Programs > Accessories > System Tools > System Restore.
Click Next.
Click Next.
Step 15
NOTE: When you click Next, Windows will restart the computer. Close all applications before
you click Next.
Click Next.
The operating system restores to the point before the IIS application was installed.
Step 18
Instructions: You are required to answer the following individually with the presence of your teacher
A. In this activity, you will use the Internet, a newspaper, or magazines to gather information to help
you become familiar with computer crime and security attacks in your area.
1. Briefly describe one article dealing with computer crime or a security attack.
2. Based on your research, could this incident have been prevented? List the precautions that
might have prevented this attack.
2. Which type of security threat installs to a computer without the user’s knowledge and then monitors
all computer activity?
a. Adware
b. Grayware
c. Malware
d. Spyware
3. Which type of security threat uses e-mail that appears to be from a legitimate sender and asks the e-
mail recipient to visit a website to enter confidential information?
a. Badware
b. Phishing
c. Stealth virus
d. Worm
a. Card keys
b. Password keys
c. Alarm triggers
d. Biometrics
B. You receive an email from your bank requesting that you go to a website and confirm your
personal details and passwords. This website is normally spoofed and will enable the
fraudster to gain your personal bank details and commit fraud. What is this kind of threat
called? What is the best way to avoid this type of threat?
C. Nowadays, many companies have customers fill out personal or financial information for
registrations. There is a possibility that your computer would have grayware. What is the best
option for you to complete the registration form and send back to the company?
Self-check 1
1. J
2. D
3. B
4. H
5. I
6. E
7. A
8. F
9. C
10. G
Self-check 2
1. A
2. B
3. C
4. D
5. E
6. G
7. H
8. F
9. J
10. I
Self-check 3