Cyber
Types of firewalls
→ Network layer
→ Application layer
→ Proxy
→ UTM
What’s a proxy?
In an enterprise that uses the Internet, a proxy server is a server that acts as an
intermediary between a workstation user and the Internet so that the enterprise can
ensure security, administrative control, and caching service. A proxy server is
associated with or part of a gateway server that separates the enterprise network
from the outside network and a firewall server that protects the enterprise network
from outside intrusion.
A proxy server receives a request for an Internet service (such as a Web page
request) from a user. If it passes filtering requirements, the proxy server, assuming it
is also a cache server, looks in its local cache of previously downloaded Web pages.
If it finds the page, it returns it to the user without needing to forward the request to
the Internet. If the page is not in the cache, the proxy server, acting as a client on
behalf of the user, uses one of its own IP addresses to request the page from the
server out on the Internet. When the page is returned, the proxy server relates it to
the original request and forwards it on to the user.
To the user, the proxy server is invisible; all Internet requests and returned
responses appear to be directly with the addressed Internet server. (The proxy is not
quite invisible; its IP address has to be specified as a configuration option to the
browser or other protocol program.)
An advantage of a proxy server is that its cache can serve all users. If one or more
Internet sites are frequently requested, these are likely to be in the proxy's cache,
which will improve user response time. In fact, there are special servers called cache
servers. A proxy can also do logging.
The functions of proxy, firewall, and caching can be in separate server programs or
combined in a single package. Different server programs can be in different
computers. For example, a proxy server may be on the same machine as a firewall
server, or it may be on a separate server and forward requests through the firewall.
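The request flow described above (filter, cache lookup, fetch on the user's behalf from the proxy's own address, log), as an added example that is not part of the original slides; the upstream "Internet", the blocked host and the proxy address 203.0.113.10 are constructed for the demonstration.

```python
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlparse

# Constructed stand-in for "the server out on the Internet".
FAKE_INTERNET = {
    "http://www.example.com/": "<html>example</html>",
    "http://ads.example.net/banner": "<html>ad</html>",
}

def fake_fetch(url: str) -> str:
    return FAKE_INTERNET[url]

class FilteringCacheProxy:
    """Models the flow described above: filter the request, look in the local
    cache, otherwise fetch on the user's behalf from the proxy's own address,
    relate the response to the original request and log the outcome."""

    def __init__(self, fetch: Callable[[str], str], blocked_hosts: List[str],
                 proxy_ip: str = "203.0.113.10"):
        self.fetch = fetch
        self.blocked_hosts = set(blocked_hosts)
        self.proxy_ip = proxy_ip                 # what the remote server sees, not the user's IP
        self.cache: Dict[str, str] = {}
        self.log: List[Tuple[str, str, str]] = []   # (user, url, outcome)

    def handle(self, user: str, url: str) -> Tuple[str, str]:
        """Return (where the page came from, page body); body is '' when denied."""
        host = urlparse(url).hostname or ""
        if host in self.blocked_hosts:           # filtering requirement not met
            self.log.append((user, url, "DENIED"))
            return "denied", ""
        if url in self.cache:                    # shared cache serves every user
            self.log.append((user, url, "CACHE-HIT"))
            return "cache", self.cache[url]
        body = self.fetch(url)                   # proxy acts as the client for the user
        self.cache[url] = body
        self.log.append((user, url, "FETCHED via " + self.proxy_ip))
        return "internet", body
```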
An antivirus utility scans the files and Registry on your computer to detect and remove
viruses and other malicious software. Its real-time component prevents malicious
programs from installing or launching in the first place.
What’s spam?
The most common form of spam is unwanted email. You can also get text message
spam, instant message spam (sometimes known as spim), and social networking spam.
Some spam is annoying but harmless. However, some spam is part of an identity theft
scam or other kind of fraud. Identity theft spam is often called a phishing scam.
If a white hat hacker finds a fault in a security system, e.g. a website, then they will inform
the owner immediately.
Whereas if a grey hat hacker finds a fault, he will do what he feels like at the time, i.e.
exploiting the site OR informing the owner.
A black hat hacker, if they find a fault, will immediately exploit the site for their own
beneficial gain, e.g. advertising and infecting other computers with "viruses" to gain access
to more sites.
So a hacker can be many things from protecting systems by informing the owners or
Exploiting and stealing data.
The most common name for the destructive type of "hacker" is a "cracker". I always try to
refer to a bad hacker as a cracker to avoid confusion.
What’s a worm?
In a computer, a worm is a self-replicating virus that does not alter files but resides in
active memory and duplicates itself. Worms use parts of an operating system that
are automatic and usually invisible to the user. It is common for worms to be noticed
only when their uncontrolled replication consumes system resources, slowing or
halting other tasks.
This term is not to be confused with WORM (write once, read many).
When infected traffic does hit the network, the IDS will see this and take appropriate
action. The problem is that this appropriate action is not direct action; since the IDS is
not in the traffic flow, it has to inform a network device that is in that flow that action
must be taken.
By the time the IDS detects an issue and notifies the appropriate network devices, the
beginning of the infected traffic flow is already in the network.
In contrast, our Intrusion Prevention System (IPS) does sit in the middle of the traffic
flow - in this case, the IPS will actually be our Cisco router. When the IPS detects a
problem, the IPS itself can prevent the traffic from entering the network.
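A small simulation of the difference described above, added here as an example and not taken from the slides or from any Cisco product: a passive IDS sees a mirrored copy and must ask an in-path device to block, so the packets that triggered detection (and any sent before the block takes effect) are already inside; an inline IPS drops from the first matching packet. The packet flow and the signature string are constructed.

```python
from typing import List, Tuple

SIGNATURE = b"EVIL-PAYLOAD"   # constructed detection signature

# Constructed flow: benign packets, then an infected payload spread over two packets.
FLOW = [b"GET /index HTTP/1.1", b"Host: example",
        b"EVIL-PAYLOAD-part1", b"EVIL-PAYLOAD-part2", b"more", b"more"]

def matches(packet: bytes) -> bool:
    return SIGNATURE in packet

def passive_ids(flow: List[bytes], notify_delay: int) -> Tuple[List[bytes], int]:
    """IDS on a mirror port: the router has already forwarded each packet by the
    time the IDS inspects its copy. After detection the IDS notifies the router,
    and the block takes effect notify_delay packets later."""
    delivered: List[bytes] = []
    block_at = None
    for i, pkt in enumerate(flow):
        if block_at is not None and i >= block_at:
            continue                      # router has now applied the block
        delivered.append(pkt)             # forwarded before inspection finished
        if block_at is None and matches(pkt):
            block_at = i + 1 + notify_delay
    leaked = sum(1 for p in delivered if matches(p))
    return delivered, leaked

def inline_ips(flow: List[bytes]) -> Tuple[List[bytes], int]:
    """IPS in the traffic path: a matching packet is dropped before forwarding
    and the rest of the flow is blocked."""
    delivered: List[bytes] = []
    blocked = False
    for pkt in flow:
        if blocked or matches(pkt):
            blocked = True
            continue
        delivered.append(pkt)
    leaked = sum(1 for p in delivered if matches(p))
    return delivered, leaked
```

Even with zero notification delay the passive IDS lets the first infected packet through; the inline IPS never does.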
What’s a honeypot?
A honey pot is a computer system on the Internet that is expressly set up to attract and
"trap" people who attempt to penetrate other people's computer systems. (This
includes the hacker, cracker, and script kiddie.) To set up a honey pot, it is
recommended that you:
What’s access control?
Network access control (NAC), also called network admission control, is a method of
bolstering the security of a proprietary network by restricting the availability of
network resources to endpoint devices that comply with a defined security policy.
A traditional network access server (NAS) is a server that performs authentication and
authorization functions for potential users by verifying logon information. In addition
to these functions, NAC restricts the data that each particular user can access, as well
as implementing anti-threat applications such as firewalls, antivirus software and
spyware-detection programs. NAC also regulates and restricts the things individual
subscribers can do once they are connected. Several major networking and IT vendors
have introduced NAC products.
1- Confidentiality
In the context of information security, confidentiality means that information that should stay
secret stays secret, and only those persons authorized to access it may receive access. From ancient
times, mankind has known that information is power, and in our information age, access to
information is more important than ever. Unauthorized access to confidential information may
have devastating consequences, not only in national security applications, but also in commerce
and industry. The main mechanisms for protecting confidentiality in information systems are
cryptography and access controls. Examples of threats to confidentiality are malware, intruders,
social engineering, insecure networks, and poorly administered systems.
2- Integrity
4- Identification
5- Authentication
Authentication, which happens just after identification and before authorization, verifies the
authenticity of the identity declared at the identification stage. In other words, it is at the
authentication stage that you prove that you are indeed the person or the system you claim to be.
6- Authorization
After declaring identity at the identification stage and proving it at the authentication stage, users
are assigned a set of authorizations (also referred to as rights, privileges, or permissions) that
define what they can do on the system. These authorizations are most commonly defined by the
system’s security policy and are set by the security or system administrator. These privileges may
range from the extremes of “permit nothing” to “permit everything” and include anything in
between.
7- Accountability
Accountability is another important principle of information security that refers to the possibility
of tracing actions and events back in time to the users, systems, or processes that performed them,
to establish responsibility for actions or omissions.
A system may not be considered secure if it does not provide accountability, because it would be
impossible to ascertain who is responsible and what did or did not happen on the system without
that safeguard. Accountability in the context of information systems is mainly provided by logs
and the audit trail.
8- Non-repudiation
Non-repudiation means that the creator/sender of the information cannot deny at a later
stage his or her intentions in the creation or transmission of the information.
Logon authentication
Most network operating systems require that a user be
authenticated in order to log onto the network. This can be done
by entering a password, inserting a smart card and entering the
associated PIN, providing a fingerprint, voice pattern sample, or
retinal scan, or using some other means to prove to the system
that you are who you claim to be.
IPSec authentication
IP Security (IPSec) provides a means for users to encrypt and/or
sign messages that are sent across the network to guarantee
confidentiality, integrity, and authenticity. IPSec transmissions
can use a variety of authentication methods, including the
Kerberos protocol, public key certificates issued by a trusted
certificate authority (CA), or a simple pre-shared secret key (a
string of characters known to both the sender and the recipient).
IPSec configuration
If IPSec policies have been configured to require that
communications be secured, the sending and receiving
computers will not be able to communicate at all if they do not
support a common authentication method.
Remote authentication
There are a number of authentication methods that can be used
to confirm the identity of users who connect to the network via a
remote connection such as dial-up or VPN. These include:
There are a number of SSO products on the market that allow for
single sign-on in a mixed (hybrid) environment that incorporates,
for example, Microsoft Windows servers, Novell NetWare, and
UNIX.
Details on SSO
For a more detailed discussion of SSO, see Single Sign-On
Solutions in a Mixed Computing Environment.
Authentication types
There are several physical means by which you can provide your
authentication credentials to the system. The most common—but
not the most secure—is password authentication. Today’s
competitive business environment demands options that offer
more protection when network resources include highly sensitive
data. Smart cards and biometric authentication types provide this
extra protection.
Password authentication
Most of us are familiar with password authentication. To log onto
a computer or network, you enter a user account name and the
password assigned to that account. This password is checked
against a database that contains all authorized users and their
passwords. In a Windows 2000 network, for example, this
information is contained in Active Directory.
For more detailed information about how smart cards work, see
my TechProGuild Daily Drill Down “Enhancing security with the
use of smart cards.”
Biometric authentication
An even more secure type of authentication than smart cards,
biometric authentication involves the use of biological statistics
that show that the probability of two people having identical
biological characteristics such as fingerprints is infinitesimally
small; thus, these biological traits can be used to positively
identify a person.
Biometrics
For more information about biometrics, see this article
at Network Computing.
When the user wants to log on, he or she provides the credentials
and the system checks the database for the original entry and
makes the comparison. If the credentials provided by the user
match those in the database, access is granted.
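The logon check above, together with the identification, authentication, authorization and accountability stages listed earlier, as one added example (not code from the slides): the user database stores a salt and a PBKDF2 hash rather than the password, the comparison is constant-time, and every decision is written to an audit trail. The usernames, passwords and permissions are constructed.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

ITERATIONS = 100_000

def make_record(password: str) -> Tuple[bytes, bytes]:
    """Store a random salt and a PBKDF2-SHA256 hash, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

# Constructed user database: username -> (salt, hash, permissions)
USERS = {
    "alice": (*make_record("correct horse"), {"read", "write"}),
    "bob":   (*make_record("hunter2"), {"read"}),
}

AUDIT: List[str] = []   # the audit trail that provides accountability

def login(username: str, password: str, user_db=USERS) -> Optional[str]:
    """Identification (the claimed username) then authentication (prove it)."""
    rec = user_db.get(username)
    if rec is None:
        AUDIT.append(f"LOGIN-FAIL user={username} reason=unknown-user")
        return None
    salt, stored, _ = rec
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    if not hmac.compare_digest(candidate, stored):   # constant-time comparison
        AUDIT.append(f"LOGIN-FAIL user={username} reason=bad-password")
        return None
    AUDIT.append(f"LOGIN-OK user={username}")
    return username            # the authenticated identity

def authorize(identity: str, action: str, user_db=USERS) -> bool:
    """Authorization: what the authenticated identity is permitted to do."""
    allowed = action in user_db[identity][2]
    AUDIT.append(f"{'ALLOW' if allowed else 'DENY'} user={identity} action={action}")
    return allowed
```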
Kerberos
SSL
Microsoft NTLM
PAP and SPAP
CHAP and MS-CHAP
EAP
RADIUS
Certificate services
Kerberos
Kerberos was developed at MIT to provide secure authentication
for UNIX networks. It has become an Internet standard and is
supported by Microsoft’s latest network operating system,
Windows 2000. Kerberos uses temporary certificates called
tickets, which contain the credentials that identify the user to
the servers on the network. In the current version of Kerberos,
v5, the data contained in the tickets is encrypted, including the
user’s password.
The name
Kerberos derives its name from the three-headed dog of Greek
mythology (spelled Cerberus in Latin) that guarded the gates to
Hades. Kerberos likewise stands guard over the network to
ensure that only those who are authorized can enter.
Secure Sockets Layer (SSL)
The SSL protocol is another Internet standard, often used to
provide secure access to Web sites, using a combination of
public key technology and secret key technology. Secret key
encryption (also called symmetric encryption) is faster, but
asymmetric public key encryption provides for better
authentication, so SSL is designed to benefit from the
advantages of both. It is supported by Microsoft, Netscape, and
other major browsers, and by most Web server software, such as
IIS and Apache.
SSL overview
An excellent overview of how SSL works, Introduction to
SSL, can be found at Netscape.
PAP
PAP is used for authenticating a user over a remote access
connection. An important characteristic of PAP is that it sends user
passwords across the network to the authenticating server in
plain text. This poses a significant security risk, as an
unauthorized user could capture the data packets using a
protocol analyzer (sniffer) and obtain the password.
SPAP
SPAP is an improvement over PAP in terms of security level, as it
encrypts the password (it is the method used by Shiva remote access
servers, hence the name).
The client sends the user name along with the encrypted
password, and the remote server decrypts the password. If the
username and password match the information in the server’s
database, the remote server sends an Acknowledgment (ACK)
message and allows the connection. If not, a Negative
Acknowledgment (NAK) is sent, and the connection is refused.
CHAP specs
The specifications for CHAP are discussed in RFC 1994.
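To make the PAP weakness above and the CHAP design of RFC 1994 concrete, an added example (not from the slides) runs both exchanges through a constructed capture of everything on the wire: PAP's Authenticate-Request carries the password itself, while CHAP's Response is MD5 over Identifier, secret and Challenge, so the secret never crosses the network. The secret value and usernames are constructed.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

SECRET = "pap-and-chap-demo-secret"   # constructed shared secret / password
WIRE: List[Tuple[str, bytes]] = []     # constructed capture of every message sent

def send(label: str, data: bytes) -> bytes:
    WIRE.append((label, data))
    return data

# --- PAP: the Authenticate-Request carries the password in clear text ---
def pap_client(username: str, password: str) -> bytes:
    return send("PAP Authenticate-Request", username.encode() + b"\x00" + password.encode())

def pap_server(msg: bytes, user_db: Dict[str, str]) -> bool:
    user, pw = msg.split(b"\x00", 1)
    return user_db.get(user.decode()) == pw.decode()

# --- CHAP (RFC 1994): Response = MD5(Identifier || secret || Challenge) ---
def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()

def chap_server_challenge(identifier: int) -> bytes:
    challenge = os.urandom(16)            # fresh and unpredictable for every session
    send("CHAP Challenge", bytes([identifier]) + challenge)
    return challenge

def chap_client(identifier: int, challenge: bytes, secret: str) -> bytes:
    return send("CHAP Response", chap_response(identifier, secret, challenge))

def chap_server_verify(identifier: int, challenge: bytes, response: bytes, secret: str) -> bool:
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)

def password_visible_on_wire(password: str) -> bool:
    """What a protocol analyzer on the path would find in the captured messages."""
    return any(password.encode() in data for _, data in WIRE)
```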
EAP
EAP is a means of authenticating a Point-to-Point Protocol (PPP)
connection that allows the communicating computers to
negotiate a specific authentication scheme (called an EAP type).
RFC
EAP-TLS is defined in RFC 2716.
EAP can also be used with RADIUS (see below).
RADIUS
RADIUS is often used by Internet service providers (ISPs) to
authenticate and authorize dial-up or VPN users. The standards
for RADIUS are defined in RFCs 2138 and 2139. A RADIUS server
receives user credentials and connection information from dial-up
clients and authenticates them to the network.
Certificate services
Digital certificates consist of data that is used for authentication
and securing of communications, especially on unsecured
networks (for example, the Internet). Certificates associate a
public key to a user or other entity (a computer or service) that
has the corresponding private key.
What’s cryptography?
Cryptography is the science of information security.