Uploaded by Kavya B

Network Security(21EC742)

MODULE 1
Attacks on Computers and Computer Security: Need for Security, Security Approaches,
Principles of Security, Types of Attacks. (Text 2: Chapter 1)
Security Mechanisms, Services and Attacks, A model for Network security (Text 1: Chapter
1: 3, 4, 5, 6)
Network Access Control, Extensible Authentication Protocol (Text1: Chapter 16: Section 1,2)

Lecture 1

1.1 INTRODUCTION
We start with the basic question: why is security required in the first place? People
sometimes say that security is like statistics: what it reveals is trivial, what it conceals is
vital. In other words, the right security infrastructure opens only those doors that must be
open, and protects everything else. We then discuss a few real-life incidents that show beyond
doubt that security cannot simply be compromised, especially now that serious business and
other types of transactions are conducted over the Internet on such a scale that inadequate or
improper security mechanisms can bring a whole business down, or play havoc with people's
lives.

1.2 THE NEED FOR SECURITY


1.2.1 Basic Concepts
Early computer applications had no security, or at best very little. This continued for a
number of years until the importance of data was truly realized. Until then, computer data
was considered useful, but not something to be protected. When computer applications were
developed to handle financial and personal data, the real need for security was felt like never
before. People realized that data on computers is an extremely important aspect of modern
life, and various areas of security began to gain prominence. Two typical examples of such
security mechanisms were:
● Give every user a user identification and password, and use that information to
authenticate the user.
● Encode information stored in databases in some fashion, so that it is not visible to users
who do not have the right permission.

Dept of ECE, CEC 2024-25 1


Organizations employed their own mechanisms in order to provide for these kinds of basic
security mechanisms. As technology improved, the communication infrastructure became
extremely mature, and newer applications began to be developed for various user demands and
needs. Soon, people realized the basic security measures were not quite enough.
Furthermore, the Internet took the world by storm. There were many examples of what could
happen if there was insufficient security built in applications developed for the Internet. Figure
1.1 shows such an example of what can happen when you use your credit card for making
purchases over the Internet. From the user’s computer, the user details such as user id, order
details such as order id and item id, and payment details such as credit-card information travel
across the Internet to the server (i.e. to the merchant’s computer). The merchant’s server stores
these details in its database.

Fig. 1.1 Example of information traveling from a client to a server over the Internet

There are several security holes here. First, an intruder can capture the credit-card details as
they travel from the client to the server. Even if we somehow protect this transit from an
intruder (for example with an encrypted channel), that alone does not solve the problem. Once
the merchant's computer receives the credit-card details and validates them, so as to process
the order and later obtain payment, it stores them in its database. Now an attacker who
succeeds in accessing that database gains every credit-card number stored there. Protecting
data in transit and protecting data at rest are separate problems, and both must be solved.

1.2.2 Modern Nature of Attacks


If we attempt to demystify technology, we would realize that computer-based systems are not
all that different from what happens in the real world. Changes in computer-based systems are
mainly due to the speed at which things happen and the accuracy that we get, as compared to
the traditional world.
We can highlight a few salient features of the modern nature of attacks, as follows:
1. Automating Attacks
The speed of computers makes several attacks worthwhile for miscreants. For example, in the
real world, suppose someone manages to build a machine that can produce counterfeit coins.
Would that bother the authorities? It certainly would. However, producing coins on a mass
scale may not be economical compared to the return on that investment: how many such coins
could the attacker get into the market, and how rapidly? The scenario is quite different with
computers. They are very efficient at routine, mundane, repetitive tasks. For example, they
would excel at stealing a very small amount (say half a dollar or 20 rupees) from a million
bank accounts in a matter of minutes. This would give the attacker half a million dollars,
possibly without any complaints being raised, because no single victim loses enough to
notice. This is shown in Fig. 1.2.

Fig. 1.2 The changing nature of attacks due to automation

2. Privacy Concerns
Collecting information about people and later (mis)using it is turning out to be a huge
problem. So-called data-mining applications gather, process, and tabulate all sorts of details
about individuals, and people can then illegally sell this information.
For example, companies such as Experian (formerly TRW), TransUnion, and Equifax maintain
the credit histories of individuals in the USA, and similar trends are seen in the rest of the
world. These companies hold volumes of information about a majority of the citizens of their
country, and can collect, collate, polish, and format all sorts of information for whoever is
ready to pay for it.
Examples of what can come out of this are: which store a person buys more from, which
restaurants he/she eats in, where he/she frequently goes on vacation, and so on. Every
company (e.g. shopkeepers, banks, airlines, insurers) is collecting and processing a mind-
boggling amount of information about us, without our realizing when and how it is going to
be used.
3. Distance Does not Matter

Fig. 1.3 Attacks can now be launched from a distance

Thieves would earlier attack banks, because banks had money. Banks do not have money today!
Money is in digital form inside computers, and moves around by using computer networks.
Therefore, a modern thief would perhaps not like to wear a mask and attempt a robbery!
Instead, it is far easier and cheaper to attempt an attack on the computer systems of the bank
while sitting at home! It may be far more prudent for the attacker to break into the bank’s
servers, or steal credit card/ATM information from the comforts of his/her home or place of
work. This is illustrated in Fig. 1.3.
In 1995, a Russian hacker broke into Citibank’s computers remotely, stealing $12 million.
Although the attacker was traced, it was very difficult to get him extradited for the court case.

1.3 SECURITY APPROACHES


1.3.1 Trusted Systems

A trusted system is a computer system that can be trusted, to a specified extent, to enforce a
specified security policy.

Trusted systems were initially of primary interest to the military. Since then the idea has
spread to other areas, most prominently the banking and financial community, but the concept
never caught on widely. Trusted systems are built around a reference monitor. This is an entity
at the logical heart of the computer system, responsible for all decisions related to access
control: every request by a subject (a user or process) to access an object (a file, device or
record) is passed to it and is allowed or denied according to the policy. The expectations from
the reference monitor are:

(a) It should be tamper-proof: untrusted code must not be able to modify it or its policy data.

(b) It should always be invoked: there must be no path to an object that bypasses it
(complete mediation).

(c) It should be small enough to be analyzed and tested completely, so that its correctness
can be verified independently.

1.3.2 Security Models

An organization can take several approaches to implement its security model.

1. No Security

In this simplest case, the approach could be a decision to implement no security at all.

2. Security through Obscurity

In this model, a system is secure simply because nobody knows about its existence and
contents. This approach cannot work for too long, as there are many ways an attacker can come
to know about it.

3. Host Security

In this scheme, the security for each host is enforced individually. This is a very safe approach,
but the trouble is that it cannot scale well. The complexity and diversity of modern
sites/organizations makes the task even harder.

4. Network Security

Host security is tough to achieve as organizations grow and become more diverse. In this
technique, the focus is on controlling network access to the various hosts and their services
(for example with firewalls and network access control), rather than on securing each host
individually. This is an efficient and scalable model, although in practice it complements host
security rather than replacing it: a host that can be reached through the permitted paths must
still be secure in itself.

1.3.3 Security-Management Practices

Good security-management practices always call for a security policy to be in place. Putting a
security policy in place is actually quite tough. A good security policy and its proper
implementation go a long way in ensuring adequate security-management practices. A good
security policy generally takes care of four key aspects, as follows.

● Affordability: How much money and effort does this security implementation cost?
● Functionality: What is the mechanism for providing security?
● Cultural issues: Does the policy complement people's expectations, working style and
beliefs?
● Legality: Does the policy meet the legal requirements?

Once a security policy is in place, the following points should be ensured.

(a) Explain the policy to all concerned.
(b) Outline everybody's responsibilities.
(c) Use simple language in all communications.
(d) Establish accountability.
(e) Provide for exceptions and periodic reviews.

Review Questions

1. Why is security essential in today's digital world?
2. What are some real-world examples of the consequences of inadequate security?
3. What are the four key aspects of a good security policy?
4. What are some essential elements of a security policy implementation?
5. How has the nature of attacks changed due to automation and distance?

Lecture 2:

1.4 PRINCIPLES OF SECURITY


Let us assume that a person A wants to send a check worth $100 to another person B. Normally,
what factors will A and B think of in such a case? A will write the check for $100, put it
inside an envelope, and send it to B.

● A would like to ensure that no one except B gets the envelope, and that even if someone
else gets it, he/she does not come to know the details of the check. This is the principle of
confidentiality.

● A and B would further like to make sure that no one can tamper with the contents of the
check (such as its amount, date, signature, name of the payee, etc.). This is the principle of
integrity.

● B would like to be assured that the check has indeed come from A, and not from someone
else posing as A (in which case it would be a fake check). This is the principle of
authentication.

● What happens tomorrow if B deposits the check in his/her account, the money is
transferred from A's account to B's account, and then A denies having written or sent the
check? A court of law will use A's signature to prevent A from repudiating the check, and
settle the dispute. This is the principle of non-repudiation.

These are the four chief principles of security. There are two more, access control and
availability, which are not related to a particular message but to the overall system as a
whole.

1.4.1 Confidentiality

The principle of confidentiality specifies that only the sender and the intended recipient(s)
should be able to access the contents of a message. Confidentiality gets compromised if an
unauthorized person is able to access a message. An example of compromising the
confidentiality of a message is shown in Fig. 1.4. Here, the user of computer A sends a message
to the user of computer B. (Actually, from here onwards, we shall use the term A to mean the
user A, B to mean user B, etc., although we shall just show the computers of users A, B, etc.).
Another user C gets access to this message, which is not desired, and therefore defeats the
purpose of confidentiality. An example of this could be a confidential email message sent by A
to B, which is accessed by C without the permission or knowledge of A and B. This type of
attack is called interception.

Fig. 1.4 Loss of confidentiality


1.4.2 Authentication
Authentication mechanisms help establish proof of identities. The authentication process
ensures that the origin of an electronic message or document is correctly identified. For
instance, suppose that user C sends an electronic document over the Internet to user B.
However, the trouble is that user C had posed as user A when he/she sent this document to user
B. How would user B know that the message has come from user C, who is posing as user A?
A real-life example of this could be the case of a user C, posing as user A, sending a funds
transfer request (from A’s account to C’s account) to bank B. The bank might happily transfer
the funds from A’s account to C’s account—after all, it would think that user A has requested
for the funds transfer! This concept is shown in Fig. 1.5. This type of attack is called
fabrication.

Fig. 1.5 Absence of authentication


1.4.3 Integrity
When the contents of a message are changed after the sender sends it, but before it reaches the
intended recipient, we say that the integrity of the message is lost. For example, suppose you
write a check for $100 to pay for goods bought from the US. However, when you see your next
account statement, you are startled to see that the check resulted in a payment of $1000! This
is the case for loss of message integrity. Conceptually, this is shown in Fig. 1.6. Here, user C
tampers with a message originally sent by user A, which is actually destined for user B. User
C somehow manages to access it, change its contents, and send the changed message to user
B. User B has no way of knowing that the contents of the message were changed after user A
had sent it. User A also does not know about this change. This type of attack is called
modification.

Fig. 1.6 Loss of integrity

1.4.4 Non-repudiation
There are situations where a user sends a message and later denies having sent it. For
instance, user A could send a funds-transfer request to bank B over the Internet. After the bank
performs the transfer as per A's instructions, A could claim that he/she never sent the
instruction. Thus, A repudiates, or denies, his/her funds-transfer instruction. The principle of
non-repudiation defeats such attempts to deny something after having done it, typically by
binding the message to evidence (such as a digital signature made with a key that only A
holds) which a third party can later check. This is shown in Fig. 1.7.

Fig. 1.7 Establishing non-repudiation


1.4.5 Access Control
The principle of access control determines who should be able to access what. For instance, we
should be able to specify that user A can view the records in a database but cannot update
them, whereas user B is allowed to make updates as well. An access-control mechanism can
be set up to ensure this. Access control is broadly related to two areas: role management and
rule management. Role management concentrates on the user side (which user can do what),
whereas rule management focuses on the resource side (which resource is accessible, and
under what circumstances). Based on the decisions taken here, an access-control matrix is
prepared, which lists the users (subjects) against the items (objects) they can access and the
rights they have on each (e.g. it can say that user A can write to file X, but can only read files
Y and Z). An Access Control List (ACL) is one column of that matrix: the list, attached to a
single resource, of which users may access it and how.
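The reference monitor of Section 1.3.1 and the access-control matrix and ACL of this section can be seen working together in the following added example in Python. It is not code from the lecture notes or from either textbook; the users A and B, the files X, Y and Z, and the rights in the matrix are constructed for illustration.

```python
"""Reference monitor mediating every access against an access-control matrix.

Added example, not from the lecture notes. Subjects, objects and rights are
constructed for illustration.
"""

# Access-control matrix: rows are subjects (users), columns are objects
# (files), cells are the set of rights the subject holds on the object.
MATRIX = {
    "A": {"X": {"read", "write"}, "Y": {"read"}, "Z": {"read"}},
    "B": {"X": {"read"}, "Y": {"read", "update"}, "Z": {"read", "update"}},
}


def acl(obj):
    """The ACL of one object is that object's column of the matrix."""
    return {subj: rights[obj] for subj, rights in MATRIX.items() if obj in rights}


def capabilities(subj):
    """A capability list is one subject's row of the matrix."""
    return dict(MATRIX.get(subj, {}))


class AccessDenied(PermissionError):
    pass


class ReferenceMonitor:
    """Single decision point: every access request is passed to check()."""

    def __init__(self, matrix):
        # Tamper-proof in spirit only: Python cannot enforce privacy, so a
        # real monitor relies on the OS/hardware boundary to protect this.
        self._matrix = matrix
        self.audit = []  # every decision is recorded for later review

    def check(self, subj, obj, right):
        allowed = right in self._matrix.get(subj, {}).get(obj, set())
        self.audit.append((subj, obj, right, "ALLOW" if allowed else "DENY"))
        if not allowed:
            raise AccessDenied(f"{subj} may not {right} {obj}")


class Store:
    """Resources reachable only through the monitor (complete mediation)."""

    def __init__(self, monitor):
        self._monitor = monitor
        self._data = {"X": "x0", "Y": "y0", "Z": "z0"}  # constructed contents

    def read(self, subj, obj):
        self._monitor.check(subj, obj, "read")
        return self._data[obj]

    def update(self, subj, obj, value):
        self._monitor.check(subj, obj, "update")
        self._data[obj] = value


def demo():
    """A may read everything but only B may update Y; A's update is denied."""
    rm = ReferenceMonitor(MATRIX)
    store = Store(rm)
    results = {"A_reads_X": store.read("A", "X")}
    try:
        store.update("A", "Y", "new")
        results["A_updates_Y"] = "allowed"
    except AccessDenied:
        results["A_updates_Y"] = "denied"
    store.update("B", "Y", "y1")
    results["B_updates_Y"] = store.read("B", "Y")
    results["denials"] = sum(1 for d in rm.audit if d[3] == "DENY")
    return results


if __name__ == "__main__":
    print(demo())
    print("ACL of Y:", acl("Y"))
```

The only way into `Store` is through `ReferenceMonitor.check()`, which is the "always invoked" property; the audit list is what lets its decisions be reviewed afterwards. In a real system the guarantee that nothing bypasses the monitor comes from the operating-system or hardware boundary, not from naming conventions in application code.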
1.4.6 Availability
The principle of availability states that resources (i.e. information) should be available to
authorized parties at all times. For example, due to the intentional actions of another
unauthorized user C, an authorized user A may not be able to contact a server computer B, as
shown in Fig. 1.8. This would defeat the principle of availability. Such an attack is called
interruption.

Fig. 1.8 Attack on availability


1.4.7 Ethical and Legal Issues
Classically, the ethical issues in security systems are classified into four categories:
Privacy This deals with the right of an individual to control personal information about
himself/herself.
Accuracy This concerns responsibility for the authenticity, fidelity, and accuracy of
information.
Property This asks who owns the information, and who controls access to it.
Accessibility This deals with what information an organization has the right to collect, and,
having collected it, what safeguards it must apply to protect that information against misuse
or loss.

1.5 TYPES OF ATTACKS


We shall classify attacks with respect to two views: the common person’s view and a
technologist’s view.
1.5.1 Attacks: A General View
From a common person’s point of view, we can classify attacks into three categories, as shown
in Fig. 1.9.

Fig. 1.9 Classification of attacks as understood in general terms

1. Criminal Attacks
Criminal attacks are the simplest to understand. Here, the sole aim of the attackers is to
maximize financial gain by attacking computer systems. Table 1.1 lists some forms of criminal
attacks.
2. Publicity Attacks
Publicity attacks occur because the attackers want to see their names appear on television news
channels and newspapers. History suggests that these types of attackers are usually not
hardcore criminals. They are people such as students in universities or employees in large
organizations, who seek publicity by adopting a novel approach of attacking computer systems.
One form of publicity attacks is to damage (or deface) the Web pages of a site by attacking it.
One of the most famous of such attacks occurred on the US Department of Justice’s Web site
in 1996. The New York Times home page was also infamously defaced two years later.
3. Legal Attacks
This form of attack is quite novel. Here, the attacker tries to make the judge or the jury
doubtful about the security of a computer system. It works as follows. The attacker attacks the
computer system, and the attacked party (say a bank or an organization) manages to take the
attacker to court. While the case is being fought, the attacker tries to convince the judge and
the jury that there is an inherent weakness in the computer system and that he/she has done
nothing wrongful. The aim is to exploit the limited technical knowledge of the judge and the
jury.
For example, an attacker may sue a bank over an online transaction which he/she claims never
to have wanted to perform. In court, the attacker could innocently say something like: "The
bank's Web site asked me to enter a password and that is all that I provided; I do not know
what happened thereafter."
A judge may well, unwittingly, sympathize with the attacker.

Table 1.1 Types of criminal attacks

Fraud: Modern fraud attacks concentrate on manipulating some aspect of electronic currency,
credit cards, electronic stock certificates, checks, letters of credit, purchase orders, ATMs,
etc.

Scams: Scams come in various forms, some of the most common being sale of services,
auctions, multilevel marketing schemes, general merchandise, business opportunities, etc.
People are enticed to send money with the promise of great returns, but end up losing it. A
very common example is the Nigeria scam, where an email from Nigeria (or another African
country) entices people to deposit money into a bank account with a promise of hefty gains.
Whoever gets caught in this scam loses money heavily.

Destruction: Some sort of grudge is the motive behind such attacks. For example, unhappy
employees attack their own organization, whereas terrorists strike at a much bigger level. In
the year 2000, there was an attack against popular Internet sites such as Yahoo!, CNN, eBay,
Buy.com, Amazon.com, and E*Trade, in which authorized users of these sites were unable to
log in or access them.

Identity theft: This is best understood with a quote from Bruce Schneier: "Why steal from
someone when you can just become that person?" In other words, an attacker does not steal
anything from a legitimate user; he/she becomes that legitimate user. For example, it is much
easier to get the password of someone else's bank account, or to obtain a credit card in
someone else's name, and then misuse that privilege until it is detected.

Intellectual property theft: This ranges from stealing companies' trade secrets, databases,
digital music and videos, electronic documents and books, software, and so on.

Brand theft: It is quite easy to set up fake Web sites that look like real Web sites. How would
a common user know whether he/she is visiting the HDFC Bank site or an attacker's site?
Innocent users end up providing their secrets and personal details on these fake sites to the
attackers, who then use those details to access the real site, resulting in identity theft.
Review Questions
1. Explain the four main principles of network security (confidentiality, integrity,
authentication, non-repudiation) using real-life analogies.
2. What is the principle of availability, and how can attacks like Denial-of-Service (DoS)
disrupt it?
4. Explain the four ethical considerations in security systems: privacy, accuracy, property,
and accessibility.
5. From a common person's perspective, categorize the three types of attacks (criminal,
publicity, legal) and provide an example for each.
6. What is "identity theft" in the context of network security?

Lecture 3:
1.5.2 Attacks: A Technical View
From a technical point of view, we can classify the types of attacks on computers and network
systems into two categories for better understanding:
(a) Theoretical concepts behind these attacks, and
(b) Practical approaches used by the attackers.
Let us discuss these one by one.
1. Theoretical Concepts As we discussed earlier, the principles of security face threats
from various attacks. These attacks are generally classified into the four categories mentioned
earlier:
Interception It has been discussed in the context of confidentiality. It means that an
unauthorized party has gained access to a resource. The party can be a person, a program, or a
computer-based system. Examples of interception are copying data or programs, and listening
to network traffic.
Fabrication It has been discussed in the context of authentication. This involves the creation
of counterfeit objects on a computer system. For example, the attacker may add fake records
to a database, or inject a message that appears to come from a legitimate sender.
Modification It has been discussed in the context of integrity. Here, the attacker changes an
existing resource, for example the values in a database or the contents of a message in transit.
Interruption It has been discussed in the context of availability. Here, the resource becomes
unavailable, lost, or unusable. Examples of interruption are damaging a hardware device, or
erasing programs, data, or operating-system components.
These attacks are further grouped into two types: passive attacks and active attacks, as shown
in Fig. 1.10.

Fig. 1.10 Types of attacks


(a) Passive Attacks Passive attacks are those wherein the attacker indulges in eavesdropping
or monitoring of data transmission. In other words, the attacker aims to obtain information that
is in transit. The term passive indicates that the attacker does not attempt to perform any
modifications to the data. In fact, this is also why passive attacks are harder to detect. Thus, the
general approach to deal with passive attacks is to think about prevention, rather than detection
or corrective actions.
Passive attacks do not involve any modifications to the contents of an original message.
Figure 1.11 shows further classification of passive attacks into two sub-categories. These
categories are, namely release of message contents and traffic analysis.

Fig. 1.11 Passive attacks


Release of message contents is quite simple to understand. When you send a confidential
email message to your friend, you want only him/her to be able to read it. Otherwise, the
contents of the message are released, against your wishes, to someone else. Using certain
security mechanisms, we can prevent the release of message contents. For example, we can
encode messages using a code language (encryption), so that only the desired parties
understand the contents, because only they know the code.
However, even when the contents are hidden, a passive attacker who watches many such
messages pass by can still observe who is talking to whom, how often, at what times, and how
long each message is. Analysing (encoded) messages for such patterns, in order to infer
something about the communication taking place, is a traffic-analysis attack. Encryption
alone does not prevent it; countermeasures such as padding messages to a fixed size or
sending cover traffic are needed to reduce what the pattern reveals.
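The following added Python example (not from the lecture notes or its textbooks) shows what a traffic-analysis attacker still learns when message contents are perfectly hidden, and how padding reduces it. The four commands, the one-time-pad encryption and the 32-byte padding block are constructed assumptions.

```python
"""Traffic analysis against perfectly encrypted messages.

Added example, not from the lecture notes. The command set and the padding
block size are constructed for illustration.
"""
import os

# Constructed protocol: a client sends exactly one of these commands.
COMMANDS = [b"BUY", b"SELL", b"CANCEL-ORDER", b"SHOW-PORTFOLIO-SUMMARY"]
BLOCK = 32  # padding granularity, chosen to exceed the longest command


def encrypt(msg):
    """One-time pad: hides the contents completely, but the ciphertext is
    exactly as long as the plaintext, so length leaks."""
    key = os.urandom(len(msg))
    return bytes(m ^ k for m, k in zip(msg, key)), key


def decrypt(ct, key):
    return bytes(c ^ k for c, k in zip(ct, key))


def pad(msg, block=BLOCK):
    """Pad to a multiple of `block` bytes (PKCS#7 style: n bytes of value n)
    so that every command has the same ciphertext length."""
    n = block - len(msg) % block
    return msg + bytes([n]) * n


def unpad(msg):
    return msg[:-msg[-1]]


def attacker_guess(ciphertext, candidates=COMMANDS, padded=False):
    """The attacker sees only the ciphertext. It returns every candidate
    command whose (padded) length matches; a single candidate means the
    contents have been inferred without breaking the cipher."""
    def length(c):
        return len(pad(c)) if padded else len(c)
    return [c for c in candidates if length(c) == len(ciphertext)]


def demo():
    results = {}
    ct, key = encrypt(b"SELL")
    assert decrypt(ct, key) == b"SELL"
    results["unpadded_guess"] = attacker_guess(ct)
    ct2, key2 = encrypt(pad(b"SELL"))
    assert unpad(decrypt(ct2, key2)) == b"SELL"
    results["padded_guess"] = attacker_guess(ct2, padded=True)
    return results


if __name__ == "__main__":
    print(demo())
```

Padding to a fixed block removes the length signal for this command set, but timing, volume and the endpoints of the traffic remain visible; hiding those needs cover traffic or a mixing network rather than a change to the cipher.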
(b) Active Attacks Unlike passive attacks, active attacks involve modifying the original
message in some manner, or creating a false message. These attacks cannot be prevented
easily; however, they can be detected with some effort, and attempts can be made to recover
from them. They can take the form of interruption, modification or fabrication.
In active attacks, the contents of the original message are modified in some way, or a new
message is forged.
● Trying to pose as another entity is a masquerade attack.
● Modification attacks can be classified further into replay attacks and alteration of
messages.
● Fabrication is the basis of Denial of Service (DoS) attacks.
This classification is shown in Fig. 1.12.
A masquerade occurs when an unauthorized entity pretends to be another entity. As we have
seen, user C might pose as user A and send a message to user B, who is led to believe that the
message indeed came from user A. Masquerade attacks usually embed other forms of active
attack as well. For instance, the attack may involve capturing the user's authentication
sequence (e.g. user ID and password); later, those details are replayed to gain illegal access to
the computer system.

Fig. 1.12 Active attacks

In a replay attack, a user captures a sequence of events, or some data units, and re-sends them.
For instance, suppose user A wants to transfer some amount to user C’s bank account. Both
users A and C have accounts with bank B. User A might send an electronic message to bank B,
requesting for the funds transfer. User C could capture this message, and send a second copy
of the same to bank B. Bank B would have no idea that this is an unauthorized message, and
would treat this as a second, and different, funds transfer request from user A. Therefore, user
C would get the benefit of the funds transfer twice: once authorized, once through a replay
attack.
Alteration of messages involves some change to the original message. For instance, suppose
user A sends the electronic message "Transfer $1000 to D's account" to bank B. User C might
capture this and change it to "Transfer $10000 to C's account". Here both the beneficiary and
the amount have been changed; changing either one alone would also be an alteration of the
message.
Denial of Service (DoS) attacks attempt to prevent legitimate users from accessing services
they are entitled to. For instance, an unauthorized user might send a flood of login requests to
a server, using random user IDs in quick succession, so as to exhaust the server or the network
and deny other, legitimate users the use of those facilities.
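How bank B can detect the masquerade, alteration and replay attacks described above (and the authentication and integrity failures of Sections 1.4.2 to 1.4.4) is shown by the following added example in Python, using only the standard library. It is not code from the lecture notes; the message format, the shared key between A and the bank, and the nonce-based replay check are assumptions made for the example.

```python
"""Bank B checks funds-transfer requests for masquerade, alteration and replay.

Added example, not from the lecture notes. Message format, shared key and
replay check are assumptions for illustration.
"""
import hashlib
import hmac
import json
import secrets

# Shared secret agreed out of band between customer A and the bank (assumed).
KEY_A = secrets.token_bytes(32)


def _canonical(body):
    """Deterministic encoding so sender and bank MAC identical bytes."""
    return json.dumps(body, sort_keys=True).encode()


def make_request(key, sender, amount, beneficiary):
    """A builds a request: the body carries a fresh nonce, and a MAC is
    computed over the whole body with A's key."""
    body = {"from": sender, "amount": amount, "to": beneficiary,
            "nonce": secrets.token_hex(16)}
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class Bank:
    def __init__(self, keys):
        self._keys = keys      # per-customer shared keys
        self._seen = set()     # nonces already processed (replay memory)
        self.ledger = []

    def process(self, request):
        body, tag = request["body"], request["tag"]
        key = self._keys.get(body["from"])
        if key is None:
            return "REJECT: unknown sender"
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        # A wrong tag means either the body was altered in transit or the
        # sender never had A's key (masquerade). compare_digest is
        # constant-time, so the check itself leaks nothing about the tag.
        if not hmac.compare_digest(expected, tag):
            return "REJECT: bad MAC"
        if body["nonce"] in self._seen:
            return "REJECT: replay"
        self._seen.add(body["nonce"])
        self.ledger.append((body["from"], body["amount"], body["to"]))
        return "OK"


def demo():
    bank = Bank({"A": KEY_A})
    results = {}
    req = make_request(KEY_A, "A", 1000, "D")
    results["genuine"] = bank.process(req)
    # C captures the genuine request and re-sends it unchanged (replay).
    results["replay"] = bank.process(req)
    # C alters amount and beneficiary but cannot recompute the tag.
    altered = {"body": dict(req["body"], amount=10000, to="C"), "tag": req["tag"]}
    results["altered"] = bank.process(altered)
    # C forges a request in A's name with a key of its own (masquerade).
    forged = make_request(secrets.token_bytes(32), "A", 500, "C")
    results["masquerade"] = bank.process(forged)
    results["ledger"] = list(bank.ledger)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

An HMAC gives the bank integrity and origin authentication, but not non-repudiation: the bank holds the same key as A and could have produced the tag itself, so a dispute cannot be settled by the tag alone. Non-repudiation needs A to sign with a private key that only A holds. The nonce set also grows without bound; production systems bound it with a per-customer sequence number or a timestamp window.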
1.5.3 The Practical Side of Attacks
The attacks discussed earlier can come in a number of forms in real life. They can be classified
into two broad categories: application-level attacks and network-level attacks, as shown in
Fig. 1.13.

Fig. 1.13 Practical side of attacks


1. Application-level Attacks
These attacks happen at an application level in the sense that the attacker attempts to access,
modify, or prevent access to information of a particular application, or the application itself.

Examples of this are trying to obtain someone’s credit-card information on the Internet, or
changing the contents of a message to change the amount in a transaction, etc.
2. Network-level Attacks
These attacks aim at reducing the capabilities of a network by a number of possible means:
they generally try either to slow down a computer network or to bring it to a complete halt.
Note that a network-level compromise can lead on to application-level attacks, because once
someone is able to gain access to a network, he/she is usually able to access or modify at least
some sensitive information, causing havoc.
These two types of attacks can be attempted by using various mechanisms, as discussed next.
We will not classify these attacks into the above two categories, since they can span across
application as well as network levels.
Security attacks can happen at the application level or the network level.
1.5.4 Programs that Attack
Let us now discuss a few programs that attack computer systems to cause some damage or to
create confusion.

1. Virus
One can launch an application-level attack or a network level attack using a virus. In simple
terms, a virus is a piece of program code that attaches itself to legitimate program code, and
runs when the legitimate program runs. It can then infect other programs in that computer, or
programs that are in other computers but on the same network. This is shown in Fig. 1.14. In
this example, after deleting all the files from the current user’s computer, the virus self-
propagates by sending its code to all users whose email addresses are stored in the current
user’s address book.

Fig. 1.14 Virus

Viruses can also be triggered by specific events (e.g. a virus could automatically execute at 12
p.m. every day). Usually viruses cause damage to computer and network systems to the extent
that they can be repaired, assuming that the organization deploys good backup and recovery
procedures.
A virus is a computer program that attaches itself to another legitimate program, and causes
damage to the computer system or to the network.

During its lifetime, a virus goes through four phases:


(a) Dormant Phase Here, the virus is idle. It gets activated based on a certain action or event
(e.g. the user typing a certain key or a certain date or time is reached, etc). This is an optional
phase.
(b) Propagation Phase In this phase, a virus copies itself, and each copy starts creating more
copies of itself, thus propagating the virus.
(c) Triggering Phase A dormant virus moves into this phase when the action/event for which
it was waiting is initiated.
(d) Execution Phase This is the actual work of the virus, which could be harmless (display
some message on the screen) or destructive (delete a file on the disk).

Viruses can be classified into the following categories:


(a) Parasitic Virus This is the most common form of virus. Such a virus attaches itself to
executable files and keeps replicating. Whenever the infected file is executed, the virus looks
for other executable files to attach itself and spread.
(b) Memory-resident Virus This type of virus first attaches itself to an area of the main
memory and then infects every executable program that is executed.
(c) Boot sector Virus This type of virus infects the master boot record of the disk and spreads
on the disk when the operating system starts booting the computer.
(d) Stealth Virus This virus has intelligence built in, which prevents anti-virus software
programs from detecting it.
(e) Polymorphic Virus A virus that keeps changing its signature (i.e. identity) on every
execution, making it very difficult to detect.
(f) Metamorphic Virus In addition to changing its signature like a polymorphic virus, this
type of virus keeps rewriting itself every time, making its detection even harder.


There is another popular category of viruses, called the macro virus. This virus affects specific
application software, such as Microsoft Word or Microsoft Excel. They affect the documents
created by users, and spread quite easily since such documents are very commonly exchanged
over email. There is a feature called macro in these application-software programs, which
allows users to write small, useful, utility programs within the documents. Viruses attack these
macros, and hence the name macro virus.
Review Questions
1 What is the difference between interception and interruption in the context of network
attacks?
2 What is a replay attack? Provide an example to illustrate it.
3 How does a masquerade attack work in network security?
4 Describe the four phases of a virus lifecycle.
5 What is the difference between a polymorphic virus and a metamorphic virus?
6 What is the main purpose of a Denial of Service (DOS) attack?

Lecture 4:

2. Worm
Similar in concept to a virus, a worm is actually different in implementation. A virus modifies
a program (i.e. it attaches itself to the program under attack). A worm, however, does not
modify a program. Instead, it replicates itself again and again. This is shown in Fig. 1.15. The
replication grows so much that ultimately the computer or the network on which the worm
resides, becomes very slow, ultimately coming to a halt. Thus, the basic purpose of a worm
attack is different from that of a virus. A worm attack attempts to make the computer or the
network under attack unusable by eating all its resources.
A worm does not perform any destructive actions, and instead, only consumes system resources
to bring it down.
3. Trojan Horse
A Trojan horse is a hidden piece of code, like a virus. However, the purpose of a Trojan horse
is different. Whereas the main purpose of a virus is to make some sort of modifications to the
target computer or network, a Trojan horse attempts to reveal confidential information to an
attacker. The name (Trojan horse) comes from the epic poem Iliad. The story says that Greek
soldiers hid inside a large hollow horse, which was pulled into the city of Troy by its citizens,


unaware of its contents. Once the Greek soldiers entered the city of Troy, they opened the gates
for the rest of the Greek soldiers.

Fig. 1.15 Worm

Similarly, a Trojan horse could silently sit in the code for a Login screen by attaching itself to
it. When the user enters the user id and password, the Trojan horse could capture these details,
and send this information to the attacker without the knowledge of the user who had entered
the id and password. The attacker can then merrily misuse the user id and password to gain
access to the system. This is shown in Fig. 1.16.

Fig. 1.16 Trojan horse


4. Applets and ActiveX Controls:

Applets and ActiveX controls were born due to the technological development of the World Wide Web (WWW) application of the Internet. The Web consists of communication between client and server computers using a communications protocol called Hyper Text Transfer Protocol (HTTP). The client uses a piece of software called a Web browser. The server runs a program called a Web server. In its simplest form, a browser sends an HTTP request for a Web page to a Web server. The Web server locates this Web page (actually a computer file) and sends it back to the Web browser, again using HTTP. The Web browser interprets the contents of that file and shows the results on the screen to the user. This is shown in Fig. 1.17.

Here, the client sends a request for a Web page called www.yahoo.com/info, which the server sends back to the client. Many Web pages contain small programs that get downloaded onto the client along with the Web page itself. These programs then execute inside the browser. Sun Microsystems provides Java applets for this purpose, and Microsoft's technology makes use of ActiveX controls for the same purpose. Both are small programs that get downloaded along with a Web page and then execute on the client. This is shown in Fig. 1.18.

Figure 1.17 HTTP connection between client and server


Figure 1.18 Applet sent back along with a Web page

Here, the server sends an applet along with the Web page to the client.

• Usually, these programs (applets or ActiveX controls) are used either to perform some processing on the client side or to automatically and periodically request information from the Web server using a technology called client pull.

• For instance, a program can get downloaded on to the client along with the Web page showing the latest stock prices on a stock exchange, and then periodically issue HTTP requests to the Web server for pulling the updated prices.

• To prevent attacks by such downloaded programs, Java applets have strong security checks as to what they can do and what they cannot. ActiveX controls have no such restrictions.

• A number of checks are in place to ensure that neither applets nor ActiveX controls can do a lot of damage, and that even if they somehow manage to do it, it can be detected.

• Java applets (from Sun Microsystems) and ActiveX controls (from Microsoft Corporation) are small client-side programs that might cause security problems, if used by attackers with a malicious intention.


5) Cookies:

• Cookies were born as a result of a specific characteristic of the Internet. The Internet
uses HTTP protocol, which is stateless.

• Suppose that the client sends an HTTP request for a Web page to the server. The Web
server locates that page on its disk, sends it back to the client and completely forgets about this
interaction!

• If the client wants to continue this interaction, it must identify itself to the server in the next HTTP request. Otherwise, the server would not know that this same client had sent an HTTP request earlier.

• Since a typical application is likely to involve a number of interactions between the client and the server, there must be some mechanism for the client to identify itself to the server each time it sends an HTTP request to the server.

• For this, cookies are used. Cookies are the most popular mechanism of maintaining the
state information (i.e. identifying a client to a server). A cookie is just one or more pieces of
information stored as text strings in a text file on the disk of the client computer (i.e. the Web
browser).

• Actually, a Web server sends the Web browser a cookie and the browser stores it on the
hard disk of the client computer. The browser then sends a copy of the cookie to the server
during the next HTTP request.

• This is used for identification purposes, as shown in Figs 1.19 (a) and 1.19 (b).

• When you interact with a Web site for the first time, the site might want you to register yourself. Usually, this means that the Web server sends a page to you wherein you have a form to enter your name, address and other details such as date of birth, interests, etc.

• When you complete this form and send it to the server with the help of your browser, the server stores this information in its database. Additionally, it also creates a unique id for you. It stores this id along with your information in the database (as shown in Fig. 1.19(a)) and also sends the id back to you in the form of a cookie.

• The next time you interact with the server, you do not have to enter any information such as your name and address. Your browser would automatically send your id (i.e. the cookie) along with the HTTP request for a particular page to the server (as shown in Fig. 1.19(b)).


• The server now takes this id, tries to find a match in its database and having found it,
knows that you are a registered user. Accordingly, it sends you the next page.

Figure 1.19a Creation of cookies

Figure 1.19b Usage of cookies
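The registration flow just described, as an added example that is not part of the original notes: a simulated stateless server and browser exchange the id through Set-Cookie and Cookie headers using Python's http.cookies module. The cookie name, the Secure/HttpOnly flags and the form contents are assumptions made for this illustration.

```python
"""Cookie-based identification over stateless HTTP, simulated in memory.
Added example; not code from the lecture notes. The server, browser and
header handling are simplified stand-ins for a real Web server and browser."""
import secrets
from http.cookies import SimpleCookie
from typing import Dict, Optional, Tuple

COOKIE_NAME = "userid"  # hypothetical cookie name chosen for this example


class RegistrationServer:
    """Stateless request handling: the only memory across requests is the
    database keyed by the id that travels back and forth inside the cookie."""

    def __init__(self) -> None:
        self.database: Dict[str, dict] = {}

    def register(self, form: dict) -> Tuple[str, str]:
        """Store the form, create a unique id and return the page plus the
        Set-Cookie header value that carries the id to the browser."""
        user_id = secrets.token_hex(16)     # unguessable, unlike a counter
        self.database[user_id] = dict(form)
        cookie = SimpleCookie()
        cookie[COOKIE_NAME] = user_id
        cookie[COOKIE_NAME]["httponly"] = True   # keep it away from scripts
        cookie[COOKIE_NAME]["secure"] = True     # send only over HTTPS
        set_cookie = cookie[COOKIE_NAME].OutputString()
        return f"Welcome, {form['name']}", set_cookie

    def handle(self, cookie_header: Optional[str]) -> str:
        """Serve the next page: identify the client purely from its Cookie header."""
        user_id = self._id_from_cookie(cookie_header)
        record = self.database.get(user_id) if user_id else None
        if record is None:
            return "Please register"   # unknown or missing id: not a registered user
        return f"Hello again, {record['name']}"

    @staticmethod
    def _id_from_cookie(cookie_header: Optional[str]) -> Optional[str]:
        if not cookie_header:
            return None
        cookie = SimpleCookie()
        cookie.load(cookie_header)
        morsel = cookie.get(COOKIE_NAME)
        return morsel.value if morsel else None


class Browser:
    """Stores the cookie on 'disk' and replays it on every later request."""

    def __init__(self) -> None:
        self.jar = SimpleCookie()

    def store(self, set_cookie_header: str) -> None:
        self.jar.load(set_cookie_header)

    def cookie_header(self) -> Optional[str]:
        if not self.jar:
            return None
        return "; ".join(f"{k}={m.value}" for k, m in self.jar.items())


def walkthrough() -> Tuple[str, str, str]:
    """The notes' scenario: first visit without a cookie, registration, then a
    later request in which the browser sends the id back automatically."""
    server, browser = RegistrationServer(), Browser()
    first = server.handle(browser.cookie_header())        # no cookie yet
    form = {"name": "Alice", "address": "12 Sample Street"}  # constructed form data
    page, set_cookie = server.register(form)
    browser.store(set_cookie)
    later = server.handle(browser.cookie_header())        # id identifies Alice
    return first, page, later


if __name__ == "__main__":
    print(walkthrough())
```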



6) JavaScript, VBScript and JScript

• A Web page is constructed using a special language called as Hyper Text Markup
Language (HTML). It is a tag-based language. A tag begins with the symbol <> and it ends
with </>.


• Between these boundaries of the tags, the actual information to be displayed on the
user's computer is mentioned. As an example, let us consider how the tag pair <B> and
</B> can be used to change the text font to boldface.

• When a browser comes across this portion of a HTML document, it realizes that the
portion of the text embedded within the <b> and </b> tags need to be displayed in boldface.
Therefore, it displays this text in boldface.

• In addition to HTML tags, a Web page can contain client-side scripts. These are small programs written in scripting languages like JavaScript, VBScript or JScript, which are executed inside the Web browser on the client computer.

• For instance, let us assume that a user visits the Web site of an online bookshop.
Suppose that the Web site mandates that the user must place an order for at least three
books. Then, the web page can contain a small JavaScript program, which can ensure
that this condition is met before the user can place the order. Otherwise, the JavaScript
program would not allow the user to proceed. Note that HTML cannot be used for this
purpose, as its sole purpose is to display text on the client computer in a pre-specified
format. To perform dynamic actions, scripts are needed.

• These scripts can be dangerous at times. Since these scripts are small programs, they can perform a lot of actions on the client’s computer. Although there are restrictions on what a scripting program is allowed to do, incidents of security breaches have been reported in which the scripting languages were blamed.

1.5.5 Dealing with Viruses

Preventing viruses is the best option. However, in today’s world, it is almost impossible to
achieve cent per cent security given that the world is connected to the Internet all the time. We
have to accept that viruses will attack, and we would need to find ways to deal with them.
Hence, we can attempt to detect, identify, and remove viruses. This is shown in Fig. 1.20.

Detection of viruses involves locating the virus, having known that a virus has attacked. Then
we need to identify the specific virus that has attacked. Finally, we need to remove it. For this,
we need to remove all traces of the virus and restore the affected programs/files to their original
states. This is done by anti-virus software.


Fig. 1.20 Virus-elimination steps

Anti-virus software is classified into four generations, as depicted in Fig. 1.21.

Fig. 1.21 Generations of Anti-virus software

The key characteristics of the four generations of anti-virus software are as follows.

1. First Generation

These anti-virus software programs were called simple scanners. They needed a virus signature
to identify a virus. A variation of such programs kept a watch on the length of programs and
looked for changes so as to possibly identify a virus attack.

2. Second Generation


These anti-virus software programs did not rely on simple virus signatures. Rather, they used heuristic rules to look for possible virus attacks. The idea was to look for code blocks that were commonly associated with viruses. For example, such a program could look for an encryption key used by a virus, find it, decrypt and remove the virus, and clean the code. Another variation of these anti-virus programs stored some identification about the file (e.g. a message digest, which we shall study later) and used it to detect changes in the contents of the file.

3. Third Generation

These anti-virus software programs were memory resident. They watched for viruses based on
actions, rather than their structure. Thus, it is not necessary to maintain a large database of virus
signatures. Instead, the focus is to keep watch on a small number of suspect actions.

4. Fourth Generation

These anti-virus software programs package many anti-virus techniques together (e.g.
scanners, activity monitoring). They also contain access control features, thus thwarting the
attempts of viruses to infect files.

There is a category of software called behavior-blocking software, which integrates with the
operating system of the computer and keeps a watch on virus-like behavior in real time.
Whenever such an action is detected, this software blocks it, preventing damages. The actions
under watch can be

● Opening, viewing, modifying, deleting files

● Network communications

● Modification of settings such as start-up scripts

● Attempts to format disks

● Modification of executable files

● Scripting of email and instant messaging to send executable content to others

The main advantage of such software programs is that they are more into virus prevention than
virus detection. In other words, they stop viruses before they can do any damage, rather than
detecting them after an attack.
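As an added example (not code from the lecture notes or from any anti-virus product), the following Python script contrasts the first-generation approach (signature scanning, with a length check) with the second-generation approach of storing a message digest per file and detecting changes against it. The signatures and file contents are constructed for the illustration.

```python
"""Signature scanning (first generation) and digest-based change detection
(second generation) over constructed in-memory sample files.
Added example; not code from the lecture notes or any anti-virus product."""
import hashlib
from typing import Dict, List

# Constructed (hypothetical) virus signatures: byte patterns a first-generation
# scanner would search for. Real signatures are longer and product-specific.
SIGNATURES: Dict[str, bytes] = {
    "demo.sig.alpha": b"\xde\xad\xbe\xef\x90\x90",
    "demo.sig.beta": b"SELF-PROPAGATE",
}


def scan_for_signatures(data: bytes, signatures: Dict[str, bytes] = SIGNATURES) -> List[str]:
    """First generation: return the names of all signatures found in data."""
    return [name for name, pattern in signatures.items() if pattern in data]


def digest(data: bytes) -> str:
    """Message digest used as the file's stored identification (second generation)."""
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: Dict[str, bytes]) -> Dict[str, dict]:
    """Record length and digest of every file while it is known to be clean."""
    return {name: {"length": len(data), "digest": digest(data)} for name, data in files.items()}


def check_integrity(files: Dict[str, bytes], baseline: Dict[str, dict]) -> Dict[str, str]:
    """Compare the current files against the baseline.
    Returns a verdict per file: 'unchanged', 'modified', 'new' or 'missing'."""
    verdicts: Dict[str, str] = {}
    for name, data in files.items():
        if name not in baseline:
            verdicts[name] = "new"
        elif baseline[name]["length"] != len(data) or baseline[name]["digest"] != digest(data):
            # The length check alone is the first-generation variant; the digest
            # also catches modifications that keep the length unchanged.
            verdicts[name] = "modified"
        else:
            verdicts[name] = "unchanged"
    for name in baseline:
        if name not in files:
            verdicts[name] = "missing"
    return verdicts


# Constructed sample "executables": a clean snapshot, then an infected snapshot
# in which parasitic code was appended to prog.exe and a new file was dropped.
CLEAN_FILES = {
    "prog.exe": b"MZ\x90\x00legit program body",
    "util.exe": b"MZ\x90\x00another legit program",
}
INFECTED_FILES = {
    "prog.exe": CLEAN_FILES["prog.exe"] + b"SELF-PROPAGATE payload",
    "util.exe": CLEAN_FILES["util.exe"],                    # untouched
    "dropper.exe": b"MZ\x90\x00\xde\xad\xbe\xef\x90\x90",  # new file
}


def run_demo() -> dict:
    """Baseline the clean snapshot, then examine the infected snapshot both ways."""
    baseline = build_baseline(CLEAN_FILES)
    return {
        "integrity": check_integrity(INFECTED_FILES, baseline),
        "signatures": {n: scan_for_signatures(d) for n, d in INFECTED_FILES.items()},
    }


if __name__ == "__main__":
    for section, result in run_demo().items():
        print(section, result)
```

The digest check flags prog.exe and dropper.exe without knowing any signature, which is why the second generation needs no signature database for change detection; the scanner, by contrast, only finds what it already has a pattern for.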


Review Questions:

1 What is the main difference between a virus and a worm in terms of how they affect a
system?
2 How does a Trojan horse attack differ from a virus attack?
3 What role do cookies play in maintaining state information during web interactions?
4 What is a replay attack, and how can it be used to exploit financial transactions?
5 What is the role of scripting languages like JavaScript in web security threats?
6 Describe the four phases of a virus's lifecycle.

Lecture 5
1.5.6 Specific Attacks

1. Sniffing and Spoofing

On the Internet, computers exchange messages with each other in the form of small groups of
data, called packets. A packet, like a postal envelope contains the actual data to be sent, and the
addressing information. Attackers target these packets, as they travel from the source computer
to the destination computer over the Internet.

These attacks take two main forms: (a) Packet sniffing (also called snooping), and (b) Packet
spoofing.

Since the protocol used in this communication is called Internet Protocol (IP), other names for
these two attacks are (a) IP sniffing, and (b) IP spoofing. The meaning remains the same.

(a) Packet Sniffing Packet sniffing is a passive attack on an ongoing conversation. An attacker
need not hijack a conversation, but instead, can simply observe (i.e. sniff) packets as they pass
by. Clearly, to prevent an attacker from sniffing packets, the information that is passing needs
to be protected in some ways. This can be done at two levels: (i) The data that is traveling can
be encoded in some ways, or (ii) The transmission link itself can be encoded. To read a packet,
the attacker somehow needs to access it in the first place. The simplest way to do this is to
control a computer via which the traffic goes through. Usually, this is a router. However, routers
are highly protected resources. Therefore, an attacker might not be able to attack it, and instead,
attack a less-protected computer on the same path.

(b) Packet Spoofing In this technique, an attacker sends packets with an incorrect source
address. When this happens, the receiver (i.e. the party who receives these packets containing


false addresses) would inadvertently send replies back to this forged address (called spoofed
address), and not to the attacker. This can lead to three possible cases:

(i) The attacker can intercept the reply If the attacker is between the destination and the forged
source, the attacker can see the reply and use that information for hijacking attacks.

(ii) The attacker need not see the reply If the attacker’s intention was a Denial Of Service
(DOS) attack, the attacker need not bother about the reply.

(iii) The attacker does not want the reply The attacker could simply be angry with the host, so
it may put that host’s address as the forged source address and send the packet to the destination.
The attacker does not want a reply from the destination, as it wants the host with the forged
address to receive it and get confused.

2. Phishing

Phishing has become a big problem in recent times. In 2004, the estimated losses due to
phishing were to the tune of USD 137 million, according to Tower Group. Attackers set up fake
Web sites, which look like real Web sites. It is quite simple to do so, since creating Web pages
involves relatively simple technologies such as HTML, JavaScript, CSS (Cascading Style
Sheets), etc. Learning and using these technologies is quite simple. The attacker’s modus
operandi works as follows.

● The attacker decides to create his/her own Web site, which looks identical to a real Web site. For example, the attacker can clone Citibank’s Web site. The cloning is so clever that the human eye will not be able to distinguish between the real (Citibank’s) and fake (attacker’s) site.

● The attacker can use many techniques to attack the bank’s customers. We illustrate the most
common one below.

The attacker sends an email to the legitimate customers of the bank. The email itself appears
to have come from the bank. For ensuring this, the attacker exploits the email system to suggest
that the sender of the email is some bank official (e.g. accountmanager@citibank.com). This
fake email warns the user that there has been some sort of attack on Citibank’s computer
systems and that the bank wants to issue new passwords to all its customers, or verify their
existing PINs, etc. For this purpose, the customer is asked to visit a URL mentioned in the same
email. This is conceptually shown in Fig. 1.22.


Fig. 1.22 Attacker sends a forged email to the innocent victim (customer)

When the customer (i.e. the victim) innocently clicks on the URL specified in the email, he/she
is taken to the attacker’s site, and not the bank’s original site. There, the customer is prompted
to enter confidential information, such as his/her password or PIN. Since the attacker’s fake
site looks exactly like the original bank site, the customer provides this information. The
attacker gladly accepts this information and displays a Thank you to the unsuspecting victim.
In the meanwhile, the attacker now uses the victim’s password or PIN to access the bank’s real
site and can perform any transaction as if he/she is the victim!

3. Pharming (DNS Spoofing)

Another attack, known earlier as DNS spoofing or DNS poisoning, is now called pharming
attack. As we know, using the Domain Name System (DNS), people can identify Web sites


with human-readable names (such as www.yahoo.com), and computers can continue to treat
them as IP addresses (such as 120.10.81.67). For this, a special server computer called a DNS
server maintains the mappings between domain names and the corresponding IP addresses. The
DNS server could be located anywhere. Usually, it is with the Internet Service Provider (ISP)
of the users. With this background, the DNS spoofing attack works as follows.

● Suppose that there is a merchant (Bob) whose site’s domain name is www.bob.com, and the
IP address is 100.10.10.20. Therefore, the DNS entry for Bob in all the DNS servers is
maintained as follows:

www.bob.com 100.10.10.20

The attacker (say, Trudy) manages to hack and replace the IP address of Bob with her own (say 100.20.20.20) in the DNS server maintained by the ISP of a user, say Alice. Therefore, the DNS server maintained by the ISP of Alice now has the following entry:

www.bob.com 100.20.20.20

Thus, the contents of the hypothetical DNS table maintained by the ISP would be changed. A hypothetical portion of this table (before and after the attack) is shown in Fig. 1.24.

When Alice wants to communicate with Bob’s site, her Web browser queries the DNS server
maintained by her ISP for Bob’s IP address, providing it the domain name (i.e. www.bob.com).
Alice gets the replaced (i.e. Trudy’s) IP address, which is 100.20.20.20.

● Now, Alice starts communicating with Trudy, believing that she is communicating with Bob!
Such attacks of DNS spoofing are quite common, and cause a lot of havoc. Even worse, the
attacker (Trudy) does not have to listen to the conversation on the wire! She has to simply be
able to hack the DNS server of the ISP and replace a single IP address with her own!

A protocol called DNSSec (Secure DNS) is being used to thwart such attacks. Unfortunately,
it is not widely used.


Fig. 1.23 Fake PayPal site asking for user’s credit-card details


Fig. 1.24 Effect of the DNS attack

Review Questions

1 What is packet sniffing, and how can attackers gain access to packets in a network?
2 What is the difference between phishing and pharming (DNS spoofing) attacks?
3 How does DNS spoofing allow attackers to redirect a user’s traffic to a malicious site?
4 What are two ways to protect against packet sniffing?
5 What role does the DNS server play in a pharming attack?
6 What is DNSSec, and how does it help prevent DNS spoofing attacks?

Lecture 6

1.6 JAVA Security


• Java was designed in such a way that Java programs are considered safe, as they cannot install, execute or propagate viruses, and because the program itself cannot perform any action that is harmful to the user's computer.
• One of the key attributes of Java is the ability to download Java programs over a network and execute these programs on a different computer within the context of a Java-enabled browser.
• Different developers were attracted to Java with different expectations. As a result, they brought different ideas about Java security. If our only requirement of Java is that it be free from introducing viruses, any release of Java should satisfy that requirement.
• However, if functionality such as digital signatures, authentication and encryption is required, at least release 1.1 of Java must be used.

➢ The Java Sandbox


• Java’s security model is closely associated with the idea of a sandbox model.


A sandbox model allows a program to be hosted and executed, but there are some restrictions in place.
• The developer/end user may decide to give the program access to certain resources. However, in general, they want to make sure that the program is confined to its sandbox. The overall execution of a Java program on the Internet is as shown in Fig 1.25.

Figure 1.25 Steps in execution of a Java program on the Internet


• The chief job of the Java sandbox is to protect a number of resources, and it performs this task at a number of levels:
• A sandbox in which a program can access the CPU, the screen, the keyboard and mouse, and its own memory. This is the basic sandbox. It contains just enough resources for a program to execute.
• A sandbox in which a program can access the CPU and its memory as well as the Web server from which it was downloaded. This is often considered the default state for the sandbox.
• A sandbox in which a program can access the CPU, its memory, its Web server and a set of resources (files, computers, etc.) that are local.
• An open sandbox, in which the program can access whatever resources the host machine can.


➢ Java Application Security


• The broad-level aspects of Java security, and their relation to each other, are as follows.
• The bytecode verifier: The bytecode verifier ensures that Java class files obey the rules of the Java programming language. The bytecode verifier ensures memory protection for all Java programs. However, not all files are required to go through bytecode verification.

• The class loader: Class loaders load classes that are located in Java's default path (called the CLASSPATH). In Java 1.2, the class loaders also take up the job of loading classes that are not found in the CLASSPATH.
• The access controller: In Java 1.2, the access controller allows (or prevents)
access from the core JAVA API to the operating system.
• The security manager: The security manager is the chief interface between the
core Java API and the operating system. It has the ultimate responsibility for
allowing or disallowing access to all the operating system resources. The security
manager uses the access controller for many of these decisions.
• The security package: The security package (that is, classes in the
java.security package) helps in authenticating signed Java classes.
• The key database: The key database is a set of keys used by the security
manager and access Controller to validate the digital signature that comes
along with a signed class file.

➢ Built-in Java Application Security


• From version 1.2, the Java platform itself comes with a Security model built for the
applications it runs. Here, the classes that are found in the CLASSPATH may have to go
through a security check. This allows running of the application code in a sandbox defined
by a user or an administrator. The following points are important:
• Access methods are strictly adhered to
• A program cannot access arbitrary memory locations
• Entities that are declared as final must not be changed
• Variables may not be used before they are initialized
• Array bounds must be checked during all array accesses
• Objects cannot be arbitrarily cast into other object types


1.7 Security Mechanisms, Services and Attacks, A model for Network security


1.7.1 Security Services


A security service is a service that is provided by a protocol layer of communicating open systems and that ensures adequate security of the systems or of data transfers. Alternatively, it is a processing or communication service that is provided by a system to give a specific kind of protection to system resources. X.800 divides these services into five categories and fourteen specific services.

• Authentication

The authentication service is concerned with assuring that a communication is authentic.


In the case of a single message, such as a warning or alarm signal, the function of the
authentication service is to assure the recipient that the message is from the source that it claims
to be from. In the case of an ongoing interaction, such as the connection of a terminal to a host,
two aspects are involved. First, at the time of connection initiation, the service assures that the
two entities are authentic, that is, that each is the entity that it claims to be. Second, the service
must assure that the connection is not interfered with in such a way that a third party can
masquerade as one of the two legitimate parties for the purposes of unauthorized transmission
or reception.
Two specific authentication services are defined in X.800:
• Peer entity authentication: Peer entity authentication is provided for use at the
establishment of, or at times during the data transfer phase of, a connection. It attempts to
provide confidence that an entity is not performing either a masquerade or an unauthorized
replay of a previous connection.
• Data origin authentication: Provides for the corroboration of the source of a data unit.
It does not provide protection against the duplication or modification of data units. This type
of service supports applications like electronic mail, where there are no prior interactions
between the communicating entities.


• Access Control
Access control is the ability to limit and control the access to host systems and
applications via communications links. To achieve this, each entity trying to gain access must
first be identified, or authenticated, so that access rights can be tailored to the individual.
• Data Confidentiality
Confidentiality is the protection of transmitted data from passive attacks. With respect
to the content of a data transmission, several levels of protection can be identified. The broadest
service protects all user data transmitted between two users over a period of time. Narrower
forms of this service can also be defined, including the protection of a single message or even
specific fields within a message.
The other aspect of confidentiality is the protection of traffic flow from analysis. This
requires that an attacker not be able to observe the source and destination, frequency, length, or
other characteristics of the traffic on a communications facility.
• Data Integrity
As with confidentiality, integrity can apply to a stream of messages, a single message, or selected fields within a message. A connection-oriented integrity service, one that deals with a stream of messages, assures that messages are received as sent with no duplication, insertion, modification, reordering, or replays. The connection-oriented integrity service addresses both message stream modification and denial of service. A connectionless integrity service, one that deals with individual messages without regard to any larger context, generally provides protection against message modification only.

We can make a distinction between service with and without recovery. Because the integrity service relates to active attacks, we are concerned with detection rather than prevention. If a violation of integrity is detected, then the service may simply report this violation, and some other portion of software or human intervention is required to recover from the violation. Alternatively, there are mechanisms available to recover from the loss of integrity of data. The incorporation of automated recovery mechanisms is, in general, the more attractive alternative.
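As an added example that is not from the notes or from X.800 itself, the following Python receiver applies a connection-oriented integrity check to a constructed message stream: an HMAC over the sequence number and payload detects modification, and the sequence number detects replay, duplication and reordering. The shared key and the frame format are assumptions made for this illustration.

```python
"""Connection-oriented integrity check over a message stream: detect
modification, replay/duplication and reordering using an HMAC and a
sequence number. Added example, not code from the lecture notes or X.800;
the key and frame format are assumptions for this illustration."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Tuple

KEY = b"constructed-shared-key"   # in practice established by a key exchange


@dataclass(frozen=True)
class Frame:
    seq: int
    payload: bytes
    tag: bytes


def _tag(seq: int, payload: bytes, key: bytes) -> bytes:
    """HMAC over (seq || payload), so neither field can be altered unnoticed."""
    return hmac.new(key, seq.to_bytes(8, "big") + payload, hashlib.sha256).digest()


def protect(seq: int, payload: bytes, key: bytes = KEY) -> Frame:
    """Sender side: attach the integrity tag to the numbered message."""
    return Frame(seq, payload, _tag(seq, payload, key))


class IntegrityReceiver:
    """Verifies each frame and reports violations rather than preventing them,
    which is the detection role the text assigns to an integrity service."""

    def __init__(self, key: bytes = KEY) -> None:
        self.key = key
        self.expected_seq = 0
        self.violations: List[Tuple[int, str]] = []

    def accept(self, frame: Frame) -> bool:
        # Constant-time comparison avoids leaking how many tag bytes matched.
        if not hmac.compare_digest(_tag(frame.seq, frame.payload, self.key), frame.tag):
            self.violations.append((frame.seq, "modification"))  # payload or seq tampered
            return False
        if frame.seq < self.expected_seq:
            self.violations.append((frame.seq, "replay/duplicate"))
            return False
        if frame.seq > self.expected_seq:
            # Either frames arrived out of order or earlier ones were lost/inserted;
            # report it and resynchronise so the stream can continue.
            self.violations.append((frame.seq, "reordering/gap"))
            self.expected_seq = frame.seq + 1
            return False
        self.expected_seq += 1
        return True


def demo() -> List[Tuple[int, str]]:
    """Constructed stream: two good frames, a replayed one, a modified one,
    then a frame that arrives ahead of its turn."""
    f0, f1, f2, f3 = (protect(i, b"msg%d" % i) for i in range(4))
    tampered = Frame(f2.seq, b"msg2-altered", f2.tag)   # content changed, old tag kept
    rx = IntegrityReceiver()
    for frame in (f0, f1, f1, tampered, f3):
        rx.accept(frame)
    return rx.violations


if __name__ == "__main__":
    print(demo())
```

An HMAC keyed with a shared secret gives integrity but not nonrepudiation: either party could have produced the tag, so proving to a third party who sent a message needs a digital signature instead.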
• Nonrepudiation
Nonrepudiation prevents either sender or receiver from denying a transmitted message.
Thus, when a message is sent, the receiver can prove that the alleged sender in fact sent the
message. Similarly, when a message is received, the sender can prove that the alleged receiver
in fact received the message.

Dept of ECE, CEC 2024-25 38



1.7.2 SECURITY MECHANISMS & ATTACKS

Security mechanisms

The mechanisms are divided into those that are implemented in a specific protocol layer, such
as TCP or an application-layer protocol, and those that are not specific to any particular protocol
layer or security service.

SPECIFIC SECURITY MECHANISMS: May be incorporated into the appropriate protocol
layer in order to provide some of the OSI security services.

• Encipherment

The use of mathematical algorithms to transform data into a form that is not readily intelligible.
The transformation and subsequent recovery of the data depend on an algorithm and zero or
more encryption keys.

• Digital Signature

Data appended to, or a cryptographic transformation of, a data unit that allows a recipient of
the data unit to prove the source and integrity of the data unit and protect against forgery (e.g.,
by the recipient).

• Access Control

A variety of mechanisms that enforce access rights to resources.

• Data Integrity

A variety of mechanisms used to assure the integrity of a data unit or stream of data units.

• Authentication Exchange

A mechanism intended to ensure the identity of an entity by means of information exchange.

• Traffic Padding

The insertion of bits into gaps in a data stream to frustrate traffic analysis attempts.

• Routing Control

Enables selection of particular physically secure routes for certain data and allows routing
changes, especially when a breach of security is suspected.

Network Security(21EC742)

• Notarization

The use of a trusted third party to assure certain properties of a data exchange.

PERVASIVE SECURITY MECHANISMS: Mechanisms that are not specific to any
particular OSI security service or protocol layer.

• Trusted Functionality

That which is perceived to be correct with respect to some criteria (e.g., as established by a
security policy).

• Security Label

The marking bound to a resource (which may be a data unit) that names or designates the
security attributes of that resource.

• Event Detection

Detection of security-relevant events.

• Security Audit Trail

Data collected and potentially used to facilitate a security audit, which is an independent review
and examination of system records and activities.

• Security Recovery

Deals with requests from mechanisms, such as event handling and management functions, and
takes recovery actions.

Review Questions:
1. What is the Java sandbox, and how does it protect resources?
2. Describe the function of the security manager in the Java security model.
3. What is the purpose of the key database in Java’s security architecture?
4. What is the difference between peer entity authentication and data origin authentication?
5. Explain how access control is implemented to protect system resources in network
security.
6. What is the purpose of non-repudiation, and how does it prevent denial of message
transmission?

Network Security(21EC742)

Lecture 7
1.7.3 Security Attacks:
A useful means of classifying security attacks is in terms of passive attacks and active attacks.
A passive attack attempts to learn or make use of information from the system but does not
affect system resources. An active attack attempts to alter system resources or affect their
operation.

Passive Attacks

Passive attacks are in the nature of eavesdropping on, or monitoring of, transmissions. The goal
of the opponent is to obtain information that is being transmitted.

Two types of passive attacks are the release of message contents and traffic analysis.

The release of message contents is easily understood (Fig 1.26 a). A telephone conversation, an
electronic mail message, and a transferred file may contain sensitive or confidential
information. We would like to prevent an opponent from learning the contents of these
transmissions.

A second type of passive attack, traffic analysis, is subtler (Fig 1.26 b). Suppose that we had a
way of masking the contents of messages or other information traffic so that opponents, even
if they captured the message, could not extract the information from the message. The common
technique for masking contents is encryption. If we had encryption protection in place, an
opponent might still be able to observe the pattern of these messages. The opponent could
determine the location and identity of communicating hosts and could observe the frequency
and length of messages being exchanged. This information might be useful in guessing the
nature of the communication that was taking place.

Passive attacks are very difficult to detect, because they do not involve any alteration of the
data. Typically, the message traffic is sent and received in an apparently normal fashion, and
neither the sender nor the receiver is aware that a third party has read the messages or observed
the traffic pattern. However, it is feasible to prevent the success of these attacks, usually by
means of encryption. Thus, the emphasis in dealing with passive attacks is on prevention rather
than detection.

Network Security(21EC742)

Fig 1.26 Passive Attacks: (a) Release of message contents; (b) Traffic analysis
Active Attacks
Active attacks involve some modification of the data stream or the creation of a false
stream and can be subdivided into four categories: masquerade, replay, modification of
messages, and denial of service.
A masquerade takes place when one entity pretends to be a different entity (Fig 1.27a).
A masquerade attack usually includes one of the other forms of active attack. For example,
authentication sequences can be captured and replayed after a valid authentication sequence has
taken place, thus enabling an authorized entity with few privileges to obtain extra privileges by
impersonating an entity that has those privileges.

Fig 1.27 Active Attacks: (a) Masquerade; (b) Replay; (c) Modification of messages


Replay involves the passive capture of a data unit and its subsequent retransmission to produce
an unauthorized effect (Figure 1.27 b).

Network Security(21EC742)

Modification of messages simply means that some portion of a legitimate message is altered,
or that messages are delayed or reordered, to produce an unauthorized effect (Fig 1.27 c). For
example, a message meaning "Allow John Smith to read confidential file accounts" is
modified to mean "Allow Fred Brown to read confidential file accounts".

1.7.4 A Model for Network Security

In Fig 1.28, a message is to be transferred from one party to another across some sort of Internet
service. The two parties, who are the principals in this transaction, must cooperate for the
exchange to take place. A logical information channel is established by defining a route through
the Internet from source to destination and by the cooperative use of communication protocols
(e.g., TCP/IP) by the two principals.
Security aspects come into play when it is necessary or desirable to protect the information
transmission from an opponent who may present a threat to confidentiality, authenticity, and so
on. All the techniques for providing security have two components:
• A security-related transformation on the information to be sent. Examples include the
encryption of the message, which scrambles the message so that it is unreadable by the
opponent, and the addition of a code based on the contents of the message, which can be used
to verify the identity of the sender.
• Some secret information shared by the two principals and, it is hoped, unknown to the
opponent. An example is an encryption key used in conjunction with the transformation to
scramble the message before transmission and unscramble it on reception.
A trusted third party may be needed to achieve secure transmission. For example, a third party
may be responsible for distributing the secret information
to the two principals while keeping it from any opponent. Or a third party may be needed to
arbitrate disputes between the two principals concerning the authenticity of a message
transmission.
This general model shows that there are four basic tasks in designing a particular security
service:
1. Design an algorithm for performing the security-related transformation. The algorithm
should be such that an opponent cannot defeat its purpose.
2. Generate the secret information to be used with the algorithm.
3. Develop methods for the distribution and sharing of the secret information.
4. Specify a protocol to be used by the two principals that makes use of the security algorithm
and the secret information to achieve a particular security service.

Network Security(21EC742)

Fig 1.28 Model for Network Security
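The two components of the model (a security-related transformation plus a secret shared by the principals), the connection-oriented integrity service described in 1.7.1, and the replay and modification attacks of 1.7.3 can be seen together in the following added example, which is not part of the original notes or of any textbook. The sender appends a keyed tag (HMAC-SHA256) over a sequence number and the message; the receiver detects modification, masquerade with the wrong key, replay and reordering, but only reports them (integrity service without recovery). The key, the messages and the names protect, IntegrityReceiver and demo are all constructed for this example.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 output size in octets


def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: 4-octet sequence number || payload || HMAC-SHA256 tag.

    The tag is the security-related transformation; the key is the secret
    shared by the two principals and (hopefully) unknown to the opponent.
    """
    header = struct.pack("!I", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class IntegrityReceiver:
    """Receiver side of a connection-oriented integrity service (detection only)."""

    def __init__(self, key: bytes):
        self.key = key
        self.expected_seq = 0  # next sequence number we are willing to accept

    def accept(self, unit: bytes) -> tuple:
        """Return ("ok", payload) or ("reject", reason)."""
        if len(unit) < 4 + TAG_LEN:
            return ("reject", "truncated unit")
        header, payload, tag = unit[:4], unit[4:-TAG_LEN], unit[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            # any altered bit, or a unit built without the shared key, lands here
            return ("reject", "bad tag: modification or masquerade")
        seq = struct.unpack("!I", header)[0]
        if seq < self.expected_seq:
            return ("reject", "replay or duplicate")
        if seq > self.expected_seq:
            return ("reject", "reordered or missing message")
        self.expected_seq += 1
        return ("ok", payload)


def demo() -> list:
    """Constructed message stream: a legitimate exchange with each attack injected."""
    key = b"constructed-shared-secret"  # placeholder key, not a real secret
    rx = IntegrityReceiver(key)
    results = []
    m0 = protect(key, 0, b"Allow John Smith to read confidential file accounts")
    results.append(rx.accept(m0))                        # legitimate -> ok
    tampered = m0.replace(b"John Smith", b"Fred Brown")  # modification of messages
    results.append(rx.accept(tampered))                  # -> bad tag
    results.append(rx.accept(m0))                        # replay of m0 -> replay
    m2 = protect(key, 2, b"second message")
    results.append(rx.accept(m2))                        # arrives before m1 -> reordered
    m1 = protect(key, 1, b"first message")
    results.append(rx.accept(m1))                        # -> ok
    forged = protect(b"opponent-guess", 2, b"masquerade")  # no shared key -> bad tag
    results.append(rx.accept(forged))
    results.append(rx.accept(m2))                        # now in order -> ok
    return results


if __name__ == "__main__":
    for status, detail in demo():
        print(status, detail)
```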

Review Questions:
1. What is the difference between passive and active attacks in network security?
2. What are the two types of passive attacks?
3. Why are passive attacks difficult to detect, and what is the primary defense against
them?
4. What is a masquerade attack, and how does it relate to other forms of active attacks?
5. What are the two main components required to provide security for information
transmission across a network?
6. Why might a trusted third party be needed in a secure transmission?

Lecture 8
1.8 Network Access Control
Network access control (NAC) is an umbrella term for managing access to a network. NAC
authenticates users logging into the network and determines what data they can access and
actions they can perform. NAC also examines the health of the user’s computer or mobile
device (the endpoints).

Elements of a Network Access Control System


NAC systems deal with three categories of components:

Network Security(21EC742)

• Access requestor (AR): The AR is the node that is attempting to access the network and may
be any device that is managed by the NAC system, including workstations, servers, printers,
cameras, and other IP-enabled devices. ARs are also referred to as supplicants, or simply, clients.
• Policy server: Based on the AR’s posture and an enterprise’s defined policy, the policy server
determines what access should be granted. The policy server often relies on backend systems,
including antivirus, patch management, or a user directory, to help determine the host’s
condition.
• Network access server (NAS): The NAS functions as an access control point for users in
remote locations connecting to an enterprise’s internal network. Also called a media gateway,
a remote access server (RAS), or a policy server, an NAS may include its own authentication
services or rely on a separate authentication service from the policy server.
Fig 1.29 is a generic network access diagram. A variety of different ARs seek access to an
enterprise network by applying to some type of NAS. The first step is generally to authenticate
the AR. Authentication typically involves some sort of secure protocol and the use of
cryptographic keys. Authentication may be performed by the NAS, or the NAS may mediate
the authentication process. In the latter case, authentication takes place between the supplicant
and an authentication server that is part of the policy server or that is accessed by the policy
server.
The authentication process serves a number of purposes. It verifies a supplicant’s claimed
identity, which enables the policy server to determine what access privileges, if any, the AR
may have. The authentication exchange may result in the establishment of session keys to
enable future secure communication between the supplicant and resources on the enterprise
network.
Typically, the policy server or a supporting server will perform checks on the AR to determine
if it should be permitted interactive remote access connectivity. These checks—sometimes
called health, suitability, screening, or assessment checks—require software on the user’s
system to verify compliance with certain requirements from the organization’s secure
configuration baseline. For example, the user’s antimalware software must be up-to-date, the
operating system must be fully patched, and the remote computer must be owned and controlled
by the organization. These checks should be performed before granting the AR access to the
enterprise network. Based on the results of these checks, the organization can determine
whether the remote computer should be permitted to use interactive remote access. If the user
has acceptable authorization credentials but the remote computer does not pass the health

Network Security(21EC742)

check, the user and remote computer should be denied network access or have limited access
to a quarantine network so that authorized personnel can fix the security deficiencies.

Fig 1.29 Network Access Control Context


Fig 1.29 indicates that the quarantine portion of the enterprise network consists of the policy
server and related AR suitability servers. There may also be application servers that do not
require the normal security threshold be met.
Once an AR has been authenticated and cleared for a certain level of access to the enterprise
network, the NAS can enable the AR to interact with resources in the enterprise network. The
NAS may mediate every exchange to enforce a security policy for this AR, or may use other
methods to limit the privileges of the AR.
Network Access Enforcement Methods
Enforcement methods are the actions that are applied to ARs to regulate access to the enterprise
network. Many vendors support multiple enforcement methods simultaneously, allowing the
customer to tailor the configuration by using one or a combination of methods. The following
are common NAC enforcement methods.

Network Security(21EC742)

• IEEE 802.1X: This is a link layer protocol that enforces authorization before a port is
assigned an IP address. IEEE 802.1X makes use of the Extensible Authentication Protocol for
the authentication process.
• Virtual local area networks (VLANs): In this approach, the enterprise network, consisting
of an interconnected set of LANs, is segmented logically into a number of virtual LANs. The
NAC system decides to which of the network’s VLANs it will direct an AR, based on whether
the device needs security remediation, Internet access only, or some level of network access to
enterprise resources. VLANs can be created dynamically and VLAN membership, of both
enterprise servers and ARs, may overlap. That is, an enterprise server or an AR may belong to
more than one VLAN.
• Firewall: A firewall provides a form of NAC by allowing or denying network traffic between
an enterprise host and an external user.
• DHCP management: The Dynamic Host Configuration Protocol (DHCP) is an Internet
protocol that enables dynamic allocation of IP addresses to hosts. A DHCP server intercepts
DHCP requests and assigns IP addresses instead. Thus, NAC enforcement occurs at the IP layer
based on subnet and IP assignment. A DHCP server is easy to install and configure, but is
subject to various forms of IP spoofing, providing limited security.
1.9 Extensible Authentication Protocol
The Extensible Authentication Protocol (EAP), defined in RFC 3748, acts as a framework for
network access and authentication protocols. EAP provides a set of protocol messages that can
encapsulate various authentication methods to be used between a client and an authentication
server. EAP can operate over a variety of network and link level facilities, including point-to-
point links, LANs, and other networks, and can accommodate the authentication needs of the
various links and networks. Fig 1.30 illustrates the protocol layers that form the context for
EAP.
Authentication Methods
EAP supports multiple authentication methods. This is what is meant by referring to EAP as
extensible. EAP provides a generic transport service for the exchange of authentication
information between a client system and an authentication server. The basic EAP transport
service is extended by using a specific authentication protocol, or method, that is installed in
both the EAP client and the authentication server. Numerous methods have been defined to
work over EAP. The following are commonly supported EAP methods:

Network Security(21EC742)

• EAP-TLS (EAP Transport Layer Security): EAP-TLS (RFC 5216) defines how the TLS
protocol can be encapsulated in EAP messages. EAP-TLS uses the handshake protocol in TLS,
not its encryption method. Client and server authenticate each other using digital certificates.
Client generates a pre-master secret key by encrypting a random number with the server’s
public key and sends it to the server. Both client and server use the pre-master to generate the
same secret key.

Fig 1.30 EAP Layered Context


• EAP-TTLS (EAP Tunneled TLS): EAP-TTLS is like EAP-TLS, except only the server has
a certificate to authenticate itself to the client first. As in EAP-TLS, a secure connection (the
“tunnel”) is established with secret keys, but that connection is used to continue the
authentication process by authenticating the client and possibly the server again using any EAP
method or legacy method such as PAP (Password Authentication Protocol) and CHAP
(Challenge-Handshake Authentication Protocol). EAP-TTLS is defined in RFC 5281.
• EAP-GPSK (EAP Generalized Pre-Shared Key): EAP-GPSK, defined in RFC 5433, is an
EAP method for mutual authentication and session key derivation using a Pre-Shared Key
(PSK). EAP-GPSK specifies an EAP method based on pre-shared keys and employs secret
key-based cryptographic algorithms. Hence, this method is efficient in terms of message flows
and computational costs, but requires the existence of pre-shared keys between each peer and
EAP server. The set up of these pairwise secret keys is part of the peer registration, and thus,
must satisfy the system preconditions. It provides a protected communication channel when
mutual authentication is successful for both parties to communicate over and is designed for
authentication over insecure networks such as IEEE 802.11. EAP-GPSK does not require any
public-key cryptography. The EAP method protocol exchange is done in a minimum of four
messages.
• EAP-IKEv2: EAP-IKEv2 is based on the Internet Key Exchange protocol version 2 (IKEv2).
It supports mutual authentication and session key establishment using a variety of methods.
EAP-IKEv2 is defined in RFC 5106.
EAP Exchanges
Whatever method is used for authentication, the authentication information and authentication
protocol information are carried in EAP messages.

Fig 1.31 EAP Protocol Exchanges


RFC 3748 defines the goal of the exchange of EAP messages to be successful authentication.
In the context of RFC 3748, successful authentication is an exchange of EAP messages, as a
result of which the authenticator decides to allow access by the peer, and the peer decides to
use this access. The authenticator’s decision typically involves both authentication and
authorization aspects; the peer may successfully authenticate to the authenticator, but access
may be denied by the authenticator due to policy reasons.
Fig 1.31 indicates a typical arrangement in which EAP is used. The following components are
involved:
• EAP peer: Client computer that is attempting to access a network.
• EAP authenticator: An access point or NAS that requires EAP authentication prior to
granting access to a network.
• Authentication server: A server computer that negotiates the use of a specific EAP method
with an EAP peer, validates the EAP peer’s credentials, and authorizes access to the network.

Typically, the authentication server is a Remote Authentication Dial-In User Service
(RADIUS) server.
The authentication server functions as a backend server that can authenticate peers as a service
to a number of EAP authenticators. The EAP authenticator then makes the decision of whether
to grant access. This is referred to as the EAP passthrough mode. Less commonly, the
authenticator takes over the role of the EAP server; that is, only two parties are involved in the
EAP execution.
As a first step, a lower-level protocol, such as PPP (point-to-point protocol) or IEEE 802.1X,
is used to connect to the EAP authenticator. The software entity in the EAP peer that operates
at this level is referred to as the supplicant. EAP messages containing the appropriate
information for a chosen EAP method are then exchanged between the EAP peer and the
authentication server.
EAP messages may include the following fields:
• Code: Identifies the type of EAP message. The codes are Request (1), Response (2), Success
(3), and Failure (4).
• Identifier: Used to match Responses with Requests.
• Length: Indicates the length, in octets, of the EAP message, including the Code, Identifier,
Length, and Data fields.
• Data: Contains information related to authentication. Typically, the Data field consists of a
Type subfield, indicating the type of data carried, and a Type-Data field.
The Success and Failure messages do not include a Data field.
The EAP authentication exchange proceeds as follows. After a lower-level exchange that
established the need for an EAP exchange, the authenticator sends a Request to the peer to
request an identity, and the peer sends a Response with the identity information. This is
followed by a sequence of Requests by the authenticator and Responses by the peer for the
exchange of authentication information. The information exchanged and the number of
Request–Response exchanges needed depend on the authentication method. The conversation
continues until either (1) the authenticator determines that it cannot authenticate the peer and
transmits an EAP Failure or (2) the authenticator determines that successful authentication has
occurred and transmits an EAP Success. Fig 1.32 gives an example of an EAP exchange. Not
shown in the figure is a message or signal sent from the EAP peer to the authenticator using
some protocol other than EAP and requesting an EAP exchange to grant network access. One
protocol used for this purpose is IEEE 802.1X, discussed in the next section. The first pair of
EAP Request and Response messages is of Type identity, in which the authenticator requests

the peer’s identity, and the peer returns its claimed identity in the Response message. This
Response is passed through the authenticator to the authentication server. Subsequent EAP
messages are exchanged between the peer and the authentication server. Upon receiving the
identity Response message from the peer, the server selects an EAP method and sends the first
EAP message with a Type field related to an authentication method. If the peer supports and
accepts the selected EAP method, it replies with the corresponding Response message of the
same type. Otherwise, the peer sends a NAK, and the EAP server either selects another EAP
method or aborts the EAP execution with a failure message. The selected EAP method
determines the number of Request/Response pairs. During the exchange the appropriate
authentication information, including key material, is exchanged. The exchange ends when the
server determines that authentication has succeeded or that no further attempt can be made and
authentication has failed.

Fig 1.32 EAP Message Flow in Pass-Through Mode
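The EAP message format (Code, Identifier, Length, Data with its Type subfield) and the pass-through exchange just described, including the Nak path where the peer rejects the server's first method, as an added example written for these notes rather than taken from RFC 3748 or from any EAP implementation. The names Peer, AuthServer and run_exchange are invented; the Type values are the assigned ones (Identity 1 and Nak 3 from RFC 3748, EAP-TLS 13 from RFC 5216, EAP-TTLS 21 from RFC 5281), and a single Request/Response pair stands in for each method's real multi-message conversation.

```python
import struct

REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4             # Code field values
TYPE_IDENTITY, TYPE_NAK, TYPE_TLS, TYPE_TTLS = 1, 3, 13, 21  # Type field values


def encode(code: int, identifier: int, eap_type=None, type_data: bytes = b"") -> bytes:
    """Build an EAP packet. Length covers Code, Identifier, Length and Data;
    Success and Failure carry no Data field at all."""
    data = b"" if eap_type is None else bytes([eap_type]) + type_data
    return struct.pack("!BBH", code, identifier, 4 + len(data)) + data


def decode(pkt: bytes) -> dict:
    """Parse an EAP packet, rejecting a Length inconsistent with the bytes received."""
    if len(pkt) < 4:
        raise ValueError("shorter than the 4-octet EAP header")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("Length field does not match the packet")
    msg = {"code": code, "id": identifier, "type": None, "type_data": b""}
    if code in (REQUEST, RESPONSE):
        if length < 5:
            raise ValueError("Request/Response needs a Type octet")
        msg["type"] = pkt[4]
        msg["type_data"] = pkt[5:length]
    return msg


class Peer:
    """EAP peer: answers Identity, accepts a supported method, otherwise sends a Nak."""

    def __init__(self, identity: bytes, supported):
        self.identity, self.supported = identity, tuple(supported)

    def respond(self, req: dict) -> bytes:
        if req["type"] == TYPE_IDENTITY:
            return encode(RESPONSE, req["id"], TYPE_IDENTITY, self.identity)
        if req["type"] in self.supported:
            # constructed stand-in for real method data (e.g. a TLS handshake record)
            return encode(RESPONSE, req["id"], req["type"], b"method-data")
        # Legacy Nak: Type-Data lists the method types the peer would accept instead
        return encode(RESPONSE, req["id"], TYPE_NAK, bytes(self.supported))


class AuthServer:
    """Backend (RADIUS-style) server that offers its methods in preference order."""

    def __init__(self, methods):
        self.methods = list(methods)

    def handle(self, resp: dict, next_id: int) -> bytes:
        """Next packet for the peer; Success/Failure reuse the Response's Identifier."""
        if resp["type"] == TYPE_IDENTITY:
            return encode(REQUEST, next_id, self.methods[0])
        if resp["type"] == TYPE_NAK:
            agreed = [m for m in resp["type_data"] if m in self.methods]
            if not agreed:  # nothing in common: abort the EAP execution
                return encode(FAILURE, resp["id"])
            self.methods = agreed
            return encode(REQUEST, next_id, self.methods[0])
        if resp["type"] == self.methods[0]:
            # one Request/Response pair stands in for the method's full conversation
            return encode(SUCCESS, resp["id"])
        return encode(FAILURE, resp["id"])


def run_exchange(peer: Peer, server: AuthServer, max_rounds: int = 8) -> tuple:
    """Authenticator in pass-through mode; returns (outcome, list of (Code, Type))."""
    transcript, ident = [], 1
    pkt = encode(REQUEST, ident, TYPE_IDENTITY)  # the authenticator asks for identity
    for _ in range(max_rounds):
        req = decode(pkt)
        transcript.append((req["code"], req["type"]))
        if req["code"] in (SUCCESS, FAILURE):
            return ("success" if req["code"] == SUCCESS else "failure", transcript)
        resp = decode(peer.respond(req))
        if resp["id"] != req["id"]:
            raise ValueError("Response Identifier does not match the Request")
        transcript.append((resp["code"], resp["type"]))
        ident += 1
        pkt = server.handle(resp, ident)  # passed through unchanged to the backend
    return ("aborted", transcript)
```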

Review Questions

1. What are the three main components of a Network Access Control system?
2. What is the purpose of an AR (Access Requestor) in a NAC system?

Network Security(21EC742)

3. How does a policy server determine what level of access should be granted to an AR?
4. What is the function of a quarantine network in the context of NAC?
6. Describe the difference between EAP-TLS and EAP-TTLS authentication methods.

Question Bank
1. Discuss the four principles of security in detail, each with an example.
2. List the examples of application-level attacks or network-level attacks each of which
has arisen in the real world. (Students can explain any real-time example.)
3. Discuss the active attacks and passive attack in detail.
4. Explain the specific attacks sniffing, spoofing and phishing.
5. Describe the term virus, worms, trojan horse and cookies.
6. What is a worm? What is the significant difference between a worm and a virus?
7. Explain Java sandbox with related diagrams which show detailed steps in the
execution of the java program on the internet.
8. Write a short note on virus and worms
9. What is cookie? Explain its creation and usage of cookies with relevant diagrams.
10. What is packet spoofing? Mention its three possible cases.
11. The sole aim of the attacker is to maximize the financial gain by attacking
computer systems. Identify the attack and further elaborate the different varieties
of same.
12. What is an active attack? Explain in detail how active attacks are classified.
13. With real time examples, discuss phishing and pharming.
14. Explain the attacks in technical view.
15. Explain criminal attacks, publicity attacks and legal attacks.
16. Explain the various generations of anti-virus software.
17. List and briefly define categories of security services.
18. List and briefly define categories of security mechanisms.
19. Explain the model for network security.
20. Provide a brief definition of network access control and the elements of NAC.
21. What is an EAP?
22. List and briefly define four EAP authentication methods.
