Network Security
1. Terminology
A hacker can be:
- A hacker is a cybercriminal or cyberterrorist. They can be divided into a white hat (someone who informs a company before they go public), a gray hat (someone who does not inform anyone unless paid), or a black hat (someone who does not inform anyone and uses the information for personal gain).
- A phreaker is someone who hacks phone systems.
- A virii creates computer viruses (ransomware, spyware, trojans).
- A cracker is someone who breaks into systems for malicious purposes, using tools created by hackers.
- A DDoSer is a participant in a distributed denial of service attack.
- A spammer is a mass-sender of unsolicited spam messages.
- A pirate is someone who distributes copyrighted material without permission.
- A cyberbully is someone who uses the internet to harass others.
- A whistleblower is someone who leaks company secrets to the public.
- A social engineer may use phishing, vishing, smishing or catfishing to gain access to information.
1.1 Black Hat Hacking
A black hat hacker can use one of the following methods:
- Credential reuse or stuffing tests known email and password combinations on other sites.
- Network monitoring or packet sniffing reads messages that were not intended for your NIC.
- A code/SQL injection involves running your own code on someone else's machine.
- A session/cookie hack involves stealing a session cookie to impersonate a user.
- Wardriving involves searching for open / unsecured networks.
- Dumpster checking or trashing involves checking the physical rubbish bins of targets for useful information.
- Clickjacking forces users to click on hidden links or popups.
- Bait & Switch involves luring users to a fake site with ads.
- Spoofing involves pretending to be someone else by faking their IP address, MAC address, or DNS server.
A black hat hacker may use hacking tools such as:
- Rootkits allow attackers to secretly control a computer. Usually installed as a virus.
- Keyloggers allow attackers to record all the keypresses on a system.
- Trojans allow attackers to control a computer remotely.
- Evil Twins allow attackers to lure their victims into using networks they control / own.
- ...
2. Access Control
When a principal sends a request to a resource, the guard controls which principal can access the resource, where the principals are allowed to be located, and what requests principals are allowed to make.
A firewall controls access to a network; it is a security gateway between the internal and external network. It can be one of:
- Stateless packet filter: checks the IP addresses and ports of each packet on its own.
- Stateful packet filter: remembers connections and checks current packets against previous ones.
- Circuit level gateway: fully takes over the host's communication and decides what to allow or block.
- Proxy server: runs on the network and can protect an entire LAN. It also performs caching.
- Application level gateway: runs on the host and can only protect that host.
- Hybrid firewall.
Firewalls can be software based or hardware based.
2.1 Access Via Proxy
A proxy can filter incoming / outgoing traffic. A private network is only accessible via a proxy. It can operate in three modes:
- Normal: The client is aware of the proxy, and needs to be set up for it.
- Transparent: The client is not aware of the proxy, and the router takes care of everything.
- Reverse: It runs on the receiving side, impersonating senders (CDN load balancing).
2.2 Bastion Hosts
A bastion host expects to be attacked. It performs auditing / logging, and should run a trusted / secure OS. It only runs necessary services, and should be isolated from the rest of the network. It should be monitored, and should be able to detect and respond to attacks.
A bastion host may act as a proxy firewall - in the midst of a logical connection, can filter based on message content, scan for data leaks, and even rewrite data.
2.3 Stateful Inspection
A stateful inspection firewall keeps track of the state of active connections. It:
- Relays connections and maintains connection state.
- Authenticates users.
- Drops connections based on destination, incorrect connection packets, time, volume, etc.
- Useful for logging / auditing / monitoring.
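The difference between a stateless packet filter (section 2) and the connection tracking described above, shown on a constructed packet trace. This is an added example, not part of the original notes; the Packet model, the rule set and the addresses are this example's own choices.

```python
"""Stateless vs stateful filtering over a constructed packet trace."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # "SYN", "SYN-ACK", "ACK"
    direction: str      # "out" (LAN -> internet) or "in" (internet -> LAN)


def stateless_filter(pkt: Packet) -> bool:
    """Decides on each packet alone: outbound is allowed, inbound only if it
    does not try to open a connection (no bare SYN). It cannot tell a real
    reply from an unsolicited inbound packet that merely carries ACK."""
    if pkt.direction == "out":
        return True
    return pkt.flags != "SYN"


class StatefulFilter:
    """Remembers outbound connections and admits an inbound packet only
    when it belongs to one (the 'maintains connection state' rule)."""

    def __init__(self):
        self.table = set()  # (lan_host, lan_port, remote_host, remote_port)

    def allow(self, pkt: Packet) -> bool:
        if pkt.direction == "out":
            if pkt.flags == "SYN":
                self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table


TRACE = [  # constructed sample traffic (documentation/test addresses)
    Packet("10.0.0.5", 51000, "93.184.216.34", 443, "SYN", "out"),
    Packet("93.184.216.34", 443, "10.0.0.5", 51000, "SYN-ACK", "in"),  # real reply
    Packet("198.51.100.7", 443, "10.0.0.5", 51000, "ACK", "in"),       # unsolicited
    Packet("198.51.100.7", 40000, "10.0.0.5", 22, "SYN", "in"),        # unsolicited SYN
]


def run(trace):
    """Return (stateless_decision, stateful_decision) for every packet."""
    sf = StatefulFilter()
    return [(stateless_filter(p), sf.allow(p)) for p in trace]


if __name__ == "__main__":
    print(run(TRACE))  # [(True, True), (True, True), (True, False), (False, False)]
```

The third packet is the instructive one: the stateless filter passes it because it only looks at the flags, while the stateful filter drops it because no outbound connection to 198.51.100.7 was ever recorded.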
2.4 IDS, IPS, NGFW, UTM
- Intrusion Detection System (IDS): Software that detects intrusions (e.g. DDoS), but does nothing to stop them except informing the system.
- Intrusion Prevention System (IPS): Software that detects intrusions (e.g. SYN flood) and stops them. May include or work with an IDS.
- Next Generation Firewall (NGFW): A stateful firewall that comes with an IPS / IDS system in addition to ACL mechanisms.
- Unified Threat Management (UTM): Similar to NGFW, but with more capabilities, such as antivirus, antispam, and content filtering.
2.5 Port Forwarding
A demilitarized zone (DMZ) is the neutral zone between the internal and external network. All non-DMZ hosts are hidden / protected behind the gateway / router / firewall. The router uses NAT to get external messages to the correct internal host. To expose an internal host, we have to use port forwarding.
Port forwarding lets the router know that packets for certain ports should be forwarded directly to an internal host / port. This should be done with caution, as it can expose your network to attacks. It is useful to host servers on your network, such as a web server, mail server, or game server.
2.6 Getting Around Firewalls
- Often, non-standard services are blocked by a firewall. If ssh is allowed, you can use it to tunnel through a firewall. For example, ssh -g -N -L 1433:test:1433 user@host will forward all traffic from port 1433 on the local machine, via the ssh host, to port 1433 on the host test.
- Alternatively, you could spoof a MAC address.
- You could also spoof an IP address, but a stateful firewall will probably catch it.
- You could use a VPN, so a firewall won't know what you are doing, as long as your tunnel is secure.
3. Encryption
We work with a ciphertext
In secret-key or symmetric encryption,
When
Although asymmetric encryption is slower, it is much more secure.
3.1 Diffie-Hellman
We must exchange keys used for encryption, over a public, unsecured channel:
- Bob and Alice agree on a generator and a large prime number.
- Bob chooses a secret number, and Alice chooses a secret number.
- They use their secret value to calculate a public value, and exchange it.
- They then use each other's public value to calculate a shared secret key.
An alternative solution is to use a trusted key server to distribute keys. This is more secure, but requires a trusted third party.
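The exchange described above, carried through with toy numbers so every step can be checked by hand. This is an added example, not part of the original notes; the prime 23, the generator 5 and both secret exponents are constructed values (real deployments use primes of 2048 bits or more).

```python
"""Toy Diffie-Hellman key agreement over a public channel."""
from typing import Optional


def dh_public(g: int, secret: int, p: int) -> int:
    """Public value sent over the insecure channel: g^secret mod p."""
    return pow(g, secret, p)


def dh_shared(peer_public: int, secret: int, p: int) -> int:
    """Shared key derived from the peer's public value: peer^secret mod p."""
    return pow(peer_public, secret, p)


def dh_exchange(p: int, g: int, a: int, b: int) -> dict:
    """Run the whole exchange: Alice holds a, Bob holds b; only p, g and the
    two public values cross the wire. Returns every value so the caller can
    confirm both sides derive the same key."""
    A = dh_public(g, a, p)  # Alice -> Bob
    B = dh_public(g, b, p)  # Bob -> Alice
    return {
        "public_alice": A,
        "public_bob": B,
        "key_alice": dh_shared(B, a, p),
        "key_bob": dh_shared(A, b, p),
    }


def eavesdropper_recovers_secret(p: int, g: int, public: int) -> Optional[int]:
    """What a passive listener holding (p, g, A) must do to get a secret:
    solve g^x = A mod p. Trial search is instant for a toy prime and
    infeasible for a real-sized one, which is why p must be large."""
    for x in range(1, p):
        if pow(g, x, p) == public:
            return x
    return None


if __name__ == "__main__":
    p, g = 23, 5  # constructed toy parameters
    result = dh_exchange(p, g, a=6, b=15)
    print(result)  # public_alice 8, public_bob 19, both keys 2
    print(eavesdropper_recovers_secret(p, g, result["public_alice"]))  # 6
```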
3.2 Hashing
A hash function is a function that maps data of arbitrary size to a fixed size. It is a one-way function, meaning that it is easy to calculate the hash of a message, but hard to find a message that hashes to a given value. It is also hard to find two messages that hash to the same value. The hash value is a fixed size alphanumeric string.
Websites may store a password hash for authentication instead of the password itself. Rainbow tables can be used to quickly look up precomputed hash values, so websites may use password salting so that such precomputed tables no longer apply (e.g. hash(password + salt)).
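Salted storage of the form hash(password + salt) as described above, with a toy precomputed table to show why the salt defeats it. This is an added example, not part of the original notes; the "salt$hexdigest" record format, the helper names and the sample password are this example's own choices.

```python
"""Salted password records and a toy precomputed-hash lookup."""
import hashlib
import hmac
import secrets


def hash_password(password: str, salt: str = None) -> str:
    """Return a record "salt$hash" using hash(password + salt). A fresh
    random 16-byte salt is drawn unless one is supplied (a fixed salt is
    only useful for tests and reproducible demos)."""
    if salt is None:
        salt = secrets.token_hex(16)
    digest = hashlib.sha256((password + salt).encode()).hexdigest()
    return f"{salt}${digest}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt, stored = record.split("$", 1)
    digest = hashlib.sha256((password + salt).encode()).hexdigest()
    return hmac.compare_digest(digest, stored)


def precomputed_table_hits(records: list, table: dict) -> int:
    """Count records a precomputed hash -> password table resolves directly.
    The table was built from hash(password) alone, so it only matches
    records whose salt is empty."""
    return sum(1 for r in records if r.split("$", 1)[1] in table)


if __name__ == "__main__":
    # Constructed demo: two users chose the same weak password.
    unsalted = hash_password("password123", salt="")   # "$<sha256>"
    table = {unsalted[1:]: "password123"}               # toy "rainbow table"
    salted = [hash_password("password123") for _ in range(2)]
    print(precomputed_table_hits([unsalted, unsalted], table))  # 2
    print(precomputed_table_hits(salted, table))                # 0
    print(salted[0] != salted[1])                 # True: different salts
    print(verify_password("password123", salted[0]))  # True
```

Production systems pair the salt with a deliberately slow key derivation function rather than a single SHA-256 round, so that guessing each password also costs the attacker real time.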