Archive for July, 2006
An Intrusion Detection System (IDS), as its name suggests, is used to detect network anomalies.
It is nothing but a combination of software and hardware used for network and host monitoring. If you are a network administrator and you have the habit of regularly checking your server logs, workstation login details, and/or firewall access logs, then you are already doing intrusion detection.
An IDS is made to assist you in this process. There are two types of device: Network Based and Host Based.
A Network Based IDS uses a sniffer engine as the component that captures network packets in a subnet. The sniffer is a network tap connected to a particular network segment using a network device in promiscuous mode. It captures and retains the packets and sends them to an analyzing engine for analysis.
A Network Based IDS can be made up of many sniffer taps connected at various segments of your network. They collect the network packet information and send it all back to the analyzing engine for one-stop analysis.
The analyzing engine operates by comparing the packet information to known network misuse patterns and deciding whether there is any potential danger of network attack.
An IDS relies on network attack signature files that guide the analyzing engine in its lookup. So it works like an anti-virus program: if your pattern file is smart, it works smart. If it is dumb, it does not work either. So you need to constantly update and refine the pattern file according to your own network traffic pattern and usage.
A Host Based Intrusion Detection device works by running on a host (usually a server, but you can also use it on a particular suspicious workstation) and analysing the host with the Host Based IDS software.
The drawback of a Host Based IDS is, therefore, the unavoidable modification of the host (because you have to install the IDS software on it), and you need different versions of the IDS software for hosts running different operating systems.
But a Host Based IDS can be made to monitor host-related suspicious activity more precisely, and it also achieves a higher level of monitoring (at the application level) than a Network Based IDS.
There are many myths about IDS. Let’s talk more about this later.
Screened Subnet Architecture refers to setting up a firewall (or two firewalls) in such a way that there is a separate subnet dedicated to a network demilitarized zone (DMZ). Traffic coming from the external Internet can only get to the DMZ, whereas traffic from internal users passes through the DMZ before it reaches the Internet.
Bastion Hosts are hosted in the DMZ. Those hosts are designed to serve external visitors who would like to request services from the network owners. HTTP, FTP and SMTP are common services provided by Bastion Hosts in the DMZ. Since Bastion Hosts are meant to support access by external users, they have to be hardened against possible Internet attacks.
The DMZ follows the security concept of layered defence. Even if external hackers succeed in compromising the Bastion Hosts, they still need to figure out a way to get into the internal network. This extra layer adds difficulty because all externally facing servers are in the DMZ. Hackers are unlikely to have any direct access to hosts in the internal network.
The most direct way to set up a DMZ is to use two firewalls with two network interfaces each. One firewall is connected to the internal network and the other one to the external Internet. The two firewalls are then joined together using their remaining interfaces to form a subnet called the DMZ.
Another solution is to use one firewall with three network interfaces. One interface is connected to the Internet, another to the internal network and the last one to a DMZ subnet. In this way, we can configure the firewall rules to operate the DMZ as a middle network between the external and internal networks.
A firewall is a perimeter security device. A perimeter security device is only good at protecting the internal network from external attack. That means that if an intrusion originates from the internal network, the firewall cannot deal with it.
Statistics show that most network attacks on an organization come from internal employees and hence most likely come from the internal network. A firewall cannot handle this kind of network attack.
To complement the firewall's limitation in dealing with internal network attacks, we need other devices such as an Intrusion Detection System (IDS), and of course other common security measures in areas like physical security.
A firewall cannot operate properly without careful configuration. It is actually a device that helps realize your company’s (or home’s) Internet Access Policy.
Who decides the Internet Access Policy? The information owner! Many people mistakenly think this is done by the company’s system administrator. That is wrong. The administrator’s role is to help implement the firewall policy according to the intention of the company’s senior management. It is, after all, not the administrator’s call whether a particular service is allowed or not during a particular period of time.
Since the firewall is the gatekeeper between your company’s internal network and the Internet, it is an important device that you need to put resources into protecting. If it is compromised, the intruder can potentially get direct access to the internal network.
What can be improved so that the susceptibility of alphabetic substitution methods like Caesar Cipher and Monoalphabetic Substitution to frequency analysis attack can be removed?
We can use a different encryption mapping for each letter, according to its position in the message. Suppose we have the sentence again
ATTACK STARTS ON SEVEN TONIGHT
We now have three different sets of mappings for the alphabet:
- Plaintext: ABCDEFGHIJKLMNOPQRSTUVWXYZ
===================================
- Mapping 1: IXSYJECTFHRVBZUAKQWDNLOPMG
- Mapping 2: NFMXGLOYCAPRWQSVBDEHTZJIUK
- Mapping 3: ABGQHRLSCDMOTNUZEFIPVYJWXK
We encrypt the first letter of the above message with mapping 1, the second letter with mapping 2, the third with mapping 3, the fourth with mapping 1 again, and so on and so forth.
So the encrypted message is
IHPIMM QHPIDPW ……………….
This is called Polyalphabetic Substitution Encryption.
This encryption removes the problem of a particular letter always being mapped to the same other letter, as happens in the monoalphabetic and Caesar ciphers, and hence renders the Frequency Analysis Attack unusable.
Suppose we have, say, 9 different mapping systems. If we encrypt a message using a key of, say, 34135, that means we encrypt the first letter using the third mapping, the second letter using the fourth, the third letter using the first, the fourth letter using the third again, and the fifth letter using the fifth. The third mapping is then used again for the sixth letter.
So decryption is easy if we have the key ‘34135’ and the nine mapping systems, which must be shared between the sender and the receiver.
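The scheme above as an added example (not code from the original post): the three mappings are the ones listed in the post, and the key is a string of 1-based mapping numbers such as ‘123’ or ‘34135’. The function names, and the choice that only letters advance the key while spaces pass through unchanged, are assumptions of this example.

```python
import string

ALPHABET = string.ascii_uppercase
# The three substitution alphabets listed in the post (mappings 1, 2, 3).
MAPPINGS = [
    "IXSYJECTFHRVBZUAKQWDNLOPMG",
    "NFMXGLOYCAPRWQSVBDEHTZJIUK",
    "ABGQHRLSCDMOTNUZEFIPVYJWXK",
]


def _tables(mappings, decrypting):
    """Build one lookup table per mapping, inverted when decrypting."""
    tables = []
    for m in mappings:
        if sorted(m) != list(ALPHABET):
            raise ValueError(f"mapping is not a permutation of A-Z: {m}")
        tables.append(dict(zip(m, ALPHABET) if decrypting else zip(ALPHABET, m)))
    return tables


def _apply(text, key, tables):
    # Each key digit is the 1-based number of the mapping to use next.
    order = [int(d) - 1 for d in key]
    if not order or any(not 0 <= i < len(tables) for i in order):
        raise ValueError("key must name only mappings that exist")
    out, n = [], 0
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(tables[order[n % len(order)]][ch])
            n += 1  # assumption: only letters advance the key
        else:
            out.append(ch)  # spaces and punctuation pass through
    return "".join(out)


def encrypt(plaintext, key, mappings=MAPPINGS):
    return _apply(plaintext, key, _tables(mappings, decrypting=False))


def decrypt(ciphertext, key, mappings=MAPPINGS):
    return _apply(ciphertext, key, _tables(mappings, decrypting=True))


def images(plaintext, key, letter):
    """Set of ciphertext letters that one plaintext letter is turned into."""
    ciphertext = encrypt(plaintext, key)
    return {c for p, c in zip(plaintext.upper(), ciphertext) if p == letter}
```

With key ‘123’ the word ATTACK encrypts to IHPIMM, and a key such as ‘34135’ is rejected here because only three mappings are defined.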
To improve Caesar Cipher Encryption, we can map each letter to another one in a non-sequential manner. For example, A can be mapped to D while B can be mapped to R, and so on, with each of the remaining letters mapped to a different letter. Recall that Caesar Cipher has a key space of 25; Monoalphabetic Substitution can have a key space of 26 x 25 x 24 x ... x 1, i.e. 26! (This time we make a different assumption: we assume that a letter can be mapped to itself.)
26! is roughly equal to 4.03291461 × 10^26
So this improvement greatly increases the number of possible keys and hence the work factor of a brute force attack. Unfortunately, since each letter is still tied to one other letter in the encryption process, Monoalphabetic Substitution is still susceptible to Frequency Analysis Attack.
Can we do anything more to improve it?
One piece of information is truly important when conducting a Cryptographic Attack: the nature of the plaintext. Is it a sentence in a particular language? Or is it some software code? If we know the fundamental nature of the plaintext, then our code breaking job could be a bit easier.
If it is written in a commonly used language, then we can use the unique characteristics of that language to help deduce the plaintext. One popular method is frequency analysis. In languages of Latin origin, we know that certain letters appear more frequently than others.
In English, we should know that the vowels ‘a’, ‘e’, ‘i’, ‘o’, ‘u’ appear more often than other letters.
And if we run the analysis on a particular language for long enough, we can derive a table of the relative frequency of each letter in that language.
So if a message in a particular language is encrypted using a substitution method like Caesar Cipher, we can easily break the code using frequency analysis if we know the original language used in the plaintext.
In cryptographic study, we know the simplest way to conceal information is by ‘substitution’. You replace the original word/letter by another word/letter ‘systematically’. The word ‘systematically’ has to be there because you need a way to decrypt the concealed message.
In the Latin alphabet, we replace each letter by another one sequentially, as below:
A replaced by D
B replaced by E
C replaced by F
………………………. and so on and so forth.
In this way, a message originally written as
ATTACK STARTS ON SEVEN TONIGHT
becomes
DWWDFN VWDUWV ……………..
And the key is 3, for we ‘shifted’ each letter by three positions.
So decryption is easy: we just shift each letter back by three positions in the reverse direction to decrypt the ciphertext.
This encryption method is so naive that an attacker can easily uncover the message by brute force attack. Why? Because there are only 25 possible keys for this encryption. A can be shifted by at most 25 different positions, and so can B, C, D, etc.
So an attacker can literally try all possible keys to break the encryption.
Other than that, can you think of another attack method that can uncover the plaintext encrypted by Caesar Cipher?
It is the Frequency Analysis Attack method…