BestInternetSecurity.net

Intrusion Detection System (IDS), as its name suggests, is used to detect network anomalies.

It is nothing but a combination of software and hardware used to network and host monitoring. If you are a network administrator, and you have the habit of regularly checking your server log, workstation login details, and/or firewall access logs. Then you are already doing intrusion detection.

IDS is made to assist you in this process. It is divided into two types of devices : the Network Based and Hosted Based device.

Network Based IDS comprises of a sniffer engine as the component to capture network packets in a subnet. Sniffer is a network tap connected to a particular network segment using a network device in promiscuous mode. It captures and retains the packets to be sent to a analyzing engine for analysis.

A Network Based IDS can be comprised of many sniffer taps connected at various segments of your network. They collect the network packet information and send them all back to the analyzing engine for one-stop analysis.

The analyzing engine operates by comparing the packet information to known network misuse patterns and decide if they is any potential danger of network attacks.

IDS operates by basing on the network attack signature files that guide the analyzing engine to do the lookup. So it works like anti-virus program, if your pattern file is smart, it works smart. If it is dump, it does not work either. So you need to constantly update and refine the pattern file as per your unique network traffic pattern and usage.

Host Based Intrusion Detection device works by operating itself on a host (usually a server but you can use it on a particular suspicious workstation) and anlayse the host with the Host Based IDS software.

The drawback of Host Based IDS is, thus, the unavoidable modification of the host (because you have to install the IDS software to it) and you need different version of IDS software for different hosts of different OS.

But Host Based IDS can be made to conduct more precise monitoring on the host related suspicious activities and it also achieve a higher level of monitoring (on application level) than Network Based IDS.

There are many myths about IDS. Let’s talk more about this later.

Screened Subnet Architecture refers to setup a firewall (or two firewalls) in a way that there is a separate subnet dedicated for network di-militarized zone (DMZ). The traffic comes from external Internet can only get to the DMZ whereas internal users can access the DMZ only before their traffic going to reach Internet.

Bastion Hosts are hosted in the DMZ. Those hosts are designed to serve external visitors who would like to request services from the network owners. HTTP, FTP and SMTP services are common services provided by Bastion Hosts in DMZ. Since Bastion hosts are aimed at supporting external users’ access, they have to be built against possible Internet attacks.

DMZ is setup in the security concept of layered defending. External hackers, even though they can potentially hack those Bastion hosts in success, they still need to figure out the way to get into the internal networks. This extra layer adds difficulty because all external servers are in DMZ. Hackers are unlikely have any direct access to any hosts in the internal network.

To setup DMZ, the most direct way is to use two firewalls with two network interfaces each. One Firewall is connected to internal network and the other one connected to external Internet. These two firewalls are then joined together using their remaining interface to form a subnet called DMZ.

Another solution is to use a Firewall with three network interfaces. One interface is connected to Internet, the other one to internal network and the last one to a DMZ subnet. In this way, we can configurate the firewall rule to operate the DMZ as a middle network between external and internal network.

Firewall is a perimeter security device. A perimeter security device is only good at protecting the internal network from external attack. That means if an intrusion originates from internal network, then firewall cannot deal with it.

Statistics shows that most of the network attacks of an organization comes from internal employee and hence most likely comes from internal network. Firewall cannot handle this kind of network attacks.

To compliment Firewall’s limitation in dealing internal network attacks, we need other devices like Intrusion Detection System (IDS), and of course other common security measures in areas like physical security.

Firewall cannot operate properly without careful configuration. It is actually a device that help realize your company (or home)’s Internet Access Policy.

Who decides the Internet Access Policy? The information owner! Many people mistaken this to be done by the company’s system administrator. It is wrong. The administrator’s role is to help implementing the firewall policy as per company’s senior management’s intention. It is afterall not the administrator’s call whether a particular service is allowed or not during a particualr period of time.

Since firewall is the gatekeeper between your company’s internal network with the Internet, it should be an important device that you need to put resources to protect. If it is compromised, the intruder can potentially get the direct access to internal network.

What can be improved so that the the susceptibility to frequency analysis attack problems of alphabetic subsitution methods like Caesar Cipher and Monalphabetic Substituion can be removed?

We can use a different set of encryption mapping in the order of each alphabet encryption. Suppose we have the sentence again

ATTACK STARTS ON SEVEN TONIGHT

We now have three different set of mappings for:

• ABCDEFGHIJKLMNOPQRSTUVEXYZ

===================================

• IXSYJECTFHRVBZUAKQWDNLOPMG
• NFMXGLOYCAPRWQSVBDEHTZJIUK
• ABGQHRLSCDMOTNUZEFIPVYJWXK

We map first of the above message’s alphabet to mapping 1, then second alphabet to mapping 2 and then the third one to mapping 3 and the fourth one back to mapping 1 and so on and so forth…..

So the encrypted message is

IHPIMM QHPIDPW ……………….

this is called Polyalphabetic Substituion Encryption

This encryption defeats the problem of a constant mapping of a particular alphabet to another alphabet as in the monoalphabetic and caesar cipher. And hence renders the Frequency Analysis Attack to unusable.
If we have, say 9 different mapping systems. Then if we encrypt a message using a key of say 34135, that means we encrypt the message using the third mapping for first alphabet and then the fourth one for second, the first one for the third alphabet, the third one again for the fourth alphabet and the fifth one for the fifth alphabet. The third one would be used again for the sixth alphabet.

So the decryption is easy if we have the key ‘34135’ and the nine set of mapping systems that should be shared among the sender and the receiver.

To improve Caesar Cipher Encryption, we can assign each alphabet with another one in an non-sequential manner. For example A can be mapped to D while B can be mapped to R, and so are the rest being mapped to a different alphabet. Recall that Caesar Cipher has a key space of 25, Monoalphabetic Substitution can have a key space of 26 x 25 x 24 x…….x 1, i.e. 26! (This time we have a different assumption, we assume that each alphabet can be mapped to itself).

26! is roughly equal to 4.03291461 × 10²⁶

So this improvement greatly increases the possible key combinations and hence the work factor of brute force attack. Unfortunately, since each alphabet is still tied to another alphabet in the encryption process, so Monoalphabetic Subsitution is still susceptible to Frequency Analysis Attack

Can we do anything more to improve it?

One information that is truly important when conducting Cryptographic Attack, it is: the nature of the plaintext. Is it a sentence of a particular language? or is it of some software code? If we know the fundamental nature of the plaintext, then our code breaking job could be a bit easier.

If it is of a commonly used language, then we can use the very unique characteristic of that language to help deducing the plaintext. One popular method is frequency analysis. In the languages of Latin origin, we know that certain alphabets are of higher frequency of appearance than others.
In English, we should know that the vowels – ‘a’, ‘e’, ,’i’, ‘o’, ‘u’ appear more often than other alphabets.

And if we run analysis of a particular language long enough, we can deduce a table of relative frequency of each alphabet appearing in that language.

So if a particular language message is encrypted using substitution method like Caesar Cipher, we can easily break the code using frequency analysis if we know the original language used in the plaintext.

In cryptographic study, we know the simpliest way to conceal the information is by ‘substitution’. You replace the original word/alphabet by another word/alphabetic ‘systematically’. The word ‘systemtically’ have to be in place because you need a way to decrypt the concealed message.

In Latin language system, we use a alphabet to replace another one sequentially as below:

A replaced by D

B replaced by E

C replaced by F

………………………. and so on and so forth.

In this way, a message originally written as

ATTACK STARTS ON SEVEN TONIGHT

becomes

DWWDFN VWDUWV ……………..

And the key is 3 for we ‘shifted’ three alphabets for each alphabet.

So the decryption is easy, we just shift back the three alphabets in the reverse direction to decrypt the ciphertext.

This encryption method is too naive that an attacker can easily uncover the message by brute force attack. Why? It is because there are only 25 possible keys for this encryption. A can be shifted by at most 25 different positions and so is B, C and D, etc.

So an attacker can literally try all possible keys to break the encryption.

Other than that, can you think of another attack method that can uncover the plaintext encrypted by Caesar Cipher ?

It is Frequency Analysis Attack method…

The main idea of cryptography is that a group of people can use private knowledge to keep written messages secret from everyone else.

The original message sent is called PLAINTEXT. The message encrypted is called the CIPHERTEXT . In both encryption and decryption process, we need a KEY to be incorporated into the process.
What is KEY?

Your own door lock is mass-produced by a company. The point is that you own a key which is different from the others who also own a door lock from the same company (the same model). Therefore, even though the mechanism to build the door lock and the internal structure of the door lock is well known to the others, your own house is secured for you own the door lock with the specific key combination design in it that only you in the World who owns the particular key can open it (theoretically !).

This is the security concept that Leon Battista Alberti, the famous Italian Renaissance architect, brought to cryptography in 1466 where he invented the cryptographic key. Everyone can have the same brand lock but with different key.

KEY solves the problem of moving in and out of a private group. If Tom and May share a key, they want to let Philip to join their conversation, they can simply pass the key to him. If later on, they find Philip is un-trustworthy, they can simply change the key without telling Philip and Philip would be immediately out of the subsequent conversation.

Technorati Tags: Cryptographic Key, Information Security

Availability is a complete different concern from Confidentiality and Integrity. It focuses on the data’s availability when a user needs it. Its aim is easy to understand but the measures to achieve availability could be very costly.

Since the September 11th attack, organizations tend to pay more effort and investment in maintaining the continuation of the business operation after unexpected incidents. It is now commonly named as Business Continuity Planning (BCP). BCP is not only about the Availability of the information system (what we used to name it as Diaster Recovery Planning) but also the ability to keep the whole business operation run without interruption.

In information system management, to achieve Availability requires an organization to impose security measures like redundant IT infrastructure, proper information backup, data protection policy and many Internet security defenses particularly to fight against the Denial of Service (DOS) Attack and Distributed Denial of Service (DDOS)Attack, etc.

The measures of redundant infrastructure could be particularly costly if it involves the setup of a ‘warm site’ -  the site with complete duplicated IT installations ready to be put into operation once the main site is in jeopardy.Technorati Tags: Information System Availability, Information Security