Unit3 - Subjective Questions

A Firewall is a network security device or software that monitors and filters incoming and outgoing network traffic based on an organization's previously established security policies. It acts as a barrier between a trusted internal network and an untrusted external network (like the Internet).

Difference between Packet Filtering and Stateful Inspection:

• Packet Filtering Firewalls:

  • Mechanism: These work at the Network layer (Layer 3) and Transport layer (Layer 4). They examine individual packets in isolation based on rules defined by IP addresses, ports, and protocols.
  • Pros: High speed and low resource usage.
  • Cons: They are stateless; they do not remember previous packets. If a packet matches a rule, it is allowed, making them vulnerable to IP spoofing attacks.

• Stateful Inspection Firewalls:

  • Mechanism: These operate at the Network, Transport, and Application layers. They track the state of active connections (e.g., TCP streams) in a state table.
  • Pros: They are context-aware. They can determine if a packet is part of an existing, established connection or a new request. This makes them significantly more secure against spoofing and scanning.
  • Cons: Slower than simple packet filtering due to the overhead of maintaining state tables.

Server Hardening is the process of enhancing server security by reducing the 'attack surface'—the sum of all potential points where an unauthorized user can try to enter data or extract data from a system. The goal is to eliminate vulnerabilities and maximize security configuration.

Five Essential Techniques:

1. Update and Patch Management: Regularly update the kernel and installed software packages to fix known security vulnerabilities.
2. Disable Unnecessary Services: Identify and stop services or daemons that are not required for the server's function to close unused open ports.
3. Configure Firewalls: Implement a firewall (e.g., iptables or ufw) to restrict incoming and outgoing traffic to only necessary ports (e.g., allow 80/443 for web, 22 for SSH).
4. Secure SSH Access: Disable root login via SSH, use key-based authentication instead of passwords, and change the default port (22) to a non-standard port.
5. Principle of Least Privilege: Ensure users and processes run with the minimum permissions necessary to perform their tasks. Avoid running applications as root.

Both HIDS and NIDS are used to detect suspicious activity, but they operate at different scopes:

The CIA Triad is a foundational model used to guide policies for information security within an organization. It consists of three main components:

1. Confidentiality:

   • Definition: Ensures that sensitive information is accessed only by authorized person.
   • Implementation: Achieved through encryption, access control lists (ACLs), and authentication mechanisms.

2. Integrity:

   • Definition: Ensures that data is trustworthy and accurate. It guarantees that data has not been modified or tampered with by unauthorized people.
   • Implementation: Achieved through hashing algorithms (e.g., SHA-256), digital signatures, and version control.

3. Availability:

   • Definition: Ensures that data and system resources are available to authorized users when needed.
   • Implementation: Achieved through redundancy (RAID), clustering, backups, and protection against Denial of Service (DoS) attacks.

The Bell-LaPadula Model is a formal state transition model of computer security rules that focuses mainly on confidentiality and access control in government and military applications. It uses Mandatory Access Control (MAC).

Let:

• be a Subject (User).
• be an Object (File/Resource).
• be the clearance level of the Subject.
• be the classification level of the Object.

The Two Main Rules:

1. Simple Security Property (No Read Up):

   • A subject may read object only if the subject's clearance level dominates the object's classification level.
   • Example: A user with 'Secret' clearance cannot read a 'Top Secret' document.

2. *The -Property (Star Property) (No Write Down):**

   • A subject may write to object only if the object's classification level dominates the subject's clearance level.
   • Example: A user with 'Top Secret' clearance cannot write information into a 'Public' file, preventing the leakage of sensitive data to lower security levels.

Discretionary Access Control (DAC):

• Owner-Centric: The owner of the resource determines who has access to it.
• Flexibility: It is highly flexible and easy to implement (standard in most consumer OSs like Windows and Linux default).
• Risk: It is less secure because if a user's account is compromised, the attacker has access to everything that user owns. Malware running as a user inherits all that user's permissions.

Mandatory Access Control (MAC):

• System-Centric: Access rights are regulated by a central authority (administrator/policy) based on multiple levels of security.
• Labels: Users have 'clearance' and objects have 'labels' (e.g., Confidential, Secret). The OS kernel enforces the policy.
• Security: Much more secure and rigid. Even the root user or owner cannot modify permissions if the central policy forbids it (e.g., SELinux).
• Usage: Used in high-security environments (Military, Banking).

SSH (Secure Shell) is a cryptographic network protocol for operating network services securely over an unsecured network. It replaces insecure protocols like Telnet.

How Public Key Authentication Works:

1. Key Generation: The user generates a key pair: a Public Key (locks data) and a Private Key (unlocks data).
2. Key Placement: The Public Key is placed on the server in the ~/.ssh/authorized_keys file. The Private Key remains secretly on the user's client machine.
3. Challenge-Response:
   • When the client attempts to connect, the server generates a random challenge string.
   • The server encrypts this challenge using the user's Public Key and sends it to the client.
   • The client receives the encrypted message. Only the client possessing the corresponding Private Key can decrypt this message.
   • The client decrypts the challenge, hashes it, and sends the result back to the server.
4. Verification: If the server verifies the result matches the original challenge, access is granted without ever transmitting a password over the network.

A DMZ (Demilitarized Zone) is a physical or logical sub-network that separates an internal local area network (LAN) from other untrusted networks, usually the Internet.

Purpose:
External-facing services (like Web servers, Mail servers, DNS) are placed in the DMZ. If an attacker compromises a server in the DMZ, they still do not have direct access to the internal corporate network where sensitive data (databases, file servers) resides.

Conceptual Structure:

• The Internet (Untrusted)
• External Firewall (Filters traffic from Internet to DMZ)
• The DMZ (Contains Web Server, Mail Server)
• Internal Firewall (Filters traffic from DMZ to Internal LAN - very strict rules)
• Internal LAN (Trusted - contains workstations and databases)

This architecture creates a buffer zone where public services can function without exposing the core network.

A Virtual Private Network (VPN) extends a private network across a public network (like the Internet). It enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network.

Tunneling: This is the process of encapsulating a packet within another packet to transport it securely.

Protocols:

1. IPSec (Internet Protocol Security):

   • Operates at the Network Layer (Layer 3).
   • Used often for Site-to-Site VPNs (connecting two office branches).
   • It authenticates and encrypts IP packets. It uses modes like Transport Mode (payload encrypted) or Tunnel Mode (entire packet encrypted).

2. SSL/TLS (Secure Sockets Layer / Transport Layer Security):

   • Operates at the Session/Application Layer.
   • Used often for Remote Access VPNs (e.g., OpenVPN or clientless browser-based VPNs).
   • It relies on the same encryption standards used for secure web browsing (HTTPS) and is generally easier to configure through firewalls than IPSec.

Physical security is the first line of defense; if an attacker can physically access a server, software defenses can be bypassed. Measures include:

1. Access Control:
   • Biometrics: Fingerprint or retina scanners.
   • Smart Cards/Key Fobs: RFID badges for authorized personnel.
   • Mantraps: A small room with two doors where the first must close before the second opens.
2. Surveillance:
   • CCTV: 24/7 video monitoring with recording retention.
   • Logs: Physical entry logs (sign-in sheets or digital access logs).
3. Environmental Controls:
   • HVAC: Proper cooling to prevent overheating.
   • Fire Suppression: Systems like FM-200 (gas-based) that extinguish fires without water damage to electronics.
   • UPS and Generators: Uninterruptible Power Supplies to handle power spikes and outages.
4. Hardware Security:
   • Rack Locks: Server racks should be locked.
   • Port Locks: Physical blockers for unused USB or Ethernet ports.

Role-Based Access Control (RBAC) is an access control method where permissions are assigned to specific roles rather than directly to individual users. Users are then assigned to these roles based on their job functions.

Structure:

• Roles: e.g., 'HR Manager', 'IT Admin', 'Guest'.
• Permissions: e.g., 'Read Employee Files', 'Restart Server'.
• Assignment: Permissions Role User.

Simplifying Overhead:
In DAC, if a user changes jobs or a new employee joins, the admin must configure permissions for every file/resource individually. In RBAC:

• If a new employee joins HR, the admin simply adds them to the 'HR' role. They instantly inherit all necessary permissions.
• If a security policy changes (e.g., HR can no longer view payroll), the admin modifies the Role once, and it updates for all users in that role immediately.
  This drastically reduces the complexity of user management in large organizations.

VLANs are logical groups of workstations, servers, and network devices that appear to be on the same LAN despite their geographical distribution. They are configured on network switches.

Security Benefits:

1. Network Segmentation: By separating sensitive departments (e.g., Finance) from general traffic (e.g., Guest Wi-Fi), VLANs reduce the attack surface.
2. Broadcast Containment: Broadcast traffic is limited to the specific VLAN, preventing sniffing attacks where an attacker captures broadcast packets meant for other departments.
3. Access Control: Routers or Layer 3 switches are required to communicate between VLANs. This allows administrators to place firewalls or Access Control Lists (ACLs) between the VLANs to strictly filter traffic flow (e.g., preventing the 'Engineering' VLAN from accessing the 'HR' VLAN).

The Biba Integrity Model focuses on maintaining Data Integrity rather than confidentiality. It prevents unauthorized modification of data.

Rules (Inverse of Bell-LaPadula):

1. Simple Integrity Axiom (No Read Down): A subject cannot read data from a lower integrity level (to prevent contaminating high-integrity data with unreliable information).
2. *Integrity -Axiom (No Write Up):** A subject cannot write data to a higher integrity level (to prevent lower-integrity subjects from overwriting or corrupting high-integrity data).

Difference from Bell-LaPadula:

• Bell-LaPadula: Focuses on Confidentiality. Prevents information leakage (No Read Up, No Write Down).
• Biba: Focuses on Integrity. Prevents data corruption (No Read Down, No Write Up).

Access Control Lists (ACLs) provide a flexible permission mechanism for file systems that allows defining permissions for specific users or groups, beyond the standard Owner/Group/Others model found in Linux/Unix.

Standard Linux Permissions:
Only allow setting permissions for one owner, one owning group, and everyone else. e.g., rwx r-x ---.

ACL Extension:
ACLs allow an admin to say: "This file is owned by Alice, but Bob needs Read access, and Charlie needs Write access."

Example:
Using the setfacl command:
setfacl -m u:bob:rwx filename.txt
This gives the specific user 'bob' read, write, and execute permissions on filename.txt without changing the file's owner or changing the permissions for the rest of the group. The existence of an ACL is usually indicated by a + sign at the end of the permission string in ls -l output.

Signature-based Detection:

• Concept: Works like an antivirus. It compares network traffic or system logs against a database of known attack patterns (signatures).
• Pros: Very low false alarm rate for known attacks; fast detection.
• Cons: Cannot detect "Zero-Day" attacks (new attacks for which no signature exists yet).

Anomaly-based (Behavioral) Detection:

• Concept: Establishes a baseline of "normal" network or system behavior (e.g., normal traffic volume, typical login times). It triggers an alarm if activity deviates significantly from this baseline.
• Pros: Can detect new, unknown attacks (Zero-Day exploits) because they often act differently than normal traffic.
• Cons: Higher false positive rate (legitimate surges in traffic might be flagged as an attack) and requires a training period to learn "normal" behavior.

The Principle of Least Privilege (PoLP) states that any user, program, or process should have only the bare minimum privileges necessary to perform its function, and for the shortest time possible.

Criticality for Server Administration:

1. Limits Damage: If a user account or a service process is compromised by an attacker, the damage is contained to only what that specific account could do. For example, if a web server running as a limited user is hacked, the attacker cannot delete system kernel files.
2. Prevents Accidental Errors: It stops administrators from accidentally deleting critical configuration files or stopping essential services when performing routine tasks (unless they explicitly escalate privileges using sudo).
3. Audit Trails: Using privilege escalation tools (like sudo) creates logs of who performed privileged actions, aiding in accountability.

The TLS (Transport Layer Security) Handshake occurs when a client (browser) connects to a server (website) via HTTPS. It establishes encryption algorithms and exchanges keys.

Key Steps:

1. Client Hello: The client sends the SSL/TLS version and a list of supported cipher suites (encryption algorithms) and a random string.
2. Server Hello: The server selects a cipher suite, sends its digital certificate (containing its Public Key), and a random string.
3. Authentication: The client verifies the server's certificate with a Certificate Authority (CA) to ensure the server is legitimate.
4. Pre-Master Secret: The client generates a random 'Pre-Master Secret', encrypts it with the server's Public Key, and sends it. Only the server can decrypt this using its Private Key.
5. Session Keys: Both parties use the Pre-Master Secret and the random strings exchanged earlier to mathematically generate the same Session Key (symmetric key).
6. Finished: Both parties send a "finished" message encrypted with the new Session Key. All subsequent data is encrypted using this symmetric Session Key for speed.

Network Segmentation is the architectural practice of dividing a computer network into smaller sub-networks (segments or subnets), acting as separate security zones.

Implementation:
It is achieved using VLANs, subnets, and firewalls/routers that control traffic between segments.

Security Advantages:

• Containment: If a threat enters one segment (e.g., the User Wi-Fi segment), segmentation prevents lateral movement to critical segments (e.g., the Data Center or PCI-DSS Payment segment).
• Traffic Optimization: Reduces congestion by keeping local traffic local.
• Granular Policy: Administrators can apply strict security policies to sensitive segments (e.g., "No internet access for Database segment") while being lenient on others.

TCP Wrappers are a host-based networking ACL system, used in Linux/Unix to filter network access to Internet Protocol servers.

Function:
When a request comes in for a specific service (like SSH or FTP), the TCP Wrapper intercepts the request before passing it to the actual application.

Configuration Files:
It primarily uses two files:

1. /etc/hosts.allow: Specifies which IP addresses are allowed to access a service.
2. /etc/hosts.deny: Specifies which IP addresses are denied.

Logic:

1. Check hosts.allow. If a match is found, access is granted.
2. If no match, check hosts.deny. If a match is found, access is denied.
3. If no match in either, access is usually granted (default allow).
   This provides an extra layer of security behind the network firewall.

Defense in Depth (also known as the Layered Security approach) is a strategy that leverages multiple security measures to protect an organization's assets. The idea is that if one line of defense is compromised, additional layers exist as a backup to ensure that threats are stopped or slowed down.

Layers in Server Administration:

1. Physical Layer: Locks, guards, cameras preventing physical access to the server.
2. Perimeter Layer: Firewalls and DMZ preventing network intrusion.
3. Network Layer: VLANs, IPS/IDS, and secure protocols (VPN, SSH).
4. Host Layer: Server hardening, patch management, and antivirus/HIDS.
5. Application Layer: Secure coding practices, input validation, and WAF (Web Application Firewalls).
6. Data Layer: Encryption (at rest and in transit) and access controls (ACLs, permissions).