EH UNIT - 5

The document discusses network protection systems, focusing on Access Control Lists (ACLs) and Cisco Adaptive Security Appliance (ASA) firewalls. ACLs are rules that manage access to network resources, while Cisco ASA combines firewall capabilities with VPN and intrusion prevention features. The document outlines the benefits, components, and functionalities of ACLs and Cisco ASA models, emphasizing their roles in enhancing network security.

CCS344 - ETHICAL HACKING UNIT 5 - NETWORK PROTECTION SYSTEMS

5. NETWORK PROTECTION SYSTEMS

Access Control Lists - Cisco Adaptive Security Appliance Firewall - Configuration and Risk Analysis
Tools for Firewalls and Routers - Intrusion Detection and Prevention Systems - Network-Based and
Host-Based IDSs and IPSs - Web Filtering - Security Incident Response Teams - Honeypots.

ACCESS CONTROL LISTS:


A network Access Control List (ACL) is made up of rules that either allow access to a computer
environment or deny it. An ACL is like a guest list at an exclusive club: only those on the list are allowed through
the doors. This enables administrators to ensure that, unless the proper credentials are presented by a device,
it cannot gain access. In other words, an Access Control List (ACL) is a set of rules defined for controlling network
traffic and reducing network attacks. ACLs are used to filter traffic based on the set of rules defined for traffic
entering or leaving the network.
The basic syntax used to create a standard numbered access control list on a Cisco router is as follows:

Router(config)# access-list (1300-1999) (permit | deny) source-addr (source-wildcard)

The various parts mean the following:

✓ (1300-1999) specifies the ACL IP number range. This names the ACL and defines the type of ACL;
a number in the range 1300-1999 makes this a standard ACL.
✓ (permit | deny) specifies whether a matching packet is permitted or rejected.
✓ source-addr specifies the source IP address.
✓ source-wildcard specifies the wildcard mask applied to the source address.

There are two basic kinds of ACLs:


✓ File system ACLs - These work as filters, managing access to directories or files. A file system
ACL gives the operating system instructions as to the users that are allowed to access the system, as well as
the privileges they are entitled to once they are inside.

✓ Networking ACLs - Networking ACLs manage access to a network. They provide instructions to
switches and routers as to the kinds of traffic that are allowed to interface with the network. They also
dictate what each user or device can do once they are inside.

ACLs can also be categorized by the way they identify traffic:

MCE CSE Page 1



✓ Standard ACLs - Standard ACLs block or allow an entire protocol suite using source IP addresses.
✓ Extended ACLs - Extended ACLs block or allow network traffic based on a more differentiated set of
characteristics that includes source and destination IP addresses and port numbers, as opposed to just source
address.
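To make the syntax above concrete, here is an added example written for these notes (not from the original material or from Cisco): a toy evaluator in Python that parses standard entries (source address only) and extended entries (protocol, source, destination and an optional 'eq <port>'), then walks a packet through the list top-down, stopping at the first match and falling back to the implicit deny at the end. The sample ACL lines and packets are constructed; the 'host' and 'any' keywords and the treatment of every non-standard list number as extended are assumptions of the example.

```python
"""Toy evaluator for Cisco-style numbered ACLs (added teaching example, not Cisco code).

Constructed assumptions: lists numbered 1-99 or 1300-1999 are standard (source
only); any other number is treated as extended (protocol, source, destination,
optional 'eq <numeric port>'); 'host A.B.C.D' and 'any' are accepted as address
forms; entries receive sequence numbers 10, 20, 30, ... in order.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")   # all-ones wildcard: no bit has to match

def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    # Cisco wildcard semantics: a 0 bit must match, a 1 bit is ignored (the
    # inverse of a subnet mask, so 0.0.0.255 matches a whole /24).
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)

@dataclass
class Ace:                      # one access control entry (one ACL line)
    seq: int
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" = any IP protocol (always used for standard entries)
    src: Tuple[str, str]        # (base address, wildcard mask)
    dst: Tuple[str, str]
    dst_port: Optional[int] = None

def _parse_addr(tok: List[str], i: int) -> Tuple[Tuple[str, str], int]:
    # Read an address starting at tok[i]; return it with the index of the next token.
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2   # all-zeros wildcard: exact host
    return (tok[i], tok[i + 1]), i + 2

def parse_acl(lines: List[str]) -> List[Ace]:
    acl: List[Ace] = []
    seq = 10
    for line in lines:
        tok = line.split()
        if tok[:1] != ["access-list"] or tok[2] == "remark":
            continue                              # blanks and remarks filter nothing
        number, action = int(tok[1]), tok[2]
        if 1 <= number <= 99 or 1300 <= number <= 1999:
            src, _ = _parse_addr(tok, 3)          # standard ACL: source only
            acl.append(Ace(seq, action, "ip", src, ANY))
        else:
            proto = tok[3]                        # extended ACL: protocol, source, destination
            src, i = _parse_addr(tok, 4)
            dst, i = _parse_addr(tok, i)
            port = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
            acl.append(Ace(seq, action, proto, src, dst, port))
        seq += 10
    return acl

def evaluate(acl: List[Ace], pkt: dict) -> Tuple[str, Optional[int]]:
    # Entries are checked top-down and the first match wins; nothing after it is
    # consulted. A packet matching no entry hits the implicit deny at the end of
    # every ACL, reported here as ("deny", None).
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt["proto"]:
            continue
        if not wildcard_match(pkt["src"], *ace.src):
            continue
        if not wildcard_match(pkt["dst"], *ace.dst):
            continue
        if ace.dst_port is not None and ace.dst_port != pkt.get("dport"):
            continue
        return ace.action, ace.seq
    return "deny", None

# Constructed sample configuration lines (not taken from a real device).
STANDARD_ACL = [
    "access-list 1300 remark drop the lab subnet, allow the rest of 10.0.0.0/8",
    "access-list 1300 deny 10.1.99.0 0.0.0.255",
    "access-list 1300 permit 10.0.0.0 0.255.255.255",
]
EXTENDED_ACL = [
    "access-list 101 permit tcp any host 192.168.1.10 eq 80",
    "access-list 101 permit tcp any host 192.168.1.10 eq 443",
    "access-list 101 deny ip any any",
]

def demo() -> dict:
    std, ext = parse_acl(STANDARD_ACL), parse_acl(EXTENDED_ACL)
    return {
        "lab_host":  evaluate(std, {"proto": "tcp", "src": "10.1.99.7", "dst": "172.16.0.1"}),
        "corp_host": evaluate(std, {"proto": "tcp", "src": "10.2.0.7", "dst": "172.16.0.1"}),
        "https":     evaluate(ext, {"proto": "tcp", "src": "203.0.113.5", "dst": "192.168.1.10", "dport": 443}),
        "ssh":       evaluate(ext, {"proto": "tcp", "src": "203.0.113.5", "dst": "192.168.1.10", "dport": 22}),
        "no_match":  evaluate(std, {"proto": "udp", "src": "192.0.2.9", "dst": "172.16.0.1"}),
    }
```

The "ssh" case is stopped by the explicit "deny ip any any" at sequence 30, while "no_match" shows the implicit deny that applies even when no deny entry is written.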

When ACLs were first conceived, they worked like firewalls, blocking access to unwanted entities.
While many firewalls have network access control functions, some organizations still use ACLs with
technologies such as Virtual Private Networks (VPNs). In this way, an administrator can dictate which
kinds of traffic get encrypted and then sent through the secure tunnel of the VPN.

Many admins choose to place ACLs on the edge routers of a network. This enables them to filter traffic
before it hits the rest of their system. To do this, one can place a routing device that has an ACL on it,
positioning it between the Demilitarized Zone (DMZ) and the internet. Within the DMZ, one may have
devices such as application servers, web servers, VPNs, or Domain Name System (DNS) servers.

One can also place an ACL between the DMZ and the rest of the network. If one uses an ACL between
the internet and the DMZ, as well as between the DMZ and the rest of the network, they will have different
configurations - each setting designed to protect the devices and users that come after the ACL.

Working of ACLs:

With a file system ACL, one has a table that tells the computer’s operating system which users have
which access privileges. The table dictates the users that are allowed to access specific objects, such as
directories or files on the system. Every object on the computer has a security property that links it to its
associated access control list. On the list, there is information for every user that has the requisite rights to
access the system.

One may have interfaced with an ACL while trying to change or open a file on a computer. For
example, there are certain objects that only an administrator can access. If one signs in to a computer as a
regular user, he may not be allowed to open certain files. However, if he signs in as an administrator, the
object's security property will recognise that he is an administrator and allow him access.

When considering network ACL vs. security group, the two share a similarity. A security group may
consist of a list of people who can gain access, or it can be composed of categories of users, such as
administrators, guests, and normal users. As a user makes a request to access an object, the computer's
operating system checks the ACL to see if the user should have the access they desire. If the list dictates the
user should not be allowed to open, use, or modify that particular object, access will be denied.

Networking ACLs are different in that they are installed in switches and routers. Here, they are
traffic filters. To filter traffic, a network ACL uses rules that have been predefined by an administrator or the
manufacturer. These rules check the contents of packets against tables that govern access parameters. Based
on whether the user checks out, their access is either granted or denied.

In this way, switches and routers that have ACLs perform the function of packet filters. They check
the Internet Protocol (IP) addresses of the source and destination, the source and destination ports, and the
packet's protocol, which dictates how it is supposed to move through the network.

Components of an ACL:
An ACL consists of several components central to its function:

Fig 5.1 Components of an ACL

✓ Sequence number - The sequence number identifies the ACL entry with a specific number.
✓ ACL name - The ACL name defines the ACL entry using a name assigned to it as opposed to
numbers. In some cases, the router will allow both numbers and letters.
✓ Remark - On some routers, one can input comments, which can be used to include more detailed
descriptions.
✓ Statement - With a statement, one either permits or denies a source using a wildcard mask or address.
A wildcard mask dictates which bits of an IP address are examined by a system.
✓ Network protocol - The network protocol can be used to permit or deny certain networking protocols,
such as IP, Internetwork Packet Exchange (IPX), Transmission Control Protocol (TCP), Internet Control
Message Protocol (ICMP), User Datagram Protocol (UDP), or others.
✓ Source or destination - The source or destination component defines the destination or source IP
address as an address range or a single IP. It can also allow all addresses.
✓ Log - There are devices that can maintain a log when they find ACL matches.
✓ Other criteria of advanced ACLs - Some more advanced ACLs give the option to control traffic
according to IP precedence, the Type of Service (ToS), or its priority as derived from its Differentiated
Services Code Point (DSCP). DSCP is a networking architecture that allows for the classification and
management of traffic on a network.

Benefits of ACLs:

With an access list, one can simplify the way local users, remote users, and remote hosts are identified.
This is done using an authentication database configured to ensure only approved users are allowed access to
the device.
An access list also allows one to prevent unwanted users and traffic. If one sets up parameters that
dictate which source or destination addresses and which users are allowed to access a network, he can prevent
all others from getting inside. One can also categorize the kinds of traffic he wants to allow to access the
network and then apply those categories to the ACL. For example, one can create a rule that enables all email
traffic to pass through to the network but blocks traffic that contains executable files.
✓ Simplified user identification - An access control list simplifies the way that users are identified.
ACLs ensure that only approved users and traffic have access to a system.
✓ Performance - ACLs provide performance advantages over other technologies that perform the same
function. They are configured directly on the routing device's forwarding hardware, so access control lists do
not have a negative performance effect on routing devices. Compare this to a stateful inspection firewall,
which is a separate piece of software that may cause performance degradation. Also, controlling network
traffic enables networks to be more efficient.
✓ Control - ACLs can give administrators more granular control over user and traffic permissions on a
network at many different points in the network. They help control access to network endpoints and traffic
flowing between internal networks.

CISCO ADAPTIVE SECURITY APPLIANCE FIREWALL:

ASA (Adaptive Security Appliance) is a Cisco security device that combines basic firewall
capabilities with VPN (Virtual Private Network) capabilities, anti-virus, and many other features. A Cisco
Adaptive Security Appliance's (ASA) default behaviour is to prevent all external traffic from entering a
network. A firewall is a network security system that takes action on incoming or outgoing packets based
on defined rules, such as rules on IP addresses and port numbers. Cisco calls its firewall the Adaptive Security
Appliance.

In the world of cybersecurity, there are many types of protection. Different hardware and software
solutions offer unique protections. A Cisco Adaptive Security Appliance, or ASA, is especially powerful
because it bundles many features and capabilities into one network security device. It is a multi-purpose
firewall from Cisco. It combines the capabilities of a firewall alongside anti-virus protection, intrusion
prevention and everything that a virtual private network has to offer. It aims to stop a threat in its tracks before
it has a chance to spread through a network.

Cisco ASA isn’t merely a firewall, although it does build upon the generic protection of a firewall. It is
a vast array of security devices that aims to protect all sorts of data centres and networks from the smallest to
the very largest and most complex. With a stunning network security platform and firewall, end-users are able
to access sensitive data, documents, and information swiftly, securely, and efficiently from any device, at any
time, and anywhere.

Cisco models:

The Cisco ASA 5500 series includes the following models: Cisco ASA 5505, Cisco ASA 5510, Cisco ASA
5515-X, Cisco ASA 5520, Cisco ASA 5525-X, Cisco ASA 5540, Cisco ASA 5550, Cisco ASA 5555-X, and
Cisco ASA 5585-X.

✓ Cisco ASA 5510 - A model well suited to small and medium-sized enterprises that support
remote working, this is a cost-effective security solution. All security services can be controlled via an online
management platform. The Cisco 5510 offers high-performance firewall and network security features. A
security services module allows full control over intrusion prevention capabilities and has robust antivirus
protection built in.

✓ Cisco ASA 5525-X - Using the Cisco SecureX framework, this model is perfect for the
midsize company that has a more complex network to secure. SecureX technology is the latest in the range of
security solutions that Cisco has to offer. A business will enjoy AMP (Advanced Malware Protection) for
endpoints, email security, Stealthwatch, SecureX threat response, Identity Services Engine, and a sophisticated
threat-aware firewall. Utilizing VPN, anti-virus, and network protection capabilities, this model has a secure
online management platform. It is renowned for its superior performance and ability to manage the intricacies
of sub-netted networks and larger numbers of end-users.

Fig 5.2 CISCO ASA

Consider a network having an "inside" zone and a "de-militarized zone" (DMZ) of several servers that
touch the internet, along with an ASA in-between the network and the Internet which protects the entire
network. Any traffic trying to come in from the outside, whether that's a user, a server or a system, is going to
be denied at the connection to the ASA. When a network has an ASA protecting it, outside traffic gets stopped
before it can even make its way to any device on the network. An ASA's default behavior may be to allow no
packets through to either the inside zone or the DMZ, but it has a host of bells and whistles that make safe,
valid interaction with the internet possible.

Features of Cisco ASA:

✓ Packet filtering - Packet filtering is a simple process of filtering the incoming or outgoing packet on
the basis of rules defined on the ACL which has been applied to the device. It consists of various permit or
deny conditions. If the traffic matches one of the rules, no other rule is matched and the matched rule is
executed.
✓ Stateful filtering - By default, ASA performs stateful tracking of a packet if the packet is generated
from a higher security level to a lower security level. By default, if traffic is initiated by a device at a
higher security level towards a device at a lower security level (as destination), the TCP and UDP reply traffic will be
allowed, so the initiating device will be able to, say, telnet to the other device at the lower security level. This is because a
stateful database is maintained (in which an entry holding the source and destination device information, such as IP
addresses and port numbers, is kept), as stateful inspection is enabled by default.
✓ Routing support - ASA can perform static routing and default routing, as well as dynamic routing protocols
like EIGRP (Enhanced Interior Gateway Routing Protocol), OSPF (Open Shortest Path First), and RIP
(Routing Information Protocol).
✓ Transparent firewall - ASA can operate in two modes:
• Routed mode - In this mode, ASA acts like a layer 3 device (a router hop) and needs
two different IP addresses (that is, two different subnets) on its interfaces.
• Transparent mode - In this mode, ASA operates at layer 2 and only a single IP address is
needed, for management purposes, as both interfaces (inside and outside) act as a bridge.
✓ AAA support - ASA supports AAA (Authentication, Authorization, and Accounting) services either
using its local database or using an external server like ACS (Access Control Server).
✓ VPN support - ASA supports policy-based VPNs like point-to-point IPsec VPN (site-to-site VPN and
remote-access VPN) and SSL-based VPNs.
✓ Supports IPv6 - ASA supports IPv6 routing, both static and dynamic.
✓ VPN (Virtual Private Network) load Balancing - It is a Cisco proprietary feature of Cisco ASA.
Multiple clients can be shared across multiple ASA units at the same time.
✓ Stateful failover - ASA supports high availability with a pair of Cisco ASA devices. If one ASA
goes down, the other ASA device takes over its operations without interruption. When stateful failover
is enabled, the active unit continuously passes connection state information to the backup device. After the
failover occurs, the same connection information is available on the new active unit.
✓ Clustering - Cisco ASA lets one configure multiple ASA devices as a single logical device. The
cluster can consist of a maximum of 8 cohesive units. This results in high throughput and at the same time
provides redundancy.
✓ Advanced Malware Protection (AMP) - Cisco ASA provides support for Next-Generation Firewall
features, which can deliver advanced malware protection in a single device because the classic firewall
features are combined with NGFW features.
✓ Modular Policy Framework (MPF) - MPF is used to define policies for different traffic flows. It is
used in ASA to apply advanced firewall features like QoS, policing, prioritizing, etc. To use MPF, one
defines a class-map for identifying the type of traffic, a policy-map for identifying what action should be taken
(such as prioritizing), and a service-policy for where it should be applied.
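The stateful filtering behaviour described above (higher security level to lower is allowed and recorded; return traffic is matched against that record; anything else from the lower side is dropped) is easy to lose in prose, so here is an added Python model written for these notes, not Cisco's code. The security levels (inside=100, dmz=50, outside=0), the absence of interface ACLs, the 5-tuple connection key and the 300-second idle timeout are all constructed assumptions of the example.

```python
"""Toy model of ASA-style stateful inspection across security levels.

Added teaching example, not Cisco code. Constructed assumptions: three
interfaces with security levels inside=100, dmz=50, outside=0; no interface
ACLs; TCP and UDP only; a connection is identified by its 5-tuple and is
dropped from the table after IDLE_TIMEOUT seconds without traffic.
"""
from dataclasses import dataclass
from typing import Dict, Tuple

SECURITY_LEVEL = {"inside": 100, "dmz": 50, "outside": 0}
IDLE_TIMEOUT = 300          # seconds of inactivity before a connection entry expires

Flow = Tuple[str, str, int, str, int]     # (proto, src, sport, dst, dport)


@dataclass
class Packet:
    ingress: str            # interface the packet arrives on
    egress: str             # interface it would leave through
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    time: float = 0.0       # arrival time in seconds, used for idle expiry


def _flow(p: Packet) -> Flow:
    return (p.proto, p.src, p.sport, p.dst, p.dport)


def _reverse(f: Flow) -> Flow:
    proto, src, sport, dst, dport = f
    return (proto, dst, dport, src, sport)


class StatefulFirewall:
    def __init__(self) -> None:
        # connection table: forward 5-tuple of an allowed connection -> time of last packet
        self.conns: Dict[Flow, float] = {}

    def _expire(self, now: float) -> None:
        for f in [f for f, t in self.conns.items() if now - t > IDLE_TIMEOUT]:
            del self.conns[f]

    def inspect(self, p: Packet) -> str:
        """Return "permit" or "deny" for one packet, updating the connection table."""
        self._expire(p.time)
        f = _flow(p)
        r = _reverse(f)
        if f in self.conns:                         # more traffic on a known connection
            self.conns[f] = p.time
            return "permit"
        if r in self.conns:                         # reply to a connection opened from the other side
            self.conns[r] = p.time
            return "permit"
        if SECURITY_LEVEL[p.ingress] > SECURITY_LEVEL[p.egress]:
            self.conns[f] = p.time                  # higher -> lower: allowed by default, state recorded
            return "permit"
        return "deny"                               # lower -> higher with no matching state


def demo() -> dict:
    fw = StatefulFirewall()
    return {
        # inside host opens a telnet session to a DMZ server: higher -> lower, allowed, state created
        "inside_to_dmz": fw.inspect(Packet("inside", "dmz", "tcp", "10.0.0.5", 51000, "172.16.1.10", 23, 0)),
        # the server's reply: lower -> higher, but it matches the recorded connection
        "dmz_reply": fw.inspect(Packet("dmz", "inside", "tcp", "172.16.1.10", 23, "10.0.0.5", 51000, 1)),
        # unsolicited connection from the outside to the same inside host: no state, denied
        "outside_unsolicited": fw.inspect(Packet("outside", "inside", "tcp", "203.0.113.7", 40000, "10.0.0.5", 23, 2)),
        # a "reply" whose source port differs from the recorded connection matches nothing
        "mismatched_reply": fw.inspect(Packet("dmz", "inside", "tcp", "172.16.1.10", 2323, "10.0.0.5", 51000, 3)),
        # after the idle timeout the entry is gone, so a late reply is denied too
        "stale_reply": fw.inspect(Packet("dmz", "inside", "tcp", "172.16.1.10", 23, "10.0.0.5", 51000, 1 + IDLE_TIMEOUT + 1)),
    }
```

A real ASA also applies interface ACLs and protocol inspection on top of such a table; the example isolates only the security-level rule described in the notes.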


Advantages of Cisco ASA:

✓ Robust Firewall Capabilities - Cisco ASA is primarily known for its strong firewall capabilities. It
uses stateful packet inspection to examine traffic and make access control decisions based on defined rules,
providing a high level of security for a network.

✓ VPN Support - Cisco ASA supports a wide range of VPN technologies, including Site-to-Site VPNs
and Remote Access VPNs. This allows organizations to establish secure and encrypted connections for remote
users, branch offices, and partners.

✓ Intrusion Prevention - Cisco ASA can be configured with intrusion prevention system (IPS)
functionality, which adds an extra layer of security by detecting and blocking malicious traffic and network-
based attacks.

✓ Scalability - Cisco offers various models of ASA appliances, allowing organizations to choose the
right size and capacity for their specific needs. This scalability makes it suitable for small businesses,
enterprises, and data centers.

✓ High Availability - Cisco ASA supports high-availability configurations such as failover and
clustering, ensuring network uptime and minimizing downtime in the event of a hardware or software failure.

✓ Advanced Threat Protection - Integration with Cisco's Advanced Malware Protection (AMP)
technology enhances the ASA's ability to detect and mitigate advanced threats like malware and zero-day
exploits.

✓ Content and URL Filtering - ASA can be configured to filter web content and URLs, helping
organizations enforce internet usage policies, block malicious websites, and protect against phishing attacks.

✓ User Authentication - It supports various authentication methods, including LDAP (Lightweight
Directory Access Protocol), RADIUS (Remote Authentication Dial-In User Service), and TACACS+
(Terminal Access Controller Access-Control System Plus), allowing organizations to control user access to
network resources and enforce security policies.

✓ Integration with Cisco Ecosystem - Cisco ASA can be integrated seamlessly with other Cisco
security products and services, creating a comprehensive security ecosystem for threat detection and
prevention.


✓ Logging and Reporting - ASA generates detailed logs and reports on network activity, which are
essential for monitoring, compliance, and forensic analysis. These logs can be sent to external log
management systems for analysis.

✓ Flexibility - Cisco ASA offers flexibility in terms of deployment options. It can be deployed as a
physical appliance, a virtual appliance, or as part of a cloud-based security solution, depending on the
organization's requirements.

✓ Vendor Support - Cisco is a well-established and reputable vendor with a strong support system.
This includes regular software updates, patches, and access to technical support to help address security issues
promptly.

✓ Compliance and Regulatory Standards - Cisco ASA can assist organizations in achieving
compliance with various regulatory standards, such as PCI DSS (Payment Card Industry Data Security
Standard), HIPAA (Health Insurance Portability and Accountability Act), and GDPR (General Data
Protection Regulation), by providing the necessary security controls and reporting capabilities.

Disadvantages of Cisco ASA:

✓ Complex Configuration - Setting up and configuring Cisco ASA can be complex, especially for
users with limited experience in network security. The device offers a wide range of features and options,
which may require a steep learning curve for administrators.

✓ Cost - Cisco ASA devices can be expensive, particularly for smaller organizations or those with
budget constraints. Licensing costs for additional features and support contracts can add to the overall cost of
ownership.

✓ Limited Next-Generation Features - While Cisco ASA provides basic intrusion prevention and
malware detection capabilities, it may not offer the advanced threat protection features found in more modern
next-generation firewalls (NGFWs). Organizations with advanced security needs may need to complement
their ASA deployment with additional security solutions.

✓ Scalability - While Cisco ASA devices come in various models to accommodate different levels of
traffic and performance, they may not scale well for extremely high-throughput environments or complex
network infrastructures. In such cases, larger and more specialized security appliances may be required.


✓ Integration Complexity - Integrating Cisco ASA with other Cisco security solutions can sometimes
be complex and may require a deep understanding of the Cisco ecosystem. This complexity can make it
challenging to create a seamless and integrated security architecture.

✓ Limited Cloud Integration - Traditional Cisco ASA devices are primarily designed for on-premises
security. While Cisco has introduced cloud-based security solutions, integration with cloud environments can
still be a challenge for older ASA models.

✓ Hardware Upgrades - Over time, as security threats evolve, older ASA hardware may become less
capable of handling the latest security demands. This may necessitate hardware upgrades or replacements to
maintain effective security.

✓ User Interface - Some users find the Cisco ASA user interface less intuitive and user-friendly
compared to newer security appliances with more modern graphical interfaces.

✓ Maintenance and Updates - Regularly applying firmware updates and security patches is critical
for maintaining security. However, managing updates and ensuring minimal downtime can be challenging for
organizations with complex network architectures.

✓ Resource Consumption - Depending on the configuration and traffic load, Cisco ASA devices can
consume significant system resources, potentially affecting overall network performance.

✓ Vendor Lock-In - Choosing Cisco ASA as a security solution may lead to vendor lock-in, making it
more challenging to switch to alternative security solutions in the future.

✓ Support and Training - Ongoing support and training for Cisco ASA administrators may be
necessary to keep up with evolving security threats and best practices, which can be an added cost and
resource commitment.

CONFIGURATION AND RISK ANALYSIS TOOLS FOR FIREWALLS AND ROUTERS:

Configuring and analyzing the risks associated with firewalls and routers is crucial for network
security. There are several tools and best practices one can use to assist in these tasks.

Firewalls:

Firewalls are a fundamental component of network security that act as a barrier between a trusted
internal network and untrusted external networks, such as the internet. They are designed to monitor, filter,
and control incoming and outgoing network traffic based on a set of predefined security rules and policies.
Firewalls play a crucial role in preventing unauthorized access, protecting sensitive data, and mitigating
various cyber threats.

Types of Firewalls:

✓ Packet Filtering Firewalls - These firewalls examine individual packets of data and determine
whether to allow or block them based on criteria such as source and destination IP addresses, port numbers,
and protocols. They operate at the network layer (Layer 3) of the OSI model.

✓ Stateful Inspection Firewalls - Stateful firewalls keep track of the state of active connections and
make decisions based on the context of the traffic. They are more secure than packet filtering firewalls and
can operate at both the network and transport layers (Layer 4).

✓ Proxy Firewalls - Proxy firewalls act as intermediaries between clients and servers. They inspect
and filter traffic at the application layer (Layer 7) and can provide advanced content filtering and application
level security.

✓ Next-Generation Firewalls (NGFWs) - NGFWs combine traditional firewall capabilities with
advanced features such as intrusion detection and prevention (IDS/IPS), application awareness, and deep
packet inspection (DPI).

Firewall Configuration:

Proper firewall configuration is crucial for effective security. This involves setting up rules, access
control lists (ACLs), and policies that align with the organization's security requirements. Configuration may
include:

✓ Allowing only necessary traffic.
✓ Blocking known malicious IPs.
✓ Logging and monitoring traffic.
✓ Regularly reviewing and updating rules.

Guidelines for configuring a firewall and firewall policy:

Configuring a firewall includes installing hardware and software, configuring policies, configuring
logging and alerting, and integrating the firewall into the network architecture.


1. Hardware and Software Installation:


Once the firewall has been chosen and acquired, the hardware, operating system, and underlying
firewall software should be installed for a software-based firewall. Next, for both software-based and
hardware based firewalls, patches and vendor updates should be installed on the system. During this stage, the
firewall should also be hardened to decrease the risk of vulnerabilities and protect the system against
unauthorized access. Any console software needed for remote access should also be installed at this time.
During the installation and configuration, only the administrator doing that work should be able to manage the
firewall. All other management services for the firewall, such as SNMP, should be disabled, and these
services should be left disabled permanently unless needed. If the firewall supports having a separate
administrator account for each person performing firewall administration duties, configure such accounts.

Network firewalls should be placed in a room that meets the product’s recommended
environmental requirements for temperature, humidity, space, power, etc. This room should also be physically
secured to prevent unauthorized personnel from accessing the firewall. Comparing the logs of multiple
systems when analyzing problems is very important, so the internal clocks in each firewall should be
consistent with those in all other systems used by the organization. The best way to do this is to have all
systems synchronize with an authoritative time source.

2. Configuring policies:
Once the hardware and software have been installed and secured, administrators can create the
firewall’s policies. Some firewalls implement policy through explicit rules; some firewalls require configuring
firewall settings that then create internal rules; some firewalls create policies and rules automatically; and still
others use a combination of these three types of configuration. The end result is a set of rules called a ruleset
that describes how the firewall acts. Most firewalls also allow configuring policies that are not traffic-based,
such as who can view or change the rules, or where external DNS servers and time synchronization servers
can be found. These rulesets should implement the organization’s firewall policy as documented in the system
security plan, and should be as specific as possible with regards to the network traffic they control. To create a
ruleset, it should first be determined what types of traffic (protocols, source and destination addresses, etc.)
are required by approved applications for the organization. This should include protocols that the firewall
itself may need (DNS, Simple Network Management Protocol [SNMP], NTP, logging, etc.). The details of
creating a ruleset vary by type of firewall and specific products. For example, many firewalls check traffic
against rules in a sequential manner until a match is found. For these firewalls, rules with the highest chance
of matching traffic patterns should be placed as high in the list as possible to improve firewall performance.

Other firewalls have more complex ways of processing rulesets, such as first checking “deny” rules and then
checking “allow” rules. If multiple firewalls need to have the same rules or a common subset of rules, those
rules should be synchronized across the firewalls. At minimum, the following rules should be defined:

✓ Port filtering should be enabled at the outer edge of the network, and probably at places
inside the network as well.

✓ Content filtering should be done as close to the content receiver as possible.

3. Configuring logging and alerting:

The next step in the configuration process is to set up logging and alerts. Logging is a critical step
in preventing and recovering from failures as well as ensuring that proper security configurations are set on
the firewall. Proper logging can also provide vital information for responding to security incidents. Whenever
possible, the firewall should be configured both to store logs locally and to send them to a centralized log
management infrastructure. Resource constraints, firewall logging capabilities, and other situations may
impair the ability to store logs both locally and centrally. If the firewall supports having administrator
accounts with different capabilities, create one or more administrative user accounts with just read access to
the logs, if possible. Use these credentials when performing read-only tasks such as auditing and periodic
inspection of the logs. In addition to configuring logging, real-time alerts should also be set up to notify
administrators when important events occur on the firewall. Notifications may include the following:

✓ Any modifications or disabling of the firewall rules.
✓ System reboots, disk shortages, and other operational events.
✓ Secondary system status changes, if applicable.

Routers:

Routers are critical networking devices that play a central role in directing and managing network
traffic within and between networks. They are responsible for determining the best path for data packets to
travel from their source to their destination across interconnected networks. Routers operate at the network
layer (Layer 3) of the OSI model and perform various essential functions in network infrastructure, such as packet
forwarding, routing table maintenance, network segmentation, Network Address Translation (NAT), firewall and access
control, Quality of Service (QoS), Virtual LANs, interconnection of different networks, redundancy and load
balancing, VPN support, monitoring and logging, firmware updates and security, network addressing, traffic
management and bandwidth control.

MCE CSE Page 16


CCS344 - ETHICAL HACKING UNIT 5 - NETWORK PROTECTION SYSTEMS

Configuration and risk analysis tools of firewalls and routers:


✓ Cisco Security Device Manager (SDM) - If one is using Cisco devices, SDM provides a
graphical interface for configuring Cisco routers and switches.

✓ Cisco Adaptive Security Device Manager (ASDM) - This tool is designed specifically for
configuring Cisco ASA (Adaptive Security Appliance) firewalls.

✓ Check Point SmartDashboard - If one is using Check Point firewalls, SmartDashboard is a
management tool that helps configure and manage them.

✓ Palo Alto Networks Panorama - For Palo Alto Networks firewalls, Panorama is a centralized
management tool that helps configure and monitor multiple devices.

✓ Juniper Networks Junos Space - Junos Space offers a comprehensive set of tools for
managing Juniper firewalls and routers.

✓ Nipper - Nipper is a specialized tool designed to analyze firewall configurations. It checks
firewall rule sets against best practices and security guidelines, helping identify potential risks and areas for
improvement.

✓ Firewall Analyzer - Some commercial solutions like ManageEngine's Firewall Analyzer offer
configuration analysis features that assess firewall rules, compliance, and security posture.

✓ Configuration Management Systems - Network configuration management tools, such as
RANCID, SolarWinds NCM, or Ansible, automate the retrieval, storage, and analysis of router
configurations. They can help identify configuration changes and ensure consistency across devices.

✓ Router Security Configuration Assessment (RSCA) - This is a framework and methodology
for assessing the security of router configurations, with tools and scripts available to automate the process.

✓ Network Monitoring Tools - Network monitoring solutions like Nagios, PRTG, or Zabbix
can provide insights into router performance and configuration changes. They can alert one to anomalies and
deviations from established configuration baselines.

✓ Vulnerability Scanners - Tools like Nessus or OpenVAS can scan routers for known
vulnerabilities and misconfigurations. They can help one identify security weaknesses in router configurations.

✓ Security Information and Event Management (SIEM) Tools - SIEM solutions such as
Splunk, ELK Stack, or ArcSight can collect and analyze router log data to detect security incidents and track
configuration changes.

✓ Configuration Auditing Tools - Tools like Nipper, AlgoSec, or SolarWinds NCM can audit
router configurations against best practices and compliance standards, highlighting areas that require attention.

✓ Flow Analysis Tools - Tools like NetFlow analyzers or the Elastic Stack can provide insights
into network traffic patterns and anomalies, helping one identify configuration issues impacting traffic.

✓ Packet Capture and Analysis Tools - Wireshark and tcpdump are powerful packet capture
and analysis tools that can help diagnose network issues caused by router configurations.

✓ Third-Party Assessment Tools - External vulnerability assessment and penetration testing
services can provide independent assessments of router configurations, identifying vulnerabilities and
potential risks.

✓ Router Simulation and Emulation - Tools like GNS3 or Cisco Packet Tracer can simulate
router configurations, allowing one to test changes and assess their impact before applying them to production
devices.

✓ Router Vendor-Specific Tools - Router manufacturers often provide specialized management
and analysis tools for their devices. For example, Cisco offers Cisco Configuration Professional (CCP) for
router configuration and monitoring.

✓ Configuration Baseline Tools - Establish and maintain a configuration baseline using tools like
NIST's National Checklist Program or the Center for Internet Security (CIS) benchmarks. These
resources provide recommended security settings for routers.

INTRUSION DETECTION AND PREVENTION SYSTEMS:


Intrusion detection and prevention systems monitor networks for possible incidents and threats, alert
administrators, and prevent potential attacks.

Intrusion Detection System:


An Intrusion Detection System (IDS) observes network traffic for malicious transactions and sends an
immediate alert when one is observed. It is software that checks a network or system for malicious activities
or policy violations. Each illegal activity or violation is often recorded centrally in a SIEM system or reported
to an administrator. An IDS monitors a network or system for malicious activity and protects a computer
network from unauthorized access by users, possibly including insiders.


Fig 5.3 Intrusion Detection System

Intrusion Prevention System:

Fig 5.4 Intrusion Prevention System

An intrusion prevention system (IPS) is a network security tool (which can be a hardware device or
software) that continuously monitors a network for malicious activity and takes action to prevent it, including
reporting, blocking, or dropping it, when it does occur. It is more advanced than an intrusion detection system
(IDS), which simply detects malicious activity but cannot take action against it beyond alerting an
administrator.

FUNCTIONS OF IDPS:

Fig 5.5 Functions of IDPS

✓ Guards technology infrastructure and sensitive data - No system can exist in a silo, particularly
in the current era of data-driven businesses. Data is constantly flowing through the network, so the easiest way
to attack or gain access to a system is to hide within the actual data. The IDS part of the system is reactive,
alerting security experts of such possible incidents. The IPS part of the system is proactive, allowing security
teams to mitigate these attacks that may cause financial and reputational damage.

✓ Reviews existing user and security policies - Every security-driven organization has its own set
of user policies and access-related policies for its applications and systems. These policies considerably
reduce the attack surface by providing access to critical resources to only a few trusted user groups and
systems. Continuous monitoring by intrusion detection and prevention systems ensures that administrators
spot any holes in these policy frameworks right away. It also allows administrators to tweak policies to test for
maximum security and efficiency.

✓ Gathers information about network resources - An IDS-IPS also gives the security team a
bird’s-eye view of the traffic flowing through its networks. This helps them keep track of network resources,
allowing them to modify a system in case of traffic overload or under-usage of servers.


✓ Helps meet compliance regulations - All businesses, no matter the industry vertical, are being
increasingly regulated to ensure consumer data privacy and security. Predominantly, the first step toward
fulfilling these mandates is to deploy an intrusion detection and prevention system.

Intrusion Detection and Prevention System Techniques:

Intrusion Detection and Prevention Systems have two levels of broad functionalities namely
detection and prevention.

1. Detection level functionalities of IDPS:


✓ Threshold Monitoring - The first step of threshold monitoring consists of setting accepted levels
associated with each user, application, and system behaviour. Examples of metrics that are used during
threshold monitoring include the number of failed login attempts, the number of downloads from a
particular source, or even something slightly more complicated such as the accepted time of access to a
specific resource. The monitoring system alerts administrators and sometimes triggers automated responses
when a threshold is crossed.

✓ Profiling - Intrusion detection and prevention systems offer two types of profiling namely user
profiling and resource profiling. User profiling involves monitoring if a user with a particular role or user
group only generates traffic that is allowed. Short-term user profile monitoring allows administrators to
view recent work patterns while long-term profiling provides an extended view of resource usage. Resource
profiling measures how each system, host, and application consumes and generates data. An application with
a suddenly increased work-flow might indicate malicious behaviour. Executable profiling tells
administrators what kind of programs are usually installed and run by individual users, applications, and
systems. This kind of profiling makes it easy to trace malware, ransomware, or Trojans downloaded by
mistake.

2. Prevention level functionalities of IDPS:


✓ Stopping the attack - Otherwise known as ‘banishment vigilance’, intrusion prevention systems
prevent incidents before they occur. This is done by blocking users or traffic originating from a particular IP
address. It also involves terminating or resetting a network connection. For example, when a particular user is
scanning data too frequently, it makes sense to revoke access until these requests have been investigated.

✓ Security environment changes - This involves changing security configurations to prevent
attacks. An example is the IPS reconfiguring the firewall settings to block a particular IP address.


✓ Attack content modification - Malicious content can be introduced into a system in various forms.
One way of making this content more benign is to remove the offending segments. A basic example is
removing suspicious-looking attachments in emails. A more intricate example is repackaging incoming
payloads to a common and pre-designed lot, such as removing unnecessary header information.

Techniques of IDPS:

1. Signature-based detection:

A signature is a specific pattern in the payload. This pattern can be anything from a sequence of
1s and 0s to the number of bytes. Most malware and cyberattacks come with their own identifiable signature.
Another example of a signature is something as simple as the name of the attachment in a malicious email.
With signature-based detection, the IDP system maintains a database of known malware signatures. Each time
new malware is encountered, this database is updated. The detection system works by checking the traffic
payload against this database and alerting when there’s a match.

Signature-based detection obviously cannot work if the malware isn’t previously known. It does not
check the payload’s nature and cannot give administrators context such as the request that preceded a
malicious response.

2. Anomaly-based detection:

Anomaly detection works on threshold monitoring and profiling. The ‘normal’ behavior of all users,
hosts, systems, and applications is configured. Any deviation from this norm is considered an anomaly and
alerted for. For example, if an email ID generates hundreds of emails within a few hours, the chances of that
email account being hacked are high. Anomaly detection is better than signature-based detection when
considering new attacks that aren’t in the signature database. Creating these baseline profiles takes a lot of
time (also known as the ‘training period’). Even then, the rates of false positives may be high, especially in
dynamic environments.
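The following added example (not part of the notes) puts the threshold monitoring and profiling described earlier and the signature-based and anomaly-based detection described here side by side in Python: a small constructed signature database is checked against payloads and attachment names, and a per-account hourly email baseline built over a training period is used to flag an account that suddenly sends hundreds of messages. All signatures, account names and counts are invented for the example.

```python
import re
import statistics

# Constructed signature database (invented patterns for illustration, not real malware indicators):
# a raw byte sequence expected in a payload, and an attachment-name pattern.
SIGNATURE_DB = {
    "sig-0001-bytes": b"\x4d\x5a\x90\x00\x03\x00\x00\x00",
    "sig-0002-attachment": re.compile(r"invoice_\d+\.pdf\.exe$", re.I),
}


def signature_scan(payload, attachment_name=""):
    """Signature-based check: return the names of signatures found in the payload
    or attachment name. Unknown malware produces an empty list, which is the
    blind spot the text describes."""
    hits = []
    for name, sig in SIGNATURE_DB.items():
        if isinstance(sig, bytes):
            if sig in payload:
                hits.append(name)
        elif attachment_name and sig.search(attachment_name):
            hits.append(name)
    return hits


def build_profile(training, k=3.0, floor=5):
    """Threshold monitoring / profiling: derive a per-account threshold from the
    training period as mean + k * standard deviation of hourly email counts,
    never lower than `floor` so a very quiet account is not flagged for trivial use.
    `training` maps account -> list of hourly counts observed while baselining."""
    profile = {}
    for account, counts in training.items():
        mean = statistics.fmean(counts)
        stdev = statistics.pstdev(counts) if len(counts) > 1 else 0.0
        profile[account] = max(floor, mean + k * stdev)
    return profile


def anomaly_check(profile, observed, default_threshold=None):
    """Anomaly-based check: return {account: count} for every account whose
    observed hourly count exceeds its threshold. Accounts with no baseline fall
    back to `default_threshold` (the median of known thresholds if not given)."""
    if default_threshold is None:
        default_threshold = statistics.median(profile.values()) if profile else 0
    return {acct: n for acct, n in observed.items()
            if n > profile.get(acct, default_threshold)}


# Constructed training data: hourly outbound email counts per account over six hours.
TRAINING = {
    "alice": [3, 5, 4, 6, 5, 4],
    "bob": [20, 25, 18, 22, 24, 21],
}
# Constructed current hour: alice's account suddenly sends hundreds of messages,
# and a never-profiled account appears with a large burst.
OBSERVED = {"alice": 180, "bob": 26, "new-account": 300}


def run_both():
    """Run the two techniques side by side and return their findings."""
    burst_payload = b"Subject: monthly statement\r\n\r\nplease see attached"
    return {
        "signature_hits_known": signature_scan(
            b"header" + SIGNATURE_DB["sig-0001-bytes"] + b"tail", "Invoice_2024.pdf.exe"),
        # The burst has no known signature, so only the anomaly check can catch it.
        "signature_hits_unknown": signature_scan(burst_payload, "statement.pdf"),
        "anomalies": anomaly_check(build_profile(TRAINING), OBSERVED),
    }


if __name__ == "__main__":
    for key, value in run_both().items():
        print(f"{key}: {value}")
```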

3. Stateful protocol analysis:


Anomaly detection uses host- or network-specific profiles to determine suspicious activity. Stateful
protocol analysis goes one step further and uses the predefined standards of each protocol state to check for
deviations.

For example, File Transfer Protocol (FTP) only allows logins when unauthenticated. Once a session is
authenticated, users can view, create, or modify files based on their permissions. This information is part of
the FTP protocol definition. The intrusion detection system analyzes whether these norms are met. This kind of
stateful protocol analysis makes it easy to keep track of the authenticator in each session and the subsequent
activity associated with that request. Most IDP solutions offer a combination of more than one approach.

Advantages of IDS:

✓ It monitors the working of routers, firewalls, key servers and files. Using its extensive attack
signature database, it raises an alarm and sends appropriate notifications on detecting a breach.
✓ By using the signature database, IDS ensures quick and effective detection of known anomalies with
a low risk of raising false alarms.
✓ It analyzes different types of attacks, identifies patterns of malicious content and helps the
administrators tune, organize and implement effective controls.
✓ It helps the company maintain regulatory compliance and meet security regulations, as it provides
greater visibility across the entire network.

Advantages of IPS:
✓ Monitor and evaluate threats, catch intruders and take action in real time to thwart such instances
that firewall or antivirus software may miss.
✓ Prevent DoS/DDoS attacks.
✓ Maintain the privacy of users as IPS records the network activity only when it finds an activity that
matches the list of known malicious activities.
✓ Stop attacks on the SSL protocol or prevent attempts to find open ports on specific hosts.
✓ Detect and foil OS fingerprinting attempts that hackers use to find out the OS of the target system to
launch specific exploits.

Disadvantages of IDS:
✓ Generates false positives and negatives.
✓ Requires full-time monitoring.
✓ It is expensive.
✓ Requires highly skilled staff.

Disadvantages of IPS:
✓ Not every IPS threat detection is true; false positives are possible as well. When the IPS stops an
irregular activity that is not malicious, it creates opportunities for DoS attacks.
✓ IPS is a resource-intensive system and needs enough bandwidth and network storage. If these two
aren’t provided properly, the IPS will slow down the system.
✓ When a couple of IPSes are linked together, network performance and connectivity will be poor, as data
has to pass through each IPS before reaching the end user.
✓ IPS implementation and maintenance are costly, and it’s not for every organization.
✓ As the prevention mechanism won’t help one to mitigate or detect threats once they have
entered the system, a separate detection system has to be deployed, adding to the cost and resource
consumption.


NETWORK-BASED AND HOST-BASED IDSs AND IPSs:

Intrusion detection is the process of monitoring network traffic and analyzing it for signs of possible
intrusions, such as exploit attempts and incidents that may be imminent threats to the network. Intrusion
prevention is the process of performing intrusion detection and then stopping the detected incidents, typically
by dropping packets or terminating sessions. These security measures are available as Intrusion Detection
Systems (IDS) and Intrusion Prevention Systems (IPS), which are part of the network security measures taken
to detect and stop potential incidents and are included as functionality within Next-Generation Firewalls (NGFW).

NIDS (Network Intrusion Detection System):

A Network Intrusion Detection System (NIDS) is a computer software application that can detect and
report network security problems by monitoring network or system activities for malicious or anomalous
behaviour.

Fig 5.6 Network-based Intrusion Detection System (NIDS)


Technologies monitored by NIDS:


Network Intrusion Detection Systems use one or more technologies to analyze for threats on a network.
These can include,

✓ Packet headers - Packet headers contain specific information about the packet being transmitted
across a network. Information in the header can include source and destination IP addresses, ports, protocol
types, etc. The NIDS will analyze this information for suspicious activity or malicious behavior.
✓ Packets/transmissions - The total packets per second is a common metric used by a NIDS to
monitor for threats on a network. This may be a configuration option that one specifies when installing a
traffic monitoring system on the network. An IDS can compare normal traffic rates with those being
transmitted at any one time across the network, to detect anything out of the ordinary. For example, if there is
no heavy traffic on the network, but packets are still being transmitted at a high rate, this could
indicate suspicious activity.
✓ Protocols and applications - Network Intrusion Detection Systems use various types of protocols to
monitor for threats on a network. These can include,
• Packet protocols - TCP/IP, UDP/IP, ICMP etc.
• Anomaly-based protocols - This is where an IDS has been programmed to detect anomalies in
protocols that are otherwise benign when working normally.
• Data flow analysis - NIDS can analyze data flow throughout the network to determine where a
problem may be taking place. For example, if a user suddenly begins transmitting a large amount of data, an
IDS will recognize this and alert one for possible security breaches occurring on a network.

Advantages of NIDS:

✓ Detects known and unknown malware - A NIDS can be configured to detect common types of
malware, as well as new or unknown threats, so one will quickly know when hackers have compromised the
systems.
✓ Reduces downtime - Once an intrusion is detected, NIDS immediately shuts down the process and
alerts one, so they can react quickly to stop further damage.
✓ Prevents attacks - The NIDS constantly monitors network traffic to identify suspicious activity and
block it before hackers are able to gain access to the system.
✓ Detects compromised devices - A NIDS can detect when a user’s computer has been compromised, so
the attacker cannot gain access to other machines on the network or use the compromised machine as an
attack vector into other parts of the business’s information technology infrastructure.


Disadvantages of NIDS:

✓ Requires frequent updating - It is important to update the NIDS regularly so it will continue to
recognize known threats and keep up with new ones. There are several ways to perform this update; updates
are essential to the success of a NIDS.
✓ Requires extensive configuration - To be most effective, a NIDS must be configured with
information about how a network normally operates and what types of activities should trigger an alert. This
can require some effort on the user’s part but will ensure that they receive alerts for suspicious behavior or
malware only after it has been detected.
✓ Requires maintenance - Many systems require manual updating and configuration and therefore need
constant management by IT staff to be most effective. If one does not have dedicated IT resources available to
maintain the system, it may need to be removed from the network until these resources become available.

NIPS (Network-based Intrusion Prevention System):

A network-based intrusion prevention system (NIPS) is a system used to monitor a network as well as
protect the confidentiality, integrity, and availability of a network. Its main functions include protecting the
network from threats, such as denial of service (DoS) and unauthorized usage.

Fig 5.7 Network-based Intrusion Prevention System (NIPS)

The NIPS monitors the network for malicious activity or suspicious traffic by analyzing the protocol
activity. Once the NIPS is installed in a network, it is used to create physical security zones. This, in turn,
makes the network intelligent and quickly discerns good traffic from bad traffic. In other words, the NIPS
becomes like a prison for hostile traffic such as Trojans, worms, viruses, and polymorphic threats. A NIPS
uses the following techniques for screening data for anomalies,


✓ Signature-based detection - The NIPS scans and analyzes data for patterns or signatures of
known malware. It regularly updates its database of known signatures and rules to maximize its effectiveness.
✓ Anomaly-based detection - The NIPS monitors for suspicious or unfamiliar network traffic
patterns by using network behavior analysis to sample network activity and regularly compare those samples
to a baseline standard. This technique also requires consistent updates to the database of rules and patterns,
though newer systems are using artificial intelligence and machine learning to streamline these processes.
✓ Policy-based detection - Network administrators set specific network security policies and
create rules tied to them. Network traffic is monitored for adherence to those policies and rules, and traffic
patterns that go against them trigger a response from the system.

Benefits of NIPS:
✓ Reduces the likelihood of cyber-attacks and the issues that come with them.
✓ Increases threat protection and network visibility.
✓ Facilitates anomaly analysis.
✓ Automates network activity monitoring.
✓ Notifies administrators about any threats or anomalies.
✓ Makes information readily available to admins.

Challenges of NIPS:

✓ These systems must be regularly reviewed and updated to ensure their rules and analytical tools
remain up to date.
✓ Insufficient network bandwidth and capacity can result in slower applications while the NIPS operates.
✓ They can generate false positives that might unnecessarily deny service to users.

HIDS (Host-based Intrusion Detection System):

A Host-Based Intrusion Detection System, or HIDS, is a type of cybersecurity solution that monitors
IT systems for signs of suspicious activity to detect unusual behaviors or patterns associated either with
human users or applications that could be a sign of a security breach or attempted attack.

HIDS systems are so-named because they operate on individual host systems. In this context, a host
could be a server, a PC, or any other type of device that produces logs, metrics, and other data that can be
monitored for security purposes.


Fig 5.8 Host-based Intrusion Detection System (HIDS)

Working of HIDS:
Host-Based Intrusion Detection works by collecting data from servers, computers, and other host
systems, then analyzing the data for anomalies or suspicious activity. The data that HIDS tools analyze may
include security-centric data sources, such as authentication logs (which record login events). However, a
HIDS typically also analyzes other types of data, like application and operating system logs. Even though the
latter types of data are not related to security specifically, unusual patterns within those data sets could be
linked to security issues.

Types of HIDS:

Host-Based Intrusion Detection Systems can be broken into two main categories based on how they
are deployed,

✓ Agent-based HIDS - An agent-based HIDS relies on software agents that are installed on each
host to collect information from the host. This is a “heavier-weight” approach because running agents on hosts
increases the resource utilization of the hosts.
✓ Agentless HIDS - With an agentless HIDS, information from hosts is collected without relying
on agents, such as by streaming the data over the network. This type of HIDS is more complex to implement,
and agentless HIDS sometimes can’t access as much data as agent-based solutions, but the agentless approach
offers the benefit of consuming fewer resources.


HIDS components:
No matter which type of HIDS you deploy, your HIDS solution will typically include three main
components,

✓ Data collectors - Using either agents or an agentless approach, a HIDS deploys sensors that
collect data from hosts.
✓ Data storage - After being collected, the data is usually aggregated and stored in a central
location. The data is retained at least as long as is necessary to analyze it, although organizations may also
choose to keep the data on hand so they can reference it at a later time if desired.
✓ Analytics engine - The HIDS uses an analytics engine to process and evaluate the various data
sources that it collects. The purpose of analytics is to look for patterns or anomalies, then assess the likelihood
that they are the result of security risks or attacks.

HIDS Detection Methods:


Most HIDS solutions use a combination of the following two methods.

✓ Host Intrusion Detection Systems Based on Signatures - This type of intrusion detection system
focuses on searching for a previously known pattern, identity, or a specific intrusion event. Most such IDSs
work from a database that needs constant updates to keep up with known cyber threats. As long as the
database is up to date, this type of IDS will do a good job. However, attackers tirelessly generate new malware
or add small changes to their attack methods, so databases cannot possibly keep up in real time.
✓ Host Intrusion Detection Systems Based on Anomalies - As opposed to signature-based HIDS,
anomaly-based ones rely more on analyzing “trustworthy behaviour” and use machine learning techniques to
flag malicious behaviour. This sometimes translates into a higher false-positive rate, as the system might
also flag legitimate behaviour. Anomaly-based IDS is a good option for determining when someone is
probing a network before a cyber-attack. The success of this type of IDS also depends on the degree of
distribution across the network and the level of training provided by the IT administrators.

Table 5.1 Difference between HIDS and NIDS

1. Definition
   HIDS: Host Intrusion Detection System.
   NIDS: Network Intrusion Detection System.

2. Type
   HIDS: It doesn’t work in real-time.
   NIDS: Operates in real-time.

3. Concern
   HIDS: HIDS is related to just a single system; as the name suggests, it is only concerned with the
   threats related to the host system/computer.
   NIDS: NIDS is concerned with the entire network system; it examines the activities and traffic of all
   the systems in the network.

4. Installation Point
   HIDS: HIDS can be installed on each and every computer or server, i.e., anything that can serve as a host.
   NIDS: NIDS, being concerned with the network, is installed at places like routers or servers, as these
   are the main intersection points in the network system.

5. Execution Process
   HIDS: HIDS operates by taking a snapshot of the current status of the system and comparing it against
   already stored snapshots tagged as malicious in the database; this clearly shows that there is a delay
   in its operation and activities.
   NIDS: NIDS works in real-time by closely examining the data flow and immediately reporting anything unusual.

6. Information about attack
   HIDS: HIDS are more informed about the attacks as they are associated with system files and processes.
   NIDS: As the network is very large, making it hard to keep track of the integrating functionalities,
   they are less informed of the attacks.

7. Ease of Installation
   HIDS: As it needs to be installed on every host, the installation process can be tiresome.
   NIDS: Few installation points make it easier to install NIDS.

8. Response Time
   HIDS: Response time is slow.
   NIDS: Fast response time.


Host-based Intrusion Prevention System (HIPS):


A Host Intrusion Prevention System (HIPS) is an approach to security that relies on third-party
software tools to identify and prevent malicious activities. HIPS regularly checks the characteristics of a
single host and the various events that occur within the host for suspicious activities. Host-based intrusion
prevention systems are typically used to protect endpoint devices. Once it detects malicious activity, the HIPS
tool can take a variety of actions, including sending an alarm to the computer user, logging the malicious
activity for future investigation, resetting the connection, dropping malicious packets and blocking subsequent
traffic from the suspect IP address. Some host intrusion prevention systems allow users to send logs of
malicious activity and suspicious code directly to the vendor for analysis and possible identification.

Most host intrusion prevention systems use known attack patterns, called signatures, to identify
malicious activity. Signature-based detection is effective, but it can only protect the host device against known
attacks. It cannot protect against zero-day attacks or signatures that are not already in the provider's database.

A second approach to intrusion detection establishes a baseline of normal activity and then compares
current activity against the baseline. The HIPS looks for anomalies, including deviations
in bandwidth, protocols and ports. When activity varies outside an acceptable range, such as a remote
application attempting to open a normally closed port, an intrusion might be in progress. However, an
anomaly such as a sudden spike in bandwidth use does not guarantee an actual attack, so this approach
amounts to an educated guess, and the chances for false positives can be high.

A third common intrusion detection method uses stateful inspection to assess the actual protocols in
packets traversing the network. The analysis is called stateful because the malware prevention tool tracks the
state of each protocol. For example, it understands how Transmission Control Protocol (TCP) and User
Datagram Protocol (UDP) packets can or cannot carry domain name system (DNS), Simple Mail Transfer
Protocol (SMTP), Hypertext Transfer Protocol (HTTP) and other protocols, and what values should be
contained within each packet of each protocol. Stateful protocol analysis looks for deviations from normal
states of protocol content and can flag a possible attack when an unexpected deviation occurs. Since stateful
analysis is more aware of actual packet contents, the chances for false positives are somewhat lower than with
statistical anomaly detection.

Advantages of HIPS:

A HIPS often monitors memory, kernel, and network state, log files, and process execution. A HIPS
also protects against buffer overflows. The advantage of intrusion prevention is that one does not have to
wait for a security officer to respond before preventive measures are taken to maintain host integrity. HIDS
can monitor specific activities, which provide more detail than network-based systems. Lower barrier entry
than NIDS makes them more cost-effective for small businesses. Also, one doesn't need extra hardware,

MCE CSE Page 33


CCS344 - ETHICAL HACKING UNIT 5 - NETWORK PROTECTION SYSTEMS

which saves on management and maintenance costs.


Disadvantages of HIPS:

✓ HIPS does not provide a complete network picture - Because HIPS examines information only at
the local host level, HIPS has difficulty constructing an accurate network picture or coordinating the events
happening across the entire network.
✓ HIPS has a requirement to support multiple operating systems - HIPS needs to run on every
system in the network. This requires verifying support for all the different operating systems used in a
network.

WEB FILTERING:
Web filtering software monitors and manages the locations where users are browsing on the Internet,
enabling an organization to either allow or block web traffic in order to protect against potential threats and
enforce corporate policy.

Importance of Web filtering:


Web filtering provides an organization with the ability to control the locations where users are
browsing, which is important for a number of reasons,

✓ Malware Protection - Phishing and other malicious sites can be used to deliver malware and
other malicious content to users’ computers. Web filtering makes it possible for an organization to block
access to websites that pose a threat to company and user security.
✓ Data Security - Phishing sites are commonly intended to steal user credentials and other sensitive
data. By blocking access to these pages, an organization limits the risk that such data will be leaked or
breached.
✓ Regulatory Compliance - Companies are responsible for complying with a growing number of
data protection regulations, which mandate that they protect certain types of data from unauthorized access.
With web filtering, an organization can manage access to sites that are likely to try to steal protected data and
ones that may be used intentionally or unintentionally to leak data (such as social media or personal cloud
storage).
✓ Policy Enforcement - Web filtering enables an organization to enforce corporate policies for web
usage. All types of web filtering can be used to block inappropriate use of corporate resources, such as
visiting sites containing explicit content.
✓ Data Protection - Unauthorized access to your network can lead to data breaches. This means
sensitive personal information, financial data, and other confidential information could be at risk.
✓ Privacy - Without security, anyone can potentially intercept your internet traffic, including the
online activities, login credentials, and personal communication.
✓ Malware and Viruses - An unsecured network can be an entry point for malware and viruses that
can infect the devices and spread to others on a network.
✓ Bandwidth Theft - If a network is open or poorly secured, others can use the internet connection
without the owner's knowledge, slowing down the connection and potentially causing the owner to incur extra costs.
✓ Illegal Activities - An unsecured network could be used for illegal activities, and the owner might be
held responsible if the network is traced back to these activities.

Types of Web Filtering:


A web filtering service can work in a variety of ways. One of the ways by which web filtering
solutions can be differentiated is by how they define acceptable content. Web filters can be defined in a few
ways including,

✓ Allow Listing - Allow lists are designed to specify the sites that a user, computer, or application is
permitted to visit. All web traffic is compared to this list, and any requests with a destination not included on
the list are dropped. This provides very strict control over the sites that can be visited.
✓ Block Listing - Block lists are the exact opposite of allow lists. Instead of specifying the sites that
a user can visit, they list sites that should not be visited. With a block-list, all traffic is inspected and any
traffic to a destination on the list is dropped. This approach is commonly used to protect against known-bad
locations, such as phishing sites, drive-by malware downloads, and inappropriate content.
✓ Content Filtering - Content and keyword filtering makes decisions whether to allow or block
traffic based upon the content of a webpage. For example, an organization may have filters in place to block
visits to sites containing explicit content. When a request is made, the content of the site is inspected and the
site is blocked if the policy is violated. This filtering approach enables an organization to block malicious or
inappropriate sites that they don’t know exist.

In addition to filter types, different web filtering solutions can differ in terms of where they look to
apply their rules. Filters can be applied in a few different ways such as,

✓ DNS Filtering - The Domain Name System (DNS) is the phone book of the Internet, translating
domains (like google.com) to the IP addresses used by computers to route traffic. DNS filtering monitors
requests for DNS lookups and allows or blocks the traffic based upon policy.

✓ URL Filtering - A URL is the address of a webpage. URL filtering inspects the URLs contained
within web requests and determines whether or not to allow a request to go through based on policy.
✓ Content Filtering - Content filtering looks at the contents of a requested webpage. If a response
violates policy, then it is blocked.

Finally, web filtering solutions can be classified by where the filter is applied. The options for this
include:

✓ Client-Side Filtering - Client-side web filtering is performed by software installed on a user's
computer. It inspects all outbound and inbound traffic and allows or blocks it based upon policy.
✓ Server-Side Filtering - Server-side filtering is performed via a solution located either on-premises
or in the cloud. All web traffic is routed through this solution, providing it with visibility and control.
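The three decision rules (allow list, block list, content keywords) and the three inspection layers (DNS, URL, content) described above, worked through as an added Python example that is not code from the original notes or from any filtering product; the domains, URL patterns, keywords and page bodies are constructed for illustration:

```python
# Added example, not from the lecture notes: a small policy engine that applies
# the decision rules described above (allow list, block list, content keywords)
# at the DNS, URL and content layers. All domains, patterns, keywords and
# sample requests are constructed for illustration.
from dataclasses import dataclass, field
from typing import List, Optional, Set
from urllib.parse import urlparse


@dataclass
class FilterPolicy:
    mode: str                                   # "allow" (allow list) or "block" (block list)
    allow_domains: Set[str] = field(default_factory=set)
    block_domains: Set[str] = field(default_factory=set)
    block_url_substrings: List[str] = field(default_factory=list)
    block_keywords: List[str] = field(default_factory=list)


def _domain_match(host: str, listed: Set[str]) -> Optional[str]:
    """Return the list entry that equals host or one of its parent domains,
    so an entry "example.com" also covers "login.example.com"."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in listed:
            return candidate
    return None


def check_dns(host: str, policy: FilterPolicy) -> str:
    """DNS-layer decision: only the queried name is visible, nothing else."""
    if policy.mode == "allow":
        if _domain_match(host, policy.allow_domains):
            return "ALLOW"
        return "BLOCK:not-on-allow-list"
    hit = _domain_match(host, policy.block_domains)
    return f"BLOCK:block-list:{hit}" if hit else "ALLOW"


def check_url(url: str, policy: FilterPolicy) -> str:
    """URL-layer decision: the path and query are visible too, so URL patterns
    can be applied on top of the domain decision."""
    parsed = urlparse(url)
    verdict = check_dns(parsed.hostname or "", policy)
    if verdict != "ALLOW":
        return verdict
    path = f"{parsed.path}?{parsed.query}".lower()
    for pattern in policy.block_url_substrings:
        if pattern.lower() in path:
            return f"BLOCK:url-pattern:{pattern}"
    return "ALLOW"


def check_content(url: str, body: str, policy: FilterPolicy) -> str:
    """Content-layer decision: the fetched page body is inspected for keywords,
    which catches pages that no list knows about yet."""
    verdict = check_url(url, policy)
    if verdict != "ALLOW":
        return verdict
    lowered = body.lower()
    for keyword in policy.block_keywords:
        if keyword.lower() in lowered:
            return f"BLOCK:keyword:{keyword}"
    return "ALLOW"


# Constructed policies: a strict allow list for a locked-down device, and a
# block list of "known-bad" names plus URL/keyword rules for general users.
STRICT_ALLOW = FilterPolicy(mode="allow", allow_domains={"example.com"})
KNOWN_BAD = FilterPolicy(
    mode="block",
    block_domains={"phish.example.test"},
    block_url_substrings=[".exe", "/wp-admin"],
    block_keywords=["casino"],
)

if __name__ == "__main__":
    print(check_dns("docs.example.com", STRICT_ALLOW))            # ALLOW
    print(check_dns("news.example.net", STRICT_ALLOW))            # BLOCK:not-on-allow-list
    print(check_dns("login.phish.example.test", KNOWN_BAD))      # BLOCK:block-list:phish.example.test
    print(check_url("http://files.example.org/downloads/setup.exe", KNOWN_BAD))  # BLOCK:url-pattern:.exe
    print(check_content("http://blog.example.org/post/1",
                        "<p>free casino bonus</p>", KNOWN_BAD))   # BLOCK:keyword:casino
```

Note that the `.exe` rule can only fire at the URL layer: a DNS filter never sees the path, which is why the notes distinguish the layers.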

Securing wireless networks through Web filtering:


To build a secure home network, consider the following techniques and best practices,

✓ Use a Quality Router - Invest in a reputable router with built-in web filtering capabilities or the
ability to support third-party web filtering software.
✓ Choose a Web Filtering Solution:
• Router-Based Filtering - Many modern routers offer built-in web filtering options. Enable
and configure these features to block specific categories of websites or specific URLs.
• Third-Party Software - Consider using third-party web filtering software or services that
can be installed on the network devices or router for more advanced filtering and reporting capabilities.
✓ Create User Profiles - Set up different user profiles or device categories (e.g., children, adults,
guests) with varying levels of web filtering rules and access permissions.
✓ Content Categories - Define and customize the content categories that one wants to filter, such as
adult content, social media, gaming, or streaming sites.
✓ Whitelisting and Blacklisting - Maintain whitelists (allowed sites) and blacklists (blocked sites)
to fine-tune web filtering rules according to the user's preferences.
✓ Schedule Filtering - Implement time-based filtering rules to restrict access to certain content
during specific hours, which is particularly useful for parental controls.
✓ HTTPS Filtering - Enable HTTPS inspection and filtering to monitor and filter secure (HTTPS)
websites for potential threats.

✓ Regular Updates - Ensure that the web filtering solution is regularly updated to stay current with
evolving online threats and content.
✓ Test and Adjust - Periodically review and adjust the web filtering rules to ensure they are
effective and not overly restrictive.
✓ Guest Network - If one has guests frequently, consider setting up a separate guest network with
its own web filtering rules to keep the primary network more secure.
✓ Educate Users - Educate all users on a network about safe online practices and the importance of
adhering to web filtering rules.

By implementing web filtering on a home network, one can better control and protect the content
accessed by users, making the network safer, more secure, and suitable for different needs, such as family
safety or productivity in a home office environment.

Tools for Web filtering:

✓ Perimeter81
✓ Cisco Umbrella
✓ Zscaler Internet Access
✓ Symantec WebFilter
✓ Barracuda Web Security Gateway
✓ Forcepoint Web Security
✓ McAfee Web Gateway
✓ Sophos Web Appliance
✓ Palo Alto Networks URL Filtering
✓ Smoothwall Web Filter
✓ iBoss Web Security
✓ Fortinet FortiGate Web Filtering
✓ GFI WebMonitor
✓ OpenDNS
✓ Untangle Web Filter
✓ WebTitan
✓ DNSFilter
✓ McAfee Web Protection

Advantages of Web filtering:

Web filtering refers to the process of controlling or restricting access to websites and online content
based on predefined criteria. This technology is commonly used in various settings, such as homes, schools,
businesses, and public institutions, to manage internet access. There are several advantages to implementing
web filtering,

1. Security Enhancement:

✓ Protection against malware - Web filters can block access to websites known for distributing
malware, viruses, and other malicious software, reducing the risk of infection.

✓ Phishing prevention - They can help prevent users from visiting phishing websites that attempt to
steal sensitive information like login credentials and credit card details.

2. Content Control:

✓ Parental control - In homes, web filters can be used to restrict children's access to inappropriate
or harmful content, ensuring a safer online environment for them.

✓ Compliance with regulations - In educational institutions and workplaces, web filters can help
maintain compliance with regulations and acceptable use policies by blocking access to explicit, illegal, or
non-work/school-related content.

3. Bandwidth Optimization:

✓ Network efficiency - By blocking access to bandwidth-intensive or non-essential websites (e.g.,
video streaming or social media), web filtering can help optimize network performance and reduce congestion.

4. Productivity Improvement:

✓ Distraction reduction - Blocking access to distracting websites during work or study hours can
enhance productivity by minimizing time spent on non-work-related activities.

✓ Encouraging focused work - In educational settings, web filtering can help ensure students stay
on task and focus on their studies.

5. Cost Savings:

✓ Reduced data usage - By blocking access to certain websites and content, organizations can save
on data usage costs, especially in situations where data is limited or expensive.

6. Legal and Liability Protection:

✓ Avoiding legal issues - Implementing web filtering can help organizations avoid legal troubles by
preventing employees or users from accessing and downloading copyrighted material without authorization.

7. Customization and Control:


✓ Tailored policies - Web filtering solutions often allow administrators to customize filtering
policies based on the specific needs and requirements of their organization or household.

✓ Real-time monitoring - Many web filtering tools provide real-time monitoring and reporting,
allowing administrators to see which websites are being accessed and by whom.

8. Protecting Reputation:

✓ Reputation management - Organizations can use web filtering to prevent employees from
visiting websites that could harm the organization's reputation or leak sensitive information.

9. Phishing and Fraud Prevention:

Blocking access to known fraudulent websites and email phishing attempts can help protect users from
scams and identity theft.

10. Compliance and Reporting:

Many web filtering solutions offer reporting capabilities, which can be valuable for demonstrating
compliance with industry regulations or internal policies.

Disadvantages of Web filtering:


✓ Overblocking - Web filters may mistakenly block legitimate and useful websites, which can
frustrate users. For example, educational or research content may be inadvertently blocked due to the filtering
system's overzealousness.

✓ Underblocking - On the flip side, web filters may not catch all inappropriate or harmful content,
allowing some potentially harmful websites to slip through the cracks. This can create a false sense of security.

✓ False Positives - Users may encounter false positives, where harmless websites are incorrectly
flagged as malicious or inappropriate. This can disrupt productivity and cause frustration.

✓ Evasion - Tech-savvy users can sometimes find ways to bypass web filters, such as using proxy
servers, VPNs (Virtual Private Networks), or alternative browsers, potentially undermining the filtering
system's effectiveness.

✓ Complexity - Managing and configuring web filtering systems can be complex, especially in large
organizations. Customizing filters to meet specific needs and keeping them up to date can be time-consuming
and require ongoing maintenance.

✓ Privacy Concerns - Web filtering systems often log user activity, raising privacy concerns among
users who may feel their online activities are being monitored and recorded.

✓ Censorship - Web filtering can be seen as a form of censorship, as it allows administrators to
control and restrict access to certain information. In some cases, this can lead to concerns about limiting
freedom of expression or access to diverse viewpoints.

✓ Resource Intensive - Implementing web filtering can require significant resources, both in terms
of hardware and software. It may also require ongoing updates and maintenance, adding to the overall cost.

✓ Cost - Web filtering solutions, especially advanced ones, can be expensive to purchase, implement,
and maintain. Smaller organizations and individuals may find it challenging to afford these solutions.

✓ Unintended Consequences - Overly restrictive web filtering can discourage creativity, learning,
and exploration. In educational settings, it might hinder students' ability to research and access information
necessary for their studies.

✓ User Frustration - Users may become frustrated if they perceive web filtering as an unnecessary
restriction, leading to decreased morale and job satisfaction in workplaces or resistance to using the internet in
educational settings.

✓ Maintenance Challenges - Keeping web filtering databases and blacklists up to date can be
challenging. New websites and content are constantly being created, and web filter databases may not always
keep pace.

SECURITY INCIDENT RESPONSE TEAM:


A computer security incident response team, or CSIRT, is a group of IT professionals that provides an
organization with services and support surrounding the assessment, management and prevention
of cybersecurity-related emergencies, as well as coordination of incident response efforts.

Phases of CSIRT:
The main goal of a CSIRT is to respond to computer security incidents quickly and efficiently,
thus regaining control and minimizing damage. This involves four phases of incident response,

✓ Preparation
✓ Detection and analysis
✓ Containment, eradication and recovery
✓ Post-incident activity

To do so, CSIRTs may take on many responsibilities, including the following,

✓ Create and update incident response plans
✓ Maintain and communicate information to internal and external entities
✓ Identify, assess and analyze incidents
✓ Coordinate and communicate response efforts
✓ Remediate incidents
✓ Report on incidents
✓ Manage audits
✓ Review security policies
✓ Recommend changes to prevent future incidents.

Department employee responsibilities:

In support of the Department’s CSIRT efforts, employees are required to,

✓ Immediately report any breach of security, including but not limited to, unlawful accesses,
suspected intrusions, theft, or other actions that compromise the security of technology resources to the FDOT
Service Desk.
✓ Cooperate with the CSIRT during investigations of suspected computer security incidents by
providing all requested information whether verbal or written to members of the CSIRT in a timely manner.
✓ Respond to final reports from a CSIRT investigation.
✓ Establish any additional security controls that are deemed necessary by the CSIRT as a result of a
computer security incident investigation.
✓ Maintain proper security controls and adhere to security guidelines and all other information
security standards and procedures.

CSIRT roles and responsibilities:

Role of the CSIRT:

The role of the CSIRT is to serve as the first responder to computer security incidents within the
Department and to perform vital functions in identifying, mitigating, reviewing, documenting, and reporting
findings to management. The CSIRT coordinates with the Chief Technology Officer (CTO), but is
accountable directly to the Secretary.

Responsibilities of the CSIRT:

The CSIRT will be responsible for the following activities,

✓ Classifying Department security incidents.
✓ Meeting upon notification of a reported computer security incident dependent upon the incident
severity level.
✓ Conducting a preliminary assessment to determine the root cause, source, nature and extent of
damage of the suspected computer security incident with recommended responses as deemed appropriate.
✓ Selecting additional support members and subject matter experts as necessary for the reported
incident.
✓ Maintaining confidentiality and need-to-know handling of information related to computer security incidents.
✓ Assisting with recovery efforts and providing reports to management.
✓ Handling and documenting all incidents and, as appropriate, including a root cause analysis and
lessons learned.
✓ Reporting incidents to the Florida Digital Services and the Cybercrime Office.
✓ Maintaining awareness of, and implementing procedures for, an effective response to computer
security incidents.
✓ Staying current on functional and security operations for the technologies within their individual
area of responsibility.
✓ Receiving annual training on cybersecurity, threats, trends and best practices.

CSIRT meetings:

The CSIRT will meet at least once a quarter to facilitate its activities. Regular CSIRT meetings will be
convened by the CSIRT leader and will include a review of incident trends, established processes and escalation
protocols.

CSIRT member roles and responsibilities:

The FDOT (Florida Department of Transportation) CSIRT Core team, includes at a minimum, the
Information Security Manager, the Chief Technology Officer, the Chief Information Officer (CIO) and a
member of the Office of Inspector General. If the CSIRT leader determines that the incident requires the
additional expertise of a support member, that member will be added to the CSIRT for the duration of the
incident resolution.

1. Role of the Information Security Manager:

The ISM will serve as the CSIRT leader. In the event that the ISM is not available during a security
event, the CIO will act as the CSIRT leader or designate a CSIRT leader to serve in the interim. The CSIRT
leader is responsible for managing the activities of the CSIRT. The CSIRT leader’s duties will include the
following,

✓ Contacting the Chief Information Officer.
✓ Convening the CSIRT.
✓ Designating the CSIRT Incident Manager (CSIRT-IM).
✓ Selecting additional support members as necessary for the reported incident.
✓ Managing incidents.
✓ Periodically reporting status of incidents to the CIO.
✓ Ensuring Class 2 and Class 3 incidents are documented.
✓ Ensuring Class 2 and Class 3 incidents are reported to the Florida Digital Services-Chief of
Information Security Officer (FDS-CISO).
✓ Conducting a debriefing of lessons learned and reporting to the CIO.
✓ Conducting meetings of the CSIRT.
✓ Ensuring meetings are documented.
✓ Directing CSIRT training on an ongoing basis.
✓ Coordinating CSIRT incident research and response activities.
✓ Maintaining up-to-date contact information for CSIRT members.

2. Role of the Chief Technology Officer:

Though the CSIRT is owned by FDOT, the ISM is responsible for all CSIRT activities and will ensure
that the CSIRT operates according to the Department CSIRT procedure as well as all applicable authorities,
references, and policies. All decisions relating to incident resolution are the responsibility of the CTO or
designee after conferring with the Secretary. The CTO is responsible for reporting incidents to FDOT
executive management.

3. Role of the Chief Information Officer:

The Chief Information Officer is responsible for ensuring operational support is available for the
resolution and remediation of incidents. This includes providing coordinated oversight between the various
OIT sections, establishing priorities, and assisting in the prioritization of future work. The CIO will work
closely with the CTO to detail the impact of incidents on OIT.

4. Role of the Office of the Inspector General:


Each agency's Inspector General is tasked with initiating, conducting, and coordinating
investigations related to the programs and operations of that state agency. The Department's OIG will assign
a representative to serve on the CSIRT to ensure that CSIRT reviews are properly handled and that reviews
that uncover policy violations, fraud, or other abuses are transferred to the OIG for further investigation when
appropriate.
The OIG representative will determine if and when law enforcement agencies should be called during
the course of an incident review whenever the OIG has reasonable grounds to believe there has been a
violation of criminal law. If a CSIRT incident requires the intervention of law enforcement, the OIG will
contact law enforcement and develop any required protocols before exchanging investigative information. The
CSIRT leader will keep the FDS-CISO informed of any referrals to law enforcement and ensure CSIRT
members are fully briefed on any interagency incidents. The CSIRT leader and / or designated member of
OIG staff may serve as a liaison among law enforcement, FDS-CISO, and the CSIRT.

5. CSIRT Incident Manager:


The CSIRT Incident Manager (CSIRT-IM) will be designated by the CSIRT Leader. The criteria for
designating a CSIRT-IM will be based upon the technical nature and scope of the incident. For most incidents,
this will be an OIT Bureau Chief. In incidents of a highly sensitive or unique nature, the CSIRT leader and /
or CIO may designate someone other than an OIT bureau chief as the CSIRT-IM.

6. General Roles and Responsibilities of CSIRT members:


CSIRT members must be familiar with published security guidelines available through the
Department’s published security policies and procedures. Each CSIRT member will serve as a subject matter
expert for the area of the Department they represent. As representatives of their respective areas, each member
will ensure that all policies and procedures as well as state and federal laws that apply to their specific area of
responsibility are being adhered to during the implementation of this CSIRT procedure. Each CSIRT member
should have an awareness of the duties of the other CSIRT members.

Each CSIRT member must also be available (or have a designee available) to respond to security
incidents during business and non-business hours in order to mitigate possible incidents and react swiftly to
minimize damage to critical infrastructure, computer system(s), networks, and data.

Computer Security Incident Classifications:

The CSIRT will classify each incident as a Class 0, Class 1, Class 2, or Class 3 incident based upon
risk-based severity. These classifications allow for consistency in reporting and tracking. If an
incident meets several criteria in different rating categories, the incident will be classified at the highest
rating. Class 0 events are observable events that are worth documenting with the understanding that
they may later become incidents. Examples include, but are not limited to, anti-malware protection that
prevents an infection and an Intrusion Prevention System (IPS) that drops inbound traffic.

Incident Reporting:
Incident reports will include the following,
(1) Executive summary
(2) Description of the incident
(3) CSIRT members participating
(4) CSIRT findings
(5) Conclusions
(6) Recommendations

HONEYPOTS:
A honeypot is a network-attached system set up as a decoy to lure cyber attackers and to detect,
deflect and study attempts to gain unauthorized access to information systems. In other words, a honeypot is a
network-attached system used as a trap for cyber-attackers, in order to detect and study the tricks and types of
attacks used by hackers.

The function of a honeypot is to represent itself on the internet as a potential target for attackers,
usually a server or other high-value asset, and to gather information and notify defenders of any attempts to
access the honeypot by unauthorized users.

Honeypot systems often use hardened operating systems (OSes) where extra security measures have
been taken to minimize their exposure to threats. They are usually configured so they appear to offer attackers
exploitable vulnerabilities.

Two or more honeypots on a network form a honeynet, while a honey farm is a centralized collection
of honeypots and analysis tools.

Fig 5.9 Honeypot

Working of Honeypots:

Generally, a honeypot operation consists of a computer, applications and data that simulate the
behavior of a real system that would be attractive to attackers, such as a financial system, internet of things
(IoT) devices, or a public utility or transportation network. It appears as part of a network but is actually
isolated and closely monitored. Because there is no reason for legitimate users to access a honeypot, any
attempts to communicate with it are considered hostile.

Honeypots are often placed in a Demilitarized Zone (DMZ) on the network. That approach keeps it
isolated from the main production network, while still being a part of it. In the DMZ, a honeypot can be
monitored from a distance while attackers access it, minimizing the risk of the main network being breached.

Viewing and logging activity in the honeypot provides insight into the level and types of threats a
network infrastructure faces while distracting attackers from assets of real value. Cybercriminals
can hijack honeypots and use them against the organization deploying them. Cybercriminals have also been
known to use honeypots to gather intelligence about researchers or organizations, act as decoys and spread
misinformation.

Types of Honeypots:
Honeypots are classified based on their deployment and the involvement of the intruder. Based on their
deployment, honeypots are divided into,

✓ Research honeypots - These are used by researchers to analyze hacker attacks and deploy
different ways to prevent these attacks.

✓ Production honeypots - Production honeypots are deployed in production networks alongside
the real servers. These honeypots act as a front-end trap for attackers, containing false information and giving
administrators time to fix any vulnerability in the actual system.

Based on interaction, honeypots are classified into,

✓ Low interaction honeypots - Low interaction honeypots give the attacker very little insight into, and
control over, the network. They simulate only the services that are frequently requested by attackers.
The main operating system is not involved in low interaction systems, so they are less risky. They
require very few resources and are easy to deploy. The only disadvantage of these honeypots is
that experienced attackers can easily identify them and avoid them.
✓ Medium Interaction Honeypots - Medium interaction honeypots allow the attacker more activity
than low interaction honeypots. They can expect certain activities and are designed to
give certain responses beyond what a low-interaction honeypot would give.
✓ High Interaction honeypots - A high interaction honeypot offers a large number of services
and activities to the attacker, thereby wasting the attacker's time while trying to gather complete information
about them. These honeypots involve a real operating system and are therefore comparatively
risky if an attacker identifies the honeypot. High interaction honeypots are also very costly and complex to
implement, but they provide extensive information about attackers.
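The low-interaction honeypot described above, together with the logging principle from the "Working of Honeypots" section (every contact is hostile because no legitimate user has a reason to connect), as an added Python example that is not code from the original notes or from any honeypot project; the service banner, the log line format and the local test client are constructed for this example.

```python
# Added example, not from the lecture notes: a minimal low-interaction TCP
# honeypot. It imitates one commonly probed service with a static banner, records
# every connection as a hostile event (no legitimate user should ever reach it),
# and never interprets or executes anything the client sends. The banner text
# and the log line format are constructed for this example.
import socket
import threading
import time
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class HoneypotEvent:
    """One recorded contact with the honeypot."""
    timestamp: float
    peer: str            # "ip:port" of the connecting client
    first_bytes: bytes   # what the client sent after the banner (capped, uninterpreted)

    def as_log_line(self) -> str:
        stamp = time.strftime("%Y-%m-%dT%H:%M:%S", time.gmtime(self.timestamp))
        return f"{stamp}Z HONEYPOT hostile contact from {self.peer} sent={self.first_bytes!r}"


class LowInteractionHoneypot:
    """Listens on one TCP port, answers with a fixed banner, logs and disconnects."""

    def __init__(self, host: str = "127.0.0.1", port: int = 0,
                 banner: bytes = b"SSH-2.0-OpenSSH_7.4\r\n", read_timeout: float = 2.0):
        self.host, self.port = host, port            # port 0 = let the OS pick one
        self.banner, self.read_timeout = banner, read_timeout
        self.events: List[HoneypotEvent] = []
        self._lock = threading.Lock()
        self._sock: Optional[socket.socket] = None
        self._thread: Optional[threading.Thread] = None
        self._running = False

    def start(self) -> int:
        """Bind, listen and start the accept loop; returns the bound port."""
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((self.host, self.port))
        self._sock.listen(5)
        self._sock.settimeout(0.2)                   # accept() wakes up to notice stop()
        self.port = self._sock.getsockname()[1]
        self._running = True
        self._thread = threading.Thread(target=self._accept_loop, daemon=True)
        self._thread.start()
        return self.port

    def _accept_loop(self) -> None:
        while self._running:
            try:
                conn, addr = self._sock.accept()
            except socket.timeout:
                continue
            except OSError:                          # listening socket closed by stop()
                break
            threading.Thread(target=self._handle, args=(conn, addr), daemon=True).start()

    def _handle(self, conn: socket.socket, addr) -> None:
        data = b""
        try:
            conn.settimeout(self.read_timeout)
            conn.sendall(self.banner)                # the only "service" ever offered
            try:
                data = conn.recv(256)                # capture a sample, never act on it
            except socket.timeout:
                pass
        except OSError:
            pass
        finally:
            conn.close()
        with self._lock:
            self.events.append(HoneypotEvent(time.time(), f"{addr[0]}:{addr[1]}", data))

    def wait_for_events(self, count: int, timeout: float = 5.0) -> List[HoneypotEvent]:
        """Block until at least `count` events are logged or the timeout passes."""
        deadline = time.time() + timeout
        while True:
            with self._lock:
                if len(self.events) >= count or time.time() >= deadline:
                    return list(self.events)
            time.sleep(0.05)

    def stop(self) -> None:
        self._running = False
        if self._sock:
            self._sock.close()
        if self._thread:
            self._thread.join(timeout=1.0)


def probe_once(port: int, payload: bytes, host: str = "127.0.0.1") -> bytes:
    """Stand-in for an unauthorized client, used only to exercise the honeypot
    locally: connect, read the banner, send one line, disconnect."""
    with socket.create_connection((host, port), timeout=2.0) as client:
        banner = client.recv(256)
        client.sendall(payload)
    return banner
```

To try it locally: `hp = LowInteractionHoneypot(); port = hp.start()`, then `probe_once(port, b"root\r\n")` from the same machine, and print `ev.as_log_line()` for each event in `hp.wait_for_events(1)` before calling `hp.stop()`.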

Based on the type of activity they detect, honeypots can be broken down into,
✓ Email trap or spam trap or Email honeypots - An email or spam trap will implant a fictitious
email address in a hidden field that can only be detected by an automated address harvester or site crawler.
Since the address is not visible to legitimate users, the organization can categorize all correspondence
delivered to that inbox as spam. The organization can then block that sender and its IP address, as well as any
messages that match its content.
✓ Decoy Database or Database honeypots - A decoy database is an intentionally vulnerable
fictitious data set that helps organizations monitor software vulnerabilities, architecture insecurities or even
nefarious internal actors. The decoy database will gather information about injection techniques, credential
hijacking or privilege abuse used by an attacker that can then be built into system defenses and security
policies.
✓ Malware Honeypots - A malware honeypot mimics a software application or an application
programming interface (API) in an attempt to draw out malware attacks in a controlled, non-threatening
environment. In doing so, the infosec team can then analyze the attack techniques and develop or enhance
anti-malware solutions to address these specific vulnerabilities, threats or actors.
✓ Spider Honeypots - A spider honeypot is designed to trap web crawlers, sometimes called
spiders, by creating web pages and links only accessible to automated crawlers. Identifying these spiders can
help organizations understand how to block malicious bots, as well as ad-network crawlers.

Honeypot Detection Techniques:


When an attacker attempts to break into a system, honeypots are used to track them.
Honeypots can be detected on a network if services are propped up. A malicious packet can be created using
HTTPS, SMTPS, etc. For instance, one can detect honeypots on ports that should run services by denying
three-way handshakes. In addition to using multi-proxies (such as Tor) and encryption to hide their conversations,
attackers may be able to defeat honeypots by employing encryption techniques.

Honeypot Detection Tools:

Attackers detect honeypots in target organizations by using honeypot detection tools.

✓ Kippo - With Kippo, an attacker engages in an SSH session with the server, assuming it is a
legitimate one. Once the attacker guesses the password successfully, they are moved into a fake system with
which they can interact. The fake system monitors and records all interactions.
✓ Cowrie - Honeypots such as Cowrie are used for logging brute-force attacks and the shell
interactions conducted by an attacker over SSH and Telnet. In addition to acting as an SSH and Telnet proxy,
Cowrie allows one to observe attacker behaviour on another computer. Cowrie was developed from Kippo.
✓ Send-Safe Honeypot Hunter - This tool checks lists of HTTPS and SOCKS proxies for honeypots.
In this context a honeypot is a fake proxy server that logs the traffic bulkers route through it, so that their
ISPs can be notified about the bulkers.
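The records an SSH/Telnet honeypot such as Cowrie writes are only useful once someone turns them into a summary of who tried what. The block below is an added example, not code from these notes or from the Cowrie project: the event names and field names imitate Cowrie's JSON log format, the log lines themselves are constructed (including one deliberately truncated line), and the brute-force threshold is an assumed tuning value.

```python
"""Summarize SSH/Telnet honeypot activity from Cowrie-style JSON log lines.

Added example, not Cowrie's own code. Event and field names mirror the JSON
log Cowrie writes (eventid, src_ip, session, username, password, input), but
every line below is constructed for this demonstration.
"""
import json
from collections import Counter, defaultdict

# Constructed sample log in the style of Cowrie's JSON output. The second-to-last
# line is deliberately truncated to show that one bad line must not abort a report.
SAMPLE_LOG = """\
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.10","session":"a1","timestamp":"2024-01-01T10:00:00Z"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.10","session":"a1","username":"root","password":"123456"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.10","session":"a1","username":"root","password":"admin"}
{"eventid":"cowrie.login.success","src_ip":"203.0.113.10","session":"a1","username":"root","password":"toor"}
{"eventid":"cowrie.command.input","src_ip":"203.0.113.10","session":"a1","input":"uname -a"}
{"eventid":"cowrie.command.input","src_ip":"203.0.113.10","session":"a1","input":"cat /proc/cpuinfo"}
{"eventid":"cowrie.session.closed","src_ip":"203.0.113.10","session":"a1"}
{"eventid":"cowrie.session.connect","src_ip":"198.51.100.7","session":"b2","timestamp":"2024-01-01T10:05:00Z"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.7","session":"b2","username":"admin","password":"admin"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.7","session":"b2","username":"admin","password":"admin"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.7"
{"eventid":"cowrie.session.closed","src_ip":"198.51.100.7","session":"b2"}
"""


def parse_events(text):
    """Parse newline-delimited JSON, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a truncated line is logged elsewhere; keep the report going
    return events


def summarize(events):
    """Return login attempts per source, successes, top credentials and commands per session."""
    attempts = Counter()
    successes = Counter()
    credentials = Counter()
    commands = defaultdict(list)
    for ev in events:
        eid = ev.get("eventid", "")
        ip = ev.get("src_ip", "?")
        if eid in ("cowrie.login.failed", "cowrie.login.success"):
            attempts[ip] += 1
            credentials[(ev.get("username"), ev.get("password"))] += 1
            if eid == "cowrie.login.success":
                successes[ip] += 1
        elif eid == "cowrie.command.input":
            commands[ev.get("session", "?")].append(ev.get("input", ""))
    return {
        "attempts": dict(attempts),
        "successes": dict(successes),
        "top_credentials": credentials.most_common(3),
        "commands": dict(commands),
    }


def brute_force_sources(summary, threshold=3):
    """Sources with at least `threshold` login attempts (threshold is an assumed tuning value)."""
    return sorted(ip for ip, n in summary["attempts"].items() if n >= threshold)


if __name__ == "__main__":
    report = summarize(parse_events(SAMPLE_LOG))
    for ip in brute_force_sources(report):
        print(f"brute-force candidate: {ip} ({report['attempts'][ip]} attempts)")
    print("most-tried credentials:", report["top_credentials"])
    for session, cmds in report["commands"].items():
        print(f"session {session} ran: {cmds}")
```

Because nobody legitimate should log in to the decoy, the credential and command lists are pure attacker data; the same summarization run over a production SSH server would first need the legitimate sessions filtered out.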

Advantages of honeypot:
✓ Acts as a rich source of information and helps collect real-time data.
✓ Identifies malicious activity even if encryption is used.
✓ Wastes hackers’ time and resources.
✓ Improves security.

Disadvantages of honeypot:
✓ Being distinguishable from production systems, it can be easily identified by experienced attackers.
✓ Having a narrow field of view, it can only identify direct attacks.
✓ A honeypot, once compromised, can be used to attack other systems.
✓ Fingerprinting (an attacker can identify the true identity of a honeypot).

Comparison of firewall, IDS and Honeypot:

✓ Honeypots Vs Firewalls - A firewall is designed to keep attackers out of the network, whereas
honeypots are designed to entice hackers to attack the system. This is done so that a security researcher
can learn how hackers operate and which systems and ports they are most interested in. Firewalls also log
activity, and those logs contain events related to production systems. In the case of a honeypot, however,
the logs come only from non-production systems, i.e. systems that no one should be interacting with. So a
firewall log may contain 1000 entries covering all the systems on the network, whereas the honeypot’s log
contains only 5-10 entries.
✓ Honeypots Vs IDS - IDSs also suffer from high false positive rates. The value of a honeypot is
determined by the information that can be obtained from it. Monitoring the data that enters and leaves a
honeypot lets one gather information that is not available to an IDS. To detect malicious behaviour, an IDS
requires signatures of known attacks and often fails to detect compromises that were unknown at the time it
was deployed. Honeypots, on the other hand, can detect attacks on vulnerabilities that are not yet
understood. Consequently, forensic analysis of data collected from honeypots is less likely to lead to false
positives than data collected by an IDS. An IDS is used as an alternative to building a shield around the
network. The shielding approach is deficient in several ways, including its failure to prevent attacks from
insiders. IDSs often depend upon signature matching or statistical models to identify attacks, which means
that unknown or novel threats may not be detected. In contrast, honeypots are designed to capture all known
and unknown attacks directed against them. Because any network activity related to the honeypot represents
an anomaly, even the stealthiest activity will register on a honeypot.
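The contrast drawn above (a signature IDS only alerts on what it already knows, while any packet to a decoy is an alert by definition, and the decoy's log stays short because production hosts never appear in it) can be shown on a handful of flow records. The block below is an added example, not code from these notes: the decoy address, the signature list and the flow records are all constructed for the demonstration.

```python
"""Contrast a signature-based IDS with a honeypot "any touch is an alert" sensor.

Added example, not from the original notes. The decoy address, signature
list and flow records are constructed for this demonstration.
"""
from dataclasses import dataclass

HONEYPOT_IP = "10.0.0.250"   # assumed: a decoy host no legitimate client should contact

# Assumed signature list: payload fragments a signature IDS would already know.
SIGNATURES = {
    "known-web-scanner": b"/cgi-bin/test-cgi",
    "known-ssh-bruteforcer": b"SSH-2.0-libssh",
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes


# Constructed traffic: ordinary production flows, one attacker using a known
# tool, and one novel probe that matches no signature but touches the decoy.
FLOWS = [
    Flow("10.0.0.5", "10.0.0.20", 443, b"GET /index.html"),
    Flow("10.0.0.6", "10.0.0.20", 443, b"GET /app/login"),
    Flow("203.0.113.9", "10.0.0.20", 80, b"GET /cgi-bin/test-cgi"),   # known signature
    Flow("203.0.113.9", HONEYPOT_IP, 22, b"SSH-2.0-libssh"),           # known signature, decoy
    Flow("198.51.100.4", HONEYPOT_IP, 8080, b"\x00\x01novel-probe"),   # unknown, decoy
    Flow("10.0.0.7", "10.0.0.21", 445, b"SMB session setup"),
]


def signature_ids(flows):
    """Alert only on flows whose payload contains a known signature."""
    alerts = []
    for f in flows:
        for name, pattern in SIGNATURES.items():
            if pattern in f.payload:
                alerts.append((f.src, name))
    return alerts


def honeypot_sensor(flows, decoy=HONEYPOT_IP):
    """Alert on every flow to the decoy: no signature needed, no production noise."""
    return [(f.src, f"touched-decoy:{f.dport}") for f in flows if f.dst == decoy]


def novel_only(flows):
    """Sources the honeypot caught that the signature IDS never alerted on."""
    ids_sources = {src for src, _ in signature_ids(flows)}
    return sorted({src for src, _ in honeypot_sensor(flows)} - ids_sources)


if __name__ == "__main__":
    print("IDS alerts     :", signature_ids(FLOWS))
    print("honeypot alerts:", honeypot_sensor(FLOWS))
    print("missed by IDS  :", novel_only(FLOWS))
```

The honeypot sensor is deliberately naive: it has no false negatives for traffic aimed at the decoy, but it says nothing about attacks on the production hosts (the narrow field of view listed among the disadvantages), which is why it complements rather than replaces the IDS.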
