Sie sind auf Seite 1von 18

16/12/2018 AllPart5 - Advanced Networks and Security

Part 5
Session 5
Session 5: Topic 5 - Topic 5 - Network Security (2)

Self-assessment questions
1. Briefly explain what MTU is.
Maximum Transmission Unit (MTU): parameter that determines the longest datagram that can be transmitted by an IP interface without
needing to be fragmented into smaller units.
2. Briefly explain what IP Datagram Fragmentation is and how it works.
IP implements datagram fragmentation, so packets can pass through a link with a smaller maximum transmission unit (MTU) than the
original datagram size. Maximum Transmission Unit (MTU): parameter that determines the longest datagram that can be transmitted by
an IP interface without needing to be fragmented into smaller units. It is usually limited by Network Layer frame size.
3. Briefly explain what ICMP protocol is used for.
This protocol is used for diagnostic, control purposes or in response to errors in IP operations ICMP messages are sent using IP.
4. Briefly explain what Echo request and Echo reply, and Redirect message ICMP messages are used for.
• Echo Request & Echo Reply: Type 8 (request) / 0 (reply).
Echo request can include data. The reply to that request includes exactly the same data (echo). ping command uses these messages.
Basic service to check availability of a path to a host.
• Redirect message:
Allows to optimize routing tables, sending a message if an alternative route exists.
5. Briefly explain where vulnerabilities in a program/protocol come from.
The vulnerabilities can be due to • Specification flaws, or • Implementation errors. • Attacks can use these vulnerabilities, or be based on
6. Briefly explain the Buffer overflow and the Uncontrolled format string vulnerabilities.
-Buffer overflow • Anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent
memory. • Special case of violation of memory safety. • This may result in erratic program behavior, including memory access errors,
incorrect results, a crash, or a breach of system security. • Basis of many software vulnerabilities and can be maliciously exploited. -
Uncontrolled format string • A *printf() call without format specifier is dangerous and can be exploited. • printf(input); is exploitable,
while printf(y, input); is not exploitable. • Result of 1st call, used incorrectly, allows an attacker to be able to peek at stack memory since
the input string will be used as the format specifier. • Attacker can fill the input string with format specifiers and begin reading stack
values, since the parameters will be pulled from the stack. • A malicious user may use the %s and %x format tokens, among others, to
print data from the stack or possibly other locations in memory. • One may also write arbitrary data to arbitrary locations using the %n
format token, which commands printf() and similar functions to write the number of bytes formatted to an address stored on the stack. •
Worst case, this improper use may give away enough control to allow an arbitrary value (or values in the case of an exploit program) to
be written into the memory of the running program. • Format string exploits can be used to crash a program or to execute harmful code
7. Briefly explain what a Denial-of-service attack (DOS attack) is.
A denial-of-service attack (DoS attack) or distributed denial-of-service attack DDoS attack) is an attempt to make a computer resource
unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists
of the concerted efforts of a person or people to prevent an Internet site or service from functioning efficiently or at all, temporarily or
8. Briefly explain what IP Spoofing is.
IP address forgery. It allows a remote attacker, and without the need of a sniffer, to pretend it has a local address.
9. Briefly explain what IP Flooding attack is, the type of traffic generated and the type of IP datagrams used.
The IP Flooding Attack is based on a massive flood of the network using IP datagrams. This attack is usually done in local networks or
connections with large bandwidth. It consists of junk traffic generation in order to get the service degradation, thus the available
bandwidth is reduced, slowing down all existing conununications in the network. This attack is particularly effective in local networks
whose medium access control is null and any machine can send and receive packets without any restrictions on the bandwidth it
consumes. The traffic generated in this type of attack can be: Random: when the source address or destination of the IP packet is
fictitious or false. This is the most basic and simply seeks to degrade the conununication service network segment in which the computer
behind the attack is connected to. Defined or directed: when the source address, destination, or even both, it the machine that receives the
attack. The aim of this attack is twofold, as well as leaving out of service the network where the attacker creates IP datagrams, also seeks
to collapse the target computer, either by reducing the available bandwidth or service, by saturating the connection with large number of
requests that the server will be unable to process. IP datagrams used could correspond to: ICMP: generating error messages or control
flow. UDP: in order to generate requests without connection to any of the available ports. Depending on the implementation of the
TCP/IP stack of the machines involved, mass petitions to specific UDP ports are likely to cause the collapse of the system. TCP: to
generate connection requests in order to saturate the network resources of the attacked machine.
10. Briefly explain the use of broadcast in IP Flooding attacks.
Broadcast in an IP flooding attack is used to force the network router to send the packet to all computer in the same network, consuming
bandwidth and dreading the service performance.
11. Briefly explain the Smurf attack.
This type of denial of service attack is a variant of the previous attack (IP Flooding), but doing an impersonation of the source and
destination addresses of an echo-request type ICMP request (ping):
• Source address is set to the IP address of the machine that should be attacked. • The destination IP address field is set to the broadcast
address of the LAN or network to be used as a springboard to collapse the victim. With this fraudulent petition, all the machines on the
network respond at the same time to the same machine,
consuming all available bandwidth and saturating the attacked computer.
12. Briefly explain the prevention mechanisms against Smurf attack.
Prevention mechanism against Smurf Attack Configure individual hosts and routers not to respond to ping requests or broadcasts. Then
Configure routers not to forward packets directed to broadcast addresses. (Until l999, standards required routers to forward such packets
by default, but in that year, the standard was changed to require the default to be not to forward.) Another proposed solution, to fix this as
well as other problems, is network ingress filtering which rejects the attacking packets on the basis of the forged source address.
13. Briefly explain the Teardrop attack. 1/18
16/12/2018 AllPart5 - Advanced Networks and Security
The Teardrop attack will attempt to make fraudulent use ofiP fragmentation to confuse the operating system in the reconstruction of the
original datagram, and so collapse the system. The goal of Teardrop is making the necessary changes in the position and length fields to
introduce inconsistencies when the reconstruction of the original datagram occurs. Thus, Teardrop and its direct variants will achieve the
datagram to be overwritten and to produce a buffer-overrun error when reassembled. Buffer-overrun error can occur because of the
existence of negative offsets. Another possibility consists on sending hundreds of fragments maliciously modified in order to saturate the
IP protocol stack on the target machine (from a superposition of different IP datagrams).
14. Briefly explain the prevention mechanisms against Teardrop attack.
•On Windows based machines that fall victim to teardrop attacks, Windows Teardrop Attack Detection Software is considered to be a
solution to Teardrop Downtime aftermath. •If you are experiencing attacks on a Linux based system, upgrade it to version 2.0.32 I2.1.63
or later.
15. Briefly explain the Ping of Death attack.
• One of the best known denial of service attacks. • Like other existing DoS attacks, it uses a fraudulent definition of maximum length of
IP datagram. • The maximum length of an IP datagram with no special options is 65535 bytes including the header (20 bytes). • POD
attack is based on the possibility of building, through the ping command, an IP datagram exceeding 65535 bytes, fragmented into N
pieces, with the aim to lead to inconsistencies in the reassembly. • When reconstructing the original packet to the destination, errors will
occur if there are deficiencies in the implementation of the system TCPliP stack that could cause degradation or crash of the system
16. Briefly explain the prevention mechanisms against Ping of Death attack.
-Control the size of IP fragmentation data. -Blocking Ping prevent people from pinging you at all. This could possibly break some things
that rely on ping.
17. Give an overview of how security is implemented in IPv6 and how can it be adapted/implemented in IPv4.
The 1Pv6 has been designed in a way that implements authentication and privacy capabilities. This is achieved through the use of
extension headers, in particular with Authentication (AH) and Encapsulating security Payload (ESP) headers. In 1Pv4 security is
implemented in the option field of the header.
18. Briefly explain what a Secure Association is, and what information it includes.
An SA is a relationship between two or more entities that describes how the entities will use security services to communicate securely.
19. Briefly explain Authentication Header (AH) and Encapsulating Security Payload (ESP).
• AH
Origin authentication and Integrity
-Datagram data -Outer IP header (partially: header invariable fields)
Integrity verification code
-Originator and destination known key -No data encryption •ESP
Encryption and/or
-Datagram data encryption and/or
-ESP Header& Datagram data integrity -Origin authentication; No authentication of outer IP header -Padding (ESP Trailer)
partially hides original packet size -Optional sequence number to detect datagram reply attack.
20. Briefly explain the two IPSec Connection modes.
Intermediate nodes with IPSec support: this provides secure gateways. F.e. routers or firewalls with IPSec support (in some cases, a
gateway can act as a fmal node as in SNMP network management protocol) Intermediate nodes without IPSec support: This is a
transparent to the protocol, sine IPSec datagrams are like other IP datagrams.
21. What restriction does Transport mode has regarding the connection path?
This operates between hosts and is not very secure because the original source and destination IP addresses are readable, i.e. the hosts do
their own AH encapsulation of their data. A risk exists because the IPsec header sits within the original IP header.
22. Is it possible to have simultaneously more than one Security Association (“=secure connection”) at the same time in a communication
No, we can only have one secure connection in one time. Should be AH or ESP protocol only.
23. Between which devices can IPSec (Security Associations) be applied?
In Transport Mode
• AH/ESP header between “existing” IP and TCP headers
In Tunnel mode
• New IP+AH/ESP header before “existing” IP and TCP headers
24. Briefly explain the issue of key distribution and exchange in IPSec.
25. Make a brief summary of security provided by IPSec / Secure Network Protocols.
• Host-based security
-End-to-end -Host-to-host
• Services
-Traffic Flow Confidentiality -Network Access Control -Datagram sequence integrity
• Features
-Transparent & automatic security -Implemented into hosts or gateways (routers) -Integrated into/below IP layer -Extensible -
Independent from the Security Mechanism -Compression (may be ineffective with compr. in upper layers)
26. Briefly explain what a Virtual LAN (VLAN) is, and the 2 different types of VLAN.
A virtual LAN (VLAN) is any broadcast domain that is partitioned and isolated in a computer network at the data link layer (OSI layer 2).
[1][2] LAN is the abbreviation for local area network and in this context virtual refers to a physical object recreated and altered by
additional logic. VLANs work by applying tags to network packets and handling these tags in networking systems – creating the
appearance and functionality of network traffic that is physically on a single network but acts as if it is split between separate networks.
In this way, VLANs can keep network applications separate despite being connected to the same physical network, and without requiring
multiple sets of cabling and networking devices to be deployed.
Two types of VLAN: Group computers at data link layer
• Through the use of switches that allow the definition of VLANs
Joining remote subnets at network layer
• Through tunnels
• Internal IP datagrams encapsulated within IP datagrams through another remote subnet
• Usually secure and using IPSec in Tunnel mode
• Transport Layer tunnels using TCP are also used
• All computers see computers from the remote network as if they are in the own network.
27. Briefly explain what a Virtual Private Network (VPN) is.
A VPN, or virtual private network, is a secure tunnel between two or more devices. VPNs are used to protect private web traffic from
snooping, interference, and censorship. Applications running across a VPN may therefore benefit from the functionality, security, and
management of the private network. A VPN is created by establishing a virtual point-to-point connection through the use of 2/18
16/12/2018 AllPart5 - Advanced Networks and Security
dedicated connections, virtual tunneling protocols, or traffic encryption. A VPN available from the public Internet can provide some of
the benefits of a wide area network (WAN).
28. What relationship is there between IPSec and VPNs?
A VPN provides a means by which remote computers communicate securely across a public WAN such as the Internet.
A VPN connection can link two LANs (site-to-site VPN) or a remote dial-up user and a LAN. The traffic that flows between these two
points passes through shared resources such as routers, switches, and other network equipment that make up the public WAN. To secure
VPN communication while passing through the WAN, the two participants create an IP Security (IPsec) tunnel.
A VPN is a private network that uses a public network to connect two or more remote sites. Instead of using dedicated connections
between networks, VPNs use virtual connections routed (tunneled) through public networks. IPsec VPN is a protocol, consists of set of
standards used to establish a VPN connection.
29. Briefly explain how LAN-level Network Layer VLAN (Tunnel / VPN) work.

LAN-level Network Layer VLAN: Tunnel / VPN
• PC A sends within subnet A a datagram with PC B as destination @
• Router A encapsulates the datagram inside datagram with Router B as destination @ and sends I through the network (typically
• If desired, security can be added to the content (original datagram): VPN
• Router B receives the datagram, decapsulates it and places its contents (the original datagram with PC B as destination @) within the
subnet B.
• PC B receives the datagram


Session 6
Session 6: Topic 5 - Network Security (3)

1. Briefly explain the two existing Transport layer protocols.

User datagram protocol is an open systems interconnection (OSI) transport layer protocol for client- server network applications. UDP uses a
simple transmission model but does not employ handshaking dialogs for reliability, ordering and data integrity. The protocol assumes that error-
checking and correction is not required, thus avoiding processing at the network interface level.
The Transmission Control Protocol (TCP) is one of the main protocols of the Internet protocol suite. It originated in the initial network
implementation in which it complemented the Internet Protocol (IP). Therefore, the entire suite is commonly referred to as TCP/IP.
2. Briefly explain the TCP three-way handshake connection mechanism.
Three-way handshake:
The first segment sent has the SYN bit set, and the ACK bit not set.
The second segment of the establishment has the SYN and ACK bits set, specifying an acknowledgement of the first segment.
The last segments has only the ACK bit set and it is used to inform the destination that an agreement has been reached and therefore the
connection is established.
3. Briefly explain the TCP Graceful disconnection mechanism.
Graceful termination protocol
Because in a TCP connection the are two simultaneous streams involved the termination is performed separately.
The segments to indicate the closing of the connection have the FIN bit set.
Graceful termination
When a data stream is over the connection in this direction is closed: the last ACK is waited for and a FIN is sent.
After the receiving of the segment with the FIN tcp, TCP will refuse all data segments coming from this direction of the communication.
The other end of the connection sends an ACK, finishes sending the pending data (waiting the acknowledgements) and finally sends a
Between the first FIN and the second there is, at least, one ACK without FIN.
In between the reception of the first FIN (and sending of ACK) and the sending of the second one all pending data of the stream in the
opposite direction are sent.
The connection is over when the ACK of this FIN is received.
4. Briefly explain the TCP Abrupt disconnection mechanism.
Connections should be closed with the gracefully closing procedure described above.
There could be situation in which it is necessary to force an immediate shutdown of the connection:
The reset (RST) bit is used for this.
5. Briefly explain the TCP/SYN Flooding attack.
Denial of Service (DoS) attack.
Many connection establishment requests (SYN segments) are sent to the same host.
No ACK is returned as response to SYN+ACK
Moreover, usually source address in the IP header of the packet in the SYN flood is distorted/modified
The receiver has a limited space to keep simultaneous requests.
When this space is all used, no more requests are accepted.
6. Briefly explain the prevention mechanisms against TCP/SYN Flooding attack.
SYN cookies 3/18
16/12/2018 AllPart5 - Advanced Networks and Security
SYN Cookies are the key element of a technique against SYN flood attacks.
particular choices of initial TCP sequence numbers by TCP servers.
The server sends back the appropriate SYN+ACK response to the client but discards the SYN queue entry.
Allows a server to avoid dropping connections when the SYN queue fills up.
Instead, the server behaves as if the SYN queue had been enlarged.
SYN Cookies initial sequence numbers are carefully constructed:
t: A slowly-incrementing timestamp (typically time() logically right-shifted 6 positions, which gives a 64 second resolution)
m: The maximum segment size (MSS) value that the server would have stored in the SYN queue entry
s: The result of a cryptographic secret function computed over the server IP address and port number, the client IP address and port
number, and the value t. The returned value s must be a 24-bit value.
If server then receives a subsequent ACK response, it can reconstruct the SYN queue entry using information encoded in TCP sequence
Common Defences
Since in the absence of an army of controlled hosts, the ability to send packets with spoofed source IP addresses is required for this attack
to work, removing an attacker's ability to send spoofed IP packets is an effective solution that requires no modifications to TCP.
Increasing Backlog
An obvious attempt at a defence is for end hosts to use a larger backlog.
Backlog: number of TCB structures that can be resident at any time
Transmission Control Block (TCB): data structure to store all the state information for an individual connection.
Reducing SYN-RECEIVED Timer
Another quickly implementable defence is shortening the timeout period between receiving a SYN and reaping the created TCB for lack
of progress.
Recycling the Oldest Half-Open TCB
Once the entire backlog is exhausted, some implementations allow incoming SYNs to overwrite the oldest half-open TCB entry.
SYN Cache
Based on minimizing the amount of state that a SYN allocates, i.e., not immediately allocating a full TCB.
The full state allocation is delayed until the connection has been fully established.
SYN Cookies
SYN cookies go a step further and allocate no state at all for connections in SYNRECEIVED.
Instead, they encode most of the state (and all of the strictly required) that they would normally keep into the sequence number
transmitted on the SYN-ACK.
Hybrid Approaches
The SYN cache and SYN cookie techniques can be combined.
Firewalls and Proxies
Firewall-based tactics may also be used to defend end hosts from SYN flooding attacks.
The basic concept is to offload the connection establishment procedures onto a firewall that screens connection attempts until they are
completed and then proxies them back to protected end hosts.
7. Briefly explain the TCP RST attack.
DoS and finishes active connections.
Segments with the RST bit set are sent to a host.
As packets can arrive out of order, the TCP stack will accept packets out of sequence, as long as they are within a certain 'distance' or
'window' from the most recent ACK seq number.
The established connections are finished at once.
If the attack is continuous no new connections can be established.
8. Briefly explain the prevention mechanisms against TCP RST attack.
Enhanced sequence verification for RST packets
Verify that the sequence number of RST packets is either the next expected sequence number, or the last acknowledged sequence
Spoofed RST attack detection (without sequence verification)
In order for a spoofed RST attack to succeed, the attacker must guess an approximate sequence number.
This typically results in a flood of RST packets.
Protection detecting such RST floods for connections that belong to the specified services, and drop consecutive RST packets for a
certain penalty period.
9. Briefly explain the FIN SCAN attack.
TCP FIN Attack
A type of scan whose usual aim is to perform network reconnaissance.
Attacker sends a TCP packet with only the FIN flag set that tends to get past many firewalls.
Some firewalls do not even log the attempt!
The scan takes the form of a signal that says
"hi, I've finished my communications on this port" and the computer scanned sends back the signal that says
"acknowledged, yup communications are done" (And closes any open communications on that port if they have the right bug and it's not
patched) or
"I'm sorry that port is closed" or
perhaps (rarely) "Odd. There is a problem that port did not have communications with you".
10. Briefly explain the prevention mechanisms against FIN SCAN attack.
Modern Windows PC's have a flaw where they send back the “acknowledged” response no matter if the port is open or not.
Thus all an attacker can learn about a windows pc by fin scanning is that the windows PC is up and running and that it's not running a
very good firewall.
However, even if the firewall is not that good, you cannot actually exploit the information you receive from a FIN to attack a given port
with the intent of starting
communications unless the firewall does not block a SYN packet to the port in question - even poorer firewall will block this.
11. Briefly explain the UDP flood attack.
UDP flood is a type of Denial of Service (DoS) attack in which the attacker overwhelms random ports on the targeted host with IP packets
containing UDP datagrams. Initiated by sending a large number of UDP packets to random ports on a remote host.
As a result, the distant host will:
• Check for the application listening at that port.
• See that no application listens at that port.
• Reply with an ICMP Destination Unreachable packet.
12. Briefly explain the prevention mechanisms against UDP flood attack.
•Deploying firewalls to filter out unwanted network traffic.
•The potential victimneverreceives and never responds to the malicious UDP packets because the firewall stops them. 4/18
16/12/2018 AllPart5 - Advanced Networks and Security
13. Briefly explain the Fraggle attack.
A type of denial-of-service attack where an attacker sends a large amount of UDP echo traffic to IP broadcast addresses, all of it having a fake
source address.
This is a simple rewrite of the smurf attack code.
14. Briefly explain the Snork attack.
•The Snork attack is based on the malicious use of two typical services in Unix systems:
1. The CHARGEN service (CHARacter GENerator, character generator):
It only responds with a randomstring of charactersto the host that requests it receives.
2. ECHO service:
It is used as a testsystem to verify the operation of the IP protocol.
15. Briefly explain the prevention mechanisms against Fraggle/Snork attack.
• chargen not to respond requests from echo port
• echo not to respond requests from chargen port
16. Briefly explain the IP Spoofing attack in relationship with Transport Layer.
IP address spoofing or IP spoofing is the creation of Internet Protocol (IP) packets with a false source IP address, for the purpose of hiding the
identity of the sender or impersonating another computing system.
One technique which a sender may use to maintain anonymity is to use a proxy server.<<BR>
17. Briefly explain what a Session hijacking is.
Session hijacking, sometimes also known as cookie hijacking is the exploitation of valid computer session (sometimes also called a session
key) to gain unauthorized access to information or services in a computer system.
18. Briefly explain the Connection flooding attack.
An attacker can use all available resources from a server, establishing the maximum allowed number of valid connections.
By flooding the server with requests for new connections, it prevents legitimate requests from being established and served.
19. Briefly explain the 2 phases of the SSL/TLS protocol.
1.SSL Security parameters negotiation
• [Server authentication +]
[Client authentication +]
Symmetric key exchange
• Application data transfer: Symmetrically encrypted message exchange
20. Draw and explain the relationship of SSL/TLS layer and function/system calls regarding with application layer and sockets library.

• TCP Connection
• connect() (Client)
• accept() (Server)
• SSL Security parametersnegotiation
• SSL_Connect() / SSL_Accept(): write() + read()
• Application data transfer
• SSL_write() / SSL_read(): write() / read()
21. Briefly describe the format of TLS record (“TLS data unit”).
Content Type: change_ cipher_ spec(20), alert(21 ), handshake(22), application_ data(23),(255) • Protocol Version • Length • Data:
Encrypted/Compressed o Data o MAC: Message Authentication Code o Padding o Lp: Length of padding
• MAC: Message Authentication Code
o Hash function to a bytes stream o Stream: MAC key (Secret bytes from master secret), implicit sequence number ( 64 bits),
register data
22. Taking into account the functionality of SSL/TLS, briefly describe the components (sublayers and protocols) of the SSL/TLS layer.
Applications with SSL secure transport: o HTTPS (HTTP over SSL): Secure navigation in WWW o NNTPS (NNTP over SSL): Secure
access to New
Like HTTP & NNTP, with secure SSL transport, and own TCP ports: 443 for HTTPS and 563 for NNTPS Protocols with SSL
negotiation extensions: o TELNET: authentication option (RFC1416) o FTP: security extensions (RFC2228) o
SMTP: SSL/TLS extensions (RFC2487)
o POP3 & IMAP: specific commands for SSL/TLS (RFC2595) o HTTP: Mechanisms to negotiate TLS as HTTPS alternative (RFC2817)
23. Make a brief comparison of SSL/TLS and IPSec.
Differences between IPsec and SSLffLS o IPsec provides security at a low level, directly protecting IP datagrams_ o IPsec allows
creating a secure network of computers from insecure channels such as Internet or dedicated lines. o IPsec makes "safe" the
communication between two computers. o SSL/TLS works at the transport layer, end to end. o SSL/TLS operates between two hosts that
do not have to be on the same secure network. o While SSL makes "safe" co=unications between two applications.
24. Make a brief summary of the security provided by SSL/TLS.
• Application-to-application security
• Packet eavesdropping ->Encryption • Client/Server supplanting -> Client/server authentication • Packet modification -> Integrity
(MAC) • Packet repetition, removing or reordering -> MAC, depending on sequence number 5/18
16/12/2018 AllPart5 - Advanced Networks and Security
Non encrypted data: * MAC: Message Authentication Code ("'keyed "hash")
25. Make a list of applications using SSL/TLS.
Applications with SSL secure transport: • HTTPS (HTTP over SSL): Secure navigation in WWW • NNTPS (NNTP over SSL): Secure
access to News
Like HTTP & NNTP, with secure SSL transport, and own TCP ports: 443 for HTTPS and 563 for NNTPS Protocols with SSL
negotiation extensions:
• TELNET: authentication option (RFC1416) • FTP: security extensions (RFC2228) • SMTP: SSLffLS extensions (RFC2487)
• POP3 & IMAP: specific commands for SSLffLS (RFC2595) • HTTP: Mechanisms to negotiate TLS as HTTPS alternative (RFC2817)
26. What is the Secure Shell (SSH) protocol?
It is a method for secure remote login from one computer to another. It provides several alternative options for strong authentication, and
it protects the communications security and integrity with strong encryption. It is a secure alternative to the non-protected login protocols
(such as telnet, rlogin) and insecure file transfer methods (such as FTP).
27. Briefly explain the three main components of SSH.
1) The SSH Transport Layer Protocol o Secure, low level transport protocol. o It provides strong encryption, cryptographic host
authentication, and integrity protection. o It may optionally also provide compression. o Authentication in this protocol
level is host-based; this protocol does not perform user authentication. o A higher level protocol for user authentication can be
designed on top of this protocol. o Simple and flexible to allow parameter negotiation o It will typically be run over a TCP liP
connection, but might also be used on top of any other reliable data stream.
2) The SSH Authentication Protocol o Generalpurpose
user authentication protocol. o Authenticates the client-side user to the server. oIntended to be run over the SSH transport layer
protocol. o Assumes that the underlying protocols provide integrity and confidentiality protection. 3) The SSH Connection
Protocol oMultiplexes multiple streams (channels) of data over the confidential and authenticated transport. o Multiplexes the
encrypted tunnel into several logical channels. o Provides interactive login sessions, remote execution of commands, forwarded
TCPIIP connections, and forwarded Xll connections. o Designed to run on top of the SSH transport layer and userauthentication
28. Briefly explain the format of SSH Packet format.
• Encrypted data: • Length: Length of rest of packet, excluding MAC • Length of padding: Number of padding bits • Payload: Message,
encrypted, if required • Random padding: Random bits of padding • Non encrypted data: • MAC: Message Authentication Code
(≈ keyed “hash”)

29. Briefly describe the security provided by SSH.

The security features provided by SSH are: confidentiality and integrity of data over an insecure network
30. Briefly explain where can SSH be used.
The protocol is used in corporate networks for: • providing secure access for users and automated processes • interactive and automated
file transfers • issuing remote commands • managing network infrastructure and other mission-critical system components.
31. Briefly explain what a firewall is.
A firewall is a system that allows to protect a computer or a network of computers from intrusions that come from a third network
(specifically from the Internet). The firewall is a system that
allows filtering the data packets that go around the network. It is a "narrow bridge" that filters, at least, the traffic between the internal
and external network.

32. Briefly describe what a Bastion host is.

• Often direct communications are not allowed between outside and inside network. So, an intermediate host called Bastion is usually put
acting as a proxy and offering services. A bastion may
be on the same internal network.
33. Briefly describe the two approaches of firewall operation.
• To let pass all traffic by default and add filters to those who do not want to accept datagrams.
• To block all traffic by default and add filters to let pass only traffic allowed.
34. Briefly explain what a firewall can and cannot protect against. 6/18
16/12/2018 AllPart5 - Advanced Networks and Security
Firewall can protect :
• Generally, firewalls are configured to protect against unauthenticated interactive logins from the “outside” world.
• Help preventing vandals from logging into machines on your network.
• Firewalls can block traffic from the outside to the inside, but permit users on the inside to communicate freely with the outside.
• Firewalls can protect you against any type of network-borne attack if you unplug it.
• Firewalls are also important since they can provide a single “choke point” where security and audit can be imposed.
Firewall cannot protect:
• Firewalls can't protect against attacks that don't go through the firewall.
• Traitors or idiots inside your network
• Firewalls also cannot protect you against stupidity
• Floppy/USB disks to export data
• For a firewall to work, it must be a part of a consistent overall organizational security architecture.
• Firewall policies must be realistic and reflect the level of security in the entire network.
35. Taking into account the communications layer at which they work, which are the two different types of firewalls?
Basic Types of Firewalls:<<BR>> • Packet filtering routers: Network layer (and transport)
• Proxy servers: Application layer
• The lower-level the forwarding mechanism, the less examination the firewall can perform.
• Generally speaking, lower-level firewalls are faster, but are easier to fool into doing the wrong thing.
36. Briefly explain the two types of firewalls.
A. Packet filtering routers
• A router is a machine that forwards packets between two or more networks
• At the network (and transport) layer
• A packet filtering router compares each packet with a list of rules to decide whether to forward or not
B. Proxy servers
• Server that acts as intermediary between a user of a computer and Internet
• Application Level: application specific
• Must “understand” the application protocol being used, so they can also implement protocol specific security
37. Briefly explain the two Linux tools that provide firewall functionality.
• It is a set of routines present in the GNU/Linux operating system kernel that handle data traffic, both inbound and outbound, that access
to the operating system or applications.
• It is the name of the user tool with which the administrator can create NAT and packet filtering rules.
• The iptables name is usually used to refer to the complete structure, including netfilter, connection tracking and NAT.
• iptables is now a standard part of most GNU/Linux distributions.


Session 7
Session 7: Topic 5 - Network Security (3)

1. Briefly explain the functionality of the Application Layer.

Communication protocols for specific applications
Application specific
Provides end-user communication services, such as file transfers, electronic messaging, e-mail, and virtual terminal access.
The layer the user interacts with
Specific support for each user application
Coding of the information
Depending on the application
High level protocols: HTTP, SMTP, FTP, SNMP...
Addressing with SAPs (ports) included at the transport level
PDU = message
Normally with operations and answers; with format, arguments and results, specific, for each application.
2. Briefly explain the functionality of the Domain Name System (DNS) protocol.
Hierarchical naming system for computers, services, or any resource connected to Internet or private network.
It associates various information with domain names assigned to each of the participants.
IP @, alias names, dns and mail servers, …
Hierarchical names
It provides the service of translating domain names (meaningful to humans) into IP addresses (numerical), alias names, …
Service distributed in zones
Each user has an associated zone (e.g. their ISP, university, etc.)
Each zone has at least two servers with information of all resources (computers, …) in the zone.
Users make requests to servers in their zone
Requests related to resources outside a zone can be redirected until reaching authoritative server (in zone of the resource)
Retrieved information is usually cached
3. Briefly explain the DNS Poisoning attack.
Maliciously created or unintended situation that provides data to a caching name server that did not originate from authoritative Domain Name
System (DNS) sources.
This can happen through improper software design, misconfiguration of name servers, and maliciously designed scenarios exploiting the
traditionally open-architecture of the DNS system.
Once a DNS server has received such non-authentic data and caches it for future performance increase, it is considered poisoned,
supplying the non-authentic data to the clients of the server.
Different information types may be poisoned
The attacker exploits a flaw in the DNS software.
If the server does not correctly validate DNS responses to ensure that they are from an authoritative source, the server will end up
caching the incorrect entries locally and serve them to other users that make the same request.
This technique can be used to direct users of a website to another site, by the attacker's choosing.
4. Briefly explain the prevention mechanisms against DNS Poisoning attack.
Border Gateway Protocol (BGP) is an interAutonomous System routing protocol.
The primary function of a BGP speaking system is to exchange network reachability information with other BGP systems.
This network reachability information includes information on the list of Autonomous Systems (ASes) that reachability information 7/18
16/12/2018 AllPart5 - Advanced Networks and Security
This information is sufficient for constructing a graph of AS connectivity for this reachability from which routing loops may be pruned,
and, at the AS level, some policy decisions may be enforced.
5. Briefly explain the functionality of the Border Gateway Protocol (BGP) protocol.
BGP directs packets between autonomous systems (AS) networks managed by a single enterprise or service provider. Traffic that is
routed within a single network AS is referred to as internal BGP, or iBGP. More often, BGP is used to connect one AS to other
autonomous systems, and it is then referred to as an external BGP, or eBGP.
6. Briefly explain the attacks against BGP.
BGP hijacking, Prefix hijacking, Route hijacking or IP hijacking
Illegitimate takeover of groups of IP addresses by corrupting Internet routing tables maintained using the Border Gateway Protocol
Deliberately or by accident:
An AS announces that it originates a prefix that it does not actually originate.
An AS announces a more specific prefix than what may be announced by the true originating AS.
An AS announces that it can route traffic to the hijacked AS through a shorter route than is already available, regardless of whether or not
the route actually exists.
Disruption of the normal routing of the network:
Packets forwarded towards the wrong part of the network and enter an endless loop (and discarded), or found at the mercy of the
offending AS.
Information disclosure
Removal: through a BGP blackhole
7. Briefly explain the prevention mechanisms against attacks to BGP.
Fixing BGP:<<BR>>
Origin Authentication
Detect illegitimate MOAS
A Multiple Origin Autonomous System (MOAS) conflict occurs if a prefix appears to originate from more than one ASes
Path Attestation
Roughly attempt to verify that the AS-Path included in an update is a valid AS-level path to the destination
8. Briefly explain attacks against SMTP/e-mail.
The objective of the Simple Mail Transfer Protocol (SMTP) is to transfer mail reliably and efficiently.
Sender user -> Server, Server -> Server
Independent of the particular transmission subsystem and requires only a reliable ordered data stream channel.
Usually transport over TCP.
Capability to transport mail across networks:
SMTP mail relaying
A process can transfer mail to another process on same network or to other network via a relay or gateway process accessible to
both networks.
A mail message may pass through a number of intermediate relay or gateway hosts on its path from sender to ultimate recipient.
No user authentication is supported
Messages are sent in plain text
RFC5322 - Internet Message Format
9. Briefly explain the prevention mechanisms against attacks to SMTP/e-mail.
Transport level authentication and encryption (SMTP/POP3 on top of SSL/TLS)
User-level data (messages) authentication and encryption (e.g. PGP)
Spam filters (server/user)
10. Briefly explain what social engineering is.
Act of manipulating people into performing actions or divulging confidential information.
While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information
gathering, fraud, or computer system access;
in most cases the attacker never comes face-to-face with the victim.
Social Engineering is a real important concern in network security (wetware).
Humans generally are the weakest link in a security scheme.
11. Briefly describe types of social engineering attacks.
• Non-innocuous information (when innocuous information isn't)
• Direct attacks (ask for information)
• Building trust
• “Let me help you”
• “Can you help me?”
• False sites and dangerous attachments
• Sympathy, Guilt, and Intimidation
• Reverse sting
12. Briefly explain the Phishing attacks.
Phising is criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by
masquerading as a trustworthyentity in an electronic communication.
• Usuallysending an e-mail to a user falselyclaiming to be an established legitimate enterprise in an attempt to scam the user into
surrendering private information that will be used for identity theft.
• The e-maildirects the user to visit a Web site where they are asked to update personal information, such as passwords and credit card,
social security, and bank account numbers, that the legitimate organization already has.
• The Web site, however, is bogus and set up only to steal the user’s information.
13. Briefly explain the Pharming attacks.
• Similar in nature to e-mail phishing, pharming seeks to obtainpersonal or private (usually financial related) information through domain
• Rather than being spammed with malicious and mischievous e-mail requests for you to visit spoof Web sites which appear legitimate,
pharming 'poisons' a DNS server by infusing false information into the DNS server, resulting in a user's request being redirected
• It can be conducted either by changing the hosts file on a victim’s computer or by exploitation of a vulnerability in DNS server
• Compromised DNS servers are sometimes referred to as "poisoned".
• Your browser, however will show you are at the correct Web site, which makes pharming a bit more serious and more difficult to detect.
• Phishing attempts to scam people one at a time with an e-mail while pharming allows the scammers to target large groups of people at
one time through domain spoofing. 8/18
16/12/2018 AllPart5 - Advanced Networks and Security
14. Briefly explain what an Intrusion Detection System (IDS) is.
These systems detect and foresee hostile activities in a network that can compromise security.
An intrusion detection system (IDS) is a device or software application that monitors a network or systems for malicious activity or policy
violations. Any malicious activity or violation is typically reported either to an administrator or collected centrally using a security information
and event management (SIEM) system. A SIEM system combines outputs from multiple sources, and uses alarm filteringtechniques to
distinguish malicious activity from false alarms.
15. Briefly explain the 3 main components of an IDS and their functionality.
• Sensors
- Monitor the hostand/or network to detectsuspicious activity and send information to analyzers.
• Analyzers/correlators
- Analyze the information sent by the sensors and produce alerts based on information from a database.
• Response Units
- According to the received alarms activate countermeasures to stop or prevent attacks (block connections, closing ports, blocking
user accounts, etc.).
16. Briefly explain the two basic types of IDS depending of the location of the sensors.
The two basic types of IDS depending on the location of sensors are Network-based: Sensor in network and Host based: Sensors in hosts.
17. Briefly explain the two basic behaviors of the analyzers/correlators in IDS.
• Knowledge-based: Compare/look at a database of traffic patterns Basically, only known attacks • Based on behavior: Find deviations
from normal use
18. Briefly explain the two basic behaviors of the response units in IDS.
Behaviors of response units IDS are: 1) Active IDS lock attacks when they are detected Usually by adding filters in a frrewall2) Passive
only triggers an alarm o E.g. sending an e mail
19. Make a summary of the characteristics of security mechanisms at application layer.
• Protocol-specific protection. • Operations • Data • Application to application protection • Application-user to application-user
protection • Protection Mechanisms • Application data encryption (symmetric or asymmetric) • Application data signature • User (sender
and receiver) authentication
• Some applications relay to/support transport layer security (SSL/TLS) -> HTTPS, NNTPS, TELNET, FTP, SMTP, POP3, IMAP
20. Make a summary of the characteristics of security mechanisms at the rest of the layers of the communications stack.
•Secure Physical Layer Protocols •Point-to-point communications o Link encryption •Secure Network Layer Protocols
•Traffic flow confidentiality, integrity & authentication between 2 hosts o Network access control •Guarantees security in data sent to
upper protocols like TCP or UDP
It may be required some modification to some routers to support the required IP extensions
•Secure Transport Layer Protocols •Over existing transport protocols •Only the transport level protocols {TCP, UDP, etc.) in the end
nodes, may be adapted •Firewalls •Mechanisms for regulating access to/from internet filtering certain datagrams to avoid unwanted
21. Briefly make some considerations about security in Mobile IP & IPv6.
InMobile 1Pv6: •No Foreign Agent • The process that Corresponding Node receives the Binding Update information is vital: possible to
be attacked
22. Briefly explain Denial of Service (DoS) attacks against Mobile IP and the basic prevention mechanism.
When a bad guy sends fake registration request to Home Agent, using its own address as Care-of-Address, •The attacker will receive all
the packets belong to Mobile Node All the connection to the Mobile Node will fail • Solution: •All the registration message should be
under strict authentication
23. Briefly explain the DoS attack from Mobile Node against Mobile IP.
•A malicious Mobile Node could lie about its Care-of-address, with a fake Registration
Request/Binding Update, and in this way mount a DoS attack against another node in the Internet.
•The cheated Home Agent will wrongly direct the traffic to the victim node. •However, such an attack is easy to traced since the Mobile
Node must use its own Security Association information.
24. Briefly explain the Replay attacks against Mobile IP and the basic prevention mechanisms.
•Bad guy saves the old valid Registration Request/Binding Update message of Mobile Node, andre-send it to Home Agent. •Then the
Home Agent will forward packets to the old Care-of-address, rather than the new allocated Care-of-address of the Mobile Node.
•Solution: identification domain in registration messages, Le. timestamps, nonces (arbitrary number that may only be used once).
25. Briefly explain the DoS attack in IPv6.
Denial of Service (DoS) attack in IPv6:
•Attacker sends millions offake Binding Update message to Corresponding Node and Home Agent, to occupy the storage and CPU.
26. Briefly explain the TCP-SYN Flooding attacks in Mobile IP, and the problems with the solutions.
• Bad guy uses fake IP addresses to send TCP-syn packets, occupies the resources of the systems that open TCP service. • TCP-Syn
flooding cannot be totally solved unless TCP protocol is re-designed. • Mobile IP usually uses Ingress Filtering to control the access to
relieve the flooding.
27. Briefly explain 2 possible solutions to previous attacks against Mobile IP / IPv6.
The specification describes the authentication information that will go in the Registration
• Default algorithm: HMAC-MDS ("Keyed MDS"); hash with symmetrical key. Data integrity+authentication (Mobile Node &
Home Agent negotiate same secret key before registration) • Information similar to the IPSec SPI (Security Parameters Index).
1Pv6 Binding update also includes authentication.There are other mechanisms that minimize the probability of an attack.
•First solution: if Mobile Node (MN) & Corresponding Node (CN) share same Security Authority, IPSec can be used for
authentication. •Second solution: Usually MN and CN do not have the same Security Authority: return Routability Procedure •MN
must prove to CN that it owns both HoA and CoA •Mobile does not share any secret with correspondent o Correspondent send
messages to HoA and CoA. •Mobile responds correctly if it receives both.


Session 8
Session 8: Topic 5 - Network Security (4)

1. Briefly describe the Issues and Requirements of Ad hoc networks.

Very limited resources: memory, storage & power 9/18
16/12/2018 AllPart5 - Advanced Networks and Security
Unreliable communication:
Unreliable transfer: connectionless Packet-based routing
Conflicts: unreliable broadcast communication
Latency: Multi-hop routing, network congestion and node processing
Unattended operation:
Exposure to Physical Attacks.
Managed Remotely: Hard to detect physical tampering.
No Central Management Point
Shares some common points with traditional networks but also presents unique problems of its own.
Data confidentiality
Data integrity
Data authentication
Services & Network Availability:<<BR>> Self Organization: self organizing and self healing ad hoc network node.
Time Synchronization
2. Briefly describe the Nodes security in Ad hoc networks.
Nodes Physical Security
Nodes are assumed to have low physical security
Nodes can easily be stolen or compromised by an adversary
It can be assumed that few of the nodes at network formation are corrupted or malicious
Single or distributed point of failure
Sybil attack:
A “malicious device illegitimately taking on multiple identities.”
Identity falsification
Originally used against peer to peer networks but may also be used to disrupt routing algorithms, data aggregation etc.
Node replication attacks.
Malicious nodes can access data and join, destroy, etc. groups.
Solution: Only authorized nodes (subjects)
can have access to data (objects)
may form, destroy, join or leave groups
Identification can be satisfied by:
User ID-Password based authentication systems
Presented adequate credentials
Delegate certificates
3. Briefly describe the Network services availability and Denial of Service (DoS) attacks in Ad hoc networks.
Network services should:
operate properly
tolerate failures even when DoS attack threats
Denial of Service attacks
Off-path: outside network
On-path: inside network
Many nodes may be on-path manipulating routing information
Several availability attacks at different layers:
Physical:<<BR>> Nodes can be broken / stolen
Physical layer:
Jamming a node or set of nodes by transmission of a radio signal that interferes with radio frequencies being used.
Network layer:
The attacker can modify the routing protocol (divert the traffic to invalid addresses)
Adversary can shut down the network
Session layer:
Adversary can remove encryption in the session-level secure channel
Application layer:
Availability of essential services may be threatened Resource consumption
Vioiolate the communication protocol thus depleting limited network resources.
Battery power, bandwidth, computational power
Traffic storms:
Traffic generated as an artifact of other traffic
Nodes can amplify resource consumption threats
Forwarding packets that were not sent by authorized nodes
Generating unrequested reports (e.g., if control flags have been modified)
Not detecting (unplanned) replays or other mis-behaviors
Solution: Don’t allow packets that are status reports to generate other status reports
Status reports flags must be integrity protected
Encryption algorithms cost: Additional computation & communication consumes more energy / resources.
4. Briefly describe the Network Operations Security (Data / Communications) I Ad hoc networks.
Attacks against Data privacy, authenticity & integrity.
Attacks against Routing Information privacy, autenticity, integrity & non-repudiation.
Traffic Analysis Attacks:<<BR>> Take over the base station/nodes closest to base station.
5. Briefly describe the Trust management issue in Ad hoc networks.
Public-key cryptosystem
More convenience
Digital signature possibility
Symmetric-key cryptosystem
Less functionality
Key distribution problem
Trust model
Node-to-node trust
Web of Trust
Node-to-central authority trust
6. Briefly describe the Key management issue in Ad hoc networks.
Key creation 10/18
16/12/2018 AllPart5 - Advanced Networks and Security
Central key creation
Distributed key creation
Key storage
Replicated storage for fault tolerance
Distributed, on each node
Partial key storage (shared secrets)
Full key storage
Key distribution
Symmetric and private keys: Confidentiality, authenticity and integrity should not be violated
Public keys: Integrity and authenticity should be preserved
7. Briefly describe 2 Ad hoc keying mechanisms in Ad hoc networks.
ID-based cryptography
Identity-based cryptography
Master public key/secret key is generated by private-key generation service (PKG)
Master keys known to everyone
Arbitrary identities are public keys
Identity: “A1”
Public key: “MasterPublicKey | A1”
Private keys should be delivered to nodes by PKG
Threshold cryptography
Allows operations to be “split” among multiple users
In t-out-of-n threshold scheme, any set of t users can compute function while any set of t-1 users cannot
If adversary compromises even t-1 users, he cannot perform crypto operation
Honest user who needs to perform crypto operation should contact t of users
Secure against Byzantine adversaries exist for t < n/2, secure against passive adversaries can support t < n
8. Briefly discuss the important issues in Wireless sensor networks (WSN).
Same Issues as Ad-hoc networks (when applicable), plus:
Even more limited resources: memory, storage & power
Even more unreliable communication:
Unreliable Transfer, Conflitcs and Latency
Also unattended operation:
Exposure to Physical Attacks, Managed Remotely, No Central Management Point.
9. Briefly discuss the security requirements in WSN.
Shares some common points with Ad-hoc (& traditional) networks plus.
Data freshness: no old messages have to be replayed
Secure localization: Accurately and automatically locate each sensor in the network.
10. List and briefly describe the important issues in Opportunistic networks (OppNets).
Similar issues as Ad-hoc networks, plus:
[Devices limited resources: Battery, Storage, memory, CPU power]
Store, Carry and Forward
Some messages are personal in nature
Alice might not want Bob to see the video
Encryption needed, but traditional methods don’t work well
How to initialize the needed secure connections?
Some links may be short-lived
Bundles (application data / packets) Fragmentation needed
Authentication becomes very difficult
Policy-based forwarding is required
If Bob forwards a large messages from everyone his batter will soon be empty
Policy-based forwarding requires authentication of messages
11. List and briefly describe the Threats in OppNets.
Similar threats as Ad-hoc networks:
Network - Non OppNet threats
DTN is an overlay network; each overlay hop may traverse multiple underlying network elements
Attacks can be mounted in the underlying, non DTN network elements
Bit flips, insertion of new bundles, masquerading, …
Level of protection required by nodes varies
Some nodes don’t need, or are not able to protect all parts of the bundles
Lower layer protection (e.g., applying integrity)
Lack of computing power
Application layer Confidentiality and integrity
Falsifying a message/bundle’s source
Changing the intended destination
Changing the message/bundle’s control fields, or other header and payload fields
Replaying messages/bundles
Copying or disclosing message/bundle data as it passes
OppNet service Denial of Service
Off-path (outside) attacks:
Solution: Hard to guess valid values for messages/bundles
E.g., use random values instead of counters for message/bundle identification
On-path (inside) attacks:
Solution: Choke-off (obstruction) mechanism for DoS traffic
E.g., defensive mode where only fresh, authenticated messages/bundles are accepted
“Infrastructure” attacks
Many nodes may be on-path manipulating routing information (e.g., blackholing)
12. Briefly describe the Store-Carry-Forward & Security issue in OppNets.
How do I keep my message private?
End-to-end encryption
How do I know to whom I should forward my message?
Hop-by-hop authentication
Carriers 11/18
16/12/2018 AllPart5 - Advanced Networks and Security
Should I accept / keep this sender’s messages?
Publicly verifiable sender identity
Should I accept / keep this previous hop’s messages?
Hop-by-hop authentication
How do I know who sent this message?
Sender authentication
13. Summarize the problems of Traditional Crypto with OppNets.
Traditional crypto: symmetric and public key based schemes
Implicit assumptions of reachability
Multiple round-trips to exchange keys etc. before data can be sent
Reliance on infrastructure (CAs, etc.)
Integrity and authentication verification
Recipient must acquire sender specific key
Must check that the key has not been revoked
Confidentiality protection
Sender must acquire recipient specific key
Must check that the key has not been revoked
Not feasible in OppNets
14. Briefly discuss the privacy issues in Pervasive computing.
• Personal information being collected, transmitted and stored in greater volume:
• data interception, theft and ‘ubiquitous surveillance’ (official and unofficial).
• Computer in private, e.g. home.
• Personal life data on many aspects could be recorded and stored.
• Pervasive computing: data can be collectedwithout a person’s knowledge or consent.
• Could violate existing data protection law?
• personal data should be collected for a specified purpose only.
- However opportunities for ‘data mining’ could be vastly increased with PCS.
- Data mining activities can detect unknown relationships in data.
- Debate over how privacy can be protected while still realising the benefits of pervasive computing, and whether new legislation will be
15. Briefly discuss the safety and security issues in Pervasive computing.
• Pervasive computing also gives rise to debate over safety.
• E.g. road vehicles having actuating devices that intervene in the driving process, responding to hazards more quickly than humans.
- New Mercedes S-Class active braking system can detect rapidly slowing vehicles in front, activating brakes without driver intervention.
- While it may help avoid accidents, there are potential risks, e.g. if vehicle's software security is breached.
• Similar concerns over prospective PCS applications in domiciliary care.
• Breaches of security could expose vulnerable individuals to malicious acts within their own homes –e.g. withholding or over-prescribing of
16. Briefly discuss the social behavior issue related to Pervasive computing.
• Impact on work environments (e.g. employees’ supervision).
• Human relationships.
• The cell phone example:
- Every cell phone owner usually leaves the cell phone on.
- Every one expects that you should have your cell phone on (“if it’s off, then why do you have it ?!”).
- Cell phone related behaviour has become important to some people.
- Constant (possibility of) communication affects the relationships between individuals (e.g. family members etc).
- People may become more insecure because they rely on the cell phone (e.g. for emergencies).
17. Briefly discuss the privacy issue in Ubiquitous computing.
• Pervasive computing requires continuous monitoring of user actions
• Data are not always “anonymous”
• Who has access to this information ?
- Governments?
- Law enforcement agents?
- Marketing companies?
- Strangers?
- All internet users?
18. Briefly list Privacy concerns to Radio Frequency IDentification (RFID).
• From Consumers’ Perspective:
- They are not well informed.
- Unclear reason for its usage.
- Companies usually have low credibility.
- They could have something to hide.
- Lawsdonot really protect people against misuse.
- Secure technology?
- Enough experiments?
- Companies trying to profile you, thieves.
• Industry:
- Your competitor, thieves, etc.
19. Briefly describe the 3 types of adversaries against RFID.
Three levels of read or write access:
• Physical:
- Direct access to physical bits.
• Logical:
- Send or receive coherent messages.
• Signal:
- Detect traffic or broadcast noise.
20. Briefly describe different attacks to RFID.
• Eavesdropping
- The RF signal for the wireless data transfer can be picked up with antennas.
- Distance typically a small number of meters. 12/18
16/12/2018 AllPart5 - Advanced Networks and Security
- Passive devices, much harder to eavesdrop than active.
• Data modification
- Easy to destroy data by using an RFID jammer.
- Much more difficult to modify data so it appears to be valid to users.
• Relay attack
- Adversary forwards request of readertovictim and relays back its answer to reader in real time, to carry out a task pretending to be the
owner of the victim's smart card.
- Similar to a man-in-the-middle attack.
• Lost property
- Losing the NFC RFID card or the mobile phoneopens access to any finder and acts as a single-factor authenticating entity.
- To defeat it, it requires more than one physically independent authentication factor.
• Walk-off
- Lawfully opened access to a secure NFC function or data is protected by time-outclosing after a period of inactivity.
• Tag Manufacture/Cloning
• Reader Impersonator
• Traffic Analysis
• Jamming
21. Briefly describe some Countermeasures against attacks to RFID.
Countermeasures will make an adversary’s access more difficult. For example:
• Encryption:
- logical/message read access to signal read access.
• Authentication:
- logical/message write to signal write access.
• Tamper (modification) resistance
- physical read to logical/message read access.
22. Briefly describe some Security risks of RFID.
1) Security Risks: Espionage
• Corporate Espionage
- Identify Valuable Items to Steal
- Monitor Changes in Inventory
• Personal Privacy
- Leaking of personal information (prescriptions, brand of underwear, etc.).
- Locationprivacy: Tracking the physical location of individuals by their RFID tags.
• Espionage Case Study
- The US Food and Drug Administration (FDA) recently recommended tagging prescription drugs with RFID “pedigrees”.
• Problems:
- “I’m Oxycontin. Steal me.”
- “Bob’s Viagra sales are really up this month.”
- “Hi. I’m Alice’s anti-fungal cream.”
2) Security Risks: Forgery
• RFID casino chips, Mobil SpeedPass, EZ-Pass, FasTrak, prox cards, €500 banknotes, designer clothing.
• Skimming: Read your tag, make my own.
• Swapping: Replace real tags with decoys (“non-real tags”).
• Producing a basic RFID device is simple.
• A hobbyist could probably spoof most RFID devices in a weekend for under $50.
• Mandel, Roach, and Winstein @ MIT
- Took a “couple weeks” and $30 to figure out how produce a proximity card emulator.
- Can produce fake cards for a few dollars.
- Can copy arbitrary data, including TechCash.
- Could read cards from several feet.
- Broke Indala's FlexSecur “data encryption”.
3) Security Risks: Sabotage
• If we can’t eavesdrop or forge valid tags, can simply attack the RFID infrastructure.
• Wiping out inventory data.
• Vandalization.
• Interruptingsupply chains.
• Seeding fake tags – difficult to remove.
23. Big Data Security
Big data security is the collective term for all the measures and tools used to guard both the data and analytics processes from attacks, theft, or
other malicious activities that could harm or negatively affect them. Much like other forms of cyber-security, the big data variant is concerned
with attacks that originate either from the online or offline spheres.
24. Briefly give an overview of the Big data security challenges.
• Big data security challenges are multi-faceted.
• Threats:
- Theft of information stored online
- Ransomware: Publish the victim's data or perpetually block access to it unless a ransom is paid.
- DDoS attacks that could crash a server.
• Often companies store sensitive or confidential information
- customer information, credit card numbers, or even simply contact details.
• Attacks on organization BD storage can cause big financial repercussions:
- losses, litigation costs, and fines or sanctions.
• 3 major big data security best practices or rather challenges:
- Incoming data: could be intercepted or corrupted in transit.
- Data in storage: can be stolen or held hostage while resting on cloud or on-premise servers.
- Data being outputted: could provide an access point for hackers or other malicious parties.
25. Briefly explain the Big data Infrastructure security challenges.
1) Secure Computations in Distributed Programming Frameworks
• Big Data uses parallel Analysis and storage.
• 2 major attack prevention measures: 13/18
16/12/2018 AllPart5 - Advanced Networks and Security
- securing the Analysis software.
- securing the Data in the presence of an untrusted Analysis software.
2) Security Best Practices for Non-Relational Data Stores
• Big Data uses NoSQL databases.
• NoSQL DBs do not provide any explicitly security support in DB.
• NoSQL developers usually embed security in middleware.
• But, clustering aspects pose additional challenges to the robustness of such security practices.
26. Briefly explain the Big data Data privacy security challenges.
1) Cryptographically Enforced Data-Centric Security
• 2 approaches to control visibility of data to different entities.
- limiting access to the underlying system, as the operating system or the hypervisor.
- encapsulate data itself in a protective shell using cryptography.
• Both have benefits and detriments.
2) Granular Access Control
• Granular access control gives data managers more precision when sharing data, without compromising secrecy.
3) Scalable and ComposablePrivacy-Preserving Data Mining and Analytics
• Big Data can potentially enable invasions of privacy, invasive marketing, decreased civil liberties, and increased state and corporate control.
• But anonymizing data for analytics is not enough to maintain user privacy: some information may be “guessed”
27. Briefly explain the Big data Data management security challenges.
Secure Data Storage and Transactions Logs • Data and transaction logs are stored in multi-tiered storage media. • Size needs moving data
between tiers to be automatic (auto-tier). • Auto-tiering solutions do not keep track of where data is stored: new security challenges.
• New mechanisms to prevent unauthorized access & provide availability. Data Provenance • Chronology of the ownership, custody or
location • Analysis of large provenance graphs to detect dependencies for security/confidentiality Granular Audits • With real-time
security monitoring (point 5), notification at the moment an attack takes place is the goal. • To discover a missed attack, audit
information is necessary. • Scope and granularity might be different in real-time security contexts
28. Briefly explain the Big data Integrity and Reactive security security challenges.
End-Point Input Validation/Filtering • Big Data usually collects data from a variety of Sources • Input validation and filtering challenge: •
How can we trust the data? • How can we validate that a source of input data is not malicious? • And how can we filter malicious input
from our collection? Real-Time Security Monitoring • Real-time security monitoring consists of 2 main angles:
(a) monitoring the Big Data infrastructure itself and (b) using the same infrastructure for data analytics.
29. Briefly explain General security recommendations for Big data.
• Vet / Check your cloud providers: • If you are storing your big data in the cloud, you must ensure that your provider has adequate
protection mechanisms in place. • Make sure that the provider carries out periodic security audits and agree penalties in case that
adequate security standards are not met. • Create an adequate access control policy: • Create policies that allow access to authorized users
only. • Protect the data: • Both the raw data and the outcome from analytics should be adequately protected. • Encryption should be used
accordingly to ensure no sensitive data is leaked. • Protect communications: • Data in transit should be adequately protected to ensure its
confidentiality and integrity. • Use real-time security monitoring: • Access to the data should be monitored. • Threat intelligence should
be used to prevent unauthorised access to the data. Anonymizing the data is also important to ensure that privacy concerns are addressed.
• It should be ensured that all sensitive information is removed from the set of records collected. • Log everything. • It’s the only way you
can reliably detect unauthorized activities. • Use a SIEM (Security information and event management) system to make sense of log data.
• You cannot do this analysis manually.
30. Briefly explain Security strategic and tactical policy approaches.
• Organizations should run a risk assessment over the data they are collecting. • They should consider whether they are collecting any
customer information that should be kept private and establish adequate policies that protect the data and the right to privacy of their
clients. • If the data is shared with other organizations then it should be considered how this is done. • Deliberately released data that
turns out to infringe on privacy can have a huge impact on an organization from a reputational and economic point of view. •
Organizations should also carefully consider regional laws around handling customer data, such as the EU Data Directive.
31. Briefly explain what a Digital currency is, including some of its features.
• (Digital money or electronic money or electronic currency) • A type of currency available only in digital form, not in physical (as
banknotes and coins). • Properties similar to physical currencies, but allows for instantaneous transactions and borderless transfer-of-
ownership. • E.g.: virtual currencies, cryptocurrencies, central bank issued "digital base money". • May be used to buy physical goods
and services. • May also be restricted to certain communities. • It is a money balance recorded electronically on a stored-value card or
other device. • Can either be: • Centralized: there is a central point of control over money supply. • Decentralized: control over money
supply can come from various sources
32. Briefly explain what a Cryptocurrency is, including some of its features.
• A cryptocurrency (or crypto currency) is a controversial digital asset designed to work as a medium of exchange that uses cryptography
to secure its transactions, to control the creation of additional units, and to verify the transfer of assets. • Cryptocurrencies are a type of
digital currencies, alternative currencies and virtual currencies. • Cryptocurrencies use decentralized control • opposed to centralized
electronic money and central banking systems. • Decentralized control of cryptocurrency is through a blockchain, a public transaction
database, functioning as a distributed ledger. • Allow Anonymous payments: untraceability • Bitcoin, created in 2009, was the first
decentralized cryptocurrency. • Since then, over 1,800 cryptocurrencies have been created
33. Briefly compare Conventional vs Crypto currency. 14/18
16/12/2018 AllPart5 - Advanced Networks and Security
34. Briefly explain what a Bitcoin is.
A bitcoin is an accounting note, which indicates that in a direction, there is an amount of money. • These notes are inscribed in blocks
with: • Transactions pending to be registered • A value that "solves" the block • The hash of the previous block • In this way, the blocks
are linked together, forming a chain of blocks: Blockchain • This chain contains all transactions • The size of the current blockchain is
150 GB • The limit of Bitcoins is 21,000,000 XBT
35. Briefly explain how transactions are done with Bitcoins.
Transactions consist of one or more inputs and one or more outputs. • Multiple inputs may be used in a cash transaction. • When a user
sends bitcoins, the user designates each address and the amount of bitcoin being sent to that address in an output. • Each input must refer
to a previous unspent output in the blockchain. • Sender must be the owner of the input • Input cannot be spent before (in another
transaction) • Users can send bitcoins to multiple recipients in one transaction. • If sum of inputs exceed the intended sum of payments: •
An additional output is used to return the change back to the payer. • Any input not accounted in the outputs become transaction fee
36. Briefly explain the mechanisms used to provide Bitcoin ownership.
• Transactions are between addresses, not linked to any specific person • The transactions are public • The exchanges or markets may
require identification • On the client side, public/private key pairs are defined • Creating a bitcoin address is nothing more than picking a
random valid private key and computing the corresponding bitcoin address. • To be able to spend the bitcoins, the owner must know the
corresponding private key and digitally sign the transaction. • The network verifies the signature using the public key. • If the private key
is lost, the bitcoin network will not recognize any other evidence of ownership; the coins are then unusable, and effectively lost. • i.e., in
2013 one user claimed to have lost 7,500 bitcoins, worth $7.5 million at the time, when he accidentally discarded a hard drive containing
his private key. • A backup of his key(s) would have prevented this.
37. Briefly explain what a Blockchain is, and the 4 main fields in each block.
• The blockchain is a public ledger that records bitcoin transactions. • It consists of a series of blocks (3 shown above), where each block
contains: • Transactions: transactions or messages sent between users. • A randomguess R, • Proof of work: this is the digest from Bitcoin
mining! • Previous reference: a reference to the digest of the previous block. • The reference to the previous block defines the timeline in
the Bitcoin network. • The transactions in a single block happened “at the same time” (there must be no dependencies between them);

• The transactions in previous blocks happened earlier.

38. Briefly explain what happens when a new transaction arrives at a Bitcoin node.
When new transactions arrive at a Bitcoin node, they initially go into an “unverified” bucket: 15/18
16/12/2018 AllPart5 - Advanced Networks and Security

Any node in the Bitcoin network can put several

unverified transactions into a block and send it out to the rest of the network as the proposed next block in the chain.
39. Briefly explain how Bitcoin mining works.
The Bitcoin miners propose new blocks for the block chain when they mine new Bitcoin. • Take all the text from several unverified
transactions T, • plus the digest of the most recent block in the ledger D, • plus a random guess R, • and do the following SHA-256
calculation: • sha-256(T, D, R) = digest • The miners keep guessing different values of R until they find a digest with the required number
of leading zeroes. • Proof of work • The first miner to find it gets a reward of Bitcoin: to receive it, the miner must send out the new
block, which includes the digest as the “proof of work”, to all other Bitcoin nodes. • Assuming the new block is valid, it becomes a part
of the block chain:

In the example above, block 54 is now part of the block chain—that is, the Bitcoin timeline—and all the transactions in it,
including Alice’s, are considered “verified”. If more than one miner generates a solution, there may be several versions of
the blockchain.
• The longest chain is the one that prevails. 16/18
16/12/2018 AllPart5 - Advanced Networks and Security

40. Briefly explain when and how a miner is rewarded.

Bitcoin-mining receives a reward, which is a certain amount of bitcoins. The reward includes all of the transaction fees for the
transactions in that block, which motivates miners to collect as
many transactions into a block as possible, increasing their reward. The successful miner finding the new block is rewarded with newly
created bitcoins plus transaction fees.
41. Briefly explain if more than one miner generates a solution.
If more than one miner generates a solution, there may be several versions of the blockchain. The longest chain is the one that prevails.
42. Briefly explain how the Bitcoin generation rate is and when and how it is adjusted.
The bitcoin generation rate is set in the algorithm ≈10 min/block. Every 2,016 blocks (≈ 14 days at ≈10 min/block), difficulty target is
adjusted based on network's recent performance, to keep the
average ≈10 min/block.
43. Briefly explain what pooled mining is and its main features.
Computing power is often bundled together or "pooled" to reduce variance in miner income. Individual mining rigs often have to wait for
long periods to confirm a block of transactions and receive payment. In a pool, all participating miners get paid every time a participating
server solves a block. This payment depends on the amount of work an individual miner contributed to help find that
44. Briefly explain what a Bitcoin wallet is and what it contains.
A wallet "stores the digital credentials for your bitcoin holdings" and allows one to access (and spend) them. It stores the information
necessary to transact bitcoins. While wallets are often described as a place to hold or store bitcoins, due to the nature of the system,
bitcoins are inseparable from the blockchain transaction ledger. The wallet contains the cryptographic keys associated with a user
bitcoins. Bitcoin uses public-key cryptography, in which one public and one private cryptographic keys are generated. If the wallet is lost
(it is deleted from the hard disk,
the access password is forgotten), the bitcoins are lost. Online wallets:, Coinbase, Coinkite.
45. Briefly explain the concept of Transaction fees and the main ideas on how they are calculated.
A bitcoin transaction includes a fee. Paying a transaction fee is optional. Miners can choose which transactions to process, and
they are incentivised to prioritize those that pay higher fees. Miners choose transactions based on the fee paid relative to their
storage size, not the absolute amount of money paid as a fee. The size of transactions is dependent on the number of inputs used
to create the transaction, and the number of outputs ≈ 148 * number_of_inputs + 34 * number_of_outputs + 10. The fees go to
the miners to incentivise them to keep mining, which in turn keeps the
Bitcoin network secure.
46. Briefly explain how coins are selected to be spent.
Coins are selected to use to make up the payment amount. When you receive a payment, it goes into your wallet until you spend
it. If you receive a payment of 2 XBT and another of 3 XBT, you'll have 2 new amounts in your wallet, of 2 XBT and 3 XBT. They
don't "merge" into a single 5 XBT coin. Over time: collection of differently sized amounts in your wallet, and need to decide
which ones best fit for the amount to spend. These amounts are the "inputs" of your new transaction, and the amounts you are
sending (including change sent back to your own wallet) are known as the "outputs".
Outputs (incl. change) less than 0.01 XBT discouraged: 0.0001 XBT fee.
47. Briefly explain some risks in Bitcoin usage.
If an online site suffers an attack and the private keys are stolen, all the bitcoin of the users are stolen. The equivalent of a
robbery in a bank, but there is no guarantee of return (at least for now). Trojans have been developed for both computers and
mobile phones that seek to steal the victims' wallet files. It is always recommended to protect these files with a password. 17/18
16/12/2018 AllPart5 - Advanced Networks and Security
Cryptocurrencies are targets for highly sophisticated hackers, who have been able to breach advanced security systems.They
have fewer protections.If you trust someone else to hold your cryptocurrencies and something goes wrong, that company may not
offer you the kind of help you expect from a bank or debit or credit card provider. The Cost of Cryptocurrencies can cost
consumers much more to use than credit cards or even regular cash, often due to price volatility. Scams, Fraudsters are taking
advantage of the hype surrounding virtual currencies to cheat people with fake
opportunities. Lack of Transparency.The anonymous nature of cryptocurrencies make transparency and accountability difficult
for consumers seeking to ensure the safety of their investments.
48. Briefly discuss the real anonymity in Bitcoins.
The problem with anonymity is that every transaction ever made is recorded forever.The solution is to use new identity for each
transaction but heuristics allow to cluster identities.To keep
anonymous we can use alternatives such as Zerocoin, Zerocash.
49. Briefly explain what Ethereum is.
Ethereum is an open-source, public, blockchain-based distributed computing platform and operating system featuring smart
contract (scripting) functionality. Ethereum is not just a platform but also a programming language (Turing complete) running
on a blockchain, helping developers to build and publish distributed applications. Ether is a cryptocurrency whose blockchain is
generated by the
Ethereum platform. Ether can be transferred between accounts and used to compensate participant mining nodes for
computations performed.
50. Briefly compare Ethereum vs Bitcoin.
While both Bitcoin: Digital Money and Ethereum: Smart Contracts are powered by the principle of distributed ledgers and
cryptography, the two differ in many technical ways. For example, the programming language used by Ethereum is Turning
complete whereas Bitcoin is in a stack-based language. Other differences include block time (Ethereum transaction is confirmed
in seconds compared to minutes for Bitcoin) and their basic builds (Ethereum uses ethash while Bitcoin uses a secure hash
algorithm, SHA-256). However, from a general point of view, Bitcoin and Ethereum differ in purpose. While Bitcoin is created as
an alternative to regular money and is thus a medium of payment transaction and store of value, Ethereum is developed as a
platform which facilitates peer-to- peer contracts and applications via its own currency vehicle. While Bitcoin and Ether are both
digital currencies, the primary purpose of Ether is not to establish itself as a payment alternative
(unlike Bitcoin) but to facilitate and monetize the working of Ethereum to enable developers to build and run distributed


AllPart5 (editat per darrera vegada el 2018-09-05 09:30:09 per RamonMarti) 18/18