
Tuesday, November 26, 2013

Security - What is meant by a spoofing attack?

A spoofing attack, in the area of network security, is a situation in which a person or program successfully masquerades as another by falsifying data, thereby gaining an illegitimate advantage. A number of TCP/IP protocols have no mechanism for authenticating the source or destination of a message, which makes them particularly vulnerable to spoofing attacks. Applications therefore have to take extra precautions to verify the identity of the sending and receiving hosts. In IP spoofing, IP packets are created with a forged source IP address in order to impersonate some other computer system and to conceal the sender's identity. IP is the basic protocol used for sending data across networks, and each packet carries numerical addresses. The header field of the packet is forged so that the packet appears to come from someone else.
Man-in-the-middle attacks against the hosts on a network are often carried out with the help of two types of spoofing, namely ARP spoofing and IP spoofing.
Firewalls capable of deep packet inspection can prevent spoofing attacks from taking advantage of the TCP/IP protocols. The same can be achieved by taking measures to verify the identity of the message's sender and recipient. Some pay sites can be accessed only through a certain log-in page that they have approved. This is enforced by checking the referrer header in the HTTP request. However, unauthorized users can change the referrer header to gain access to the site content. This is called referrer spoofing.
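The following added example (not from the original post) puts the referrer check described above next to a check the client cannot satisfy by editing a header. The log-in URL, the `session` cookie format and all function names are assumptions made for the illustration; `Referer` is the header's actual spelling in HTTP.

```python
import hashlib
import hmac
import secrets

LOGIN_PAGE = "https://members.example/login"  # hypothetical approved log-in page
SERVER_KEY = secrets.token_bytes(32)          # secret that stays on the server


def allow_by_referer(headers):
    """The check described above: trust the Referer value the client sent."""
    return headers.get("Referer", "") == LOGIN_PAGE


def _mac(payload):
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(user, now, ttl=3600):
    """Called by the log-in handler once the user's credentials are verified."""
    payload = f"{user}|{int(now) + ttl}"
    return f"{payload}|{_mac(payload)}"


def allow_by_token(headers, now):
    """Accept only a session cookie carrying a valid, unexpired server MAC."""
    for part in headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name != "session":
            continue
        payload, _, mac = value.rpartition("|")
        if not hmac.compare_digest(mac.encode(), _mac(payload).encode()):
            return False
        expires = payload.rpartition("|")[2]
        return expires.isdigit() and now < int(expires)
    return False


def demo(now=1_700_000_000):
    """Constructed requests; returns {label: (referer check, token check)}."""
    token = issue_token("alice", now)
    tampered = token.replace("alice", "admin", 1)
    expired = issue_token("alice", now - 7200)
    requests = {
        "logged in, browser sends no Referer": {"Cookie": f"session={token}"},
        "never logged in, Referer set by the client": {"Referer": LOGIN_PAGE},
        "cookie with altered user name": {"Cookie": f"session={tampered}"},
        "cookie presented after expiry": {"Cookie": f"session={expired}"},
    }
    return {label: (allow_by_referer(h), allow_by_token(h, now))
            for label, h in requests.items()}


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

The referrer check fails in both directions: it admits the request that never went through the log-in page and rejects the legitimate user whose browser withholds the header.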
Copyright holders sometimes also use spoofing to insert unlistenable and distorted versions of works on file-sharing networks. This is termed poisoning the file-sharing networks. Another type of spoofing attack is caller ID spoofing. Public telephone networks often provide caller ID information, including the name and number of the caller. VoIP (voice over IP) is one technology with which callers can forge the caller ID information so as to present false names and numbers. This false information is then forwarded by the gateways that connect to the public networks, which allows the spoofing.
It is also possible that the spoofed call originates in some other country. In that case the laws in the recipient's country might not be applicable to the caller. This limits the effectiveness of the laws against caller ID spoofing and results in a lot of scams. Another type is email spoofing, or email address spoofing. The sender information that you see in an email can be easily spoofed. Spammers use this technique quite often to hide their information. This creates problems such as spam backscatter, misdirected bounces and so on.
A GPS receiver can be deceived by a GPS spoofing attack, in which counterfeit GPS signals are broadcast that have been structured to appear the same as normal GPS signals. This can also be done by taking genuine signals and rebroadcasting them at some other point. Because of this, the receiver will estimate its position wrongly. One variant of the GPS spoofing attack is the carry-off attack. This attack involves broadcasting counterfeit signals synchronized with the genuine signals. The power of the counterfeit signals is then gradually increased, which causes them to drift away from the genuine signals.


Thursday, October 24, 2013

How is security management done in home and small businesses?

As there are different kinds of networks, there are different types of security management for them. In this article we talk about how security management is done in homes and small businesses. Only basic security is required for a small office or a home, whereas large businesses and large institutions require a lot of maintenance. Ordinary hardware and software is used here, as opposed to the sophisticated hardware and software that is used elsewhere for the prevention of spamming, hacking and other kinds of malicious attacks. Here we list some basic points for security management at home and in a small office:

- A basic firewall can be installed or even a unified threat management system can be used.
- Basic antivirus software will do the task if you are working in the Windows environment.
- Other software that can be installed for security includes anti-spyware programs. A number of antivirus and anti-spyware programs are available in the market.
- If you are using a wireless connection, you must take care to secure your system with a robust password. Wireless devices support a number of security methods, so try to use the strongest of them, such as WPA2 with AES. TKIP is supported by a wider range of devices, but it should be used only in cases where the equipment is not compliant with AES.
- While using wireless, the default SSID name of the network must be changed. Another measure that can be taken is to disable the SSID broadcast, as it is not required for home use. However, this can be easily bypassed with modern technology if the attacker has some knowledge of how wireless traffic can be detected.
- You can enable MAC address filtering to keep track of all the devices on the network that are connected to your router. Even though this is strictly not a security feature, it can be used to limit and monitor the DHCP address pool for attackers, both by AP association and by exclusion.
- Static IP addresses can be assigned to the devices connected to the network. This is done for complementing the other security features and to make the AP less desirable to the attackers.
- The ICMP ping on the router must be disabled.
- You can also review the logs of the router and the firewall to identify any abnormal traffic or connections.
- Passwords must be set for all the accounts.
- If you are using a Windows operating system, you can create multiple accounts for the family members to limit their activities.
- Children in the family must be given lessons about information security.

Security management is about identifying the user's important assets, which of course include the information assets, and checking whether the policies protecting these assets are implemented properly. It is also about protecting these assets from loss. It identifies the critical assets and focuses on protecting them first. The potential threats to the system are assessed. Then measures are taken for eliminating or minimizing these threats. The security risks are managed by virtue of risk management principles. This involves identification of the risks, assessment of the effectiveness of the control strategies and determination of the consequences. The risks are identified by means of the impact they can have. The identified risks are classified and an appropriate response is selected for each.


Tuesday, October 1, 2013

How can firewalls secure a network?

Firewalls in computer systems are either software based or hardware based, but they have the same purpose: keeping control over the incoming as well as the outgoing traffic.
In this article we discuss how firewalls secure a network.
This control is maintained through the analysis of the data packets.
- After the analysis, the firewall's job is to determine whether or not to allow these packets to pass.
- This decision is taken based upon a set of rules.
- With this set of rules, the firewall establishes a barrier between the external network, which is not considered secure and trusted, and the internal network, which is secure and trusted.
- Most personal computer operating systems come with a built-in software-based firewall for providing protection against threats from external networks.
- Some firewall components might also be installed in the intermediate routers in the network. 
- Also some firewalls have been designed to perform routing as well.

There are different types of firewalls which function differently. This classification of the firewalls is based upon the place where the communication is taking place, i.e., whether at the network layer or the application layer.

Packet filters or network layer: 
- Firewalls used at the network layer are often termed packet filters.
- This firewall operates at a low level of the TCP/IP protocol stack and does not allow packets to pass through it unless they satisfy all the rules.
- These rules might be defined by the administrator of the firewall.
- These firewalls can be classified into two categories, namely stateless firewalls and stateful firewalls.
- The former kind uses less memory and operates faster with simple filters, thus taking less time for filtering.
- These firewalls are used for filtering stateless network protocols, i.e., protocols which do not follow the session concept.
- These firewalls are not capable of making complex decisions based upon the state of the communication.
- The latter kind maintains the context of the active sessions.
- This state information is used by these firewalls for speeding up the packet processing.
- A connection is described using properties such as the UDP or TCP ports, IP addresses and so on.
- If a match is found between an existing connection and the packet, it is allowed to pass.
- Today firewalls are capable of filtering packets based upon attributes like the IP addresses of the source and destination hosts, protocols, the originator's netblock, TTL values and so on.
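To make the stateless and stateful distinction above concrete, this added example (not code from the original post) runs the same constructed packet sequence through both kinds of filter. The packet model, the rule "outbound HTTPS only" and every name in it are assumptions; the connection tracking is reduced to SYN and RST handling, where a real tracker follows the full TCP state machine and timeouts.

```python
from collections import namedtuple

# Constructed packet model. direction: "out" = LAN to Internet, "in" = reverse.
# flags is a string of TCP flag letters: S=SYN, A=ACK, R=RST.
Packet = namedtuple("Packet", "direction proto src sport dst dport flags")

def stateless_allow(pkt):
    """Stateless filter: each packet is judged only on its own header fields."""
    if pkt.proto != "tcp":
        return False
    if pkt.direction == "out":
        return pkt.dport == 443
    # Rule meant for web-server replies: inbound, source port 443, ACK set.
    return pkt.sport == 443 and "A" in pkt.flags

class StatefulFilter:
    """Stateful filter: keeps the context of active sessions in a table."""
    def __init__(self):
        # Entries: (proto, inside ip, inside port, outside ip, outside port)
        self.connections = set()

    def allow(self, pkt):
        if pkt.direction == "out":
            key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.proto == "tcp" and pkt.flags == "S" and pkt.dport == 443:
                self.connections.add(key)  # new session opened from inside
            return key in self.connections
        # Inbound packets pass only if they match an existing connection.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        known = key in self.connections
        if known and "R" in pkt.flags:
            self.connections.discard(key)  # reset ends the session
        return known

# Constructed traffic (private and documentation-range addresses).
TRAFFIC = [
    Packet("out", "tcp", "192.168.1.10", 50000, "198.51.100.7", 443, "S"),
    Packet("in", "tcp", "198.51.100.7", 443, "192.168.1.10", 50000, "SA"),
    Packet("out", "tcp", "192.168.1.10", 50000, "198.51.100.7", 443, "A"),
    # Unsolicited packet that merely claims source port 443.
    Packet("in", "tcp", "203.0.113.9", 443, "192.168.1.20", 8080, "A"),
    Packet("in", "tcp", "198.51.100.7", 443, "192.168.1.10", 50000, "RA"),
    # Arrives after the reset, so no session exists any more.
    Packet("in", "tcp", "198.51.100.7", 443, "192.168.1.10", 50000, "A"),
]

def compare(traffic):
    """Return (stateless decision, stateful decision) for every packet."""
    stateful = StatefulFilter()
    return [(stateless_allow(p), stateful.allow(p)) for p in traffic]

if __name__ == "__main__":
    for pkt, decision in zip(TRAFFIC, compare(TRAFFIC)):
        print(pkt.src, pkt.sport, "->", pkt.dst, pkt.dport, pkt.flags, decision)
```

The stateless rules pass all six packets because each one looks like a reply; the stateful filter drops the two that belong to no session it has seen opened from the inside.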

Application layer Firewalls: 
- Firewalls of this type work on the TCP/ IP stack’s application level. 
- All the packets traveling in and out of the application are intercepted by this firewall. 
- This leads to blocking of the other packets also. 
- Firstly, all the packets are inspected for any malicious content to prevent the spread of Trojans and worms.
- The additional inspection criteria might add some extra latency to the packet forwarding.
- This firewall determines whether a given connection should be accepted by a process.
- The firewalls perform this function by hooking themselves into the socket calls to filter the connections.
- These application layer firewalls are then termed socket filters.
- Their way of working is somewhat similar to the packet filters, except that the rules are applied per process rather than per connection.
- Also, the rules are defined using prompts for those processes that have not yet been provided with a connection.
- These firewalls are implemented in combination with the packet filters.




Friday, May 28, 2010

Firewalls: Circuit Level Gateway Firewall

Circuit Relay firewall or Circuit Level Gateway is an approach to configure a firewall that validates connections before allowing data to be exchanged. A circuit relay firewall is a type of security firewall (proxy server) that provides a controlled network connection between internal and external systems (that is, there is no "air gap"). A virtual "circuit" exists between the internal client and the proxy server. Internet requests go through this circuit to the proxy server, and the proxy server delivers those requests to the Internet after changing the IP (Internet Protocol) address.

All traffic is disallowed unless a session is open, and every session of data exchange is validated and monitored. With a circuit level gateway, IP spoofing is much more difficult than with a firewall based only on packet filtering. The Circuit Level Gateway operates at the Transport Layer of the OSI Model. Traffic is filtered based on specified session rules and may be restricted to recognized computers only. Circuit-level firewalls hide the network itself from the outside, which is useful for denying access to intruders. But they don't filter individual packets.
Whether a connection is valid may, for example, be based upon:
- destination IP address and/or port
- source IP address and/or port
- time of day
- protocol
- user
- password

SOCKS is an example of this type of firewall. This type of proxy is not aware of applications; it just cross-links your connection to another, outside connection.


Thursday, May 27, 2010

Firewalls : Network and Application layer firewalls

A firewall is a software program or device that monitors, and sometimes controls, all transmissions between an organization's internal network and the Internet. However large the network, a firewall is typically deployed on the network's edge to prevent inappropriate access to data behind the firewall. The firewall ensures that all communication in both directions conforms to an organization's security policy.

Network layer Firewalls
These generally make their decisions based on the source and destination addresses and ports in individual IP packets. A simple router is the "traditional" network layer firewall, since it is not able to make particularly sophisticated decisions about what a packet is actually talking to or where it actually came from. Network-level firewalls are fast, and today you'll find them built into most network appliances, particularly routers. These firewalls, however, don't support sophisticated rule-based models. They don't understand languages like HTML and XML, and they are not capable of decoding SSL-encrypted packets to examine their content. One important distinction about many network layer firewalls is that they route traffic directly through them, so to use one you either need to have a validly assigned IP address block or to use a "private internet" address block. Network layer firewalls tend to be very fast and tend to be very transparent to users.

Application layer Firewalls


These generally are hosts running proxy servers, which permit no traffic directly between networks, and which perform elaborate logging and auditing of traffic passing through them. They can log user activity too. Application-level filtering may include protection against spam and viruses as well, and be able to block undesirable Web sites based on content rather than just their IP address. The downside to deep packet inspection is that the more closely a firewall examines network data flow, the longer it takes, and the heavier hit your network performance will sustain.


Friday, July 24, 2009

Quick Tech Tip: Types Of Firewalls

There are several classifications of firewalls depending on where the communication is taking place, where the communication is intercepted and the state that is being traced.

1. Packet Filtering Firewall : A packet filtering firewall will examine the information contained in the header of a packet of information which is attempting to pass through the proverbial 'drawbridge into the castle'. It works on the network level of the OSI model. This type of firewall only examines the header information. If data with malicious intent is sent from a trusted source, this type of firewall is no protection. When a packet passes the filtering process, it is passed on to the destination address. If the packet does not pass, it is simply dropped. The OSI model is the best known and most widely used model for describing networking environments.

2. Stateful Packet Inspection : They filter packets at the network level and they recognize and process application-level data, but since they don't employ proxies, they deliver reasonably good performance in spite of the deep packet analysis. On the downside, they are not cheap, and they can be difficult to configure and administer.

3. Application Level Proxy : The slowest and most unwieldy firewall is the application level proxy. This type of firewall works on the application level of the protocol stack, which enables it to perform with more intelligence than a packet filtering or circuit gateway firewall. They determine if a connection to a requested specific application is permitted, such as Internet access or email. This allows the user to determine what applications their computers will be used for. Also known as proxy servers, they not only screen packets and determine what applications are permitted to be accessed but also offer protection from outside sources by hiding internal computers from external viewing.

4. Circuit Gateways : Circuit gateway firewalls work on the transport level of the protocol stack. They are fast and transparent, but really provide no protection from attacks. Circuit gateway firewalls also do not check the data in the packet. The one great benefit to this type of firewall is that they make the LAN behind the firewall invisible, as everything coming from within the firewall appears to have originated from the firewall itself. This is the least used type of firewall.

5. Network-Level Firewalls : The first generation of firewalls (c. 1988) worked at the network level by inspecting packet headers and filtering traffic based on the IP address of the source and the destination, the port and the service. Network-level firewalls are fast, but they do not support sophisticated rule-based models. They don't understand languages like HTML and XML, and they are not capable of decoding SSL-encrypted packets to examine their content. As a result, they can't validate user inputs or detect maliciously modified parameters in a URL request. This leaves your network vulnerable to a number of serious threats.

6. Internet Connection Firewall : Windows XP provides Internet security in the form of the new Internet Connection Firewall (ICF). ICF makes use of active packet filtering, which means the ports on the firewall are opened for as long as needed to enable you to access the services you are interested in.


Introduction to Firewalls

A firewall is a hardware or software system that prevents unauthorized access to or from a network. They can be implemented in both hardware and software, or a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet. All data entering or leaving the Intranet pass through the firewall, which examines each packet and blocks those that do not meet the specified security criteria.

Firewalls can greatly enhance the security of a host or a network. They can be used to do one or more of the following things:
* To protect and insulate the applications, services and machines of your internal network from unwanted traffic coming in from the public Internet.
* To limit or disable access from hosts of the internal network to services of the public Internet.
* To support network address translation (NAT), which allows your internal network to use private IP addresses and share a single connection to the public Internet (either with a single IP address or by a shared pool of automatically assigned public addresses).

Introduction to Firewalls

FIREWALL CONCEPTS
There are two basic ways to create firewall rulesets: “inclusive” or “exclusive”. An exclusive firewall allows all traffic through except for the traffic matching the ruleset. An inclusive firewall does the reverse: it allows only the traffic matching the ruleset and blocks everything else. An inclusive firewall offers much better control of the outgoing traffic, making it a better choice for systems that offer services to the public Internet. It also controls the type of traffic originating from the public Internet that can gain access to your private network. All traffic that does not match the rules is blocked and logged by design.
Inclusive firewalls are generally safer than exclusive firewalls because they significantly reduce the risk of allowing unwanted traffic to pass through them.
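The difference between the two ruleset styles shows up in what happens to traffic nobody wrote a rule for. This added example (not part of the original post) evaluates the same constructed inbound packets against an exclusive and an inclusive ruleset; the rules, addresses and the first-match evaluation order are assumptions chosen for the illustration.

```python
import ipaddress

# Constructed rulesets for one server. A rule matches on source network,
# protocol and destination port; the first matching rule decides.
EXCLUSIVE = {  # default-allow: the rules list what to keep out
    "default": "pass",
    "rules": [("block", "0.0.0.0/0", "tcp", {23, 445})],
}
INCLUSIVE = {  # default-deny: the rules list what to let in
    "default": "block",
    "rules": [
        ("pass", "0.0.0.0/0", "tcp", {80, 443}),
        ("pass", "192.0.2.0/24", "tcp", {22}),  # hypothetical admin network
    ],
}

# Constructed inbound packets: (source address, protocol, destination port).
PACKETS = [
    ("203.0.113.5", "tcp", 443),
    ("192.0.2.10", "tcp", 22),
    ("203.0.113.5", "tcp", 22),
    ("203.0.113.5", "tcp", 23),
    ("203.0.113.5", "udp", 161),
]


def evaluate(ruleset, packets):
    """Return (decisions, fell_through): the action taken per packet, and the
    packets that matched no rule and so received the default action."""
    decisions, fell_through = [], []
    for src, proto, dport in packets:
        action = None
        for rule_action, net, rule_proto, ports in ruleset["rules"]:
            if (ipaddress.ip_address(src) in ipaddress.ip_network(net)
                    and proto == rule_proto and dport in ports):
                action = rule_action
                break
        if action is None:
            action = ruleset["default"]
            fell_through.append((src, proto, dport))
        decisions.append(action)
    return decisions, fell_through


if __name__ == "__main__":
    for name, ruleset in (("exclusive", EXCLUSIVE), ("inclusive", INCLUSIVE)):
        decisions, fell_through = evaluate(ruleset, PACKETS)
        print(name, decisions, "default applied to:", fell_through)
```

With the inclusive ruleset the fall-through list is the log of blocked traffic; with the exclusive ruleset the same list is traffic that was passed without anyone having decided to allow it, here including SSH from outside the admin network and the UDP packet.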

HOW FIREWALLS WORK?
A firewall, working closely with a router program, examines each network packet to determine whether to forward it toward its destination. A firewall also includes or works with a proxy server that makes network requests on behalf of workstation users. A firewall is often installed in a specially designated computer separate from the rest of the network so that no incoming request can get directly at private network resources.
Firewalls use one or more of three methods to control traffic flowing in and out of the network:
* Packet filtering - Packets are analyzed against a set of filters. Packets that make it through the filters are sent to the requesting system and all others are discarded.
* Proxy service - Information from the Internet is retrieved by the firewall and then sent to the requesting system and vice versa.
* Stateful inspection - It compares certain key parts of the packet to a database of trusted information. Information traveling from inside the firewall to the outside is monitored for specific defining characteristics, then incoming information is compared to these characteristics. If the comparison yields a reasonable match, the information is allowed through. Otherwise it is discarded.

