Sunday, December 8, 2013

Some useful stuff on UNIX and Network Security


1) Secure Shell (SSH) is a UNIX-based command interface and protocol for securely accessing a remote computer. It is a suite of three utilities (slogin, ssh, and scp) that are secure versions of the earlier UNIX utilities rlogin, rsh, and rcp. SSH uses RSA public key cryptography for both connection and authentication. Its default encryption algorithm is IDEA (International Data Encryption Algorithm).

2) IDEA encryption algorithm was developed at ETH in Zurich, Switzerland. It uses a block cipher with a 128-bit key, and is considered to be very secure and among the best publicly known algorithms.

3) A spam cocktail (or anti-spam cocktail) is the use of several different technologies in combination to identify and minimize spam. It puts each e-mail message through a series of tests that together produce a numeric score showing how likely the message is to be spam. The scores are combined and the message is assigned a probability rating.

4) Non-repudiation is the assurance that someone cannot deny something. Typically, non-repudiation refers to the ability to ensure that a party to a contract or a communication cannot deny the authenticity of their signature on a document or the sending of a message that they originated.

5) Echelon is an officially unacknowledged U.S.-led global spy network that operates an automated system for the interception and relay of electronic communications. Monitored transmissions are said to include up to 3 billion communications daily, including all the telephone calls, e-mail messages, faxes, satellite transmissions, and Internet downloads of both public and private organizations and citizens worldwide. It is led by the U.S. National Security Agency (NSA).

6) On UNIX systems, Snort is an open source network intrusion detection system (NIDS). Snort is a packet sniffer that monitors network traffic in real time, scrutinizing each packet closely to detect a dangerous payload or suspicious anomalies. Through protocol analysis and content searching and matching, Snort detects attack methods including denial of service, buffer overflow, CGI attacks, stealth port scans, and SMB probes.

7) Server Message Block (SMB) is a network protocol mostly used by Windows-based computers that allows systems within the same network to share files. It allows computers connected to the same network or domain to access files from other local computers as easily as if they were on the computer's local hard drive.

8) Greynet (or graynet) is a term for the use of unauthorized applications on a corporate network. A greynet application is a network-based program that corporate network users download and install without permission from their company's IT department. Such applications introduce security risks, including client code vulnerabilities and new avenues for attack, and can lead to data loss and property or identity theft.

9) Munging is the deliberate alteration of an e-mail address on a Web page to hide the address from spambot programs that scan the Internet for e-mail addresses. Such addresses are easily recognized because they contain the @ symbol. A munged address should still allow a real person reading the content (as opposed to a program scanning it) to easily deduce the true e-mail address.

Here is an example of a munged address: editor at xyz dot com.

10) Traceroute is a utility that records the route (the specific gateway computers at each hop) through the Internet between your computer and a specified destination computer. It also calculates and displays the amount of time each hop took. The utility sends a packet using Internet Control Message Protocol (ICMP) that carries a time limit value (known as the "time to live", or TTL) designed to be exceeded by the first router that receives it; that router returns a Time Exceeded message, which lets traceroute determine the time required for the hop to the first router. Traceroute then increases the time limit value and resends the packet so that it reaches the second router in the path to the destination, which returns another Time Exceeded message, and so forth. Finally, traceroute determines when the packet has reached the destination.

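As an added example (not part of the original post), this Python models the TTL mechanism just described rather than sending real packets, which would need raw sockets and privileges: a constructed path of three routers each decrements the TTL, the router that brings it to zero answers Time Exceeded, and the traceroute loop raises the TTL by one per probe until the destination itself answers. The addresses are documentation ranges chosen for the example.

```python
import time
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Reply:
    source: str   # address of the router (or destination) that answered
    kind: str     # "time_exceeded" or "echo_reply"


# Constructed path from our host to the destination, nearest router first
# (documentation address ranges, not real hosts).
PATH = ["192.0.2.1", "198.51.100.1", "203.0.113.1"]
DESTINATION = "203.0.113.50"


def send_probe(ttl: int, path: List[str], destination: str) -> Reply:
    """Model of what the network does with one probe carrying the given TTL.

    Every router decrements the TTL. The router that decrements it to zero
    discards the probe and answers with ICMP Time Exceeded, so a probe with
    TTL=1 is answered by the first router, TTL=2 by the second, and so on.
    A probe that survives every router reaches the destination, which answers.
    """
    remaining = ttl
    for router in path:
        remaining -= 1
        if remaining == 0:
            return Reply(router, "time_exceeded")
    return Reply(destination, "echo_reply")


def traceroute(path: List[str], destination: str,
               max_hops: int = 30) -> List[Tuple[int, str, float]]:
    """Return (ttl, responder, round-trip ms) per hop until the destination answers."""
    hops = []
    for ttl in range(1, max_hops + 1):
        started = time.perf_counter()
        reply = send_probe(ttl, path, destination)
        rtt_ms = (time.perf_counter() - started) * 1000.0
        hops.append((ttl, reply.source, rtt_ms))
        if reply.kind == "echo_reply":
            break          # destination reached; stop increasing the TTL
    return hops


def responders(hops: List[Tuple[int, str, float]]) -> List[Tuple[int, str]]:
    """Strip timing so the route itself can be compared."""
    return [(ttl, src) for ttl, src, _ in hops]


if __name__ == "__main__":
    for ttl, src, rtt in traceroute(PATH, DESTINATION):
        print(f"{ttl:2d}  {src:16s}  {rtt:.3f} ms")
```

The max_hops bound matters in practice: if a hop silently drops probes or the destination never answers, the loop would otherwise run forever, which is why real traceroute implementations also stop after a fixed hop count.
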
11) An Intrusion Detection System (IDS) is a passive way to monitor a network and its computers. The program keeps watch on all inbound and outbound traffic and looks for attacks, sending an alert when it finds something unusual. It can only act on known intrusion signatures. Intrusion Prevention System (IPS) tools perform active, in-line monitoring and can prevent attacks by known and unknown sources.

12) An IDS is not a substitute for a firewall. A firewall can stop intrusions like an IDS but is not able to monitor activity from inside the network.

13) Honey Pot Systems are decoy servers or systems set up to gather information about an attacker or intruder into your system. They can be set up inside, outside, or in the DMZ of a firewall design, or even in all of these locations.

14) Port Scanning identifies open doors to a computer. There is no way to stop someone from port scanning your computer while you are on the Internet because accessing an Internet server opens a port, which opens a door to your computer. Types of port scans:
Vanilla: the scanner attempts to connect to all 65,535 ports.
Strobe: a more focused scan looking only for known services to exploit.
Fragmented packets: the scanner sends packet fragments that get through simple packet filters in a firewall.
UDP: the scanner looks for open UDP ports.
Sweep: the scanner connects to the same port on more than one machine.
FTP bounce: the scanner goes through an FTP server in order to disguise the source of the scan.
Stealth scan: the scanner blocks the scanned computer from recording the port scan activities.
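Since the post notes a scan cannot be prevented, the defender's lever is detection. As an added example (not from the original post), the Python below runs two simple detectors over a constructed connection-attempt log: a vertical-scan detector (one source touching many distinct ports on one host inside a time window, which catches the vanilla and strobe patterns) and a sweep detector (one source touching the same port on many hosts). The thresholds, the window, and the log records are assumptions chosen for the example.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed connection-attempt records: (timestamp_s, src_ip, dst_ip, dst_port).
# Real input would be firewall or flow logs of SYNs/attempts, not just completed
# connections, since a scan mostly produces attempts that never complete.
LOG: List[Tuple[int, str, str, int]] = (
    # vertical scan: one source walking the well-known ports of one host
    [(100 + i, "198.51.100.7", "192.0.2.10", p)
     for i, p in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 443, 445])]
    # sweep: one source trying port 445 on every host in a subnet
    + [(200 + i, "203.0.113.9", f"192.0.2.{i + 1}", 445) for i in range(6)]
    # benign: a workstation making repeated HTTPS connections to one server
    + [(t, "192.0.2.50", "192.0.2.10", 443) for t in (100, 130, 160)]
)


def detect_vertical_scans(log, port_threshold: int = 8,
                          window: int = 60) -> List[Tuple[str, str, int]]:
    """Alert when one source hits >= port_threshold distinct ports on one host
    within `window` seconds. Returns (src, dst, distinct_port_count)."""
    by_pair: Dict[Tuple[str, str], List[Tuple[int, int]]] = defaultdict(list)
    for ts, src, dst, port in log:
        by_pair[(src, dst)].append((ts, port))
    alerts = []
    for (src, dst), events in by_pair.items():
        events.sort()
        # slide a window starting at each event; first window over threshold alerts
        for i, (t0, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - t0 <= window}
            if len(ports) >= port_threshold:
                alerts.append((src, dst, len(ports)))
                break
    return alerts


def detect_sweeps(log, host_threshold: int = 5,
                  window: int = 60) -> List[Tuple[str, int, int]]:
    """Alert when one source hits the same port on >= host_threshold distinct
    hosts within `window` seconds. Returns (src, port, distinct_host_count)."""
    by_src_port: Dict[Tuple[str, int], List[Tuple[int, str]]] = defaultdict(list)
    for ts, src, dst, port in log:
        by_src_port[(src, port)].append((ts, dst))
    alerts = []
    for (src, port), events in by_src_port.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            hosts = {d for t, d in events[i:] if t - t0 <= window}
            if len(hosts) >= host_threshold:
                alerts.append((src, port, len(hosts)))
                break
    return alerts


if __name__ == "__main__":
    print("vertical scans:", detect_vertical_scans(LOG))
    print("sweeps:        ", detect_sweeps(LOG))
```

The benign workstation never trips either detector because it uses one port against one host, which is the whole point of counting distinct ports and distinct hosts rather than raw connection volume. Slow scans spread over longer than the window, and fragmented or stealth scans that never show up as attempts in the log, are the blind spots of this approach.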

15) Types of firewall techniques:
Packet filter: Looks at each packet entering or leaving the network and accepts or rejects it based on user-defined rules. Packet filtering is fairly effective and transparent to users, but it is difficult to configure. In addition, it is susceptible to IP spoofing.
Application gateway: Applies security mechanisms to specific applications, such as FTP and Telnet servers. This is very effective, but can degrade performance.
Circuit-level gateway: Applies security mechanisms when a TCP or UDP connection is established. Once the connection has been made, packets can flow between the hosts without further checking.
Proxy server: Intercepts all messages entering and leaving the network. The proxy server effectively hides the true network addresses.