
Punit kumar


CHAPTER 1

Introduction to Networking

Introduction to Networking explains computer networking basics in terms that you can easily understand, using concepts common to everyday, non-computing experience. A brief introduction to networking history provides context, explaining how networks have become so important to businesses and individuals. The course emphasizes networking fundamentals, explaining the software and hardware that makes networking possible. The course stresses understanding how and why networks work, rather than focusing on memorization of terms or numbers.

1.1 What Is a Network?

A network consists of two or more computers that are linked in order to share resources (such as printers and CDs), exchange files, or allow electronic communication. The computers on a network may be linked through cables, telephone lines, radio waves, satellites, or infrared light beams.

1.2 Advantages of networking

1. Easy Communication and Speed

It is very easy to communicate through a network. People can communicate efficiently with a group of people using a network, enjoying the benefit of email, instant messaging, telephony, video conferencing, chat rooms, etc.

2. Ability to Share Files, Data and Information

This is one of the major advantages of networking computers. People can find and share information and data because of networking. This is beneficial for large organizations, which can maintain their data in an organized manner and make it accessible to the people who need it.

3. Sharing Hardware

Another important advantage of networking is the ability to share hardware. For example, a printer can be shared among the users of a network so that there is no need for an individual printer at each and every computer in the company. This significantly reduces the cost of purchasing hardware.

4. Sharing Software

Users can share software within the network easily. Networkable versions of software are available at considerable savings compared to individually licensed versions of the same software. Therefore large companies can reduce the cost of buying software by networking their computers.

5. Security

Sensitive files and programs on a network can be protected so that they are accessible only to authenticated, authorized users. Each user is given their own set of privileges (file and directory permissions) that prevents them from accessing restricted files and programs, which is far easier to enforce centrally on a shared server than on many standalone machines. This is an important advantage of networking when there are concerns about security.

6. Speed

Sharing and transferring files within a network is very rapid, depending on the type of network. This saves time while maintaining the integrity of files.

1.3 Disadvantages of networking

1. Breakdowns and Possible Loss of Resources

One major disadvantage of networking is that a fault in a central server can bring down the whole network. Such breakdowns are common enough to cause losses of thousands of dollars each year, so once a network is established it is vital to maintain it properly (including keeping backups of the server's data) to prevent such disastrous breakdowns. The worst case is that a breakdown leads to the loss of important data held on the server.

2. Expensive to Build

Building a network is a serious undertaking on many occasions, especially for large-scale organizations. Cables and other hardware are expensive to buy and replace.

3. Security Threats

Security threats are an ever-present problem with large networks. Connecting machines together means that an attacker who reaches one of them can often reach the rest, and there are attackers who try to steal valuable data from large companies for their own benefit. It is therefore necessary to take the utmost care to put the required security measures in place.

4. Bandwidth Issues

In a network there are users who consume a lot more bandwidth than others, and because of this other people may experience difficulties.

Although there are disadvantages to networking, it is a vital need in today's environment. People need to access the Internet, communicate and share information, and they cannot do without that. Engineers therefore need to find alternatives and improved technologies to overcome the issues associated with networking, and we can say that computer networking is always beneficial to have even if there are some drawbacks.

1.4 Different types of network

LAN (Local Area Network)

A Local Area Network is used primarily in a small area such as a school, hospital or office building, and is one of the older types of network. TCP/IP is the usual method of communication between computers on a LAN. Due to its small size, it is possible for one person to administer a Local Area Network. Early LANs used a shared bus topology (all stations on one coaxial cable); modern LANs are built from switched Ethernet in a star topology, which makes them easy to change and extend.

WLAN (Wireless Local Area Network)

Wireless Local Area Networks are much like LANs, except that they do not require network cables to connect the machines to each other. Radio and infrared signals are used to communicate between machines on a wireless local area network. WLANs allow a modest amount of mobility whilst remaining connected to the Internet, and work according to the IEEE 802.11 standards; the Wi-Fi connection most people use is a WLAN. Wireless LAN connections offer a surprising amount of mobility for users with laptops and smart phones while they stay connected to the Internet. Because every radio frame can be received by anyone within range, a WLAN must encrypt and authenticate the link itself (WPA2 or WPA3 in current 802.11 deployments) if it is to offer the same confidentiality as a cabled LAN.

WAN (Wide Area Network)

Wide Area Networks are used to connect servers and computers across countries or continents for constant information updates. WANs are used across the globe; many networks connect with one another across continents to create one giant Wide Area Network. WANs typically use leased lines, optical fibre or satellite links as their communication medium. The largest example of a Wide Area Network is the Internet itself, which connects all users to the information and data that is available on it.

MAN (Metropolitan Area Network)

Metropolitan Area Networks are not commonly deployed these days; they are used to create communication between systems across an entire city. Hence a Metropolitan Area Network falls between a Local Area Network and a Wide Area Network in size. MANs are used by city-specific businesses such as the New York Times in the state of New York.

1.5 Network Address

A network address is an identifier for a node or network interface of a telecommunications network. Network addresses are often designed to be unique across the network, although some networks allow for relative or local addresses that may not be unique. More than one type of network address may be used in any one network. In some cases terminal nodes may have more than one network address; for example, each link interface may be uniquely identified. In addition, because protocols are layered, more than one protocol's network address can belong to any particular network interface or node (an Ethernet interface has a MAC address at layer 2 and an IP address at layer 3, for instance).

1.6 Classes

IPv4 addresses were originally divided into the following classes, distinguished by the value of the first octet:

I. Class A (first octet 0-127): Network.Host.Host.Host
II. Class B (first octet 128-191): Network.Network.Host.Host
III. Class C (first octet 192-223): Network.Network.Network.Host
IV. Class D (first octet 224-239): Multicast
V. Class E (first octet 240-255): Reserved for research

The class of an address therefore told a router how many leading octets identified the network and how many identified the host. Classful addressing has been superseded by the prefix-length (CIDR) notation used in the subnetting examples that follow, in which the network/host boundary can fall at any bit rather than only on an octet boundary.

1.7 Subnetting

The steps to identify the Network and Broadcast Address of a subnet

1. Convert the IP address and the netmask to binary. The netmask is obtained from the CIDR prefix length: /n is written as n one-bits followed by (32 - n) zero-bits. Each decimal octet becomes eight binary digits.

2. Apply a bitwise AND to the IP address and the netmask (IP & Netmask). The result is the Network Address (Network ID). A simple example of the bitwise AND in binary:

IP Address: 192.168.1.15
CIDR: /24 (Netmask: 255.255.255.0)
Binary IP Address: 11000000.10101000.00000001.00001111
Binary Netmask:    11111111.11111111.11111111.00000000

Using the bitwise AND (&) operator, compare each bit of the binary IP address with the corresponding bit of the binary netmask; a result bit is 1 only where both inputs are 1. The result is the Network Address of the IP address we are using:

Binary IP:      11000000.10101000.00000001.00001111
Binary Netmask: 11111111.11111111.11111111.00000000
Binary Network: 11000000.10101000.00000001.00000000

The resultant Network Address is 11000000.10101000.00000001.00000000. Converting this back to dotted-decimal gives 192.168.1.0. This is our Network Address. Therefore, 192.168.1.15 belongs to the 192.168.1.0/24 network.

3. To get the Broadcast Address we need the binary inversion of the netmask (the "wildcard" or host mask). The inversion of 11111111.11111111.11111111.00000000 is 00000000.00000000.00000000.11111111.

4. Apply a bitwise OR to the binary Network Address and the inverted netmask to get the Broadcast Address (a result bit is 1 where either input is 1):

Binary Network Address:   11000000.10101000.00000001.00000000
Inverted Binary Netmask:  00000000.00000000.00000000.11111111
Binary Broadcast Address: 11000000.10101000.00000001.11111111

Converting 11000000.10101000.00000001.11111111 to dotted-decimal gives 192.168.1.255. The Broadcast Address for the 192.168.1.0/24 subnet is 192.168.1.255. The usable host addresses lie strictly between the two: 192.168.1.1 through 192.168.1.254.

Now that you have your feet wet, let's try a few more. Identify the Network and Broadcast Addresses for each of the following examples:

1. 10.10.1.97/23
2. 192.168.0.3/25
3. 172.16.5.34/26
4. 192.168.11.17/28

Example one: Convert 10.10.1.97/23 to binary.

IP Address: 00001010.00001010.00000001.01100001
Netmask:    11111111.11111111.11111110.00000000

Use the bitwise AND operator (IP & Netmask):

IP Address:      00001010.00001010.00000001.01100001
Netmask:         11111111.11111111.11111110.00000000
Network Address: 00001010.00001010.00000000.00000000

Network Address: 10.10.0.0

Binary inversion of the netmask:

Binary Netmask:          11111111.11111111.11111110.00000000
Inverted Binary Netmask: 00000000.00000000.00000001.11111111

Use the bitwise OR operator to get the Broadcast Address:

Binary Network:          00001010.00001010.00000000.00000000
Inverted Binary Netmask: 00000000.00000000.00000001.11111111
Binary Broadcast:        00001010.00001010.00000001.11111111

Broadcast Address: 10.10.1.255

IP address 10.10.1.97/23 belongs to the 10.10.0.0/23 network. The Network Address is 10.10.0.0 and the Broadcast Address is 10.10.1.255. Note that the /23 boundary falls inside the third octet, so the subnet spans 10.10.0.0 through 10.10.1.255.

Example two: Convert 192.168.0.3/25 to binary.

IP Address: 11000000.10101000.00000000.00000011
Netmask:    11111111.11111111.11111111.10000000

Use the bitwise AND operator (IP & Netmask):

IP:      11000000.10101000.00000000.00000011
Netmask: 11111111.11111111.11111111.10000000
Network: 11000000.10101000.00000000.00000000

Network Address: 192.168.0.0

Binary inversion of the netmask:

Binary Netmask:          11111111.11111111.11111111.10000000
Inverted Binary Netmask: 00000000.00000000.00000000.01111111

Use the bitwise OR operator to get the Broadcast Address:

Binary Network:          11000000.10101000.00000000.00000000
Inverted Binary Netmask: 00000000.00000000.00000000.01111111
Binary Broadcast:        11000000.10101000.00000000.01111111

Broadcast Address: 192.168.0.127

IP address 192.168.0.3/25 belongs to the 192.168.0.0/25 network. The Network Address is 192.168.0.0 and the Broadcast Address is 192.168.0.127. The other half of 192.168.0.0/24, namely 192.168.0.128/25, is a separate subnet with its own broadcast address, 192.168.0.255.

Example three: Convert 172.16.5.34/26 to binary.

IP Address: 10101100.00010000.00000101.00100010
Netmask:    11111111.11111111.11111111.11000000

Use the bitwise AND operator (IP & Netmask):

IP:      10101100.00010000.00000101.00100010
Netmask: 11111111.11111111.11111111.11000000
Network: 10101100.00010000.00000101.00000000

Network Address: 172.16.5.0

Binary inversion of the netmask:

Binary Netmask:          11111111.11111111.11111111.11000000
Inverted Binary Netmask: 00000000.00000000.00000000.00111111

Use the bitwise OR operator to get the Broadcast Address:

Binary Network:          10101100.00010000.00000101.00000000
Inverted Binary Netmask: 00000000.00000000.00000000.00111111
Binary Broadcast:        10101100.00010000.00000101.00111111

Broadcast Address: 172.16.5.63

IP address 172.16.5.34/26 belongs to the 172.16.5.0/26 network. The Network Address is 172.16.5.0 and the Broadcast Address is 172.16.5.63.

Example four: Convert 192.168.11.17/28 to binary.

IP Address: 11000000.10101000.00001011.00010001
Netmask:    11111111.11111111.11111111.11110000

Use the bitwise AND operator (IP & Netmask):

IP:      11000000.10101000.00001011.00010001
Netmask: 11111111.11111111.11111111.11110000
Network: 11000000.10101000.00001011.00010000

Network Address: 192.168.11.16

Binary inversion of the netmask:

Binary Netmask:          11111111.11111111.11111111.11110000
Inverted Binary Netmask: 00000000.00000000.00000000.00001111

Use the bitwise OR operator to get the Broadcast Address:

Binary Network:          11000000.10101000.00001011.00010000
Inverted Binary Netmask: 00000000.00000000.00000000.00001111
Binary Broadcast:        11000000.10101000.00001011.00011111

Broadcast Address: 192.168.11.31

IP address 192.168.11.17/28 belongs to the 192.168.11.16/28 network. The Network Address is 192.168.11.16 and the Broadcast Address is 192.168.11.31.
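As an added example (not part of the original notes), the procedure above written as integer bit operations in Python, run over the four exercises and cross-checked against the standard library's ipaddress module. The /31 case is an assumption added here to show where the "usable hosts" rule changes; everything else follows the AND/OR steps exactly as described.

```python
# Added example (not from the original document): the AND/OR subnet
# arithmetic from section 1.7, written as plain integer bit operations on
# IPv4 addresses, then cross-checked against Python's ipaddress module.
import ipaddress


def ip_to_int(dotted: str) -> int:
    """Convert dotted-decimal IPv4 ('192.168.1.15') to a 32-bit integer."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a valid IPv4 address: {dotted!r}")
    value = 0
    for o in octets:
        value = (value << 8) | o
    return value


def int_to_ip(value: int) -> str:
    """Inverse of ip_to_int."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_binary(value: int) -> str:
    """Render a 32-bit integer as four dotted 8-bit groups, as in the text."""
    return ".".join(f"{(value >> shift) & 0xFF:08b}" for shift in (24, 16, 8, 0))


def netmask_from_prefix(prefix_len: int) -> int:
    """/n is n one-bits followed by (32 - n) zero-bits."""
    if not 0 <= prefix_len <= 32:
        raise ValueError(f"prefix length out of range: {prefix_len}")
    return (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF


def subnet_info(cidr: str) -> dict:
    """Network, broadcast and usable range for 'a.b.c.d/n'.

    Implements exactly the procedure in the text:
      network   = ip & netmask
      broadcast = network | ~netmask
    """
    addr_str, prefix_str = cidr.split("/")
    addr = ip_to_int(addr_str)
    prefix_len = int(prefix_str)
    mask = netmask_from_prefix(prefix_len)
    wildcard = ~mask & 0xFFFFFFFF        # binary inversion of the netmask
    network = addr & mask                 # step 2: bitwise AND
    broadcast = network | wildcard        # step 4: bitwise OR
    # Assumption added here: /31 and /32 have no separate network/broadcast
    # addresses (point-to-point links, RFC 3021); for ordinary prefixes the
    # usable hosts lie strictly between the two.
    if prefix_len >= 31:
        first_host, last_host = network, broadcast
        usable = 2 ** (32 - prefix_len)
    else:
        first_host, last_host = network + 1, broadcast - 1
        usable = 2 ** (32 - prefix_len) - 2
    return {
        "network": int_to_ip(network),
        "broadcast": int_to_ip(broadcast),
        "netmask": int_to_ip(mask),
        "first_host": int_to_ip(first_host),
        "last_host": int_to_ip(last_host),
        "usable_hosts": usable,
        "binary_network": to_binary(network),
        "binary_broadcast": to_binary(broadcast),
    }


def in_subnet(ip: str, cidr: str) -> bool:
    """True if ip falls inside cidr: (ip & mask) == network."""
    net_str, prefix_str = cidr.split("/")
    mask = netmask_from_prefix(int(prefix_str))
    return (ip_to_int(ip) & mask) == (ip_to_int(net_str) & mask)


def check_against_stdlib(cidr: str) -> bool:
    """Cross-check our arithmetic with ipaddress (strict=False allows host bits)."""
    ours = subnet_info(cidr)
    ref = ipaddress.ip_network(cidr, strict=False)
    return (ours["network"], ours["broadcast"]) == (
        str(ref.network_address), str(ref.broadcast_address))


if __name__ == "__main__":
    # The worked example and the four exercises from the text, plus a /31 link.
    for example in ("192.168.1.15/24", "10.10.1.97/23", "192.168.0.3/25",
                    "172.16.5.34/26", "192.168.11.17/28", "10.0.0.1/31"):
        info = subnet_info(example)
        print(f"{example:18} network {info['network']:16} broadcast "
              f"{info['broadcast']:16} usable {info['usable_hosts']:>4}  "
              f"stdlib-agrees={check_against_stdlib(example)}")
```

The in_subnet test is the same comparison a firewall rule or an access-control list performs when it decides whether an address is "inside" a permitted range, so getting the mask arithmetic right matters beyond the exercise.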

1.8 Hierarchical IP Addressing Scheme

With more than four billion potential 32-bit IP addresses, Internet routers could not feasibly maintain table entries for each one. Even a single byte per address would consume 4GB. Yet paradoxically, routers must be capable of delivering data to any of those addresses. Their routing tables must, at the least, be able to indicate the next step in the delivery process for each address.

The solution to this dilemma is to design the tables so that one entry can match multiple addresses. The most common way to achieve this is to assign addresses in a hierarchical fashion, so that addresses physically close together share a common address prefix.

Hierarchical addressing schemes are not unique to Internet IP addresses. Both the telephone company and the postal service use hierarchical schemes to manage large numbers of addresses.

A telephone switch in California isn't configured with the location of every telephone in Virginia. Instead, the switch in California knows only that all telephone numbers beginning with area code 703 should be sent to Virginia. The Virginia switches know that numbers beginning with 703 555 all originate from a given switch. That particular telephone switch is configured with the precise line to use for 703 555-1212.

Likewise, a postman in Los Angeles doesn't need to know the location of every zip code in the country. Any zip code beginning with 2 is somewhere on the other side of the country. The L.A. postman only needs to know the exact locations of zip codes beginning with 902, his particular postal region.

What is unique about IP addresses is their use of a binary, rather than a decimal, hierarchy. This should not come as much of a surprise, but it re-emphasizes the need for a good grasp of binary numbering.

Like zip codes and telephone numbers, IP addresses are assigned in a hierarchical fashion. Unlike zip codes and telephone numbers, IP addresses are designed to be interpreted by computers, which operate on a binary numbering system, so IP addresses are organized into a binary hierarchy.

Therefore, to understand IP addressing, it is necessary to convert IP addresses into binary, as in this example with the address 128.8.74.1. Each of the four components in the dotted-decimal IP address is converted into eight binary bits: 128.8.74.1 becomes 10000000 00001000 01001010 00000001.

The first sixteen bits, corresponding to the 128.8 portion of the address, are a unique prefix identifying the University of Maryland. A router outside of the University would require only a single routing table entry, indicating that any address beginning with the sixteen bits 10000000 00001000 (in decimal, 128.8) should be sent towards UMD.

Having reached the University of Maryland, a further routing decision must be made, using some or all of the remaining bits. In this case, a routing table entry matches the first twenty four bits 10000000 00001000 01001010 (128.8.74 decimal) and directs the packet towards Worchester Hall.

The router at Worchester Hall discovers that one of its Ethernet interfaces (for example), is configured to match the twenty four bit prefix 10000000 00001000 01001010. At this point, the layer three routing process is complete, since the packet is now in the hands of a router with an interface configured to match the destination address. The final destination should be directly reachable via that interface, so the router relies on a layer two protocol such as ARP to resolve the IP address into an Ethernet address and complete delivery.

IP address prefixes are patterns which match the first n binary bits of an IP address.

The standard syntax is to write the prefix bits that must match in dotted-quad format, followed by a slash and then the number of bits in the prefix. Any trailing bits not part of the prefix are written as zero. If an entire trailing byte is zero, it can be written explicitly, as in 128.8.0.0/16, or omitted, as in 128.8/16. Since only the first sixteen bits are significant (in this example), it would be meaningless to specify the remaining sixteen bits, so there is no ambiguity in omitting them. Be aware, though, that most configuration parsers and libraries accept only the full four-octet form, so 128.8/16 should be expanded to 128.8.0.0/16 before it is fed to a tool.

128.8/16 means to match 10000000 00001000 as the first sixteen bits, and would match 128.8.74.1, 128.8.8.8, and 128.8.0.0, but not 128.9.7.3


10/10 means to match 00001010 00 as the first ten bits, and would match 10.41.173.13, 10.10.10.10 and 10.13.94.1, but not 10.128.7.1 (pay attention to the second number).

208.130.28/24 means to match 11010000 10000010 00011100 as the first twenty four bits, and would match 208.130.28.1, 208.130.28.255, and everything in between.
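An added example, not from the original notes: the hierarchical lookup this section describes, as a small longest-prefix-match routing table in Python. The next-hop labels ("towards UMD", "Worchester Hall router", "default gateway") are placeholders chosen to mirror the narrative, not real routing data, and the parser accepts the abbreviated 128.8/16 form the text uses, which most real tools do not.

```python
# Added example, not from the original notes: the hierarchical lookup of
# section 1.8 as a longest-prefix-match routing table.  Next-hop labels are
# placeholders that mirror the UMD story in the text, not real routing data.
from typing import List, Optional, Tuple


def mask_for(n: int) -> int:
    """n one-bits followed by (32 - n) zero-bits."""
    return (0xFFFFFFFF << (32 - n)) & 0xFFFFFFFF


def parse_prefix(prefix: str) -> Tuple[int, int]:
    """Parse 'a.b.c.d/n', or the abbreviated 'a.b/n' used in the text, to (network, n).

    Missing trailing octets are zero (128.8/16 == 128.8.0.0/16).  Most tools
    reject the short form, which is why it is normalised here.  Any host bits
    the writer left set are cleared so the result is a proper network number.
    """
    dotted, _, length = prefix.partition("/")
    octets = dotted.split(".")
    if not 1 <= len(octets) <= 4:
        raise ValueError(f"bad prefix {prefix!r}")
    octets += ["0"] * (4 - len(octets))
    n = int(length) if length else 32
    if not 0 <= n <= 32:
        raise ValueError(f"bad prefix length in {prefix!r}")
    value = 0
    for octet in octets:
        o = int(octet)
        if not 0 <= o <= 255:
            raise ValueError(f"bad octet in {prefix!r}")
        value = (value << 8) | o
    return value & mask_for(n), n


def ip_to_int(dotted: str) -> int:
    return parse_prefix(dotted + "/32")[0]


def matches(prefix: str, ip: str) -> bool:
    """The text's definition: the first n bits of ip equal the prefix."""
    network, n = parse_prefix(prefix)
    return (ip_to_int(ip) & mask_for(n)) == network


class RoutingTable:
    """Minimal forwarding table: the most specific (longest) matching prefix wins."""

    def __init__(self) -> None:
        self._routes: List[Tuple[int, int, str]] = []   # (network, length, next_hop)

    def add(self, prefix: str, next_hop: str) -> None:
        network, n = parse_prefix(prefix)
        self._routes.append((network, n, next_hop))
        # Longest prefix first, so the first hit in lookup() is the best route.
        self._routes.sort(key=lambda route: route[1], reverse=True)

    def lookup(self, ip: str) -> Optional[str]:
        addr = ip_to_int(ip)
        for network, n, next_hop in self._routes:
            if (addr & mask_for(n)) == network:
                return next_hop
        return None   # no matching route, not even a default


def build_example_table() -> RoutingTable:
    """The routing decisions narrated in the text, as table entries (labels illustrative)."""
    table = RoutingTable()
    table.add("0.0.0.0/0", "default gateway")             # length 0 matches everything
    table.add("128.8/16", "towards UMD")                   # abbreviated form from the text
    table.add("128.8.74.0/24", "Worchester Hall router")   # more specific: wins for 128.8.74.x
    table.add("10/10", "10.0.0.0-10.63.255.255 block")
    return table


if __name__ == "__main__":
    table = build_example_table()
    for ip in ("128.8.74.1", "128.8.8.8", "128.9.7.3", "10.41.173.13", "10.128.7.1"):
        print(f"{ip:14} -> {table.lookup(ip)}")
```

A real router keeps the table in a trie rather than a sorted list, but the rule is the same: among all entries whose leading bits match, the longest wins, which is what lets a single /16 entry outside the university coexist with the /24 entry inside it.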

1.9 Types of IP Address

An Internet Protocol address (also known as an IP address) is a numerical label assigned to each device (e.g., computer, printer) participating in a computer network that uses the Internet Protocol for communication. An IP address serves two principal functions: host or network interface identification and location addressing. Its role has been characterized as follows: "A name indicates what we seek. An address indicates where it is. A route indicates how to get there." Two versions are in use: IPv4, whose 32-bit addresses are written in the dotted-decimal form used throughout this chapter, and IPv6, whose addresses are 128 bits long and written in hexadecimal.

1.10 The ISO/OSI Reference Model

The Open Systems Interconnection model (OSI) is a conceptual model that characterizes and standardizes the internal functions of a communication system by partitioning it into abstraction layers. The model is a product of the Open Systems Interconnection project at the International Organization for Standardization (ISO), and is maintained under the identifier ISO/IEC 7498-1.


The model groups communication functions into seven logical layers. A layer serves the layer above it and is served by the layer below it. For example, a layer that provides error-free communications across a network provides the path needed by applications above it, while it calls the next lower layer to send and receive packets that make up the contents of that path. Two instances at one layer are connected by a horizontal connection on that layer.

Physical (Layer 1)

This layer is the hardware means of sending and receiving data on a carrier, including the definition of cables, cards and other physical aspects. Fast Ethernet, RS-232 and ATM are protocols with physical layer components. This layer conveys the bit stream (electrical impulses, light or radio signals) through the network at the electrical and mechanical level.

Data Link (Layer 2)

At this layer, data packets are encoded into frames and decoded from bits. It furnishes transmission protocol knowledge and management, and handles errors in the physical layer, flow control and frame synchronization. The data link layer is divided into two sub-layers: the Media Access Control (MAC) layer and the Logical Link Control (LLC) layer. The MAC sub-layer controls how a computer on the network gains access to the medium and permission to transmit on it. The LLC sub-layer controls frame synchronization, flow control and error checking.

Network (Layer 3)

This layer provides switching and routing technologies, creating logical paths for transmitting data from node to node. Routing and forwarding are functions of this layer, as well as addressing, internetworking, error handling, congestion control and packet sequencing.

Transport (Layer 4)

This layer provides transparent transfer of data between end systems, or hosts, and is responsible for end-to-end error recovery and flow control. It ensures complete data transfer.

Session (Layer 5)

This layer establishes, manages and terminates connections between applications. The session layer sets up, coordinates and terminates conversations, exchanges and dialogues between the applications at each end. It deals with session and connection coordination.

Presentation (Layer 6)

This layer provides independence from differences in data representation (e.g., encryption) by translating from application to network format, and vice versa. The presentation layer works to transform data into the form that the application layer can accept. This layer formats and encrypts data to be sent across a network, providing freedom from compatibility problems. It is sometimes called the syntax layer.

Application (Layer 7)

This layer supports application and end-user processes. Communication partners are identified, quality of service is identified, user authentication and privacy are considered, and any constraints on data syntax are identified. Everything at this layer is application-specific. This layer provides application services for file transfers, e-mail and other network software services. Telnet and FTP are applications that exist entirely at the application level; note that both send user names and passwords in cleartext, so on any network where sniffing is possible (see Chapter 2) they should give way to encrypted equivalents such as SSH and SFTP. Tiered application architectures are part of this layer.

1.11 The Internet

The Internet is a global system of interconnected computer networks that use the standard Internet protocol suite (TCP/IP) to link several billion devices worldwide. It is a network of networks that consists of millions of private, public, academic, business and government networks, of local to global scope, linked by a broad array of electronic, wireless and optical networking technologies. The Internet carries an extensive range of information resources and services, such as the inter-linked hypertext documents and applications of the World Wide Web (WWW), the infrastructure to support email, and peer-to-peer networks for file sharing and telephony.


Protocols

The standards for the architectural design of the Internet's systems are produced by the Internet Engineering Task Force (IETF). The IETF conducts working groups, open to any individual, on the various aspects of Internet architecture. The resulting discussions and standards are published in a series of documents, each called a Request for Comments (RFC), freely available on the IETF web site. The principal methods of networking that enable the Internet are contained in specially designated RFCs that constitute the Internet Standards. Other, less rigorous documents are simply informational, experimental or historical, or document the best current practices (BCP) for implementing Internet technologies.

The Internet standards describe a framework known as the Internet protocol suite. This is a model architecture that divides methods into a layered system of protocols, originally documented in RFC 1122 and RFC 1123. The layers correspond to the environment or scope in which their services operate. At the top is the application layer, the space for the application-specific networking methods used in software applications. For example, a web browser uses the client-server application model and a specific protocol of interaction between servers and clients, while many file-sharing systems use a peer-to-peer paradigm. Below this top layer, the transport layer connects applications on different hosts with a logical channel through the network, with appropriate data exchange methods.

1.12 Network design

The network planning process involves three main steps:

Topological design: This stage involves determining where to place the components and how to connect them. The (topological) optimisation methods that can be used in this stage come from an area of mathematics called graph theory. These methods involve determining the costs of transmission and the cost of switching, and thereby determining the optimum connection matrix and location of switches and concentrators.

Network synthesis: This stage involves determining the size of the components used, subject to performance criteria such as the Grade of Service (GoS). The method used is known as "nonlinear optimisation", and involves determining the topology, required GoS, cost of transmission, etc., and using this information to calculate a routing plan and the size of the components.

Network realization: This stage involves determining how to meet capacity requirements and ensure reliability within the network. The method used is known as "multicommodity flow optimisation", and involves determining all information relating to demand, costs and reliability, and then using this information to calculate an actual physical circuit plan.

1.13 Some used equipment in networking

Ethernet cables

An Ethernet cable is one of the most popular forms of network cable used on wired networks. Ethernet cables connect devices on local area networks such as PCs, routers and switches.

Types of Ethernet Cables

Ethernet cables normally support one or more industry standards, including Category 5 (CAT5) and Category 6 (CAT6). A crossover cable is a special type of Ethernet cable designed for connecting two computers directly to each other; by contrast, most Ethernet cables are designed to connect a computer to a router or switch. Ethernet cables are physically manufactured in two basic forms, solid and stranded. Solid Ethernet cables tend to offer better performance and protection against electrical interference, while stranded cables are less prone to physical cracks and breaks, making them more suitable for travellers and portable devices.


Limitations of Ethernet Cables

A single Ethernet cable, like an electric power cord, can extend only a limited distance because of its electrical transmission characteristics (about 100 metres for twisted-pair Ethernet; see Ethernet extender below).

Alternatives to Ethernet Cables for Computer Networking

Wireless technologies like Wi-Fi and Bluetooth have replaced Ethernet on many home and business networks.

Hub

An Ethernet hub (also active hub, network hub, repeater hub or multiport repeater) is a device for connecting multiple Ethernet devices together and making them act as a single network segment. It has multiple input/output (I/O) ports, and a signal introduced at the input of any port appears at the output of every port except the one it came in on. A hub works at the physical layer (layer 1) of the OSI model. Repeater hubs also participate in collision detection, forwarding a jam signal to all ports if they detect a collision. Some hubs come with a BNC and/or Attachment Unit Interface (AUI) connector to allow connection to legacy 10BASE2 or 10BASE5 network segments. Because a hub repeats every frame to every port, any host attached to it can read all traffic on the segment, which is why hubs are a sniffer's best friend (see Chapter 2). The availability of low-priced network switches has largely rendered hubs obsolete, but they are still seen in older installations and in specialised applications.

Ethernet extender

An Ethernet extender (also network extender or LAN extender) is any device used to extend an Ethernet or network segment beyond its inherent distance limitation, which is approximately 100 metres (330 ft) for the most common forms of twisted-pair Ethernet. These devices employ a variety of transmission technologies and physical media (wireless, copper wire, fibre-optic cable, coaxial cable). The extender forwards traffic between LANs transparently to the higher network-layer protocols, over distances that far exceed the limitations of standard Ethernet.

Switch

A network switch (sometimes known as a switching hub) is a computer networking device that is used to connect devices together on a computer network by performing a form of packet switching. A switch is considered more advanced than a hub because it sends a frame only to the port where the destination device is attached (it learns which MAC address sits behind which port), rather than broadcasting the same frame out of every port; this also means that, unlike on a hub, a host on a switched network does not normally see other hosts' unicast traffic. A switch is a multi-port network bridge that processes and forwards data at the data link layer (layer 2) of the OSI model. Some switches have additional features, including the ability to route packets; these are commonly known as layer-3 or multilayer switches. Switches exist for various types of networks including Fibre Channel, Asynchronous Transfer Mode, InfiniBand, Ethernet and others. The first Ethernet switch was introduced by Kalpana in 1990.

Router

A router is a device that forwards data packets between computer networks. This creates an overlay internetwork, as a router is connected to two or more data lines from different networks. When a data packet comes in on one of the lines, the router reads the address information in the packet to determine its ultimate destination. Then, using information in its routing table or routing policy, it directs the packet to the next network on its journey. Routers perform the "traffic directing" functions on the Internet. A data packet is typically forwarded from one router to another through the networks that constitute the internetwork until it reaches its destination node.

The most familiar type of router is the home or small office router that simply passes data, such as web pages, email, IM and video, between the home computers and the Internet. An example would be the owner's cable or DSL router, which connects to the Internet through an ISP. More sophisticated routers, such as enterprise routers, connect large business or ISP networks up to the powerful core routers that forward data at high speed along the optical fibre lines of the Internet backbone. Though routers are typically dedicated hardware devices, the use of software-based routers has grown increasingly common.

Chapter 2

Network Security & Security Devices

Network security consists of the provisions and policies adopted by a network administrator to prevent and monitor unauthorized access, misuse, modification or denial of a computer network and network-accessible resources. Network security involves the authorization of access to data in a network, which is controlled by the network administrator. Users choose or are assigned an ID and password, or other authenticating information, that allows them access to the information and programs within their authority. Network security covers a variety of computer networks, both public and private, that are used in everyday jobs conducting transactions and communications among businesses, government agencies and individuals. Networks can be private, such as within a company, or open to public access. Network security is involved in organizations, enterprises and other types of institution. It does as its title says: it secures the network, and protects and oversees the operations being carried out on it. The most common and simple way of protecting a network resource is by assigning it a unique name and a corresponding password; authentication of this kind only holds up, however, if the password cannot be read off the wire or guessed, which is why the threats in the next section matter.


2.1 Types and sources of network threat

This chapter covers seven common types of network attack:
1. Spoofing
2. Sniffing
3. Mapping
4. Hijacking
5. Trojans
6. DoS and DDoS
7. Social engineering

1. Spoofing (Identity spoofing or IP Address Spoofing)

Any internet-connected device sends IP datagrams into the network. These packets carry the sender's IP address in the header as well as application-layer data. Anyone who controls the networking software on a host, whether an attacker who has compromised a network device or simply an attacker with raw-socket access on their own machine, can place an arbitrary IP address in the packet's source address field. This is known as IP spoofing, and it makes any payload appear to come from any source. With a spoofed source IP address on a datagram it is difficult to find the host that actually sent it. Because replies go to the spoofed address rather than to the attacker, spoofing is mostly used where no reply is needed (UDP and ICMP floods, reflection attacks, SYN floods) or in combination with hijacking. The standard countermeasure is ingress filtering at network borders (BCP 38): a router drops packets whose source address could not legitimately have arrived on that interface.
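The ingress filter described above, written out as an added example that is not part of the original report. The interface names, the prefixes assigned to them and the sample packets are assumptions constructed for the example; the bogon list is the usual RFC 1918 private space plus loopback, link-local and "this network".

```python
import ipaddress

# Assumed topology for this example: which source prefixes are legitimate on each
# internal interface, and the name of the Internet-facing interface.
INTERFACE_PREFIXES = {
    "lan0": ["192.168.10.0/24"],   # internal LAN
    "dmz0": ["203.0.113.0/24"],    # hosts we announce to the Internet
}
INTERNET_IFACE = "wan0"

# Source addresses that must never arrive from the Internet.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
)]


def ingress_verdict(iface, src):
    """Return ('accept'|'drop', reason) for a packet with source `src` arriving on `iface`.

    Internal interface: the source must belong to a prefix assigned to that interface
    (BCP 38). Internet interface: the source must not be one of our own prefixes
    (an outsider claiming to be inside) and must not be bogon space.
    """
    addr = ipaddress.ip_address(src)
    if iface in INTERFACE_PREFIXES:
        for prefix in INTERFACE_PREFIXES[iface]:
            if addr in ipaddress.ip_network(prefix):
                return "accept", f"{src} is inside {prefix} on {iface}"
        return "drop", f"{src} is not a valid source for {iface}"
    if iface == INTERNET_IFACE:
        for prefixes in INTERFACE_PREFIXES.values():
            for prefix in prefixes:
                if addr in ipaddress.ip_network(prefix):
                    return "drop", f"{src} claims internal prefix {prefix} from the Internet"
        for bogon in BOGON_PREFIXES:
            if addr in bogon:
                return "drop", f"{src} is bogon space {bogon}"
        return "accept", f"{src} is a plausible Internet source"
    return "drop", f"unknown interface {iface}"


def filter_packets(packets):
    """packets: iterable of (iface, src, dst). Returns [(iface, src, verdict, reason)]."""
    return [(iface, src) + ingress_verdict(iface, src) for iface, src, _dst in packets]


if __name__ == "__main__":
    # Constructed sample packets, not captured traffic.
    sample = [
        ("lan0", "192.168.10.25", "198.51.100.7"),  # legitimate LAN host
        ("lan0", "198.51.100.7", "203.0.113.9"),    # LAN host spoofing an outside address
        ("wan0", "192.168.10.25", "203.0.113.9"),   # outsider spoofing our LAN
        ("wan0", "10.1.2.3", "203.0.113.9"),        # bogon source from the Internet
        ("wan0", "198.51.100.7", "203.0.113.9"),    # ordinary Internet traffic
    ]
    for row in filter_packets(sample):
        print(row)
```

The same two rules are what an "anti-spoofing" ACL or unicast reverse-path forwarding check enforces on a real router; the point of the example is that the filter works only at the border where the legitimate prefixes of each interface are known, so it protects the rest of the Internet from your spoofed packets and has to be deployed by everyone to protect you.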

2. Sniffing


Packet sniffing is the interception of data packets traversing a network. A sniffer program works at the Ethernet (data link) layer, in combination with the network interface card (NIC), to capture traffic travelling to and from a host. If the NIC is placed in promiscuous mode, the sniffer picks up every frame that reaches the interface, not only those addressed to the host. A sniffer placed on a backbone device, inter-network link or network aggregation point can therefore monitor a large share of the traffic. Most packet sniffers are passive: they listen to all data link layer frames passing the device's network interface. Dozens of packet sniffer programs are freely available on the internet, and the more sophisticated ones also allow active intrusion. On a switched network a sniffer only sees the traffic for its own port unless it is attached to a mirror (SPAN) port or actively redirects traffic, for example by ARP spoofing.

The key to detecting packet sniffing is to detect network interfaces that are running in promiscuous mode. Sniffing can be detected in two ways:

Host-based: commands run on the individual host (for example "ip link show" on Linux, which lists PROMISC among the interface flags) tell whether the NIC is in promiscuous mode, and the sniffer's process, capture files and log files can be looked for. Sophisticated intruders, however, almost always hide their tracks by disguising the process and cleaning up the log files.

Network-based: a detector sends crafted traffic that a normally configured host would ignore but a host capturing everything will process, for example an ARP request addressed to a wrong MAC address; a machine that answers is listening promiscuously.

The best countermeasure against sniffing is end-to-end (user-to-user) encryption, such as TLS, SSH or IPsec, so that captured traffic reveals no plaintext.
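The host-based check above, as an added example that is not part of the original report. On Linux the kernel exposes each interface's flags in /sys/class/net/<iface>/flags as a hexadecimal word, and IFF_PROMISC is bit 0x100 in <linux/if.h>; the demo() function builds a constructed fake sysfs tree in a temporary directory so the check can be exercised without root or a real sniffer.

```python
import os

IFF_UP = 0x1
IFF_PROMISC = 0x100   # bit value of IFF_PROMISC in <linux/if.h>


def parse_flags(text):
    """Parse the contents of /sys/class/net/<iface>/flags (for example '0x1103\\n')."""
    return int(text.strip(), 16)


def is_promiscuous(flags):
    """True when the IFF_PROMISC bit is set in the interface flags word."""
    return bool(flags & IFF_PROMISC)


def promiscuous_interfaces(sysfs_net="/sys/class/net"):
    """Return the sorted names of interfaces under `sysfs_net` that are in promiscuous mode."""
    found = []
    if not os.path.isdir(sysfs_net):
        return found
    for iface in sorted(os.listdir(sysfs_net)):
        path = os.path.join(sysfs_net, iface, "flags")
        try:
            with open(path) as fh:
                flags = parse_flags(fh.read())
        except (OSError, ValueError):
            continue          # not a network interface directory, or unreadable
        if is_promiscuous(flags):
            found.append(iface)
    return found


def demo():
    """Constructed sysfs tree (not a real system): eth0 has IFF_PROMISC set, eth1 and lo do not."""
    import tempfile
    with tempfile.TemporaryDirectory() as fake_sysfs:
        for iface, flags in (("eth0", "0x1103"), ("eth1", "0x1003"), ("lo", "0x9")):
            os.makedirs(os.path.join(fake_sysfs, iface))
            with open(os.path.join(fake_sysfs, iface, "flags"), "w") as fh:
                fh.write(flags + "\n")
        return promiscuous_interfaces(fake_sysfs)


if __name__ == "__main__":
    print("fake sysfs:", demo())
    print("this host:", promiscuous_interfaces())
```

Run it on the real /sys/class/net to list interfaces a sniffer (or a legitimate capture tool such as tcpdump) has put into promiscuous mode. The caveat from the text applies: an intruder with kernel-level access can make the flag lie, so this check is evidence, not proof, and should be combined with the network-based probes.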

3. Mapping (Eavesdropping)


Before attacking a network, attackers want to know the IP addresses of the machines on the network, the operating systems they run and the services they offer; this is typically gathered by ping sweeps, port scans and OS fingerprinting. With this information their attacks can be more focused and are less likely to raise an alarm. The process of gathering this information is known as mapping. Closely related is eavesdropping: the majority of network communications still occur in an unsecured or "clear text" format, which allows an attacker who has gained access to the data paths in your network to "listen in" on or interpret the traffic. When an attacker is eavesdropping on your communications, it is referred to as sniffing or snooping. The ability of an eavesdropper to monitor the network is generally one of the biggest security problems that administrators face in an enterprise.

4. Hijacking (man-in-the-middle attack)

This is a technique that takes advantage of weaknesses in the TCP/IP protocol stack and the way headers are constructed: nothing in a plain TCP/IP exchange authenticates either end. Hijacking occurs when someone between you and the person with whom you are communicating is actively monitoring, capturing and controlling your communication transparently. For example, the attacker can re-route a data exchange. When computers are communicating at the lower layers of the network stack, they might not be able to determine with whom they are exchanging data. Man-in-the-middle attacks are like someone assuming your identity in order to read your messages. The person on the other end might believe it is you, because the attacker might be actively replying as you to keep the exchange going and gain more information. Mutual authentication and encryption at the application layer (for example TLS with certificate validation) are the standard defence: the attacker can still relay the traffic but can neither read nor alter it without detection.

5. Trojans

These are programs that look like ordinary software but actually perform unintended or malicious actions behind the scenes when launched. Most remote-control spyware programs are of this type. The number of trojan techniques is limited only by the attacker's imagination. A trojanized file will look, operate and appear to be the same size as the system file it replaced, so size and timestamp checks are not enough. The practical protection is a cryptographic checksum or digital signature of every binary, recorded before deployment and verified afterwards (code signing and file integrity monitoring), so that any modification shows up as a hash mismatch.
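The checksum procedure the text recommends, as an added example that is not part of the original report: a SHA-256 manifest is taken of a file tree before deployment and compared against the tree later. The demo() function constructs a small fake tree in a temporary directory, then replaces one "binary" with a same-size trojanized copy, deletes another and adds a third; the file names and contents are invented for the example.

```python
import hashlib
import os


def sha256_file(path):
    """SHA-256 hex digest of a file, read in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map each regular file under `root` (relative path, '/' separated) to its SHA-256."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def verify(root, baseline):
    """Compare the tree under `root` with a baseline manifest.

    Returns {'modified': [...], 'missing': [...], 'added': [...]}; a trojanized file of
    identical size shows up under 'modified' because its hash no longer matches.
    """
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Constructed scenario: baseline a tree, then tamper with it the way a trojan install would."""
    import tempfile
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "login"), "wb") as fh:
            fh.write(b"ORIGINAL LOGIN BINARY v1")       # 24 bytes
        with open(os.path.join(root, "bin", "ls"), "wb") as fh:
            fh.write(b"ORIGINAL LS BINARY")
        baseline = build_baseline(root)

        # Attacker swaps in a same-size replacement, removes a tool and drops a backdoor.
        with open(os.path.join(root, "bin", "login"), "wb") as fh:
            fh.write(b"TROJANED LOGIN BINARY v1")       # also 24 bytes
        os.remove(os.path.join(root, "bin", "ls"))
        with open(os.path.join(root, "bin", "sshd_backdoor"), "wb") as fh:
            fh.write(b"x")
        return verify(root, baseline)


if __name__ == "__main__":
    print(demo())
```

The check is only as trustworthy as the manifest: it must be created on a known-good system and kept where the intruder cannot rewrite it (read-only media, a separate host, or signed), otherwise the attacker simply updates the hashes along with the binaries. Tools such as AIDE and Tripwire automate exactly this comparison.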

6. Denial-of-Service attack (DoS) and Distributed-Denial-of-Service (DDoS)

A denial of service attack is an Internet attack often aimed at large websites. It is designed to bring a network or service to its knees by flooding it with useless traffic. Denial of service results when a system, such as a web server, has been flooded with illegitimate requests, making it impossible to respond to real requests or tasks. Yahoo! and eBay were both victims of such attacks in February 2000.

A DoS attack can be carried out in a number of ways. There are three basic types of attack:

Consumption of computational resources, such as bandwidth, disk space or CPU time.

Disruption of configuration information, such as routing information.

Disruption of physical network components.

The consequences of a DoS attack are the following:

Unusually slow network performance.

Unavailability of a particular web site.

Inability to access any web site.

Dramatic increase in the amount of spam you receive in your account.

Common forms of denial of service attack are:

a) Buffer Overflow Attacks

The most common kind of DoS attack is simply to send more data to a network service than the programmer expected its buffers to hold. A few of the better-known attacks based on the buffer characteristics of a program or system include:

Sending e-mail messages that have attachments with 256-character file names to Netscape and Microsoft mail programs.

Sending oversized Internet Control Message Protocol (ICMP) packets (the "ping of death").

b) Smurf Attack

In this attack the perpetrator sends an ICMP echo (ping) request to the broadcast address of a receiving site's local network, so that every host on that network receives it. The packet carries a spoofed source address: that of the target site which is to receive the denial of service. The result is a flood of ping replies to the innocent, spoofed host, amplified by the number of hosts on the intermediary network. If the flood is great enough, the spoofed host can no longer receive or distinguish real traffic. The intermediary network is defended by not forwarding directed broadcasts at its routers (the default for routers since RFC 2644) and the target by ingress filtering of spoofed sources at its providers.

c) SYN floods

When a computer wants to make a TCP connection to another computer, usually a server, an exchange of SYN and ACK packets occurs (the three-way handshake). The computer requesting the connection, usually the client's or user's computer, sends a TCP SYN packet which asks the server if it can connect. If the server is ready, it sends a SYN-ACK packet back to the client to say "yes, you may connect", reserves state for the half-open connection and waits for the client to respond with an ACK. In a SYN flood the client's source address is usually forged, so when the server sends its SYN-ACK the packet is never answered: the spoofed client either does not exist or was not expecting the packet and ignores it. This leaves the server with a half-open connection reserved for a client that will never respond. Done many times against one server, this exhausts the backlog of pending connections and keeps legitimate clients from connecting. The standard mitigation is SYN cookies, where the server encodes the connection state in its initial sequence number and allocates nothing until the client's final ACK arrives.
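Detection logic for the condition described above, as an added example that is not part of the original report: the half-open connection count per server is reconstructed from a constructed list of packet records (time, source, destination, TCP flags in tcpdump letter style), and a server with more than a threshold of handshakes that never completed is reported. The addresses, the 200 spoofed sources and the thresholds are assumptions for the example.

```python
from collections import defaultdict

# Constructed packet records, not captured traffic: (time_s, src, dst, flags).
# "S" is the client's SYN, "SA" the server's SYN-ACK, "A" the client's final ACK,
# "R" a reset. A legitimate client completes its handshake; the flood never does.
SAMPLE = [
    (0.00, "198.51.100.7", "203.0.113.9:80", "S"),
    (0.01, "203.0.113.9:80", "198.51.100.7", "SA"),
    (0.02, "198.51.100.7", "203.0.113.9:80", "A"),    # completed handshake
    (0.05, "198.51.100.8", "203.0.113.9:80", "S"),
    (0.06, "203.0.113.9:80", "198.51.100.8", "SA"),
    (0.07, "198.51.100.8", "203.0.113.9:80", "R"),    # client aborted, state released
]
# 200 SYNs from spoofed sources that will never answer the SYN-ACK.
SAMPLE += [(0.10 + i * 0.001, f"10.0.0.{i + 1}", "203.0.113.9:80", "S") for i in range(200)]


def half_open_connections(packets, now, timeout=3.0):
    """Return {server: count} of handshakes still half-open at time `now`.

    A (client, server) pair becomes pending on the client's SYN and is released by the
    client's ACK or a reset from either side. Pending entries younger than `timeout`
    may simply be in flight and are not counted.
    """
    pending = {}   # (client, server) -> time of SYN
    for t, src, dst, flags in packets:
        if flags == "S":
            pending[(src, dst)] = t
        elif flags == "A":
            pending.pop((src, dst), None)
        elif "R" in flags:
            pending.pop((src, dst), None)
            pending.pop((dst, src), None)
        # "SA" is the server's reply and does not change the client's state here.
    counts = defaultdict(int)
    for (_client, server), t_syn in pending.items():
        if now - t_syn >= timeout:
            counts[server] += 1
    return dict(counts)


def syn_flood_alerts(packets, now, threshold=100, timeout=3.0):
    """Servers whose stale half-open connection count reaches `threshold`."""
    return [(server, n) for server, n in half_open_connections(packets, now, timeout).items()
            if n >= threshold]


if __name__ == "__main__":
    print(half_open_connections(SAMPLE, now=5.0))
    print(syn_flood_alerts(SAMPLE, now=5.0))
```

Note what the detector cannot do: the 200 sources are all different and all forged, so blocking by source address is useless, which is why the mitigation has to be at the server (SYN cookies, on Linux net.ipv4.tcp_syncookies=1) or upstream, rather than a per-source filter.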

Distributed Denial-of-Service attacks (DDoS)

A distributed denial of service attack (DDoS) occurs when multiple compromised systems, or multiple attackers, flood the bandwidth or resources of a targeted system with useless traffic. The systems are compromised by attackers using a variety of methods.

In a DDoS attack, the attacker first gains access to user accounts on numerous hosts across the Internet. The attacker then installs and runs a slave (bot) program at each compromised site that quietly waits for commands from a master program. When the master program runs, it contacts the slave programs and instructs each of them to launch a denial of service attack directed at the same target host. The resulting coordinated attack is particularly devastating, since it comes from so many attacking hosts at the same time and cannot be stopped by filtering a single source.

7. Social Engineering


Social engineering is the use of persuasion or deception to gain access to information systems. The medium is usually a telephone call or an e-mail message. The attacker typically pretends to be a director or manager of the company travelling on business, with a deadline and some important data left on their network drive. They pressure the help desk to give them the toll-free number of the remote access (RAS) server to dial into, and sometimes get their password reset. The purpose of social engineering is to place the human element in the network-breaching loop and use it as a weapon. The human element has been called the weakest link in network security.

Examples of social engineering:

1. Faked email: the social engineer sends a message to one or more users in a domain saying "this is the system administrator and your password must be reset to user123" for a temporary period. The attacker then monitors continuously for the change and, once a user complies, logs in with the known password and works from there.

2. Fictitious competition: the social engineer manipulates a group of users into taking part in a fake competition for a jackpot prize, with the ultimate purpose of extracting confidential information about network and password security.

3. The helpful help desk: the help desk gets a call from the social engineer impersonating a user who has forgotten their password. In many cases the help desk will change the user's password over the phone without verifying the caller's identity. The attacker now has a legitimate username and password to work with.

2.2 Firewall


In computing, a firewall is a software- or hardware-based network security system that controls incoming and outgoing network traffic based on an applied rule set. A firewall establishes a barrier between a trusted, secure internal network and another network (e.g., the Internet) that is not assumed to be secure and trusted.[1] Rules are normally evaluated in order until one matches, and traffic that matches no rule should be denied by default.

Many personal computer operating systems include software-based firewalls to protect against threats from the public Internet. Many routers that pass data between networks contain firewall components and, conversely, many firewalls can perform basic routing functions.
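First-match rule evaluation with an implicit deny, as an added example that is not part of the original report. The rule set, addresses and ports are assumptions constructed for the example; the reordered call at the end shows why rule order matters in a first-match policy.

```python
import ipaddress

# Constructed rule set: (action, direction, src_cidr, dst_cidr, proto, dst_port or None).
# First match wins; anything matching no rule falls through to DEFAULT.
RULES = [
    ("allow", "in",  "0.0.0.0/0",       "203.0.113.10/32", "tcp", 443),   # public web server
    ("allow", "in",  "198.51.100.0/24", "203.0.113.10/32", "tcp", 22),    # SSH only from admin range
    ("deny",  "in",  "0.0.0.0/0",       "203.0.113.0/24",  "tcp", 22),    # block all other SSH
    ("allow", "out", "203.0.113.0/24",  "0.0.0.0/0",       "any", None),  # all outbound traffic
]
DEFAULT = "deny"


def match(rule, pkt):
    """True when `pkt` (dict with dir, src, dst, proto, dport) satisfies every field of `rule`."""
    _action, direction, src_cidr, dst_cidr, proto, port = rule
    return (direction == pkt["dir"]
            and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(src_cidr)
            and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(dst_cidr)
            and proto in ("any", pkt["proto"])
            and (port is None or port == pkt["dport"]))


def evaluate(pkt, rules=RULES):
    """Return (action, index of the matching rule) or (DEFAULT, None) if nothing matched."""
    for idx, rule in enumerate(rules):
        if match(rule, pkt):
            return rule[0], idx
    return DEFAULT, None


if __name__ == "__main__":
    # Constructed packets, not captured traffic.
    admin_ssh = {"dir": "in", "src": "198.51.100.5", "dst": "203.0.113.10", "proto": "tcp", "dport": 22}
    stranger_ssh = {"dir": "in", "src": "192.0.2.1", "dst": "203.0.113.10", "proto": "tcp", "dport": 22}
    telnet = {"dir": "in", "src": "192.0.2.1", "dst": "203.0.113.10", "proto": "tcp", "dport": 23}
    print(evaluate(admin_ssh), evaluate(stranger_ssh), evaluate(telnet))
    # Same rules with the broad deny placed before the narrow allow: the admin is locked out.
    print(evaluate(admin_ssh, [RULES[2], RULES[1]]))
```

This is stateless filtering: replies to the outbound connections allowed by the last rule would arrive as "in" traffic and hit the default deny. Production firewalls add connection tracking (an "established" match) so that return traffic of an accepted connection is allowed without opening the inbound ports themselves.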

2.3 Virtual Private Network


A virtual private network (VPN) extends a private network across a public network, such as the Internet. It enables a computer to send and receive data across shared or public networks as if it were directly connected to the private network, while benefiting from the functionality, security and management policies of the private network.[1] A VPN is created by establishing a virtual point-to-point connection through the use of dedicated connections, virtual tunnelling protocols or traffic encryption.

A virtual private network connection across the Internet is similar to a wide area network (WAN) link between sites. From a user perspective, the extended network resources are accessed in the same way as resources available within the private network.[2]

VPNs allow employees to securely access their company's intranet while travelling outside the office. Similarly, VPNs securely connect geographically disparate offices of an organization, creating one cohesive network. VPN technology is also used by Internet users to connect to proxy servers for the purpose of protecting personal identity and location.

2.4 Network Address Translation


Network address translation (NAT) is a method of modifying the network address information in Internet Protocol (IP) datagram headers while they are in transit across a traffic routing device, for the purpose of remapping one IP address space into another. Network address translation was originally used to map every address of one address space to a corresponding address in another space, such as when an enterprise changed Internet service provider without having a facility to announce a public route to the network.

Most often today, NAT is used in conjunction with IP masquerading, a technique that hides an entire IP address space, usually consisting of private network IP addresses (RFC 1918), behind a single IP address in another, usually public, address space. This mechanism is implemented in a routing device that uses stateful translation tables to map the "hidden" addresses into a single IP address and readdresses the outgoing Internet Protocol packets on exit so that they appear to originate from the routing device. In the reverse direction, responses are mapped back to the originating IP addresses using the rules ("state") stored in the translation tables. Translation table entries established in this fashion are flushed after a short period unless new traffic refreshes their state.

The method enables communication through the router only when the conversation originates in the masqueraded network, since this is what creates the translation table entry. For example, a web browser in the masqueraded network can browse a website outside, but a web browser outside cannot browse a website hosted within the masqueraded network. However, most NAT devices today allow the network administrator to configure translation table entries for permanent use. This feature is often referred to as "static NAT" or port forwarding and allows traffic originating in the "outside" network to reach designated hosts in the masqueraded network. Because of the popularity of this technique for conserving IPv4 address space, the term NAT has become virtually synonymous with IP masquerading.

As network address translation modifies the IP address information in packets, it has serious consequences for the quality of Internet connectivity and requires careful attention to the details of its implementation. NAT implementations vary widely in their specific behaviour in various addressing cases and in their effect on network traffic, and the specifics of NAT behaviour are not commonly documented by equipment vendors. Note also that NAT is not a security control: it happens to block unsolicited inbound connections, but a firewall policy should be what enforces that, since a port forward, an outbound connection from a compromised inside host, or a NAT implementation that accepts inbound packets on a mapped port from any remote address all pass traffic straight through.
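The translation-table behaviour described above, as an added example that is not part of the original report: a small simulation of a masquerading NAT with dynamic entries, state expiry and a static port forward. It is a model of the mechanism, not a real NAT implementation; the addresses, ports and timeout are assumptions constructed for the example.

```python
class Masquerader:
    """Stateful NAT/masquerade table for one public address (constructed simulation).

    Private (ip, port) pairs are rewritten to (public_ip, ephemeral port) on the way out,
    replies from the same remote endpoint are mapped back, and inbound packets without
    state are dropped unless a static port forward exists.
    """

    def __init__(self, public_ip, timeout=300, first_port=40000):
        self.public_ip = public_ip
        self.timeout = timeout
        self.next_port = first_port
        self.table = {}   # public_port -> {"inside": (ip, port), "remote": (ip, port), "seen": t}
        self.static = {}  # public_port -> (inside_ip, inside_port)

    def add_port_forward(self, public_port, inside_ip, inside_port):
        """Static NAT entry: outside may initiate a conversation to this inside host."""
        self.static[public_port] = (inside_ip, inside_port)

    def _expire(self, now):
        """Flush dynamic entries that no traffic has refreshed within the timeout."""
        for pport in [p for p, e in self.table.items() if now - e["seen"] > self.timeout]:
            del self.table[pport]

    def outbound(self, src, dst, now):
        """Translate a packet leaving the private network; src/dst are (ip, port) tuples."""
        self._expire(now)
        for pport, e in self.table.items():
            if e["inside"] == src and e["remote"] == dst:
                e["seen"] = now                       # existing conversation: refresh state
                return (self.public_ip, pport), dst
        pport = self.next_port                        # new conversation: allocate a port
        self.next_port += 1
        self.table[pport] = {"inside": src, "remote": dst, "seen": now}
        return (self.public_ip, pport), dst

    def inbound(self, src, dst, now):
        """Translate a packet arriving from outside. Returns (src, inside_dst) or None to drop."""
        self._expire(now)
        if dst[0] != self.public_ip:
            return None
        e = self.table.get(dst[1])
        if e and e["remote"] == src:                  # reply to a conversation we started
            e["seen"] = now
            return src, e["inside"]
        if dst[1] in self.static:                     # static NAT / port forward
            return src, self.static[dst[1]]
        return None                                   # unsolicited: no state, dropped


def demo():
    """Constructed scenario walking through the cases described in the text."""
    nat = Masquerader("203.0.113.1", timeout=300)
    nat.add_port_forward(8080, "192.168.1.20", 80)
    ev = {}
    ev["out"] = nat.outbound(("192.168.1.10", 51000), ("198.51.100.7", 443), now=0)
    ev["out_again"] = nat.outbound(("192.168.1.10", 51000), ("198.51.100.7", 443), now=1)
    ev["reply"] = nat.inbound(("198.51.100.7", 443), ("203.0.113.1", 40000), now=2)
    ev["unsolicited"] = nat.inbound(("198.51.100.9", 12345), ("203.0.113.1", 40001), now=3)
    ev["forward"] = nat.inbound(("198.51.100.9", 12345), ("203.0.113.1", 8080), now=4)
    ev["stale"] = nat.inbound(("198.51.100.7", 443), ("203.0.113.1", 40000), now=1000)
    return ev


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

This model checks that an inbound packet comes from the remote endpoint recorded in the entry, which is the strict ("endpoint-dependent") behaviour. Many consumer NATs accept a packet on a mapped port from any remote address, which is what makes UDP hole punching work and also what the caveat in the text refers to: which variant a given device implements is rarely documented.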

Chapter 3

Intrusion Detection System (IDS) & Intrusion Prevention System (IPS)

In computer security, intrusion detection refers to the process of monitoring computer and network activities and analyzing those events to look for signs of intrusion into your systems. The point of looking for unauthorized intrusions is to alert IT professionals and system administrators within your organization to potential system or network security threats and weaknesses.

IDS — A Passive Security Solution

An intrusion detection system (IDS) is designed to monitor inbound and outbound network activity and identify any suspicious patterns that may indicate a network or system attack from someone attempting to break into or compromise a system. An IDS is considered a passive monitoring system, since the main function of an IDS product is to warn you of suspicious activity taking place, not to prevent it. An IDS essentially reviews your network traffic and data and identifies probes, attacks, exploits and other signs of malicious activity. An IDS can respond to a suspicious event in one of several ways, including displaying an alert, logging the event or paging an administrator. In some cases the IDS may be configured to reconfigure the network to reduce the effects of the suspected intrusion.

An IDS looks for suspicious activity and events that might be the result of a virus, worm or hacker. This is done by looking for known intrusion signatures or attack signatures that characterize different worms, viruses and exploits, and by tracking general variances from regular system activity. A purely signature-based IDS can only notify you of known attacks; anomaly-based detection (described below) is what allows unknown attacks to be flagged, at the cost of more false alarms.

The term IDS covers a large variety of products, all of which produce the end result of detecting intrusions. An IDS solution can come in the form of cheaper shareware or freely distributed open-source programs, or as a much more expensive vendor software solution. Additionally, some IDSs consist of both software applications and hardware appliances and sensor devices which are installed at different points along your network.

There are several ways to categorize an IDS system:

Misuse Detection vs. Anomaly Detection

In misuse detection, the IDS analyzes the information it gathers and compares it to large databases of attack signatures. Essentially, the IDS looks for a specific attack that has already been documented. Like a virus detection system, misuse detection software is only as good as the database of intrusion signatures that it uses to compare packets against. In anomaly detection, the system administrator defines the baseline, or normal, state of the network's traffic load, breakdown, protocol mix and typical packet size. The anomaly detector monitors network segments to compare their state to the normal baseline and looks for deviations. The two approaches are complementary: a signature catches a known attack even when it looks statistically ordinary, while an anomaly detector can flag traffic no signature describes yet.
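Both detection styles run side by side over constructed traffic records, as an added example that is not part of the original report. The signatures, the baseline sample and the observed records are invented for the example; the point is that the traversal request is caught only by the signature (its size is ordinary) and the oversized request only by the anomaly detector (its payload matches nothing).

```python
import re
import statistics

# Constructed records, not captured traffic: (src, dst_port, size_bytes, payload).
BASELINE_TRAFFIC = [("192.0.2." + str(i + 1), 80, size, b"GET /index.html HTTP/1.1")
                    for i, size in enumerate([500, 520, 480, 510, 490, 505, 495, 515, 485, 500])]

OBSERVED = [
    ("198.51.100.5", 80, 510, b"GET /index.html HTTP/1.1"),          # ordinary request
    ("198.51.100.7", 80, 520, b"GET /../../etc/passwd HTTP/1.1"),    # known attack, normal size
    ("198.51.100.8", 80, 1500, b"GET /index.html HTTP/1.1"),         # unusual size, no known pattern
]

# Misuse detection: a small signature database (name, compiled pattern over the payload).
SIGNATURES = [
    ("http-directory-traversal", re.compile(rb"\.\./\.\./")),
    ("shell-in-request", re.compile(rb"/bin/sh|cmd\.exe", re.IGNORECASE)),
]


def signature_alerts(records):
    """Misuse detection: report every record whose payload matches a known signature."""
    alerts = []
    for src, _dport, _size, payload in records:
        for name, pattern in SIGNATURES:
            if pattern.search(payload):
                alerts.append((name, src))
    return alerts


def build_baseline(records):
    """Anomaly detection, training step: mean and population stdev of packet size."""
    sizes = [size for _src, _dport, size, _payload in records]
    return {"mean": statistics.mean(sizes), "stdev": statistics.pstdev(sizes)}


def anomaly_alerts(records, baseline, threshold=3.0):
    """Anomaly detection: report records whose size deviates from the baseline by > threshold sigmas."""
    alerts = []
    for src, _dport, size, _payload in records:
        z = (size - baseline["mean"]) / baseline["stdev"]
        if abs(z) > threshold:
            alerts.append(("size-anomaly", src, size))
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_TRAFFIC)
    print("baseline:", baseline)
    print("signature alerts:", signature_alerts(OBSERVED))
    print("anomaly alerts:", anomaly_alerts(OBSERVED, baseline))
```

The baseline here is a single statistic on one feature; a real anomaly engine profiles many features per host and per protocol, and its threshold is the trade-off the text mentions: lower it and unknown attacks are caught earlier, at the price of more legitimate traffic being flagged.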

Passive Vs. Reactive Systems

In a passive system, the IDS detects a potential security breach, logs the information and signals an alert. In a reactive system, the IDS responds to the suspicious activity by logging off a user or by reprogramming the firewall to block network traffic from the suspected malicious source.

Network-based vs. Host-based IDS


Intrusion detection systems are network-based or host-based solutions. Network-based IDS systems (NIDS) are often standalone hardware appliances with network intrusion detection capabilities. A NIDS usually consists of hardware sensors located at various points along the network, or software installed on computers connected to your network, which analyze the data packets entering and leaving the network.

Host-based IDS systems (HIDS) consist of software agents installed on individual computers within the system. A HIDS analyzes the traffic to and from the specific computer on which it is installed, together with that host's own activity. HIDS do not offer true real-time detection, but if configured correctly they come close to it. HIDS often provide features you cannot get with a network-based IDS: for example, a HIDS can monitor activities that only an administrator should be able to perform, changes to key system files and any attempt to overwrite them, and attempts to install trojans or backdoors, and can stop them. These host-level events are not always visible to a NIDS, particularly when the traffic is encrypted.

Depending on the size of your network and the number of individual computers that require intrusion detection, a NIDS is usually the cheaper solution to implement and requires less administration and training, but it is not as versatile as a HIDS. Both kinds of system require Internet access to keep their attack signatures up to date.

Is IDS the Same as a Firewall?

The quick answer is no. Unfortunately, an IDS is commonly mistaken for a firewall or for a substitute for a firewall. While both relate to network security, an IDS differs from a firewall in that a firewall limits the access between networks in order to prevent intrusion, and it does not signal an attack from inside the network. An IDS evaluates a suspected intrusion once it has taken place and raises an alarm, and it also watches for attacks that originate from within the system. A network-based IDS can also detect malicious packets that are designed to slip past a firewall's simpler filtering rules. An IDS is not a replacement for either a firewall or a good antivirus program; it should be considered a tool to use in conjunction with your standard security products (such as antivirus and a firewall) to increase your system-specific or network-wide security.

IPS — An Active Security Solution

An intrusion prevention system (IPS) is the next level of security technology, with the capability to provide security at all system levels from the operating system kernel to network data packets. It provides policies and rules for network traffic along with the alerting of an IDS, but also carries out an action when a rule fires. Where an IDS informs you of a potential attack, an IPS attempts to stop it. Another step beyond an IDS is that an IPS can block not only known intrusion signatures but also some unknown attacks, thanks to its database of generic attack behaviours. Considered a combination of an IDS and an application-layer firewall, an IPS is generally regarded as the "next generation" of IDS. Currently there are two types of IPS, similar in nature to IDS: host-based intrusion prevention systems (HIPS) and network-based intrusion prevention systems (NIPS).

Network-based vs. Host-based IPS

Host-based intrusion prevention systems protect both servers and workstations through software that runs between the system's applications and the OS kernel. The software is preconfigured with protection rules based on intrusion and attack signatures. The HIPS catches suspicious activity on the system and then, depending on the predefined rules, either blocks or allows the event. A HIPS monitors activities such as application or data requests, network connection attempts and read or write attempts, to name a few.

Network-based intrusion prevention systems (often called inline prevention systems) are a network-level solution. A NIPS intercepts all network traffic, monitors it for suspicious activity and events, and either blocks the requests or passes them along if the traffic is deemed legitimate. A NIPS works in several ways; the product-specific features determine how a given solution works, but generally you can expect it to scan for intrusion signatures, search for protocol anomalies, detect commands not normally executed on the network and more. One interesting aspect of a NIPS is that if it finds an offending packet it can rewrite the packet so that the attack fails, while the organization can flag the event to gather evidence against the would-be intruder without the intruder's knowledge. As with all technology, a NIPS is not perfect: in some instances you may end up blocking a legitimate network request.

While host-based IPSs are considered more secure than network-based ones, installing the software on every server and workstation in your organization may be quite costly. Additionally, the HIPS on each system must be updated frequently to keep its attack signatures current. Implementing a NIPS has its own problems. We have already mentioned the possibility of blocking legitimate traffic, and network performance also has to be considered: since all data moving through the network passes through the IPS, it can cause network throughput to drop, and because it is inline, an IPS failure can take the link down with it unless it fails open. To address the performance problem, network-based IPSs built as appliances (dedicated hardware plus software) are available at a larger cost, and these take most of the load of a software-based NIPS off your network.

IDS vs. IPS

While many in the security industry believe IPS is the way of the future and that IPS will take over from IDS, it is somewhat of an apples-and-oranges comparison. The two solutions differ in that one is a passive detection and monitoring system and the other an active prevention system. The age-old question of why you would be passive when you could be active comes into play. You can also weigh the implementation of the more mature IDS technology against the younger, less established IPS solutions. The drawbacks mentioned regarding IDS can largely be overcome with proper training, management and implementation, and overall an IDS solution will be cheaper to implement. Many, however, look at the added benefits of IPS and, believing that IPS is the next generation of IDS, choose the newer IPSs over IDSs. Adding to the muddle, of course, is your initial decision between host-based and network-based systems for either IDS or IPS. Much as when choosing between standard security devices like routers and firewalls, it is important to remember that no single security device will stop all attacks all the time. IPS and IDS work best when integrated with additional and existing security solutions.

Chapter 4

Analysis and Discussion

The market for Intrusion Detection Systems/Intrusion Prevention Systems (IDS/IPS) comprises both intrusion prevention and intrusion detection systems. Intrusion prevention systems are an advancement of IDS and have expanded the total IDPS market. The market is divided into three submarkets: network-based, host-based and wireless technologies.

Network based IDS/IPS: these systems are standalone hardware appliances having intrusion detection capabilities.


Host based IDS/IPS: these are the software agents installed on individual computers having Intrusion detection capabilities.

Wireless: these network devices monitor the radio spectrum for the presence of unauthorized access points.

Of these three, host-based IDS/IPS is gaining traction fastest. The Intrusion Detection System/Intrusion Prevention System market is built on three components, hardware, software and services; the hardware market includes both physical and virtual appliances. These solutions can be deployed either in the cloud or on-premise. The global intrusion detection system market has also been classified by industry vertical and by region. By industry vertical, the intrusion prevention system market is segmented into aerospace, defense and intelligence; government and public utilities; BFSI; IT and telecommunications; healthcare and life sciences; retail; and transportation. By region, the global IDS/IPS security market is segmented into North America, Europe, MEA, APAC and Latin America. As of 2014 North America is the biggest market for intrusion detection and prevention systems, but the growing economies of Europe and Asia, such as Germany, Norway, Indonesia, China, India, Korea and others, are a good opportunity for this market. The growth of the intrusion detection system market rests on a number of driving forces; the major drivers for the prevention system security market are the continuing sophistication of cyber attacks, security threats and hacking attempts, increasing governmental pressure on security compliance and regulation, and increasing spending on IT security solutions and services.

Driven by these factors the IDS/IPS market is evolving and gaining maturity and is now moving towards its advanced stage, the "Next Generation IDS/IPS". All these factors have boosted the IDPS market, and it is expected to grow to $5.04 billion in 2019 from $2.71 billion in 2014, a CAGR of 13.2%. The intrusion detection system market is diversified and competitive, with a large number of players; it is dominated by various players depending on their core competencies. The key players in this market are Corero (Massachusetts), Dell (Texas), Extreme Networks (California), IBM (New York) and Check Point (Israel), whereas the key players providing next-generation IPS solutions are HP TippingPoint (California), Cisco-Sourcefire (California) and McAfee (California).

Scope of the Report

This research report categorizes the global intrusion prevention systems security market to forecast the revenues and analyze the trends in each of the following submarkets:

On the basis of IDS/IPS security market by types:

Network based
Host based
Wireless

On the basis of security market by components:


Hardware
Software
Services
    Consulting
    Managed Services
    Design and Integration
    Training and Education

On the basis of security market by deployment model:

Cloud Deployment
On-Premise Deployment

On the basis of market by industry verticals:

Aerospace, Defense and Intelligence
Government (excluding defense) & Public Utilities
IT & Telecommunication
Healthcare & Life Sciences
BFSI
Others

On the basis of security market segmentation by regions:

NA
EU
APAC
MEA
LA