Lesson Network and Web Security - Cybersecurity - ثالث ثانوي

Lesson 2 Network and Web Security Link to digital lesion www.em.edusa Network Structures and Web Technologies in Cybersecurity In cybersecurity, understanding the structure of networks and web technologies is crucial, as these elements shape the nature of the threats and the protective measures that can be taken to mitigate them. Networks consist of interconnected devices that exchange information with each other, while web technologies enable the creation and sharing of content and applications over the Internet. The Internet can be viewed as a network of networks. As the number of devices and web services increases, so does these systems' complexity and potential vulnerability. The structure of networks and web technologies directly impacts the types of threats that can be encountered in the cybersecurity landscape. For instance, networks may face distributed denial-of-service (DDoS) attacks, which can overwhelm and disrupt services by flooding them with traffic. Similarly, web technologies can be vulnerable to threats like cross-site scripting (XSS) and SQL injection attacks, where hackers exploit vulnerabilities in web applications to gain unauthorized access to sensitive data. On the other hand, the structure of networks and web technologies also shapes the protective measures that can be employed to secure them. For example, network segmentation can isolate critical systems and reduce the potential attack surface. In contrast, firewalls and intrusion detection systems (IDS) can help monitor and control traffic flow in and out of a network. In web technologies, secure programming practices, such as input validation and proper error handling, can help prevent vulnerabilities from being exploited. The following presents the basic networking and web technology concepts that influence cybersecurity threats and protective measures: Fundamental Networking Concepts Network Topologies The physical or logical arrangement of devices in a network. Common topologies include star, ring, bus, mesh, and hybrid. Network Devices Essential hardware components that facilitate communication and connectivity within networks, such as switches, routers, firewalls, and access points. Transmission Media The physical or wireless means through which data is transmitted between devices in a network. Examples include Ethernet cables (e.g., twisted-pair, coaxial, or fiber-optic cables) and wireless technologies (e.g., Wi-Fi, Bluetooth, or cellular networks). Network Protocols Sets of rules and conventions that dictate how devices communicate and exchange information within a Full network protocols operate at different layers of the Open Systems Interconnection (OSI) or TCP/IP models. Examples include HTTP/S, FTP, TCP, UDP, and IP 2173-1445 66

Fundamental Networking Components Switches Network devices responsible for directing traffic within a local area network (LAN), connecting devices and ensuring that data packets reach their intended destinations. Routers Devices that forward data packets between different networks, determining the most efficient path for the data to travel. Firewalls Security devices that monitor and control incoming and outgoing network traffic based on predetermined security rules, protecting internal networks from unauthorized access and potential cyberattacks. Access Points Network devices that provide wireless connectivity to other devices, enabling them to connect to the network and communicate with other devices or systems. Fundamental Networking Protocols IP (Internet Protocol) Responsible for addressing and routing data packets across networks, ensuring that they reach their intended destinations. Internet Protocol Security (IPSec) IPSec is a suite of protocols used to secure IP communications by authenticating and encrypting each IP packet in a data stream. It operates at the network layer of the Internet Protocol Suite, enabling it to protect any application traffic across an IP network. TCP (Transmission Control Protocol) Ensures reliable data transmission by establishing a connection between devices, sequencing data packets, and managing the information flow. UDP (User Datagram Protocol) It is an unreliable protocol used by applications that require faster delivery of data but do not require the complex features of the TCP. HTTP (Hypertext Transfer Protocol) Used for transmitting web-based content between a client (e.g., a web browser) and a server using a TCP connection, enabling the exchange of text, images, and other multimedia elements. HTTPS (Hypertext Transfer Protocol Secure) An encrypted version of HTTP that uses TLS/SSL protocol instead of using TCP directly. It is currently used in the majority of Internet services. FTP (File Transfer Protocol) A standard protocol for transferring files between a client and a server over a network, allowing users to upload, downleat, and manage files on a remote system. SFTP (Secure File Transfer Protocol) FA secure version of FTP that uses SSH (Secure Shell) to encrypt data during transmission, providing an additional layer of security for file transfers. 2177-1445 67

DNS (Domain Name System) A protocol that translates human-readable domain names (e.g., www.example.com) into IP addresses, allowing users to access websites and other network resources using easily understandable names as URLS (Unified Resource Locator). DHCP (Dynamic Host Configuration Protocol) A network management protocol that automatically assigns IP addresses and other network configuration information to devices on a network, simplifying network administration and reducing the risk of IP address conflicts. SNMP (Simple Network Management Protocol) A protocal for monitoring and managing network devices, such as routers, switches, and servers, by collecting and organizing information about their performance, use, and status. SSL/TLS (Secure Sockets Layer/Transport Layer Security) Cryptographic protocols that provide secure communication over a network by encrypting data exchanged between a client and a server, commonly used in web browsing, email, and other applications that require secure data transmission. Network and Web Security Technologies In cybersecurity, it is important to understand and employ various network security protocols and technologies to protect the integrity, confidentiality, and availability of data and systems. The following are the most common and essential network security measures. Intrusion Detection Systems (IDSS) An Intrusion Detection System (IDS) is a security technology that monitors network traffic for any signs of malicious activity or policy violations. Intrusion Detection Systems can generate alerts when potential threats are detected, allowing network administrators to respond quickly and mitigate the impact of an attack. There are two types of IDS: ⚫ Network-based IDS (NIDS): This type of IDS analyzes network traffic, looking for suspicious patterns or signs of unauthorized access. ⚫ Host-based IDS (HIDS): This type of IDS is installed on individual devices, such as servers or workstations, and monitors local system activity for any signs of intrusion or unauthorized access. thuma demend Detection System Network administation Internet Figuro 2.5 Remestunum of an Ins 68 Demilitarized Zones (DMZs) A Demilitarized Zone (DMZ) is a specific network segment between an organization's internal network and the external, untrusted network, such as the Internet. The DMZ is designed to provide an additional layer of security by isolating services that need to be accessible from the Internet, such as web servers or email servers, from the organization's internal network. 173-1445

- כקוע By placing these services in the DMZ, any potential attacks or vulnerabilities are contained within the DMZ and are less likely to impact the internal network. This setup allows organizations to maintain a higher level of security for their critical systems and data. Enterprise LAN Firewall DAME Hartwork Firewall (merno Web server Router Mall server Virtual Private Networks (VPNs) Figure 2.5 DM2 Network architecture A Virtual Private Network (VPN) is a technology that establishes a secure and encrypted connection between a user's device and a remote network, often over the Internet. VPNs protect the confidentiality and integrity of data transmitted between the user's device and the remote network, ensuring that sensitive information remains private even when transmitted over unsecured networks. VPNs also provide additional benefits, such as bypassing geo-restrictions, protecting user privacy, and allowing remote access to secure networks. These technologies are commonly employed by businesses and individuals alike to maintain security and privacy while using the Internet. Ple VEN cliom intemet vice provider VPN SERVO Plintext Figure 27 Reanesentation of a VPN Internet Protecting your Devices on a Public Wi-Fi Network Using public WiFi networks is convenient, but creates various security risks for your devices and your data. The following are best practices for protecting your devices on a public WiFi network. Use your cellphone as a mobile hotspot. Turn off your WiFi connection when you are not planning to connect to a WiFi network. Do not perform tasks that require the transmission of sensitive information, like financial or medical data, over public WiFi. Do not reset passwords for your accounts over a public WiFi network. Use a VPN service. Avold web pages that use HTTP protocol instead of the more secure HTTPS resource sharing on your devices. 69

Network Monitoring and Packet Sniffing There are tools that are used to monitor the traffic on a network and track and analyze the packets that are transmitted through the network. These actions are performed by tools called Packet Analyzers. One of the most popular packet analyzer tools is Wireshark. Wireshark is an open-source packet analyzer used to examine details of traffic at several levels, from connection-level information to single packet-level information, providing information to the network administrator regarding individual packets such as transmission time, source and destination, protocol type, and packet header data which can be very important for evaluating and diagnosing security issues. You can download and install Wireshark from the following link: https://2.na.dl.wireshark.org/win64/Wireshark-win64-4.0.6.exe Monitoring a Network with Wireshark You will now familiarize yourself with the interface of the Wireshark network analyzer. Monitoring a network with Wireshark: > Open the Wireshark application and view the available networks list. > Click on the Capture command. > In the Capture window, click on the network you want to monitor. > Click on the Start button. > Monitor the flow of data packets in the network. > Click the Stop button to end the network monitoring. The Wishart 2 Caphire Loon Comi Comedi La Ampact affic care The de Wik Que and demers Mailing Int وزارة التعليم 1173-1465 70 1 All network Interfaces are displayed here.

6 shane-Cagnum Imeriace லா Local Commection' 3 Local Area Comption 1411 GEANAR Ethern LHATT User's Grade Wins Hailing Vie Capture a tinatio 253 5 When promiscuous mode is enabled, the network interface supplies all the network packets they see to the host Cove Sery, w Profile: Derul - sync micom Th From 1 Bates on pare (872 00184 bytes centered (672 bits) on Interface viceU_jai-08-10-137wout), w Ethernet 1,1 (34 540), Par Patel vesi, Sum - castelu (33:32) وزارة التعليم 07 173-1445 3# L Figure 2:8 Monitoring a network with Wireshark 71

Analyzing the Wireshark Output The Wireshark Network analyzer offers a lot of data about the flow of packets through the network, grouped into three different panes. These are the Packet List Pane, the Packet Details Pane, and the Packet Byte Pane. The Packet List Pane Time: The Time column refers to the time the packet was received or sent, measured in seconds since the start of the capture. Source: The Source column indicates the IP address of the source. Destination: The Destination column indicates the destination IP address. Protocol: The Protocol column indicates the communication protocol that was used. Length: The Length column refers to the length of the package. Info: The Info column contains additional information about the package Time Source Destination Protocol Length Info "Bla FE View Any Wellp 2T SALES vrvat 33 18. PRZE LOUR & ITA ALL AIRE M PP 900 AT I TRY ILAHIMI LMS & LEA Tisvi ALL Jack S The Packet List Pane 12 AN Supy 28: 65 bytes my užs (4 bits), @kites diyħamel (all bits) a mentes (2105_{2}\\DAĻ » AENBAU Exeme, Sec 55:47 (bell Scres: (fibl مرارة الكليمر 72 V 1773-1445 " طار PIS N C-1A38–427QGIER), The Packet Details Pane The Packet Byte Pane Packin/277 Declandi 7147 (d) Frefle: Defant Figure 2.9: Network monitoring output

The Packet Details Pane fra 241 bytes oil 14 DIT), bytes coutured a batalo Interface device_28229042-4813-4987-9408-ASSIVA), Different Titel Langen de vices ( Flag Do I fr (9) (CMI, ECR: THE-ECT) Header] [der cac Figure 2.10 The Packet Detak Pane The first dropdown list shows metadata about the packet The second dropdown list shows Information about the network analyzed The third dropdown list shows Information about the IP protocol used The Packet Byte Pane Frame 24: 60 bytes on wi >> Ethernet II, Src: VMware_ Internet Protocol Version The Packet Byte Pane box displays packet data defined in hexadecimal format. LULL j Feb 7177 m 7117 Cocoa Fo Figure 2:13: The Packet Byte Pane INFORMATION Wireshark shows the packel byte pane in hexadecimal formal because it provides a more compact and Teadable representation of the data transmitted on the network. In the hexadecimal system, each byle of data lovepresented by two digits (0-9 and A-F), which provides a concise way to display and analyze the contents of packets. The hexadecimal format is commonly used in networking protocols and standards, allowing easy data comparison and analysis across different systems and platforms. الوزارة التعليم 673-1445 13

The Packet Details Pane fra 241 bytes oil 14 DIT), bytes coutured a batalo Interface device_28229042-4813-4987-9408-ASSIVA), Different Titel Langen de vices ( Flag Do I fr (9) (CMI, ECR: THE-ECT) Header] [der cac Figure 2.10 The Packet Detak Pane The first dropdown list shows metadata about the packet The second dropdown list shows Information about the network analyzed The third dropdown list shows Information about the IP protocol used The Packet Byte Pane Frame 24: 60 bytes on wi >> Ethernet II, Src: VMware_ Internet Protocol Version The Packet Byte Pane box displays packet data defined in hexadecimal format. LULL j Feb 7177 m 7117 Cocoa Fo Figure 2:13: The Packet Byte Pane INFORMATION Wireshark shows the packel byte pane in hexadecimal formal because it provides a more compact and Teadable representation of the data transmitted on the network. In the hexadecimal system, each byle of data lovepresented by two digits (0-9 and A-F), which provides a concise way to display and analyze the contents of packets. The hexadecimal format is commonly used in networking protocols and standards, allowing easy data comparison and analysis across different systems and platforms. الوزارة التعليم 673-1445 13

Taking a closer look at the Packet List Pane that displays the scan results, you can see that the scan file contains packets describing conversations between users' machines (clients) and central servers. 444 Nats antarata 99 34 Sam 21 bytes by the (43) bits), 24ytes caytm (432) FINAL-ADALEC BASE-ATOMIECZFA), 28/0 bell hit form for Aciebie. Oul Traation mere, dus, Len: Srce Part 3668 51540 (Stream x Lepers L (relative aquecer Sesence met Smas [er] CкInd der Langt lyte (3) Flagre (AC) Apex A340 Calculated and [Ealy] Figure 2 13 Detailed output of Packet Detalls Pane In packet #2, the source IP address is 199.0.0.154, and the destination IP address is 199.0.0.46. The receiver sends a packet using the sender's TCP protocol over port 3389 as the source port (the receiver's port) and port 51549 as the destination port (the sender's port). No. Time Source 10.300000 199.0.0.45 20.74 30.0.0.154 138.0.4.48 30.805155 39.8.8.154 199.8.8.46 TLSv1.2 4.015935 19.0.0.46 199.8.8.154 TLSv1.2 5 0.032026 199.0.0.48 199.80.134 TLSv1.2 Destination Protocol Length Info 199.0.0.154 TLSv1.2 97 Application Data 8412380-525490] Segal Ack-Win-63846 Len-0 196 Application Date 104 Application Deta 104 Application Data Source IP address Source port Destination IP address Sender's TCP protocol قيارة التعليم 2173-1445 Destination port 75

7.6 In another example, in packet #10214, you can notice that the source IP address is 172.217.23.99, and the destination IP address is 199.0.0.154. The packet information also shows that the transmission protocol used is TCP, and the port number is 80, which indicates that the Hypertext Transfer Protocol (HTTP) is being used. This means the user is visiting a web page. The IP address 172.217.23.99 belongs to a Google search engine page, meaning you received a data packet from Google. Prial my h A 289.9.9.154 238.154 R U2 Ulication (a THIS D. С S TOP Enternet Pratical v17317-35. Tus: 10.154 Source Porto tell) [ Summ [Called Checksumi fill Լաոր-Առ urge lates 142 nytest, sent size. No Operation (MOP), oration (NP), scritted, o-Operation (OP), känd scale 7 [Timestamp] FB: bL 58 -246-99 AF y 14371 No. Time Source 10211 23-253043 199.0.0.154 18212 23.253149 199.8.3.154 10213 23.257407 199.0.0.154 10214 23.269741 172.217.23.99 18215 23.260831 199.0.0.154 10216 23,269944 199.0.0.154 Destination Protocol 172.217.15.161 TCP 172.217.16.161 TLSv1.2 216.58.205.14 TLSv1.2 199.8.0.154 TCP 172.217.23.99 TCP 172.217.25.99 HTTP Length Info 54 $1773 - 443 [ACK] Seq-775 Ack-7213 188 Application Data 147 Client Kay Exchange, Change Cipher Sp 68 51798 [SYN, ACK] Seq-U Ack-1 win 54 51790 80 [ACK] Sen-I Ack=1 in-2621 291 GET /gtsio1/MFIWUDBOMESAJBgUrDgMCG Figure 2.14 Analysis of IP addresses - التعليم 173-1445 G Google search engine page The Hypertext Transfer Protocol (HTTP) is being used

Detecting Suspicious Activity on a Network Wireshark is used to detect suspicious activities on the network. You will check Address Resolution Protocol (ARP) messages and packets that pass using this protocol to detect devices that are trying to perform suspicious operations. Detect ARP requests: > In the Edit tab, click Preferences. → > In the Preferences window, select the Protocols option. > Choose the ARP/RARP protocol. > Check the Detect ARP request storms box. > Click OK. > In the Package List Pane, you can check for suspicious activity. Address Resolution Protocal (ARP) The Address Resolution Protocol (ARP) is a communication protocol used for resolving the network layer addresses (IPv4 addresses! of a device to its corresponding data link layer address (MAC address) on a local network ARP is essential for enabling devices to communicate with each other on a local network by mapping IP addresses to MAC addresses. File View Crature Am Stat Tales кровения QUIT 27 178 71 176 Configuration Profiles Qu-Shi+A ロール 2 وزارة التعليم 2173-1865 Neg 3 5 4 ATM ATMICR AUT 6 77

35.JALLES ZE BEN Sourge 9.9.35 Http 12 ઘેલુ લો કે 119 TERVI 17m fac 10 TEM1.2 4-15) S L YUSIA 2 TOMI TO 22 54 bytes Iteer II, sell (482 bits) 54 bytes capt (432 bitx) (5:4), st Sormet Frans Verrion 4. See 26 ona Tyson Ctral Protioli; sed part: SAEP, Out Pinay 5254a, Sy as Jewingung Medb 14 2 T h of c Y THE HIP De L Pralin Defail Figure 2.15: Detect ARP requests In the Packet List Pane, the capture results show that suspicious network activity has been detected. More specifically, there is a device that sends data without showing the destination to which it is sent, and it eavesdrops on other devices on the network. It checks if IP 199.0.0.203 is in use, and the response is returned to IP 199.0.0.32. From this information, we can conclude that someone may be trying to detect if IP 199.0.0.203 is in use, as shown in figure 2.16. If it isn't, a potential intruder can use this IP address to connect to the network. 27 8.216840 26 9.216866 29 0.231972 30 0.234015 31 0.24819 32 0.248100 33 0 30482 وزارة التعليم 159.0.0.45 199.0.0.154 199.0.0.45 Hewlett_a1:10:ee 190.0.0.46 199.0.0.154 190.0.0.46 409.0.0.154 199.9.5.46 10.0.0.154 Broadcast 199.0.0.154 159.0.0.46 199.0 0.154 TLSv1.2 TCP TLSv1.2 ARP TLSVI. Tue TLSv1.2 104 Application Data 54 3389-51549 [ACK] Seq=2634 Ack-857 104 Application Data 60 iho has 99.0.0.283 Tell 199.0.0.32 104 Application Dute 5 3349-51549 AC] Seq=2634 Ack-957 97 Application Outa Hgum 2.18: An unknown user trying to defect II IP 199.0.0 203 is in use Someone may be trying to detect IFIP 199.0.0.203 is in use 78 1173-1449

Analyzing Data Flow with Expert Information Wireshark offers an Expert Information option to identify network problems and suspicious behavior, which aids non-professionals in recognizing such activity. Activating Expert Information: > In the Analyze tab, click the Expert Information option, > Suspicious activity is recognized by the Expert Information system. ALAY that, 200 Duplin Elite Expression Covation Fil 8-45-42 Cl- PAS (Iftirfry 248 12 1 Marcacion Brandcont Type A (Q Fedding Hardwars cype Exer Proton 4 2 Ser | Winestrark - Excient Information Extreme Target addr Semilly Summary وزارة التعليم 3173-1845 Grup P T comic PC) Звинност Sevence 1143 Ogl Stol Naming Photocal -016 15 Tim Tot a pacis in a to ma socal Narincil Colicos Flock Standy mas Spinal C P4 PH4 O quest 117 154 Step 2000 AAA ski-cal M Stey Sice Soquace P 194 P14 Scal P4 all quest Sequence 194 117 357 PU Saved Respond local QMo Sandy) Men Sinical Out Soquimce Знесе 607 -20 Dejuice Figure 2.17 Activating Expen Intorinanon 79

Connecting to a VPN Service on your Windows Machine The Windows operating system has a built-in VPN connector that you can use to protect your machine. This method is widely used, as it allows users to securely access remote resources, especially after the increase in the need for employees to work remotely from their homes. This means the organizations need to provide secure access for their remote employees. An employee can securely connect to the organization's servers through a VPN service without worrying about their login data or other sensitive data being intercepted if they connect from home or anywhere outside the organization's building. VPN User VPN clas Internet Service Pandi VPN Sun Jammet No VON User Internet Service Provider Internet Figure 2.18: VPN service is a secure method for remote employer Your Windows computer can connect to a VPN for business or personal use. A VPN connection provides more security in accessing your corporate network and the Internet in public places or through unsecured networks such as in restaurants and airports. Suppose you have a VPN service installed on your computer which is named my-vpn-server, and you want to connect to it. Connecting to a VPN Service: > In the Windows Start menu, click Settings. > In the Windows Settings window, click Network & internet. > Click on the VPN tab. > Click on the Add a VPN connection button. > In the VPN provider dropdown, select the Windows (built-in) option. > Type VPN in the Connection name field. > Type my-vpn-server in the Server name or address field. 16 the Type of Sign-in info field, choose the User name and password field. Pick Save. Во Pictures Sumings 1 Power Windows Settings 2

HOME VPN 4 யெம் Advanced Options Allow VPN over work 3 VPN A VPN connection Created AddVPN con work Internat VPN Figure 2:19. Connecting to a VPN Service Activating the VPN service After configuring the VPN service, you must connect to it to activate its features. Activating a VPN service: > In the Windows Notification area, click the Network button. > Choose the VPN connection you want to use, in this case: VPN > Click Connect. > Enter the username name & password. > Click OK. > When the connection 2173-1465 sestablished, the word Connected will appear below the name of the VAN network. D VAN 2 3 Cont Network & Internet setungs 1 4JAM Sign in 4 5 9 5 6 7 8 6 Figure 2 20 Acovaning a VPN service 81

1 Exercises I Read the sentences and tick True or False. 1. Network transmission media include twisted-pair, coaxial, and fiber-optic cables. 2. Routers are responsible for directing traffic within a local area network (LAN). 3. Cross-site scripting (XSS) is a type of web-based attack. 4. IPSec is a commonly used network protocol. 5. Firewalls can be implemented as software or hardware. 6 Intrusion Detection Systems (IDS) monitor file transfers. 7. Secure Sockets Layer (SSL) is a protocol for encrypting data during transmission. 8. The Domain Name System (DNS) translates IP addresses into human- readable domain names. 9. Wireshark is used for packet sniffing processes. True False 2 List the difference between the FTP and HTTPS protocols in terms of security. وزارة التعليم 82

3 Explain how Demilitarized Zones (DMZS) are used to protect internal networks from external threats. Evaluate the effectiveness of Virtual Private Networks (VPNs) in maintaining user privacy. وزارة التعليم

5 Evaluate how firewalls and Intrusion Detection Systems (IDSs) can be used to protect networks from attacks. 8 Explain the difference between network-based and host-based Intrusion Detection Systems (ID56) وزارة التعليم

7 Capture and analyze network traffic: • Start Wireshark and select your network Interface. Start the packet capture. • Browse the internet for a few minutes. Open a few websites, watch a video, etc. ⚫ Stop the packet capture and save the data • Analyze the traffic Extract some header info such as the source IP/Port, destination IP/Port, and capture time. BARP request analysis. • Start a new live capture on your Ethernet interface. ⚫Filter the results for ARP by typing "arp" Into the filter bar. • Analyze the results. How many ARP requests are there? Can you identify the source and destination MAC addresses? 9 Detecting unusual network activity in Wireshark ⚫Load the file Scan results pcaping provided by your teacher • Use the Expert Information tab to identify any potential issues or unusual activity ■ Take note of any anomalies and try to identify what might be causing them. Could any of these be a sign of a potential security threat? وزارة الكلية 95