GSJ: VOLUME 6, ISSUE 5, May 2018 9

GSJ: Volume 6, Issue 5, May 2018, Online: ISSN 2320-9186 www.globalscientificjournal.com
GSJ© 2018 www.globalscientificjournal.com

SECURITY ENHANCEMENT & SOLUTION FOR AUTHENTICATION IN CORPORATE NETWORK WITH FIREWALL CONFIGURATION AND AUTHENTICATION FOR SERVER PROTOCOL

Syed Jamaluddin Ahmad, Roksana Khandoker, Farzana Nawrin

Syed Jamaluddin Ahmad, Assistant Professor, Department of Computer Science & Engineering, Shanto-Mariam University of Creative Technology, City: Dhaka, Country: Bangladesh, Mobile No.: +8801633628612 (Email: [email protected])
Roksana Khandoker, Senior Lecturer, Department of Computer Science & Engineering, University of South Asia, City: Dhaka, Country: Bangladesh, Mobile No.: +8801737157856 (Email: [email protected])
Farzana Nawrin, Lecturer, Department of Computer Science & Engineering, Shanto-Mariam University of Creative Technology, City: Dhaka, Country: Bangladesh, Mobile No.: +8801686521152 (Email: [email protected])

ABSTRACT

Firewalls are used to protect networks from malicious traffic from the outside and to limit the flow of information from inside protected networks to the outside world. Most firewalls filter traffic based on network addresses and packet contents. Unfortunately, one major goal of firewalling, that of limiting the users and programs that can communicate, is not well served by such designs: it is difficult to accurately map network addresses and packet contents to user and program names. Firewalls can solve the problem of securely mapping user names to addresses when filtering inbound traffic from untrusted networks through the use of covert authentication systems such as port knocking and single packet authorization. Egress firewalls can identify users and programs on trusted networks through the use of application filters. In this thesis, I survey the current state of both types of systems, describe their weaknesses, and introduce techniques to alleviate some of these weaknesses.

Tools: SMTP, SPA, NAT, HTTP, UDP, GRE, ICMP, TLS, etc.

INTRODUCTION

In ancient times, towns and villages were based around market-places, where goods from many sources could be traded freely. Over time, as towns grew into cities and gathered wealth, barbarians grew envious of the city-dwellers. In response to this threat, cities erected defensive walls to protect against outsiders. However, as the cities were still dependent on trade, the walls needed to have many gates to allow passage in and out of the cities; guards monitored who entered and exited and attempted to keep the barbarians out.

So it is with the Internet. When first created, it was designed to foster sharing and collaboration. True to this goal, it was built to be as open as possible, with few to no restrictions. Later, as threats grew, network administrators deployed firewalls, which restrict the network traffic allowed to enter and leave local networks, while still allowing "legitimate" traffic to pass. Unfortunately, discriminating between "legitimate" and "illegitimate" traffic is not easy. The best practice is to allow only traffic that is explicitly recognized as legitimate while blocking everything else, but this is easier said than done. Factors to take into account when examining traffic include sources, destinations, the users and programs that sent or will receive the traffic, the information being exchanged, the format of the information being exchanged, the time of day, the volume of traffic that has been sent by the source, and others; while not all of these are necessarily appropriate under all circumstances, others that are important are frequently ignored due to lack of information or the difficulty of checking. Also, no defensive measure is perfect: walls can be scaled with ladders or battered down by trebuchets, and security software can be disabled or bypassed by exploiting software or configuration vulnerabilities. For this reason, security (of both cities and computers) depends on the principle of defense in depth: the principle that security comes in layers, where the defeat of one layer doesn't leave everything vulnerable and attackers must bypass multiple layers to reach anything important.

Problems with Existing Firewall Technology

1. Firewalls can easily limit what services can be reached from outside. However, it may also be necessary to limit which users can connect to those services. A common assumption, made by many modern firewalls, is that trusted users only connect from small sets of trusted hosts with specific addresses; they implement user filtering by blocking incoming packets with source addresses not in these sets. Unfortunately, the source addresses on incoming packets tell little about the user who sent them; malicious users can spoof trusted hosts, and trusted users can connect from untrusted hosts. Since many trusted hosts may have dynamic (DHCP-assigned) IP addresses, opening a firewall to one trusted host may require opening it to thousands of IP addresses, making it easier for an attacker to find an address to spoof or a machine with a trusted address to hijack. Adjusting the set of trusted IP addresses typically involves either manual reconfiguration by a firewall administrator or connecting to some world-accessible authentication service, which itself may be vulnerable to attack.

2. Although users usually can be accurately linked to IP addresses within a local network, it can be difficult to limit the services with which those users are allowed to communicate. Firewalls generally attempt to filter outbound traffic by restricting the ports to which users may connect: for example, disallowing outbound connections to anything except TCP ports 80 (HTTP), 443 (HTTPS), and 20 and 21 (FTP). Unfortunately, this isn't particularly effective: non-standard services may be running on these allowed ports. Whereas application-layer firewalls can easily filter traffic that doesn't match the expected protocol for a port, it is much more difficult to detect disallowed applications that tunnel traffic through standard protocols on standard ports. For instance, tunneling various protocols through port 80, normally used for unencrypted WWW traffic, has become quite common [Alb04, BP04], and encryption renders most application-layer filters useless. Also, standard protocols can run on standard ports and still be used for unauthorized purposes. Restricting network access to only authorized local users and programs has the potential to alleviate these problems, but information about the users and applications that generated or will receive network traffic is usually only available at the source or destination hosts themselves, and isn't necessarily reliable.

1.1 Contributions of this thesis

This thesis introduces and describes methods for addressing both of these problems. The first can be addressed by using covert authentication systems, systems that allow users to authenticate without making their presence easy for attackers to detect, to allow legitimate users to inform ingress firewalls of their current network addresses and request that subsequent connections be accepted. Two such systems used today are port knocking and single packet authorization (SPA); I survey existing designs for both and highlight their strengths and weaknesses. Of particular concern are their weaknesses: both are frequently implemented with insecure authentication systems, do not authenticate servers to clients, fail in the presence of network address translation, are susceptible to denial-of-service attacks, and do not logically associate authentication exchanges with the network connections that they enable. Port knocking in particular is highly vulnerable to packet loss and reordering. With these flaws in mind, I then propose techniques that can be used to improve on existing port knocking and SPA systems. Challenge-response authentication provides both cryptographically secure authentication and a method to authenticate servers to clients; I propose port knocking and SPA designs using challenge-response authentication and show that the overhead imposed by such a system is not unreasonable under most circumstances. I present experimental analysis quantifying the degree of packet loss and re-ordering in packet streams typical of port knocking, and describe and compare several techniques for ensuring that messages transmitted by port knocking can be properly reassembled on delivery, regardless of the degree of reordering. I also propose several novel designs for port knocking systems and discuss their strengths and weaknesses compared to existing systems. Finally, I present and discuss several methods for creating logical associations between authentication exchanges and

presents a general overview of networking, cryptography, and relevant offensive and defensive computer security technologies.

2.1 Bibliography of Networking

The Internet was designed in the 1960s, '70s and '80s as a robust communication system between diverse local networks. Its design is based on a stack of five protocol layers:

1. Physical – responsible for encoding and decoding signals over a transmission medium, such as a wire, optical fiber, radio frequency, or avian carrier;
2. Data link – responsible for communication between hosts on a physical network segment;
3. Network – responsible for global addressing and routing packets between physical network segments;
4. Transport – responsible for
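The contributions section above names the weaknesses of common port knocking and SPA designs (replayable or weak authentication, no authentication of the server to the client, failure behind NAT, stale challenges) and proposes challenge-response authentication as the remedy. The following is an added example, not code from the paper or from any port knocking or SPA project, that models such a three-message SPA exchange in Python: the client asks, the server answers with a fresh nonce plus an HMAC proving it holds the shared key, and the client answers with an HMAC over the nonce, the source address the server observed, and the requested port. The shared key, the TEST-NET address 203.0.113.7, the message framing and the 10-second challenge lifetime are all constructed for the demo; a real firewall would replace the `allowed` set with an actual rule insertion.

```python
"""Challenge-response single packet authorization (SPA), added example.

Constructed for illustration; key, addresses and framing are demo values.
"""
import hashlib
import hmac
import os
import time

SHARED_KEY = b"constructed-demo-key"   # constructed; one secret per user in practice
CHALLENGE_TTL = 10.0                   # seconds a challenge stays answerable


def _mac(key, *parts):
    """HMAC-SHA256 over length-prefixed fields so adjacent fields cannot be confused."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        if isinstance(part, str):
            part = part.encode()
        h.update(len(part).to_bytes(4, "big") + part)
    return h.digest()


class SpaServer:
    """Firewall-side responder. `clock` is injectable so expiry can be shown."""

    def __init__(self, key, clock=time.time):
        self.key = key
        self.clock = clock
        self.pending = {}       # nonce -> (observed source, issue time)
        self.allowed = set()    # (source ip, port) pairs opened on the firewall

    def issue_challenge(self, observed_src):
        """Message 2: fresh nonce, the source address as the server saw it (so a
        client behind NAT learns its public address), and a MAC proving the
        server holds the key (server-to-client authentication)."""
        nonce = os.urandom(16)
        self.pending[nonce] = (observed_src, self.clock())
        return nonce, observed_src, _mac(self.key, b"server", nonce, observed_src)

    def verify_response(self, observed_src, nonce, port, tag):
        """Message 3: the nonce is single-use so a captured packet cannot be
        replayed, the challenge expires, and the opened rule is bound to the
        address the packet actually arrived from."""
        entry = self.pending.pop(nonce, None)
        if entry is None:
            return False
        src_at_issue, issued = entry
        if observed_src != src_at_issue or self.clock() - issued > CHALLENGE_TTL:
            return False
        expected = _mac(self.key, b"client", nonce, observed_src, str(port))
        if not hmac.compare_digest(expected, tag):
            return False
        self.allowed.add((observed_src, port))
        return True


class SpaClient:
    def __init__(self, key):
        self.key = key

    def respond(self, nonce, echoed_src, server_tag, port):
        """Verify the server's MAC before answering; return the response tag or None."""
        if not hmac.compare_digest(_mac(self.key, b"server", nonce, echoed_src), server_tag):
            return None
        return _mac(self.key, b"client", nonce, echoed_src, str(port))


def run_exchange(server, client, observed_src, port):
    """Drive the exchange; returns (accepted, nonce, client tag)."""
    nonce, echoed_src, stag = server.issue_challenge(observed_src)
    tag = client.respond(nonce, echoed_src, stag, port)
    if tag is None:
        return False, nonce, None
    return server.verify_response(observed_src, nonce, port, tag), nonce, tag


def demo():
    """Run the scenarios the text raises; returns a dict of outcomes."""
    now = [1000.0]
    server = SpaServer(SHARED_KEY, clock=lambda: now[0])
    client = SpaClient(SHARED_KEY)
    outcome = {}
    ok, nonce, tag = run_exchange(server, client, "203.0.113.7", 22)
    outcome["authenticated"] = ok
    # A captured response presented again is refused (nonce already consumed).
    outcome["replay_rejected"] = not server.verify_response("203.0.113.7", nonce, 22, tag)
    # A challenge from a responder without the key is never answered.
    impostor = SpaServer(b"some-other-key", clock=lambda: now[0])
    outcome["impostor_rejected"] = not run_exchange(impostor, client, "203.0.113.7", 22)[0]
    # A correct answer that arrives after the TTL is refused.
    nonce, src, stag = server.issue_challenge("203.0.113.7")
    tag = client.respond(nonce, src, stag, 22)
    now[0] += CHALLENGE_TTL + 1
    outcome["stale_rejected"] = not server.verify_response("203.0.113.7", nonce, 22, tag)
    outcome["rules"] = sorted(server.allowed)
    return outcome


if __name__ == "__main__":
    print(demo())
```

Binding the rule to the source address the server observed, rather than to an address the client writes into the packet, is what keeps the exchange working behind NAT; the server also echoes that address in the challenge so the client can include it in its own MAC and detect a challenge relayed from a different source.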
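The same section notes that port knocking is highly vulnerable to packet loss and reordering and that the thesis compares techniques for reassembling a knock sequence regardless of delivery order. The following is an added example, not code from the paper, showing one such technique in Python: each knock's destination port carries its own sequence index alongside one payload byte, the first slot carries the payload length, and a short authenticator is appended so that a sequence with a lost or substituted knock is never acted on. The port base, the 4-byte truncated tag and the message "open:22" are constructed demo values; the example only simulates the port numbers and does not send packets.

```python
"""Self-ordering port knock encoding, added example (constructed demo values)."""
import hashlib
import hmac
import random

KNOCK_BASE = 10000   # constructed: first port of the knock range
MAX_PAYLOAD = 32     # bytes, so the highest port stays below 65535
TAG_LEN = 4          # truncated HMAC; demo value, real designs use more and add a nonce


def encode_knocks(message: bytes, key: bytes):
    """Turn a message into a list of destination ports. Slot 0 holds the payload
    length; slot i (i >= 1) holds payload byte i-1. Port = base + slot*256 + byte,
    so every knock states its own position and order on the wire is irrelevant."""
    tag = hmac.new(key, message, hashlib.sha256).digest()[:TAG_LEN]
    payload = message + tag
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("message too long for the knock range")
    frames = bytes([len(payload)]) + payload
    return [KNOCK_BASE + slot * 256 + value for slot, value in enumerate(frames)]


class KnockReceiver:
    """Firewall-side collector: stores knocks by slot, reassembles when complete."""

    def __init__(self, key: bytes):
        self.key = key
        self.slots = {}

    def receive(self, port: int):
        """Record one observed knock; return the message once a complete,
        authentic sequence is present, otherwise None."""
        if not KNOCK_BASE <= port < KNOCK_BASE + 256 * (MAX_PAYLOAD + 1):
            return None                       # unrelated port, ignore
        slot, value = divmod(port - KNOCK_BASE, 256)
        self.slots.setdefault(slot, value)    # duplicate delivery keeps the first
        return self._try_assemble()

    def _try_assemble(self):
        if 0 not in self.slots:
            return None
        length = self.slots[0]
        if length < TAG_LEN or any(i not in self.slots for i in range(1, length + 1)):
            return None                       # a knock is still missing (loss)
        payload = bytes(self.slots[i] for i in range(1, length + 1))
        self.slots.clear()
        message, tag = payload[:-TAG_LEN], payload[-TAG_LEN:]
        expected = hmac.new(self.key, message, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(expected, tag):
            return None                       # corrupted or unauthenticated sequence
        return message


def deliver(ports, key: bytes, seed=None):
    """Feed knocks to a fresh receiver in shuffled order, simulating reordering
    on the path; return the reassembled message or None."""
    order = list(ports)
    random.Random(seed).shuffle(order)
    receiver = KnockReceiver(key)
    result = None
    for port in order:
        got = receiver.receive(port)
        if got is not None:
            result = got
    return result


if __name__ == "__main__":
    key = b"constructed-demo-key"
    knocks = encode_knocks(b"open:22", key)
    print(knocks)
    print(deliver(knocks, key, seed=7))        # reordered delivery still reassembles
    print(deliver(knocks[1:], key, seed=7))    # one knock lost: nothing is accepted
```

Because each knock names its slot, the receiver never has to assume arrival order; the cost is that an observer can see the message structure, which is why the authenticator (and, in a full design, a nonce or timestamp against replay) matters more here than in a classic fixed-sequence knock.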