Chapter 5
Network Security and Applications
Marks: 20 Hours: 10
Module 5 Network Security and Applications 4/22/2021 1
Module Contents
• Network security basics: TCP/IP vulnerabilities (Layer
wise), Packet Sniffing, ARP spoofing, port scanning, IP
spoofing, TCP syn flood, DNS Spoofing.
• Denial of Service: Classic DOS attacks, Source Address
spoofing, ICMP flood, SYN flood, UDP flood, Distributed
Denial of Service, Defenses against Denial of Service Attacks.
• Internet Security Protocols: SSL, IPSEC, Secure Email:
PGP, Firewalls, IDS and types, Honey pots
Secure Socket Layer (SSL)
Transport layer security service
Originally developed by Netscape
Version 3 designed with public input
Subsequently became internet standard known as TLS (transport
layer security)
Uses TCP to provide a reliable end-to-end service
SSL has two layers of protocols
Secure Socket Layer (SSL)
• SSL is the standard security technology for establishing an
encrypted link between the two systems.
• These can be browser to server, server to server or client to
server.
• Basically, SSL ensures that the data transfer between the
two systems remains encrypted and private.
• HTTPS is essentially HTTP over SSL.
• SSL establishes an encrypted link using an SSL certificate
which is also known as a digital certificate.
SSL Communication
SSL Architecture
Figure 1. SSL Architecture
Protocols in SSL
1. SSL Handshake Protocol
2. SSL Record Protocol
3. SSL Alert Protocol
4. SSL Change Cipher Spec Protocol
Handshake Protocol
• Allows the server and client:
– to authenticate each other
– to negotiate encryption & MAC algorithms
– to negotiate cryptographic keys to be used
• Comprises a series of messages in phases:
1. Establish security capabilities
2. Server authentication and key exchange
3. Client authentication and key exchange
4. Finish
• This protocol is used before any application data is sent.
• It consists of a series of messages exchanged by the client and server, all of which have the
format shown in Figure 5.
Message Format of Handshake Protocol
• Each message has three fields:
1. Type (1 byte): Indicates one of 10 messages such as “hello
request” (see figure 4).
2. Length (3 bytes): The length of the message in bytes.
3. Content (≥ 0 bytes): The parameters associated with this message,
such as the version of SSL being used.
Messages in Handshake Protocols
Figure 4: SSL Handshake protocol message types.
Phases of SSL Handshake Protocol
• The 4 phases of the SSL Handshake Protocol are as follows:
1. Phase-1: Establishing Security Capabilities
2. Phase-2: Server Authentication and Key Exchange
3. Phase-3: Client Authentication and Key Exchange
4. Phase-4: Finalizing Handshake Protocol
Figure 6: Handshake protocol action.
Four Phases of Handshake protocol
1. Establish security capabilities including protocol version,
session ID, cipher suite, compression method and initial
random numbers. This phase consists of the client hello
and server hello messages which contain the following
(for the client):
• Version: The highest SSL version understood by client
• Random: 32-bit timestamp and 28 byte nonce.
• Session ID: A variable length session identifier
• CipherSuite: List of cryptographic algorithms supported by client in
decreasing order of preference. Both key exchange and
CipherSpec (this includes fields such as CipherAlgorithm,
MacAlgorithm, CipherType, HashSize, Key Material and IV
Size) are defined.
• Compression Method: List of methods supported by client.
2. Server may send certificate, key exchange, and certificate
request; it also signals the end of the hello message phase. The
certificate sent is one of a chain of X.509 certificates. The server
key exchange is sent only if required. A certificate may be
requested from the client, if needed, by certificate request.
3. Upon receipt of the server done message, the client should
verify that the server provided a valid certificate, if
required, and check that the server hello parameters are
acceptable. If all is satisfactory, the client sends one or
more messages back to the server. The client sends
certificate if requested (if none available then it sends a
no certificate alert instead). Next the client sends the client
key exchange message. Finally, the client may send
certificate verification.
4. Change cipher suite and finish. The secure connection is
now set up and the client and server may begin to
exchange application layer data.
SSL Record Protocol Services
This protocol provides two services for SSL connections:
Confidentiality - using conventional encryption.
Message Integrity - using a Message Authentication Code (MAC).
In order to operate on data the protocol performs the
following actions (see figure 2):
Actions Performed in SSL Record Protocol
1. Fragmentation
2. Compression
3. Addition of MAC
4. Encryption
5. Prepared Header
Actions Performed in SSL Record Protocol
Figure 2: SSL Record Protocol Operation.
Figure 3: SSL record protocol payload.
SSL Record Format
Figure 4. SSL Record Format
SSL Header
The header consists of the following fields:
Content type (8 bits) - The higher layer protocol used to
process the enclosed fragment.
Major Version (8 bits) - Indicates major version of SSL in use.
For SSLv3, the value is 3.
Minor Version (8 bits) - Indicates minor version in use. For
SSLv3, the value is 0.
Compressed Length (16 bits) - The length in bytes of the
compressed (or plaintext) fragment.
Alert Protocol
• This protocol is used to convey SSL-related alerts to the peer entity.
• It consists of two bytes, the first of which takes the value 1 (warning)
or 2 (fatal).
• If the level is fatal, SSL immediately terminates the connection.
• The second byte contains a code that indicates the specific alert:
– fatal: unexpected message, bad record MAC, decompression failure,
handshake failure, illegal parameter
– warning: close notify, no certificate, bad certificate, unsupported
certificate, certificate revoked, certificate expired, certificate unknown
Change Cipher Spec Protocol
• This consists of a single message which consists of a single
byte with the value 1.
• This is used to cause the pending state to be copied into
the current state, which updates the cipher suite to be used
on this connection.
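The wire formats described above (record header, handshake message header, client hello fields, alert and change cipher spec messages) can be read with a short parser. This is an added example, not part of the original slides; the numeric content-type, handshake-type and alert codes are the standard SSLv3 values, which the slides do not list, and the byte stream is constructed.

```python
import struct

# Standard SSLv3 code points (the slides name these messages, not the numbers).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake",
                 23: "application_data"}
HANDSHAKE_TYPES = {0: "hello_request", 1: "client_hello", 2: "server_hello",
                   11: "certificate", 12: "server_key_exchange",
                   13: "certificate_request", 14: "server_done",
                   15: "certificate_verify", 16: "client_key_exchange",
                   20: "finished"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERTS = {0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
          30: "decompression_failure", 40: "handshake_failure",
          41: "no_certificate", 42: "bad_certificate",
          43: "unsupported_certificate", 44: "certificate_revoked",
          45: "certificate_expired", 46: "certificate_unknown",
          47: "illegal_parameter"}


def parse_records(buf):
    """Split a byte stream into (content_type, (major, minor), fragment)."""
    records = []
    while buf:
        if len(buf) < 5:
            raise ValueError("truncated record header")
        # Content type (8 bits), major, minor (8 bits each), length (16 bits).
        ctype, major, minor, length = struct.unpack("!BBBH", buf[:5])
        if ctype not in CONTENT_TYPES:
            raise ValueError(f"unknown content type {ctype}")
        if len(buf) < 5 + length:
            raise ValueError("fragment shorter than the header's length field")
        records.append((CONTENT_TYPES[ctype], (major, minor), buf[5:5 + length]))
        buf = buf[5 + length:]
    return records


def parse_handshake(fragment):
    """Return [(message_name, body)] using the 1-byte type, 3-byte length header."""
    messages = []
    while fragment:
        if len(fragment) < 4:
            raise ValueError("truncated handshake header")
        length = int.from_bytes(fragment[1:4], "big")
        body = fragment[4:4 + length]
        if len(body) != length:
            raise ValueError("handshake body shorter than its length field")
        messages.append((HANDSHAKE_TYPES.get(fragment[0], "unknown"), body))
        fragment = fragment[4 + length:]
    return messages


def parse_client_hello(body):
    """Decode the phase-1 client hello fields: version, random, session ID, suites."""
    sid_len = body[34]
    off = 35 + sid_len
    cs_len = int.from_bytes(body[off:off + 2], "big")
    suites = [int.from_bytes(body[i:i + 2], "big")
              for i in range(off + 2, off + 2 + cs_len, 2)]
    off += 2 + cs_len
    comp_len = body[off]
    return {"version": (body[0], body[1]),
            "timestamp": int.from_bytes(body[2:6], "big"),  # 32-bit timestamp
            "nonce": body[6:34],                            # 28-byte nonce
            "session_id": body[35:35 + sid_len],
            "cipher_suites": suites,                        # client preference order
            "compression": list(body[off + 1:off + 1 + comp_len])}


def parse_alert(fragment):
    """Alert = level byte (1 warning, 2 fatal) followed by the specific alert code."""
    if len(fragment) != 2:
        raise ValueError("an alert is exactly two bytes")
    return ALERT_LEVELS.get(fragment[0], "unknown"), ALERTS.get(fragment[1], "unknown")


def sample_stream():
    """Constructed sample: client hello, change cipher spec, fatal alert."""
    hello = (bytes([3, 0]) + (1619049600).to_bytes(4, "big") + bytes(range(28))
             + b"\x00"                      # empty session ID
             + b"\x00\x04\x00\x0a\x00\x05"  # two cipher suites, preferred first
             + b"\x01\x00")                 # one compression method: null
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return (b"\x16\x03\x00" + len(handshake).to_bytes(2, "big") + handshake
            + b"\x14\x03\x00\x00\x01\x01"       # change cipher spec: single byte 1
            + b"\x15\x03\x00\x00\x02\x02\x28")  # alert: fatal, handshake_failure
```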
Questions on SSL
1. What is the need for SSL? Explain all the phases of the
SSL Handshake protocol in detail.
2. List the functions of the different protocols of
SSL. Explain the handshake protocol.
3. Explain the services of the SSL protocol.
4. How do the client and server establish an SSL connection?
IPSEC
Security architecture and protocol stack
• Secure applications: PGP, HTTPS, S-HTTP, SFTP, …
• Security down in the protocol stack
– SSL between TCP and application layer
– IPSEC between TCP and IP
[Figure: protocol stack, top to bottom: Applicat. (HTTPS) or SSL/TLS, TCP, IPSEC, IP]
IP Security
• there exist several application-specific security mechanisms
– e.g. S/MIME, PGP, Kerberos, SSL/HTTPS
• however, there are security concerns that cut across protocol layers
• it is important to have a security protocol that can be used
by all applications
• IP security: security between IP and TCP
IPSec
• IP Security mechanism provides
– Data Integrity
– authentication
– confidentiality
– Non-repudiation
• mandatory in IPv6, optional in IPv4
IPSec
payload = actual data carried by the headers
Benefits of IPSec
• a firewall/router provides strong security to all
traffic crossing the perimeter
• is resistant to bypass
• is below transport layer, hence transparent to
applications
• can be transparent to end users (allow to realize
Virtual Private Networks)
• can provide security for individual users if desired
Security Features
• implemented as extension headers that follow
the main IP header
– Authentication Header (AH) is the
extension header for authentication
– Encapsulating Security Payload (ESP) is the
extension header for encryption
IPsec Document Overview
ESP = Encapsulating Security Payload
AH = Authentication Header
DOI = Domain of Interpretation
Security Associations
• A security association (SA) is a one-way relationship
between sender & receiver that affords security for
traffic flow
– a logical group of security parameters that eases the sharing of
information with another entity
• Identified by 3 main parameters:
– Security Parameters Index (SPI)
– IP Destination Address
– Security Protocol Identifier (AH or ESP)
• There is a database of Security Associations (SADB)
SA, continued 1
• bi-directional traffic flows secured by 2 SAs
• choice of encryption and authentication algorithms
(from a defined list) left to IPsec administrator
• protection for outgoing packet determined by
– Security Parameter Index (SPI), i.e. index to the SADB
– destination address in packet header
• similar procedure for incoming packets, where IPsec
gathers decryption and verification keys from SADB
SA, continued 2
• For multicast, SA is provided for the group, and is
duplicated across all authorized receivers of the
group.
• There may be more than one SA for a group, using
different SPIs, thereby allowing multiple levels and sets of
security within a group.
• Note that the relevant standard does not describe how
the association is chosen and duplicated across the group;
it is assumed that a responsible party will have made the choice.
SA's parameters
• Sequence Number Counter
– 32-bit value used to generate the Sequence Number field
in AH or ESP headers
• Sequence Counter Overflow
– flag indicating whether overflow of the Sequence Number
Counter should generate an auditable event and prevent
further transmission of packets on this SA
• Anti-Replay Window
– used to determine whether an inbound AH or ESP packet
is a replay
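The three SA parameters above work together as sketched here. This is an added example, not part of the original slides: it uses a bitmap sliding window as one common way to implement the anti-replay check, and the class names, window size and sequence values are assumptions chosen for illustration.

```python
class SequenceOverflow(Exception):
    """Auditable event: the outbound Sequence Number Counter would wrap."""


class OutboundSA:
    """Sender side of one SA: Sequence Number Counter plus the overflow flag."""

    def __init__(self, spi, overflow_is_fatal=True, start=0):
        self.spi = spi
        self.counter = start                        # 32-bit counter
        self.overflow_is_fatal = overflow_is_fatal  # Sequence Counter Overflow flag

    def next_seq(self):
        """Return the Sequence Number for the next AH or ESP header."""
        if self.counter == 0xFFFFFFFF:
            if self.overflow_is_fatal:
                # Stop transmitting on this SA; it has to be replaced.
                raise SequenceOverflow(f"SPI {self.spi:#x}: counter exhausted")
            self.counter = 0                        # wrap only if the flag allows it
        self.counter += 1
        return self.counter


class ReplayWindow:
    """Receiver side of one SA: sliding Anti-Replay Window kept as a bitmap."""

    def __init__(self, size=32):
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set means (top - i) was already received

    def accept(self, seq):
        """True (and recorded) if seq is new; False if replayed or too old.

        A real receiver calls this only after the packet's integrity check
        has passed, so forged packets cannot move the window.
        """
        if seq == 0:
            return False
        if seq > self.top:                          # advances the window
            shift = seq - self.top
            mask = (1 << self.size) - 1
            self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:                     # left of the window: too old
            return False
        if (self.bitmap >> offset) & 1:             # already seen: replay
            return False
        self.bitmap |= 1 << offset                  # late but new: accept once
        return True


def classify(seqs, size=32):
    """Run a constructed arrival order through a fresh window."""
    window = ReplayWindow(size)
    return [window.accept(s) for s in seqs]


if __name__ == "__main__":
    # Constructed arrival order with a replay (2), a jump (10) and late packets.
    print(classify([1, 2, 3, 2, 10, 6, 7, 7, 9], size=4))
```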
SA's parameters
• AH Information
– Authentication algorithm, keys, key lifetimes,
and related parameters being used with AH
• ESP Information
– Encryption and authentication algorithm, keys,
initialization values, key lifetimes, and related
parameters being used with ESP
SA's parameters
• Lifetime of This Security Association
– A time interval or byte count after which an
SA must be replaced with a new SA (and new
SPI) or terminated, plus an indication of which of these actions should occur
• IPSec Protocol Mode
– Tunnel, transport, or wildcard
• Path MTU
– Any observed path maximum transmission unit
(maximum size of a packet that can be
transmitted without fragmentation) and aging variables
Transport & Tunnel Modes
Transport Mode
• Used for host-to-host communications
• Only payload (the data you transfer) of IP packet is
encrypted and/or authenticated
• Routing is intact, since the IP header is neither
modified nor encrypted
– however, when the authentication header is used, the IP
addresses cannot be translated (NAT), as this will
invalidate the hash value
Transport mode, continued
• Transport and application layers are always secured
by hash, so they cannot be modified in any way (for
example by translating the port numbers)
• A means to encapsulate IPsec messages for NAT
traversal has been defined (see RFCs 3715, 3947,
3948), describing the NAT-T mechanism
Tunnel Mode
• The entire IP packet (data and IP header) is
encrypted and/or authenticated. It is then
encapsulated into a new IP packet with a new IP
header.
• Tunnel mode is used to create Virtual Private
Networks (VPN) for network-to-network
communications (e.g. between routers to link sites),
host-to-network communications (e.g. remote user
access), and host-to-host communications (e.g.
private chat)
Transport & Tunnel Modes
Authentication Header (AH)
• provides support for data integrity & authentication
of IP packets
– end system/router can authenticate user/app
– prevents address spoofing attacks by tracking sequence numbers
• does not provide support for
confidentiality
• based on use of a MAC
– HMAC-MD5-96 or HMAC-SHA-1-96
• users must share a secret key
Authentication Header
[Figure: Authentication Header; labelled: higher level protocol, e.g. TCP]
AH protocol
• AH protects the IP payload and all header
fields of an IP datagram except for mutable
fields
– In IPv4, mutable (and therefore
unauthenticated) IP header fields include TOS,
Flags, Fragment Offset, TTL and Header
Checksum.
• AH operates directly on top of IP, using IP
protocol number 51
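Why a router changing the TTL leaves AH valid while NAT rewriting an address breaks it can be shown by computing the integrity value with the mutable fields zeroed. This is an added example, not part of the original slides; it assumes an IPv4 header without options, HMAC-SHA-1-96, and a constructed key, addresses and payload.

```python
import hashlib
import hmac
import ipaddress
import struct

AH_PROTO = 51  # AH runs directly on top of IP with protocol number 51


def ipv4_header(src, dst, ttl, payload_len, tos=0):
    """Build a 20-byte IPv4 header (checksum left at 0; AH does not cover it)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, 0, 0,
                       ttl, AH_PROTO, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def zero_mutable(header):
    """Zero the fields the slide lists as mutable before authenticating."""
    h = bytearray(header)
    h[1] = 0                  # TOS
    h[6:8] = b"\x00\x00"      # Flags and Fragment Offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # Header Checksum
    return bytes(h)


def ah_header(spi, seq, next_header, icv=b"\x00" * 12):
    """Next Header, Payload Len (32-bit words minus 2), Reserved, SPI, Seq, ICV."""
    return struct.pack("!BBHII", next_header, 4, 0, spi, seq) + icv


def compute_icv(key, ip_hdr, spi, seq, next_header, payload):
    """HMAC-SHA-1-96: HMAC-SHA-1 truncated to 96 bits, ICV field zeroed as input."""
    data = zero_mutable(ip_hdr) + ah_header(spi, seq, next_header) + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:12]


def protect(key, src, dst, ttl, spi, seq, payload, next_header=6):
    """Transport-mode AH: IP header, then AH, then the higher-level protocol."""
    ip_hdr = ipv4_header(src, dst, ttl, 24 + len(payload))
    icv = compute_icv(key, ip_hdr, spi, seq, next_header, payload)
    return ip_hdr + ah_header(spi, seq, next_header, icv) + payload


def verify(key, packet):
    """Recompute the ICV on the receiver and compare in constant time."""
    ip_hdr, ah, payload = packet[:20], packet[20:44], packet[44:]
    next_header, _, _, spi, seq = struct.unpack("!BBHII", ah[:12])
    expected = compute_icv(key, ip_hdr, spi, seq, next_header, payload)
    return hmac.compare_digest(expected, ah[12:])


def rewrite(packet, ttl=None, src=None):
    """Simulate in-transit changes: a router lowering TTL, NAT rewriting the source."""
    p = bytearray(packet)
    if ttl is not None:
        p[8] = ttl
    if src is not None:
        p[12:16] = ipaddress.IPv4Address(src).packed
    return bytes(p)


if __name__ == "__main__":
    key = b"constructed-shared-key"            # constructed shared secret
    pkt = protect(key, "192.0.2.10", "198.51.100.7", 64, 0x1001, 1,
                  b"constructed TCP segment")
    print("as sent:        ", verify(key, pkt))
    print("TTL decremented:", verify(key, rewrite(pkt, ttl=63)))
    print("source NATed:   ", verify(key, rewrite(pkt, src="203.0.113.5")))
```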
Encapsulating Security Payload (ESP)
• provides message content confidentiality & limited
traffic flow confidentiality
• can optionally provide the same
authentication services as AH
• supports range of ciphers, modes, padding
– DES, Triple-DES, RC5, IDEA, CAST etc
– CBC most common
– padding to meet blocksize of the packet
– HMAC (same as AH)
Encapsulating Security Payload
ESP - encoding and authentication: Transport mode
ESP - encoding and authentication: Tunnel mode
Transport vs Tunnel Mode ESP
• transport mode is used to encrypt & optionally
authenticate IP data
– data protected but header left in clear
– adversary can try traffic analysis
– good for host to host traffic
• tunnel mode encrypts entire IP packet
– add new header for next hop
– slow
– good for VPNs (Virtual Private Networks, gateway to
gateway security)
Transport vs Tunnel Mode ESP
Summary
• have considered:
– IPSec security framework
– AH
– ESP
– key management & Oakley/ISAKMP
Pretty Good Privacy (PGP)
Email Security Enhancements
• confidentiality
– protection from disclosure
• authentication
– of sender of message
• message integrity
– protection from modification
• non-repudiation of origin
– protection from denial by sender
Pretty Good Privacy (PGP)
• widely used de facto secure email
• selected the best available crypto algorithms to use
• integrated into a single program
• originally free, now commercial versions are also available
PGP Operation – Authentication
1. sender creates message
2. makes a 160-bit SHA-1 hash of message
3. attaches RSA-signed hash to message
4. receiver decrypts & recovers hash code
5. receiver verifies received message hash
PGP Operation – Authentication
PGP Operation – Confidentiality
1. sender forms 128-bit random session key
2. encrypts message with session key
3. attaches session key encrypted with RSA
4. receiver decrypts & recovers session key
5. session key is used to decrypt message
PGP Operation – Confidentiality
PGP Operation – Confidentiality & Authentication
• can use both services on same message
• create signature & attach to message
• encrypt both message & signature
• attach RSA/ElGamal encrypted session key
PGP Operation – Confidentiality & Authentication
PGP Operation – Compression
• by default PGP compresses message after signing but before
encrypting
• so can store uncompressed message & signature for later
verification
• & because compression is non deterministic
• uses ZIP compression algorithm
PGP Operation – Email Compatibility
• when using PGP will have binary data to send (encrypted
message etc)
• however email was designed only for text
• hence PGP must encode raw binary data into printable
ASCII characters
• uses radix-64 algorithm
• maps 3 bytes to 4 printable chars
• also appends a CRC
• PGP also segments messages if too big
PGP Operation – Summary
PGP Session Keys
• need a session key for each message
• of varying sizes: 56-bit DES, 128-bit CAST or IDEA, 168-bit
Triple-DES
• generated using ANSI X12.17 mode
• uses random inputs taken from previous uses and from
keystroke timing of user
PGP Key Rings
• each PGP user has a pair of keyrings:
• public-key ring contains all the public-keys of other PGP users
known to this user, indexed by key ID
• private-key ring contains the public/private key pair(s) for this
user, indexed by key ID & encrypted keyed from a hashed
passphrase
• security of private keys thus depends on the pass-phrase
security
PGP Key Rings
Firewalls
Firewall
• A firewall is any device used to prevent outsiders from
gaining access to your network.
• It checks each packet against a list of rules to permit or deny
its transmission
• Firewalls commonly implement exclusionary schemes or
rules that sort out wanted and unwanted addresses.
• They filter all traffic between a protected (“inside”) network and a less
trustworthy (“outside”) network
Firewall
Firewall Composition?
• Firewalls can be composed of software, hardware, or, most
commonly, both.
• The software components can be either proprietary, shareware, or
freeware.
• The hardware is typically any hardware that supports the firewall
software.
Firewall Design Goals
• All traffic in both direction must pass through the firewall
• Only authorized traffic should be allowed to pass
• Firewall should itself be immune to penetration
• Compromised firewall can completely undermine the network
security
• Tradeoff between security and productivity
• Internal network could be completely secure, but employees may
not be able to communicate
Firewall Types
• There are different kinds of firewalls, and each type has its
advantages & disadvantages.
• Firewalls can be classified in two broad categories
• Network Level Firewalls
• Personal Firewalls
Firewall Network Level Firewalls
• Network-level firewalls are usually router based.
• Rules for who & what can access your network are applied at router level.
• Scheme is applied through a technique called packet filtering
• Network Level Firewalls can be classified as
– Packet-Filtering Firewalls: the simplest and most effective type of firewalls
– Stateful Inspection Firewalls: maintain state info from one packet to another in the input stream
– Application-Level Firewalls (Proxies): proxy server, a relay of application-level traffic
Firewall Packet Filtering
• Packet Filtering is the process of examining the packets that
come to the router from the outside world.
• Packet headers are inspected by a firewall or router to make
a decision to block the packet or allow access
• Two Approaches:
• Stateless (a.k.a. static)
• Stateful
Firewall Stateless Packet Filtering
• Ignores the “state” of the connection
• Each packet header is examined individually and compared
to a “rule base”
• Packet data is ignored
• Common criteria to filter on:
• Protocol Type
• IP address
• Port Number
• Message Type
Firewall Stateful Packet Filtering
• Maintains a record of the state of the connection (referred
to as state table)
• Packet is compared against both rule base and state table
• Some stateful filters can examine both packet header and
content
• Called “stateful” because it permits outgoing sessions while
denying incoming sessions
Firewall Application Gateway Firewall
• When a remote user contacts a network running an
application gateway, the gateway blocks the remote
connection.
• Instead of passing the connection along, the gateway
examines various fields in the request.
• If these meet a set of predefined rules, the gateway creates
a bridge between the remote host and the internal host.
Firewall Access Policy
• A list of rules describing which packets are to be forwarded
• Each packet is compared against this list
• The longer the list the greater the latency (delay)
• Examples:
• From any to any port 80 permit
• From any to any PORT any deny
• From *.albany.edu to any PORT any DENY
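The access policy above, evaluated first-match like a stateless filter, together with the state table from the stateful filtering slide, can be modelled as follows. This is an added example, not part of the original slides; it assumes first-match semantics, hostnames instead of IP addresses, and a hypothetical inside network named `.corp.example` whose outgoing sessions are always permitted.

```python
from collections import namedtuple
from fnmatch import fnmatch

Rule = namedtuple("Rule", "src dst port action")
Packet = namedtuple("Packet", "src dst sport dport")

# The three example rules from the slide, in the order given.
SLIDE_RULES = [
    Rule("any", "any", 80, "permit"),
    Rule("any", "any", "any", "deny"),
    Rule("*.albany.edu", "any", "any", "deny"),
]


def _host_match(pattern, host):
    return pattern == "any" or fnmatch(host, pattern)


def _port_match(pattern, port):
    return pattern == "any" or pattern == port


def stateless_decision(rules, pkt, default="deny"):
    """Compare the packet header with the rule base; the first match wins."""
    for index, rule in enumerate(rules):
        if (_host_match(rule.src, pkt.src) and _host_match(rule.dst, pkt.dst)
                and _port_match(rule.port, pkt.dport)):
            return rule.action, index
    return default, None


def _covers(earlier, later):
    """Conservative test: does `earlier` match every packet `later` matches?"""
    def field(a, b):
        return a == "any" or a == b
    return (field(earlier.src, later.src) and field(earlier.dst, later.dst)
            and field(earlier.port, later.port))


def shadowed_rules(rules):
    """Indexes of rules that can never fire because an earlier rule covers them."""
    return [j for j, later in enumerate(rules)
            if any(_covers(earlier, later) for earlier in rules[:j])]


class StatefulFilter:
    """Rule base plus a state table of sessions opened from the inside."""

    def __init__(self, rules, inside_suffix):
        self.rules = rules
        self.inside_suffix = inside_suffix   # assumption: inside hosts share a suffix
        self.state = set()

    def decide(self, pkt):
        if pkt.src.endswith(self.inside_suffix):
            # Outgoing session: permit and remember it in the state table.
            self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "permit"
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.state:
            return "permit"                  # reply belonging to a tracked session
        return stateless_decision(self.rules, pkt)[0]


if __name__ == "__main__":
    web = Packet("host.albany.edu", "www.example.org", 40000, 80)
    print(stateless_decision(SLIDE_RULES, web))   # port 80 rule is hit first
    print(shadowed_rules(SLIDE_RULES))            # the *.albany.edu rule never fires
```

Auditing a rule base for shadowed entries is a quick way to find policy that looks enforced but is never reached.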
Firewall Limitations
• Firewalls are not a complete solution to all computer
security problems. Limitations:
• The firewall cannot protect against attacks that bypass the
firewall
• The firewall does not protect against internal threats
• The firewall cannot protect against the transfer of
virus-infected programs or files
Firewall Configuration Strategies
Screening Router
• Simple
• Filters traffic to
internal computers
• Provides minimal
security
Source: Guide To Firewalls and Network Security
Firewall Configuration Strategies
Screening Host
• Host makes Internet request
• Gateway receives client request
and makes a request on behalf
of the client
• Host IP address never
displayed to public
Source: Guide To Firewalls and Network Security
Intrusion Detection Systems (IDS)
Intrusion Detection Systems (IDS)
• Firewalls allow traffic only to legitimate hosts and services
• Traffic to the legitimate hosts/services may contain attacks
• Solution?
• Intrusion Detection Systems
• Monitor data and behavior
• Report when attacks are identified
Definition
• Intrusion : a security event, or combination of multiple security
events, that constitutes a security incident in which an intruder gains,
or attempts to gain, access to a system (or system resource) without
having authorization to do so
• Intruder – Insider and Outsider
• An intrusion detection system (IDS) monitors systems and analyzes
network traffic to detect signs of intrusion.
• An IDS can detect a variety of attacks in progress as well as
attempts to scan a network for weaknesses.
• An IDS can be a dedicated network appliance or a software solution
installed on a host computer.
Intrusion Detection Methods
1. Signature Based Detection
2. Anomaly Based Detection
i. Profile based Detection
ii. Threshold detection
IDS Detection Methodologies
1. Signature-based detection
- Compares known threat signatures to observed events to identify incidents
2. Anomaly-based detection
- Compares definitions of what activity is considered normal against observed
events to identify significant deviations
3. Stateful protocol analysis
- compares predetermined profiles of generally accepted definitions of benign
protocol activity for each protocol state against observed events to identify
deviations.
Signature-based IDS
• Characteristics:
• Uses known pattern matching to signify
attack
• Can identify intrusions from packet header/data
• May use Boolean operators in rule set
• ‘this_string’
• ‘this_variable’ AND ‘that_number’
• ‘this_string’ AND ‘that_variable’ NOT ‘that_tcp_flag’
Signature-based IDS
• Advantages
• Widely available
• Easy to implement
• Easy to update
• Disadvantages
• Cannot detect attacks for which it has no signature
• Must be updated for each new attack and attack variant
• Lag time from new exploit to update can be dangerous
• ‘New’ attack variant can be created by changing a single string
• May be resource intensive
Anomaly-based IDS
• Characteristics
• Uses statistical models or a machine learning engine to characterize
normal usage behaviors
• Recognizes departures from normal as potential intrusions
Anomaly-based IDS
• Advantages
• Can detect attempts to exploit new and unforeseen vulnerabilities
• Can recognize unusual traffic based on a number of characteristics:
• Payload
• Source address
• Time
• Can recognize authorized usage that falls outside the normal pattern
• Disadvantages
• Generally slower, more resource intensive compared to signature-based IDS
• Greater complexity, difficult to configure
• Higher percentages of false alerts
• Link between abnormal and intrusive may be weak
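The two detection styles compared above can be run side by side on the same events: a signature using the slide's AND/NOT form, and a threshold detector of the kind listed under anomaly-based methods. This is an added example, not part of the original slides; the signature, event fields, thresholds and log entries are all constructed for illustration.

```python
from collections import defaultdict

# Constructed signature in the slide's form:
# 'this_string' AND 'that_variable' NOT 'that_tcp_flag'
SIGNATURES = [
    {"name": "constructed-sig-1",
     "payload_all": [b"BADTOKEN-A", b"BADTOKEN-B"],
     "flags_none": {"RST"}},
]


def signature_alerts(events, signatures=SIGNATURES):
    """Signature-based: alert when every string matches and no excluded flag is set."""
    alerts = []
    for ev in events:
        for sig in signatures:
            strings_ok = all(s in ev["payload"] for s in sig["payload_all"])
            flags_ok = not (sig["flags_none"] & ev["flags"])
            if strings_ok and flags_ok:
                alerts.append((ev["ts"], ev["src"], sig["name"]))
    return alerts


def threshold_alerts(events, max_ports=5, window=10.0):
    """Threshold detection: flag a source that contacts more than max_ports
    distinct destination ports within `window` seconds.
    Returns {source: time the threshold was first crossed}."""
    recent = defaultdict(list)                 # src -> [(ts, dport)] inside window
    flagged = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        hits = [(t, p) for t, p in recent[ev["src"]] if ev["ts"] - t <= window]
        hits.append((ev["ts"], ev["dport"]))
        recent[ev["src"]] = hits
        if len({p for _, p in hits}) > max_ports and ev["src"] not in flagged:
            flagged[ev["src"]] = ev["ts"]
    return flagged


def sample_events():
    """Constructed events: a port sweep, one signature hit, two near misses
    and some normal traffic."""
    events = [{"ts": 1.0 + 0.5 * i, "src": "198.51.100.9", "dport": 20 + i,
               "flags": {"SYN"}, "payload": b""} for i in range(8)]
    events += [
        {"ts": 2.0, "src": "203.0.113.4", "dport": 80, "flags": {"PSH", "ACK"},
         "payload": b"GET /a?x=BADTOKEN-A&y=BADTOKEN-B"},
        {"ts": 2.5, "src": "203.0.113.5", "dport": 80, "flags": {"RST"},
         "payload": b"BADTOKEN-A BADTOKEN-B"},      # excluded by the NOT clause
        {"ts": 3.0, "src": "203.0.113.6", "dport": 80, "flags": {"ACK"},
         "payload": b"only BADTOKEN-A here"},       # one string of two: no match
    ]
    events += [{"ts": 4.0 + i, "src": "192.0.2.20", "dport": 443,
                "flags": {"ACK"}, "payload": b"hello"} for i in range(3)]
    return events


if __name__ == "__main__":
    log = sample_events()
    print("signature:", signature_alerts(log))   # no signature exists for the sweep
    print("threshold:", threshold_alerts(log))   # the sweep is caught by behaviour
```

Tightening `window` or raising `max_ports` trades missed sweeps against the false alerts listed among the disadvantages above.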
Types of IDS
• Network-based IDS
• Host-based IDS
• Wireless IDS
Host-based IDSs
• The software is installed on the server you’re attempting to
protect, like antivirus software
• Used to protect a critical network server or database server
• Characteristics:
• Runs on a single host
• Can analyze audit-trails, logs, integrity of files and directories, etc.
• May report to central administrative console
Host-based IDS
• Advantages:
• Relatively easy to deploy and to manage
• Only one machine is involved
• May require only one administrator
• Creates single source of log and alert information
• Generally not resource intensive - in most cases
• Often will not require CPU, memory, etc. beyond what is needed for OS and
applications
• Disadvantages:
• Works well for a single machine; extremely labor-intensive to monitor
multiple machines each running a host-based IDS
• If the host is compromised, the IDS may cease to function and thus no more
alerts will be generated
Host-based IDS
• Typical deployment environments:
• A single mission-critical machine
• User’s desktop machine
Network-Based IDSs
• Network-based IDSs
• Monitor activity on network segments
• They sniff traffic and alert a security administrator when
something suspicious occurs
Network-based IDS
• Network monitor
• Passively captures traffic and
inspects it
• Can also function in a client-server model
• Sensors are located on multiple machines across the
network
• All sensors feed data to console
• Console machine handles logging and alerting
Network-based IDS
• Advantages
• Positioned properly, can test effectiveness of firewalls, router access lists, etc.
• Can monitor multiple machines from one physical and logical location
• Console can generate an alert if a monitored machine/network has ceased to send
information
• Disadvantages:
• Since it is capturing all network packets, can produce large log/alert files
• Can be difficult to cull through vast amount of information
• Console machine generally must be quite powerful, similar to a workgroup server
• If console machine goes down then multiple machines may be left unmonitored
• Communication from sensors to console may increase overall network traffic levels
Honeypot
Honeypot
• A honeypot is a single machine set up to appear to be an
important (and possibly vulnerable) server
• All traffic to the machine is suspicious; no legitimate users
should connect
• Honeypots can be configured to emulate many server services
• Honeypots can help track and catch hackers
• A honeynet is a network set up with intentional vulnerabilities;
its purpose is to invite attack, so that an attacker's...
Honeypot
Honeynet