Notes Unit 3

IPSec provides network layer security through protocols like Authentication Header (AH) and Encapsulating Security Payload (ESP), addressing issues such as data integrity, confidentiality, and replay protection. It utilizes the Internet Key Exchange (IKE) for automated key management, enhancing security by regularly regenerating keys. Additionally, Intrusion Detection Systems (IDS) monitor network traffic for threats, with various types including network and host-based systems, each offering unique capabilities to detect and respond to malicious activities.

Uploaded by Aman Singh

IP Security (IPSec) provides a stable, long-lasting base for network layer security.

IPSec supports all of the cryptographic algorithms in use today, and can also accommodate newer,
more powerful algorithms as they become available. IPSec protocols address these major security
issues:
Data origin authentication - Verifies that each datagram was originated by the claimed sender.
Data integrity - Verifies that the contents of a datagram were not changed in transit, either
deliberately or due to random errors.
Data confidentiality - Conceals the content of a message, typically by using encryption.
Replay protection - Ensures that an attacker cannot intercept a datagram and play it back at some
later time.
Automated management of cryptographic keys and security associations - Ensures that your VPN
policy can be used throughout the extended network with little or no manual configuration.
VPN uses two IPSec protocols to protect data as it flows through the VPN:
Authentication Header (AH) and Encapsulating Security Payload (ESP). The other part of
IPSec enablement is the Internet Key Exchange (IKE) protocol, or key management. While IPSec
encrypts your data, IKE supports automated negotiation of security associations (SAs), and
automated generation and refreshing of cryptographic keys.
The principal IPSec protocols are listed below:
• Authentication Header
The Authentication Header (AH) protocol provides data origin authentication, data integrity,
and replay protection. However, AH does not provide data confidentiality, which means that
all of your data is sent in the clear.
• Encapsulating Security Payload
The Encapsulating Security Payload (ESP) protocol provides data confidentiality, and also
optionally provides data origin authentication, data integrity checking, and replay protection.
• AH and ESP combined
VPN allows you to combine AH and ESP for host-to-host connections in transport mode.
• Enhanced Cryptographic Algorithms
The cryptographic algorithms supported in the VPN selection for Key Exchange Policy and Data
Policy security association attributes.

1. The Authentication Header (AH) protocol provides data origin authentication, data integrity,
and replay protection. However, AH does not provide data confidentiality, which means that all of
your data is sent in the clear.
AH ensures data integrity with the checksum that a message authentication code (a keyed hash
such as HMAC-MD5) generates. To ensure data origin authentication, AH includes a secret shared
key in the algorithm that it uses for authentication. To ensure replay protection, AH uses a
sequence number field within
the AH header. It is worth noting here, that these three distinct functions are often lumped together
and referred to as authentication. In the simplest terms, AH ensures that your data has not been
tampered with en route to its final destination.
Although AH authenticates as much of the IP datagram as possible, the values of certain fields in
the IP header cannot be predicted by the receiver. AH does not protect these fields, known as
mutable fields. However, AH always protects the payload of the IP packet.
One can apply AH in two ways: transport mode or tunnel mode. In transport mode, the IP header
of the datagram is the outermost IP header, followed by the AH header and then the payload of the
datagram. AH authenticates the entire datagram, except the mutable fields. However, the
information contained in the datagram is transported in the clear and is, therefore, subject to
eavesdropping. Transport mode requires less processing overhead than tunnel mode, but does not
provide as much security.
Tunnel mode creates a new IP header and uses it as the outermost IP header of the datagram. The
AH header follows the new IP header. The original datagram (both the IP header and the original
payload) comes last. AH authenticates the entire datagram, which means that the responding system
can detect whether the datagram changed while in transit.
When either end of a security association is a gateway, use tunnel mode. In tunnel mode the source
and destination addresses in the outermost IP header do not need to be the same as those in the
original IP header. For example, two security gateways might operate an AH tunnel to authenticate
all traffic between the networks they connect together. In fact, this is a very typical configuration.
The main advantage of using tunnel mode is that tunnel mode totally protects the encapsulated IP
datagram. In addition, tunnel mode makes it possible to use private addresses. In many cases, your
data only requires authentication. While the Encapsulating Security Payload (ESP) protocol can
perform authentication, AH does not affect your system performance as much as ESP does. Another
advantage of using AH is that AH authenticates the entire datagram. ESP, however, does not
authenticate the leading IP header or any other information that comes before the ESP header.
In addition, ESP requires strong cryptographic algorithms in order to be put into effect. Strong
cryptography is restricted in some regions, while AH is not regulated and can be used freely around
the world.
AH uses algorithms known as hashed message authentication codes (HMAC). Specifically, VPN
uses HMAC-MD5, HMAC-SHA, or AES-XCBC-MAC. Each of these algorithms takes
variable-length input data and a secret key to produce fixed-length output data (called a hash or
MAC value). If the hashes of two messages match, then it is likely that the messages are the same.
The Internet Engineering Task Force (IETF) formally defines the algorithms in the following
Requests for Comments (RFCs):
• HMAC-MD5 in RFC 2085, HMAC-MD5 IP Authentication with Replay Prevention
• HMAC-SHA in RFC 2404, The Use of HMAC-SHA-1-96 within ESP and AH
• AES-XCBC-MAC in RFC 3566, The AES-XCBC-MAC-96 Algorithm and Its Use With IPsec
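The three AH functions described above (a keyed integrity check, origin authentication through the shared key, and replay protection through the sequence number) as an added Python example; this is not code from the original notes or from any VPN product. It assumes a constructed shared key, a minimal IPv4 header, HMAC-SHA-1-96 as the ICV algorithm and a 32-packet anti-replay window; the mutable header fields zeroed before the ICV is computed are the ones RFC 4302 lists.

```python
import hashlib
import hmac
import struct

# Constructed values for the example; not from any real deployment.
AH_KEY = b"\x0b" * 20        # hypothetical shared secret for HMAC-SHA-1
ICV_LEN = 12                 # HMAC-SHA-1-96 keeps the first 96 bits of the MAC
REPLAY_WINDOW = 32           # receiver tracks the last 32 sequence numbers
AH_PROTO = 51
NEXT_HDR_TCP = 6


def ipv4_header(src: bytes, dst: bytes, ttl: int, total_len: int) -> bytes:
    """Minimal IPv4 header carrying an AH payload (checksum left as 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0,
                       ttl, AH_PROTO, 0, src, dst)


def zero_mutable(ip_hdr: bytes) -> bytes:
    """Zero the fields routers may rewrite (RFC 4302 'mutable' fields):
    DSCP/ECN, flags + fragment offset, TTL and header checksum."""
    hdr = bytearray(ip_hdr)
    hdr[1] = 0
    hdr[6:8] = b"\x00\x00"
    hdr[8] = 0
    hdr[10:12] = b"\x00\x00"
    return bytes(hdr)


def ah_header(spi: int, seq: int, icv: bytes) -> bytes:
    """AH: next header, payload length (32-bit words minus 2), reserved, SPI, seq, ICV."""
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", NEXT_HDR_TCP, payload_len, 0, spi, seq) + icv


def compute_icv(key: bytes, ip_hdr: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """ICV over the whole datagram with mutable fields and the ICV itself zeroed."""
    data = zero_mutable(ip_hdr) + ah_header(spi, seq, b"\x00" * ICV_LEN) + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def build_ah_packet(key, src, dst, ttl, spi, seq, payload):
    total_len = 20 + 12 + ICV_LEN + len(payload)
    ip_hdr = ipv4_header(src, dst, ttl, total_len)
    return ip_hdr + ah_header(spi, seq, compute_icv(key, ip_hdr, spi, seq, payload)) + payload


def decrement_ttl(packet: bytes) -> bytes:
    """What a router does in transit: TTL is mutable, so the ICV must still verify."""
    return packet[:8] + bytes([packet[8] - 1]) + packet[9:]


class AhReceiver:
    """Verifies ICVs and enforces a sliding anti-replay window (RFC 4302 style)."""

    def __init__(self, key: bytes, spi: int):
        self.key = key
        self.spi = spi
        self.highest_seq = 0
        self.bitmap = 0      # bit i set => highest_seq - i has been accepted

    def _in_window(self, seq: int) -> bool:
        if seq > self.highest_seq:
            return True                       # newer than anything seen
        diff = self.highest_seq - seq
        if diff >= REPLAY_WINDOW:
            return False                      # too old to track: reject
        return not (self.bitmap >> diff) & 1  # already accepted => replay

    def _mark(self, seq: int) -> None:
        if seq > self.highest_seq:
            shift = seq - self.highest_seq
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << REPLAY_WINDOW) - 1)
            self.highest_seq = seq
        else:
            self.bitmap |= 1 << (self.highest_seq - seq)

    def verify(self, packet: bytes) -> str:
        ip_hdr, rest = packet[:20], packet[20:]
        _, _, _, spi, seq = struct.unpack("!BBHII", rest[:12])
        icv, payload = rest[12:12 + ICV_LEN], rest[12 + ICV_LEN:]
        if spi != self.spi:
            return "unknown SPI"
        if not self._in_window(seq):
            return "replay"                   # cheap check first, before the HMAC
        if not hmac.compare_digest(compute_icv(self.key, ip_hdr, spi, seq, payload), icv):
            return "bad ICV"                  # window is only updated after the ICV passes
        self._mark(seq)
        return "ok"
```

A packet whose TTL was decremented in transit still verifies, while a packet whose payload or destination address was changed fails the ICV; a replayed packet is rejected by the window before any HMAC work is done, and the window is only advanced once the ICV has passed, so a forged sequence number cannot push genuine packets out of the window.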
2. The Encapsulating Security Payload (ESP) protocol provides data confidentiality, and also
optionally provides data origin authentication, data integrity checking, and replay protection.
The difference between ESP and the Authentication Header (AH) protocol is that ESP provides
encryption, while both protocols provide authentication, integrity checking, and replay protection.
With ESP, both communicating systems use a shared key for encrypting and decrypting the data
they exchange.
If you decide to use both encryption and authentication, then the responding system first
authenticates the packet and then, if the first step succeeds, the system proceeds with decryption.
This type of configuration reduces processing overhead and reduces your exposure to
denial-of-service attacks. One can apply ESP in two ways: transport mode or tunnel mode. In
transport mode, the ESP header follows the IP header of the original IP datagram. If the datagram
already has an IPSec header, then the ESP header goes before it. The ESP trailer and the optional
authentication data follow the payload.
Transport mode does not authenticate or encrypt the IP header, which might expose your addressing
information to potential attackers while the datagram is in transit. Transport mode requires less
processing overhead than tunnel mode, but does not provide as much security. In most cases, hosts
use ESP in transport mode.
Tunnel mode creates a new IP header and uses it as the outermost IP header of the datagram,
followed by the ESP header and then the original datagram (both the IP header and the original
payload). The ESP trailer and the optional authentication data are appended to the payload. When
you use both encryption and authentication, ESP completely protects the original datagram because
it is now the payload data for the new ESP packet. ESP, however, does not protect the new IP
header. Gateways must use ESP in tunnel mode.
ESP uses a symmetric key that both communicating parties use to encrypt and decrypt the data they
exchange. The sender and the receiver must agree on the key before secure communication takes
place between them. VPN uses Data Encryption Standard (DES), triple-DES (3DES), Advanced
Encryption Standard (AES), or AES-CBC and AES-CTR for encryption.
If you choose the AES algorithm for encryption, then you might want to enable Extended Sequence
Numbers (ESN). ESN allows you to transmit large volumes of data at a high speed. The VPN
connection uses 64-bit sequence numbers instead of 32-bit numbers over IPSec. Using 64-bit
sequence numbers allows more time before re-keying, which prevents sequence number exhaustion
and minimizes the use of system resources.
The Internet Engineering Task Force (IETF) formally defines the algorithms in the following
Requests for Comments (RFCs):
• DES in RFC 1829, The ESP DES-CBC Transform
• 3DES in RFC 1851, The ESP Triple DES Transform
• AES-CBC in RFC 3602, The AES-CBC Cipher Algorithm and Its Use with IPsec
• AES-CTR in RFC 3686, Using Advanced Encryption Standard (AES) Counter Mode with
IPsec Encapsulating Security Payload (ESP)
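The ESP packet layout, the padding trailer, Extended Sequence Numbers and the authenticate-first-then-decrypt order described above, as an added Python example (not code from the original notes or from any VPN implementation). The keys are constructed; because the standard library has no AES, an HMAC-SHA256 counter-mode keystream stands in for AES-CTR, which leaves the framing and the verification order exactly as the text describes them.

```python
import hashlib
import hmac
import os
import struct

# Constructed keys for the example; a real SA would derive them through IKE.
ESP_ENC_KEY = b"\x01" * 16
ESP_AUTH_KEY = b"\x02" * 20
ICV_LEN = 12          # HMAC-SHA-1-96
IV_LEN = 8            # RFC 3686 AES-CTR carries an 8-byte IV in each packet


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256 as a stand-in for the AES
    block function (the standard library has no AES); block i = PRF(key, iv || i)."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, iv + struct.pack("!I", block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def ctr_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream(key, iv, len(data))))


def esp_pad(payload: bytes, next_header: int, align: int = 4) -> bytes:
    """RFC 4303 trailer: payload || padding || pad length || next header,
    padded so the total is a multiple of `align` (4 for CTR, 16 for AES-CBC)."""
    pad_len = (-(len(payload) + 2)) % align
    padding = bytes(range(1, pad_len + 1))        # default monotonic pad bytes
    return payload + padding + bytes([pad_len, next_header])


def esp_encapsulate(spi: int, seq64: int, payload: bytes, next_header: int = 6, iv=None) -> bytes:
    """Encrypt-then-MAC: the ICV covers header, IV and ciphertext plus the ESN high bits."""
    iv = iv if iv is not None else os.urandom(IV_LEN)
    ciphertext = ctr_xor(ESP_ENC_KEY, iv, esp_pad(payload, next_header))
    header = struct.pack("!II", spi, seq64 & 0xFFFFFFFF)   # only the low 32 bits go on the wire
    esn_high = struct.pack("!I", seq64 >> 32)              # covered by the ICV, never transmitted
    icv = hmac.new(ESP_AUTH_KEY, header + iv + ciphertext + esn_high,
                   hashlib.sha1).digest()[:ICV_LEN]
    return header + iv + ciphertext + icv


def esp_decapsulate(packet: bytes, seq_high: int):
    """Authenticate first; decrypt only if the ICV verifies. Returns None on failure."""
    header, iv = packet[:8], packet[8:8 + IV_LEN]
    ciphertext, icv = packet[8 + IV_LEN:-ICV_LEN], packet[-ICV_LEN:]
    spi, seq_low = struct.unpack("!II", header)
    expected = hmac.new(ESP_AUTH_KEY, header + iv + ciphertext + struct.pack("!I", seq_high),
                        hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(expected, icv):
        return None                                   # no decryption of unauthenticated data
    plaintext = ctr_xor(ESP_ENC_KEY, iv, ciphertext)
    pad_len, next_header = plaintext[-2], plaintext[-1]
    payload = plaintext[:len(plaintext) - 2 - pad_len]
    return spi, (seq_high << 32) | seq_low, next_header, payload
```

The receiver supplies the high 32 bits of the sequence number from its own counter; if they disagree with the sender's, the ICV fails even though the wire format looks valid, which is how ESN detects a 2^32 wrap without sending the extra bytes. Tampering with any ciphertext byte is likewise rejected before the cipher runs, which is the processing-order point the text makes.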

Key management
A dynamic VPN provides additional security for your communications by using the Internet Key
Exchange (IKE) protocol for key management. IKE allows the VPN servers on each end of the
connection to negotiate new keys at specified intervals.
With each successful negotiation, the VPN servers regenerate the keys that protect a connection,
thus making it more difficult for an attacker to capture information from the connection.
Additionally, if you use perfect forward secrecy, attackers cannot derive future keys based on past
keying information.
The VPN key manager is IBM's implementation of the Internet Key Exchange (IKE) protocol. The
key manager supports the automatic negotiation of security associations (SAs), as well as the
automatic generation and refresh of cryptographic keys.
A security association (SA) contains information that is necessary to use the IPSec protocols. For
example, an SA identifies algorithm types, key lengths and lifetimes, participating parties, and
encapsulation modes.
Cryptographic keys, as the name implies, lock, or protect, your information until it safely reaches its
final destination.
• ESP provides encryption and optional authentication. It includes header and trailer fields to
support the encryption and optional authentication. Encryption for the IP payload is supported in
transport mode and for the entire packet in tunnel mode. Authentication applies to the ESP header
and the encrypted data.
IPSec Transport and Tunnel Mode
Transport Mode provides a secure connection between two endpoints as it encapsulates the IP
payload, while Tunnel Mode encapsulates the entire IP packet to provide a virtual "secure hop"
between two gateways. Tunnel Mode forms the more familiar VPN functionality, where entire IP
packets are encapsulated inside another and delivered to the destination. It encapsulates the full IP
header as well as the payload.
Security Associations (SAs) and Child SAs
An Internet Key Exchange Security Association (IKE-SA) is used to secure IKE communication. An
IKE-SA is identified by two eight-byte Security Parameter Indices (SPIs) exchanged by the peers
during the initial IKE exchange. Both SPIs are carried in all subsequent messages. A Child-SA is
created by IKE for use in AH or ESP security. Two Child-SAs are created as a result of one
exchange: inbound and outbound. A Child-SA is identified by a single four-byte SPI, protocol and
gateway IP address, and the SPI is carried in each AH/ESP packet. Each SA (IKE or Child) has an
associated lifetime. After the lifetime expires, the SA is deleted. To proactively establish a new SA
before the current one expires, SAs are rekeyed on soft lifetime expiry. Both IKE and Child SAs
may be rekeyed.
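An added Python sketch (not from the notes or any IKE implementation) of the Child-SA bookkeeping described above: an inbound/outbound pair is created per exchange, an SA is looked up by the (SPI, protocol, gateway IP) triple, a pair is rekeyed when its soft lifetime expires and deleted when its hard lifetime expires. SPIs, addresses and lifetimes are constructed for illustration.

```python
class ChildSA:
    """One direction of an AH/ESP SA, identified by (SPI, protocol, gateway IP)."""

    def __init__(self, spi, protocol, gateway_ip, direction, soft_lifetime, hard_lifetime, created_at):
        self.spi = spi
        self.protocol = protocol              # "AH" or "ESP"
        self.gateway_ip = gateway_ip          # destination address the SPI is scoped to
        self.direction = direction            # "in" or "out"
        self.soft_lifetime = soft_lifetime    # seconds after which rekeying starts
        self.hard_lifetime = hard_lifetime    # seconds after which the SA is deleted
        self.created_at = created_at

    @property
    def key(self):
        return (self.spi, self.protocol, self.gateway_ip)


class SADatabase:
    def __init__(self):
        self.pairs = []            # entries of the form [inbound, outbound, rekeyed_flag]
        self._next_spi = 0x1000    # constructed allocator; real SPIs are chosen by the receiver

    def _alloc_spi(self):
        spi, self._next_spi = self._next_spi, self._next_spi + 1
        return spi

    def create_pair(self, protocol, local_ip, peer_ip, soft, hard, now):
        """One IKE exchange yields two Child-SAs: inbound (our SPI) and outbound (peer's SPI)."""
        inbound = ChildSA(self._alloc_spi(), protocol, local_ip, "in", soft, hard, now)
        outbound = ChildSA(self._alloc_spi(), protocol, peer_ip, "out", soft, hard, now)
        self.pairs.append([inbound, outbound, False])
        return inbound, outbound

    def lookup(self, spi, protocol, gateway_ip):
        """The triple carried (implicitly) by every AH/ESP packet selects the SA."""
        for inbound, outbound, _ in self.pairs:
            for sa in (inbound, outbound):
                if sa.key == (spi, protocol, gateway_ip):
                    return sa
        return None

    def tick(self, now):
        """Apply lifetimes: rekey once at soft expiry, delete at hard expiry."""
        events = []
        for pair in list(self.pairs):
            inbound, outbound, rekeyed = pair
            age = now - inbound.created_at
            if age >= inbound.hard_lifetime:
                self.pairs.remove(pair)
                events.append(("deleted", inbound.spi, outbound.spi))
            elif not rekeyed and age >= inbound.soft_lifetime:
                pair[2] = True
                new_in, _ = self.create_pair(inbound.protocol, inbound.gateway_ip,
                                             outbound.gateway_ip, inbound.soft_lifetime,
                                             inbound.hard_lifetime, now)
                events.append(("rekeyed", inbound.spi, new_in.spi))
        return events
```

Between soft and hard expiry both the old and the replacement pair are in the database, so packets already in flight under the old SPI still match; that overlap is the point of a soft lifetime.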

An intrusion detection system (IDS)


An intrusion detection system (IDS) is an application that monitors network traffic and
searches for known threats and suspicious or malicious activity. The IDS sends alerts to IT and
security teams when it detects any security risks and threats.
Most IDS solutions simply monitor and report suspicious activity and traffic when they detect an
anomaly. However, some go a step further and take action when they detect anomalous activity,
such as blocking malicious or suspicious traffic.
IDS tools typically are software applications that run on organizations’ hardware or as a network
security solution. There are also cloud-based IDS solutions that protect organizations’ data,
resources, and systems in their cloud deployments and environments.

Types Of Intrusion Detection Systems (IDS)


IDS solutions come in a range of different types and varying capabilities. Common types
of intrusion detection systems (IDS) include:
1. Network intrusion detection system (NIDS): A NIDS solution is deployed at strategic
points within an organization’s network to monitor incoming and outgoing traffic. This IDS
approach monitors and detects malicious and suspicious traffic coming to and going from all
devices connected to the network.
2. Host intrusion detection system (HIDS): A HIDS system is installed on individual devices
that are connected to the internet and an organization’s internal network. This solution can
detect packets that come from inside the business and additional malicious traffic that a
NIDS solution cannot. It can also discover malicious threats coming from the host, such as a
host being infected with malware attempting to spread it across the organization’s system.
3. Signature-based intrusion detection system (SIDS): A SIDS solution monitors all packets
on an organization’s network and compares them with attack signatures on a database of
known threats.
4. Anomaly-based intrusion detection system (AIDS): This solution monitors traffic on a
network and compares it with a predefined baseline that is considered "normal." It detects
anomalous activity and behavior across the network, including bandwidth, devices, ports,
and protocols. An AIDS solution uses machine-learning techniques to build a baseline of
normal behavior and establish a corresponding security policy. This ensures businesses can
discover new, evolving threats that solutions like SIDS cannot.
5. Perimeter intrusion detection system (PIDS): A PIDS solution is placed on a network to
detect intrusion attempts taking place on the perimeter of organizations’ critical
infrastructures.
6. Virtual machine-based intrusion detection system (VMIDS): A VMIDS solution detects
intrusions by monitoring virtual machines. It enables organizations to monitor traffic across
all the devices and systems that their devices are connected to.
7. Stack-based intrusion detection system (SBIDS): SBIDS is integrated into an
organization’s Transmission Control Protocol/Internet Protocol (TCP/IP), which is used as a
communications protocol on private networks. This approach enables the IDS to watch
packets as they move through the organization’s network and pulls malicious packets before
applications or the operating system can process them.
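A miniature signature-based and anomaly-based detector, added here as a Python example (not from the notes or any IDS product) and run over constructed flow records: the SIDS half matches payloads against two simplified rules, and the AIDS half learns a byte-count baseline and the set of ports seen in normal traffic, then flags deviations from that baseline. All rules, flows and the 3-sigma threshold are constructed for illustration.

```python
import re
import statistics

# Simplified signature rules (constructed): rule name -> pattern over the payload.
SIGNATURES = {
    "sqli-probe": re.compile(rb"(?i)union\s+select|'\s*or\s+1=1"),
    "path-traversal": re.compile(rb"\.\./\.\./"),
}

# Constructed baseline traffic: ordinary web flows of roughly 500 bytes to ports 80/443.
TRAINING_FLOWS = [
    {"dst_port": 80 if i % 2 == 0 else 443, "bytes": size}
    for i, size in enumerate([480, 520, 500, 510, 490, 505, 495, 515, 485, 500] * 2)
]

# Constructed flows to inspect: id, destination port, byte count, first payload bytes.
SAMPLE_FLOWS = [
    {"id": 1, "dst_port": 80, "bytes": 510, "payload": b"GET /index.html HTTP/1.1"},
    {"id": 2, "dst_port": 80, "bytes": 530, "payload": b"GET /search?q=' OR 1=1 -- HTTP/1.1"},
    {"id": 3, "dst_port": 443, "bytes": 48000, "payload": b"\x16\x03\x01"},
    {"id": 4, "dst_port": 4444, "bytes": 500, "payload": b""},
    {"id": 5, "dst_port": 80, "bytes": 505, "payload": b"GET /../../etc/passwd HTTP/1.1"},
]


def signature_alerts(flows):
    """SIDS: match each flow's payload against the known-bad patterns."""
    return [(f["id"], "signature", name)
            for f in flows
            for name, pattern in SIGNATURES.items()
            if pattern.search(f["payload"])]


class AnomalyDetector:
    """AIDS: learn what 'normal' looks like from training traffic, then flag deviations."""

    def __init__(self, training, k=3.0):
        sizes = [f["bytes"] for f in training]
        self.mean = statistics.mean(sizes)
        self.stdev = statistics.pstdev(sizes)
        self.threshold = self.mean + k * self.stdev       # byte counts above this are anomalous
        self.known_ports = {f["dst_port"] for f in training}

    def alerts(self, flows):
        out = []
        for f in flows:
            if f["bytes"] > self.threshold:
                out.append((f["id"], "anomaly", "volume"))
            if f["dst_port"] not in self.known_ports:
                out.append((f["id"], "anomaly", "new-port"))
        return out


def run_ids(flows, detector):
    """Union of both engines: the SIDS only finds what it has a rule for, the AIDS
    finds what the baseline never saw; neither alone covers all five sample flows."""
    return sorted(signature_alerts(flows) + detector.alerts(flows))
```

Flow 2 is caught only by a signature (its size is normal) and flow 3 only by the baseline (no rule matches a large TLS transfer), which is the complementary coverage the type list describes; flow 1 raises nothing, so at this threshold the benign request is not a false positive.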
IDS solutions excel in monitoring network traffic and detecting anomalous activity. They are placed
at strategic locations across a network or on devices themselves to analyze network traffic and
recognize signs of a potential attack.
An IDS works by looking for the signature of known attack types or detecting activity that deviates
from a prescribed normal. It then alerts or reports these anomalies and potentially malicious actions
to administrators so they can be examined at the application and protocol layers.
This enables organizations to detect the potential signs of an attack beginning or being carried out
by an attacker. IDS solutions do this through several capabilities, including:
1. Monitoring the performance of key firewalls, files, routers, and servers to detect, prevent,
and recover from cyberattacks
2. Enabling system administrators to organize and understand their relevant operating
system audit trails and logs that are often difficult to manage and track
3. Providing an easy-to-use interface that allows staff who are not security experts to help
with the management of an organization’s systems
4. Providing an extensive database of attack signatures that can be used to match and detect
known threats
5. Providing a quick and effective reporting system when anomalous or malicious activity
occurs, which enables the threat to be passed up the stack
6. Generating alarms that notify the necessary individuals, such as system administrators and
security teams, when a breach occurs
7. In some cases, reacting to potentially malicious actors by blocking them and their access
to the server or network to prevent them from carrying out any further actions

Benefits of intrusion detection systems


IDS solutions offer major benefits to organizations, primarily around identifying potential security
threats being posed to their networks and users. A few common benefits of deploying an IDS
include:
1. Understanding risk: An IDS tool helps businesses understand the number of attacks being
targeted at them and the type and level of sophistication of risks they face.
2. Shaping security strategy: Understanding risk is crucial to establishing and evolving a
comprehensive cybersecurity strategy that can stand up to the modern threat landscape. An
IDS can also be used to identify bugs and potential flaws in organizations’ devices and
networks, then assess and adapt their defenses to address the risks they may face in the
future.
3. Regulatory compliance: Organizations now face an ever-evolving list of increasingly
stringent regulations that they must comply with. An IDS tool provides them with visibility
on what is happening across their networks, which eases the process of meeting these
regulations. The information it gathers and saves in its logs is also vital for businesses to
document that they are meeting their compliance requirements.
4. Faster response times: The immediate alerts that IDS solutions initiate allow organizations
to discover and prevent attackers more quickly than they would through manual monitoring
of their networks. The sensors that an IDS uses can also inspect data in network packets and
operating systems, which is also faster than manually collecting this information.

Intrusion detection system (IDS) challenges


While IDS solutions are important tools in monitoring and detecting potential threats, they are not
without their challenges. These include:
1. False alarms: Also known as false positives, these leave IDS solutions vulnerable to
identifying potential threats that are not a true risk to the organization. To avoid this,
organizations must configure their IDS to understand what normal looks like, and as a result,
what should be considered as malicious activity.
2. False negatives: This is a bigger concern, as the IDS solution mistakes an actual security
threat for legitimate traffic. An attacker is allowed to pass into the organization’s network,
with IT and security teams oblivious to the fact that their systems have been infiltrated.
As the threat landscape evolves and attackers become more sophisticated, it is preferable for IDS
solutions to provide false positives than false negatives. In other words, it is better to discover a
potential threat and prove it to be wrong than for the IDS to mistake attackers for legitimate users.
Furthermore, IDS solutions increasingly need to be capable of quickly detecting new threats and
signs of malicious behavior.

A computer virus is an ill-natured software application or authored code that can attach itself
to other programs, self-replicate, and spread itself onto other devices. When executed, a virus
modifies other computer programs by inserting its code into them. If the virus’s replication is
successful, the affected device is considered “infected” with a computer virus.
The malicious activity carried out by the virus’s code can damage the local file system, steal data,
interrupt services, download additional malware, or any other actions the malware author coded into
the program. Many viruses pretend to be legitimate programs to trick users into executing them on
their devices, delivering the computer virus payload.

Types of Computer Viruses


Every computer virus has a payload that performs an action. The threat actor can code any
malicious activity into the virus payload, including simple, innocuous pranks that don’t do any
harm. While a few viruses have harmless payloads, most of them cause damage to the system and
its data. There are nine main virus types, some of which could be packaged with other malware to
increase the chance of infection and damage. The nine major categories for viruses on computers
are:
Boot Sector Virus
Your computer drive has a sector solely responsible for pointing to the operating system so that it
can boot into the interface. A boot sector virus damages or controls the boot sector on the drive,
rendering the machine unusable. Attackers usually use malicious USB devices to spread this
computer virus. The virus is activated when users plug in the USB device and boot their machine.
Web Scripting Virus
Most browsers have defenses against malicious web scripts, but older, unsupported browsers have
vulnerabilities allowing attackers to run code on the local device.
Browser Hijacker
A computer virus that can change the settings on your browser will hijack browser favorites, the
home page URL, and your search preferences and redirect you to a malicious site. The site could be
a phishing site or an adware page used to steal data or make money for the attacker.
Resident Virus
A virus that can access computer memory and sit dormant until a payload is delivered is considered
a resident virus. This malware may stay dormant until a specific date or time or when a user
performs an action.
Direct Action Virus
When a user executes a seemingly harmless file attached to malicious code, direct-action viruses
deliver a payload immediately. These computer viruses can also remain dormant until a specific
action is taken or a timeframe passes.
Polymorphic Virus
Malware authors can use polymorphic code to change the program’s footprint to avoid detection.
Therefore, it’s more difficult for an antivirus to detect and remove them.
File Infector Virus
To persist on a system, a threat actor uses file infector viruses to inject malicious code into critical
files that run the operating system or important programs. The computer virus is activated when the
system boots or the program runs.
Multipartite Virus
These malicious programs spread across a network or other systems by copying themselves or
injecting code into critical computer resources.
Macro Virus
Microsoft Office files can run macros that can be used to download additional malware or run
malicious code. Macro viruses deliver a payload when the file is opened and the macro runs.
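Boot sector and file infector viruses change bytes that should not change, so the usual host-side detection is an integrity baseline. The following added Python example (not code from the notes) hashes a constructed set of critical files and a constructed 512-byte boot sector, checks the 0x55AA boot signature, and reports what differs from the baseline.

```python
import hashlib


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for critical files and a 512-byte boot sector (not real binaries).
CLEAN_FILES = {
    "/boot/loader.bin": b"\x7fLOADER" + bytes(64),
    "/usr/bin/app": b"\x7fELF" + b"\x00" * 28 + b"app-code",
    "/etc/app.conf": b"mode=production\n",
}
CLEAN_BOOT_SECTOR = b"\xeb\x58\x90EXAMPLE " + bytes(510 - 11) + b"\x55\xaa"


def build_baseline(files):
    """Record a hash per path while the system is known to be clean."""
    return {path: digest(data) for path, data in files.items()}


def check_files(files, baseline):
    """Report paths whose hash changed, which vanished, and which appeared since the baseline."""
    return {
        "changed": sorted(p for p in files if p in baseline and baseline[p] != digest(files[p])),
        "missing": sorted(p for p in baseline if p not in files),
        "added": sorted(p for p in files if p not in baseline),
    }


def check_boot_sector(sector: bytes, baseline_hash: str) -> str:
    """A boot sector is exactly 512 bytes and ends in the 0x55AA signature;
    anything else, or a hash mismatch, is worth an alert."""
    if len(sector) != 512:
        return "bad length"
    if sector[510:512] != b"\x55\xaa":
        return "missing boot signature"
    if digest(sector) != baseline_hash:
        return "modified"
    return "ok"
```

A file infector that appends or injects code changes the hash of the host program, and a boot sector virus changes the first sector, so both show up as "changed" or "modified" on the next check; the baseline itself must be stored where the monitored system cannot rewrite it.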

Operating system security aims to defend the OS against various dangers, such as
misconfigurations, remote intrusions, and malicious software like worms, trojan horses, and other
viruses. It is also crucial for the overall health of your computer: effective malware and virus
prevention keeps programs running quickly and smoothly.

Why is Operating System Security important?


1. The operating system is a crucial core component in the technology stack, which connects
the various hardware devices that are shared among the software running on it.
2. Unauthorized access to hardware resources can be eliminated with strict controls over the
OS software and configuration.
3. Weak code in the OS kernel raises the risk level of all software that is built on that OS.
4. Encryption of data at rest and data in transit depends largely on the strength of the
OS software libraries.

Aim of Operating System Security
1. Patching the OS on a regular basis.
2. Installing engine updates and updating antivirus software.
3. Examining all incoming and outgoing network traffic through a firewall.
4. Creating secure accounts with only the essential rights granted.

Software/program security is the concept of implementing mechanisms in the construction of
software to help it remain functional (or resistant) under attack. This means that a piece of
software undergoes software security testing before going to market to check its ability to
withstand malicious attacks.
The idea behind software security is building software that is secure from the get-go without having
to add additional security elements to add additional layers of security (although in many cases this
still happens). The next step is teaching users to use the software in the right manner to avoid being
prone or open to attacks.
Software security is critical because a malware attack can cause extreme damage to any piece of
software while compromising integrity, authentication, and availability. If programmers take this
into account in the programming stage and not afterward, damage can be stopped before it begins.
There are a wide variety of software security tools and solutions. Just like any other security
practice, you’ll have to build a strategy in order to make sure that your software security solutions
remain relevant and working in your benefit.
Keep software up-to-date and patched
Every piece of software has issues at times. There is no way to avoid that. But this is one of the
most common ways that attackers get at software users. This is why regular patching and
staying up-to-date on software is an important step in ensuring software security.
Software security services and tools can help software users stay on track when it comes to
maintenance and inventory of a wide range of software programs.
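Keeping an inventory and checking it against published fixes is the maintenance task the paragraph above refers to; this added Python example (not from the notes) compares a constructed host inventory against constructed advisory records with placeholder identifiers and groups the unpatched installs per host. Versions are compared numerically, because comparing "3.0.10" with "3.0.8" as strings gives the wrong answer.

```python
def parse_version(text: str) -> tuple:
    """Numeric comparison: '3.0.10' is newer than '3.0.7' even though it sorts lower as a string."""
    return tuple(int(part) for part in text.split("."))


# Constructed inventory: which package version each host runs.
INVENTORY = [
    {"host": "web-01", "package": "openssl", "version": "3.0.7"},
    {"host": "web-01", "package": "libxml2", "version": "2.10.3"},
    {"host": "web-02", "package": "openssl", "version": "3.0.10"},
    {"host": "db-01", "package": "libxml2", "version": "2.9.10"},
]

# Constructed advisories with placeholder ids (not real CVE numbers): versions below
# fixed_in are affected.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "package": "openssl", "fixed_in": "3.0.8"},
    {"id": "ADV-EXAMPLE-002", "package": "libxml2", "fixed_in": "2.9.14"},
]


def unpatched(inventory, advisories):
    """Return (host, package, version, advisory id) for every install below the fixed version."""
    findings = []
    for item in inventory:
        for adv in advisories:
            if adv["package"] != item["package"]:
                continue
            if parse_version(item["version"]) < parse_version(adv["fixed_in"]):
                findings.append((item["host"], item["package"], item["version"], adv["id"]))
    return findings


def patch_plan(inventory, advisories):
    """Group findings per host so each host gets one maintenance ticket."""
    plan = {}
    for host, package, version, adv_id in unpatched(inventory, advisories):
        plan.setdefault(host, []).append(f"{package} {version} -> {adv_id}")
    return plan
```

Running the same comparison on every inventory refresh is what keeps the patch backlog visible; web-02 drops out of the plan as soon as its inventory entry reports a version at or above the fix.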
Least privilege
Least privilege is the concept of giving software users minimal access to programs in order to get
their jobs done. In other words, don’t give them access to features, access rights, and controls that
they don’t need to use.
By enforcing a least privilege policy, you’ll reduce the risk of attacks by making sure that no one
accidentally changes access rights by mistake or has access to information that they don’t need.
Don’t forget to reevaluate privileges when employees change positions, finish projects, and of
course, leave the company.
Consider automation for software security tasks
Large companies or enterprises can’t keep track of the wide range of tasks that they need to perform
on a regular basis manually. This is where automation comes into play (if the hackers are using it,
you should be too).
IT departments should automate regular tasks that are important for computer security software
such as security configurations, analyzing firewall changes, and more. In order to automate,
companies need to invest in the right software security tools and solutions.
Document, monitor, and measure
Write all of your software security policies down so that everyone on board has access to and a
thorough understanding of the processes involved (don't forget to show them to new employees!).
Software security encompasses all the steps taken to ensure confidentiality, integrity and availability
of software systems throughout the software development life cycle. Software security is critical
because software vulnerabilities can lead to cyber-attacks, data breaches, and major disruptions of
computer systems.
