Guide to Network Security Fundamentals

Chapter 1

Learning Objectives
- Understand network security
- Understand security threat trends and their ramifications
- Understand the goals of network security
- Determine the factors involved in a secure network strategy

Understanding Network Security
- Network security
  o Process by which digital information assets are protected
- Goals
  o Maintain integrity
  o Protect confidentiality
  o Assure availability

Understanding Network Security (continued)
- Security ensures that users:
  o Perform only tasks they are authorized to do
  o Obtain only information they are authorized to have
  o Cannot cause damage to data, applications, or the operating environment

Security Threats
- Identity theft
- Privacy concerns
- Wireless access

To Offset Security Threats
- Integrity
  o Assurance that data is not altered or destroyed in an unauthorized manner
- Confidentiality
  o Protection of data from unauthorized disclosure to a third party
- Availability
  o Continuous operation of computing systems

Security Ramifications: Costs of Intrusion
- Causes of network security threats
  o Technology weaknesses
  o Configuration weaknesses
  o Policy weaknesses
  o Human error

Technology Weaknesses
- TCP/IP
- Operating systems
- Network equipment

Configuration Weaknesses
- Unsecured accounts
- System accounts with easily guessed passwords
- Misconfigured Internet services
- Unsecured default settings
- Misconfigured network equipment
- Trojan horse programs
- Vandals
- Viruses

Policy Weaknesses
- Lack of a written security policy
- Politics
- High turnover
- Concise access controls not applied
- Software and hardware installation and changes do not follow policy
- Proper security not maintained
- Nonexistent disaster recovery plan

Human Error
- Accident
- Ignorance
- Workload
- Dishonesty
- Impersonation
- Disgruntled employees
- Snoops
- Denial-of-service attacks

Goals of Network Security
- Achieve the state where any action that is not expressly permitted is prohibited
  o Eliminate theft
  o Determine authentication
  o Identify assumptions
  o Control secrets

Creating a Secure Network Strategy
- Address both internal and external threats
- Define policies and procedures
- Reduce risk across perimeter security, the Internet, intranets, and LANs

Creating a Secure Network Strategy (continued)
- Human factors
- Know your weaknesses
- Limit access
- Achieve security through persistence
  o Develop a change management process
- Remember physical security
- Perimeter security
  o Control access to critical network applications, data, and services

Creating a Secure Network Strategy (continued)
- Firewalls
  o Prevent unauthorized access to or from the private network
  o Create a protective layer between the network and the outside world
  o Replicate the network at the point of entry in order to receive and transmit authorized data
  o Have built-in filters
  o Log attempted intrusions and create reports

Creating a Secure Network Strategy (continued)
- Web and file servers
- Access control
  o Ensures that only legitimate traffic is allowed into or out of the network
  o Mechanisms: passwords, PINs, smartcards

Creating a Secure Network Strategy (continued)
- Change management
  o Document changes to all areas of the IT infrastructure
- Encryption
  o Ensures messages cannot be intercepted or read by anyone other than the intended recipient(s)

Creating a Secure Network Strategy (continued)
- Intrusion detection system (IDS)
  o Provides 24/7 network surveillance
  o Analyzes packet data streams within the network
  o Searches for unauthorized activity

Chapter Summary
- Understanding network security
- Security threats
- Security ramifications
- Goals of network security
- Creating a secure network strategy

Authentication
Chapter 2

Learning Objectives
- Create strong passwords and store them securely
- Understand the Kerberos authentication process
- Understand how CHAP works
- Understand what mutual authentication is and why it is necessary
- Understand how digital certificates are created and why they are used
- Understand what tokens are and how they function
- Understand biometric authentication processes and their strengths and weaknesses
- Understand the benefits of multifactor authentication

Security of System Resources
- Three-step process (AAA)
  o Authentication: positive identification of the person or system seeking access to secured information or services
  o Authorization: predetermined level of access to resources
  o Accounting: logging the use of each asset

Authentication Techniques
- Usernames and passwords
- Kerberos
- Challenge Handshake Authentication Protocol (CHAP)
- Mutual authentication
- Digital certificates
- Tokens
- Biometrics
- Multifactor authentication

Usernames and Passwords
- Username
  o Unique alphanumeric identifier used to identify an individual when logging onto a computer or network
- Password
  o Secret combination of keystrokes that, when combined with a username, authenticates a user to a computer or network

Basic Rules for Password Protection
1. Memorize passwords; do not write them down
2. Use different passwords for different functions
3. Use at least 6 characters
4. Use a mixture of uppercase and lowercase letters, numbers, and other characters
5. Change periodically
- Caveat: rules 3 and 5 are dated. Current guidance (NIST SP 800-63B) calls for a minimum of 8 characters, favors length over forced character classes, screens new passwords against lists of known-breached passwords, and drops mandatory periodic changes unless compromise is suspected.

Strong Password Creation Techniques
- Easy to remember; difficult to guess
- Examples:
  o First letters of each word of a simple phrase; add a number and punctuation: Asb4M?
  o Combine two dissimilar words and place a number between them: SleigH9ShoE
  o Substitute numbers for letters (not obviously)
- Never reuse a published example as-is; anything printed in a textbook ends up in attackers' word lists

Techniques to Use Multiple Passwords
- Group Web sites or applications by appropriate level of security
  o Use a different password for each group
  o Cycle more complex passwords down the groups, from most sensitive to least

Storing Passwords
- Written
  o Keep in a place you are not likely to lose it
  o Use small type
  o Develop a personal code to apply to the list
- Electronic
  o Use a specifically designed application (a password manager that encrypts the data)

Kerberos
- Provides a secure and convenient way to access data and services through:
  o Session keys
  o Tickets
  o Authenticators
  o Authentication servers
  o Ticket-granting tickets
  o Ticket-granting servers
  o Cross-realm authentication

Kerberos in a Simple Environment
- Session key
  o Secret key used during a logon session between a client and a service
- Ticket
  o Set of electronic information used to authenticate the identity of a principal to a service; encrypted under the service's own key, so the client can present it but neither read nor alter it
- Authenticator
  o Record containing the client's name and a timestamp, encrypted under the session key; proves that whoever presents the ticket holds the session key right now, and lets the service reject replays (the PPP/CHAP "authenticator" in the next section is a different term: there it means the device that demands authentication)

Kerberos in a Simple Environment (continued)
- Checksum
  o Small, fixed-length numerical value
  o Computed as a function of an arbitrary number of bits in a message
  o Used to verify that the message was not altered in transit; a keyed checksum also verifies its origin

Kerberos in a Simple Environment (figure)

Kerberos in a More Complex Environment
- Ticket-granting ticket (TGT)
  o Data structure that acts as an authenticating proxy for the principal's master key for a set period of time: the password-derived key is needed once, to open the reply that carries the TGT, after which the TGT stands in for it
- Ticket-granting server (TGS)
  o Server that, given a valid TGT, issues service tickets to a principal (the TGT itself is issued by the authentication server, AS)

Kerberos in a More Complex Environment (figure)

Kerberos in Very Large Network Systems
- Cross-realm authentication
  o Allows a principal to authenticate itself to gain access to services in a distant part of a Kerberos system (another realm)

Cross-Realm Authentication (figure)

Security Weaknesses of Kerberos
- Does not solve password-guessing attacks: a captured AS reply can be attacked offline, so the password must be kept secret and chosen well
- Does not prevent denial-of-service attacks
- Internal clocks of authenticating devices must be loosely synchronized (typically within 5 minutes), because authenticators carry timestamps
- Principal identifiers must not be recycled on a short-term basis, or outstanding tickets and access rights attach to the new holder of the name
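The three exchanges the slides above describe, as an added example that is not part of the original slides: the authentication server issues the TGT, the ticket-granting server turns it into a service ticket, and the service checks the ticket together with a fresh authenticator. The principal names, `SKEW`, `TICKET_LIFE` and the `seal`/`unseal` pair are this example's assumptions; the symmetric construction is a toy encrypt-then-MAC stand-in for a real Kerberos encryption type, not Kerberos's own.

```python
"""Kerberos in miniature: AS exchange (TGT), TGS exchange (service ticket) and
AP exchange (ticket + authenticator at the service), with the clock-skew and
replay checks the 'Security Weaknesses' slide alludes to. seal/unseal is a toy
encrypt-then-MAC construction standing in for a real Kerberos encryption type."""
import hashlib
import hmac
import json
import os

SKEW = 300          # seconds of clock drift tolerated (Kerberos' default is 5 minutes)
TICKET_LIFE = 600   # seconds a ticket stays valid


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(length // 32 + 1))[:length]


def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a JSON object under key: nonce || ciphertext || tag (toy)."""
    data, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed (wrong key or tampered data)")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def check_authenticator(auth: dict, ticket: dict, now: int, replay_cache: set) -> None:
    """An authenticator is {client, time} sealed under the ticket's session key.
    Accepting it proves the presenter knows that key *now*; the timestamp window
    and the cache are what stop a captured ticket+authenticator from being replayed."""
    if ticket["expires"] < now:
        raise ValueError("ticket expired")
    if auth["client"] != ticket["client"]:
        raise ValueError("authenticator name does not match ticket")
    if abs(auth["time"] - now) > SKEW:
        raise ValueError("clock skew too large")
    if (auth["client"], auth["time"]) in replay_cache:
        raise ValueError("authenticator replayed")
    replay_cache.add((auth["client"], auth["time"]))


class KDC:
    """Authentication Server + Ticket-Granting Server. Holds every principal's
    long-term key (derived from its password, or stored in a keytab)."""

    def __init__(self, keys: dict):
        self.keys, self.seen = keys, set()

    def as_exchange(self, client: str, now: int):
        """AS-REQ/AS-REP: TGT sealed under the TGS key (opaque to the client) plus
        the client/TGS session key sealed under the client's own key."""
        k_c_tgs = os.urandom(32).hex()
        tgt = seal(self.keys["krbtgt"], {"client": client, "key": k_c_tgs, "expires": now + TICKET_LIFE})
        return tgt, seal(self.keys[client], {"key": k_c_tgs})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: int):
        """TGS-REQ/TGS-REP: the TGT stands in for the password; a fresh authenticator
        proves possession of the TGT session key. Returns a service ticket."""
        t = unseal(self.keys["krbtgt"], tgt)
        check_authenticator(unseal(bytes.fromhex(t["key"]), authenticator), t, now, self.seen)
        k_c_s = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": t["client"], "key": k_c_s, "expires": now + TICKET_LIFE})
        return ticket, seal(bytes.fromhex(t["key"]), {"key": k_c_s})


class Service:
    def __init__(self, key: bytes):
        self.key, self.seen = key, set()

    def ap_exchange(self, ticket: bytes, authenticator: bytes, now: int) -> str:
        """AP-REQ: open the ticket with our own key, then validate the authenticator."""
        t = unseal(self.key, ticket)
        check_authenticator(unseal(bytes.fromhex(t["key"]), authenticator), t, now, self.seen)
        return t["client"]


def login_and_access(kdc: KDC, service: Service, client: str, client_key: bytes,
                     service_name: str, now: int):
    """Client side of all three exchanges. Returns (name the service accepted,
    ticket, authenticator) so a caller can try replaying the last two."""
    tgt, enc = kdc.as_exchange(client, now)
    k_c_tgs = bytes.fromhex(unseal(client_key, enc)["key"])   # only the password holder can open this
    ticket, enc2 = kdc.tgs_exchange(tgt, seal(k_c_tgs, {"client": client, "time": now}), service_name, now)
    k_c_s = bytes.fromhex(unseal(k_c_tgs, enc2)["key"])
    authenticator = seal(k_c_s, {"client": client, "time": now})
    return service.ap_exchange(ticket, authenticator, now), ticket, authenticator


def failure(fn, *args) -> str:
    """Run fn; return the rejection message, or '' if it succeeded."""
    try:
        fn(*args)
        return ""
    except ValueError as exc:
        return str(exc)


# Constructed realm: one user, one service, and the KDC's own krbtgt key.
KEYS = {"alice": hashlib.sha256(b"alice-password").digest(),
        "krbtgt": os.urandom(32),
        "fileserver": os.urandom(32)}
```

Running `login_and_access` once and then calling `ap_exchange` again with the same ticket and authenticator hits the replay cache; moving `now` past `expires` hits the lifetime check; a wrong client key fails at `unseal` of the AS reply, which is exactly where an offline password guess would be tested.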

Challenge Handshake Authentication Protocol (CHAP)
- PPP mechanism used by an authenticator to authenticate a peer
- Uses a challenge-and-response sequence based on a one-way hash (MD5 in RFC 1994), so the shared secret itself is never sent over the link

CHAP Challenge-and-Response Sequence (figure)

CHAP Security Benefits
- Multiple authentication sequences throughout the Network layer protocol session
  o Limit the time of exposure to any single attack
- Variable challenge values and changing identifiers
  o Provide protection against playback (replay) attacks

CHAP Security Issues
- Secrets should not be the same in both directions
- The secret must be held in recoverable form on both ends (not as a salted hash), so a compromised authenticator exposes every peer's secret
- Not all implementations of CHAP terminate the link when the authentication process fails; some instead limit traffic to a subset of Network layer protocols
  o Makes it possible for users to update passwords
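The challenge/response round from the slides above, as an added example that is not from the original slides: an authenticator issues a random challenge with a fresh identifier, the peer answers with the RFC 1994 MD5 response, and a captured response is then replayed against the next challenge to show why it fails. The class and variable names, and the constructed credentials, are this example's own.

```python
"""CHAP (RFC 1994) challenge/response between a PPP peer and its authenticator.
Shows why a fresh challenge and identifier per round defeat replay, and why the
authenticator must hold the shared secret in recoverable form."""
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5 over Identifier || secret || Challenge value.
    The secret never crosses the link; only this one-way hash of it does."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """The side that demands proof (e.g. the PPP network server). Keeps peer
    secrets in plaintext, which CHAP requires, issues a random challenge with a
    new Identifier each round, and accepts each challenge exactly once."""

    def __init__(self, secrets_by_name: dict):
        self.secrets = secrets_by_name
        self.identifier = 0
        self.pending = {}                      # identifier -> outstanding challenge

    def challenge(self) -> tuple:
        self.identifier = (self.identifier + 1) % 256
        value = os.urandom(16)
        self.pending[self.identifier] = value
        return self.identifier, value

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        challenge = self.pending.pop(identifier, None)   # consumed: no second use
        secret = self.secrets.get(name)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


class Peer:
    """The side being authenticated (e.g. a dial-in client)."""

    def __init__(self, name: str, secret: bytes):
        self.name, self.secret = name, secret

    def respond(self, identifier: int, challenge: bytes) -> tuple:
        return identifier, self.name, chap_response(identifier, self.secret, challenge)


def run_exchange(auth: Authenticator, peer: Peer) -> dict:
    """One CHAP round, then an eavesdropper replaying the captured Response
    packet against the authenticator's next challenge."""
    ident, chal = auth.challenge()                     # Challenge packet
    ident, name, resp = peer.respond(ident, chal)      # Response packet
    first = auth.verify(ident, name, resp)             # Success / Failure
    ident2, _ = auth.challenge()                       # a later re-authentication
    replayed = auth.verify(ident2, name, resp)         # same bytes, new challenge
    return {"first": first, "replayed": replayed}


# Constructed credentials; a real authenticator would fetch these from a user
# database or a RADIUS server. Use a different secret per direction when the
# peer also authenticates the server (mutual authentication).
LINK_SECRET = b"s3cr3t-link-key"
```

Because `verify` pops the pending challenge, even an attacker who captured the very first round cannot answer it twice; and because the identifier is part of the hashed input, a response cannot be re-bound to a later challenge that happened to reuse the same random value.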

Mutual Authentication
- Process by which each party in an electronic communication verifies the identity of the other party (for example, CHAP run in both directions with a distinct secret for each)

Digital Certificates
- Electronic means of verifying the identity of an individual or organization
- Digital signature
  o Piece of data that claims that a specific, named individual wrote or agreed to the contents of an electronic document to which the signature is attached

Electronic Encryption and Decryption Concepts
- Encryption
  o Converts a plaintext message into a secret message
- Decryption
  o Converts the secret message back into the plaintext message
- Symmetric cipher
  o Uses only one key, shared by both parties
- Asymmetric cipher
  o Uses a key pair (private key and public key)

Electronic Encryption and Decryption Concepts (continued)
- Certificate authority (CA)
  o Trusted, third-party entity that verifies the actual identity of an organization or individual before providing a digital certificate
- Nonrepudiation
  o Assurance that the sender of a message cannot later deny having sent it; provided by a digital signature whose key is bound to the sender by a trusted third party (the CA)

How Much Trust Should One Place in a CA?
- Reputable CAs have several levels of authentication that they issue, based on the amount of data collected from applicants
- Example: VeriSign (whose certificate business has since passed to DigiCert)

Security Tokens
- Authentication devices assigned to a specific user
- Small, credit card-sized (or key-fob) physical devices
- Incorporate two-factor authentication methods: something you have (the token) plus something you know (a PIN)
- Utilize base keys that are much stronger than the short, simple passwords a person can remember

Types of Security Tokens
- Passive
  o Act as a storage device for the base key
  o Do not emit, or otherwise share, the base key
- Active
  o Actively create another form of the base key, or an encrypted form of it, that is not subject to attack by sniffing and replay
  o Can provide variable outputs in various circumstances

One-Time Passwords
- Used only once, for a limited period of time; then no longer valid
- Use shared keys and challenge-and-response systems, which do not require that the secret be transmitted or revealed
- Strategies for generating one-time passwords
  o Counter-based tokens: token and server both advance a counter; the server must tolerate a small look-ahead window for presses it never saw
  o Clock-based tokens: token and server both derive the value from the current time; the server must tolerate some clock drift

Biometrics
- Biometric authentication
  o Uses measurements of physical or behavioral characteristics of an individual
  o Often presented as the most accurate of all authentication methods, though accuracy depends on the modality and on where the match threshold is set (see false positives and negatives below)
  o Traditionally used in highly secure areas
  o Expensive

How Biometric Authentication Works
1. Biometric is scanned after identity is verified (enrollment)
2. Biometric information is analyzed and put into an electronic template
3. Template is stored in a repository
4. To gain access, the biometric is scanned again
5. Computer analyzes the biometric data and compares it to the data in the template
6. If the data from the scan matches the template within the configured threshold, the person is allowed access
7. Keep a record, following the AAA model

False Positives and False Negatives
- False positive (false acceptance)
  o Occurrence of an unauthorized person being authenticated by a biometric authentication process
- False negative (false rejection)
  o Occurrence of an authorized person not being authenticated by a biometric authentication process when they are who they claim to be
- The match threshold trades one against the other: tightening it lowers false acceptances and raises false rejections; the setting where the two rates are equal (the crossover error rate) is the usual figure of merit for a system

Different Kinds of Biometrics
- Physical characteristics
  o Fingerprints
  o Hand geometry
  o Retinal scanning
  o Iris scanning
  o Facial scanning
- Behavioral characteristics
  o Handwritten signatures
  o Voice

Fingerprint Biometrics (figure)

Hand Geometry Authentication (figure)

Retinal Scanning (figure)

Iris Scanning (figure)

Signature Verification (figure)

General Trends in Biometrics
- Authenticating large numbers of people over a short period of time (e.g., with smart cards carrying the template)
- Gaining remote access to controlled areas

Multifactor Authentication
- Identity of an individual is verified using at least two of the three factors of authentication
  o Something you know (e.g., password)
  o Something you have (e.g., smart card or token)
  o Something you are (e.g., biometrics)

Chapter Summary
- Authentication techniques
  o Usernames and passwords
  o Kerberos
  o CHAP
  o Mutual authentication
  o Digital certificates
  o Tokens
  o Biometrics
  o Multifactor authentication

Attacks and Malicious Code
Chapter 3

Learning Objectives
- Explain denial-of-service (DoS) attacks
- Explain and discuss ping-of-death attacks
- Identify the major components used in a DDoS attack and how they are installed
- Understand the major types of spoofing attacks
- Discuss man-in-the-middle attacks, replay attacks, and TCP session hijacking
- Detail three types of social-engineering attacks and explain why they can be incredibly damaging
- List the major types of attacks used against encrypted data
- List the major types of malicious software and identify a countermeasure for each one

Denial-of-Service Attacks
- Any malicious act that causes a system to be unusable by its real user(s)
- Take numerous forms
- Are very common
- Can be very costly
- Major types
  o SYN flood
  o Smurf attack

SYN Flood
- Exploits the TCP three-way handshake: the attacker sends a stream of SYN segments, usually with spoofed source addresses, and never completes the handshake
- Inhibits the server's ability to accept new TCP connections because its table of half-open connections fills up
- Countermeasures: SYN cookies, shorter half-open timeouts, and upstream rate limiting

TCP Three-Way Handshake (figure)

Smurf
- Non-OS-specific attack that uses the network to amplify its effect on the victim
- Attacker sends ICMP echo requests to a network's broadcast address with the victim's address forged as the source; every host on that network replies, flooding the victim with ICMP echo replies
- Saturates the victim's Internet connection with bogus traffic and delays or prevents legitimate traffic from reaching its destination

IP Fragmentation Attacks: Ping of Death
- Uses IP packet fragmentation to crash remote systems: fragments of an ICMP echo request are assembled into a datagram larger than the 65,535-byte IP maximum, overflowing the reassembly buffer of an unpatched stack

Ping of Death (figure)

Distributed Denial-of-Service Attacks
- Use hundreds or more of compromised hosts on the Internet to attack the victim by flooding its link to the Internet or depriving it of resources
- Used by attackers to target government and business Internet sites
- Automated tools; can be executed by script kiddies
- Result in temporary loss of access to a given site and the associated loss in revenue and prestige

Conducting DDoS Attacks (figure)

DDoS Countermeasures
- Security patches from software vendors
- Antivirus software (so your own hosts do not become agents)
- Firewalls
- Ingress (inbound) and egress (outbound) filtering

Ingress and Egress Filtering (figure)

Preventing the Network from Inadvertently Attacking Others
- Filter packets coming into the network destined for a broadcast address
- Turn off directed broadcasts on internal routers
- Block any packet from entering the network that has a source address that is not permissible on the Internet (see Figures 3-8 and 3-9)
- Block at the firewall any packet that uses a protocol or port that is not used for Internet communications on the network
- Block packets with a source address originating inside your network from entering your network (such a packet must be spoofed)
- Conversely, block packets leaving your network whose source address is not yours (RFC 2827), so your hosts cannot be used as spoofing DDoS agents

Ingress Filtering of Packets with RFC 1918 Addresses (figure)

Filtering of Packets with RFC 2827 Addresses (figure)
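The filtering rules from the slides above (RFC 1918 and bogon sources, internal addresses arriving from outside, directed broadcasts, and RFC 2827 egress validation) expressed as a border-router decision function and run over constructed packet headers. This is an added example, not from the original slides; the prefix `203.0.113.0/24` and the other addresses are documentation ranges chosen for the example.

```python
"""Anti-spoofing rules for a border router, as the slides list them: drop
inbound packets whose source is private (RFC 1918) or claims to be ours, drop
directed broadcasts (Smurf amplification), and drop outbound packets whose
source is not ours (RFC 2827) so our network cannot serve as a DDoS agent."""
import ipaddress

# Our public prefix (constructed; 203.0.113.0/24 is documentation space).
OUR_PREFIX = ipaddress.ip_network("203.0.113.0/24")

# Source addresses that should never arrive from the Internet.
NOT_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private
    "127.0.0.0/8", "0.0.0.0/8", "169.254.0.0/16",      # loopback, "this" network, link-local
    "224.0.0.0/4", "240.0.0.0/4",                       # multicast, reserved
)]


def _in_any(addr, nets) -> bool:
    return any(addr in n for n in nets)


def border_decision(direction: str, src: str, dst: str) -> tuple:
    """direction is 'in' (Internet -> us) or 'out' (us -> Internet).
    Returns (allowed, reason); the first matching rule wins, like an ACL."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if direction == "in":
        if s in OUR_PREFIX:
            return False, "ingress: source claims to be internal (spoofed)"
        if _in_any(s, NOT_ROUTABLE):
            return False, "ingress: source is private/not routable (RFC 1918 filter)"
        if d in (OUR_PREFIX.broadcast_address, OUR_PREFIX.network_address):
            return False, "ingress: directed broadcast (Smurf amplifier)"
        if d not in OUR_PREFIX:
            return False, "ingress: destination is not ours (transit/spoofed)"
        return True, "ingress: permit"
    if direction == "out":
        if s not in OUR_PREFIX:
            return False, "egress: source is not ours (RFC 2827 filter)"
        if _in_any(d, NOT_ROUTABLE):
            return False, "egress: destination is private/not routable"
        return True, "egress: permit"
    raise ValueError("direction must be 'in' or 'out'")


# Constructed packet headers (direction, source, destination) that exercise
# each rule; 198.51.100.0/24 and 192.0.2.0/24 are also documentation prefixes.
SAMPLE_PACKETS = [
    ("in", "198.51.100.7", "203.0.113.10"),    # ordinary inbound traffic
    ("in", "203.0.113.5", "203.0.113.10"),     # inbound with our own address as source
    ("in", "10.1.2.3", "203.0.113.10"),        # RFC 1918 source from the Internet
    ("in", "198.51.100.7", "203.0.113.255"),   # echo request to our broadcast address
    ("out", "203.0.113.10", "198.51.100.7"),   # ordinary outbound traffic
    ("out", "192.0.2.9", "198.51.100.7"),      # forged source leaving our network
]


def filter_all(packets=SAMPLE_PACKETS) -> list:
    return [border_decision(*p) for p in packets]
```

The egress rule is the one most often missing in practice: it protects other people's networks, not yours, which is exactly why RFC 2827 had to argue for it.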

Spoofing
- Act of falsely identifying a packet's IP address, MAC address, etc.
- Four primary types
  o IP address spoofing
  o ARP poisoning
  o Web spoofing
  o DNS spoofing

IP Address Spoofing
- Used to exploit trust relationships between two hosts
- Involves creating IP packets with a forged source address

ARP Poisoning
- Used in man-in-the-middle and session hijacking attacks; the attacker takes over the victim's IP address by corrupting the ARP caches of directly connected machines (unsolicited ARP replies that map the victim's IP address to the attacker's MAC address)
- Attack tools
  o ARPoison
  o Ettercap
  o Parasite

Web Spoofing
- Convinces the victim that he or she is visiting a real and legitimate site
- Considered both a man-in-the-middle attack and a denial-of-service attack

Web Spoofing (figure)

DNS Spoofing
- Aggressor poses as the victim's legitimate DNS server
- Can direct users to a compromised server
- Can redirect corporate e-mail through an attacker's server, where it can be copied or modified before being sent on to its final destination

To Thwart Spoofing Attacks
- IP spoofing
  o Disable source routing on all internal routers
  o Filter out packets entering the local network from the Internet that have a source address of the local network
- ARP poisoning
  o Use network switches that have MAC binding features (e.g., port security)
- Web spoofing
  o Educate users
- DNS spoofing
  o Thoroughly secure DNS servers
  o Deploy anti-IP-address-spoofing measures

Man in the Middle
- Class of attacks in which the attacker places himself between two communicating hosts and listens in on (or alters) their session
- To protect against
  o Configure routers and hosts to ignore ICMP redirect packets
  o Encrypt and authenticate the session end to end (e.g., SSH or IPSec, Chapter 4), so an interposed attacker can neither read nor modify it

Man-in-the-Middle Attacks (figure)

Man-in-the-Middle Applications
- Web spoofing
- TCP session hijacking
- Information theft
- Other attacks (denial-of-service attacks, corruption of transmitted data, traffic analysis to gain information about the victim's network)

Man-in-the-Middle Methods
- ARP poisoning
- ICMP redirects
- DNS poisoning

Replay Attacks
- Attempt to circumvent authentication mechanisms by:
  o Recording authentication messages from a legitimate user
  o Reissuing those messages in order to impersonate the user and gain access to systems
- Defeated by freshness: challenges, timestamps, or sequence numbers bound into the authentication exchange (as in CHAP and Kerberos, Chapter 2)

Replay Attack (figure)

TCP Session Hijacking
- Attacker uses techniques to make the victim believe he or she is connected to a trusted host, when in fact the victim is communicating with the attacker
- Well-known tool
  o Hunt (Linux)

Attacker Using Victim's TCP Connection (figure)

Social Engineering
- Class of attacks that uses trickery on people instead of computers
- Goals
  o Fraud
  o Network intrusion
  o Industrial espionage
  o Identity theft
  o Desire to disrupt the system or network

Dumpster Diving (figure)

Online Attacks
- Use chat and e-mail venues to exploit trust relationships

Social Engineering Countermeasures
- Take proper care of trash and discarded items
- Ensure that all system users have periodic training about network security

Attacks Against Encrypted Data
- Weak keys
- Mathematical attacks
- Birthday attack
- Password guessing
  o Brute force
  o Dictionary

Weak Keys
- Secret keys that make the cipher behave in a regular or weakened way (for example, DES keys under which encryption equals decryption), or keys that are simply too short to resist exhaustive search

Mathematical Attack
- Attempts to decrypt encrypted data using mathematics to find weaknesses in the encryption algorithm
- Categories of cryptanalysis
  o Ciphertext-only analysis
  o Known-plaintext attack
  o Chosen-plaintext attack

Birthday Attack
- Class of brute-force attack against hash functions that exploits the birthday paradox rather than a flaw in any particular algorithm: finding two inputs with the same n-bit digest takes only about 2^(n/2) trials, so a hash offers collision resistance of roughly half its output length (a 128-bit digest resists collisions with only about 64 bits of work)
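The birthday bound from the slide above, demonstrated as an added example that is not from the original slides: SHA-256 is truncated to 32 bits so that a collision appears after roughly 2^16 hashes, and the same budget is then spent looking for a preimage of one specific digest to show the 2^(n/2) versus 2^n gap. `short_hash`, the message prefixes and the budget are this example's own choices.

```python
"""Birthday attack on a hash truncated to n bits: a collision (any two inputs
with the same digest) costs about 2**(n/2) hash evaluations, while finding an
input for one given digest (a preimage) costs about 2**n. SHA-256 truncated to
32 bits keeps the run sub-second; the ratio is the same at full size."""
import hashlib
import itertools
import math


def short_hash(msg: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-256(msg), as an integer."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - bits)


def birthday_collision(bits: int, prefix: bytes = b"msg-") -> tuple:
    """Hash distinct messages until two share a digest. Returns (m1, m2, tries).
    Memory is the price: every digest seen so far is kept."""
    seen = {}
    for i in itertools.count():
        m = prefix + str(i).encode()
        h = short_hash(m, bits)
        if h in seen:
            return seen[h], m, i + 1
        seen[h] = m


def preimage_search(target: int, bits: int, limit: int, prefix: bytes = b"pre-") -> int:
    """Try up to `limit` candidates for one specific digest. Returns the number of
    tries used, or -1 if the budget ran out (usual when limit << 2**bits)."""
    for i in range(limit):
        if short_hash(prefix + str(i).encode(), bits) == target:
            return i + 1
    return -1


def expected_collision_tries(bits: int) -> float:
    """Birthday bound: about sqrt(pi/2 * 2**bits) hashes."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def expected_preimage_tries(bits: int) -> float:
    return 2.0 ** bits


if __name__ == "__main__":
    m1, m2, tries = birthday_collision(32)
    print(m1, m2, tries, "expected ~%.0f" % expected_collision_tries(32))
    print("preimage of the same digest within that many tries:",
          preimage_search(short_hash(m1, 32), 32, tries))
```

This is why signature schemes hash before signing with a digest at least twice as long as the security level they claim, and why MD5 (128-bit) and SHA-1 (160-bit) were retired once dedicated collision attacks pushed their cost well below even the birthday bound.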

Password Guessing
- Tricks authentication mechanisms by determining a user's password using techniques such as brute-force or dictionary attacks

Brute Force
- Method of breaking passwords that involves computing every possible combination of characters for a password of a given character length

Dictionary
- Method of breaking passwords by using a predetermined list of words as input to the password hash and comparing the results against captured hashes
- Only works against poorly chosen passwords
- Both attacks are slowed by salted, deliberately slow password hashes offline and by account lockout or rate limiting online

Software Exploitation
- Utilizes software vulnerabilities to gain access and compromise systems
- Example
  o Buffer overflow attack
- To stop software exploits
  o Stay apprised of the latest security patches provided by software vendors

Malicious Software

Viruses
- Self-replicating programs that spread by infecting other programs
- Damaging and costly

Virus Databases (figure)

Evolution of Virus Propagation Techniques (figure)

Protecting Against Viruses
- Enterprise virus protection solutions
  o Desktop antivirus programs
  o Virus filters for e-mail servers
  o Network appliances that detect and remove viruses
- Instill good behaviors in users and system administrators
  o Keep security patches and virus signature databases up to date

Backdoor
- Remote access program surreptitiously installed on user computers that allows an attacker to control the behavior of the victim's computer
- Also known as remote access Trojans
- Examples
  o Back Orifice 2000 (BO2K)
  o NetBus
- Detection and elimination
  o Up-to-date antivirus software
  o Intrusion detection systems (IDS)

Trojan Horses
- Class of malware that uses social engineering to spread
- Types of methods
  o Sending copies of itself to all recipients in the user's address book
  o Deleting or modifying files
  o Installing backdoor/remote control programs

Logic Bombs
- Set of computer instructions that lie dormant until triggered by a specific event
- Once triggered, the logic bomb performs a malicious task
- Almost impossible to detect until after it is triggered
- Often the work of former employees
- Example: macro virus
  o Uses the auto-execution feature of specific applications

Worms
- Self-contained programs that use security flaws such as buffer overflows to remotely compromise a victim and replicate themselves to that system
- Do not infect other executable programs
- Accounted for 80% of all malicious activity on the Internet at the time these slides were written
- Examples: Code Red, Code Red II, Nimda

Defense Against Worms
- Latest security updates for all servers
- Network- and host-based IDS
- Antivirus programs

Chapter Summary
- Mechanisms, countermeasures, and best practices for:
  o Malicious software
  o Denial-of-service attacks
  o Software exploits
  o Social engineering
  o Attacks on encrypted data

Remote Access
Chapter 4

Learning Objectives
- Understand the implications of IEEE 802.1x and how it is used
- Understand VPN technology and its uses for securing remote access to networks
- Understand how RADIUS authentication works
- Understand how TACACS+ operates
- Understand how PPTP works and when it is used
- Understand how L2TP works and when it is used
- Understand how SSH operates and when it is used
- Understand how IPSec works and when it is used
- Understand the vulnerabilities associated with telecommuting

IEEE 802.1x
- IEEE standard for port-based network access control: a switch or access-point port stays blocked until the connecting device (the supplicant) has authenticated to the network
- The level of access and the behavior of the port are set by the authentication result, which the authenticator (the switch) obtains from an authentication server, typically RADIUS
- Uses the EAP over LAN (EAPOL) encapsulation method to carry EAP between supplicant and authenticator

802.1x General Topology (figure)

Telnet
- Standard terminal emulation protocol within the TCP/IP protocol suite, defined by RFC 854
- Utilizes TCP port 23 to communicate
- Allows users to log on to remote networks and use resources as if locally connected
- Transmits everything, passwords included, in cleartext; prefer SSH (below)

Controlling Telnet
- Assign an enable password as the initial line of defense
- Use access lists that define who has access to what resources based on specific IP addresses
- Use a firewall that can filter traffic based on ports, IP addresses, etc.

Virtual Private Network
- Secures the connection between a user and the home office using authentication mechanisms and encryption techniques
  o Encrypts data at both ends
- Uses two technologies
  o IPSec
  o PPTP

VPN Diagram (figure)

Tunneling
- Enables one network to send its data via another network's connections
- Encapsulates a network protocol within packets carried by the second network

Tunneling (figure)

VPN Options
- Install/configure the client computer to initiate the necessary security communications
- Outsource the VPN to a service provider
  o Encryption does not happen until data reaches the provider's network

Service Providing Tunneling (figure)

VPN Drawbacks
- Not completely fault tolerant
- Diverse implementation choices
  o Software solutions: tend to have trouble processing all the simultaneous connections on a large network
  o Hardware solutions: require higher costs

Remote Authentication Dial-in User Service (RADIUS)
- Provides a client/server security system
- Uses distributed security to authenticate users on a network
- Includes two pieces
  o Authentication server
  o Client protocols
- Authenticates users through a series of communications between client and server using UDP

Authenticating with a RADIUS Server (figure)

Benefits of Distributed Approach to Network Security
- Greater security
- Scalable architecture
- Open protocols
- Future enhancements

Terminal Access Controller Access Control System (TACACS+)
- Authentication protocol developed by Cisco
- Uses TCP, a connection-oriented transport, instead of UDP
- Offers a separate acknowledgement that a request has been received, regardless of the speed of the authentication mechanism
- Provides an immediate indication of a crashed server

Advantages of TACACS+ over RADIUS
- Addresses the need for a scalable solution
- Separates authentication, authorization, and accounting
- Offers multiple protocol support
- Encrypts the entire packet body, whereas RADIUS obfuscates only the password attribute

Point-to-Point Tunneling Protocol
- Multiprotocol that offers authentication, methods of privacy, and data compression
- Built upon PPP and TCP/IP
- Achieves tunneling by providing encapsulation (wraps packets of information within IP packets)
  o Data packets
  o Control packets
- Provides users with a virtual node on the corporate LAN or WAN

PPTP Tasks
- Queries the status of communications servers
- Provides in-band management
- Allocates channels and places outgoing calls
- Notifies Windows NT Server of incoming calls
- Transmits and receives user data with bidirectional flow control
- Notifies Windows NT Server of disconnected calls
- Assures data integrity; coordinates packet flow

Layer Two Tunneling Protocol
- PPP defines an encapsulation mechanism for transporting multiprotocol packets across layer two point-to-point links
- L2TP extends the PPP model by allowing the layer two and PPP endpoints to reside on different devices interconnected by a packet-switched network
- Allows separation of the processing of PPP packets from the termination of the layer two circuit
  o The connection may terminate at a (local) circuit concentrator
- Solves splitting problems by projecting a PPP session to a location other than the point at which it is physically received
- Provides no encryption of its own; in practice it is run over IPSec (L2TP/IPSec)

Secure Shell (SSH)
- Secure replacement for remote logon and file transfer programs (Telnet and FTP) that transmit data in unencrypted text
- Uses public key authentication to establish an encrypted and secure connection from the user's machine to the remote machine
- Used to:
  o Log on to another computer over a network
  o Execute commands on a remote machine
  o Move files from one machine to another

Key Components of an SSH Product
- Engine
- Administration server
- Enrollment gateway
- Publishing server

IP Security Protocol
- Set of protocols developed by the IETF to support the secure exchange of packets at the IP layer
- Deployed widely to implement VPNs
- Works with existing and future IP standards
- Transparent to users
- Promises painless scalability
- Handles encryption at the packet level using the Encapsulating Security Payload (ESP); the companion Authentication Header (AH) provides integrity and origin authentication without confidentiality

IPSec Security Payload (figure)

ESP and Encryption Models
- Supports many encryption protocols
- Encryption support is designed for use by symmetric encryption algorithms
- Provides secure VPN tunneling

Telecommuting Vulnerabilities (figure series)

Remote Solutions
- Microsoft Terminal Server
- Citrix Metaframe
- Virtual Network Computing

Chapter Summary
- Paramount need for remote access security
- Use of technologies to mitigate some of the risk of compromising the information security of a home network
- Importance of keeping pace with technology changes

E-mail
Chapter 5

Learning Objectives
- Understand the need for secure e-mail
- Outline the benefits of PGP and S/MIME
- Understand e-mail vulnerabilities and how to safeguard against them
- Explain the dangers posed by e-mail hoaxes and spam, as well as actions that can be taken to counteract them

Challenges to Utility and Productivity Gains Offered by E-mail
- E-mail security
- Floods of spam
- Hoaxes

E-mail Security Technologies
- Two main standards
  o Pretty Good Privacy (PGP)
  o Secure/Multipurpose Internet Mail Extensions (S/MIME)
- These competing standards:
  o Seek to ensure the integrity and privacy of information by wrapping security measures around the e-mail data itself
  o Use public key encryption techniques (an alternative to securing the communication link itself, as in a VPN)

Secure E-mail and Encryption
- Secure e-mail
  o Uses cryptography to secure messages transmitted across insecure networks
- Advantages of e-mail encryption
  o E-mail can be transmitted over unsecured links
  o E-mail can be stored in encrypted form
- Key cryptography concepts
  o Encryption
  o Digital signatures
  o Digital certificates

Main Features of Secure E-mail
- Confidentiality
- Integrity
- Authentication
- Nonrepudiation

Encryption
- Passes data and a value (key) through a series of mathematical formulas that make the data unusable and unreadable
- To recover the information, reverse the process using the appropriate key
- Two main types
  o Conventional (symmetric) cryptography
  o Public key cryptography

Encryption (figure)

Hash Functions
- Produce a message digest that cannot be reversed to produce the original
- Two major hash functions in use at the time of writing
  o SHA-1 (Secure Hash Algorithm 1)
  o MD5 (Message Digest algorithm version 5)
- Both have since been broken for collision resistance (practical collisions exist for each); new designs should use SHA-2 or SHA-3

Digital Signatures
- Electronic identification of a person or thing, created by using a public key algorithm
- Verify (to a recipient) the integrity of the data and the identity of the sender
- Provide the same features as encryption, except confidentiality
- Created by hashing the message and transforming the digest with the signer's private key; anyone holding the public key can verify

Digital Certificates
- Electronic document that binds a public key to its owner, attested by a trusted third party
- Provide proof that the public key belongs to a legitimate owner and has not been compromised
- Consist of:
  o Owner's public key
  o Information unique to the owner
  o Digital signature(s) of an endorser

Combining Encryption Methods
- Hybrid cryptosystems
  o Take advantage of both symmetric and public key cryptography
  o Example: PGP/MIME
- Conventional encryption
  o Fast, but results in a key distribution problem
- Public key encryption
  o Private key and public key

Public Key Encryption (figure)

How Secure E-mail Works
- Encryption
1. Message is compressed
2. Session key is created
3. Message is encrypted using the session key with a symmetric encryption method
4. Session key is encrypted with an asymmetric encryption method (the recipient's public key)
5. Encrypted session key and encrypted message are bound together and transmitted to the recipient
- Decryption: reverse the process
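The five-step procedure above and its reverse, written out as an added example that is not from the original slides, with the sign-then-encrypt ordering that the S/MIME section later in this chapter describes. Textbook RSA over Mersenne primes and a SHA-256 keystream cipher stand in for a real RSA-with-padding and 3DES/AES; the key pairs `ALICE` and `BOB`, the 10-byte session key and the 88-bit digest truncation are this example's assumptions (chosen so every value stays below the tiny toy modulus), and none of it is secure for real use.

```python
"""The five-step hybrid flow (compress, session key, symmetric encrypt, wrap the
session key asymmetrically, bind) and its reverse, plus S/MIME sign-then-encrypt.
Textbook RSA and a SHA-256 keystream cipher stand in for real algorithms:
no padding, no authentication, illustration only."""
import hashlib
import json
import os
import zlib


def make_keypair(p: int, q: int, e: int = 65537) -> dict:
    """Textbook RSA: n = pq, d = e^-1 mod (p-1)(q-1). p and q must be prime."""
    n = p * q
    return {"pub": (n, e), "priv": (n, pow(e, -1, (p - 1) * (q - 1)))}


def rsa_apply(key: tuple, m: int) -> int:
    """m^exp mod n: public key to encrypt/verify, private key to decrypt/sign."""
    n, exp = key
    return pow(m, exp, n)


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Symmetric step: SHA-256(key || nonce || counter) keystream XOR (self-inverse)."""
    ks = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))


def encrypt_message(plaintext: bytes, recipient_pub: tuple) -> dict:
    compressed = zlib.compress(plaintext)                       # 1. compress
    session_key = os.urandom(10)                                # 2. fresh session key (80 bits < n)
    nonce = os.urandom(16)
    body = keystream_xor(session_key, nonce, compressed)        # 3. symmetric encryption
    wrapped = rsa_apply(recipient_pub, int.from_bytes(session_key, "big"))   # 4. asymmetric
    return {"nonce": nonce.hex(), "body": body.hex(), "wrapped_key": wrapped}   # 5. bind


def decrypt_message(msg: dict, recipient_priv: tuple) -> bytes:
    """Reverse: unwrap the session key with the private key, decrypt, decompress."""
    session_key = rsa_apply(recipient_priv, msg["wrapped_key"]).to_bytes(10, "big")
    compressed = keystream_xor(session_key, bytes.fromhex(msg["nonce"]), bytes.fromhex(msg["body"]))
    return zlib.decompress(compressed)


def _digest_int(data: bytes) -> int:
    # 88-bit truncation keeps the digest below the smallest toy modulus (~2^92).
    return int.from_bytes(hashlib.sha256(data).digest()[:11], "big")


def sign(priv: tuple, data: bytes) -> int:
    """Hash, then transform the digest with the private key."""
    return rsa_apply(priv, _digest_int(data))


def verify(pub: tuple, data: bytes, sig: int) -> bool:
    return rsa_apply(pub, sig) == _digest_int(data)


def send(plaintext: bytes, sender_priv: tuple, recipient_pub: tuple) -> dict:
    """S/MIME order: sign first, then wrap signature and message in the envelope,
    so an eavesdropper learns neither the content nor who signed it."""
    inner = {"text": plaintext.decode(), "sig": sign(sender_priv, plaintext)}
    return encrypt_message(json.dumps(inner).encode(), recipient_pub)


def receive(envelope: dict, recipient_priv: tuple, sender_pub: tuple) -> tuple:
    inner = json.loads(decrypt_message(envelope, recipient_priv))
    text = inner["text"].encode()
    return text, verify(sender_pub, text, inner["sig"])


# Constructed key pairs from Mersenne primes (2^31-1, 2^61-1, 2^89-1, 2^107-1):
# far too small for real use, but enough to run the flow end to end.
ALICE = make_keypair(2 ** 31 - 1, 2 ** 61 - 1)
BOB = make_keypair(2 ** 89 - 1, 2 ** 107 - 1)
```

The asymmetric operation touches only the short session key, which is the whole point of the hybrid design: public-key encryption of the entire message would be orders of magnitude slower, and compressing before encrypting removes the redundancy a cryptanalyst would otherwise lean on.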

Secure E-mail Decryption (figure)

Background on PGP
- De facto standard at the time of writing
- Written by Phil Zimmermann, 1991
- Supports major conventional encryption methods
  o CAST
  o International Data Encryption Algorithm (IDEA)
  o Triple Data Encryption Standard (3DES)
  o Twofish

PGP Certificates
- More flexible and extensible than X.509 certificates
- A single certificate can contain multiple signatures

PGP Certificate Format (figure)

S/MIME
- Specification designed to add security to e-mail messages in MIME format
- Security services
  o Authentication (using digital signatures)
  o Privacy (using encryption)

What S/MIME Defines
- Format for MIME data
- Algorithms that must be used for interoperability
  o RSA
  o RC2
  o SHA-1
- X.509 certificates
- Transport over the Internet
- Additional operational concerns

S/MIME Background
- Four primary standards
  o RFC 2630: Cryptographic Message Syntax
  o RFC 2633: S/MIME version 3 Message Specification
  o RFC 2632: S/MIME version 3 Certificate Handling
  o RFC 2634: Enhanced Security Services for S/MIME

S/MIME Encryption Algorithms
- Three symmetric encryption algorithms
  o DES
  o 3DES
  o RC2
- PKCS (Public Key Cryptography Standards)
- S/MIME prevents exposure of signature information to an eavesdropper
  o Applies the digital signature first, then encloses the signature and original message in an encrypted digital envelope

X.509 Certificates
- Rather than define its own certificate type (like PGP), S/MIME relies on X.509
- Issued by a certificate authority (CA)

S/MIME Trust Model: Certificate Authorities
- Purely hierarchical model
- The line of trust goes up the chain to a CA, whose business is verifying identity and assuring the validity of keys or certificates

Differences Between PGP and S/MIME

Feature | S/MIME v3 | OpenPGP
Structure of messages | Binary, based on CMS | Binary, based on PGP
Structure of digital certificates | X.509 | PGP
Algorithm: symmetric encryption | 3DES | 3DES
Algorithm: key exchange | Diffie-Hellman | ElGamal
Algorithm: hash | SHA-1 | SHA-1
MIME encapsulation for signed data | Choice of multipart/signed or CMS format | multipart/signed with ASCII armor
MIME encapsulation for encrypted data | application/pkcs7-mime | multipart/encrypted
Trust model | Hierarchical | Web of trust
Marketplace adoption | Growing quickly | Current encryption standard
Marketplace advocates | Microsoft, RSA, VeriSign | Some PGP, Inc. products absorbed into McAfee line
Ease of use | Configuration not intuitive; must obtain and install certificates; general use straightforward | Configuration not intuitive; must create certificates; general use straightforward
Software | Already integrated in Microsoft and Netscape products | PGP software must be downloaded and installed
Cost of certificates | Must be purchased from a CA; yearly fee | PGP certificates can be generated by anyone; free
Key management | Easy, but you must trust the CA | Harder; user must make decisions on the validity of identities
Compatibility | Transparently works with any vendor's MIME e-mail client, but not compatible with non-MIME e-mail formats | Compatible with MIME and non-MIME e-mail formats, but recipient must have PGP installed
Centralized management | Possible through PKI | Status is in doubt

Note: Diffie-Hellman and ElGamal are key-exchange/encryption algorithms, not signature algorithms; the mandatory-to-implement signature algorithm in both specifications at the time was DSS.

E-mail Vulnerabilities

continued

17

E-mail Vulnerabilities
Spam
o Act of flooding the Internet with many copies of the same message in an attempt to force the message on people who would not otherwise choose to receive it
o Unrequested junk mail

E-mail Spam
Targets individual users with direct mail messages
Creates lists by:
o Scanning Usenet postings
o Stealing Internet mailing lists
o Searching the Web for addresses
Uses automated tools to subscribe to as many mailing lists as possible

Hoaxes and Chain Letters
E-mail messages with content designed to get the reader to spread them by:
o Appealing to an authority to exploit trust
o Generating excitement about being involved
o Creating a sense of importance/belonging
o Playing on people's gullibility/greed
Do not carry a malicious payload, but are usually untrue or resolved

Costs of Hoaxes and Chain Letters
Lost productivity
Damaged reputation
Relaxed attitude toward legitimate virus warnings

Countermeasures for Hoaxes
Effective security awareness campaign
Good e-mail policy
E-mail content filtering solutions

Guidelines for Hoax Countermeasures
Create a policy and train users on what to do when they receive a virus warning
Establish the intranet site as the only authoritative source for advice on virus warnings
Ensure that the intranet site displays up-to-date virus and hoax information on the home page
Inform users that if the virus warning is not listed on the intranet site, they should forward it to a designated account

Chapter Summary
PGP
o Current de facto e-mail encryption standard
o Basis of OpenPGP standard
S/MIME
o Emerging standard in e-mail encryption
o Uses X.509 certificates used by Microsoft and Netscape browser and e-mail client software
E-mail vulnerabilities and scams, and how to combat them
o Spam
o Hoaxes and e-mail chain letters

Web Security
Chapter 6

Learning Objectives
Understand SSL/TLS protocols and their implementation on the Internet
Understand HTTPS protocol as it relates to SSL
Explore common uses of instant messaging applications and identify vulnerabilities associated with those applications
Understand the vulnerabilities of JavaScript, buffer overflow, ActiveX, cookies, CGI, applets, SMTP relay, and how they are commonly exploited

Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
Commonly used protocols for managing the security of a message transmission across the insecure Internet

Secure Sockets Layer (SSL)
Developed by Netscape for transmitting private documents via the Internet
Uses a public key to encrypt data that is transferred over the SSL connection
URLs that require an SSL connection start with https: instead of http:

Transport Layer Security (TLS)
Latest version of SSL
Not as widely available in browsers

SSL/TLS Protocol
Runs on top of TCP and below higher-level protocols
Uses TCP/IP on behalf of higher-level protocols
Allows SSL-enabled server to authenticate itself to SSL-enabled client
Allows client to authenticate itself to server
Allows both machines to establish an encrypted connection

Secure Sockets Layer Protocol

SSL/TLS Protocol
Uses ciphers to enable encryption of data between two parties
Uses digital certificates to enable authentication of the parties involved in a secure transaction

Cipher Types Used by SSL/TLS
Asymmetric encryption (public key encryption)
Symmetric encryption (secret key encryption)

Digital Certificates
Components
o Certificate user's name
o Entity for whom certificate is being issued
o Public key of the subject
o Time stamp
Typically issued by a CA that acts as a trusted third party
o Public certificate authorities
o Private certificate authorities

Secure Hypertext Transfer Protocol (HTTPS)
Communications protocol designed to transfer encrypted information between computers over the World Wide Web
An implementation of HTTP
Often used to enable online purchasing or exchange of private information over insecure networks
Combines with SSL to enable secure communication between a client and a server

Instant Messaging (IM)
Communications service that enables creation of a private chat room with another individual
Based on client/server architecture
Typically alerts you whenever someone on your private list is online
Categorized as enterprise IM or consumer IM systems
Examples: AOL Instant Messenger, ICQ, NetMessenger, Yahoo! Messenger

IM Security Issues
Cannot prevent transportation of files that contain viruses and Trojan horses
Misconfigured file sharing can provide access to sensitive or confidential data
Lack of encryption
Could be utilized for transportation of copyrighted material; potential for substantial legal consequences
Transferring files reveals network addresses of hosts; could be used for a Denial-of-Service attack

IM Applications
Do not use well-known TCP ports for communication and file transfers; use registered ports
Ports can be filtered to restrict certain functionalities or prevent usage altogether

Vulnerabilities of Web Tools
Security of Web applications and online services is as important as intended functionality
o JavaScript
o ActiveX
o Buffers
o Cookies
o Signed applets
o Common Gateway Interface (CGI)
o Simple Mail Transfer Protocol (SMTP) relay

JavaScript
Scripting language developed by Netscape to enable Web authors to design interactive sites
Code is typically embedded into an HTML document and placed between the <head> and </head> tags
Programs can perform tasks outside the user's control

JavaScript Security Loopholes
Monitoring Web browsing
Reading password and other system files
Reading browser's preferences

ActiveX
Loosely defined set of technologies developed by Microsoft
o Outgrowth of OLE (Object Linking and Embedding) and COM (Component Object Model)
Provides tools for linking desktop applications to WWW content
Utilizes embedded Visual Basic code that can compromise integrity, availability, and confidentiality of a target system

Buffer
Temporary storage area, usually in RAM
Acts as a holding area, enabling the CPU to manipulate data before transferring it to a device

Buffer Overflow Attacks
Triggered by sending large amounts of data that exceed the capacity of the receiving application within a given field
Take advantage of poor application programming that does not check size of input field
Not easy to coordinate; prerequisites:
o Place necessary code into program's address space
o Direct application to read and execute embedded code through effective manipulation of registers and memory of system

Cookies
Messages given to Web browsers by Web servers
o Browser stores message in a text file
o Message is sent back to server each time browser requests a page from server
Verify a user's session
Designed to enhance browsing experience

Vulnerabilities of Cookies
Contain tools that are easily exploited to provide information about users without consent
o Attacker convinces user to follow malicious hyperlink to targeted server to obtain the cookie through error handling process on the server
o User must be logged on during time of attack
To guard against EHE attacks
o Do not return unescaped data back to user
o Do not echo 404 file requests back to user

Java Applets
Internet applications (written in the Java programming language) that can operate on most client hardware and software platforms
Stored on Web servers, from where they can be downloaded onto clients when first accessed
With subsequent server access, the applet is already cached on the client and can be executed with no download delay

Signed Applets
Technique of adding a digital signature to an applet to prove that it came unaltered from a particular trusted source
Can be given more privileges than ordinary applets
Unsigned applets are subject to sandbox restrictions

Unsigned Applets

Sandbox Model
Prevents the applet from:
o Performing required operations on local system resources
o Connecting to any Web site except the site from which the applet was loaded
o Accessing client's local printer
o Accessing client's system clipboard and properties

Signed Applets

Reasons for Using Code Signing Features
To release the application from sandbox restrictions imposed on unsigned code
To provide confirmation regarding source of the application's code

Common Gateway Interface (CGI)
Interface specification that allows communication between client programs and Web servers that understand HTTP
Uses TCP/IP
Can be written in any programming language
Parts of a CGI script
o Executable program on the server (the script itself)
o HTML page that feeds input to the executable

Typical Form Submission

CGI
Interactive nature leads to security loopholes
o Allowing input from other systems to a program that runs on a local server exposes the system to potential security hazards

Precautions to Take When Running Scripts on a Server
Deploy IDS, access list filtering, and screening on the border of the network
Design and code applications to check size and content of input received from clients
Create different user groups with different permissions; restrict access to hierarchical file system based on those groups
Validate security of a prewritten script before deploying it in your production environment

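Two of the precautions above, checking the size and content of client input and never returning unescaped client data (the same rule the cookie slide gives for 404 pages), applied to a CGI-style handler. This is an added example, not code from the course slides; the form fields, the length limit, the username pattern and the sample requests are all constructed for illustration.

```python
"""Input validation and output escaping for a CGI-style request handler.

Added example, not from the course slides. The field names, limits, and
sample inputs below are constructed; the two defences (size/content check,
HTML-escape before echoing) are the ones the slides recommend.
"""
import html
import re

MAX_FIELD_LEN = 64                                   # constructed limit
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")  # allow-list, not a deny-list


def validate_form(fields):
    """Return the accepted fields, or raise ValueError.
    Size is checked first, then content against the allow-list pattern."""
    clean = {}
    for name, value in fields.items():
        if len(value) > MAX_FIELD_LEN:
            raise ValueError("field %s exceeds %d bytes" % (name, MAX_FIELD_LEN))
        if name == "username" and not USERNAME_RE.match(value):
            raise ValueError("username contains disallowed characters")
        clean[name] = value
    return clean


def not_found_page_unsafe(path):
    """The 'before' version: echoes the requested path straight back, so
    markup in the URL ends up in the HTML the victim's browser renders."""
    return "<html><body><h1>404</h1>File not found: %s</body></html>" % path


def not_found_page(path):
    """The hardened version: cap the length and HTML-escape the path."""
    shown = html.escape(path[:80], quote=True)
    return "<html><body><h1>404</h1>File not found: %s</body></html>" % shown


# Constructed sample inputs
GOOD_FORM = {"username": "jqpublic", "comment": "hello"}
BAD_FORM = {"username": "jq<script>", "comment": "hello"}
ODD_PATH = "/docs/<b>missing</b>.html"

if __name__ == "__main__":
    print(validate_form(GOOD_FORM))
    try:
        validate_form(BAD_FORM)
    except ValueError as err:
        print("rejected:", err)
    print(not_found_page(ODD_PATH))
```

The allow-list pattern is deliberately narrow: a CGI script that rejects everything outside the characters it expects never has to reason about which characters are dangerous in which downstream context.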
Simple Mail Transfer Protocol (SMTP)
Standard Internet protocol for global e-mail communications
Transaction takes place between two SMTP servers
Designed as a simple protocol
o Easy to understand and troubleshoot
o Easily exploited by malicious users

Vulnerabilities of SMTP Relay
Spam via SMTP relay can lead to:
o Loss of bandwidth
o Hijacked mail servers that may no longer be able to serve their legitimate purpose
Mail servers of innocent organizations can be subject to blacklisting

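The relay control that keeps a mail server off the blacklists described above, as an added example (not from the course slides): a RCPT TO is accepted only when the recipient is in a domain this server handles or the connecting client is on the organization's own network; anyone else asking the server to forward mail elsewhere is refused. The local domains, trusted network and sample sessions are constructed.

```python
"""Relay decision for an SMTP server: refuse to be an open relay.

Added example, not from the course slides. LOCAL_DOMAINS, TRUSTED_NETS and
the SAMPLES below are constructed; the decision rule (local recipient or
trusted client, otherwise deny) is the standard anti-relay policy.
"""
import ipaddress

LOCAL_DOMAINS = {"example.com", "mail.example.com"}          # constructed
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]        # constructed


def recipient_domain(address):
    """Extract the domain from 'user@domain', accepting the <...> form too."""
    addr = address.strip().strip("<>").lower()
    local, at, domain = addr.rpartition("@")
    if not at or not local or not domain:
        raise ValueError("malformed recipient %r" % address)
    return domain


def relay_decision(client_ip, rcpt):
    """Return (smtp_code, text) for one RCPT TO command."""
    try:
        domain = recipient_domain(rcpt)
    except ValueError:
        return 501, "Bad recipient address syntax"
    if domain in LOCAL_DOMAINS:
        return 250, "OK"                      # inbound mail for us: always accepted
    client = ipaddress.ip_address(client_ip)
    if any(client in net for net in TRUSTED_NETS):
        return 250, "OK"                      # our own users sending outbound
    return 550, "Relaying denied"             # outsider asking us to relay


# Constructed sample RCPT commands: (connecting client IP, recipient)
SAMPLES = [
    ("203.0.113.9", "alice@example.com"),      # inbound mail for a local user
    ("192.0.2.44", "bob@partner.test"),        # inside host sending outbound
    ("203.0.113.9", "victim@elsewhere.test"),  # outsider relaying through us
]


def audit(samples=SAMPLES):
    """Return the SMTP code each sample would receive."""
    return [relay_decision(ip, rcpt)[0] for ip, rcpt in samples]


if __name__ == "__main__":
    for (ip, rcpt), code in zip(SAMPLES, audit()):
        print("%-14s RCPT TO:<%s> -> %d" % (ip, rcpt, code))
```

Note that the deny path fires only when both tests fail: a server that skipped the client-network test could not deliver its own users' outbound mail, and one that skipped the recipient-domain test would be the open relay the slide warns about.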
Chapter Summary
Protocols commonly implemented for secure message transmissions
o Secure Sockets Layer
o Transport Layer Security
Data encryption across the Internet through Secure Hypertext Transfer Protocol in relation to SSL/TLS
Instant Messaging
o Common uses
o Vulnerabilities
Well-known vulnerabilities associated with Web development tools

Directory and File Transfer Services
Chapter 7

Learning Objectives
Explain benefits offered by centralized enterprise directory services such as LDAP over traditional authentication systems
Identify major vulnerabilities of the FTP method of exchanging data
Describe S/FTP, the major alternative to using FTP, in order to better secure your network infrastructure
Illustrate the threat posed to your network by unmonitored file shares

Directory Services
Network services that uniquely identify users and can be used to authenticate and authorize them to use network resources
Allow users to look up username or resource information, just as DNS does

Lightweight Directory Access Protocol (LDAP)
Accesses directory data based on ISO's X.500 standard, but includes TCP/IP support and simplified client design
Exchanges directory information with clients (is not a database that stores the information)
Allows users to search using a broad set of criteria (name, type of service, location)
Provides additional features including authentication and authorization
Key feature and benefit
o Each person uses only one username and password regardless of client software and OS
Versatile directory system that is standards based and platform independent

Major LDAP Products

Common Applications of LDAP
Single sign-on (SSO)
User administration
Public key infrastructure (PKI)

LDAP Operations

LDAP Framework
Directory Information Tree (DIT)
o Data structure that actually contains directory information about network users and services
o Hierarchical structure

Directory Information Tree

LDAP Framework
DN example
o cn=Jonathan Q Public
o ou=Information Security Department
o o=XYZ Corp.
o c=United States

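The DN above written as a single string, split into its relative distinguished names and mapped onto the DIT path a server walks from the root (c=) down to the entry (cn=). This is an added example, not code from the course slides; the escaping rule it handles (a backslash before a comma that is part of a value) follows RFC 4514, and the second DN with an escaped comma is constructed.

```python
"""Parse an LDAP distinguished name and show its position in the DIT.

Added example, not from the course slides. EXAMPLE_DN is the slide's DN in
string form; ESCAPED_DN is constructed to exercise RFC 4514 escaping.
"""

EXAMPLE_DN = (
    "cn=Jonathan Q Public,ou=Information Security Department,"
    "o=XYZ Corp.,c=United States"
)
ESCAPED_DN = r"cn=Smith\, John,ou=Sales,o=Example Ltd.,c=United States"  # constructed


def split_rdns(dn):
    """Split a DN on unescaped commas; a backslash escapes the next character."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i + 1])        # keep the escaped character literally
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    if current:
        rdns.append("".join(current).strip())
    return rdns


def parse_dn(dn):
    """Return [(attribute, value), ...], most specific component first."""
    pairs = []
    for rdn in split_rdns(dn):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError("malformed RDN: %r" % rdn)
        pairs.append((attr.strip().lower(), value))
    return pairs


def dit_path(dn):
    """DNs of every ancestor from the root down to the entry itself, which is
    the path a directory server follows to locate the entry in the tree.
    Values are re-joined without re-escaping, so use it for display only."""
    pairs = parse_dn(dn)
    path = []
    for depth in range(len(pairs), 0, -1):
        path.append(",".join("%s=%s" % p for p in pairs[depth - 1:]))
    return path


if __name__ == "__main__":
    for level, node in enumerate(dit_path(EXAMPLE_DN)):
        print("  " * level + node)
```

Walking the list that dit_path returns is exactly what an ACL attached to "o=XYZ Corp.,c=United States" protects: every entry whose path passes through that node inherits the rule.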
LDAP Security Benefits
Authentication
o Ensures users' identities
o Three levels
  o No authentication
  o Simple authentication
  o Simple Authentication and Security Layer (SASL)
Authorization
o Determines network resources the user may access
o Determined by access control lists (ACLs)
Encryption
o Utilizes other protocols through SASL

LDAP Security Vulnerabilities
Denial of service
Man in the middle
Attacks against data confidentiality

File Transfer Services
Ability to share programs and data around the world is an essential aspect of the Internet
Critical to today's networked organizations

File Transfer Protocol (FTP)
Commonly used but very insecure
Two standard data transmission methods: active FTP and passive FTP
o In both, client initiates a TCP session using destination port 21 (command connection)
o Differences are in the data connection that is set up when user wants to transfer data between two machines

Setup of FTP Control Connection

Active FTP
FTP's default connection
FTP server creates data connection by opening a TCP session using source port of 20 and destination port greater than 1023 (contrary to TCP's normal operation)

Setup of the Active FTP Data Connection

Passive FTP
Not supported by all FTP implementations
Client initiates data connection to the server with a source and destination port that are both random high ports

Setup of the Passive FTP Data Connection

FTP Security Issues
Bounce attack
Clear text authentication and data transmission
Glob vulnerability
Software exploits and buffer overflow vulnerabilities
Anonymous FTP and blind FTP access

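How the active and passive data connections described above are actually negotiated, and the check that defends against the bounce attack listed among the security issues: the client's PORT command and the server's 227 reply both carry the data-connection address as six numbers h1,h2,h3,h4,p1,p2 (port = p1*256 + p2), and a server or firewall should honour that address only when it belongs to the peer of the control connection. This is an added example, not code from the course slides; the sample commands, replies and addresses are constructed.

```python
"""Decode FTP data-connection addresses and validate them.

Added example, not from the course slides. CLIENT_IP, SERVER_IP and the
PORT/PASV sample lines are constructed; the h1,h2,h3,h4,p1,p2 encoding and
the 'advertised host must equal control peer' rule are standard FTP practice.
"""
import re

_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_hostport(text):
    """Return (ip, port) from the six comma-separated numbers FTP uses.
    The port is p1*256 + p2, the same rule for PORT and for the 227 reply."""
    m = _HOSTPORT.search(text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field in %r" % text)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in %r" % text)
    ip = ".".join(str(n) for n in nums[:4])
    return ip, nums[4] * 256 + nums[5]


def check_port_command(port_cmd, control_peer_ip):
    """Decide whether an active-FTP PORT command from control_peer_ip should be
    honoured. Returns (allowed, reason)."""
    ip, port = decode_hostport(port_cmd)
    if ip != control_peer_ip:
        # Bounce pattern: the client asks the server to connect to a third host
        return False, "address %s differs from control peer %s" % (ip, control_peer_ip)
    if port < 1024:
        # Common hardening rule: the data port on the client must be > 1023
        return False, "data port %d is a privileged port" % port
    return True, "data connection to %s:%d" % (ip, port)


def check_pasv_reply(reply, server_ip):
    """Check a server's 227 reply: the address must be the server itself, so a
    firewall can open exactly that return path and nothing else."""
    if not reply.startswith("227"):
        return False, "not a 227 reply: %r" % reply
    ip, port = decode_hostport(reply)
    if ip != server_ip:
        return False, "server advertised %s but control connection is to %s" % (ip, server_ip)
    return True, "client will connect to %s:%d" % (ip, port)


# Constructed sample session lines
CLIENT_IP = "192.0.2.10"
SERVER_IP = "198.51.100.5"
PORT_OK = "PORT 192,0,2,10,200,17"        # client's own address, port 51217
PORT_BOUNCE = "PORT 203,0,113,7,0,25"     # a different host, port 25
PASV_OK = "227 Entering Passive Mode (198,51,100,5,195,80)"

if __name__ == "__main__":
    for line in (PORT_OK, PORT_BOUNCE):
        print(line, "->", check_port_command(line, CLIENT_IP))
    print(PASV_OK, "->", check_pasv_reply(PASV_OK, SERVER_IP))
```

The same decode function serves a stateful firewall: having read the PORT command or 227 reply on the control channel, it knows exactly which one extra connection to admit, which is why FTP needs protocol-aware filtering rather than a plain port rule.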
FTP Countermeasures
Do not allow anonymous access unless a clear business requirement exists
Employ a state-of-the-art firewall
Ensure that server has latest security patches and has been properly configured to limit user access
Encrypt data before placing it on FTP server
Encrypt FTP data flow using a VPN connection
Switch to a secure alternative

Secure File Transfers
Secure File Transfer Protocol (S/FTP)
o Replacement for FTP that uses SSH version 2 as a secure framework for encrypting data transfers

Benefits of S/FTP over FTP
Offers strong authentication using a variety of methods including X.509 certificates
Encrypts authentication, commands, and all data transferred between client and server using secure encryption algorithms
Easy to configure a firewall to permit S/FTP communications (uses a single, well-behaved TCP connection)
Requires no negotiation to open a second connection

SecureFTP Implementation Programs

File Sharing
Originally intended to share files on a LAN
Easy to set up
Uses Windows graphical interface
Can be configured as peer-to-peer or as client/server shares

File Sharing Risks
Confidentiality of data
Some viruses spread via network shares
Other types of critical information besides user documentation could become compromised if file shares are misconfigured

Protecting Your File Shares
Define and communicate a policy
Conduct audits of file shares using commercial scanning and audit tools

Chapter Summary
Key resources used to support mission-critical business applications
o Directory services
  o LDAP
o File transfer mechanisms
  o FTP
  o S/FTP

Wireless and Instant Messaging
Chapter 8

Learning Objectives
Understand security issues related to wireless data transfer
Understand the 802.11x standards
Understand Wireless Application Protocol (WAP) and how it works
Understand Wireless Transport Layer Security (WTLS) protocol and how it works
Understand Wired Equivalent Privacy (WEP) and how it works
Conduct a wireless site survey
Understand instant messaging

802.11
IEEE group responsible for defining interface between wireless clients and their network access points in wireless LANs
First standard finalized in 1997 defined three types of transmission at Physical layer
o Diffused infrared: based on infrared transmissions
o Direct sequence spread spectrum (DSSS): radio-based
o Frequency hopping spread spectrum (FHSS): radio-based
Established WEP as optional security protocol
Specified use of 2.4 GHz industrial, scientific, and medical (ISM) radio band
Mandated 1 Mbps data transfer rate and optional 2 Mbps data transfer rate
Most prominent working groups: 802.11b, 802.11a, 802.11i, and 802.11g

802.11a
High-Speed Physical Layer in the 5 GHz Band
Sets specifications for wireless data transmission of up to 54 Mbps in the 5 GHz band
Uses an orthogonal frequency division multiplexing encoding scheme rather than FHSS or DSSS
Approved in 1999

802.11b
Higher-Speed Layer Extension in the 2.4 GHz Band
Establishes specifications for data transmission that provides 11 Mbps transmission (with fallback to 5.5, 2, and 1 Mbps) in the 2.4 GHz band
Sometimes referred to as Wi-Fi when associated with WECA-certified devices
Uses only DSSS
Approved in 1999

802.11c
Worked to establish MAC bridging functionality for 802.11
Folded into 802.1D standard for MAC bridging

802.11d
Responsible for determining requirements necessary for 802.11 to operate in other countries
Continuing

802.11e
Responsible for creating a standard that will add multimedia and quality of service (QoS) capabilities to the wireless MAC layer and therefore guarantee specified data transmission rates and error percentages
Proposal in draft form

802.11f
Responsible for creating a standard that will allow for better roaming between multivendor access points and distribution systems
Ongoing

802.11g
Responsible for providing raw data throughput over wireless networks at a throughput rate of 22 Mbps or more
Draft created in January 2002; final approval expected in late 2002 or early 2003

802.11h
Responsible for providing a way to allow for European implementation requests regarding the 5 GHz band
Requirements
o Limits PC card from emitting more radio signal than needed
o Allows devices to listen to radio wave activity before picking a channel on which to broadcast
Ongoing; not yet approved

802.11i
Responsible for fixing security flaws in WEP and 802.1x
Hopes to eliminate WEP altogether and replace it with Temporal Key Integrity Protocol (TKIP), which would require replacement of keys within a certain amount of time
Ongoing; not yet approved

802.11j
Worked to create a global standard in the 5 GHz band by making high-performance LAN (HiperLAN) and 802.11a interoperable
Disbanded after efforts in this area were mostly successful

Wireless Application Protocol (WAP)
Open, global specification created by the WAP Forum
Designed to deliver information and services to users of handheld digital devices
Compatible with most wireless networks
Can be built on any operating system

WAP-Enabled Devices

How WAP 1.x Works
WAP 1.x Stack
o Set of protocols created by the WAP Forum that alters the OSI model
o Five layers lie within the top four (of seven) layers of the OSI model
o Leaner than the OSI model
o Each WAP protocol makes data transactions as compressed as possible and allows for more dropped packets than the OSI model

WAP 1.x Stack Compared to OSI/Web Stack

Differences Between Wireless and Wired Data Transfer
WAP 1.x stack protocols require that data communications between clients (wireless devices) and servers pass through a WAP gateway
Network architectural structures

WAP versus Wired Network

The WAP 2.0 Stack
Eliminates use of WTLS; relies on a lighter version of TLS, the same protocol used on the common Internet stack, which allows end-to-end security and avoids any WAP gaps
Replaces all other layers of WAP 1.x by standard Internet layers
Still supports the WAP 1.x stack in order to facilitate legacy devices and systems

Additional WAP 2.0 Features
WAP Push
User agent profile
Wireless Telephony Application
Extended Functionality Interface (EFI)
Multimedia Messaging Service (MMS)

Wireless Transport Layer Security (WTLS) Protocol
Provides authentication, data encryption, and privacy for WAP 1.x users
Three classes of authentication
o Class 1: Anonymous; does not allow either the client or the gateway to authenticate each other
o Class 2: Only allows the client to authenticate the gateway
o Class 3: Allows both the client and the gateway to authenticate each other

WTLS Protocol: Steps of Class 2 Authentication
1. WAP device sends request for authentication
2. Gateway responds, then sends a copy of its certificate, which contains the gateway's public key, to the WAP device
3. WAP device receives the certificate and public key and generates a unique random value
4. WAP gateway receives encrypted value and uses its own private key to decrypt it

WTLS Security Concerns
Security threats posed by WAP gap
Unsafe use of service set identifiers (SSIDs)

Wired Equivalent Privacy (WEP)
Optional security protocol for wireless local area networks defined in the 802.11b standard
Designed to provide same level of security as a wired LAN
Not considered adequate security without also implementing a separate authentication process and providing for external key management

Wireless LAN (WLAN)
Connects clients to network resources using radio signals to pass data through the ether
Employs wireless access points (APs)
o Connected to the wired LAN
o Act as radio broadcast stations that transmit data to clients equipped with wireless network interface cards (NICs)

How a WLAN Works

APs

NICs

How WEP Works
Uses a symmetric key (shared key) to authenticate wireless devices (not wireless device users) and to guarantee integrity of data by encrypting transmissions
Each of the APs and clients needs to share the same key
Client sends a request to the AP asking for permission to access the wired network
If WEP has not been enabled (default), the AP allows the request to pass
If WEP has been enabled, client begins a challenge-and-response authentication process

WEP's Weaknesses
Problems related to the initialization vector (IV) that it uses to encrypt data and ensure its integrity
o Can be picked up by hackers
o Is reused on a regular basis
Problems with how it handles keys

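Why the two IV problems above matter together, and how a WLAN monitor detects the second one. WEP sends its 24-bit IV in the clear and derives the frame's keystream from the IV and the shared key, so when an IV repeats, two frames share one keystream; XORing those two ciphertexts cancels the keystream and leaves the XOR of the two plaintexts, which is information about the traffic obtained without the key. This is an added example, not code from the course slides: RC4 is replaced by a constructed stand-in keystream (a hash of IV and key), the key and frames are constructed, and the IV-reuse report is the kind of check a wireless intrusion detection sensor performs.

```python
"""Detecting WEP IV reuse and showing why it matters.

Added example, not from the course slides. keystream() is a constructed
stand-in for RC4(IV || key), chosen so the example runs with the standard
library; KEY, P1, P2 and FRAMES are constructed sample data.
"""
import hashlib
from collections import Counter


def keystream(iv, key, length):
    """Stand-in for RC4(IV || key): deterministic bytes from (iv, key).
    Any stream cipher shows the same reuse property demonstrated below."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(iv + key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def wep_like_encrypt(iv, key, plaintext):
    """Frame body = 3-byte IV in the clear || plaintext XOR keystream."""
    ks = keystream(iv, key, len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, ks))


def iv_reuse_report(frames):
    """Count how often each IV appears; return those seen more than once.
    This is the detector: IVs are plaintext, so a passive sensor can run it."""
    counts = Counter(frame[:3] for frame in frames)
    return {iv: n for iv, n in counts.items() if n > 1}


def xor_bodies(frame_a, frame_b):
    """XOR of two encrypted bodies. When the IVs (hence keystreams) are the
    same, the keystream cancels and the result is plaintext_a XOR plaintext_b."""
    return bytes(x ^ y for x, y in zip(frame_a[3:], frame_b[3:]))


# Constructed traffic: 40-bit shared key, three frames, one IV repeated
KEY = b"\x01\x02\x03\x04\x05"
P1 = b"GET /index.html "
P2 = b"POST /login.cgi "
FRAMES = [
    wep_like_encrypt(b"\x00\x00\x01", KEY, P1),
    wep_like_encrypt(b"\x00\x00\x02", KEY, b"keepalive-frame1"),
    wep_like_encrypt(b"\x00\x00\x01", KEY, P2),   # IV 00:00:01 reused
]


def demo():
    """Return (reused IVs, whether C1 XOR C3 equals P1 XOR P2)."""
    reused = iv_reuse_report(FRAMES)
    leaked = xor_bodies(FRAMES[0], FRAMES[2])
    return reused, leaked == bytes(a ^ b for a, b in zip(P1, P2))


if __name__ == "__main__":
    reused, confirmed = demo()
    print("reused IVs:", {iv.hex(): n for iv, n in reused.items()})
    print("ciphertext XOR equals plaintext XOR:", confirmed)
```

With only 2^24 IVs and a busy access point, repeats are a matter of hours, which is why 802.11i's TKIP (mentioned above) rotates keys rather than relying on the IV alone.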
Other WLAN Security Loopholes
War driving
Unauthorized users can attach themselves to WLANs and use their resources, set up their own access points, and jam the network
WEP authenticates clients, not users
Wireless network administrators and users must be educated about inherent insecurity of wireless systems and the need for care

Conducting a Wireless Site Survey
1. Conduct a needs assessment of network users
2. Obtain a copy of the site's blueprint
3. Do a walk-through of the site
4. Identify possible access point locations
5. Verify access point locations
6. Document findings

Instant Messaging (IM)
AOL Instant Messenger (AIM)
MSN Messenger
Yahoo! Messenger
ICQ
Internet Relay Chat (IRC)

Definition of IM
Uses a real-time communication model
Allows users to keep track of online status and availability of other users who are also using IM applications
Can be used on both wired and wireless devices
Easy and fast
Operates in two models:
o Peer-to-peer model: may cause client to expose sensitive information
o Peer-to-network model: risk of network outage and DoS attacks making IM communication unavailable

Problems Facing IM
Lack of default encryption enables packet sniffing
Social engineering overcomes even encryption

Technical Issues Surrounding IM
File transfers
Application sharing

Legal Issues Surrounding IM
Possible threat of litigation or criminal indictment should the wrong message be sent or overheard by the wrong person
Currently immune to most corporate efforts to control it
Must be monitored in real time

Blocking IM
Install a firewall to block ports that IM products use; IM will be unavailable to all employees
Limited blocking not currently possible

Cellular Phone Simple Messaging Service (SMS)
Messages are typed and sent immediately
Problems
o Tracking inappropriate messages
o Risk of having messages sniffed

Chapter Summary
Efforts of IEEE, specifically 802.11x standards, to standardize wireless security
Security issues related to dominant wireless protocols
o WAP: connects mobile telephones, PDAs, pocket computers, and other mobile devices to the Internet
o WEP: used in WLANs
WTLS protocol
Conducting a site survey in advance of building a WLAN
Security threats related to using IM

Devices
Chapter 9

Learning Objectives
Understand the purpose of a network firewall and the kinds of firewall technology available on the market
Understand the role of routers, switches, and other networking hardware in security
Determine when VPN or RAS technology works to provide a secure network connection

Firewalls
Hardware or software device that provides a means of securing a computer or network from unwanted intrusion
o Dedicated physical device that protects network from intrusion
o Software feature added to a router, switch, or other device that prevents traffic to or from part of a network

Management Cycle for Firewall Protection
1. Draft a written security policy
2. Design the firewall to implement the policy
3. Implement the design by installing selected hardware and software
4. Test the firewall
5. Review new threats, requirements for additional security, and updates to systems and software; repeat process from first step

Drafting a Security Policy
What am I protecting?
From whom?
What services does my company need to access over the network?
Who gets access to what resources?
Who administers the network?

Available Targets and Who Is Aiming at Them
Common areas of attack
o Web servers
o Mail servers
o FTP servers
o Databases
Intruders
o Sport hackers
o Malicious hackers

Who Gets Access to Which Resources?
List employees or groups of employees along with files and file servers and databases and database servers they need to access
List which employees need remote access to the network

Who Administers the Network?
Determine individual(s) and scope of individual management control

Designing the Firewall to Implement the Policy
Select appropriate technology to deploy the firewall

What Do Firewalls Protect Against?
Denial of service (DoS)
Ping of death
Teardrop or Raindrop attacks
SYN flood
LAND attack
Brute force or smurf attacks
IP spoofing

How Do Firewalls Work?
Network address translation (NAT)
Basic packet filtering
Stateful packet inspection (SPI)
Application gateways
Access control lists (ACL)

Network Address Translation (NAT)
Only technique used by basic firewalls
Enables a LAN to use one set of IP addresses for internal traffic and a second set for external traffic
Each active connection requires a unique external address for duration of communication
Port address translation (PAT)
o Derivative of NAT
o Supports thousands of simultaneous connections on a single public IP address

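The PAT mechanism in the slide above as a translation table, added here as an example (not code from the course slides): each outbound flow from an inside host is given its own port on the single public address, replies are mapped back through the same table, and an inbound packet that matches no entry has no inside destination and is dropped, which is the reason even a NAT-only gateway blocks unsolicited inbound connections. The public and private addresses and the flows are constructed.

```python
"""Port address translation (PAT) table with outbound and inbound mapping.

Added example, not from the course slides. PUBLIC_IP and the addresses used
in demo() are constructed; real gateways also age entries out and rewrite
checksums, which is omitted here.
"""

PUBLIC_IP = "203.0.113.1"   # constructed single public address


class PatTable:
    def __init__(self, public_ip=PUBLIC_IP, first_port=1024):
        self.public_ip = public_ip
        self.next_port = first_port
        # (inside_ip, inside_port, dst_ip, dst_port) -> public source port
        self.out_map = {}
        # (public_port, remote_ip, remote_port) -> (inside_ip, inside_port)
        self.in_map = {}

    def translate_outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite an outbound packet's source to (public_ip, public_port),
        allocating the public port the first time this flow is seen."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.out_map:
            public_port = self.next_port
            self.next_port += 1
            self.out_map[key] = public_port
            self.in_map[(public_port, dst_ip, dst_port)] = (src_ip, src_port)
        return self.public_ip, self.out_map[key], dst_ip, dst_port

    def translate_inbound(self, src_ip, src_port, dst_port):
        """Map a packet arriving at the public address back to the inside host.
        Returns None when no flow matches: the packet is unsolicited and dropped."""
        inside = self.in_map.get((dst_port, src_ip, src_port))
        if inside is None:
            return None
        return src_ip, src_port, inside[0], inside[1]


def demo():
    """Two inside hosts using the same local port, a valid reply, and an
    unsolicited inbound packet. Returns the four translation results."""
    pat = PatTable()
    a = pat.translate_outbound("10.0.0.5", 40000, "198.51.100.7", 80)
    b = pat.translate_outbound("10.0.0.6", 40000, "198.51.100.7", 80)
    reply = pat.translate_inbound("198.51.100.7", 80, a[1])
    unsolicited = pat.translate_inbound("203.0.113.9", 4444, 1500)
    return a, b, reply, unsolicited


if __name__ == "__main__":
    for label, result in zip(("host A out", "host B out", "reply to A", "unsolicited"), demo()):
        print("%-12s %s" % (label, result))
```

Both inside hosts chose source port 40000, so a plain NAT that only rewrote addresses could not tell their replies apart; allocating a distinct public port per flow is what lets one address carry thousands of connections.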
Basic Packet Filtering
Firewall system examines each packet that enters it and allows through only those packets that match a predefined set of rules
Can be configured to screen information based on many data fields:
o Protocol type
o IP address
o TCP/UDP port
o Source routing information

Stateful Packet Inspection (SPI)
Controls access to network by analyzing incoming/outgoing packets and letting them pass or not based on IP addresses of source and destination
o Examines a packet based on information in its header
Enhances security by allowing the filter to distinguish on which side of the firewall a connection was initiated; essential to blocking IP spoofing attacks

Access Control Lists (ACL)
Rules built according to organizational policy that define who can access portions of the network

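The three slides above (basic packet filtering, stateful packet inspection, ACLs) combined in one working model, added here as an example that is not code from the course slides: a first-match, default-deny ACL over protocol, addresses and port, wrapped by a connection table so that inbound packets are admitted when they answer a connection a host inside opened, and a forged "reply" with no such connection is dropped even though a stateless rule could not tell the two apart. The rules, addresses and sample packets are constructed, and real firewalls track far more state than this (sequence numbers, timeouts, teardown).

```python
"""Rule-based packet filter (ACL) with stateful inspection on top.

Added example, not from the course slides. INSIDE, RULES and SAMPLE_PACKETS
are constructed; the first-match/default-deny semantics and the connection
table are the standard models the slides describe.
"""
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "direction proto src sport dst dport syn")
Rule = namedtuple("Rule", "action direction proto src dst dport")

# First-match ACL, default deny. 'any' means the field is not constrained.
RULES = [
    Rule("permit", "out", "tcp", "10.0.0.0/8", "any", "any"),   # inside may open TCP
    Rule("permit", "in", "tcp", "any", "10.0.0.80/32", 80),    # public web server
    Rule("deny", "in", "any", "any", "any", "any"),            # everything else inbound
]


def _ip_match(ip, pattern):
    return pattern == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(pattern)


def _field_match(value, pattern):
    return pattern == "any" or value == pattern


def acl_lookup(pkt, rules=RULES):
    """Stateless filter: action of the first matching rule, 'deny' if none."""
    for r in rules:
        if (_field_match(pkt.direction, r.direction) and _field_match(pkt.proto, r.proto)
                and _ip_match(pkt.src, r.src) and _ip_match(pkt.dst, r.dst)
                and _field_match(pkt.dport, r.dport)):
            return r.action
    return "deny"


class StatefulFilter:
    """ACL plus a table of connections seen being opened from either side."""

    def __init__(self, rules=RULES):
        self.rules = rules
        self.table = set()   # (inside_ip, inside_port, outside_ip, outside_port)

    def process(self, pkt):
        # An inbound packet that answers a known connection passes on state alone;
        # this is what distinguishes a reply from a spoofed packet with the same fields.
        if pkt.direction == "in" and (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table:
            return "permit"
        action = acl_lookup(pkt, self.rules)
        if action == "permit" and pkt.proto == "tcp" and pkt.syn:
            if pkt.direction == "out":
                self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            else:
                self.table.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        return action


# Constructed sample traffic, in arrival order
SAMPLE_PACKETS = [
    Packet("out", "tcp", "10.0.0.5", 40000, "198.51.100.7", 443, True),    # inside opens HTTPS
    Packet("in", "tcp", "198.51.100.7", 443, "10.0.0.5", 40000, False),    # genuine reply
    Packet("in", "tcp", "203.0.113.9", 443, "10.0.0.5", 40000, False),     # forged 'reply'
    Packet("in", "tcp", "203.0.113.9", 51000, "10.0.0.80", 80, True),      # visitor to web server
    Packet("in", "udp", "203.0.113.9", 53, "10.0.0.5", 5353, False),       # unsolicited UDP
]


def run(packets=SAMPLE_PACKETS):
    """Feed the packets through a fresh stateful filter; return the decisions."""
    fw = StatefulFilter()
    return [fw.process(p) for p in packets]


if __name__ == "__main__":
    for pkt, decision in zip(SAMPLE_PACKETS, run()):
        print("%-6s %s:%d -> %s:%d  %s" % (decision, pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
```

Run the second packet through acl_lookup alone and it is denied: no stateless rule admits inbound traffic to port 40000 without also admitting the forged third packet. The connection table is what lets the filter say which side started the conversation, the point the SPI slide makes.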
Routers
Network management device that sits between network segments and routes traffic from one network to another
Allows networks to communicate with one another
Allows Internet to function
Acts as digital traffic cop (with addition of packet filtering)

How a Router Moves Information
Examines electronic envelope surrounding a packet; compares address to list of addresses contained in router's lookup tables
Determines which router to send the packet to next, based on changing network conditions

Beyond the Firewall
Demilitarized zone (DMZ)
Bastion hosts (potentially)

Demilitarized Zone
Area set aside for servers that are publicly accessible or have lower security requirements
Sits between the Internet and internal network's line of defense
o Stateful device fully protects other internal systems
o Packet filter allows external traffic only to services provided by DMZ servers
Allows a company to host its own Internet services without permitting unauthorized access to its private network

Bastion Hosts
Computers that reside in a DMZ and that host Web, mail, DNS, and/or FTP services
Gateway between an inside network and an outside network
Defends against attacks aimed at the inside network; used as a security measure
Unnecessary programs, services, and protocols are removed; unnecessary network ports are disabled
Do not share authentication services with trusted hosts within the network

Application Gateways
Also known as proxy servers
Monitor specific applications (FTP, HTTP, Telnet)
Allow packets accessing those services to go to only those computers that are allowed
Good backup to packet filtering
Security advantages
o Information hiding
o Robust authentication and logging
o Simpler filtering rules
Disadvantage
o Two steps are required to connect inbound or outbound traffic; can increase processor overhead

OSI Reference Model
Architecture that classifies most network functions
Seven layers
o Application
o Presentation
o Session
o Transport
o Network
o Data-Link
o Physical

The OSI Stack
Layers 4 and 5
o Where TCP and UDP ports that control communication sessions operate
Layer 3
o Routes IP packets
Layer 2
o Delivers data frames across LANs

Limitations of Packet-Filtering Routers
ACL can become long, complicated, and difficult to manage and comprehend
Throughput decreases as number of rules being processed increases
Unable to determine specific content or data of packets at layers 3 through 5

Switches
- Provide same function as bridges (divide collision domains), but employ application-specific integrated circuits (ASICs) that are optimized for the task
- Reduce collision domain to two nodes (switch and host)
- Main benefit over hubs
  o Separation of collision domains limits the possibility of sniffing

(Figure: Switches)

Switch Security
- ACLs
- Virtual Local Area Networks (VLANs)

Virtual Local Area Network
- Uses public wires to connect nodes
- Broadcast domain within a switched network
- Uses encryption and other security mechanisms to ensure that
  o Only authorized users can access the network
  o Data cannot be intercepted
  o Increases security from hackers
  o Reduces possibility of broadcast storm
- Clusters users in smaller groups

Security Problems with Switches
- Common ways of switch hijacking
  o Try default passwords which may not have been changed
  o Sniff network to get administrator password via SNMP or Telnet

Securing a Switch
- Isolate all management interfaces
- Manage switch by physical connection to a serial port or through secure shell (SSH) or other encrypted method
- Use separate switches or hubs for DMZs to physically isolate them from the network and prevent VLAN jumping
- Put switch behind dedicated firewall device
- Maintain the switch; install latest version of software and security patches
- Read product documentation
- Set strong passwords

(Figure: Example of a Compromised VLAN)

Wireless
- Almost anyone can eavesdrop on a network communication
- Encryption is the only secure method of communicating with wireless technology

Modems

DSL versus Cable Modem Security
- DSL
  o Direct connection between computer/network and the Internet
- Cable modem
  o Connected to a shared segment; party line
  o Most have basic firewall capabilities to prevent files from being viewed or downloaded
  o Most implement the Data Over Cable Service Interface Specification (DOCSIS) for authentication and packet filtering

Dynamic versus Static IP Addressing
- Static IP addresses
  o Provide a fixed target for potential hackers
- Dynamic IP addresses
  o Assigned by the Dynamic Host Configuration Protocol (DHCP)
  o Provide enhanced security
  o By changing IP addresses of client machines, DHCP server makes them moving targets for potential hackers

Remote Access Service (RAS)
- Provides a mechanism for one computer to securely dial in to another computer
- Treats modem as an extension of the network
- Includes encryption and logging
- Accepts incoming calls
- Should be placed in the DMZ

Security Problems with RAS
- Behind physical firewall; potential for network to be compromised
- Most RAS systems offer encryption and callback as features to enhance security

Telecom/Private Branch Exchange (PBX)
- PBX
  o Private phone system that offers features such as voicemail, call forwarding, and conference calling
  o Failure to secure a PBX can result in toll fraud, theft of information, denial of service, and enhanced susceptibility to legal liability

(Figure: IP-Based PBX)

PBX Security Concerns
- Remote PBX management
- Hoteling or job sharing
  o Many move codes are standardized and posted on the Internet

Virtual Private Networks
- Provide secure communication pathway or tunnel through public networks (e.g., Internet)
- Lowest levels of TCP/IP are implemented using existing TCP/IP connection
- Encrypts either underlying data in a packet or the entire packet itself before wrapping it in another IP packet for delivery
- Further enhances security by implementing Internet Protocol Security (IPSec)

Internet Protocol Security (IPSec)
- Allows encryption of either just the data in a packet (transport mode) or the packet as a whole (tunnel mode)
- Enables a VPN to eliminate packet sniffing and identity spoofing
- Requirement of Internet Protocol version 6 (IPv6) specification

Intrusion Detection Systems (IDS)
- Monitor networks and report on unauthorized attempts to access any part of the system
- Available from many vendors
- Forms
  o Software (computer-based IDS)
  o Dedicated hardware devices (network-based IDS)
- Types of detection
  o Anomaly-based detection
  o Signature-based detection

Computer-based IDS
- Software applications (agents) are installed on each protected computer
  o Make use of disk space, RAM, and CPU time to analyze OS, applications, system audit trails
  o Compare these to a list of specific rules
  o Report discrepancies
- Can be self-contained or remotely managed
- Easy to upgrade software, but do not scale well

Network-based IDS
- Monitors activity on a specific network segment
- Dedicated platforms with two components
  o Sensor: passively analyzes network traffic
  o Management system: displays alarm information from the sensor

Anomaly-based Detection
- Builds statistical profiles of user activity and then reacts to any activity that falls outside these profiles
- Often leads to large number of false positives
  o Users do not access computers/network in static, predictable ways
  o Cost of building a sensor that could hold enough memory to contain the entire profile and time to process the profiles is prohibitively large

Signature-based Detection
- Similar to antivirus program in its method of detecting potential attacks
- Vendors produce a list of signatures used by the IDS to compare against activity on the network or host
- When a match is found, the IDS takes some action (e.g., logging the event)
- Can produce false positives; normal network activity may be construed as malicious

Network Monitoring and Diagnostics
- Essential steps in ensuring safety and health of a network (along with IDS)
- Can be either stand-alone or part of a network-monitoring platform
  o HP's OpenView
  o IBM's Netview/AIX
  o Fidelia's NetVigil
  o Aprisma's Spectrum

Ensuring Workstation and Server Security
- Remove unnecessary protocols such as NetBIOS or IPX
- Remove unnecessary user accounts
- Remove unnecessary shares
- Rename the administrator account
- Use strong passwords

Personal Firewall Software Packages
- Offer application-level blocking, packet filtering, and can put your computer into stealth mode by turning off most if not all ports
- Many products available, including:
  o Norton Firewall
  o ZoneAlarm
  o Black Ice Defender
  o Tiny Software's Personal Firewall

(Figure: Firewall Product Example)

Antivirus Software Packages
- Necessary even on a secure network
- Many vendors, including:
  o McAfee
  o Norton
  o Computer Associates
  o Network Associates

Mobile Devices
- Can open security holes for any computer with which these devices communicate

Chapter Summary
- Virtual isolation of a computer or network by implementing a firewall through software and hardware techniques:
  o Routers
  o Switches
  o Modems
  o Various software packages designed to run on servers, workstations, and PDAs
- Virtual private networks (VPNs)
- Private branch exchanges (PBX)
- Remote Access Services (RAS)

Media and Medium

Chapter 10

Learning Objectives
- Identify and discuss the various types of transmission media
- Explain how to physically protect transmission media adequately
- Identify and discuss the various types of storage media
- Know how to lessen the risk of catastrophic loss of information
- Understand the various ways to encrypt data
- Properly maintain or destroy stored data

Transmission Media
- Coaxial cable
- Twisted pair copper cable
  o Shielded
  o Unshielded
- Fiber-optic cable
- Wireless connections

Coaxial Cable
- Hollow outer cylinder surrounds a single inner wire conductor
- More expensive than traditional telephone wiring
- Less prone to interference
- Typically carries larger amounts of data
- Easily spliced; allows unauthorized users access to the network
- Two types (not interchangeable)
  o 50-ohm
  o 75-ohm

50-Ohm Coaxial Cable
- Uses unmodulated signal over a single channel
- Two standards
  o 10Base2 (ThinNet)
  o 10Base5 (ThickNet)
- Advantages
  o Simple to implement and widely available
  o Low cost alternative that provides relatively high rates of data transmission
- Disadvantages
  o Can only carry data and voice
  o Limited in distance it can transmit signals

10Base2 (ThinNet)
- Uses a thin coaxial cable in an Ethernet environment
- Capable of covering up to 180 meters
- Allows daisy chaining
- Not highly susceptible to noise interference
- Transmits at 10 Mbps
- Can support up to 30 nodes per segment

10Base5 (ThickNet)
- Primarily used as a backbone in an office LAN environment
- Often connects wiring closets
- Can transmit data at speeds up to 10 Mbps
- Covers distances up to 500 meters
- Can accommodate up to 100 nodes per segment
- Rigid and difficult to work with

75-ohm Coaxial Cable
- For analog signaling and high-speed digital signaling
- Advantages
  o Allows for data, voice, and video capabilities
  o Can cover greater distances and offers more bandwidth
- Disadvantages
  o Requires hardware to connect via modems
  o More difficult to maintain

Twisted Pair Copper Cable
- Individual copper wires are twisted together to prevent cross talk between pairs and to reduce effects of EMI and RFI
- Inexpensive alternative to coaxial cable, but cannot support the same distances
- Long been used by telephone companies
- Types
  o Unshielded twisted pair (UTP)
  o Shielded twisted pair (STP)

Unshielded Twisted Pair (UTP)
- Most common medium for both voice and data
- Currently supports up to 1 Gbps protocols

Shielded Twisted Pair (STP)
- Extra foil shield wrapped between copper pairs provides additional insulation from EMI
- Used extensively in LAN wiring

(Figure: Shielded Twisted Pair (STP))

Twisted Pair Categories
- Category 3 (CAT 3)
- Category 5 (CAT 5)
- Category 6 (CAT 6)

Twisted Pair CAT 3
- For voice and data transmission

Twisted Pair CAT 5
- Supports fast Ethernet
- Utilizes an 8-pin configuration that can be modified for use as a crossover cable, straight-through cable, or customized cable

Twisted Pair CAT 6
- Supports Gigabit Ethernet
- Offers backwards compatibility
- Uses an 8-pin configuration

Twisted Pair
- Connects to hardware using an RJ-45 connector

Fiber-Optic Cable
- Glass core encased in plastic outer covering
- Smaller, lighter, more fragile and susceptible to damage than coaxial or twisted pair cable
- Carries light

(Figure: Fiber-Optic Cable)

Fiber-Optic Cable
- Advantages
  o Capable of transmitting more data much further than other wiring types
  o Completely immune to effects of EMI
  o Nearly impossible to splice without detection
- Disadvantages
  o Expensive
  o Difficult to install and manipulate

Comparison of Wired Transmission Media
- Coaxial cable
  o Advantages: high bandwidth; long distances; EMI immunity
  o Disadvantages: physical dimensions (difficult to work with); easily tapped
- Twisted pair copper cable
  o Advantages: inexpensive; widely used; easy to add nodes
  o Disadvantages: most sensitive to EMI; supports short distances; limited bandwidth capabilities; easily tapped
- Fiber-optic cable
  o Advantages: very high bandwidth; EMI immunity; long distances; high security; small size
  o Disadvantages: difficult to implement; expensive; fragile

Unguided Transmission
- Uses various technologies (microwave, radio and infrared) to receive and transmit through the air
- Vulnerable to security breaches in which unauthorized users intercept data flow
- Difficult to secure; unguided connections cannot be physically contained easily

Securing Transmission Media
- Common attacks on data flow include interception and interruption of traffic
- Use lock and key
- Install closed circuit security cameras
- Use equipment that limits or eliminates signal leaks
- Use dry methods for fire extinguishing
- Deploy an uninterruptible power supply
- Implement a redundant network
- Utilize a VPN or other encryption technology when using wireless LANs
- Map out cabling and deploy fiber optics in unsecured areas

Storage Media
- Provides a way to hold data at rest
- Hard disk drive
  o Developed by IBM in 1970s
  o Ubiquitous
- Removable storage media
  o Magnetic
  o Optical
  o Solid-state

Magnetic Storage Media
- Coated with iron oxide
- When data is recorded:
  o Electromagnet inside disk drive rearranges the iron oxide particles into a series of patterns that represent 0s and 1s
- When data is retrieved:
  o Reading disk drive uses a magnetic field to read the pattern
  o Pattern is translated into data that is sent to computer in binary form

Types of Magnetic Storage Media

Floppy Disk
- 3.5 inch, high density
- 1.44 MB capacity
- Circular magnetic piece of plastic inside a rigid plastic case

Zip Disk
- High-capacity floppy disk developed by Iomega Corporation
- 100 MB and 250 MB capacity
- Relatively inexpensive and durable
- Ideal for transporting larger multimedia files
- Can be used for backup

Optical Storage Media
- Light and reflection transmit data
- Most common: CD
  o Plastic disc covered by a layer of aluminum and a layer of acrylic
  o Typically can store 700 MB of data
  o Commonly used to store multimedia

Compact Disc
- Data is recorded by creating very small bumps in the aluminum layer on long tiny tracks
- Data is read by a laser beam, detected by an optoelectronic sensor, and the pattern translated into bits and sent to the computer

CD-ROMs
- Most common type of CD
- Material can be written or recorded to the disc only once
- Hold prerecorded materials to be used on a computer (e.g., software, graphic images, short video clips, audio)

Compact Disc-Recordable (CD-R)
- User records data onto surface of a blank disc
- Has layer of light-sensitive dye on top of layer of reflective gold
- High-powered laser beam burns data on the disc
  o Changes color of light-sensitive dye by pulsing in patterns
- Write once, read many (WORM) type of media
- Next step: compact disc-rewritable (CD-RW)

Digital Versatile Disc (DVD)
- Can store much more data than a CD
  o Tracks are thinner and closer to each other
  o Readable on both sides of the disc
- Made out of plastic with a layer of gold, covered by a thin layer of clear polymer
- Used to store full-length feature films

Solid-State Storage Media
- Uses a microchip upon which data is recorded directly in digital form
- Reliable and durable; no moving parts
- Very small, yet can contain up to 192 MB of memory
- Flash memory
  o Used primarily in digital cameras, digital video cameras, digital audio recorders

Solid-State Storage Media
- CompactFlash card
- SmartMedia card
- Memory Sticks

CompactFlash Card
- Stores up to 1 GB
- High data transfer rate
- Resistant to extreme weather conditions

SmartMedia Card
- Used in digital still cameras, MP3 recorders, newer printing devices
- Stores up to 64 MB of data
- Less expensive than CompactFlash cards
- High data transfer rate
- Resistant to extreme weather conditions

Memory Stick
- Holds up to 128 MB of data
- Commonly used with digital still cameras, digital music players (MP3), digital voice recorders
- High data transfer rate
- Resistance to extreme temperatures
- High storage capacity

Secure Digital/Multimedia Cards
- Commonly used in MP3 players and digital cameras
- Developed to help enforce copyright protections for publishers of music and images
- Range in size from 4 MB to 128 MB

Avoiding Catastrophic Loss
- Make backup copies of sensitive information and store them at a separate, secure location, preferably in a fire safe
- Use a type of media that is less likely to be corrupted or damaged (i.e., solid-state)

Encryption
- Implement a thorough encryption policy to guarantee that sensitive information does not fall into the wrong hands
- Educate the entire organization about the importance of safeguarding sensitive data

Storing Media
- Have a policy that tracks content and location of each disk
- Mark each medium using a standardized naming scheme
- Store copies in a secure location

Destruction of Media
- Physically destroy the media
- Erase the data

Chapter Summary
- Transmission media
- Storage media
- Impact of different forms of transmission media and storage media on information security

Network Security Topologies

Chapter 11

Learning Objectives
- Explain the network perimeter's importance to an organization's security policies
- Identify place and role of the demilitarized zone in the network
- Explain how network address translation is used to help secure networks
- Spell out the role of tunneling in network security
- Describe security features of virtual local area networks

Perimeter Security Topologies
- Put in place using firewalls and routers on network edge
- Permit secure communications between the organization and third parties
- Key enablers for many mission-critical network services
- Include demilitarized zones (DMZs), extranets, and intranets
- Selectively admit or deny data flows from other networks based on several criteria:
  o Type (protocol)
  o Source
  o Destination
  o Content

Three-tiered Architecture
- Outermost perimeter
- Internal perimeters
- Innermost perimeter

Outermost Perimeter
- Router used to separate network from ISP's network
- Identifies separation point between assets you control and those you do not
- Most insecure area of a network infrastructure
- Normally reserved for routers, firewalls, public Internet servers (HTTP, FTP, Gopher)
- Not for sensitive company information that is for internal use only

Internal Perimeters
- Represent additional boundaries where other security measures are in place

Network Classifications
- Trusted
- Semi-trusted
- Untrusted

Trusted Networks
- Inside network security perimeter
- The networks you are trying to protect

Semi-Trusted Networks
- Allow access to some database materials and email
- May include DNS, proxy, and modem servers
- Not for confidential or proprietary information
- Referred to as the demilitarized zone (DMZ)

Untrusted Networks
- Outside your security perimeter
- Outside your control

Creating and Developing Your Security Design
- Know your enemy
- Count the cost
- Identify assumptions
- Control secrets
- Know your weaknesses
- Limit the scope of access
- Understand your environment
- Limit your trust

DMZ
- Used by a company to host its own Internet services without exposing its private network to unauthorized access
- Sits between the Internet and the internal network's line of defense, usually some combination of firewalls and bastion hosts
- Traffic originating from it should be filtered
- Typically contains devices accessible to Internet traffic
  o Web (HTTP) servers
  o FTP servers
  o SMTP (e-mail) servers
  o DNS servers
- Optional, more secure approach to a simple firewall; may include a proxy server

DMZ Design Goals
- Minimize scope of damage
- Protect sensitive data on the server
- Detect the compromise as soon as possible
- Minimize effect of the compromise on other organizations

Intranet
- Either a network topology or application (usually a Web portal) used as a single point of access to deliver services to employees
- Typically a collection of all LANs inside the firewall
- Shares company information and computing resources among employees
- Allows access to public Internet through firewalls that screen communications in both directions to maintain company security
- Also called a campus network

Extranet
- Private network that uses Internet protocol and public telecommunication system to provide various levels of accessibility to outsiders
- Can be accessed only with a valid username and password
- Identity determines which parts of the extranet you can view
- Requires security and privacy
  o Firewall management
  o Issuance and use of digital certificates or other user authentication
  o Encryption of messages
  o Use of VPNs that tunnel through the public network

Network Address Translation (NAT)
- Internet standard that enables a LAN to use one set of IP addresses for internal traffic and a second set for external traffic
- Able to translate addresses contained in an IP packet

Main Purposes of NAT
- Provide a type of firewall by hiding internal IP addresses
- Enable a company to use more internal IP addresses

NAT
- Most often used to map IPs from nonroutable private address spaces defined by RFC 1918
- Static NAT and dynamic NAT
- Port Address Translation (PAT)
  o Variation of dynamic NAT
  o Allows many hosts to share a single IP address by multiplexing streams differentiated by TCP/UDP port numbers
  o Commonly implemented on SOHO routers
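The PAT behaviour described above (one public address shared by many RFC 1918 hosts, with flows told apart by port number, and the "type of firewall" effect of having no mapping for unsolicited inbound traffic) as a small added model. This is example code written for this page, not the textbook's or any router vendor's; the class and function names are invented, and all addresses and ports are constructed sample values from the documentation ranges.

```python
"""Port Address Translation (PAT) table, as a small model.

Added example (not the textbook's code): shows how one public address is
shared by many RFC 1918 hosts through per-flow port rewriting, and why an
inbound packet with no existing mapping is simply dropped. All addresses
and ports are constructed sample values (documentation ranges).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The nonroutable private address spaces defined by RFC 1918.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class PatRouter:
    """One public address, many inside hosts (dynamic NAT with port multiplexing)."""

    def __init__(self, public_ip: str, first_port: int = 40000, last_port: int = 65535):
        self.public_ip = public_ip
        self.next_port = first_port
        self.last_port = last_port
        self.outbound = {}  # (proto, inside ip, inside port) -> public port
        self.inbound = {}   # (proto, public port) -> (inside ip, inside port)

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Rewrite an inside->outside packet; a mapping is created on first use."""
        if not is_rfc1918(pkt.src_ip):
            raise ValueError("this model only translates RFC 1918 source addresses")
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self.outbound:
            if self.next_port > self.last_port:
                raise RuntimeError("translation table exhausted")
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[(pkt.proto, port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, self.outbound[key],
                      pkt.dst_ip, pkt.dst_port, pkt.proto)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite an outside->inside packet, or return None to drop it."""
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self.inbound.get((pkt.proto, pkt.dst_port))
        if entry is None:
            return None  # unsolicited: no inside host is reachable through this port
        inside_ip, inside_port = entry
        return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port, pkt.proto)


def demo():
    """Two inside hosts using the same source port, one reply, one unsolicited probe."""
    router = PatRouter("192.0.2.1")
    a = router.translate_outbound(Packet("192.168.1.10", 5000, "203.0.113.5", 443))
    b = router.translate_outbound(Packet("192.168.1.11", 5000, "203.0.113.5", 443))
    reply_to_b = router.translate_inbound(Packet("203.0.113.5", 443, "192.0.2.1", b.src_port))
    probe = router.translate_inbound(Packet("203.0.113.77", 40123, "192.0.2.1", 22))
    return a, b, reply_to_b, probe
```

The two inside hosts both use source port 5000, so the router must hand out distinct public ports (40000 and 40001 here) to tell the returning replies apart; the probe to port 22 has no table entry and is dropped, which is the hiding effect the slide calls "a type of firewall". A real router also ages entries out of the table, which this model omits.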

Tunneling
- Enables a network to securely send its data through untrusted/shared network infrastructure
- Encrypts and encapsulates a network protocol within packets carried by second network
- Best-known example: virtual private networks
- Replacing WAN links because of security and low cost
- An option for most IP connectivity requirements

(Figure: Example of a Tunnel)

Virtual Local Area Networks (VLANs)
- Deployed using network switches
- Used throughout networks to segment different hosts from each other
- Often coupled with a trunk, which allows switches to share many VLANs over a single physical link

Benefits of VLANs
- Network flexibility
- Scalability
- Increased performance
- Some security features

Security Features of VLANs
- Can be configured to group together users in same group or team
- Offer some protection when sniffers are inserted into the network
- Protect unused switch ports
- Use an air gap to separate trusted from untrusted networks

Vulnerabilities of VLAN Trunks
- Trunk autonegotiation
  o Prevention: Disable autonegotiation on all ports
- Trunk VLAN membership and pruning
  o Prevention: Manually configure all trunk links with the VLANs that are permitted to traverse them

Chapter Summary
- Technologies used to create network topologies that secure data and networked resources
  o Perimeter networks
  o Network address translation (NAT)
  o Virtual local area networks (VLANs)

Intrusion Detection

Chapter 12

Learning Objectives
- Explain what intrusion detection systems are and identify some major characteristics of intrusion detection products
- Detail the differences between host-based and network-based intrusion detection
- Identify active detection and passive detection features of both host- and network-based IDS products
- Explain what honeypots are and how they are employed to increase network security
- Clarify the role of security incident response teams in the organization

Intrusion Detection System (IDS)
- Detects malicious activity in computer systems
  o Identifies and stops attacks in progress
  o Conducts forensic analysis once attack is over

The Value of IDS
- Monitors network resources to detect intrusions and attacks that were not stopped by preventative techniques (firewalls, packet-filtering routers, proxy servers)
- Expands available options to manage risk from threats and vulnerabilities

Negatives and Positives
- IDS must correctly identify intrusions and attacks
  o True positives
  o True negatives
  o False negatives: IDS missed an attack
  o False positives: benign activity reported as malicious

Dealing with False Negatives and False Positives
- False negatives
  o Obtain more coverage by using a combination of network-based and host-based IDS
  o Deploy NIDS at multiple strategic locations in the network
- False positives
  o Reduce number using the tuning process

Types of IDS
- Network-based (NIDS)
  o Monitors network traffic
  o Provides early warning system for attacks
- Host-based (HIDS)
  o Monitors activity on host machine
  o Able to stop compromises while they are in progress

Network-based IDS
- Uses a dedicated platform for purpose of monitoring network activity
- Analyzes all passing traffic
- Sensors have two network connections
  o One operates in promiscuous mode to sniff passing traffic
  o An administrative NIC sends data such as alerts to a centralized management system
- Most commonly employed form of IDS

(Figure: NIDS Monitoring and Management Interfaces)

NIDS Architecture
- Place IDS sensors strategically to defend most valuable assets
- Typical locations of IDS sensors
  o Just inside the firewall
  o On the DMZ
  o On the server farm segment
  o On network segments connecting mainframe or midrange hosts

Connecting the Monitoring Interface
- Using Switch Port Analyzer (SPAN) configurations, or similar switch features
- Using hubs in conjunction with switches
- Using taps in conjunction with switches

SPAN
- Allows traffic sent or received in one interface to be copied to another monitoring interface
- Typically used for sniffers or NIDS sensors

(Figure: How SPAN Works)

Limitations of SPAN
- Traffic between hosts on the same segment is not monitored; only traffic leaving the segment crosses the monitored link
- Switch may offer limited number of SPAN ports or none at all

Hub
- Device for creating LANs that forward every packet received to every host on the LAN
- Allows only a single port to be monitored

(Figure: Using a Hub in a Switched Infrastructure)

Tap
- Fault-tolerant hub-like device used inline to provide IDS monitoring in switched network infrastructures

NIDS Signature Types
- Signature-based IDS
- Port signature
- Header signatures

Network IDS Reactions
- TCP resets
- IP session logging
- Shunning or blocking

Host-based IDS
- Primarily used to protect only critical servers
- Software agent resides on the protected system
- Detects intrusions by analyzing logs of operating systems and applications, resource utilization, and other system activity
- Use of resources can have impact on system performance

HIDS Method of Operation
- Auditing logs (system logs, event logs, security logs, syslog)
- Monitoring file checksums to identify changes
- Elementary network-based signature techniques including port activity
- Intercepting and evaluating requests by applications for system resources before they are processed
- Monitoring of system processes for suspicious activity

HIDS Software
- Host wrappers
  o Inexpensive and deployable on all machines
  o Do not provide in-depth, active monitoring measures of agent-based HIDS products
- Agent-based software
  o More suited for single purpose servers

HIDS Active Monitoring Capabilities
- Log the event
- Alert the administrator
- Terminate the user login
- Disable the user account

Advantages of Host-based IDS
- Verifies success or failure of attack by reviewing HIDS log entries
- Monitors use and system activities; useful in forensic analysis of the attack
- Protects against attacks that are not network based
- Reacts very quickly to intrusions
- Not reliant on particular network infrastructure; not limited by switched infrastructures
- Installed on protected server itself; requires no additional hardware to deploy and no changes to network infrastructure

Passive Detection Systems
- Can take passive action (logging and alerting) when an attack is identified
- Cannot take active actions to stop an attack in progress

Active Detection Systems
- Have logging, alerting, and recording features of passive IDS, with additional ability to take action against offending traffic
- Options
  o IDS shunning or blocking
  o TCP reset
- Used in networks where IDS administrator has carefully tuned the sensor's behavior to minimize number of false positive alarms

(Figure: TCP Reset)

Signature-based and Anomaly-based IDS
- Signature detection
  o Also known as misuse detection
  o IDS analyzes information it gathers and compares it to a database of known attacks, which are identified by their individual signatures
- Anomaly detection
  o Baseline is defined to describe normal state of network or host
  o Any activity outside baseline is considered to be an attack
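Both detection methods, and the true/false positive/negative outcomes from the "Negatives and Positives" slide, as one added worked example that also covers the anomaly-based and signature-based detection slides of the previous chapter. This is code written for this page, not the textbook's or any IDS product's; the log format, the signature list, the addresses and the "known malicious" labels used for scoring are all constructed sample data, and the function names are invented.

```python
"""Signature-based vs anomaly-based detection, and how the alerts score.

Added example (not the textbook's code). Runs two detectors over constructed
web-access log lines, then scores the alerts against constructed ground
truth to show true/false positives and negatives.
All addresses, paths and "known attacker" labels are invented sample data.
"""
import re
import statistics
from collections import Counter

# Constructed baseline (profile-building) traffic: "src=IP METHOD PATH STATUS".
BASELINE_LOGS = [
    "src=198.51.100.7 GET /index.html 200",
    "src=198.51.100.7 GET /about.html 200",
    "src=198.51.100.8 GET /index.html 200",
    "src=198.51.100.9 GET /contact.html 200",
    "src=198.51.100.9 GET /index.html 200",
    "src=198.51.100.10 GET /index.html 200",
]

# Constructed detection-window traffic.
WINDOW_LOGS = [
    "src=198.51.100.7 GET /index.html 200",
    "src=198.51.100.7 GET /account/passwd-reset.html 200",   # benign page; a naive signature fires
    "src=198.51.100.8 GET /index.html 200",
    "src=203.0.113.9 GET /cgi-bin/../../../etc/passwd 404",  # traversal attempt
    "src=203.0.113.10 GET /login 401",  # labelled malicious below; nothing here matches
] + ["src=198.51.100.20 GET /page%d.html 200" % i for i in range(25)]  # busy but legitimate crawler

# Ground truth used only for scoring, constructed for the example.
MALICIOUS_SOURCES = {"203.0.113.9", "203.0.113.10"}

# Signature list: each pattern is matched against the requested path.
# "passwd" is deliberately broad to show how a signature produces a false positive.
SIGNATURES = [
    ("path-traversal", re.compile(r"\.\./")),
    ("passwd-reference", re.compile(r"passwd")),
]

LINE_RE = re.compile(r"src=(\S+) (\S+) (\S+) (\d{3})$")


def parse(line):
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("unrecognised log line: %r" % line)
    src, method, path, status = m.groups()
    return {"src": src, "method": method, "path": path, "status": int(status)}


def signature_alerts(lines):
    """Misuse detection: compare each request against the known-bad patterns."""
    alerts = []
    for rec in map(parse, lines):
        for name, pattern in SIGNATURES:
            if pattern.search(rec["path"]):
                alerts.append((rec["src"], name))
    return alerts


def build_profile(lines):
    """Baseline: mean and population standard deviation of requests per source."""
    counts = Counter(rec["src"] for rec in map(parse, lines))
    values = list(counts.values())
    return statistics.mean(values), statistics.pstdev(values)


def anomaly_alerts(lines, profile, k=3.0):
    """Flag any source whose request count sits more than k deviations above the baseline."""
    mean, stdev = profile
    threshold = mean + k * max(stdev, 1.0)  # floor so a flat baseline does not flag everyone
    counts = Counter(rec["src"] for rec in map(parse, lines))
    return [(src, "request-rate") for src, n in counts.items() if n > threshold]


def confusion_matrix(alerted, malicious, all_sources):
    """Per source: true/false positive/negative counts."""
    result = {"tp": 0, "fp": 0, "tn": 0, "fn": 0}
    for src in all_sources:
        hit, bad = src in alerted, src in malicious
        key = "tp" if hit and bad else "fp" if hit else "fn" if bad else "tn"
        result[key] += 1
    return result


def run_window():
    sig = signature_alerts(WINDOW_LOGS)
    anom = anomaly_alerts(WINDOW_LOGS, build_profile(BASELINE_LOGS))
    alerted = {src for src, _ in sig + anom}
    sources = {parse(line)["src"] for line in WINDOW_LOGS}
    return {"signature": sig, "anomaly": anom,
            "scores": confusion_matrix(alerted, MALICIOUS_SOURCES, sources)}
```

On this window the traversal attempt is a true positive for the signature detector, the benign password-reset page is a false positive caused by an over-broad signature (the tuning problem), the crawler is a false positive for the anomaly detector because it is merely busier than the baseline, and the slow login prober is a false negative for both: nothing it did matched a signature or stood out statistically, which is the coverage gap the chapter addresses with a combination of sensors.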

Intrusion Detection Products
- Aladdin Knowledge Systems
- Entercept Security Technologies
- Cisco Systems, Inc.
- Computer Associates International Inc.
- CyberSafe Corp.
- Cylant Technology
- Enterasys Networks Inc.
- Internet Security Systems Inc.
- Intrusion.com Inc. family of IDS products
- NFR Security
- Network-1 Security Solutions
- Raytheon Co.
- Recourse Technologies
- Sanctum Inc.
- Snort
- Sourcefire, Inc.
- Symantec Corp.
- TripWire Inc.

Honeypots
- False systems that lure intruders and gather information on methods and techniques they use to penetrate networks by purposely becoming victims of their attacks
- Simulate unsecured network services
- Make forensic process easy for investigators

Commercial Honeypots
- ManTrap
- Specter
- Smoke Detector
- NetFacade

Open Source Honeypots
- BackOfficer Friendly
- BigEye
- Deception Toolkit
- LaBrea Tarpit
- Honeyd
- Honeynets
- User Mode Linux

Honeypot Deployment
- Goal
  o Gather information on hacker techniques, methodology, and tools
- Options
  o Conduct research into hacker methods
  o Detect attacker inside organization's network perimeter

Honeypot Design
- Must attract, and avoid tipping off, the attacker
- Must not become a staging ground for attacking other hosts inside or outside the firewall

Honeypots, Ethics, and the Law
- Nothing wrong with deceiving an attacker into thinking that he/she is penetrating an actual host
- Honeypot does not convince one to attack it; it merely appears to be a vulnerable target
- Doubtful that honeypots could be used as evidence in court

Incident Response
- Every IDS deployment should include two documents to answer "what now" questions
  o IDS monitoring policy and procedure
  o Incident response plan

IDS Monitoring
- Requires well-documented monitoring procedures that detail actions for specific alerts

Information Security Incident Response Team (SIRT)
- Responsible for assigning personnel to assemble resources required to handle security incidents

Typical SIRT Objectives
- Determine how incident happened
- Establish process for avoiding further exploitations of the same vulnerability
- Avoid escalation and further incidents
- Assess impact and damage of the incident
- Recover from the incident
- Update procedures as needed
- Determine who was responsible
- Involve legal counsel and law enforcement officials, as appropriate

Chapter Summary
- Two major types of intrusion detection
  o Network-based IDS (monitor network traffic)
  o Host-based IDS (monitor activity on individual computers)
- Honeypots
- Incident response

Security Baselines

Chapter 13

Learning Objectives
- Gain an understanding of OS/NOS vulnerabilities and hardening practices
- Understand the operation of a file system and how to secure a file system
- Explore common network hardening practices, including firmware updates and configuration best practices
- Identify network services commonly exploited by attackers and learn best practices for writing access control lists
- Explore vulnerabilities regarding network services such as Web, FTP, DNS, DHCP, Mail, File/Print Servers and Data Repositories as well as best practices in securing such services

Operating System (OS)
- Performs basic tasks
  o Recognizes input from keyboard
  o Sends output to display screen
  o Keeps track of files and directories on the disk
  o Controls peripheral devices (disk drives, printers)

Network Operating System (NOS)
- Includes special functions for connecting computers and devices into a LAN
- Some have built-in networking functions

OS/NOS Hardening
- Process of modifying an OS's default configuration to make it more secure to outside threats
- May include removal of unnecessary programs and services
- May include application of patches to system kernel to limit vulnerability

(Figure: OS/NOS Hardening)

Actions that Can Disrupt Functionality of a System
- Attacks
- Malfunctions
- Errors

Best Practices for System Hardening
- Remove unused applications, services, and unused or unnecessary file shares
- Implement and enforce strong password policies; remove or disable expired or unneeded accounts
- Limit number of administrative accounts
- Set account lockout policies to discourage password cracking
- Keep track of latest security updates and hot fixes
- Maintain logging of all user account and administrative activity
- Back up the system periodically
- Keep external log of each critical system
- Maintain records of backups and upgrades

File Systems
- Store data that enable communication between an application and its supporting disk drives
- Setting privileges and access controls protects information stored on the computer
  o Common privileges: read, write (modify), lock, append, and execute
  o Group users by common needs
  o Additional rights can be granted to a single user in a group
  o Principle of least privilege

Creating Needed User Groups
- System administrator configures operating system to recognize certain user groups
- Individual users are assigned to appropriate groups

Configuring Access Controls
- System administrator configures access controls for all protected files, directories, devices, and other objects

Common Practices for Setting File and Data Privileges
Disable write and execute privileges for all executable and binary files
Restrict access to OS source files, configuration files, and their directories
For UNIX systems:
o No world-writable files unless specifically required
o Mount file systems as read-only and nosuid
For NT systems:
o No permissions allowing Everyone group to modify files
Assign access permission of immutable to all kernel files
Establish all log files as append only
Prevent users from installing, removing, or editing scripts
Pay attention to access control inheritance when defining categories of files and users
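The UNIX practices above ("no world-writable files unless specifically required", nothing running setuid that does not need to) are easiest to enforce when they are checked routinely. The following is an added example, not code from the slides: a small audit script that walks a directory tree and reports world-writable objects and setuid/setgid binaries, with a least-privilege mode suggestion for each. The helper names and the sample tree it builds in a temporary directory are constructed for the demo.

```python
import os
import stat
import tempfile
from typing import Dict, List

# Hypothetical helper (added example, not from the slides): walk a directory
# tree and flag files that violate the UNIX practices listed above.
def audit_tree(root: str) -> Dict[str, List[str]]:
    """Return paths (relative to root) that are world-writable, or regular
    files carrying the setuid/setgid bits."""
    findings: Dict[str, List[str]] = {"world_writable": [], "setuid_setgid": []}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            mode = st.st_mode
            if stat.S_ISLNK(mode):
                continue  # a symlink's own mode bits are not meaningful
            rel = os.path.relpath(path, root)
            # Any world-writable file, or a world-writable directory lacking the sticky bit
            if mode & stat.S_IWOTH and not (stat.S_ISDIR(mode) and mode & stat.S_ISVTX):
                findings["world_writable"].append(rel)
            if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
                findings["setuid_setgid"].append(rel)
    return findings


def suggested_mode(path: str) -> int:
    """Least-privilege suggestion: drop the world-write bit, keep everything else."""
    return stat.S_IMODE(os.lstat(path).st_mode) & ~stat.S_IWOTH


def build_demo_tree() -> str:
    """Constructed sample tree (not real system files) so the audit runs offline."""
    root = tempfile.mkdtemp(prefix="privaudit_")
    paths = {
        "config.conf": 0o640,   # compliant: owner rw, group r, world none
        "shared.log": 0o666,    # violation: world-writable
        "helper": 0o4755,       # violation: setuid executable
    }
    for name, mode in paths.items():
        p = os.path.join(root, name)
        with open(p, "w") as fh:
            fh.write("demo\n")
        os.chmod(p, mode)
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    for category, names in audit_tree(demo).items():
        for rel in names:
            full = os.path.join(demo, rel)
            print(f"{category}: {full} -> suggested mode {oct(suggested_mode(full))}")
```

Run it against a real file system root instead of the demo tree to produce the list of objects that "specifically require" their current permissions; anything not on that list is a candidate for remediation.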

Installing and Configuring File Encryption Capabilities
File encryption is useful if the OS
o Lacks adequate access controls to maintain confidentiality
o Does not support access control lists
Encryption is resource-consuming; carefully weigh benefits

Systematic Approach for Addressing Updates
Establish procedures for monitoring security-related information
Evaluate updates for applicability
Plan installation of applicable updates
Install updates using a documented plan
Deploy new systems with latest software

Network Hardening
Crucial to have a network with availability as well as adequate security

Firmware Updates
Made available by vendors as vulnerabilities and malfunctions are discovered in previous versions

Configuration
Routing functions
o Designed to route packets efficiently and reliably, but not securely
o Not to be used to implement a security policy
Firewall systems
o Should govern security of information flow in and out of the network
o Provide a policy enforcement mechanism at a security domain boundary


Assigning Network Addresses for Interfaces on a Firewall Device
For the Internet
o Obtain IP addresses from ISP that connects to the firewall
For internal networks
o Obtain IP addresses from within the organization, typically from RFC 1918 specification

Establishing Routing Configuration
Should be performed in an environment isolated from the production network
Should specify what connectivity is to be permitted with specific statements and deny all other connectivity
Derived from network topology; should not be used to implement aspects of a security policy


Best Practices for Configuring Router and Firewall Systems
Keep copy of current configurations of network devices in safe location
Never allow IP-directed broadcasts through the system
Configure devices with meaningful names
Use a description for each interface
Specify bandwidth on the interfaces
Configure a loopback address
Handle SNMP with care
Avoid common names for password and naming schemes
Deploy logging about interface status, events, and debugging
Restrict data traffic to required ports and protocols only


Access Control List (ACL)
Set of data that informs a computer's OS which permissions (access rights) each user or group has to a specific system object
Control flow of packets through a device based on certain parameters and information contained within a packet
Implement a certain type of security policy, but not considered a policy by themselves
Implement packet filtering

Packet Filtering
Process of deciding the disposition of each packet that can pass through a router
Provides basic protection mechanism for a routing firewall device through inspection of packet contents
Can be based on intrinsic or extrinsic information pertaining to a data packet


Best Practices for Designing Filtering Rules for New Networks
Add deny all rule to articulate the security policy more completely
Design antispoofing rules and place them at top of the ACL
Identify protocols, ports, and source and destination addresses that need to be serviced
Configure filtering rule set of the ACL by protocol and by port
Collapse matching protocol rows and consecutive port rows together into one new row that specifies a range
Place all permission rules between antispoofing rules and deny all rule at the end of the rule set
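The ordering rules above (antispoofing first, collapsed permits in the middle, deny all last) are worth seeing as a data structure rather than a checklist. This added example, which is not the slides' own material, assembles such a rule set from a list of required services and then evaluates packets against it with the first-match semantics a router applies. The rule format, the function names and the inventory (RFC 5737 documentation prefixes, not real hosts) are assumptions made for the demo.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Added example (not from the slides). Hypothetical rule format: a dict with
# action, protocol, source network, destination network, destination port range, note.
Rule = Dict[str, object]

# Source prefixes that must never arrive on the outside interface.
BOGUS_SOURCES = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"]


def make_rule(action: str, proto: str, src: str, dst: str,
              ports: Optional[Tuple[int, int]], note: str) -> Rule:
    return {"action": action, "proto": proto, "src": ipaddress.ip_network(src),
            "dst": ipaddress.ip_network(dst), "ports": ports, "note": note}


def collapse_ports(ports: List[int]) -> List[Tuple[int, int]]:
    """Merge consecutive ports into (low, high) ranges: [80, 443, 8080, 8081, 8082]
    becomes [(80, 80), (443, 443), (8080, 8082)]."""
    ordered = sorted(set(ports))
    ranges: List[Tuple[int, int]] = []
    start = prev = ordered[0]
    for p in ordered[1:]:
        if p != prev + 1:
            ranges.append((start, prev))
            start = p
        prev = p
    ranges.append((start, prev))
    return ranges


def build_acl(internal_net: str, services: List[Tuple[str, str, int]]) -> List[Rule]:
    """Assemble the rule set in the recommended order:
    antispoofing denies first, collapsed permits in the middle, deny-all last."""
    rules: List[Rule] = []
    # Antispoofing: packets on the outside interface must not claim inside or private sources.
    for net in [internal_net] + BOGUS_SOURCES:
        if not any(r["src"] == ipaddress.ip_network(net) for r in rules):
            rules.append(make_rule("deny", "any", net, "0.0.0.0/0", None, "antispoof"))
    # Group the required services by protocol and destination, then collapse ports.
    grouped: Dict[Tuple[str, str], List[int]] = {}
    for proto, dst, port in services:
        grouped.setdefault((proto, dst), []).append(port)
    for (proto, dst), ports in sorted(grouped.items()):
        for lo, hi in collapse_ports(ports):
            rules.append(make_rule("permit", proto, "0.0.0.0/0", dst, (lo, hi), "service"))
    rules.append(make_rule("deny", "any", "0.0.0.0/0", "0.0.0.0/0", None, "deny all"))
    return rules


def evaluate(rules: List[Rule], proto: str, src: str, dst: str, dport: int) -> Tuple[str, str]:
    """First-match evaluation, as a router ACL does; returns (action, note)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r["proto"] not in ("any", proto):
            continue
        if s not in r["src"] or d not in r["dst"]:
            continue
        if r["ports"] is not None and not (r["ports"][0] <= dport <= r["ports"][1]):
            continue
        return r["action"], r["note"]
    return "deny", "implicit"


# Constructed inventory: documentation prefixes only (RFC 5737), not real hosts.
INTERNAL_NET = "203.0.113.0/24"
SERVICES = [
    ("tcp", "203.0.113.10/32", 80), ("tcp", "203.0.113.10/32", 443),
    ("tcp", "203.0.113.20/32", 8080), ("tcp", "203.0.113.20/32", 8081),
    ("tcp", "203.0.113.20/32", 8082),
]

if __name__ == "__main__":
    for r in build_acl(INTERNAL_NET, SERVICES):
        print(r["action"], r["proto"], r["src"], "->", r["dst"], r["ports"], r["note"])
```

The five service entries collapse to three permit rows, and because the deny-all row is explicit rather than implied, a packet that matches nothing is rejected with a reason the log can record.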


Enabling and Disabling of Services and Protocols
Many services can be easily targeted by attackers unless disabled by system administrators
Evaluate every service for need and risks; remove unnecessary ones
Evaluate and install required services in a manner that lowers potential risk

Commonly Exploited Services
Remote Procedure Call (RPC)
Network File System (NFS)
Web services
Simple Mail Transfer Protocol (SMTP)
Bootstrap Protocol
DoS attacks are successful when unnecessary services are running on network devices


Commonly Exploited Services on Cisco Platforms
Cisco Discovery Protocol (CDP)
TCP small servers
UDP small servers
Finger
HTTP server
Bootp server
Configuration autoloading
IP source
Proxy ARP
IP-directed broadcast
Classless routing behavior
IP unreachable notifications
IP mask relay
IP redirects
NTP service
Simple Network Management Protocol
Domain Name Service


Application Hardening
Process of making application software secure by ensuring that the software contains security-enabling technology:
o Sign-in capabilities for authenticated network connections
o Ability to run properly in secured configurations

Applications that Need Hardening
Web servers
E-mail servers
FTP servers
DNS servers
NNTP servers
File and print servers
DHCP servers
Data repositories
Directory services


Web Servers
Associated with more attacks and vulnerabilities than any other type of server
Designed to make information accessible, rather than to protect it

High Level Best Practices for Securing Web Servers
Isolate a Web server on a DMZ
Configure a Web server for access privileges
Identify and enable Web server-specific logging tools
Consider security implications
Configure authentication and encryption


Isolating a Web Server on a DMZ

E-mail Servers
Serious risks associated with ability to receive e-mail from the outside world
o Attachments with malicious contents
o E-mails with abnormal MIME headers
o Scripts embedded into HTML-enabled mail


Protecting Against E-mail Vulnerabilities
Use latest software updates and patches on e-mail server
Deploy dedicated e-mail relay (gateway) server between internal network and Internet
Deploy virus-scanning tools on the server
Use attachment-checking mechanisms on the server
Use HTML active content removal

FTP Servers
File Transfer Protocol
o Used to transfer files between a workstation and an FTP server


Vulnerabilities Associated with FTP
Protecting against bouncebacks
Restricting areas
Protecting usernames and passwords
Port stealing
Other documented vulnerabilities

DNS Servers
Domain Name Service (DNS)
o Collective name for system of servers that translate names into addresses in a process transparent to the end user


Vulnerabilities Associated with DNS
Inaccurate data on IP address ownership
Customer registry communication
DNS spoofing and cache poisoning
Out-of-date root.hints file
Recursive queries
Denial-of-service attacks


NNTP Servers
Network News Transfer Protocol (NNTP)
o Delivers news articles to users on the Internet
o Stores articles in a central database; users choose only items of interest
o Makes few demands on structure, content, or storage of news articles
NNTP servers can index and cross-reference messages, and allow for notification of expiration


NNTP Servers
Similar vulnerabilities to other network services
Effective methods of preventing attacks
o Use proper authentication mechanisms
o Disable unneeded services
o Apply relevant software and OS patches

File and Print Servers
Store many of an organization's most valuable and confidential information resources


Protecting Against File and Print Server Vulnerabilities
Offer only essential network and OS services on a server
Configure servers for user authentication
Configure server operating systems
Manage logging and other data collection mechanisms
Configure servers for file backups

DHCP Servers
Dynamic Host Configuration Protocol (DHCP)
o Software that assigns dynamic IP addresses to devices on a network
o Reduces administrative burden
o No security provisions


Preventing Attacks on DHCP Servers
Assign permanent addresses
o Collect Media Access Control (MAC) addresses of all computers on network and bind them to corresponding IP addresses
Use dynamic addressing, but monitor log files
Use intrusion detection tools
Configure DHCP server to force stations with new MAC addresses on the network to register with the DHCP server
Implement latest software and patches
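"Monitor log files" against a MAC-to-IP binding table is the detection side of the measures above. The following is an added example and not part of the slides: it parses ISC-dhcpd-style DHCPACK lines (the log lines and the binding table are constructed for the demo) and raises alerts for unregistered MAC addresses, known MACs that received the wrong address, and a burst of unknown clients taking leases, which is the pattern an address-pool exhaustion attempt leaves behind.

```python
import re
from typing import Dict, List, Tuple

# Added example (not from the slides). Matches ISC-dhcpd-style acknowledgement
# lines; the log lines below are constructed for the demo.
LEASE_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
)

# Hypothetical MAC-to-IP binding table, built when the hosts were inventoried.
BINDINGS: Dict[str, str] = {
    "aa:bb:cc:dd:ee:01": "192.168.10.20",
    "aa:bb:cc:dd:ee:02": "192.168.10.21",
    "aa:bb:cc:dd:ee:03": "192.168.10.22",
}

# Constructed sample log (not captured from a real server).
SAMPLE_LOG = """\
Mar  3 08:01:10 dhcp dhcpd: DHCPACK on 192.168.10.20 to aa:bb:cc:dd:ee:01 (host-a) via eth0
Mar  3 08:01:15 dhcp dhcpd: DHCPACK on 192.168.10.21 to AA:BB:CC:DD:EE:02 (host-b) via eth0
Mar  3 08:02:40 dhcp dhcpd: DHCPACK on 192.168.10.20 to aa:bb:cc:dd:ee:03 (host-c) via eth0
Mar  3 08:03:02 dhcp dhcpd: DHCPACK on 192.168.10.50 to 02:11:22:33:44:55 via eth0
Mar  3 08:03:03 dhcp dhcpd: DHCPACK on 192.168.10.51 to 02:11:22:33:44:56 via eth0
Mar  3 08:03:04 dhcp dhcpd: DHCPACK on 192.168.10.52 to 02:11:22:33:44:57 via eth0
Mar  3 08:03:05 dhcp dhcpd: DHCPDISCOVER from 02:11:22:33:44:58 via eth0
"""


def analyze_leases(lines: List[str], bindings: Dict[str, str],
                   burst_threshold: int = 3) -> List[Tuple[str, str, str]]:
    """Compare each acknowledged lease against the binding table.

    Alerts are (kind, mac_or_count, detail):
      unregistered_mac  - a MAC not in the inventory obtained an address
      binding_mismatch  - a known MAC got an address other than its assigned one
      lease_burst       - many unregistered MACs leased addresses (pool exhaustion pattern)
    """
    alerts: List[Tuple[str, str, str]] = []
    unknown_macs = set()
    for line in lines:
        m = LEASE_RE.search(line)
        if not m:
            continue  # not an acknowledgement; DISCOVER/OFFER lines are ignored here
        ip, mac = m["ip"], m["mac"].lower()  # normalise case before the lookup
        if mac not in bindings:
            unknown_macs.add(mac)
            alerts.append(("unregistered_mac", mac, ip))
        elif bindings[mac] != ip:
            alerts.append(("binding_mismatch", mac, f"expected {bindings[mac]}, got {ip}"))
    if len(unknown_macs) >= burst_threshold:
        alerts.append(("lease_burst", str(len(unknown_macs)), "unregistered MACs took leases"))
    return alerts


if __name__ == "__main__":
    for alert in analyze_leases(SAMPLE_LOG.splitlines(), BINDINGS):
        print(*alert)
```

The burst threshold is deliberately a parameter: on a network with a registration requirement any unregistered lease is worth a ticket, whereas on a guest network only the volume is interesting.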


Data Repositories
Store data for archiving and user access
Contain an organization's most valuable assets in terms of information
Should be carefully protected

Directory Services
Lightweight Directory Access Protocol (LDAP)
o Industry standard protocol for providing networking directory services for the TCP/IP model
o Can store and locate information about entities and other network resources
o Based on simple, treelike hierarchy called a Directory Information Tree (DIT)


Directory Service-Oriented Threats
Unauthorized access to data by monitoring or spoofing authorized users' operations
Unauthorized access to resources by physically taking over authenticated connections and sessions
Unauthorized modification or deletion of data or configuration parameters
Spoofing of directory services
Excessive use of resources


Nondirectory Service-Oriented Threats
Common network-based attacks against LDAP servers to compromise availability of resources
Attacks against hosts by physically accessing the resources
Attacks against back-end databases that provide directory services

Security of LDAP Is Dependent on
Authentication
o Anonymous
o Simple
o Simple Authentication and Security Layer (SASL) for LDAPv3
Authorization


Principles of Security to Protect Databases
Authentication of users and applications
Administration policies and procedures
Initial configuration
Auditing
Backup and recovery procedures

Chapter Summary
Role of operating and file systems as they relate to security of information resources stored on computer systems
Operating system vulnerabilities
Use of OS hardening practices to prevent attacks and system failures
Vulnerabilities associated with common services installed on computer systems (WWW services, FTP, DNS) and best practices in protecting against threats to these services
Maintenance and upgrade of computer systems


Cryptography
Chapter 14

Learning Objectives
Understand the basics of algorithms and how they are used in modern cryptography
Identify the differences between asymmetric and symmetric algorithms
Have a basic understanding of the concepts of cryptography and how they relate to network security
Discuss characteristics of PKI certificates and the policies and procedures surrounding them
Understand the implications of key management and a certificate's lifecycle

Cryptography
Study of complex mathematical formulas and algorithms used for encryption and decryption
Allows users to transmit sensitive information over unsecured networks
Can be either strong or weak

Cryptography Terminology
Plaintext
o Data that can be read without any manipulation
Encryption
o Method of disguising plaintext to hide its substance
Ciphertext
o Plaintext that has been encrypted and is an unreadable series of symbols and numbers

How Encryption and Decryption Work

Algorithms
Mathematical functions that work in tandem with a key
Same plaintext data encrypts into different ciphertext with different keys
Security of data relies on:
o Strength of the algorithm
o Secrecy of the key

Hashing
Method used for verifying data integrity
Uses variable-length input that is converted to a fixed-length output string (hash value)
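To make the hashing slide concrete, here is an added example that is not from the slides: SHA-256 digests used as a file-integrity baseline (the variable-length input, fixed-length output property the slide describes), plus a keyed hash (HMAC) for the case where whoever can alter the data could also replace a plain digest. The function names and the sample file contents are constructed for the demo.

```python
import hashlib
import hmac
from typing import Dict, List

# Added example (not from the slides): hashing for integrity checking, plus a keyed
# hash (HMAC) so that a tamperer who can rewrite the data cannot also rewrite the tag.

def digest(data: bytes) -> str:
    """Fixed-length (64 hex chars) SHA-256 hash of variable-length input."""
    return hashlib.sha256(data).hexdigest()


def verify_integrity(data: bytes, expected_hex: str) -> bool:
    # compare_digest avoids leaking where the comparison stopped matching
    return hmac.compare_digest(digest(data), expected_hex)


def keyed_tag(key: bytes, data: bytes) -> str:
    """HMAC-SHA256: integrity plus origin authentication for whoever holds `key`."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_tag(key: bytes, data: bytes, tag_hex: str) -> bool:
    return hmac.compare_digest(keyed_tag(key, data), tag_hex)


def make_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Baseline: name -> digest for every protected file (tripwire-style)."""
    return {name: digest(content) for name, content in files.items()}


def changed_files(files: Dict[str, bytes], manifest: Dict[str, str]) -> List[str]:
    """Names whose content no longer matches the baseline, plus files that vanished."""
    changed = [n for n, c in files.items() if not verify_integrity(c, manifest.get(n, ""))]
    missing = [n for n in manifest if n not in files]
    return sorted(changed + missing)


# Constructed sample data for the demo (not real system files).
BASELINE = {"/etc/hosts": b"127.0.0.1 localhost\n",
            "/etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n"}
TAMPERED = {"/etc/hosts": b"127.0.0.1 localhost\n",
            "/etc/passwd": b"root:x:0:0:root:/root:/bin/sh\nsvc:x:1001:1001::/home/svc:/bin/sh\n"}

if __name__ == "__main__":
    manifest = make_manifest(BASELINE)
    print("changed:", changed_files(TAMPERED, manifest))
```

A plain digest detects accidental or unauthorised change only while the baseline itself is stored out of the tamperer's reach; the HMAC variant removes that dependency because the tag cannot be recomputed without the key.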

Symmetric versus Asymmetric Algorithms
Symmetric
o Advantages: single key
o Disadvantages: requires sender and receiver to agree on a key before transmission of data; security lies only with the key; high cost
Asymmetric
o Advantages: encryption and decryption keys are different; decryption key cannot be calculated from encryption key
o Disadvantages: security of keys can be compromised when malicious users post phony keys

Symmetric Algorithms
Usually use same key for encryption and decryption
Encryption key can be calculated from decryption key and vice versa
Require sender and receiver to agree on a key before they communicate securely
Security lies with the key
Also called secret key algorithms, single-key algorithms, or one-key algorithms

Encryption Using a Symmetric Algorithm

Categories of Algorithms
Stream algorithms
o Operate on the plaintext one bit at a time
Block algorithms
o Encrypt and decrypt data in groups of bits, typically 64 bits in size

Asymmetric Algorithms
Use different keys for encryption and decryption
Decryption key cannot be calculated from the encryption key
Anyone can use the public key to encrypt data and send it to the host; only the host can decrypt the data
Also known as public key algorithms

Common Encryption Algorithms
Lucifer (1974)
Diffie-Hellman (1976)
RSA (1977)
DES (1977)
Triple DES (1998)
IDEA (1992)
Blowfish (1993)
RC5 (1995)

Primary Functions of Cryptography
Confidentiality
Authentication
Integrity
Nonrepudiation

Digital Signatures
Based on asymmetric algorithms; allow the recipient to verify whether a public key belongs to its owner
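The asymmetric-algorithm and digital-signature slides above both rest on one mechanism: two related keys, where what one key does only the other can undo. This added example (not the slides' material, and not RSA as deployed) uses textbook RSA with small assumed primes so the split is visible: the public key encrypts and verifies, the private key decrypts and signs, and a signature over a hash fails on a tampered message or a different key. Key sizes, padding and the two Mersenne primes used are choices made for the demo only.

```python
import hashlib
from math import gcd
from typing import Tuple

# Added example (not from the slides): textbook RSA with small, assumed primes to make
# the public/private key split visible. Real deployments use 2048-bit moduli and
# padding schemes; this toy illustrates the mechanics only.

PublicKey = Tuple[int, int]   # (e, n)
PrivateKey = Tuple[int, int]  # (d, n)


def generate_keypair(p: int, q: int, e: int = 65537) -> Tuple[PublicKey, PrivateKey]:
    """Derive the key pair from two primes; d is e's inverse modulo phi(n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # Python 3.8+ modular inverse
    return (e, n), (d, n)


def encrypt(message: int, public: PublicKey) -> int:
    """Anyone holding the public key can encrypt; only the private key decrypts."""
    e, n = public
    if not 0 <= message < n:
        raise ValueError("message must be an integer below the modulus")
    return pow(message, e, n)


def decrypt(ciphertext: int, private: PrivateKey) -> int:
    d, n = private
    return pow(ciphertext, d, n)


def _hash_to_int(data: bytes, n: int) -> int:
    # Hash first so the signature covers an arbitrarily long message; reduced mod n for the toy.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data: bytes, private: PrivateKey) -> int:
    """Signing uses the private key: only the owner can produce this value."""
    d, n = private
    return pow(_hash_to_int(data, n), d, n)


def verify(data: bytes, signature: int, public: PublicKey) -> bool:
    """Verification uses the public key, so any recipient can check it."""
    e, n = public
    return pow(signature, e, n) == _hash_to_int(data, n)


# Assumed small primes for the demo: the Mersenne primes 2^17-1 and 2^19-1.
DEMO_PUBLIC, DEMO_PRIVATE = generate_keypair(131071, 524287)

if __name__ == "__main__":
    m = int.from_bytes(b"hi", "big")
    c = encrypt(m, DEMO_PUBLIC)
    print("roundtrip ok:", decrypt(c, DEMO_PRIVATE) == m)
    s = sign(b"invoice #17: pay 100", DEMO_PRIVATE)
    print("signature verifies:", verify(b"invoice #17: pay 100", s, DEMO_PUBLIC))
```

Note what the verifier learns: that the signer held the private key matching this public key. Whether that public key really belongs to the claimed person is exactly the question the certificate slides that follow address.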

Certificates
Credentials that allow a recipient to verify whether a public key belongs to its owner
o Verify sender's information with identity information that is bound to the public key
Components
o Public key
o One or more digital signatures
o Certificate information (eg, user's name, ID)

Public Key Infrastructure (PKI) Certificates
Certificate storage facility that provides certification management functionality (eg, ability to issue, revoke, store, retrieve, and trust certificates)
Certification authority (CA)
o Primary feature of PKI
o Trusted person or group responsible for issuing certificates to authorized users on a system
o Creates certificates and digitally signs them using a private key


PKI Policies and Practices
Validity establishes that a public key certificate belongs to its owner
CA issues certificates to users by binding a public key to identification information of the requester
User can manually check a certificate's fingerprint

PKI Revocation
Certificates have a restricted lifetime; a validity period is created for all certificates
Certificate revocation list (CRL)
o Communicates which certificates within a PKI have been revoked


Trust Models
Techniques that establish how users validate certificates
o Direct trust
o Hierarchical trust
o Web of trust

Direct Trust Model
User trusts a key because the user knows where it came from


Hierarchical Trust Model
Based on a number of root certificates


Web of Trust
Combines concepts of direct trust and hierarchical trust
Adds the idea that trust is relative to each requester
Central theme: the more information available, the better the decision

Key and Certificate Life Cycle Management
Setup or initialization
Administration of issued keys and certificates
Certificate cancellation and key history


Setup and Initialization
Registration
Key pair generation
Certificate creation
Certificate distribution
Certificate dissemination
Key backup

Registration
User requests certificate from CA
CA verifies identity and credentials of user
Certificate practice statement
o Published document that explains CA structure to users
Certificate policy establishes:
o Who may serve as CA
o What types of certificates may be issued
o How they should be issued and managed


Key Pair Generation
Involves creation of one or more key pairs using different algorithms
Dual or multiple keys are often utilized to perform different roles to support distinct services
Key pair can be restricted by policy to certain roles based on usage factors
Multiple key pairs usually require multiple certificates

Certificates
Distinguished name (DN)
o Unique identifier that is bound to a certificate by a CA
o Uses a sequence of character(s) that is unique to each user
Appropriate certificate policies govern creation and issuance of certificates


Certificate Dissemination Techniques
Securely make certificate information available to requester without too much difficulty
o Out-of-band distribution
o In-band distribution
o Publication
o Centralized repositories with controlled access

Key Backup
Addresses lost keys
Helps recover encrypted data
Essential element of business continuity and disaster recovery planning


Key Escrow
Key administration process that utilizes a third party
Initialization phase involves:
o Certificate retrieval and validation
o Key recovery and key update

Cancellation Procedures
Certificate expiration
Certificate revocation
Key history
Key archive


Certificate Expiration
Occurs when validity period of a certificate expires
Options upon expiration
o Certificate renewal
o Certificate update

Certificate Revocation
Implies cancellation of a certificate prior to its natural expiration
Revocation delay
o Delay associated with the revocation requirement and subsequent notification


Certificate Revocation
How notification is accomplished
o Certificate revocation lists (CRLs)
o CRL distribution points
o Certificate revocation trees (CRTs)
o Redirect/Referral CRLs
o Short certificate lifetimes
o Single-entity approvals
Notification is unnecessary for:

Key History
Deals with secure and reliable storage of expired keys for later retrieval to recover encrypted data
Applies more to encryption keys than signing keys
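The expiration and revocation slides above describe checks that a relying party performs on every certificate: is it inside its validity period, and does a CRL list it? This added example, which is not from the slides, applies both to a constructed inventory, flags certificates entering a renewal window so that renewal or update can be scheduled, and measures the revocation delay between a revocation decision and the CRL that announces it. Field names, serials and dates are assumptions made for the demo.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set

# Added example (not from the slides): a minimal status check that applies the
# validity period and a revocation list. Field names are assumed for the demo.
Certificate = Dict[str, object]


def certificate_status(cert: Certificate, crl: Set[str], now: datetime) -> str:
    """Revocation beats everything else; then the validity window is applied."""
    if cert["serial"] in crl:
        return "revoked"
    if now < cert["not_before"]:
        return "not_yet_valid"
    if now > cert["not_after"]:
        return "expired"
    return "valid"


def needs_renewal(cert: Certificate, now: datetime, window: timedelta) -> bool:
    """Flag certificates whose validity period ends inside the renewal window so
    renewal (same key) or update (new key pair) can be scheduled before expiry."""
    return now <= cert["not_after"] <= now + window


def revocation_delay(revoked_at: datetime, crl_published_at: datetime) -> timedelta:
    """Time between the revocation decision and relying parties learning of it."""
    return crl_published_at - revoked_at


def triage(certs: List[Certificate], crl: Set[str], now: datetime,
           window: timedelta) -> Dict[str, List[str]]:
    """Group serials by status; valid ones expiring soon also appear under 'renew'."""
    groups: Dict[str, List[str]] = {"valid": [], "expired": [], "not_yet_valid": [],
                                    "revoked": [], "renew": []}
    for c in certs:
        status = certificate_status(c, crl, now)
        groups[status].append(c["serial"])
        if status == "valid" and needs_renewal(c, now, window):
            groups["renew"].append(c["serial"])
    return groups


# Constructed inventory: serials, names and dates are illustrative only.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
INVENTORY: List[Certificate] = [
    {"serial": "1001", "subject": "CN=mail.example.test",
     "not_before": NOW - timedelta(days=300), "not_after": NOW + timedelta(days=65)},
    {"serial": "1002", "subject": "CN=vpn.example.test",
     "not_before": NOW - timedelta(days=400), "not_after": NOW - timedelta(days=5)},
    {"serial": "1003", "subject": "CN=new.example.test",
     "not_before": NOW + timedelta(days=2), "not_after": NOW + timedelta(days=367)},
    {"serial": "1004", "subject": "CN=old-laptop.example.test",
     "not_before": NOW - timedelta(days=100), "not_after": NOW + timedelta(days=265)},
    {"serial": "1005", "subject": "CN=www.example.test",
     "not_before": NOW - timedelta(days=10), "not_after": NOW + timedelta(days=355)},
]
CRL: Set[str] = {"1004"}  # 1004 was revoked after the laptop was reported lost

if __name__ == "__main__":
    for status, serials in triage(INVENTORY, CRL, NOW, timedelta(days=90)).items():
        print(f"{status}: {serials}")
```

Checking the CRL before the validity window matters: a revoked certificate that is still inside its dates must not be reported as merely "valid", and a short certificate lifetime only reduces, never removes, the window in which the revocation delay is exploitable.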


Key Archive
Service undertaken by a CA or third party to store keys and verification certificates
Meets audit requirements and handles resolution of disputes when used with other services (eg, time stamping and notarization)

Setting up an Enterprise PKI
Extremely complex task with enormous demands on financial, human, hardware, and software resources
Areas to explore
o Basic support
o Training
o Documentation issues


Areas to Explore in Detail When Setting up an Enterprise PKI
Support for standards, protocols, and third-party applications
Issues related to cross-certification, interoperability, and trust models
Multiple key pairs and key pair uses
How to PKI-enable applications and client-side software availability
Impact on end user for key backup, key or certificate update, and nonrepudiation services
Performance, scalability, and flexibility issues regarding distribution, retrieval, and revocation systems
Physical access control to facilities

Chapter Summary
Ways that algorithms and certificate mechanisms are used to encrypt data flows
Concepts of cryptography
Key and certificate life cycle management


Physical Security
Chapter 15

Learning Objectives
Understand the importance of physical security
Discuss the impact of location on a facility's security
Identify major material factors when constructing a facility
Understand how various physical barriers can enhance protection of vital resources
Discuss the various biometric techniques used for access control
Understand the importance of fire safety and fire detection

Physical Controls
When managing a network environment, it is critical to secure:
o Equipment
o Data
o Power supplies
o Wiring
o Personnel with access to the location

Location and Environment Considerations
Visibility
Accessibility
Propensity for environmental problems

Construction
Wall materials
o Fire rating, how well reinforced
Security of doors
Ceilings
o Combustibility, load and weight bearing ratings
Windows
o Shatterproof, wired for alarms
Location of shutoff valves for water and gas lines
Location of fire detection and suppression devices

Physical Barriers
Address perimeter security
Types of physical barriers
o Locks
o Fencing
o Lighting

Types of Locks
Preset locks
Cipher locks
Biometric locks
Multicriteria locks
Device locks

Preset Locks
Typical locks that utilize a physical lock and key
Least secure

Cipher Locks
Programmable locks that utilize a keypad for entering a PIN or password
More expensive than preset locks
Offer more security and flexibility
Cipher lock options
o Door delay
o Key override
o Master keyring
o Hostage alarm

Biometric Locks
Verify a user's identity by a unique personal characteristic
Complex, expensive, and secure

Multicriteria Locks
Combine strengths of other lock types
As complexity increases, so do cost and security

Device Locks
Secure computer hardware and network devices
Types
o Cable lock (best known)
o Switch controls
o Slot locks
o Port controls
o Cable traps

Cable Locks

Fencing
Controls access to entrances
Cost is directly related to:
o Height
o Quality of material
o How well installed

Lighting
Deters intruders
Provides safe environment for personnel

Physical Surveillance
Security guards
Guard dogs


Technical Controls
Personnel access controls
Surveillance
Ventilation
Power supply
Fire detection and suppression

Personnel Access Controls
Password or personal identification numbers
Identification cards or wireless proximity readers
Biometric systems
Common security breaches
o Social engineering attack
o Piggybacking


Identification Cards

Biometric Systems
Scan personal characteristics of a user and compare them to the record created when the user was added to the system


Types of Biometrics Systems
Fingerprints
Palm prints
Hand geometry
Eye scans
Signature dynamics
Voiceprints

Technical Surveillance
Closed-circuit television cameras
o Can be monitored at a central location
o Record all activity that takes place within critical areas
o Allow security personnel to assess whether or not an area is being compromised


Ventilation
Maintain air quality with a closed-loop recirculating air-conditioning system
Control contamination from dust and other pollutants with positive pressurization and ventilation

Power Supply
Main methods to protect against power failure
o Uninterruptible power supply (UPS)
o Backup sources


Protecting Computing Facilities from Power Issues
Use surge protectors to protect from voltage fluctuation
Follow proper shutdown and power-up procedures to ensure that devices are not damaged
Shield long cable runs to help control impacts of electromagnetic interference
Avoid fluorescent lighting
Properly ground all equipment and racks
Do not daisy-chain power strips and extension cords together to create longer extension cords


Fire Suppression
Select fire suppression materials carefully
Forms of fire detection response systems
o Manual fire alarm pull-down devices
o Automatic sensors

Fire Detection Response Systems
Usually used in tandem with automatic fire suppression system that uses:
o Halon gas
o Carbon dioxide
o Water
o Soda acid


Fire Prevention Solutions

Natural Disasters
Floods
Lightning
Earthquakes


Chapter Summary
Physical security
o Physical controls: location, construction, physical barriers
o Technical controls: personnel access controls, surveillance, ventilation

