All Network Security

8/3/2019 All Network Security

1/336

Guide to Network SecurityFundamentals

Chapter 1

C


2/336

Learning Objectives Understand network security Understand security threat trends and their

ramifications Understand the goals of network security Determine the factors involved in a secure

network strategy

Understanding Network Security Network security

o Process by which digital information assets areprotected

Goalso Maintain integrityo Protect confidentialityo Assure availability


3/336

Understanding Network Security Security ensures that users:

o Perform only tasks they are authorized to doo Obtain only information they are authorized to

haveo Cannot cause damage to data, applications, or

operating environment

Security Threats Identity theft Privacy concerns Wireless access


4/336

To Offset Security Threats Integrity

o Assurance that data is not altered or destroyed inan unauthorized manner

Confidentialityo Protection of data from unauthorized disclosure to

a third party

Availabilityo Continuous operation of computing systems

Security Ramifications:Costs of Intrusion

Causes of network security threatso Technology weaknesseso Configuration weaknesseso Policy weaknesseso Human error


5/336

Technology Weaknesses TCP/IP Operating systems Network equipment

Configuration Weaknesses Unsecured accounts System accounts with easily guessed

passwords Misconfigured Internet services

Unsecured default settings Misconfigured network equipment Trojan horse programs Vandals Viruses


6/336

Policy Weaknesses Lack of a written security policy Politics High turnover Concise access controls not applied Software and hardware installation and

changes do not follow policy Proper security

Nonexistent disaster recovery plan

Human Error Accident Ignorance Workload Dishonesty

Impersonation Disgruntled employees Snoops Denial-of-service attacks


7/336

Goals of Network Security Achieve the state where any action that is not

expressly permitted is prohibitedo Eliminate thefto Determine authenticationo Identify assumptionso Control secrets

Creating a Secure NetworkStrategy Address both internal and external threats Define policies and procedures Reduce risk across across perimeter security, the

Internet, intranets, and LANs


8/336

Creating a Secure Network

Strategy Human factors Know your weaknesses Limit access Achieve security through persistence

o Develop change management process

Remember physical security Perimeter security

o

Control access to critical network applications,data, and services

continued

Creating a Secure NetworkStrategy Firewalls

o Prevent unauthorized access to or from privatenetwork

o Create protective layer between network andoutside world

o Replicate network at point of entry in order toreceive and transmit authorized data

o Have built-in filterso Log attempted intrusions and create reports

continued


9/336


Strategy Web and file servers Access control

o Ensures that only legitimate traffic is allowed intoor out of the network Passwords PINs Smartcards

continued

Creating a Secure NetworkStrategy Change management

o Document changes to allareas of IT infrastructure

Encryptiono Ensures messages cannot be intercepted or read

by anyone other than the intended person(s)

continued


10/336


Strategy Intrusion detection system (IDS)

o Provides 24/7 network surveillanceo Analyzes packet data streams within the networko Searches for unauthorized activity

Chapter Summary Understanding network security Security threats Security ramifications Goals of network security Creating a secure network strategy


11/336

Chapter 2

Authentication

Learning Objectives Create strong passwords and store them

securely Understand the Kerberos authentication process Understand how CHAP works Understand what mutual authentication is and

why it is necessary Understand how digital certificates are created

and why they are used

continued


12/336

Learning Objectives Understand what tokens are and how they

function Understand biometric authentication processes

and their strengths and weaknesses Understand the benefits of multifactor

authentication

Security of System Resources Three-step process (AAA)

o Authentication Positive identification of person/system seeking access to

secured information/services

o Authorization Predetermined level of access to resources

o Accounting Logging use of each asset


13/336

Authentication Techniques

Usernames and passwords Kerberos Challenge Handshake Authentication Protocol

(CHAP) Mutual authentication Digital certificates Tokens Biometrics Multifactor authentication

Usernames and Passwords Username

o Unique alphanumeric identifier used to identify anindividual when logging onto a computer/network

Passwordo Secret combination of keystrokes that, when

combined with a username, authenticates a userto a computer/network


14/336

Basic Rules for Password Protection

1.Memorize passwords; do not write them down2.Use different passwords for different functions3.Use at least 6 characters4.Use mixture of uppercase and lowercase letters,

numbers, and other characters5.Change periodically

Strong Password CreationTechniques

Easy to remember; difficult to recognize Examples:

o First letters of each word of a simple phrase; adda number and punctuation Asb4M?

o Combine two dissimilar words and place a numberbetween them SleigH9ShoE

o Substitute numbers for letters (not obviously)


15/336

Techniques to Use MultiplePasswords

Group Web sites or applications by appropriatelevel of securityo Use a different password for each groupo Cycle more complex passwords down the groups,

from most sensitive to least

Storing Passwords Written

o Keep in a place you are not likely to lose ito Use small typeo Develop a personal code to apply to the list

Electronico Use a specifically designed application (encrypts

data)


16/336

Kerberos

Provides secure and convenient way toaccess data and services through:o Session keyso Ticketso Authenticatorso Authentication serverso Ticket-granting ticketso Ticket-granting serverso Cross-realm authentication

Kerberos in a Simple Environment Session key

o Secret key used during logon session betweenclient and a service

Ticketo Set of electronic information used to authenticate

identity of a principal to a service

Authenticatoro Device (eg, PPP network server) that requires

authentication from a peer and specifiesauthentication protocol used in the configurerequest during link establishment phase

continued


17/336

Kerberos in a Simple Environment Checksum

o Small, fixed-length numerical valueo Computed as a function of an arbitrary number of

bits in a messageo Used to verify authenticity of sender

Kerberos in a Simple Environment


18/336

Kerberos in a More ComplexEnvironment

Ticket-granting ticket (TGT)o Data structure that acts as an authenticating proxy

to principals master key for set period of time Ticket-granting server (TGS)

o Server that grants ticket-granting tickets to aprincipal

Kerberos in a More ComplexEnvironment


19/336

Kerberos in Very LargeNetwork Systems

Cross-realm authenticationo Allows principal to authenticate itself to gain

access to services in a distant part of a Kerberossystem

Cross-Realm Authentication


20/336

Security Weaknesses of Kerberos Does not solve password-guessing attacks Must keep password secret Does not prevent denial-of-service attacks Internal clocks of authenticating devices must be

loosely synchronized Authenticating device identifiers must not be

recycled on a short-term basis

Challenge Handshake AuthenticationProtocol (CHAP)

PPP mechanism used by an authenticator toauthenticate a peer

Uses an encrypted challenge-and-responsesequence


21/336

CHAP Challenge-and-ResponseSequence

CHAP Security Benefits Multiple authentication sequences throughout

Network layer protocol sessiono Limit time of exposure to any single attack

Variable challenge values and changingidentifierso Provide protection against playback attacks


22/336

CHAP Security Issues Passwords should not be the same in both

directions Not all implementations of CHAP terminate the

link when authentication process fails, but insteadlimit traffic to a subset of Network layer protocolso Possible for users to update passwords

Mutual Authentication Process by which each party in an electronic

communication verifies the identity of the otherparty


23/336

Digital Certificates Electronic means of verifying identity of an

individual/organization Digital signature

o Piece of data that claims that a specific, namedindividual wrote or agreed to the contents of anelectronic document to which the signature isattached

Electronic Encryption andDecryption Concepts

Encryptiono Converts plain text message into secret message

Decryptiono Converts secret message into plain text message

Symmetric ciphero Uses only one key

Asymmetric ciphero Uses a key pair (private key and public key)

continued


24/336

Electronic Encryption andDecryption Concepts

Certificate authority (CA)o Trusted, third-party entity that verifies the actual

identity of an organization/individual beforeproviding a digital certificate

Nonrepudiationo Practice of using a trusted, third-party entity to

verify the authenticity of a party who sends amessage


25/336

How Much TrustShould One Place in a CA?

Reputable CAs have several levels ofauthentication that they issue based on theamount of data collected from applicants

Example: VeriSign

Security Tokens Authentication devices assigned to specific user Small, credit card-sized physical devices Incorporate two-factor authentication methods Utilize base keys that are much stronger than

short, simple passwords a person can remember


26/336

Types of Security Tokens Passive

o Act as a storage device for the base keyo Do not emit, or otherwise share, base tokens

Activeo Actively create another form of a base key or

encrypted form of a base key that is not subject toattack by sniffing and replay

o Can provide variable outputs in variouscircumstances

One-Time Passwords Used only once for limited period of time; then

is no longer valid Uses shared keys and challenge-and-

response systems, which do not require thatthe secret be transmitted or revealed

Strategies for generating one-time passwordso Counter-based tokenso Clock-based tokens


27/336

Biometrics Biometric authentication

o Uses measurements of physical or behavioralcharacteristics of an individual

o Generally considered most accurate of allauthentication methods

o Traditionally used in highly secure areaso Expensive

How Biometric Authentication Works

1.Biometric is scanned after identity is verified2.Biometric information is analyzed and put into

an electronic template3.Template is stored in a repository4.To gain access, biometric is scanned again5.Computer analyzes biometric data and

compares it to data in template

6.If data from scan matches data in template,person is allowed access7.Keep a record, following AAA model


28/336

False Positives and FalseNegatives False positive

o Occurrence of an unauthorized person beingauthenticated by a biometric authenticationprocess

False negativeo Occurrence of an authorized person not being

authenticated by a biometric authenticationprocess when they are who they claim to be

Different Kinds of Biometrics Physical characteristics

o Fingerprintso Hand geometryo Retinal scanningo Iris scanningo Facial scanning

Behavioral characteristicso Handwritten signatures

o Voice


29/336

Fingerprint Biometrics

Hand Geometry Authentication


30/336

Retinal Scanning

Iris Scanning


31/336

Signature Verification

General Trends in Biometrics Authenticating large numbers of people over a

short period of time (eg, smart cards) Gaining remote access to controlled areas


32/336

Multifactor Authentication Identity of individual is verified using at least two

of the three factors of authenticationo Something you know (eg, password)o Something you have (eg, smart card)o Something about you (eg, biometrics)

Chapter Summary Authentication techniques

o Usernames and passwordso Kerberoso CHAPo Mutual authenticationo Digital certificateso Tokenso Biometricso

Multifactor authentication


33/336

Chapter 3

Attacks and Malicious Code

Learning Objectives Explain denial-of-service (DoS) attacks Explain and discuss ping-of-death attacks Identify major components used in a DDoS attack

and how they are installed Understand major types of spoofing attacks Discuss man-in-the-middle attacks, replay

attacks, and TCP session hijacking

continued


34/336

Learning Objectives Detail three types of social-engineering attacks

and explain why they can be incredibly damaging List major types of attacks used against

encrypted data List major types of malicious software and

identify a countermeasure for each one

Denial-of-Service Attacks Any malicious act that causes a system to be

unusable by its real user(s) Take numerous forms Are very common Can be very costly Major types

o SYN floodo Smurf attack


35/336

SYN Flood Exploits the TCP three-way handshake Inhibits servers ability to accept new TCP

connections

TCP Three-Way Handshake


36/336


37/336

Smurf Non-OS specific attack that uses the network to

amplify its effect on the victim Floods a host with ICMP Saturates Internet connection with bogus traffic

and delays/prevents legitimate traffic fromreaching its destination


38/336

IP Fragmentation Attacks:Ping of Death

Uses IP packet fragmentation techniques tocrash remote systems

Ping of Death


39/336

Distributed Denial-of-Service Attacks

Use hundreds of hosts on the Internet toattack the victim by flooding its link to theInternet or depriving it of resources

Used by hackers to target government andbusiness Internet sites

Automated tools; can be executed by scriptkiddies

Result in temporary loss of access to a givensite and associated loss in revenue and

prestige


40/336

Conducting DDoS Attacks

DDoS Countermeasures Security patches from software vendors Antivirus software Firewalls Ingress (inbound) and egress (outbound) filtering


41/336

Ingress and Egress Filtering

Preventing the Network fromInadvertently Attacking Others

Filter packets coming into the network destinedfor a broadcast address

Turn off directed broadcasts on internal routers Block any packet from entering the network that

has a source address that is not permissible onthe Internet (see Figures 3-8 and 3-9)

continued


42/336

Preventing the Network fromInadvertently Attacking Others

Block at the firewall any packet that uses aprotocol or port that is not used for Internetcommunications on the network

Block packets with a source address originatinginside your network from entering your network

Ingress Filtering of Packetswith RFC 1918 Addresses


43/336

Filtering of Packetswith RFC 2827 Addresses

Spoofing Act of falsely identifying a packets IP address,

MAC address, etc Four primary types

o IP address spoofingo ARP poisoningo Web spoofingo DNS spoofing


44/336

IP Address Spoofing Used to exploit trust relationships between two

hosts Involves creating an IP address with a forged

source address


45/336

ARP Poisoning Used in man-in-the-middle and session hijacking

attacks; attacker takes over victims IP addressby corrupting ARP caches of directly connectedmachines

Attack toolso ARPoisono Ettercapo Parasite

Web Spoofing Convinces victim that he or she is visiting a real

and legitimate site Considered both a man-in-the-middle attack and

a denial-of-service attack


46/336

Web Spoofing

DNS Spoofing Aggressor poses as the victims legitimate DNS

server Can direct users to a compromised server Can redirect corporate e-mail through a hackers

server where it can be copied or modified beforesending mail to final destination


47/336

To Thwart Spoofing Attacks IP spoofing

o Disable source routing on all internal routerso Filter out packets entering local network from the

Internet that have a source address of the localnetwork

ARP poisoningo Use network switches that have MAC binding

features

continued

To Thwart Spoofing Attacks Web spoofing

o Educate users DNS spoofing

o Thoroughly secure DNS serverso Deploy anti-IP address spoofing measures


48/336

Man in the Middle Class of attacks in which the attacker places

himself between two communicating hosts andlistens in on their session

To protect againsto Configure routers to ignore ICMP redirect packets

Man-in-the-Middle Attacks


49/336

Man-in-the-Middle Applications Web spoofing TCP session hijacking Information theft Other attacks (denial-of-service attacks,

corruption of transmitted data, traffic analysis togain information about victims network)

Man-in-the-Middle Methods ARP poisoning ICMP redirects DNS poisoning


50/336

Replay Attacks Attempts to circumvent authentication

mechanisms by:o Recording authentication messages from a

legitimate usero Reissuing those messages in order to

impersonate the user and gain access to systems

Replay Attack


51/336

TCP Session Hijacking Attacker uses techniques to make the victim

believe he or she is connected to a trusted host,when in fact the victim is communicating with theattacker

Well-known toolo Hunt (Linux)


52/336

Attacker Using Victims TCPConnection

Social Engineering Class of attacks that uses trickery on people

instead of computers Goals

o Fraudo Network intrusiono Industrial espionageo Identity thefto Desire to disrupt the system or network


53/336

Dumpster Diving

Online Attacks Use chat and e-mails venues to exploit trust

relationships


54/336

Social Engineering Countermeasures

Take proper care of trash and discarded items Ensure that all system users have periodic

training about network security

Attacks Against Encrypted Data Weak keys Mathematical attacks Birthday attack Password guessing Brute force Dictionary


55/336

Weak Keys Secret keys used in encryption that exhibit

regularities in encryption, or even a poor level ofencryption

Mathematical Attack Attempts to decrypt encrypted data using

mathematics to find weaknesses in theencryption algorithm

Categories of cryptanalysiso Cyphertext-only analysiso Known plaintext attacko Chosen plaintext attack


56/336

Birthday Attack Class of brute-force mathematical attacks that

exploits mathematical weaknesses of hashalgorithms and one-way hash functions

Password Guessing Tricks authentication mechanisms by determining

a users password using techniques such asbrute force or dictionary attacks


57/336

Brute Force Method of breaking passwords that involves

computation of every possible combination ofcharacters for a password of a given characterlength


58/336

Dictionary Method of breaking passwords by using a

predetermined list of words as input to thepassword hash

Only works against poorly chosen passwords

Software Exploitation Utilizes software vulnerabilities to gain access

and compromise systems Example

o Buffer overflow attach To stop software exploits

o Stay appraised of latest security patches providedby software vendors


59/336

Malicious Software

Viruses Self-replicating programs that spread by

infecting other programs Damaging and costly


60/336

Virus Databases


61/336

Evolution of Virus PropagationTechniques

Protecting Against Viruses Enterprise virus protection solutions

o Desktop antivirus programso Virus filters for e-mail serverso Network appliances that detect and remove

viruses

Instill good behaviors in users and systemadministratorso Keep security patches and virus signature

databases up to date


62/336


63/336

Trojan Horses Class of malware that uses social engineering to

spread Types of methods

o Sending copies of itself to all recipients in usersaddress book

o Deleting or modifying fileso Installing backdoor/remote control programs


64/336

Logic Bombs

Set of computer instructions that lie dormantuntil triggered by a specific event

Once triggered, the logic bomb performs amalicious task

Almost impossible to detect until aftertriggered

Often the work of former employees For example: macro virus

o Uses auto-execution feature of specific

applications

Worms Self-contained program that uses security flaws

such as buffer overflows to remotely compromisea victim and replicate itself to that system

Do not infect other executable programs Account for 80% of all malicious activity on

Internet Examples: Code Red, Code Red II, Nimda


65/336

Defense Against Worms Latest security updates for all servers Network and host-based IDS Antivirus programs

Chapter Summary Mechanisms, countermeasures, and best

practices for:o Malicious softwareo Denial-of-service attackso Software exploitso Social engineeringo Attacks on encrypted data


66/336

Chapter 4

Remote Access

Learning Objectives Understand implications of IEEE 802.1x and

how it is used Understand VPN technology and its uses for

securing remote access to networks Understand how RADIUS authentication

works Understand how TACACS+ operates

Understand how PPTP works and when it isused

continued


67/336

Learning Objectives Understand how L2TP works and when it is used Understand how SSH operates and when it is

used Understand how IPSec works and when it is used Understand the vulnerabilities associated with

telecommuting

IEEE 802.1x Internet standard created to perform

authentication services for remote access to acentral LAN

Uses SNMP to define levels of access controland behavior of ports providing remote access toLAN environment

Uses EAP over LAN (EAPOL) encapsulationmethod


68/336

802.1x General Topology


69/336

Telnet Standard terminal emulation protocol within

TCP/IP protocol suite defined by RFC 854 Utilizes UDP port 23 to communicate Allows users to log on to remote networks and

use resources as if locally connected

Controlling Telnet Assign enable password as initial line of defense Use access lists that define who has access to

what resources based on specific IP addresses Use a firewall that can filter traffic based on ports,

IP addresses, etc


70/336

Virtual Private Network Secures connection between user and home

office using authentication mechanisms andencryption techniqueso Encrypts data at both ends

Uses two technologieso IPSeco PPTP

VPN Diagram


71/336

Tunneling Enables one network to send its data via another

networks connections Encapsulates a network protocol within packets

carried by the second network

Tunneling


72/336

VPN Options Install/configure client computer to initiate

necessary security communications Outsource VPN to a service provider

o Encryption does not happen until data reachesproviders network

Service Providing Tunneling


73/336

VPN Drawbacks Not completely fault tolerant Diverse implementation choices

o Software solutions Tend to have trouble processing all the simultaneous

connections on a large network

o Hardware solutions Require higher costs

Remote Authentication Dial-in UserService (RADIUS)

Provides a client/server security system Uses distributed security to authenticate users

on a network Includes two pieces

o Authentication servero Client protocols

Authenticates users through a series ofcommunications between client and serverusing UDP


74/336

Authenticating with a RADIUS Server

Benefits of Distributed Approach toNetwork Security

Greater security Scalable architecture Open protocols Future enhancements


75/336

Terminal Access Controller AccessControl System (TACACS+)

Authentication protocol developed by Cisco Uses TCP a connection-oriented

transmission instead of UDP Offers separate acknowledgement that

request has been received regardless ofspeed of authentication mechanism

Provides immediate indication of a crashedserver


76/336

Advantages of TACACS+over RADIUS

Addresses need for scalable solution Separates authentication, authorization, and

accounting Offers multiple protocol support

Point-to-Point Tunneling Protocol Multiprotocol that offers authentication,

methods of privacy, and data compression Built upon PPP and TCP/IP Achieves tunneling by providing encapsulation

(wraps packets of information within IPpackets)o Data packetso Control packets

Provides users with virtual node on corporateLAN or WAN


77/336

PPTP Tasks

Queries status of communications servers Provides in-band management Allocates channels and places outgoing calls Notifies Windows NT Server of incoming calls Transmits and receives user data with bi-

directional flow control Notifies Windows NT Server of disconnected

calls Assures data integrity; coordinates packet

flow

Layer Two Tunneling Protocol PPP defines an encapsulation mechanism for

transporting multiprotocol packets across layertwo point-to-point links

L2TP extends PPP model by allowing layer twoand PPP endpoints to reside on different devicesinterconnected by a packet-switched network

continued


78/336

Layer Two Tunneling Protocol Allows separation of processing of PPP packets

and termination of layer two circuito Connection may terminate at a (local) circuit

concentrator Solves splitting problems by projecting a PPP

session to a location other than the point at whichit is physically received

Secure Shell (SSH) Secure replacement for remote logon and file

transfer programs (Telnet and FTP) thattransmit data in unencrypted text

Uses public key authentication to establish anencrypted and secure connection from usersmachine to remote machine

Used to:o Log on to another computer over a networko Execute command in a remote machineo Move files from one machine to another


79/336

Key Components of an SSH Product

Engine Administration server Enrollment gateway Publishing server

IP Security Protocol Set of protocols developed by the IETF to

support secure exchange of packets at IPlayer

Deployed widely to implement VPNs Works with existing and future IP standards Transparent to users Promises painless scalability

Handles encryption at packet level usingEncapsulating Security Payload (ESP)


80/336

IPSec Security Payload

ESP and Encryption Models Supports many encryption protocols Encryption support is designed for use by

symmetric encryption algorithms Provides secure VPN tunneling


81/336

Telecommuting Vulnerabilities



82/336




83/336


Remote Solutions Microsoft Terminal Server Citrix Metaframe Virtual Network Computing


84/336


85/336

Chapter 5

E-mail

Learning Objectives Understand the need for secure e-mail Outline benefits of PGP and S/MIME Understand e-mail vulnerabilities and how to

safeguard against them Explain the dangers posed by e-mail hoaxes and

spam, as well as actions that can be taken tocounteract them


86/336

Challenges to Utility and ProductivityGains Offered by E-mail

E-mail security Floods of spam Hoaxes

E-mail Security Technologies Two main standards

o Pretty good privacy (PGP)o Secure/Multipurpose Internet Mail Extension

(S/MIME)

These competing standards:o Seek to ensure integrity and privacy of information

by wrapping security measures around e-mail dataitself

o Use public key encryption techniques (alternativeto securing communication link itself, as in VPN)


87/336

Secure E-mail and Encryption

Secure e-mailo Uses cryptography to secure messages

transmitted across insecure networks

Advantages of e-mail encryptiono E-mail can be transmitted over unsecured linkso E-mail can be stored in encrypted form

Key cryptography conceptso Encryptiono Digital signatureso Digital certificates

Main Features of Secure E-mail Confidentiality Integrity Authentication Nonrepudiation


88/336

Encryption Passes data and a value (key) through a series

of mathematical formulas that make the dataunusable and unreadable

To recover information, reverse the processusing the appropriate key

Two main typeso Conventional cryptographyo Public key cryptography

Encryption


89/336

Hash Functions Produce a message digest that cannot be

reversed to produce the original Two major hash functions in use

o SHA-1 (Secure Hash Algorithm 1)o MD5 (Message Digest algorithm version 5)

Digital Signatures Electronic identification of a person or thing

created by using a public key algorithm Verify (to a recipient) the integrity of data and

identity of the sender Provide same features as encryption, except

confidentiality Created by using hash functions


90/336

Digital Certificates Electronic document attached to a public key

by a trusted third party Provide proof that the public key belongs to a

legitimate owner and has not beencompromised

Consist of:o Owners public keyo Information unique to ownero Digital signatures or an endorser


91/336

Combining Encryption Methods Hybrid cryptosystems

o Take advantage of symmetric and public keycryptography

o Example: PGP/MIME Conventional encryption

o Fast, but results in key distribution problem Public key encryption

o Private key and public key


92/336

Public Key Encryption

How Secure E-mail Works Encryption

1.Message is compressed2.Session key is created3.Message is encrypted using session key with

symmetrical encryption method4.Session key is encrypted with an asymmetrical

encryption method5.Encrypted session key and encrypted message

are bound together and transmitted to recipient Decryption: reverse the process


93/336

Secure E-mail Decryption


94/336

Background on PGP

Current de facto standard Written by Phil Zimmerman 1991 Supports major conventional encryption

methodso CASTo International Data Encryption Algorithm (IDEA)o Triple Data Encryption Standard (3DES)o Twofish

PGP Certificates More flexible and extensible than X.509

certificates A single certificate can contain multiple

signatures


95/336

PGP Certificate Format

S/MIME Specification designed to add security to

e-mail messages in MIME format Security services

o Authentication (using digital signatures)o Privacy (using encryption)


96/336

What S/MIME Defines

Format for MIME data Algorithms that must be used for

interoperabilityo RSAo RC2o SHA-1

Additional operational concernso ANSI X.509 certificateso Transport over the Internet

S/MIME Background Four primary standards

o RFC 2630 Cryptographic Message Syntax

o RFC 2633 S/MIME version 3 Message Specification

o RFC 2632 S/MIME version 3 Certificate Handling

o RFC 2634 Enhanced Security Services for S/MIME


97/336

S/MIME Encryption Algorithms

Three symmetric encryption algorithmso DESo 3DESo RC2

PKCS (Public Key Cryptography Standards) S/MIME prevents exposure of signature

information to eavesdroppero Applies digital signature first; then encloses

signature and original message in an encrypteddigital envelope

X.509 Certificates Rather than define its own certificate type (like

PGP), S/MIME relies on X.509 Issued by a certificate authority (CA)


98/336

S/MIME Trust Model:Certificate Authorities

Purely hierarchical model Line of trust goes up the chain to a CA, whose

business is verifying identity and assuring validityof keys or certificates


99/336

Differences BetweenPGP and S/MIME

Features S/MIME3 OpenPGP

Structure ofmessages

Binary, based onCMS

PGP

Structure of digitalcertificates

X.509 PGP

Algorithm:symmetricencryption

3DES 3DES

Algorithm: digitalsignature

Diffie-Hellman EIGamal

continued



Algorithm: hash SHA-1 SHA-01

MIMEencapsulation forsigned data

Choice ofmultipart/signed orCMS format

Multipart/signedwith ASCII armor

MIMEencapsulation forencrypted data

Application/PKCS#7-MIME Multipart/encrypted

Trust model Hierarchical Web of trust

continued


100/336



Marketplaceadoption

Growing quickly Current encryptionstandard

Marketplaceadvocates

Microsoft, RSA,VeriSign

Some PGP, Inc.products absorbedinto McAfee line

Ease of use Configuration notintuitive; must obtain

and installcertificates; generaluse straight-forward

Configuration notintuitive; must

create certificates;general usestraight-forward

continued



Software Already integratedin Microsoft andNetscape products

PGP software mustbe downloadedand installed

Cost ofcertificates

Must be purchasedfrom CA; yearly fee

PGP certificatescan be generatedby anyone; free

Keymanagement

Easy, but you musttrust CA

Harder; user mustmake decisions onvalidity of identities

continued


101/336



Compatibility Transparentlyworks with anyvendors MIME e-mail client, but notcompatible withnon-MIMEe-mail formats

Compatible withMIME and non-MIMEe-mail formats, butrecipient must havePGP installed

Centralized

management

Possible through

PKI

Status is in doubt

E-mail Vulnerabilities

continued


102/336

E-mail Vulnerabilities

Spam Act of flooding the Internet with many copies of

the same message in an attempt to force themessage on people who would not otherwisechoose to receive it

Unrequested junk mail


103/336

E-mail Spam Targets individual users with direct mail

messages Creates lists by:

o Scanning Usenet postingso Stealing Internet mailing listso Searching the Web for addresses

Uses automated tools to subscribe to as manymailing lists as possible

Hoaxes and Chain Letters E-mail messages with content designed to get

the reader to spread them by:o Appealing to be an authority to exploit trusto Generating excitement about being involvedo Creating a sense of importance/belongingo Playing on peoples gullibility/greed

Do not carry malicious payload, but are usuallyuntrue or resolved


104/336

Costs of Hoaxes and ChainLetters Lost productivity Damaged reputation Relaxed attitude toward legitimate virus warnings


105/336

Countermeasures for Hoaxes Effective security awareness campaign Good e-mail policy E-mail content filtering solutions


106/336

Guidelines for HoaxCountermeasures

Create a policy and train users on what to dowhen they receive a virus warning

Establish the intranet site as the onlyauthoritative source for advice on viruswarnings

Ensure that the intranet site displays up-to-date virus and hoax information on the homepage

Inform users that if the virus warning is not

listed on the intranet site, they should forwardit to a designated account

Chapter Summary PGP

o Current de facto e-mail encryption standardo Basis of OpenPGP standard

S/MIMEo Emerging standard in e-mail encryptiono Uses X.509 certificates used by Microsoft and

Netscape browser and e-mail client software

E-mail vulnerabilities and scams, and how to

combat themo Spamo Hoaxes and e-mail chain letters


107/336

Chapter 6

Web Security

Learning Objectives Understand SSL/TLS protocols and their

implementation on the Internet Understand HTTPS protocol as it relates to SSL Explore common uses of instant messaging

applications and identify vulnerabilitiesassociated with those applications

continued


108/336

Learning Objectives Understand the vulnerabilities of JavaScript,

buffer overflow, ActiveX, cookies, CGI, applets,SMTP relay, and how they are commonlyexploited

Secure Sockets Layer (SSL) andTransport Layer Security (TLS)

Commonly used protocols for managing thesecurity of a message transmission across theinsecure Internet


109/336

Secure Sockets Layer (SSL) Developed by Netscape for transmitting private

documents via the Internet Uses a public key to encrypt data that is

transferred over the SSL connection URLs that require an SSL connection start with

https: instead of http:

Transport Layer Security (TLS) Latest version of SSL Not as widely available in browsers


110/336

SSL/TLS Protocol

Runs on top of the TCP and below higher-level protocols

Uses TCP/IP on behalf of higher-levelprotocols

Allows SSL-enabled server to authenticateitself to SSL-enabled client

Allows client to authenticate itself to server Allows both machines to establish an

encrypted connection

Secure Sockets Layer Protocol


111/336

SSL/TLS Protocol Uses ciphers to enable encryption of data

between two parties Uses digital certificates to enable authentication

of the parties involved in a secure transaction

Cipher Types Used by SSL/TLS Asymmetric encryption (public key encryption) Symmetric encryption (secret key encryption)


112/336

Digital Certificates

Componentso Certificate users nameo Entity for whom certificate is being issuedo Public key of the subjecto Time stamp

Typically issued by a CA that acts as a trustedthird partyo Public certificate authoritieso Private certificate authorities

Secure Hypertext Transfer Protocol(HTTPS)

Communications protocol designed to transferencrypted information between computersover the World Wide Web

An implementation of HTTP Often used to enable online purchasing or

exchange of private information over insecurenetworks

Combines with SSL to enable securecommunication between a client and a server


113/336

Instant Messaging (IM)

Communications service that enables creationof a private chat room with another individual

Based on client/server architecture Typically alerts you whenever someone on

your private list is online Categorized as enterprise IM or consumer IM

systems Examples: AOL Instant Messenger, ICQ,

NetMessenger, Yahoo! Messenger

IM Security Issues Cannot prevent transportation of files that

contain viruses and Trojan horses Misconfigured file sharing can provide access

to sensitive or confidential data Lack of encryption Could be utilized for transportation of

copyrighted material; potential for substantial

legal consequences Transferring files reveals network addressesof hosts; could be used for Denial-of-Serviceattack


114/336

IM Applications Do not use well-known TCP ports for

communication and file transfers; use registeredports

Ports can be filtered to restrict certainfunctionalities or prevent usage altogether

Vulnerabilities of Web Tools Security of Web applications and online

services is as important as intendedfunctionalityo JavaScripto ActiveXo Bufferso Cookieso Signed applets

o Common Gateway Interface (CGI)o Simple Mail Transfer Protocol (SMTP) relay


115/336

JavaScript Scripting language developed by Netscape to

enable Web authors to design interactive sites Code is typically embedded into an HTML

document and placed between the and tags

Programs can perform tasks outside userscontrol

JavaScript Security Loopholes Monitoring Web browsing Reading password and other system files Reading browsers preferences


116/336

ActiveX

Loosely defined set of technologies developedby Microsofto Outgrowth of OLE (Object Linking and

Embedding) and COM (Component Object Model)

Provides tools for linking desktop applicationsto WWW content

Utilizes embedded Visual Basic code that cancompromise integrity, availability,andconfidentiality of a target system

Buffer Temporary storage area, usually in RAM Acts as a holding area, enabling the CPU to

manipulate data before transferring it to a device


117/336

Buffer Overflow Attacks

Triggered by sending large amounts of datathat exceeds capacity of receiving applicationwithin a given field

Take advantage of poor applicationprogramming that does not check size of inputfield

Not easy to coordinate; prerequisites:o Place necessary code into programs address

space

o Direct application to read and execute embeddedcode through effective manipulation of registersand memory of system

Cookies Messages given to Web browsers by Web

serverso Browser stores message in a text fileo Message is sent back to server each time browser

requests a page from server Verify a users session Designed to enhance browsing experience


118/336

Vulnerabilities of Cookies

Contain tools that are easily exploited toprovide information about users withoutconsento Attacker convinces user to follow malicious

hyperlink to targeted server to obtain the cookiethrough error handling process on the server

o User must be logged on during time of attack

To guard against EHE attackso Do not return unescaped data back to usero Do not echo 404 file requests back to user

Java Applets Internet applications (written in Java

programming language) that can operate onmost client hardware and software platforms

Stored on Web servers from where they canbe downloaded onto clients when firstaccessed

With subsequent server access, the applet is

already cached on the client and can beexecuted with no download delay


119/336

Signed Applets Technique of adding a digital signature to an

applet to prove that it came unaltered from aparticular trusted source

Can be given more privileges than ordinaryapplets

Unsigned applets are subject to sandboxrestrictions

Unsigned Applets


120/336

Sandbox Model Prevent the applet from:

o Performing required operations on local systemresources

o Connecting to any Web site except the site fromwhich the applet was loaded

o Accessing clients local printero Accessing clients system clipboard and properties

Signed Applets


121/336

Reasons for UsingCode Signing Features

To release the application from sandboxrestrictions imposed on unsigned code

To provide confirmation regarding source of theapplications code

Common Gateway Interface (CGI) Interface specification that allows

communication between client programs andWeb servers that understand HTTP

Uses TCP/IP Can be written in any programming language Parts of a CGI script

o Executable program on the server (the script itself)o HTML page that feeds input to the executable


122/336

Typical Form Submission

CGI Interactive nature leads to security loopholes

o Allowing input from other systems to a programthat runs on a local server exposes the system topotential security hazards


123/336

Precautions to Take When RunningScripts on a Server

Deploy IDS, access list filtering, andscreening on the border of the network

Design and code applications to check sizeand content of input received from clients

Create different user groups with differentpermissions; restrict access to hierarchical filesystem based on those groups

Validate security of a prewritten script beforedeploying it in your production environment

Simple Mail Transfer Protocol(SMTP)

Standard Internet protocol for globale-mail communications

Transaction takes place between two SMTPservers

Designed as a simple protocolo Easy to understand and troubleshooto Easily exploited by malicious users


124/336

Vulnerabilities of SMTP Relay Spam via SMTP relay can lead to:

o Loss of bandwidtho Hijacked mail servers that may no longer be able

to serve their legitimate purpose Mail servers of innocent organizations can be

subject to blacklisting

Chapter Summary Protocols commonly implemented for secure

message transmissionso Secure Socket Layero Transport Layer Security

Data encryption across the Internet throughSecure Hyper Text Transfer Protocol in relationto SSL/TSL

continued


125/336

Chapter Summary Instant Messaging

o Common useso Vulnerabilities

Well-known vulnerabilities associated with webdevelopment tools


126/336

Chapter 7

Directory and File Transfer Services

Learning Objectives Explain benefits offered by centralized

enterprise directory services such as LDAPover traditional authentication systems

Identify major vulnerabilities of the FTPmethod of exchanging data

Describe S/FTP, the major alternative to usingFTP, in order to better secure your network

infrastructure Illustrate the threat posed to your network byunmonitored file shares


127/336

Directory Services Network services that uniquely identify users and

can be used to authenticate and authorize themto use network resources

Allow users to look up username or resourceinformation, just as DNS does

Lightweight Directory Access Protocol(LDAP)

Accesses directory data based on ISOs X.500standard, but includes TCP/IP support andsimplified client design

Exchanges directory information with clients (isnota database that stores the information)

Allows users to search using a broad set ofcriteria (name, type of service, location)

continued


128/336

LDAP Provides additional features including

authentication and authorizationo Each person uses only one username and

password regardless of client software and OS Key feature and benefit

o Versatile directory system that is standards basedand platform independent

Major LDAP Products


129/336

Common Applications of LDAP Single sign-on (SSO) User administration Public key infrastructure (PKI)

LDAP Operations


130/336

LDAP Framework Directory Information Tree (DIT)

o Data structure that actually contains directoryinformation about network users and services

o Hierarchical structure

Directory Information Tree


131/336

LDAP Framework

DN exampleo cn=Jonathan Q

Publico ou=Information

Security Departmento o=XYZ Corp.o c=United States

LDAP Security Benefits Authentication

o Ensures users identitieso Three levels

No authentication Simple authentication Simple Authentication and Security Layer (SASL)

Authorizationo Determines network resources the user may

accesso Determined by access control lists (ACLs)

Encryptiono Utilizes other protocols through (SASL)


132/336

LDAP Security Vulnerabilities Denial of service Man in the middle Attacks against data confidentiality

File Transfer Services Ability to share programs and data around the

world is an essential aspect of the Internet Critical to todays networked organizations


133/336

File Transfer Protocol (FTP) Commonly used but very insecure Two standard data transmission methods

active FTP and passive FTPo In both, client initiates a TCP session using

destination port 21 (command connection)o Differences are in the data connection that is set

up when user wants to transfer data between twomachines

Setup of FTP Control Connection


134/336

Active FTP FTPs default connection FTP server creates data connection by opening a

TCP session using source port of 20 anddestination port greater than 1023 (contrary toTCPs normal operation)

Setup of theActive FTP Data Connection


135/336

Passive FTP Not supported by all FTP implementations Client initiates data connection to the server with

a source and destination port that are bothrandom high ports

Setup of thePassive FTP Data Connection


136/336

FTP Security Issues Bounce attack Clear text authentication and data transmission Glob vulnerability Software exploits and buffer overflow

vulnerabilities Anonymous FTP and blind FTP access

FTP Countermeasures Do not allow anonymous access unless a clear

business requirement exists Employ a state-of-the-art firewall Ensure that server has latest security patches

and has been properly configured to limit useraccess

Encrypt data before placing it on FTP server

continued


137/336

FTP Countermeasures Encrypt FTP data flow using a VPN connection Switch to a secure alternative

Secure File Transfers Secure File Transfer Protocol (S/FTP)

o Replacement for FTP that uses SSH version 2 asa secure framework for encrypting data transfers


138/336

Benefits of S/FTP over FTP

Offers strong authentication using a variety ofmethods including X.509 certificates

Encrypts authentication, commands, and alldata transferred between client and serverusing secure encryption algorithms

Easy to configure a firewall to permit S/FTPcommunications (uses a single, well-behavedTCP connection)

Requires no negotiation to open a second

connection

SecureFTP Implementation Programs


139/336

File Sharing Originally intended to share files on a LAN Easy to set up Uses Windows graphical interface Can be configured as peer-to-peer or as

client/server shares


140/336

File Sharing Risks Confidentiality of data Some viruses spread via network shares Other types of critical information beside user

documentation could become compromised iffiles shares are misconfigured

Protecting Your File Shares Define and communicate a policy Conduct audits of file shares using commercial

scanning and audit tools


141/336

Chapter Summary Key resources used to support mission-critical

business applicationso Directory services

LDAP

o File transfer mechanisms FTP S/FTP


142/336

Chapter 8

Wireless and Instant Messaging

Learning Objectives Understand security issues related to wireless

data transfer Understand the 802.11x standards Understand Wireless Application Protocol (WAP)

and how it works Understand Wireless Transport Layer Security

(WTLS) protocol and how it works

continued


143/336

Learning Objectives Understand Wired Equivalent Privacy (WEP) and

how it works Conduct a wireless site survey Understand instant messaging

802.11 IEEE group responsible for defining interface

between wireless clients and their networkaccess points in wireless LANs

First standard finalized in 1997 defined threetypes of transmission at Physical layero Diffused infrared - based on infrared transmissionso Direct sequence spread spectrum (DSSS) - radio-

basedo Frequency hopping spread spectrum (FHSS) -

radio-based

continued


144/336

802.11 Established WEP as optional security protocol Specified use of 2.4 GHz industrial, scientific, and

medical (ISM) radio band Mandated 1 Mbps data transfer rate and optional

2 Mbps data transfer rate Most prominent working groups: 802.11b,

802.11a, 802.11i, and 802.11g

802.11a High-Speed Physical Layer in the 5 GHz Band Sets specifications for wireless data transmission

of up to 54 Mbps in the5 GHz band

Uses an orthogonal frequency divisionmultiplexing encoding scheme rather than FHSSor DSSS

Approved in 1999


145/336

802.11b

Higher-Speed Layer Extension in the 2.4GHz Band

Establishes specifications for datatransmission that provides 11 Mbpstransmission (with fallback to 5.5, 2, and 1Mbps) at 2.4 GHz band

Sometimes referred to as Wi-Fi whenassociated with WECA certified devices

Uses only DSSS

Approved in 1999

802.11c Worked to establish MAC bridging functionality

for 802.11 to operate in other countries Folded into 802.1D standard for MAC bridging


146/336

802.11d Responsible for determining requirements

necessary for 802.11 to operate in othercountries

Continuing

802.11e Responsible for creating a standard that will add

multimedia and quality of service (QoS)capabilities to wireless MAC layer and thereforeguarantee specified data transmission rates anderror percentages

Proposal in draft form


147/336

802.11f Responsible for creating a standard that will allow

for better roaming between multivendor accesspoints and distribution systems

Ongoing

802.11g Responsible for providing raw data throughput

over wireless networks at a throughput rate of 22Mbps or more

Draft created in January 2002; final approvalexpected in late 2002 or early 2003


148/336

802.11h

Responsible for providing a way to allow forEuropean implementation requests regardingthe 5 GHz band

Requirementso Limits PC card from emitting more radio signal

than neededo Allows devices to listen to radio wave activity

before picking a channel on which to broadcast

Ongoing; not yet approved

802.11i Responsible for fixing security flaws in WEP and

802.1x Hopes to eliminate WEP altogether and replace it

with Temporal Key Integrity Protocol (TKIP),which would require replacement of keys within acertain amount of time

Ongoing; not yet approved


149/336

802.11j Worked to create a global standard in the

5 GHz band by making high-performance LAN(HiperLAN) and 802.11a interoperable

Disbanded after efforts in this area were mostlysuccessful


150/336

Wireless Application Protocol(WAP) Open, global specification created by the WAP

Forum Designed to deliver information and services to

users of handheld digital devices Compatible with most wireless networks Can be built on any operating system

WAP-Enabled Devices


151/336

WAP-Enabled Devices

How WAP 1x Works WAP 1.x Stack

o Set of protocols created by the WAP Forum thatalters the OSI model

o Five layers lie within the top four (of seven) layersof the OSI model

o Leaner than the OSI model Each WAP protocol makes data transactions as

compressed as possible and allows for more droppedpackets than OSI model


152/336

WAP 1.x Stack Compared toOSI/Web Stack

Differences Between Wireless andWired Data Transfer

WAP 1.x stack protocols require that datacommunications between clients (wirelessdevices) and servers pass through a WAPgateway

Network architectural structures


153/336

WAP versus Wired Network

The WAP 2.0 Stack Eliminates use of WTLS; relies on a lighter

version of TLS the same protocol used onthe common Internet stack which allowsend-to-end security and avoids any WAPgaps

Replaces all other layers of WAP 1.x bystandard Internet layers

Still supports the WAP 1.x stack in order tofacilitate legacy devices and systems


154/336

Additional WAP 2.0 Features WAP Push User agent profile Wireless Telephony Application Extended Functionality Interface (EFI) Multimedia Messaging Service (MMS)


155/336

Wireless Transport Layer Security(WTLS) Protocol

Provides authentication, data encryption, andprivacy for WAP 1.x users

Three classes of authenticationo Class 1

Anonymous; does not allow either the client or thegateway to authenticate each other

o Class 2 Only allows the client to authenticate the gateway

o Class 3 Allows both the client and the gateway to authenticate

each other

WTLS Protocol:Steps of Class 2 Authentication

1.WAP device sends request for authentication2.Gateway responds, then sends a copy of its

certificate which contains gateways publickey to the WAP device

3.WAP device receives the certificate and publickey and generates a unique random value

4.WAP gateway receives encrypted value and

uses its own private key to decrypt it


156/336

WTLS Security Concerns Security threats posed by WAP gap Unsafe use of service set identifiers (SSIDs)

Wired Equivalent Privacy (WEP) Optional security protocol for wireless local

area networks defined in the 802.11bstandard

Designed to provide same level of security asa wired LAN

Not considered adequate security without alsoimplementing a separate authentication

process and providing for external keymanagement


157/336

Wireless LAN (WLAN) Connects clients to network resources using

radio signals to pass data through the ether Employs wireless access points (AP)

o Connected to the wired LANo Act as radio broadcast stations that transmit data

to clients equipped with wireless network interfacecards (NICs)

How a WLAN Works


158/336

APs

NICs


159/336

How WEP Works Uses a symmetric key (shared key) to

authenticate wireless devices(not wirelessdevice users) and to guarantee integrity of databy encrypting transmissions

Each of the APs and clients need to share thesame key

Client sends a request to the AP asking forpermission to access the wired network

continued

How WEP Works If WEP has not been enabled (default), the AP

allows the request to pass If WEP hasbeen enabled, client begins a

challenge-and-response authentication process


160/336

WEPs Weaknesses Problems related to the initialization vector (IV)

that it uses to encrypt data and ensure itsintegrityo Can be picked up by hackerso Is reused on a regular basis

Problems with how it handles keys

Other WLAN Security Loopholes War driving Unauthorized users can attach themselves to

WLANs and use their resources, set up theirown access points and jam the network

WEP authenticates clients, not users Wireless network administrators and users

must be educated about inherent insecurity of

wireless systems and the need for care


161/336

Conducting a Wireless SiteSurvey1.Conduct a needs assessment of network users2.Obtain a copy of the sites blueprint3.Do a walk-through of the site4.Identify possible access point locations5.Verify access point locations6.Document findings

Instant Messaging (IM) AOL Instant Messenger (AIM) MSN Messenger Yahoo! Messenger ICQ Internet Relay Chat (IRC)


162/336

Definition of IM Uses a real-time communication model Allows users to keep track of online status and

availability of other users who are also using IMapplications

Can be used on both wired and wireless devices Easy and fast

continued

Definition of IM Operates in two models:

o Peer-to-peer model May cause client to expose sensitive information

o Peer-to-network model Risk of network outage and DoS attacks making IM

communication unavailable


163/336

Problems Facing IM Lack of default encryption enables packet sniffing Social engineering overcomes even encryption

Technical Issues Surrounding IM Files transfers Application sharing


164/336

Legal Issues Surrounding IM Possible threat of litigation or criminal indictment

should the wrong message be sent or overheardby the wrong person

Currently immune to most corporate efforts tocontrol it

Must be monitored in real time

Blocking IM Install a firewall to block ports that IM products

use; IM will be unavailable to all employees Limited blocking not currently possible


165/336

Cellular Phone Simple MessagingService (SMS)

Messages are typed and sent immediately Problems

o Tracking inappropriate messageso Risk of having messages sniffed

Chapter Summary Efforts of IEEE, specifically 802.11x standards, to

standardize wireless security Security issues related to dominant wireless

protocolso WAP

Connects mobile telephones, PDAs, pocket computers,and other mobile devices to the Internet

o WEP Used in WLANs

continued


166/336

Chapter Summary WTLS protocol Conducting a site survey in advance of building a

WLAN Security threats related to using (IM)


167/336

Chapter 9

Devices

Learning Objectives Understand the purpose of a network firewall and

the kinds of firewall technology available on themarket

Understand the role of routers, switches, andother networking hardware in security

Determine when VPN or RAS technology worksto provide a secure network connection


168/336

Firewalls Hardware or software device that provides a

means of securing a computer or network fromunwanted intrusiono Dedicated physical device that protects network

from intrusiono Software feature added to a router, switch, or

other device that prevents traffic to or from part ofa network

Management Cycle forFirewall Protection

1.Draft a written security policy2.Design the firewall to implement the policy3.Implement the design by installing selected

hardware and software4.Test the firewall5.Review new threats, requirements for

additional security, and updates to systems

and software; repeat process from first step


169/336

Drafting a Security Policy What am I protecting? From whom? What services does my company need to access

over the network? Who gets access to what resources? Who administers the network?

Available Targets andWho Is Aiming at Them

Common areas of attacko Web serverso Mail serverso FTP serverso Databases

Intruderso Sport hackerso Malicious hackers


170/336

Who Gets Access to WhichResources?

List employees or groups of employees alongwith files and file servers and databases anddatabase servers they need to access

List which employees need remote access to thenetwork


171/336

Who Administers the Network? Determine individual(s) and scope of individual

management control

Designing the Firewallto Implement the Policy

Select appropriate technology to deploy thefirewall


172/336

What Do Firewalls ProtectAgainst? Denial of service (DoS) Ping of death Teardrop or Raindrop attacks SYN flood LAND attack Brute force or smurf attacks IP spoofing

How Do Firewalls Work? Network address translation (NAT) Basic packet filtering Stateful packet inspection (SPI) Application gateways Access control lists (ACL)


173/336

Network Address Translation(NAT)

Only technique used by basic firewalls Enables a LAN to use one set of IP addresses

for internal traffic and a second set forexternal traffic

Each active connection requires a uniqueexternal address for duration ofcommunication

Port address translation (PAT)o Derivative of NATo Supports thousands of simultaneous connections

on a single public IP address

Basic Packet Filtering Firewall system examines each packet that

enters it and allows through only thosepackets that match a predefined set of rules

Can be configured to screen informationbased on many data fields:o Protocol typeo IP addresso TCP/UDP porto Source routing information


174/336

Stateful Packet Inspection (SPI)

Controls access to network by analyzingincoming/outgoing packets and letting thempass or not based on IP addresses of sourceand destinationo Examines a packet based on information in its

header

Enhances security by allowing the filter todistinguish on which side of firewall aconnection was initiated; essential to blocking

IP spoofing attaches

Access Control Lists (ACL) Rules built according to organizational policy that

defines who can access portions of the network


175/336

Routers Network management device that sits between

network segments and routes traffic from onenetwork to another

Allows networks to communicate with oneanother

Allows Internet to function Act as digital traffic cop (with addition of packet

filtering)

How a Router Moves Information Examines electronic envelope surrounding a

packet; compares address to list of addressescontained in routers lookup tables

Determines which router to send the packet tonext, based on changing network conditions


176/336

How a Router Moves Information

Beyond the Firewall Demilitarized zone (DMZ) Bastion hosts (potentially)


177/336

Demilitarized Zone

Area set aside for servers that are publiclyaccessible or have lower securityrequirements

Sits between the Internet and internalnetworks line of defenseo Stateful device fully protects other internal

systemso Packet filter allows external traffic only to services

provided by DMZ servers

Allows a company to host its own Internetservices without sacrificing unauthorizedaccess to its private network


178/336

Bastion Hosts

Computers that reside in a DMZ and that hostWeb, mail, DNS, and/or FTP services

Gateway between an inside network and anoutside network

Defends against attacks aimed at the insidenetwork; used as a security measure

Unnecessary programs, services, andprotocols are removed; unnecessary networkports are disabled

Do not share authentication services withtrusted hosts within the network

Application Gateways Also known as proxy servers Monitor specific applications (FTP, HTTP, Telnet) Allow packets accessing those services to go to

only those computers that are allowed Good backup to packet filtering


179/336

Application Gateways Security advantages

o Information hidingo Robust authentication and loggingo Simpler filtering rules

Disadvantageo Two steps are required to connect inbound or

outbound traffic; can increase processor overhead

OSI Reference Model Architecture that classifies most network

functions Seven layers

o Applicationo Presentationo Sessiono Transporto Network

o Data-Linko Physical


180/336

The OSI Stack Layers 4 and 5

o Where TCP and UDP ports that controlcommunication sessions operate

Layer 3o Routes IP packets

Layer 2o Delivers data frames across LANs


181/336

Limitations ofPacket-Filtering Routers

ACL can become long, complicated, and difficultto manage and comprehend

Throughput decreases as number of rules beingprocessed increases

Unable to determine specific content or data ofpackets at layers 3 through 5

Switches Provide same function as bridges (divide

collision domains), but employ application-specific integrated circuits (ASICs) that areoptimized for the task

Reduce collision domain to two nodes (switchand host)

Main benefit over hubso Separation of collision domains limits the

possibility of sniffing


182/336

Switches

Switch Security ACLs Virtual Local Area Networks (VLANs)


183/336

Virtual Local Area Network

Uses public wires to connect nodes Broadcast domain within a switched network Uses encryption and other security

mechanisms to ensure thato Only authorized users can access the networko Data cannot be intercepted

Clusters users in smaller groupso Increases security from hackerso Reduces possibility of broadcast storm

Security Problems with Switches Common ways of switch hijacking

o Try default passwords which may not have beenchanged

o Sniff network to get administrator password viaSNMP or Telnet


184/336

Securing a Switch Isolate all management interfaces Manage switch by physical connection to a serial

port or through secure shell (SSH) or otherencrypted method

Use separate switches or hubs for DMZs tophysically isolate them from the network andprevent VLAN jumping

continued

Securing a Switch Put switch behind dedicated firewall device Maintain the switch; install latest version of

software and security patches Read product documentation Set strong passwords


185/336

Example of a Compromised VLAN

Wireless Almost anyone can eavesdrop on a network

communication Encryption is the only secure method of

communicating with wireless technology


186/336

Modems

DSL versus Cable Modem

Security DSL

o Direct connection between computer/network andthe Internet

Cable modemo Connected to a shared segment; party lineo Most have basic firewall capabilities to prevent

files from being viewed or downloadedo Most implement the Data Over Cable Service

Interface Specification (DOCSIS) forauthentication and packet filtering


187/336

Dynamic versus Static IP Addressing

Static IP addresseso Provide a fixed target for potential hackers

Dynamic IP addresseso Provide enhanced securityo By changing IP addresses of client machines,

DHCP server makes them moving targets forpotential hackers

o Assigned by the Dynamic Host ConfigurationProtocol (DHCP)

Remote Access Service (RAS) Provides a mechanism for one computer to

securely dial in to another computer Treats modem as an extension of the network Includes encryption and logging Accepts incoming calls Should be placed in the DMZ


188/336

Security Problems with RAS Behind physical firewall; potential for network to

be compromised Most RAS systems offer encryption and callback

as features to enhance security

Telecom/Private Branch Exchange(PBX)

PBXo Private phone system that offers features such as

voicemail, call forwarding, and conference callingo Failure to secure a PBX can result in toll fraud,

theft of information, denial of service, andenhanced susceptibility to legal liability


189/336

IP-Based PBX

PBX Security Concerns Remote PBX management Hoteling or job sharing

o Many move codes are standardized and postedon the Internet


190/336

Virtual Private Networks

Provide secure communication pathway ortunnel through public networks (eg, Internet)

Lowest levels of TCP/IP are implementedusing existing TCP/IP connection

Encrypts either underlying data in a packet orthe entire packet itself before wrapping it inanother IP packet for delivery

Further enhances security by implementingInternet Protocol Security (IPSec)


191/336

Internet Protocol Security (IPSec) Allows encryption of either just the data in a

packet (transport mode) or the packet as a whole(tunnel mode)

Enables a VPN to eliminate packet sniffing andidentity spoofing

Requirement of Internet Protocol version 6 (IPv6)specification

Intrusion Detection Systems (IDS) Monitor networks and report on unauthorized

attempts to access any part of the system Available from many vendors Forms

o Software (computer-based IDS)o Dedicated hardware devices (network-based IDS)

Types of detectiono Anomaly-based detectiono Signature-based detection


192/336

Computer-based IDS

Software applications (agents) are installedon each protected computero Make use of disk space, RAM, and CPU time to

analyze OS, applications, system audit trailso Compare these to a list of specific ruleso Report discrepancies

Can be self-contained or remotely managed Easy to upgrade software, but do not scale

well

Network-based IDS Monitors activity on a specific network segment Dedicated platforms with two components

o Sensor Passively analyzes network traffic

o Management system Displays alarm information from the sensor


193/336

Anomaly-based Detection Builds statistical profiles of user activity and

then reacts to any activity that falls outsidethese profiles

Often leads to large number of false positiveso Users do not access computers/network in static,

predictable wayso Cost of building a sensor that could hold enough

memory to contain the entire profile and time to

process the profiles is prohibitively large


194/336

Signature-based Detection

Similar to antivirus program in its method ofdetecting potential attacks

Vendors produce a list of signatures used bythe IDS to compare against activity on thenetwork or host

When a match is found, the IDS take someaction (eg, logging the event)

Can produce false positives; normal networkactivity may be construed as malicious

Network Monitoring and Diagnostics

Essential steps in ensuring safety and health of anetwork (along with IDS)

Can be either stand-alone or part of a network-monitoring platformo HPs OpenViewo IBMs Netview/AIXo Fidelias NetVigilo Aprismas Spectrum


195/336

Ensuring Workstation andServer Security

Remove unnecessary protocols such as NetBIOSor IPX

Remove unnecessary user accounts Remove unnecessary shares Rename the administrator account Use strong passwords

Personal Firewall Software Packages

Offer application-level blocking, packetfiltering, and can put your computer intostealth mode by turning off most if not all ports

Many products available, including:o Norton Firewallo ZoneAlarmo Black Ice Defendero Tiny Softwares Personal Firewall


196/336

Firewall Product Example

Antivirus Software Packages Necessary even on a secure network Many vendors, including:

o McAffeeo Nortono Computer Associateso Network Associates


197/336

Mobile Devices

Can open securityholes for anycomputer with whichthese devicescommunicate

Chapter Summary Virtual isolation of a computer or network by

implementing a firewall through software andhardware techniques:o Routerso Switcheso Modemso Various software packages designed to run on

servers, workstations, and PDAs

continued


198/336

Chapter Summary Virtual private networks (VPNs) Private branch exchanges (PBX) Remote Access Services (RAS)


199/336

Chapter 10

Media and Medium

Learning Objectives Identify and discuss the various types of

transmission media Explain how to physically protect transmission

media adequately Identify and discuss the various types of storage

media Know how to lessen the risk of catastrophic loss

of information

continued


200/336

Learning Objectives Understand the various ways to encrypt data Properly maintain or destroy stored data

Transmission Media Coaxial cable Twisted pair copper cable

o Shieldedo Unshielded

Fiber-optic cable Wireless connections


201/336

Coaxial Cable Hollow outer cylinder surrounds a single inner

wire conductor

Coaxial Cable More expensive than traditional telephone

wiring Less prone to interference Typically carries larger amounts of data Easily spliced; allows unauthorized users

access to the network Two types (not interchangeable)

o 50-ohmo 75-ohm


202/336

50-Ohm Coaxial Cable Uses unmodulated signal over a single channel Two standards

o 10Base2 (ThinNet)o 10Base5 (ThickNet)

50-Ohm Coaxial Cable Advantages

o Simple to implement and widely availableo Low cost alternative that provides relatively high

rates of data transmission Disadvantages

o Can only carry data and voiceo Limited in distance it can transmit signals


203/336

10Base2 (ThinNet) Uses a thin coaxial cable in an Ethernet

environment Capable of covering up to 180 meters Allows daisy chaining Not highly susceptible to noise interference Transmits at 10 Mbps Can support up to 30 nodes per segment

10Base5 (ThickNet) Primarily used as a backbone in an office LAN

environment Often connects wiring closets Can transmit data at speeds up to 10 Mbps Covers distances up to 500 meters Can accommodate up to 100 nodes per segment Rigid and difficult to work with


204/336

75-ohm Coaxial Cable For analog signaling and high-speed digital

signaling

75-ohm Coaxial Cable Advantages

o Allows for data, voice, and video capabilitieso Can cover greater distances and offers more

bandwidth Disadvantages

o Requires hardware to connect via modemso More difficult to maintain


205/336

Twisted Pair Copper Cable

Individual copper wires are twisted together toprevent cross talk between pairs and toreduce effects of EMI and RFI

Inexpensive alternative to coaxial cable, butcannot support the same distances

Long been used by telephone companies Types

o Unshielded twisted pair (UTP)o Shielded twisted pair (STP)

Unshielded Twisted Pair (UTP) Most common medium for both voice and data Currently supports up to 1 Gbps protocols


206/336

Shielded Twisted Pair (STP) Extra foil shield wrapped between copper pairs

provides additional insulation from EMI Used extensively in LAN wiring

Shielded Twisted Pair (STP)


207/336

Twisted Pair Categories Category 3 (CAT 3) Category 5 (CAT 5) Category 6 (CAT 6)

Twisted Pair CAT 3 For voice and data transmission


208/336

Documents

All Network Security