Network Security Bible
Dr. Eric Cole, Dr. Ronald Krutz, and James W. Conley
01_573977 ffirs.qxd 12/7/04 3:35 PM Page iii
Network Security Bible
Published by Wiley Publishing, Inc.
10475 Crosspoint Boulevard
Indianapolis, IN 46256
www.wiley.com
Copyright © 2005 by Wiley Publishing, Inc., Indianapolis, Indiana
Published simultaneously in Canada
ISBN: 0-7645-7397-7
Manufactured in the United States of America
10 9 8 7 6 5 4 3 2 1
1B/SZ/RS/QU/IN
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Legal Department, Wiley Publishing, Inc., 10475 Crosspoint Blvd., Indianapolis, IN 46256, (317) 572-3447, fax (317) 572-4355, E-Mail: [email protected].
LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: THE PUBLISHER AND THE AUTHOR MAKE NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THIS WORK AND SPECIFICALLY DISCLAIM ALL WARRANTIES, INCLUDING WITHOUT LIMITATION WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE. NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES OR PROMOTIONAL MATERIALS. THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR EVERY SITUATION. THIS WORK IS SOLD WITH THE UNDERSTANDING THAT THE PUBLISHER IS NOT ENGAGED IN RENDERING LEGAL, ACCOUNTING, OR OTHER PROFESSIONAL SERVICES. IF PROFESSIONAL ASSISTANCE IS REQUIRED, THE SERVICES OF A COMPETENT PROFESSIONAL PERSON SHOULD BE SOUGHT. NEITHER THE PUBLISHER NOR THE AUTHOR SHALL BE LIABLE FOR DAMAGES ARISING HEREFROM. THE FACT THAT AN ORGANIZATION OR WEBSITE IS REFERRED TO IN THIS WORK AS A CITATION AND/OR A POTENTIAL SOURCE OF FURTHER INFORMATION DOES NOT MEAN THAT THE AUTHOR OR THE PUBLISHER ENDORSES THE INFORMATION THE ORGANIZATION OR WEBSITE MAY PROVIDE OR RECOMMENDATIONS IT MAY MAKE. FURTHER, READERS SHOULD BE AWARE THAT INTERNET WEBSITES LISTED IN THIS WORK MAY HAVE CHANGED OR DISAPPEARED BETWEEN WHEN THIS WORK WAS WRITTEN AND WHEN IT IS READ.
For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at (800) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002.
Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.
Library of Congress Cataloging-in-Publication Data
Cole, Eric.
Network security bible / Eric Cole, Ronald Krutz, James W. Conley.
p. cm.
ISBN 0-7645-7397-7 (pbk.)
1. Computer security. 2. Computer networks — Security measures. I. Krutz, Ronald L., 1938- II. Conley, James W. III. Title.
QA76.9.A25C5985 2005
005.8—dc22
2004025696
Trademarks: Wiley, the Wiley logo, and related trade dress are registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. All other trademarks are the property of their respective owners. Wiley Publishing, Inc., is not associated with any product or vendor mentioned in this book.
To Kerry, Jackson, and Anna, who provide constant inspiration and energy. EBC
To my family — the real meaning of life. RLK
To my beautiful wife, Jill, and handsome children, Matthew and Andrew. JWC
Credits
Acquisitions Editor: Carol Long
Technical Editor: Patrick Santy
Editorial Manager: Mary Beth Wakefield
Vice President & Executive Group Publisher: Richard Swadley
Vice President and Publisher: Joseph B. Wikert
Project Coordinators: Maridee Ennis, Erin Smith
Graphics and Production Specialists: Sean Decker, Carrie A. Foster, Denny Hager, Joyce Haughey
Quality Control Technicians: Amanda Briggs, John Greenough, Leeann Harney
Proofreading and Indexing: TECHBOOKS Production Services
About the Authors
Dr. Eric Cole is the best-selling author of Hackers Beware and one of the highest-rated speakers on the training circuit. Eric has earned rave reviews for his ability to educate and train network security professionals worldwide. He has appeared on CNN and has been interviewed on various TV programs, including “CBS News” and “60 Minutes.”
An information security expert for more than 15 years, Eric holds several professional certificates and helped develop several certifications and corresponding courses. He obtained his M.S. in Computer Science at the New York Institute of Technology and recently earned his Doctorate degree in Network Steganography from Pace University.
Eric has created and directed corporate security programs for several large organizations, built numerous security consulting practices, and worked for more than five years at the Central Intelligence Agency. He is currently Chief Scientist for The Sytex Group, Inc. Information Research Center, where he heads up cutting-edge research.
Dr. Ronald L. Krutz is a Senior Information Security Researcher in the Advanced Technology Research Center of The Sytex Group, Inc. In this capacity, he works with a team responsible for advancing the state of the art in information systems security. He has more than 30 years of experience in distributed computing systems, computer architectures, real-time systems, information assurance methodologies, and information security training. He holds the CISSP and ISSEP information security certifications.
He has been an information security consultant at REALTECH Systems Corporation and BAE Systems, an associate director of the Carnegie Mellon Research Institute (CMRI), and a professor in the Carnegie Mellon University Department of Electrical and Computer Engineering. Ron founded the CMRI Cybersecurity Center and was founder and director of the CMRI Computer, Automation, and Robotics Group. He is a former lead instructor for the (ISC)2 CISSP Common Body of Knowledge review seminars. Ron is also a Distinguished Special Lecturer in the Center for Forensic Computer Investigation at the University of New Haven, a part-time instructor in the University of Pittsburgh Department of Electrical and Computer Engineering, and a Registered Professional Engineer. In addition, he is the author of six best-selling publications in the area of information systems security. Ron holds B.S., M.S., and Ph.D. degrees in Electrical and Computer Engineering.
James W. Conley is a Senior Researcher in the Advanced Technology Research Center of The Sytex Group, Inc. He has more than 20 years of experience in security, beginning as a Security Officer in the United States Navy, then as a Senior Security Specialist on CIA development efforts, and now as a security professional with certifications of CISSP/Security+/CCNA. Additionally, he has over 18 years of experience in project management, software engineering, and computer science. He has a strong foundation in personnel management, software development, and systems integration. Prior to joining Sytex, he held prominent positions in various companies, such as Chief Information Officer, Director of Security, Vice President of Security Solutions, and finally as President/CEO (ThinkSecure, LLC). Jim has extensive experience developing applications and securing systems in both UNIX and Windows environments, and has a B.S. in Physics, M.S. in Computer Science, and is pursuing a Ph.D. in Machine Learning at George Mason University, Fairfax, Virginia.
Contents at a Glance
Acknowledgments ... xxv
Introduction ... xxvii

Part I: Security Principles and Practices ... 1
Chapter 1: Information System Security Principles ... 3
Chapter 2: Information System Security Management ... 43
Chapter 3: Access Control Considerations ... 79

Part II: Operating Systems and Applications ... 97
Chapter 4: Windows Security ... 99
Chapter 5: UNIX and Linux Security ... 155
Chapter 6: Web Browser and Client Security ... 201
Chapter 7: Web Security ... 237
Chapter 8: E-mail Security ... 273
Chapter 9: Domain Name System ... 309
Chapter 10: Server Security ... 333

Part III: Network Security Fundamentals ... 365
Chapter 11: Network Protocols ... 367
Chapter 12: Wireless Security ... 381
Chapter 13: Network Architecture Fundamentals ... 417

Part IV: Communications ... 445
Chapter 14: Secret Communication ... 447
Chapter 15: Covert Communication ... 479
Chapter 16: Applications of Secure/Covert Communication ... 529

Part V: The Security Threat and the Response ... 555
Chapter 17: Intrusion Detection and Response ... 557
Chapter 18: Security Assessments, Testing, and Evaluation ... 591
Chapter 19: Putting Everything Together ... 613

Index ... 625
Contents
Acknowledgments ... xxv
Introduction ... xxvii

Part I: Security Principles and Practices ... 1

Chapter 1: Information System Security Principles ... 3
  Key Principles of Network Security ... 3
    Confidentiality ... 4
    Integrity ... 4
    Availability ... 4
    Other important terms ... 4
  Formal Processes ... 5
    The systems engineering process ... 5
    The Information Assurance Technical Framework ... 6
    The Information Systems Security Engineering process ... 11
    The Systems Development Life Cycle ... 21
    Information systems security and the SDLC ... 22
  Risk Management ... 31
    Definitions ... 32
    Risk management and the SDLC ... 33
  Summary ... 42
Chapter 2: Information System Security Management ... 43
  Security Policies ... 43
    Senior management policy statement ... 44
    Standards, guidelines, procedures, and baselines ... 45
  Security Awareness ... 46
    Training ... 46
    Measuring awareness ... 47
  Managing the Technical Effort ... 48
    Program manager ... 48
    Program management plan ... 48
    Systems engineering management plan ... 48
  Configuration Management ... 56
    Primary functions of configuration management ... 56
    Definitions and procedures ... 57
  Business Continuity and Disaster Recovery Planning ... 59
    Business continuity planning ... 60
    Disaster recovery planning ... 64
  Physical Security ... 67
    Controls ... 68
    Environmental issues ... 72
    Fire suppression ... 73
    Object reuse and data remanence ... 74
  Legal and Liability Issues ... 75
    Types of computer crime ... 75
    Electronic monitoring ... 76
    Liability ... 76
  Summary ... 77
Chapter 3: Access Control Considerations ... 79
  Control Models ... 79
    Discretionary access control ... 79
    Mandatory access control ... 80
    Non-discretionary access control ... 81
  Types of Access Control Implementations ... 81
    Preventive/Administrative ... 81
    Preventive/Technical ... 82
    Preventive/Physical ... 82
    Detective/Administrative ... 82
    Detective/Technical ... 83
    Detective/Physical ... 83
    Centralized/Decentralized access controls ... 84
  Identification and Authentication ... 84
    Passwords ... 85
    Biometrics ... 85
    Single Sign-On ... 86
  Databases ... 90
    Relational databases ... 90
    Other database types ... 92
  Remote Access ... 93
    RADIUS ... 93
    TACACS and TACACS+ ... 93
    Password Authentication Protocol ... 94
    Challenge Handshake Authentication Protocol ... 94
    Callback ... 95
  Summary ... 95
Part II: Operating Systems and Applications ... 97

Chapter 4: Windows Security ... 99
  Windows Security at the Heart of the Defense ... 101
    Who would target me? ... 101
    Be afraid ... 102
    Microsoft recommendations ... 103
  Out-of-the-Box Operating System Hardening ... 105
    Prior to system hardening ... 105
    The general process of system hardening ... 105
    Windows 2003 new installation example ... 107
    Specifics of system hardening ... 110
    Securing the typical Windows business workstation ... 114
    Securing the typical Windows gaming system ... 114
  Installing Applications ... 115
    Antivirus protection ... 116
    Personal firewalls ... 118
    Secure Shell ... 118
    Secure FTP ... 119
    Pretty Good Privacy ... 119
  Putting the Workstation on the Network ... 120
    Test the hardened workstation ... 120
    Physical security ... 120
    Architecture ... 120
    Firewall ... 121
    Intrusion detection systems ... 122
  Operating Windows Safely ... 122
    Separate risky behavior ... 122
    Physical security issues ... 124
    Configuration issues ... 125
    Configuration control ... 127
    Operating issues ... 130
  Upgrades and Patches ... 138
    Keep current with Microsoft upgrades and patches ... 138
    Keep current with application upgrades and patches ... 139
    Keep current with antivirus signatures ... 139
    Use the most modern Windows version ... 140
  Maintain and Test the Security ... 140
    Scan for vulnerabilities ... 141
    Test questionable applications ... 141
    Be sensitive to the performance of the system ... 141
    Replace old Windows systems ... 142
    Periodically re-evaluate and rebuild ... 142
    Monitoring ... 143
    Logging and auditing ... 144
    Clean up the system ... 144
    Prepare for the eventual attack ... 145
  Attacks Against the Windows Workstation ... 145
    Viruses ... 145
    Worms ... 146
    Trojan horses ... 147
    Spyware and ad support ... 148
    Spyware and “Big Brother” ... 149
    Physical attacks ... 149
    TEMPEST attacks ... 150
    Backdoors ... 150
    Denial-of-service attacks ... 151
    File extensions ... 151
    Packet sniffing ... 152
    Hijacking and session replay ... 152
    Social engineering ... 152
  Summary ... 153
Chapter 5: UNIX and Linux Security ... 155
  The Focus of UNIX/Linux Security ... 155
    UNIX as a target ... 155
    UNIX/Linux as a poor target ... 157
    Open source issues ... 158
  Physical Security ... 160
    Limiting access ... 161
    Detecting hardware changes ... 162
    Disk partitioning ... 163
    Prepare for the eventual attack ... 164
  Controlling the Configuration ... 166
    Installed packages ... 166
    Kernel configurations ... 167
  Operating UNIX Safely ... 174
    Controlling processes ... 174
    Controlling users ... 187
    Encryption and certificates ... 194
  Hardening UNIX ... 196
    Configuration items ... 196
    TCP wrapper ... 198
    Checking strong passwords ... 198
    Packet filtering with iptables ... 199
  Summary ... 200
Chapter 6: Web Browser and Client Security ... 201
  Web Browser and Client Risk ... 201
    Privacy versus security ... 202
    Web browser convenience ... 202
    Web browser productivity and popularity ... 202
    Web browser evolution ... 203
    Web browser risks ... 204
    Issues working against the attacker ... 205
  How a Web Browser Works ... 205
    HTTP, the browser protocol ... 205
    Cookies ... 208
    Maintaining state ... 210
    Caching ... 212
    Secure Socket Layer ... 212
  Web Browser Attacks ... 216
    Hijacking attack ... 216
    Replay attack ... 217
    Browser parasites ... 218
  Operating Safely ... 219
    Keeping current with patches ... 220
    Avoiding viruses ... 220
    Using secure sites ... 220
    Securing the network environment ... 222
    Using a secure proxy ... 223
    Avoid using private data ... 223
    General recommendations ... 224
  Web Browser Configurations ... 225
    Cookies ... 225
    Plugins ... 226
    Netscape-specific issues ... 230
    Internet Explorer–specific issues ... 231
  Summary ... 236
Chapter 7: Web Security ... 237
  What Is HTTP? ... 237
  How Does HTTP Work? ... 239
    HTTP implementation ... 242
    Persistent connections ... 244
    The client/server model ... 248
    Put ... 249
    Get ... 250
    Burstable TCP ... 250
    HTML ... 251
  Server Content ... 252
    CGI scripts ... 252
    PHP pages ... 253
  Client Content ... 254
    JavaScript ... 254
    Java ... 255
    ActiveX ... 257
  State ... 260
    What is state? ... 260
    How does it relate to HTTP? ... 260
    What applications need state? ... 260
    Tracking state ... 261
    Cookies ... 261
    Web bugs ... 264
    URL tracking ... 265
    Hidden frames ... 265
    Hidden fields ... 266
  Attacking Web Servers ... 266
    Account harvesting ... 266
    SQL injection ... 267
  E-commerce Design ... 269
    Physical location ... 269
  Summary ... 271
Chapter 8: E-mail Security ... 273
  The E-mail Risk ... 273
    Data vulnerabilities ... 273
    Simple e-mail versus collaboration ... 274
    Spam ... 285
    Maintaining e-mail confidentiality ... 288
    Maintaining e-mail integrity ... 289
    E-mail availability issues ... 290
  The E-mail Protocols ... 290
    SMTP ... 290
    POP ... 294
    IMAP ... 295
  E-mail Authentication ... 296
    Plain login ... 296
    Login authentication ... 297
    APOP ... 297
    NTLM/SPA ... 298
    POP before SMTP ... 299
    Kerberos and GSSAPI ... 299
  Operating Safely When Using E-mail ... 300
    Be paranoid ... 300
    Mail client configurations ... 301
    Application versions ... 302
    Architectural considerations ... 302
    SSH tunnel ... 303
    PGP and GPG ... 307
  Summary ... 308
Chapter 9: Domain Name System ... 309
  Purpose of DNS ... 310
    Forward lookups ... 315
    Reverse lookups ... 316
  Alternative Approaches to Name Resolution ... 318
  Security Issues with DNS ... 319
    Misconfigurations ... 321
    Zone transfers ... 322
    Predictable query IDs ... 325
    Recursion and iterative queries ... 325
  DNS Attacks ... 326
    Simple DNS attack ... 327
    Cache poisoning ... 327
  Designing DNS ... 329
    Split DNS ... 329
    Split-split DNS ... 329
  Master Slave DNS ... 331
  Detailed DNS Architecture ... 331
  Summary ... 332
Chapter 10: Server Security . . . . . . . . . . . . . . . . . . . . . . . . 333General Server Risks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333Security by Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334
Maintain a security mindset . . . . . . . . . . . . . . . . . . . . . . . 335Establishing a secure development environment . . . . . . . . . . . 340Secure development practices . . . . . . . . . . . . . . . . . . . . . . 344Test, test, test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
Operating Servers Safely . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354Controlling the server configuration . . . . . . . . . . . . . . . . . . . 354Controlling users and access . . . . . . . . . . . . . . . . . . . . . . . 356Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357Monitoring, auditing, and logging . . . . . . . . . . . . . . . . . . . . 357
Server Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358Data sharing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358Peer to peer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362Instant messaging and chat . . . . . . . . . . . . . . . . . . . . . . . . 363
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
Part III: Network Security Fundamentals 365
Chapter 11: Network Protocols . . . . . . . . . . . . . . . . . . . . . . 367Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367The Open Systems Interconnect Model . . . . . . . . . . . . . . . . . . . . 368
The OSI Layers . . . . . . . . . . 369
    The Application layer . . . . . . . . . . 369
    The Presentation layer . . . . . . . . . . 370
    The Session Layer . . . . . . . . . . 370
    The Transport layer . . . . . . . . . . 371
    The Network layer . . . . . . . . . . 372
    The Data Link layer . . . . . . . . . . 373
    The Physical layer . . . . . . . . . . 374
The TCP/IP Model . . . . . . . . . . 375
TCP/IP Model Layers . . . . . . . . . . 377
Network Address Translation . . . . . . . . . . 379
Summary . . . . . . . . . . 379

Chapter 12: Wireless Security . . . . . . . . . . 381
Electromagnetic Spectrum . . . . . . . . . . 381
The Cellular Phone Network . . . . . . . . . . 383
Placing a Cellular Telephone Call . . . . . . . . . . 385
Wireless Transmission Systems . . . . . . . . . . 386
    Time Division Multiple Access . . . . . . . . . . 386
    Frequency Division Multiple Access . . . . . . . . . . 386
    Code Division Multiple Access . . . . . . . . . . 387
    Wireless transmission system types . . . . . . . . . . 388
Pervasive Wireless Data Network Technologies . . . . . . . . . . 393
    Spread spectrum . . . . . . . . . . 393
    Spread spectrum basics . . . . . . . . . . 393
IEEE Wireless LAN Specifications . . . . . . . . . . 397
    The PHY layer . . . . . . . . . . 398
    The MAC layer . . . . . . . . . . 398
IEEE 802.11 Wireless Security . . . . . . . . . . 400
    WEP . . . . . . . . . . 400
    WEP security upgrades . . . . . . . . . . 402
    802.11i . . . . . . . . . . 408
Bluetooth . . . . . . . . . . 413
Wireless Application Protocol . . . . . . . . . . 414
Summary . . . . . . . . . . 416

Chapter 13: Network Architecture Fundamentals . . . . . . . . . . 417
Network Segments . . . . . . . . . . 418
    Public networks . . . . . . . . . . 418
    Semi-private networks . . . . . . . . . . 418
    Private networks . . . . . . . . . . 419
Perimeter Defense . . . . . . . . . . 419
Network Address Translation . . . . . . . . . . 420
Basic Architecture Issues . . . . . . . . . . 422
Subnetting, Switching, and VLANs . . . . . . . . . . 424
Address Resolution Protocol and Media Access Control Addresses . . . . . . . . . . 426
Dynamic Host Configuration Protocol and Addressing Control . . . . . . . . . . 428
Firewalls . . . . . . . . . . 429
    Packet filtering firewalls . . . . . . . . . . 430
    Stateful packet filtering . . . . . . . . . . 432
    Proxy firewalls . . . . . . . . . . 433
    Disadvantages of firewalls . . . . . . . . . . 434
Intrusion Detection Systems . . . . . . . . . . 435
    Types of intrusion detection systems . . . . . . . . . . 436
    Methods and modes of intrusion detection . . . . . . . . . . 439
Responses to Intrusion Detection . . . . . . . . . . 442
Common Attacks . . . . . . . . . . 442
Summary . . . . . . . . . . 444

Part IV: Communications 445

Chapter 14: Secret Communication . . . . . . . . . . 447
General Terms . . . . . . . . . . 448
Historic Cryptography . . . . . . . . . . 449
    Substitution ciphers . . . . . . . . . . 449
    Ciphers that shaped history . . . . . . . . . . 455
The Four Cryptographic Primitives . . . . . . . . . . 455
    Random number generation . . . . . . . . . . 456
Cast Introduction . . . . . . . . . . 460
Symmetric Encryption . . . . . . . . . . 460
    Stream ciphers . . . . . . . . . . 462
    Block ciphers . . . . . . . . . . 463
    Sharing keys . . . . . . . . . . 465
Asymmetric Encryption (Two-Key Encryption) . . . . . . . . . . 467
    Using a Certificate Authority . . . . . . . . . . 468
    Using a web of trust . . . . . . . . . . 469
    Digital signatures . . . . . . . . . . 470
    Hash functions . . . . . . . . . . 471
    Keyed hash functions . . . . . . . . . . 473
Putting These Primitives Together to Achieve CIA . . . . . . . . . . 473
The Difference Between Algorithm and Implementation . . . . . . . . . . 475
Proprietary Versus Open Source Algorithms . . . . . . . . . . 476
Summary . . . . . . . . . . 477

Chapter 15: Covert Communication . . . . . . . . . . 479
Where Hidden Data Hides . . . . . . . . . . 479
Where Did It Come From? . . . . . . . . . . 481
Where Is It Going? . . . . . . . . . . 482
Overview of Steganography . . . . . . . . . . 482
    Why do we need steganography? . . . . . . . . . . 483
    Pros of steganography . . . . . . . . . . 484
    Cons of steganography . . . . . . . . . . 485
    Comparison to other technologies . . . . . . . . . . 485
History of Steganography . . . . . . . . . . 488
    Using steganography in the fight for the Roman Empire . . . . . . . . . . 488
    Steganography during war . . . . . . . . . . 489
Core Areas of Network Security and Their Relation to Steganography . . . . . . . . . . 490
    Confidentiality . . . . . . . . . . 490
    Integrity . . . . . . . . . . 491
    Availability . . . . . . . . . . 491
    Additional goals of steganography . . . . . . . . . . 491
Principles of Steganography . . . . . . . . . . 492
Steganography Compared to Cryptography . . . . . . . . . . 493
    Protecting your ring example . . . . . . . . . . 493
    Putting all of the pieces together . . . . . . . . . . 494
Types of Steganography . . . . . . . . . . 495
    Original classification scheme . . . . . . . . . . 496
    New classification scheme . . . . . . . . . . 497
    Color tables . . . . . . . . . . 501
Products That Implement Steganography . . . . . . . . . . 503
    S-Tools . . . . . . . . . . 503
    Hide and Seek . . . . . . . . . . 506
    Jsteg . . . . . . . . . . 508
    EZ-Stego . . . . . . . . . . 511
    Image Hide . . . . . . . . . . 512
    Digital Picture Envelope . . . . . . . . . . 514
    Camouflage . . . . . . . . . . 516
    Gif Shuffle . . . . . . . . . . 517
    Spam Mimic . . . . . . . . . . 519
Steganography Versus Digital Watermarking . . . . . . . . . . 520
    What is digital watermarking? . . . . . . . . . . 521
    Why do we need digital watermarking? . . . . . . . . . . 521
    Properties of digital watermarking . . . . . . . . . . 521
Types of Digital Watermarking . . . . . . . . . . 522
    Invisible watermarking . . . . . . . . . . 522
    Visible watermarking . . . . . . . . . . 523
Goals of Digital Watermarking . . . . . . . . . . 523
Digital Watermarking and Stego . . . . . . . . . . 524
    Uses of digital watermarking . . . . . . . . . . 524
    Removing digital watermarks . . . . . . . . . . 526
Summary . . . . . . . . . . 526

Chapter 16: Applications of Secure/Covert Communication . . . . . . . . . . 529
E-mail . . . . . . . . . . 530
    POP/IMAP protocols . . . . . . . . . . 530
    Pretty Good Privacy . . . . . . . . . . 531
    Kerberos . . . . . . . . . . 532
Authentication Servers . . . . . . . . . . 534
Working Model . . . . . . . . . . 535
Public Key Infrastructure . . . . . . . . . . 537
    Public and private keys . . . . . . . . . . 538
    Key management . . . . . . . . . . 540
    Web of trust . . . . . . . . . . 541
Virtual Private Networks . . . . . . . . . . 541
    Design issues . . . . . . . . . . 543
    IPSec-based VPN . . . . . . . . . . 544
    IPsec header modes . . . . . . . . . . 545
    PPTP/PPP-based VPNs . . . . . . . . . . 547
    Secure Shell . . . . . . . . . . 548
Secure Sockets Layer/Transport Layer Security . . . . . . . . . . 549
SSL Handshake . . . . . . . . . . 550
Summary . . . . . . . . . . 554

Part V: The Security Threat and the Response 555

Chapter 17: Intrusion Detection and Response . . . . . . . . . . 557
Malicious Code . . . . . . . . . . 557
    Viruses . . . . . . . . . . 557
Review of Common Attacks . . . . . . . . . . 559
    Denial-of-service/Distributed denial-of-service attacks . . . . . . . . . . 559
    Back door . . . . . . . . . . 560
    Spoofing . . . . . . . . . . 560
    Man-in-the-middle . . . . . . . . . . 561
    Replay . . . . . . . . . . 561
    TCP/Hijacking . . . . . . . . . . 561
    Fragmentation attacks . . . . . . . . . . 562
    Weak keys . . . . . . . . . . 562
    Mathematical attacks . . . . . . . . . . 563
    Social engineering . . . . . . . . . . 563
    Port scanning . . . . . . . . . . 564
    Dumpster diving . . . . . . . . . . 564
    Birthday attacks . . . . . . . . . . 564
    Password guessing . . . . . . . . . . 565
    Software exploitation . . . . . . . . . . 565
    Inappropriate system use . . . . . . . . . . 566
    Eavesdropping . . . . . . . . . . 566
    War driving . . . . . . . . . . 567
    TCP sequence number attacks . . . . . . . . . . 567
    War dialing/demon dialing attacks . . . . . . . . . . 567
Intrusion Detection Mechanisms . . . . . . . . . . 567
    Antivirus approaches . . . . . . . . . . 567
    Intrusion detection and response . . . . . . . . . . 568
    IDS issues . . . . . . . . . . 571
Honeypots . . . . . . . . . . 573
    Purposes . . . . . . . . . . 573
    Honeypot categories . . . . . . . . . . 574
    When to use a honeypot . . . . . . . . . . 575
    When not to use a honeypot . . . . . . . . . . 575
    Current solutions . . . . . . . . . . 576
    Honeynet Project . . . . . . . . . . 577
Incident Handling . . . . . . . . . . 577
    CERT/CC practices . . . . . . . . . . 578
    Internet Engineering Task Force guidance . . . . . . . . . . 583
    Layered security and IDS . . . . . . . . . . 584
    Computer Security and Incident Response Teams . . . . . . . . . . 585
    Security Incident Notification Process . . . . . . . . . . 587
    Automated notice and recovery mechanisms . . . . . . . . . . 588
Summary . . . . . . . . . . 589

Chapter 18: Security Assessments, Testing, and Evaluation . . . . . . . . . . 591
Information Assurance Approaches and Methodologies . . . . . . . . . . 591
    The Systems Security Engineering Capability Maturity Model . . . . . . . . . . 592
    NSA Infosec Assessment Methodology . . . . . . . . . . 594
    Operationally Critical Threat, Asset, and Vulnerability Evaluation . . . . . . . . . . 595
    Federal Information Technology Security Assessment Framework . . . . . . . . . . 595
Certification and Accreditation . . . . . . . . . . 596
    The National Information Assurance Certification and Accreditation Process . . . . . . . . . . 596
    Four phases of NIACAP . . . . . . . . . . 597
    DoD Information Technology Security Certification and Accreditation Process . . . . . . . . . . 598
    The four phases of DITSCAP . . . . . . . . . . 599
Federal Information Processing Standard 102 . . . . . . . . . . 600
OMB Circular A-130 . . . . . . . . . . 601
The National Institute of Standards and Technology Assessment Guidelines . . . . . . . . . . 602
    SP 800-14 . . . . . . . . . . 603
    SP 800-27 . . . . . . . . . . 604
    SP 800-30 . . . . . . . . . . 604
    SP 800-64 . . . . . . . . . . 606
Penetration Testing . . . . . . . . . . 607
    Internal penetration test . . . . . . . . . . 608
    External penetration test . . . . . . . . . . 609
    Full knowledge test . . . . . . . . . . 609
    Partial knowledge test . . . . . . . . . . 609
    Zero knowledge test . . . . . . . . . . 609
    Closed-box test . . . . . . . . . . 610
    Open-box test . . . . . . . . . . 610
Auditing and Monitoring . . . . . . . . . . 610
    Auditing . . . . . . . . . . 610
    Monitoring . . . . . . . . . . 611
Summary . . . . . . . . . . 612

Chapter 19: Putting Everything Together . . . . . . . . . . 613
Critical Problems Facing Organizations . . . . . . . . . . 613
    How do I convince management security is a problem and that they should spend money on it? . . . . . . . . . . 613
    How do I keep up with the increased number of attacks? . . . . . . . . . . 615
    How do you make employees part of the solution and not part of the problem? . . . . . . . . . . 615
    How do you analyze all of the log data? . . . . . . . . . . 616
    How do I keep up with all of the different systems across my enterprise and make sure they are all secure? . . . . . . . . . . 617
    How do I know if I am a target of corporate espionage or some other threat? . . . . . . . . . . 617
    Top 10 common mistakes . . . . . . . . . . 618
General Tips for Protecting a Site . . . . . . . . . . 620
    Defense in depth . . . . . . . . . . 620
    Principle of least privilege . . . . . . . . . . 621
    Know what is running on your system . . . . . . . . . . 621
    Prevention is ideal but detection is a must . . . . . . . . . . 622
    Apply and test patches . . . . . . . . . . 623
    Regular checks of systems . . . . . . . . . . 623
Summary . . . . . . . . . . 623

Index . . . . . . . . . . 625
Acknowledgments
John Wiley is a wonderful publisher to work with. Carol Long is an insightful and energetic executive editor who provides continual support. Marcia Ellett provided constant guidance and expertise, and without all of her help and hard work, this book would not be where it is today.

As deadlines approach, you reach out to your co-workers, who are truly friends, to tap into the expertise and knowledge. Sandy Ring, Bill Speirs, and Vignesh Kumar all wrote or helped write chapters in the book. Their technical knowledge is top-notch and their input was critical to the success of the book.

The authors would not be working together or be able to complete the book without having the opportunity to work for such a great company, TSGI (The Sytex Group, Inc.). Continuing thanks to Syd Martin for understanding the importance of research and for allowing creative minds to think of solutions to complex technical problems. Syd's support is critical to the success of this book and the success of the cutting-edge research the team produces.

Most of all we want to thank God for blessing us with a great life and a wonderful family.

Eric has Kerry, who is a loving and supportive wife. Without her none of this would be possible. Eric's wonderful son, Jackson, and his princess, Anna, bring joy and happiness to him every day.
Ron is blessed with an understanding and supporting wife; children, Sheri and Lisa;and wonderful grandchildren, Patrick, Ryan, Aaron, and Emma.
Jim receives unlimited love and support from his lovely wife, Jill, and his exceptional children, Matthew and Andrew.

In addition, we thank all of our friends, family, and co-workers who have supported us in a variety of ways through this entire process.
Introduction
Network security spans a large number of disciplines, ranging from management and policy topics to operating system kernel fundamentals. Historically, the coverage of these and the other network security areas was presented in multiple, specialized publications or given a high-level treatment that was not suited to the practitioner. Network Security Bible approaches network security from the view of the individual who wants to learn and apply the associated network security best practices without having to sort through a myriad of extraneous material from multiple sources. The information provided in this text includes "secrets" learned by practicing professionals in the field of network security through many years of real-world experience.

The Goal of This Book

Network Security Bible provides comprehensive coverage of the fundamental concepts of network security and the processes and means required to implement a secure network. The goal of this text is to provide the reader with an understanding of security engineering processes and network security best practices, including in-depth specifics on the following topics:
✦ Windows
✦ UNIX
✦ Linux
✦ The World Wide Web
✦ Risk management
✦ Server applications
✦ Domain Name Systems (DNS)
✦ Communications security
Other topics are aimed at providing the reader with insight into information assurance through clear and thorough tutorials on the latest information, including security assessment, evaluation, and testing techniques. This up-to-date and applicable knowledge will benefit practitioners in the commercial, government, and industrial sectors.

Network Security Bible meets the needs of information security professionals and other individuals who have to deal with network security in their everyday activities. It is truly an all-inclusive reference that tells you why and how to achieve a secure network in clear and concise terms.

The Five Parts of This Book

Network Security Bible is organized into the following five parts:
✦ Part I: Security Principles and Practices
✦ Part II: Operating Systems and Applications
✦ Part III: Network Security Fundamentals
✦ Part IV: Communications
✦ Part V: The Security Threat and Response
The flow of the material is designed to provide a smooth transition from fundamental principles and basic knowledge to the practical details of network security. In this manner, the text can serve as a learning mechanism for people new to the field as well as a valuable reference and guide for experienced professionals.

Part I: Security Principles and Practices

Part I provides a background in the fundamentals of information system security. Specifically, it comprises chapters on information system security principles, information system security management, and access control.

✦ Chapter 1: Information System Security Principles. It is important that the network security practitioner be intimately familiar with the fundamental tenets of information system security, particularly the concepts of confidentiality, integrity, and availability (CIA). These topics are explained in detail in this chapter and then related to threats, vulnerabilities, and possible impacts of threats realized. After covering these basic topics, the formal processes of systems engineering (SE), information systems security engineering (ISSE), the systems development life cycle (SDLC), and the relationship of network security to the SDLC are explained. These subject areas provide the reader with an excellent understanding of applying standard rules to incorporate information system security into system development activities. These skills are particularly valuable to individuals working in large companies that need the discipline provided by these methods and to government organizations required to apply formal information security approaches in their everyday operations.