Network Security Bible Dr. Eric Cole, Dr. Ronald Krutz, and James W. Conley

Network Security Bible · 2013-07-23



Published by
Wiley Publishing, Inc.
10475 Crosspoint Boulevard
Indianapolis, IN 46256
www.wiley.com

Copyright © 2005 by Wiley Publishing, Inc., Indianapolis, Indiana

Published simultaneously in Canada

ISBN: 0-7645-7397-7

Manufactured in the United States of America

10 9 8 7 6 5 4 3 2 1

1B/SZ/RS/QU/IN

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Legal Department, Wiley Publishing, Inc., 10475 Crosspoint Blvd., Indianapolis, IN 46256, (317) 572-3447, fax (317) 572-4355, E-Mail: [email protected].

LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: THE PUBLISHER AND THE AUTHOR MAKE NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THIS WORK AND SPECIFICALLY DISCLAIM ALL WARRANTIES, INCLUDING WITHOUT LIMITATION WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE. NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES OR PROMOTIONAL MATERIALS. THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR EVERY SITUATION. THIS WORK IS SOLD WITH THE UNDERSTANDING THAT THE PUBLISHER IS NOT ENGAGED IN RENDERING LEGAL, ACCOUNTING, OR OTHER PROFESSIONAL SERVICES. IF PROFESSIONAL ASSISTANCE IS REQUIRED, THE SERVICES OF A COMPETENT PROFESSIONAL PERSON SHOULD BE SOUGHT. NEITHER THE PUBLISHER NOR THE AUTHOR SHALL BE LIABLE FOR DAMAGES ARISING HEREFROM. THE FACT THAT AN ORGANIZATION OR WEBSITE IS REFERRED TO IN THIS WORK AS A CITATION AND/OR A POTENTIAL SOURCE OF FURTHER INFORMATION DOES NOT MEAN THAT THE AUTHOR OR THE PUBLISHER ENDORSES THE INFORMATION THE ORGANIZATION OR WEBSITE MAY PROVIDE OR RECOMMENDATIONS IT MAY MAKE. FURTHER, READERS SHOULD BE AWARE THAT INTERNET WEBSITES LISTED IN THIS WORK MAY HAVE CHANGED OR DISAPPEARED BETWEEN WHEN THIS WORK WAS WRITTEN AND WHEN IT IS READ.

For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at (800) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.

Library of Congress Cataloging-in-Publication Data

Cole, Eric.
Network security bible / Eric Cole, Ronald Krutz, James W. Conley.
p. cm.
ISBN 0-7645-7397-7 (pbk.)
1. Computer security. 2. Computer networks — Security measures. I. Krutz, Ronald L., 1938- II. Conley, James W. III. Title.

QA76.9.A25 C5985 2005
005.8—dc22

2004025696

Trademarks: Wiley, the Wiley logo, and related trade dress are registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. All other trademarks are the property of their respective owners. Wiley Publishing, Inc., is not associated with any product or vendor mentioned in this book.

    www.wiley.com

To Kerry, Jackson, and Anna, who provide constant inspiration and energy. EBC

To my family — the real meaning of life. RLK

To my beautiful wife, Jill, and handsome children, Matthew and Andrew. JWC

Credits

Acquisitions Editor: Carol Long
Technical Editor: Patrick Santy
Editorial Manager: Mary Beth Wakefield
Vice President & Executive Group Publisher: Richard Swadley
Vice President and Publisher: Joseph B. Wikert
Project Coordinators: Maridee Ennis, Erin Smith
Graphics and Production Specialists: Sean Decker, Carrie A. Foster, Denny Hager, Joyce Haughey
Quality Control Technicians: Amanda Briggs, John Greenough, Leeann Harney
Proofreading and Indexing: TECHBOOKS Production Services

About the Authors

Dr. Eric Cole is the best-selling author of Hackers Beware and one of the highest-rated speakers on the training circuit. Eric has earned rave reviews for his ability to educate and train network security professionals worldwide. He has appeared on CNN and has been interviewed on various TV programs, including “CBS News” and “60 Minutes.”

An information security expert for more than 15 years, Eric holds several professional certificates and helped develop several certifications and corresponding courses. He obtained his M.S. in Computer Science at the New York Institute of Technology and recently earned his Doctorate degree in Network Steganography from Pace University.

Eric has created and directed corporate security programs for several large organizations, built numerous security consulting practices, and worked for more than five years at the Central Intelligence Agency. He is currently Chief Scientist for The Sytex Group, Inc Information Research Center, where he heads up cutting-edge research.

Dr. Ronald L. Krutz is a Senior Information Security Researcher in the Advanced Technology Research center of The Sytex Group, Inc. In this capacity, he works with a team responsible for advancing the state of the art in information systems security. He has more than 30 years of experience in distributed computing systems, computer architectures, real-time systems, information assurance methodologies, and information security training. He holds the CISSP and ISSEP information security certifications.

He has been an information security consultant at REALTECH Systems Corporation and BAE Systems, an associate director of the Carnegie Mellon Research Institute (CMRI), and a professor in the Carnegie Mellon University Department of Electrical and Computer Engineering. Ron founded the CMRI Cybersecurity Center and was founder and director of the CMRI Computer, Automation, and Robotics Group. He is a former lead instructor for the (ISC)2 CISSP Common Body of Knowledge review seminars. Ron is also a Distinguished Special Lecturer in the Center for Forensic Computer Investigation at the University of New Haven, a part-time instructor in the University of Pittsburgh Department of Electrical and Computer Engineering, and a Registered Professional Engineer. In addition, he is the author of six best-selling publications in the area of information systems security. Ron holds B.S., M.S., and Ph.D. degrees in Electrical and Computer Engineering.

James W. Conley is a Senior Researcher in the Advanced Technology Research Center of The Sytex Group, Inc. He has more than 20 years of experience in security, beginning as a Security Officer in the United States Navy, then as a Senior Security Specialist on CIA development efforts, and now as a security professional with certifications of CISSP/Security+/CCNA. Additionally, he has over 18 years of experience in project management, software engineering, and computer science. He has a strong foundation in personnel management, software development, and systems integration. Prior to joining Sytex, he held prominent positions in various companies, such as Chief Information Officer, Director of Security, Vice President of Security Solutions, and finally as President/CEO (ThinkSecure, LLC). Jim has extensive experience developing applications and securing systems in both UNIX and Windows environments, and has a B.S. in Physics, M.S. in Computer Science, and is pursuing a Ph.D. in Machine Learning at George Mason University, Fairfax, Virginia.

Contents at a Glance

Acknowledgments . . . xxv
Introduction . . . xxvii

Part I: Security Principles and Practices . . . 1
Chapter 1: Information System Security Principles . . . 3
Chapter 2: Information System Security Management . . . 43
Chapter 3: Access Control Considerations . . . 79

Part II: Operating Systems and Applications . . . 97
Chapter 4: Windows Security . . . 99
Chapter 5: UNIX and Linux Security . . . 155
Chapter 6: Web Browser and Client Security . . . 201
Chapter 7: Web Security . . . 237
Chapter 8: E-mail Security . . . 273
Chapter 9: Domain Name System . . . 309
Chapter 10: Server Security . . . 333

Part III: Network Security Fundamentals . . . 365
Chapter 11: Network Protocols . . . 367
Chapter 12: Wireless Security . . . 381
Chapter 13: Network Architecture Fundamentals . . . 417

Part IV: Communications . . . 445
Chapter 14: Secret Communication . . . 447
Chapter 15: Covert Communication . . . 479
Chapter 16: Applications of Secure/Covert Communication . . . 529

Part V: The Security Threat and the Response . . . 555
Chapter 17: Intrusion Detection and Response . . . 557
Chapter 18: Security Assessments, Testing, and Evaluation . . . 591
Chapter 19: Putting Everything Together . . . 613

Index . . . 625

Contents

Acknowledgments . . . xxv

Introduction . . . xxvii

Part I: Security Principles and Practices . . . 1

Chapter 1: Information System Security Principles . . . 3
  Key Principles of Network Security . . . 3
    Confidentiality . . . 4
    Integrity . . . 4
    Availability . . . 4
    Other important terms . . . 4
  Formal Processes . . . 5
    The systems engineering process . . . 5
    The Information Assurance Technical Framework . . . 6
    The Information Systems Security Engineering process . . . 11
    The Systems Development Life Cycle . . . 21
    Information systems security and the SDLC . . . 22
  Risk Management . . . 31
    Definitions . . . 32
    Risk management and the SDLC . . . 33
  Summary . . . 42

Chapter 2: Information System Security Management . . . 43
  Security Policies . . . 43
    Senior management policy statement . . . 44
    Standards, guidelines, procedures, and baselines . . . 45
  Security Awareness . . . 46
    Training . . . 46
    Measuring awareness . . . 47
  Managing the Technical Effort . . . 48
    Program manager . . . 48
    Program management plan . . . 48
    Systems engineering management plan . . . 48
  Configuration Management . . . 56
    Primary functions of configuration management . . . 56
    Definitions and procedures . . . 57

  Business Continuity and Disaster Recovery Planning . . . 59
    Business continuity planning . . . 60
    Disaster recovery planning . . . 64
  Physical Security . . . 67
    Controls . . . 68
    Environmental issues . . . 72
    Fire suppression . . . 73
    Object reuse and data remanence . . . 74
  Legal and Liability Issues . . . 75
    Types of computer crime . . . 75
    Electronic monitoring . . . 76
    Liability . . . 76
  Summary . . . 77

Chapter 3: Access Control Considerations . . . 79
  Control Models . . . 79
    Discretionary access control . . . 79
    Mandatory access control . . . 80
    Non-discretionary access control . . . 81
  Types of Access Control Implementations . . . 81
    Preventive/Administrative . . . 81
    Preventive/Technical . . . 82
    Preventive/Physical . . . 82
    Detective/Administrative . . . 82
    Detective/Technical . . . 83
    Detective/Physical . . . 83
    Centralized/Decentralized access controls . . . 84
  Identification and Authentication . . . 84
    Passwords . . . 85
    Biometrics . . . 85
    Single Sign-On . . . 86
  Databases . . . 90
    Relational databases . . . 90
    Other database types . . . 92
  Remote Access . . . 93
    RADIUS . . . 93
    TACACS and TACACS+ . . . 93
    Password Authentication Protocol . . . 94
    Challenge Handshake Authentication Protocol . . . 94
    Callback . . . 95
  Summary . . . 95

Part II: Operating Systems and Applications . . . 97

Chapter 4: Windows Security . . . 99
  Windows Security at the Heart of the Defense . . . 101
    Who would target me? . . . 101
    Be afraid . . . 102
    Microsoft recommendations . . . 103
  Out-of-the-Box Operating System Hardening . . . 105
    Prior to system hardening . . . 105
    The general process of system hardening . . . 105
    Windows 2003 new installation example . . . 107
    Specifics of system hardening . . . 110
    Securing the typical Windows business workstation . . . 114
    Securing the typical Windows gaming system . . . 114
  Installing Applications . . . 115
    Antivirus protection . . . 116
    Personal firewalls . . . 118
    Secure Shell . . . 118
    Secure FTP . . . 119
    Pretty Good Privacy . . . 119
  Putting the Workstation on the Network . . . 120
    Test the hardened workstation . . . 120
    Physical security . . . 120
    Architecture . . . 120
    Firewall . . . 121
    Intrusion detection systems . . . 122
  Operating Windows Safely . . . 122
    Separate risky behavior . . . 122
    Physical security issues . . . 124
    Configuration issues . . . 125
    Configuration control . . . 127
    Operating issues . . . 130
  Upgrades and Patches . . . 138
    Keep current with Microsoft upgrades and patches . . . 138
    Keep current with application upgrades and patches . . . 139
    Keep current with antivirus signatures . . . 139
    Use the most modern Windows version . . . 140
  Maintain and Test the Security . . . 140
    Scan for vulnerabilities . . . 141
    Test questionable applications . . . 141
    Be sensitive to the performance of the system . . . 141
    Replace old Windows systems . . . 142
    Periodically re-evaluate and rebuild . . . 142
    Monitoring . . . 143
    Logging and auditing . . . 144

    Clean up the system . . . 144
    Prepare for the eventual attack . . . 145
  Attacks Against the Windows Workstation . . . 145
    Viruses . . . 145
    Worms . . . 146
    Trojan horses . . . 147
    Spyware and ad support . . . 148
    Spyware and “Big Brother” . . . 149
    Physical attacks . . . 149
    TEMPEST attacks . . . 150
    Backdoors . . . 150
    Denial-of-service attacks . . . 151
    File extensions . . . 151
    Packet sniffing . . . 152
    Hijacking and session replay . . . 152
    Social engineering . . . 152
  Summary . . . 153

Chapter 5: UNIX and Linux Security . . . 155
  The Focus of UNIX/Linux Security . . . 155
    UNIX as a target . . . 155
    UNIX/Linux as a poor target . . . 157
    Open source issues . . . 158
  Physical Security . . . 160
    Limiting access . . . 161
    Detecting hardware changes . . . 162
    Disk partitioning . . . 163
    Prepare for the eventual attack . . . 164
  Controlling the Configuration . . . 166
    Installed packages . . . 166
    Kernel configurations . . . 167
  Operating UNIX Safely . . . 174
    Controlling processes . . . 174
    Controlling users . . . 187
    Encryption and certificates . . . 194
  Hardening UNIX . . . 196
    Configuration items . . . 196
    TCP wrapper . . . 198
    Checking strong passwords . . . 198
    Packet filtering with iptables . . . 199
  Summary . . . 200

Chapter 6: Web Browser and Client Security . . . 201
  Web Browser and Client Risk . . . 201
    Privacy versus security . . . 202
    Web browser convenience . . . 202

    Web browser productivity and popularity . . . 202
    Web browser evolution . . . 203
    Web browser risks . . . 204
    Issues working against the attacker . . . 205
  How a Web Browser Works . . . 205
    HTTP, the browser protocol . . . 205
    Cookies . . . 208
    Maintaining state . . . 210
    Caching . . . 212
    Secure Socket Layer . . . 212
  Web Browser Attacks . . . 216
    Hijacking attack . . . 216
    Replay attack . . . 217
    Browser parasites . . . 218
  Operating Safely . . . 219
    Keeping current with patches . . . 220
    Avoiding viruses . . . 220
    Using secure sites . . . 220
    Securing the network environment . . . 222
    Using a secure proxy . . . 223
    Avoid using private data . . . 223
    General recommendations . . . 224
  Web Browser Configurations . . . 225
    Cookies . . . 225
    Plugins . . . 226
    Netscape-specific issues . . . 230
    Internet Explorer–specific issues . . . 231
  Summary . . . 236

Chapter 7: Web Security . . . 237
  What Is HTTP? . . . 237
  How Does HTTP Work? . . . 239
    HTTP implementation . . . 242
    Persistent connections . . . 244
    The client/server model . . . 248
    Put . . . 249
    Get . . . 250
    Burstable TCP . . . 250
    HTML . . . 251
  Server Content . . . 252
    CGI scripts . . . 252
    PHP pages . . . 253
  Client Content . . . 254
    JavaScript . . . 254
    Java . . . 255
    ActiveX . . . 257

  State . . . 260
    What is state? . . . 260
    How does it relate to HTTP? . . . 260
    What applications need state? . . . 260
    Tracking state . . . 261
    Cookies . . . 261
    Web bugs . . . 264
    URL tracking . . . 265
    Hidden frames . . . 265
    Hidden fields . . . 266
  Attacking Web Servers . . . 266
    Account harvesting . . . 266
    SQL injection . . . 267
  E-commerce Design . . . 269
    Physical location . . . 269
  Summary . . . 271

Chapter 8: E-mail Security . . . 273
  The E-mail Risk . . . 273
    Data vulnerabilities . . . 273
    Simple e-mail versus collaboration . . . 274
    Spam . . . 285
    Maintaining e-mail confidentiality . . . 288
    Maintaining e-mail integrity . . . 289
    E-mail availability issues . . . 290
  The E-mail Protocols . . . 290
    SMTP . . . 290
    POP . . . 294
    IMAP . . . 295
  E-mail Authentication . . . 296
    Plain login . . . 296
    Login authentication . . . 297
    APOP . . . 297
    NTLM/SPA . . . 298
    POP before SMTP . . . 299
    Kerberos and GSSAPI . . . 299
  Operating Safely When Using E-mail . . . 300
    Be paranoid . . . 300
    Mail client configurations . . . 301
    Application versions . . . 302
    Architectural considerations . . . 302
    SSH tunnel . . . 303
    PGP and GPG . . . 307
  Summary . . . 308

    Chapter 9: Domain Name System . . . . . 309
        Purpose of DNS . . . . . 310
            Forward lookups . . . . . 315
            Reverse lookups . . . . . 316
        Alternative Approaches to Name Resolution . . . . . 318
        Security Issues with DNS . . . . . 319
            Misconfigurations . . . . . 321
            Zone transfers . . . . . 322
            Predictable query IDs . . . . . 325
            Recursion and iterative queries . . . . . 325
        DNS Attacks . . . . . 326
            Simple DNS attack . . . . . 327
            Cache poisoning . . . . . 327
        Designing DNS . . . . . 329
            Split DNS . . . . . 329
            Split-split DNS . . . . . 329
        Master Slave DNS . . . . . 331
        Detailed DNS Architecture . . . . . 331
        Summary . . . . . 332

    Chapter 10: Server Security . . . . . 333
        General Server Risks . . . . . 333
        Security by Design . . . . . 334
            Maintain a security mindset . . . . . 335
            Establishing a secure development environment . . . . . 340
            Secure development practices . . . . . 344
            Test, test, test . . . . . 351
        Operating Servers Safely . . . . . 354
            Controlling the server configuration . . . . . 354
            Controlling users and access . . . . . 356
            Passwords . . . . . 357
            Monitoring, auditing, and logging . . . . . 357
        Server Applications . . . . . 358
            Data sharing . . . . . 358
            Peer to peer . . . . . 362
            Instant messaging and chat . . . . . 363
        Summary . . . . . 364

    Part III: Network Security Fundamentals 365

    Chapter 11: Network Protocols . . . . . 367
        Protocols . . . . . 367
        The Open Systems Interconnect Model . . . . . 368


        The OSI Layers . . . . . 369
            The Application layer . . . . . 369
            The Presentation layer . . . . . 370
            The Session layer . . . . . 370
            The Transport layer . . . . . 371
            The Network layer . . . . . 372
            The Data Link layer . . . . . 373
            The Physical layer . . . . . 374
        The TCP/IP Model . . . . . 375
        TCP/IP Model Layers . . . . . 377
        Network Address Translation . . . . . 379
        Summary . . . . . 379

    Chapter 12: Wireless Security . . . . . 381
        Electromagnetic Spectrum . . . . . 381
        The Cellular Phone Network . . . . . 383
        Placing a Cellular Telephone Call . . . . . 385
        Wireless Transmission Systems . . . . . 386
            Time Division Multiple Access . . . . . 386
            Frequency Division Multiple Access . . . . . 386
            Code Division Multiple Access . . . . . 387
            Wireless transmission system types . . . . . 388
        Pervasive Wireless Data Network Technologies . . . . . 393
            Spread spectrum . . . . . 393
            Spread spectrum basics . . . . . 393
        IEEE Wireless LAN Specifications . . . . . 397
            The PHY layer . . . . . 398
            The MAC layer . . . . . 398
        IEEE 802.11 Wireless Security . . . . . 400
            WEP . . . . . 400
            WEP security upgrades . . . . . 402
            802.11i . . . . . 408
        Bluetooth . . . . . 413
        Wireless Application Protocol . . . . . 414
        Summary . . . . . 416

    Chapter 13: Network Architecture Fundamentals . . . . . 417
        Network Segments . . . . . 418
            Public networks . . . . . 418
            Semi-private networks . . . . . 418
            Private networks . . . . . 419
        Perimeter Defense . . . . . 419
        Network Address Translation . . . . . 420
        Basic Architecture Issues . . . . . 422
        Subnetting, Switching, and VLANs . . . . . 424
        Address Resolution Protocol and Media Access Control Addresses . . . . . 426


        Dynamic Host Configuration Protocol and Addressing Control . . . . . 428
        Firewalls . . . . . 429
            Packet filtering firewalls . . . . . 430
            Stateful packet filtering . . . . . 432
            Proxy firewalls . . . . . 433
            Disadvantages of firewalls . . . . . 434
        Intrusion Detection Systems . . . . . 435
            Types of intrusion detection systems . . . . . 436
            Methods and modes of intrusion detection . . . . . 439
        Responses to Intrusion Detection . . . . . 442
        Common Attacks . . . . . 442
        Summary . . . . . 444

    Part IV: Communications 445

    Chapter 14: Secret Communication . . . . . 447
        General Terms . . . . . 448
        Historic Cryptography . . . . . 449
            Substitution ciphers . . . . . 449
            Ciphers that shaped history . . . . . 455
        The Four Cryptographic Primitives . . . . . 455
            Random number generation . . . . . 456
        Cast Introduction . . . . . 460
        Symmetric Encryption . . . . . 460
            Stream ciphers . . . . . 462
            Block ciphers . . . . . 463
            Sharing keys . . . . . 465
        Asymmetric Encryption (Two-Key Encryption) . . . . . 467
            Using a Certificate Authority . . . . . 468
            Using a web of trust . . . . . 469
            Digital signatures . . . . . 470
            Hash functions . . . . . 471
            Keyed hash functions . . . . . 473
        Putting These Primitives Together to Achieve CIA . . . . . 473
        The Difference Between Algorithm and Implementation . . . . . 475
        Proprietary Versus Open Source Algorithms . . . . . 476
        Summary . . . . . 477

    Chapter 15: Covert Communication . . . . . 479
        Where Hidden Data Hides . . . . . 479
        Where Did It Come From? . . . . . 481
        Where Is It Going? . . . . . 482
        Overview of Steganography . . . . . 482
            Why do we need steganography? . . . . . 483
            Pros of steganography . . . . . 484


            Cons of steganography . . . . . 485
            Comparison to other technologies . . . . . 485
        History of Steganography . . . . . 488
            Using steganography in the fight for the Roman Empire . . . . . 488
            Steganography during war . . . . . 489
        Core Areas of Network Security and Their Relation to Steganography . . . . . 490
            Confidentiality . . . . . 490
            Integrity . . . . . 491
            Availability . . . . . 491
            Additional goals of steganography . . . . . 491
        Principles of Steganography . . . . . 492
        Steganography Compared to Cryptography . . . . . 493
            Protecting your ring example . . . . . 493
            Putting all of the pieces together . . . . . 494
        Types of Steganography . . . . . 495
            Original classification scheme . . . . . 496
            New classification scheme . . . . . 497
            Color tables . . . . . 501
        Products That Implement Steganography . . . . . 503
            S-Tools . . . . . 503
            Hide and Seek . . . . . 506
            Jsteg . . . . . 508
            EZ-Stego . . . . . 511
            Image Hide . . . . . 512
            Digital Picture Envelope . . . . . 514
            Camouflage . . . . . 516
            Gif Shuffle . . . . . 517
            Spam Mimic . . . . . 519
        Steganography Versus Digital Watermarking . . . . . 520
            What is digital watermarking? . . . . . 521
            Why do we need digital watermarking? . . . . . 521
            Properties of digital watermarking . . . . . 521
        Types of Digital Watermarking . . . . . 522
            Invisible watermarking . . . . . 522
            Visible watermarking . . . . . 523
        Goals of Digital Watermarking . . . . . 523
        Digital Watermarking and Stego . . . . . 524
            Uses of digital watermarking . . . . . 524
            Removing digital watermarks . . . . . 526
        Summary . . . . . 526

    Chapter 16: Applications of Secure/Covert Communication . . . . . 529
        E-mail . . . . . 530
            POP/IMAP protocols . . . . . 530
            Pretty Good Privacy . . . . . 531
            Kerberos . . . . . 532
        Authentication Servers . . . . . 534


        Working Model . . . . . 535
        Public Key Infrastructure . . . . . 537
            Public and private keys . . . . . 538
            Key management . . . . . 540
            Web of trust . . . . . 541
        Virtual Private Networks . . . . . 541
            Design issues . . . . . 543
            IPsec-based VPN . . . . . 544
            IPsec header modes . . . . . 545
            PPTP/PPP-based VPNs . . . . . 547
            Secure Shell . . . . . 548
        Secure Sockets Layer/Transport Layer Security . . . . . 549
        SSL Handshake . . . . . 550
        Summary . . . . . 554

    Part V: The Security Threat and the Response 555

    Chapter 17: Intrusion Detection and Response . . . . . 557
        Malicious Code . . . . . 557
            Viruses . . . . . 557
        Review of Common Attacks . . . . . 559
            Denial-of-service/Distributed denial-of-service attacks . . . . . 559
            Back door . . . . . 560
            Spoofing . . . . . 560
            Man-in-the-middle . . . . . 561
            Replay . . . . . 561
            TCP/Hijacking . . . . . 561
            Fragmentation attacks . . . . . 562
            Weak keys . . . . . 562
            Mathematical attacks . . . . . 563
            Social engineering . . . . . 563
            Port scanning . . . . . 564
            Dumpster diving . . . . . 564
            Birthday attacks . . . . . 564
            Password guessing . . . . . 565
            Software exploitation . . . . . 565
            Inappropriate system use . . . . . 566
            Eavesdropping . . . . . 566
            War driving . . . . . 567
            TCP sequence number attacks . . . . . 567
            War dialing/demon dialing attacks . . . . . 567
        Intrusion Detection Mechanisms . . . . . 567
            Antivirus approaches . . . . . 567
            Intrusion detection and response . . . . . 568
            IDS issues . . . . . 571


        Honeypots . . . . . 573
            Purposes . . . . . 573
            Honeypot categories . . . . . 574
            When to use a honeypot . . . . . 575
            When not to use a honeypot . . . . . 575
            Current solutions . . . . . 576
            Honeynet Project . . . . . 577
        Incident Handling . . . . . 577
            CERT/CC practices . . . . . 578
            Internet Engineering Task Force guidance . . . . . 583
            Layered security and IDS . . . . . 584
            Computer Security and Incident Response Teams . . . . . 585
            Security Incident Notification Process . . . . . 587
            Automated notice and recovery mechanisms . . . . . 588
        Summary . . . . . 589

    Chapter 18: Security Assessments, Testing, and Evaluation . . . . . 591
        Information Assurance Approaches and Methodologies . . . . . 591
            The Systems Security Engineering Capability Maturity Model . . . . . 592
            NSA Infosec Assessment Methodology . . . . . 594
            Operationally Critical Threat, Asset, and Vulnerability Evaluation . . . . . 595
            Federal Information Technology Security Assessment Framework . . . . . 595
        Certification and Accreditation . . . . . 596
            The National Information Assurance Certification and Accreditation Process . . . . . 596
            Four phases of NIACAP . . . . . 597
            DoD Information Technology Security Certification and Accreditation Process . . . . . 598
            The four phases of DITSCAP . . . . . 599
        Federal Information Processing Standard 102 . . . . . 600
        OMB Circular A-130 . . . . . 601
        The National Institute of Standards and Technology Assessment Guidelines . . . . . 602
            SP 800-14 . . . . . 603
            SP 800-27 . . . . . 604
            SP 800-30 . . . . . 604
            SP 800-64 . . . . . 606
        Penetration Testing . . . . . 607
            Internal penetration test . . . . . 608
            External penetration test . . . . . 609
            Full knowledge test . . . . . 609
            Partial knowledge test . . . . . 609
            Zero knowledge test . . . . . 609


            Closed-box test . . . . . 610
            Open-box test . . . . . 610
        Auditing and Monitoring . . . . . 610
            Auditing . . . . . 610
            Monitoring . . . . . 611
        Summary . . . . . 612

    Chapter 19: Putting Everything Together . . . . . 613
        Critical Problems Facing Organizations . . . . . 613
            How do I convince management security is a problem and that they should spend money on it? . . . . . 613
            How do I keep up with the increased number of attacks? . . . . . 615
            How do you make employees part of the solution and not part of the problem? . . . . . 615
            How do you analyze all of the log data? . . . . . 616
            How do I keep up with all of the different systems across my enterprise and make sure they are all secure? . . . . . 617
            How do I know if I am a target of corporate espionage or some other threat? . . . . . 617
            Top 10 common mistakes . . . . . 618
        General Tips for Protecting a Site . . . . . 620
            Defense in depth . . . . . 620
            Principle of least privilege . . . . . 621
            Know what is running on your system . . . . . 621
            Prevention is ideal but detection is a must . . . . . 622
            Apply and test patches . . . . . 623
            Regular checks of systems . . . . . 623
        Summary . . . . . 623

    Index . . . . . 625


  • Acknowledgments

    John Wiley is a wonderful publisher to work with. Carol Long is an insightful and energetic executive editor who provides continual support. Marcia Ellett provided constant guidance and expertise, and without all of her help and hard work, this book would not be where it is today.

    As deadlines approach, you reach out to your co-workers, who are truly friends, to tap into their expertise and knowledge. Sandy Ring, Bill Speirs, and Vignesh Kumar all wrote or helped write chapters in the book. Their technical knowledge is top notch and their input was critical to the success of the book.

    The authors would not be working together or be able to complete the book without having the opportunity to work for such a great company, TSGI (The Sytex Group, Inc.). Continuing thanks to Syd Martin for understanding the importance of research and for allowing creative minds to think of solutions to complex technical problems. Syd's support is critical to the success of this book and the success of the cutting-edge research the team produces.

    Most of all we want to thank God for blessing us with a great life and a wonderful family.

    Eric has Kerry, who is a loving and supportive wife. Without her none of this would be possible. Eric's wonderful son, Jackson, and his princess, Anna, bring joy and happiness to him every day.

    Ron is blessed with an understanding and supporting wife; children, Sheri and Lisa;and wonderful grandchildren, Patrick, Ryan, Aaron, and Emma.

    Jim receives unlimited love and support from his lovely wife, Jill, and his exceptional children, Matthew and Andrew.

    In addition, we thank all of our friends, family, and co-workers who have supported us in a variety of ways through this entire process.

    03_573977 flast.qxd 12/7/04 3:36 PM Page xxv


  • Introduction

    Network security spans a large number of disciplines, ranging from management and policy topics to operating system kernel fundamentals. Historically, the coverage of these and the other network security areas was presented in multiple, specialized publications or given a high-level treatment that was not suited to the practitioner. Network Security Bible approaches network security from the view of the individual who wants to learn and apply the associated network security best practices without having to sort through a myriad of extraneous material from multiple sources. The information provided in this text includes "secrets" learned by practicing professionals in the field of network security through many years of real-world experience.

    The Goal of This Book

    Network Security Bible provides comprehensive coverage of the fundamental concepts of network security and the processes and means required to implement a secure network. The goal of this text is to provide the reader with an understanding of security engineering processes and network security best practices, including in-depth specifics on the following topics:

    ✦ Windows

    ✦ UNIX

    ✦ Linux

    ✦ The World Wide Web

    ✦ E-mail

    ✦ Risk management

    ✦ Server applications

    ✦ Domain Name Systems (DNS)

    ✦ Communications security

    Other topics are aimed at providing the reader with insight into information assurance through clear and thorough tutorials on the latest information, including security assessment, evaluation, and testing techniques. This up-to-date and applicable knowledge will benefit practitioners in the commercial, government, and industrial sectors.


    Network Security Bible meets the needs of information security professionals and other individuals who have to deal with network security in their everyday activities. It is truly an all-inclusive reference that tells you why and how to achieve a secure network in clear and concise terms.

    The Five Parts of This Book

    Network Security Bible is organized into the following five parts:

    ✦ Part I: Security Principles and Practices

    ✦ Part II: Operating Systems and Applications

    ✦ Part III: Network Security Fundamentals

    ✦ Part IV: Communications

    ✦ Part V: The Security Threat and Response

    The flow of the material is designed to provide a smooth transition from fundamental principles and basic knowledge to the practical details of network security. In this manner, the text can serve as a learning mechanism for people new to the field as well as a valuable reference and guide for experienced professionals.

    Part I: Security Principles and Practices

    Part I provides a background in the fundamentals of information system security. Specifically, it comprises chapters on information system security principles, information system security management, and access control.

    ✦ Chapter 1: Information System Security Principles. It is important that the network security practitioner be intimately familiar with the fundamental tenets of information system security, particularly the concepts of confidentiality, integrity, and availability (CIA). These topics are explained in detail in this chapter and then related to threats, vulnerabilities, and the possible impacts of threats realized. After covering these basic topics, the formal processes of systems engineering (SE), information systems security engineering (ISSE), the systems development life cycle (SDLC), and the relationship of network security to the SDLC are explained. These subject areas provide the reader with an excellent understanding of applying standard rules to incorporate information system security into system development activities. These skills are particularly valuable to individuals working in large companies that need the discipline provided by these methods and to government organizations required to apply formal information security approaches in their everyday operations.
