
Security+

KnowledgeNet Security+
Student Guide
Version 1.0
© 2003 KnowledgeNet.com, Inc. All Rights Reserved.
KNOWLEDGENET is a registered trademark; and the K DESIGN and THE BEST OF A NEW BREED are trademarks
of KnowledgeNet.com, Inc. All other trademarks are the property of their respective companies.
Copyright © 2003, KnowledgeNet.com, Inc. All rights reserved. KnowledgeNet Network+ i
MODULE 1 - HACKING, CRACKING, AND ATTACKS 1-1
Objectives 1-1
Outline 1-1
LESSON 1: WHY SECURITY IS NECESSARY 1-3
Why is Security Necessary? 1-5
Structured Threats 1-7
Unstructured Threats 1-8
Internal Threats 1-9
External Threats 1-10
Summary 1-11
LESSON 2: RECONNAISSANCE TECHNIQUES 1-13
Sniffing 1-15
Ping Sweeps 1-16
Port Sweeps 1-18
Evasive Sweeps 1-20
OS Identification 1-21
Summary 1-22
LESSON 3: ACCESS TECHNIQUES 1-25
Replay 1-27
Session Hijacking 1-28
Man-in-the-middle 1-29
Backdoor 1-30
Social Engineering 1-31
Technology Exploitation 1-32
Protocol Exploitation 1-33
TCP 1-34
UDP 1-36
ICMP 1-37
SNMP 1-38
SMTP 1-40
OS/System Hacks 1-41
Buffer Overflow 1-42
Cookies 1-43
Signed Applets 1-44
Weak keys 1-45
Mathematical 1-47
Birthday 1-48
Password Attacks 1-49
Brute Force Attacks 1-51
Dictionary Attacks 1-52
Summary 1-53
LESSON 4: DENIAL OF SERVICE ATTACKS 1-55
Spoofing 1-57
SYN Floods 1-58
Distributed Denial of Service (DDoS) 1-59
Malicious Code 1-60
Viruses 1-61
Trojan 1-62
Worms 1-63
Logic Bombs 1-64
Summary 1-65
MODULE 2 - MITIGATION TECHNIQUES 2-1
Objectives 2-1
Outline 2-1
LESSON 1: AUTHENTICATION 2-3
Overview 2-5
One way / Mutual 2-6
Username / Password 2-7
CHAP / PAP 2-8
Kerberos 2-10
One Time Passwords 2-11
Token Cards 2-12
Digital Certificates 2-13
Biometrics 2-14
Multi-Factor 2-15
Summary 2-16
LESSON 2: AUTHORIZATION 2-19
Overview 2-21
Mandatory Access Control 2-22
Discretionary Access Control 2-23
Role-based Access Control 2-24
Information Models 2-25
Clark-Wilson Model 2-26
Bell La-Padula Model 2-27
Biba Integrity Model 2-29
Summary 2-30
LESSON 3: ACCOUNTING 2-33
Overview 2-35
Logging 2-36
System Scanning 3-37
Monitoring 2-38
Summary 2-39
MODULE 3: HARDENING 3-1
Objectives 3-1
Outline 3-1
LESSON 1: NOS\OS HARDENING 3-3
Hardening - Overview 3-5
NOS/OS Hardening 3-6
Operating System Updates 3-7
Patching 3-8
Hot Fixes 3-9
Service Packs 3-10
Application Hardening 3-11
Web Servers 3-12
Email Servers 3-13
FTP Servers 3-14
DNS Servers 3-15
NNTP Servers 3-16
File/Print Servers 3-17
DHCP Servers 3-18
Data Repositories 3-19
Directory Services 3-20
Databases 3-21
Summary 3-22
LESSON 2: FILTERS/FIREWALLS 3-25
Filters/Firewalls 3-27
Layer 3 filtering 3-28
Proxy Servers 3-29
Stateful Filtering 3-30
Hardening 3-31
Architecture 3-20
Summary 3-32
LESSON 3: INTRUSION DETECTION SYSTEMS 3-35
Host-Based Intrusion Detection 3-37
Network-Based Intrusion Detection 3-38
Summary 3-39
LESSON 4: ORGANIZATION 3-41
Introduction 3-43
Physical Security 3-44
Access Control 3-46
Physical Barriers 3-47
Biometrics 3-48
Environmental Security 3-50
Wireless Cells 3-51
Location 3-52
Shielding 3-53
Fire Suppression 3-54
Disaster Recovery 3-56
Backups 3-57
Off-Site Storage 3-58
Secure Recovery 3-59
Alternate Sites 3-60
Disaster Recovery Plan 3-61
Business Continuity 3-62
Utilities 3-63
High Availability/Fault Tolerance 3-64
Policy and Procedures 3-66
Security Policy 3-67
Users Security Handbook (RFC2504) 3-68
Site Security Handbook (RFC2196) 3-69
Acceptable Use 3-70
Due Care 3-71
Privacy 3-73
Separation of Duties 3-74
Need to Know 3-75
Password/Certificate Management 3-76
SLA 3-78
Disposal/Destruction 3-78
HR Policy 3-79
Hiring 3-80
Termination 3-81
Code of Ethics 3-82
Honey Pots/Honey Nets 3-83
Summary 3-84
LESSON 5: FORENSICS 3-87
Introduction 3-89
Chain of Custody 3-91
Preservation of Evidence 3-92
Collection of Evidence 3-93
Incident Response 3-94
Summary 3-95
MODULE 4 - INFRASTRUCTURE ACCESS POINTS 4-1
Objectives 4-1
Outline 4-1
LESSON 1: LAYER 1 ACCESS POINTS 4-3
Coaxial Cable 4-5
Security Risks Associated with Coaxial Cable 4-6
UTP and STP 4-7
UTP and STP Pin Configuration 4-8
Fiber 4-10
Infrared 4-11
Radio Frequency 4-12
Microwave 4-13
Modems 4-14
Summary 4-15
LESSON 2: LAYER 2 ACCESS POINTS 4-17
Hubs and Switches 4-18
Wireless Access Points 4-19
Summary 4-20
LESSON 3: LAYER 3 ACCESS POINTS 4-23
Routers 4-24
Remote Access Servers 4-25
Firewalls 4-26
Summary 4-27
LESSON 4: LAYER 4 AND ABOVE 4-29
Proxy Servers 4-30
Workstations 4-31
Servers 4-33
Removable Media 4-34
Tapes 4-35
CDR and DVD-R 4-36
Removable Hard Drives 4-37
Diskettes 4-38
Flashcards 4-39
Smartcards 4-40
Summary 4-41
MODULE 5 - INFRASTRUCTURE PROTOCOLS 5-1
Objectives 5-1
Outline 5-1
LESSON 1: REMOTE ACCESS 5-3
PPP 5-5
PPTP 5-6
IPSec 5-7
Telnet 5-8
Secure Shell 5-9
TACACS+ 5-10
RADIUS 5-11
Wireless 5-12
802.11x 5-13
Wired Equivalent Privacy (WEP) 5-14
Wireless Application Protocol (WAP) 5-15
802.1x 5-16
WTLS 5-18
Extensible Authentication Protocol (EAP) 5-19
Lightweight EAP (LEAP) 5-20
EAP Over LANs (EAPOL) 5-22
Summary 5-23
LESSON 2: INTERNETWORK ACCESS 5-25
E-mail 5-27
MIME 5-28
S/MIME 5-29
PGP Technologies 5-30
E-Mail Vulnerabilities 5-31
SPAM 5-32
Hoaxes 5-33
SMTP Relay 5-34
Web 5-35
HTTP 5-36
HTTPS 5-37
Secure Sockets Layer (SSL) 5-38
Transport Layer Security (TLS) 5-39
Instant Messaging 5-40
Java 5-41
Active X 5-42
Common Gateway Interface (CGI) 5-43
8.3 Naming Convention 5-44
File Transfer 5-45
File Transfer Protocol (FTP) 5-46
S/FTP 5-48
Anonymous FTP 5-49
File Sharing 5-50
Directory 5-52
LDAP 5-53
Summary 5-54
MODULE 6 - INFRASTRUCTURE TOPOLOGIES 6-1
Objectives 6-1
Outline 6-1
LESSON 1: SECURITY ZONES 6-3
Intranet 6-4
Extranet 6-5
DMZ 6-6
Summary 6-7
LESSON 2: VLANS 6-9
LANs 6-11
VLANs 6-12
Summary 6-14
LESSON 3: NETWORK ADDRESS TRANSLATION 6-17
Network Address Translation (NAT) 6-18
Port Address Translation (PAT) 6-19
Summary 6-20
LESSON 4: TUNNELING 6-23
Tunneling 6-24
Internet Protocol Security (IPSec) 6-25
Basics of Cryptography 6-26
Hash Algorithms 6-28
Message Digest 5 (MD5) 6-29
Secure Hash Algorithm 1 (SHA-1) 6-30
Hash Message Authentication Code (HMAC) 6-31
Encryption Algorithms 6-32
Symmetric Encryption Algorithms 6-33
DES 6-34
3DES 6-35
Advanced Encryption Standard (AES) 6-36
Asymmetric Algorithms 6-37
RSA 6-38
DSA 6-40
Diffie-Hellman (DH) 6-41
Concepts of Cryptography 6-43
Integrity 6-44
Authentication of Endpoint 6-45
Data Integrity 6-46
Digital Signatures 6-47
Non-repudiation 6-48
Confidentiality 6-49
Public Key Cryptography 6-50
Digital Certificates 6-51
Certificate Authorities 6-52
Trust Models 6-53
Revocation 6-54
Certificate Policies 6-55
Certificate Practice Statement (CPS) 6-56
Summary 6-57
LESSON 5: KEY MANAGEMENT/CERTIFICATION LIFECYCLE 6-61
Overview 6-63
Centralized versus Decentralized 6-64
Storage and Distribution 6-66
Escrow 6-68
Expiration 6-70
Revocation 6-71
Suspension 6-72
Recovery 6-73
Renewal 6-75
Destruction 6-76
Key Usage 6-77
Summary 6-78
MODULE 7 - INFRASTRUCTURE MANAGEMENT 7-1
Objectives 7-1
Outline 7-1
LESSON 1: PRIVILEGE MANAGEMENT 7-3
Overview 7-5
User/Group/Role Management 7-6
Single Sign-on 7-8
Centralized versus Decentralized 7-10
Auditing (privilege, usage, escalation) 7-12
MAC/DAC/RBAC 7-14
Summary 7-16
LESSON 2: RISK IDENTIFICATION 7-19
Overview 7-21
Asset Identification 7-22
Risk Assessment 7-24
Threat Identification 7-25
Vulnerabilities 7-27
Summary 7-28
LESSON 3: EDUCATION (TRAINING OF END USERS, EXECUTIVES, AND
HUMAN RESOURCES) 7-31
Overview 7-33
Communication 7-34
User Awareness 7-35
Training 7-36
Online Resources 7-37
Summary 7-38
LESSON 4: DOCUMENTATION 7-41
Overview 7-43
Standards and Guidelines 7-44
Systems Architecture 7-45
Change Documentation 7-46
Logs and Inventories 7-47
Classification/Notification 7-48
Retention/Storage/Destruction 7-49
Summary 7-50
Module 1 - Hacking, Cracking, and Attacks
Overview
Good administrators must know their competition. In this module we will explore some of the
different ways unauthorized access occurs and the security implications that open certain doors
to attack. This is by no means an exhaustive examination, and a great administrator must
continue to perform research to keep apprised of new techniques as they are developed.
Objectives
Upon completing this module, you will be able to:
Identify different types of security threats
Identify reconnaissance techniques
Identify access techniques
Identify Denial of Service (DoS) techniques
1-2 CompTIA Security+ Copyright © 2003 KnowledgeNet.com, Inc. All rights reserved.
Outline
The module contains these lessons:
Why Security is Necessary
Reconnaissance Techniques
Access Techniques
Denial of Service (DoS) Techniques
Why Security is Necessary
Overview
This lesson explains why security is necessary in today's networking environment.
Importance
The network/security administrator must know the tools hackers and crackers are using to
perform their various attacks.
Objectives
Upon completing this lesson, you will be able to:
Identify Structured Threats
Identify Unstructured Threats
Identify Internal Threats
Identify External Threats
Outline
This lesson includes these sections:
Overview
Structured Threats
Unstructured Threats
Internal Threats
External Threats
Summary
Assessment
Copyright © 2003 KnowledgeNet.com, Inc. All rights reserved. Hacking, Cracking, and Attacks 1-5
Why is Security Necessary?
This section provides an overview of what security can do for an organization.
This section deals with the question of why security is necessary. If you ask this question of
100 different security administrators, you will most likely receive 100 different answers, all
100 of which will be correct. So how do you define something with so broad an answer? You
cannot. Even if you define security itself, you will not have a clear definition of why security is
necessary. You and only you can answer that question, because only you know what is
important to your company and your company's goals.
Network security is not only about stopping someone from accessing confidential resources,
denying viruses entry to your enterprise, stopping spoofing attacks, and so on. Network security
must have a specific goal for your enterprise that must be achieved. For example, a network
that has no tolerance for downtime must have network components and business systems
available to your users at all times, no matter what happens. If your database contains hundreds
of thousands of credit card numbers, then authenticating and authorizing access to protected
servers and protecting your network from all forms of intrusion is necessary. However, security
does not stop there. What about stopping someone from walking into your building, sitting
down in front of a terminal, and accessing resources directly? Should you back up your database
off-site in case of a natural disaster? How are you going to protect the off-site database from
unauthorized personnel? Clearly, security is not a cut-and-dried subject.
Remember something very important as you go through this book. Security is relative: there is
no such thing as something being completely secure. If someone wants something you have badly
enough and they have the time, money, and resources available, they will obtain it. If they
cannot obtain the resource by knowledge or stealth, they will try a different method, such as
brute force. The point is you can never be certain your resources are secure. All you can do is
create layers of protection and be diligent in verifying and validating your security
implementations. This book will help you on your way to achieving these goals.
This book uses several terms you should understand. First, you must understand the difference
between hackers and crackers. Hackers are not the bad guys (although motion pictures would
have you think otherwise). Hackers are people who play around with software code in order to
understand how it works. They are not malicious, and in fact, they can often be very helpful.
More often than not, they find a problem or potential problem that someone motivated by
different reasons would use for different purposes.
Crackers are not trying to gain knowledge, but instead are motivated by a gain in wealth or
stature, or are just plain being mean. They want what others have and use technology to obtain
it. If they cannot obtain a given resource, they sometimes try to make it so nobody can get it
either (this is known as a denial of service attack). Crackers are the people from whom you must
protect your resources. They are smart, motivated, and knowledgeable in their art. You must
know the crackers' methodologies, tools, and strategies if you plan to stop their attacks on your
resources.
The first step in understanding security is recognizing the different types of threats you are
likely to see.
Structured Threats
This section introduces a method of attacking in which the perpetrator of the attack has a
certain goal in mind and the knowledge to achieve that goal.
Security administrators have to deal with many types of threats against their networks. The
most difficult to identify, discover, recognize, and stop are structured threats. Structured threats
can be characterized by an individual or organization that has one or more of the following:
- Intelligence support
- Extensive funding
- High level of knowledge in an area or areas
- Long-term goals
Crackers employ structured threats for a particular reason, for a particular goal, and aimed at a
particular resource. They have the time, money, and knowledge necessary to complete their
goal. For example, a programmer who knows a particular program (such as a typical web
server), finds a 'hole' in the software, and creates a script to slip through this hole is using a
structured attack. After applying the script, the cracker has access to everything the server has
privileges to. The program could be anything, such as a financial package or a database. The
main point is that a structured attack is geared at a particular goal, and the cracker has the
knowledge to achieve that goal.
Unstructured Threats
This section introduces an attack method in which the perpetrator has limited attacking
knowledge and skills, but instead uses tools built by others.
Unstructured threats are brought about by people who do not have specific knowledge of
attacks or how to create attack tools. These attacks involve tools that are readily available on
the Internet. The attackers usually have no goal in mind other than an interest in seeing if they
can get a specific tool to work. Crackers of this sort are sometimes called "script kiddies."
An example of a typical unstructured attack is a high school student visiting a "hacking" site,
downloading a tool, and using that tool to attack his high school web site.
Unstructured threats cover the vast majority of attacks that occur on the Internet and are usually
the easiest to counter. The problem security administrators have is locating the structured
attacks, which can easily hide in the deluge of unstructured attack traffic.
Internal Threats
This section covers a type of attack where the perpetrator has privileges inside a company's
network and exploits those privileges to achieve their goals.
Internal threats are characterized by people who already have access to a company's internal
resources. Authorized users, including your employees, partners, and especially ex-employees,
pose the single largest threat to a company's well-being. In fact, Gartner estimates that "70% of
security incidents that actually cause loss to enterprises, rather than mere annoyance, involve
insiders."
Your company can spend hundreds of thousands of dollars on firewalls, perimeter routers,
token cards, intrusion detection systems, and anti-virus software, but company employees still
pose the single largest threat to its resources and assets. Protection from within is just as
important as protection from outside intruders.
An example of an internal threat is a former network manager whose authentication and
authorization privileges to the network equipment were never revoked. The ex-employee can
log into the equipment and schedule each router to reboot 2 minutes after the last router
reboots. In a network with hundreds of routers it could possibly take hours before the network
stabilizes to the point where critical traffic can pass. This could potentially result in the loss of
thousands to hundreds of thousands of dollars in downtime.
External Threats
This section covers a type of attack where the perpetrator of the attack does not have privileges
to a company's resources, but instead uses tools and knowledge to intrude and gain access or
cause an unwanted effect to take place.
External threats can be characterized as those attacks coming from an unauthorized source,
directed by unauthorized personnel at some type of internal resource. Most, if not all, of the
malicious traffic hitting your perimeter routers is from some type of external threat. Many of
these attacks are easily thwarted, while some are not.
An example of an external attack is a cracker who wants to obtain the code to his competitor's
anti-sniffing software at FindTheSniffers, Inc. He does not have authentication or authorization
privileges, yet he carries out many types of attacks in order to break into and obtain the code to
his competitor's software.
Summary
This section summarizes the key points discussed in this lesson.
Internal Threats
External Threats
Structured Threats
Unstructured Threats
Next Steps
After completing this lesson, go to:
Reconnaissance Techniques
Lesson Assessment
Q1) The most common threat to an enterprise network comes in the form of which type of
threat?
A) Internal threat
B) External threat
C) Structured threat
D) Unstructured threat
Q2) Cracker Joe, who is currently working for ABC Company, writes a script to search the
company's Oracle database for confidential information. What type of threat is Cracker
Joe?
A) Internal threat
B) External threat
C) Structured threat
D) Unstructured threat
Q3) Jane is a seasoned programmer for XYZ Company. At home, in her spare time, she
searches the web for cracking software. She downloads a particular exploit and uses it
against her company's web servers. What type of threat is Jane considered to be?
A) Internal threat
B) External threat
C) Structured threat
D) Unstructured threat
Q4) Script kiddies are considered which type oI threat?
A) Internal threat
B) External threat
C) Structured threat
D) Unstructured threat
Reconnaissance Techniques
Overview
Before experienced crackers openly begin attacking a network, they will first attempt to map
out which devices are active, what their IP addresses are, and what type of services they are
running. In other words, they will perform reconnaissance of the target, whether it is a stand-
alone server or an entire company.
Importance
Knowing the reconnaissance techniques used by attackers will help you identify what systems are
being targeted, how they might be targeted, and warn of possible future attacks.
Objectives
Upon completing this lesson, you will be able to:
Identify what sniffers are and what they can do
Identify what ping sweeps are
Identify what port sweeps are
Identify evasive sweeps
Identify OS identification techniques
Outline
This lesson includes these sections:
Overview
Sniffing
Ping Sweeps
Port Sweeps
Evasive Sweeps
OS Identification
Summary
Assessment
Sniffing
This section covers the technique of information gathering whereby the cracker passively
listens on the 'wire' for certain phrases, such as "username" or "password."
A packet sniffer is a device that eavesdrops on computer conversations. Packet sniffers function
similarly to FBI wiretaps, except the sniffer works over a computer medium such as Ethernet or
wireless radio waves. The data collected by a sniffer is just a bunch of 1's and 0's strung
together. That is why sniffers also come bundled with a decoder, which converts the binary 1's
and 0's into readable form. This decoding is called protocol analysis and is the heart of any
network-sniffing device.
Sniffing is becoming less prevalent as more and more companies move toward switched
layer 2 networks, which are much less prone to sniffing. In a normal multi-access environment,
all data on the wire is 'seen' by all workstations attached to the central hub, but only the two
'speaking' partners will actually accept the information on the wire. Sniffers work on a
promiscuous basis, meaning they will accept any information on the wire, whether intended for
the NIC or not. On switched layer 2 networks, data is only sent between the two speaking
peers, which means that unless the sniffer is directly connected to one of the two wires, it will
never obtain the information.
Crackers sniff network media in an attempt to gather clear-text passwords or obtain other types
of sensitive information. Network administrators use sniffers also, but in more benign ways.
They use sniffers for fault analysis, performance analysis, and intrusion detection, to name a
few.
Ngrep, Ethereal, Packet Inspector, and Dsniff are all examples of sniffing programs.
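A defender's counterpart to the promiscuous mode described above, added here as an example that is not part of the KnowledgeNet guide: on Linux the kernel publishes each interface's flag word in /sys/class/net/<interface>/flags as a hexadecimal string, and bit 0x100 (IFF_PROMISC, defined in <linux/if.h>) is set while any process holds the interface in promiscuous mode. Checking that bit on every host is one way to notice a sniffer that should not be there. The flag values and interface names below are constructed; read_sysfs_flags() reads the real files only when run on a Linux host, and the idea of an "expected" list of interfaces where an approved IDS sensor is allowed to sniff is an assumption for the example.

```python
"""Report network interfaces that are in promiscuous mode (added example).

Linux-specific: reads the raw interface flag word the kernel publishes in
/sys/class/net/<iface>/flags. IFF_PROMISC (0x100) comes from <linux/if.h>.
"""
import os

IFF_UP = 0x1
IFF_LOOPBACK = 0x8
IFF_PROMISC = 0x100  # set while any process keeps the interface promiscuous

# Constructed sample: flag words as they would be read from sysfs. eth1 has the
# 0x100 bit set, as it would while a sniffer is capturing on it.
SAMPLE_FLAGS = {
    "lo": "0x9",       # UP | LOOPBACK
    "eth0": "0x1003",  # UP | BROADCAST | MULTICAST
    "eth1": "0x1103",  # UP | BROADCAST | MULTICAST | PROMISC
}


def parse_flags(flags_text):
    """Convert the sysfs text (for example '0x1103\\n') into an integer."""
    return int(flags_text.strip(), 16)


def is_promiscuous(flags_text):
    return bool(parse_flags(flags_text) & IFF_PROMISC)


def find_promiscuous(flags_by_iface, expected=()):
    """Return the names of promiscuous interfaces, skipping those in `expected`
    (assumed: interfaces where an approved IDS sensor is known to capture)."""
    return sorted(
        name for name, text in flags_by_iface.items()
        if is_promiscuous(text) and name not in expected
    )


def read_sysfs_flags(sysfs_root="/sys/class/net"):
    """Read the flag word of every interface on a Linux host; empty elsewhere."""
    result = {}
    if not os.path.isdir(sysfs_root):
        return result
    for name in os.listdir(sysfs_root):
        path = os.path.join(sysfs_root, name, "flags")
        try:
            with open(path) as fh:
                result[name] = fh.read()
        except OSError:
            continue  # interface vanished or flags file not readable
    return result


if __name__ == "__main__":
    live = read_sysfs_flags() or SAMPLE_FLAGS
    for iface in find_promiscuous(live):
        print(f"{iface}: promiscuous mode is ON")
```

Run periodically from a host-monitoring job, the check answers the assessment's question about a NIC placed in promiscuous mode from the other side: which of your hosts is currently doing it. It does not see a sniffer on a machine you do not manage, which is why the switched-network argument in the text still matters.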
Ping Sweeps
This section covers the information gathering technique of discovering active devices on a
network.
Pinging allows you to answer a single question: is the device being pinged alive? If it responds
to the ping request, it is. Pings are usually used on networks for troubleshooting purposes. Pings to
a single host can determine if that host is alive or not, and ping sweeps ping multiple hosts to
determine which hosts are alive. Network administrators, hackers, and crackers alike use this
technique for the same purpose: to map which systems are alive in a particular network.
Ping sweeps (also known as ICMP sweeps) consist of sending ICMP echo request packets to
each destination IP address on a particular network. All IP-based systems are configured to
respond to these ICMP echo requests with ICMP echo replies. Any systems that respond are
alive and running on the network, and those that do not reply are either turned off, not
configured for IP, have had the ICMP echo request blocked before it reached them, or have a
network issue such as a disconnected cable.
Crackers use ping sweeps to determine which hosts are alive. This is one of the first phases
used in the cracking process. Once the cracker determines which machines are physically
connected, the cracker can determine what services each device is running.
You can stop machines from responding to ping requests by blocking ICMP echo requests at
the router. But remember, if you do so, you will not be able to ping any host when
troubleshooting your own network. Also, crackers can determine if a host is available using
other techniques, such as ICMP timestamp requests or ICMP address mask requests.
In general, network administrators allow ICMP echo requests within their network, but block
them inbound at their border routers. This allows them to ping within their network, but blocks
outside attempts to ping inside the internal network.
fping, Network Sonar, Ping Sweep, and Pinger are some examples of pinging utilities.
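The defender's side of a ping sweep is recognizing one in the border router's or firewall's logs: one source address sending ICMP queries to many distinct hosts in a short time. The detector below is an added example, not part of the guide; its log format, addresses and thresholds are constructed for the example. It also counts the ICMP timestamp and address-mask requests the text names as alternatives, so a sweep that avoids echo requests is still seen.

```python
"""Detect ICMP host-discovery sweeps in firewall log lines (added example)."""
from collections import defaultdict
from datetime import datetime

# ICMP query types usable for host discovery: echo (the classic ping) plus the
# timestamp and address-mask requests the guide mentions as alternatives.
DISCOVERY_TYPES = {"echo-request", "timestamp-request", "address-mask-request"}

# Constructed sample log in a simplified "<ts> ICMP <src> > <dst> <type>" format
# (not a real capture). 203.0.113.9 sweeps six hosts in two seconds,
# 198.51.100.4 sweeps five hosts with timestamp requests, and 192.0.2.50 is an
# administrator pinging one box twice.
SAMPLE_LOG = """\
2003-05-01T10:00:00 ICMP 203.0.113.9 > 192.0.2.1 echo-request
2003-05-01T10:00:00 ICMP 203.0.113.9 > 192.0.2.2 echo-request
2003-05-01T10:00:01 ICMP 203.0.113.9 > 192.0.2.3 echo-request
2003-05-01T10:00:01 ICMP 203.0.113.9 > 192.0.2.4 echo-request
2003-05-01T10:00:02 ICMP 203.0.113.9 > 192.0.2.5 echo-request
2003-05-01T10:00:02 ICMP 203.0.113.9 > 192.0.2.6 echo-request
2003-05-01T10:00:30 ICMP 192.0.2.50 > 192.0.2.1 echo-request
2003-05-01T10:00:40 ICMP 192.0.2.50 > 192.0.2.1 echo-request
2003-05-01T10:02:00 ICMP 198.51.100.4 > 192.0.2.1 timestamp-request
2003-05-01T10:02:00 ICMP 198.51.100.4 > 192.0.2.2 timestamp-request
2003-05-01T10:02:01 ICMP 198.51.100.4 > 192.0.2.3 timestamp-request
2003-05-01T10:02:01 ICMP 198.51.100.4 > 192.0.2.4 timestamp-request
2003-05-01T10:02:02 ICMP 198.51.100.4 > 192.0.2.5 timestamp-request
2003-05-01T10:05:00 ICMP 203.0.113.9 > 192.0.2.7 echo-request
"""


def parse_line(line):
    """Split one log line into (timestamp, proto, src, dst, icmp_type)."""
    ts, proto, src, _arrow, dst, kind = line.split()
    return datetime.fromisoformat(ts), proto, src, dst, kind


def detect_sweeps(log_text, window_seconds=60, min_targets=5):
    """Return {source: set_of_targets} for every source that sent ICMP discovery
    queries to at least `min_targets` distinct hosts within `window_seconds`."""
    queries = defaultdict(list)  # src -> [(timestamp, dst), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, proto, src, dst, kind = parse_line(line)
        if proto == "ICMP" and kind in DISCOVERY_TYPES:
            queries[src].append((ts, dst))

    sweeps = {}
    for src, hits in queries.items():
        hits.sort()
        # Slide a window starting at each query; flag on the first window that
        # reaches the threshold of distinct destination hosts.
        for i, (start, _) in enumerate(hits):
            targets = {dst for ts, dst in hits[i:]
                       if (ts - start).total_seconds() <= window_seconds}
            if len(targets) >= min_targets:
                sweeps[src] = targets
                break
    return sweeps


if __name__ == "__main__":
    for src, targets in detect_sweeps(SAMPLE_LOG).items():
        print(f"possible sweep from {src}: {len(targets)} hosts probed")
```

The thresholds are the tuning knobs: a monitoring system that pings every host once a minute will trip a 5-hosts-in-60-seconds rule, so either raise the threshold for known monitoring addresses or exclude them, as the `expected` style of allowlist would.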
Port Sweeps
This section discusses a method in which a person attempts to map which services are running
on a particular host or hosts.
Port sweeps are used to determine which services are active on a particular host. In the
evolution of an attack, the cracker first determines which servers are alive and reachable on the
network. This was performed using the ping sweep. Now that the cracker knows which IP
addresses he can attack, he will perform a port sweep on the systems that are alive. In this way,
the cracker can methodically map which services are running on particular hosts. After gaining
this information, the cracker will then attempt to attack vulnerabilities in the active services.
Services on hosts are tied to port numbers. A single host can listen on any of 65536 possible
ports. Those ports are divided into three ranges.
Common Ports - Well-known ports have been assigned by the IANA for specific usages that
everyone should know and use. They are in the range 0 to 1023. Some examples include:
- FTP (control) TCP port 21
- SSH TCP port 22
- Telnet TCP port 23
- Domain UDP port 53
- www-http TCP port 80
Registered Ports - Registered ports fall in the range 1024 to 49151. An application developer
can attempt to obtain a registered port by submitting an application to the IANA.
Dynamic/Private Ports - Private or dynamic ports are those that fall in the range 49152 to
65535. They can be used by anyone for private use with their applications.
It is important to remember that a port can only be attacked when a service is active on that
port. If the service is not running and not listening, it cannot be attacked. One of the first steps in
securing a device is to turn off all unnecessary services. If you have a web server running, it
needs to listen on TCP port 80. It should not be listening on any other port, as you will introduce
the possibility of an attacker gaining access on that port.
An example of a port sweep is if you wish to make sure that all unnecessary services on your
web server have been turned off. You can run a port scanning utility against the web server to
verify that only TCP port 80 is listening. If you find other services listening, you will need to
research how to disable them.
Nmap, Nessus, IPEye, and SuperScan are all examples of port scanning utilities.
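The verification step just described can also be done from the host itself, without a scanner: list the sockets that are actually in LISTEN state and compare them with the ports the server is supposed to offer. The audit below is an added example, not code from the guide. Its socket listing is constructed in the column layout printed by the Linux `ss -ltn` command, the "web server should expose only TCP 80" allowlist is the assumption taken from the text, and each finding is labelled with the IANA range from the list above.

```python
"""Audit listening TCP ports against an allowlist (added example)."""
import subprocess

# Constructed sample in the layout of `ss -ltn` on Linux (not a real capture).
SAMPLE_LISTING = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       70      127.0.0.1:3306       0.0.0.0:*
LISTEN  0       511     [::]:8080            [::]:*
"""

LOOPBACK = {"127.0.0.1", "[::1]"}


def port_range(port):
    """Name the IANA range a port belongs to (the three ranges in the text)."""
    if 0 <= port <= 1023:
        return "well-known"
    if 1024 <= port <= 49151:
        return "registered"
    if 49152 <= port <= 65535:
        return "dynamic/private"
    raise ValueError(f"not a valid port number: {port}")


def parse_listeners(listing):
    """Return [(local_address, port), ...] for every LISTEN line."""
    listeners = []
    for line in listing.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _sep, port = fields[3].rpartition(":")  # handles [::]:8080 too
        listeners.append((addr, int(port)))
    return listeners


def audit_listeners(listing, allowed_ports):
    """Return one finding per listener whose port is not in allowed_ports.
    A loopback-only listener is reported as 'info' because it is not reachable
    from the network; anything else outside the allowlist is 'unexpected'."""
    findings = []
    for addr, port in parse_listeners(listing):
        if port in allowed_ports:
            continue
        findings.append({
            "addr": addr,
            "port": port,
            "range": port_range(port),
            "severity": "info" if addr in LOOPBACK else "unexpected",
        })
    return findings


def current_listing():
    """Run ss on the local host; fall back to the sample if it is unavailable."""
    try:
        return subprocess.run(["ss", "-ltn"], capture_output=True,
                              text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return SAMPLE_LISTING


if __name__ == "__main__":
    # Assumption from the text: a web server should expose only TCP 80.
    for f in audit_listeners(current_listing(), allowed_ports={80}):
        print(f"{f['severity']:10} {f['addr']}:{f['port']} ({f['range']} range)")
```

The host-side view and an external scan complement each other: the scanner shows what the network can reach through any intervening filters, while the socket list shows what would become reachable if a filter were removed. Both should agree with the allowlist.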
Evasive Sweeps
This section covers the topic of performing sweeps in an evasive manner, which crackers use to
provide some measure of self-protection from being noticed as an attack on the network.
A problem crackers have seen when scanning networks is the fact that their activity can be
easily logged and tracked when a connection is made to a particular host. In an attempt to evade
detection, crackers exploit some weaknesses that can help them avoid detection. These evasive
scan techniques are called stealth scans. They work by never making a connection, and thus not
leaving a 'fingerprint'. A connection is created when a full 3-way handshake is completed
(SYN -> SYN/ACK -> ACK).
Some stealth scans hide the actual attack in a deluge of 'garbage' packets, some perform
attacks over time to hide their trail, but the most effective type of stealth scans are those that
take advantage of known protocol weaknesses, such as SYN and FIN stealth scans. In these
scans, the attacker takes advantage of the way errors are handled in an IP-based host. The
cracker sends a modified packet to the host he is trying to gather information about. For
example, he might set the FIN flag in the TCP header, which tells the receiving host to close
the connection. The receiving host, which has never made a connection to the cracker's
workstation, believes this to be an error in communication. Thus, it sends an error message to
the cracker if the TCP service port is unavailable, or it simply ignores the packet if the service
is available. Either way, no connection is made, which means a log message is never generated,
but the cracker now knows whether a particular service is running on the target host.
Nmap, IPEye, SuperScan, and AWSPS are examples of evasive port scanning utilities.
OS Identification
This section describes a technique hackers use to try to determine which Operating System a target
system is running.
In order for a cracker to effectively generate attacks against a target system, he must know which
Operating System the target is running. Otherwise, he will perform many more attacks on the
system, which dramatically increases his chances of being detected. Discovering the Operating
System running on a target system is often referred to as enumeration, and it can enable a
cracker to compromise a system in a relatively short amount of time. Why? Because the more a
cracker knows about a target system, the greater his chances are of achieving a successful
attack. All he would have to do is match the Operating System against a list of known
vulnerabilities.
In the past, you could determine a host's operating system with a simple ping. The OS would
display in the ping results. You could also try banner grabbing, where you examine the
response from certain services like Telnet, FTP, or HTTP. Different operating systems would
give different responses, which made it easy to identify which was which.
Today, crackers use active stack fingerprinting to enumerate an OS by probing its stack. This
is similar to banner grabbing, except it is performed on the IP stack. This process works
because different programmers implemented the IP standards in different fashions. For
example, if a cracker sends a TCP packet to a target with the TCP FIN flag set, the standard
says the OS should not reply. However, some implementations, such as Microsoft Windows
NT, return a FIN/ACK, while others might send a RST. By actively probing the stack you can
determine which OS the target is running.
Nmap and Queso are examples of OS identification utilities.
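The evasive sweeps section and the active stack fingerprinting section rest on the same observation: the probe segment arrives outside any TCP handshake, so the application never sees a connection and never logs it. A stateful firewall or network IDS sitting in front of the host can still see it, because a segment with no SYN ahead of it for that source and port has no legitimate reason to exist. The detector below serves both sections; it is an added example, not from the guide, and works over constructed packet records rather than a live capture. NULL, FIN and XMAS are the conventional names for those flag combinations, and the record format is an assumption for the example.

```python
"""Flag TCP segments that arrive outside any handshake (added example)."""
from collections import defaultdict

# Flag combinations a normal TCP stack never sends as the first segment of a
# conversation. Names are the conventional ones for these probes.
PROBE_SIGNATURES = {
    "NULL": frozenset(),
    "FIN": frozenset({"FIN"}),
    "XMAS": frozenset({"FIN", "PSH", "URG"}),
}

# Constructed packet records seen by a sensor in front of a protected host:
# (packet_no, source_ip, destination_port, set_of_tcp_flags). Packets 1-4 are a
# legitimate connection to port 80; 5-9 are lone segments with no handshake.
SAMPLE_PACKETS = [
    (1, "192.0.2.10", 80, {"SYN"}),
    (2, "192.0.2.10", 80, {"ACK"}),
    (3, "192.0.2.10", 80, {"PSH", "ACK"}),
    (4, "192.0.2.10", 80, {"FIN", "ACK"}),          # normal close, not a probe
    (5, "203.0.113.9", 22, {"FIN"}),                 # FIN probe
    (6, "203.0.113.9", 23, set()),                   # NULL probe
    (7, "203.0.113.9", 80, {"FIN", "PSH", "URG"}),   # XMAS probe
    (8, "203.0.113.9", 443, {"ACK"}),                # bare ACK: may predate the capture
    (9, "198.51.100.4", 25, {"PSH"}),                # odd flags, no handshake
]


def classify_probes(packets):
    """Return [(packet_no, src, dport, label), ...] for segments that belong to
    no flow that began with a SYN. Bare ACK segments are left alone because a
    long-lived connection may simply have started before the capture did."""
    flows_with_syn = set()
    findings = []
    for no, src, dport, flags in packets:
        flow = (src, dport)
        if "SYN" in flags:
            flows_with_syn.add(flow)  # handshake started; later segments are fine
            continue
        if flow in flows_with_syn or "ACK" in flags:
            continue
        label = next((name for name, sig in PROBE_SIGNATURES.items()
                      if frozenset(flags) == sig), "UNEXPECTED")
        findings.append((no, src, dport, label))
    return findings


def summarize_by_source(findings):
    """Roll findings up per source: how many probes and which ports were hit.
    One source touching several ports this way is a stealth port sweep or an
    OS fingerprinting run; the sensor cannot tell which tool sent it, and it
    does not need to."""
    per_src = defaultdict(lambda: {"probes": 0, "ports": set()})
    for _no, src, dport, _label in findings:
        per_src[src]["probes"] += 1
        per_src[src]["ports"].add(dport)
    return {src: {"probes": d["probes"], "ports": sorted(d["ports"])}
            for src, d in per_src.items()}


if __name__ == "__main__":
    found = classify_probes(SAMPLE_PACKETS)
    for no, src, dport, label in found:
        print(f"packet {no}: {label} probe from {src} to port {dport}")
    print(summarize_by_source(found))
```

The same logic is what a stateful filter enforces when it drops segments that do not belong to a tracked connection, which is why the text's "no log message is ever generated" holds for the application but not for the perimeter.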
Summary
This section summarizes the key points discussed in this lesson.
Sniffing
Ping Sweeps
Port Sweeps
Evasive Sweeps
OS Identification
Next Steps
After completing this lesson, go to:
Access Techniques
Lesson Assessment
Q1) A cracker wants to "scope" out which systems are alive on a particular network. What
type of tool would he use? (Provide examples.)
Q2) A cracker has identified a target web server. He would like to find a list of services
running on this server, but he wants to make sure the server does not log his activities.
What type of tool would he use? (Provide examples.)
Q3) Nmap and Queso are tools used to perform what type of activities?
Q4) A cracker writes code to place his wireless Network Interface Card in promiscuous
mode. What malicious activity is he attempting to perform?
Q5) What do crackers do and look for when performing OS identification techniques?
Access Techniques
Overview
After attackers obtain information about a network, host, or operating system, they next
attempt to obtain access in some manner. There are a myriad of access techniques that attackers
can use, but all are attempting to achieve the same objective, which is to obtain a resource (be it
a file, modification of a file, a password, or privilege level escalation).
Importance
Knowing what types of access attacks crackers use will enable you to defend against them more
thoroughly.
Objectives
Upon completing this lesson, you will be able to:
Describe access attacks such as replay, hijacking, and man-in-the-middle attacks
Identify social engineering attacks
Describe technology exploitation attacks
Describe password attacks
Outline
This lesson includes these sections:
Overview
Replay Attacks
Session Hijacking Attacks
Man-in-the-middle Attacks
Backdoor Attacks
Social Engineering Attacks
Technology Attacks
Password Attacks
Summary
Assessment
Replay
This section describes an access attack technique where an attacker captures traffic and
attempts to replay it at some future time.
Replay attacks are those attacks whereby an unauthorized third party obtains a valid
transmission of data and retransmits it at some later time. There are many types of replay
attacks, such as when a cracker sniffs a username and password on the wire, then uses them to
log into a domain or server. Another example is sniffing the wire to obtain a URL that contains
a session ID string. Here the cracker simply copies the URL into his web browser and gains
access to the service. The end user does not even have to be logged into the service for the
cracker to gain access, as long as the session ID has not expired.
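The two replay scenarios above, worked as an added example (this code is not from the guide). It models a server that checks a static password, which accepts a sniffed credential again later, beside a challenge-response server in the style of CHAP that binds each login to a one-time nonce, so that a captured response is useless. The shared secret and the nonce length are constructed for the example.

```python
import hashlib
import hmac
import os

SHARED_SECRET = b"constructed-shared-secret"  # assumed: the password both sides hold


class PlainPasswordServer:
    """Accepts a static credential: whatever a sniffer captured logs in again later."""

    def __init__(self, secret):
        self.secret = secret

    def login(self, message):
        return hmac.compare_digest(message, self.secret)


class ChallengeResponseServer:
    """Issues a fresh nonce per login; the client proves the secret with HMAC(secret, nonce).

    A captured response is bound to a nonce that is never reissued, so replaying it fails.
    """

    def __init__(self, secret):
        self.secret = secret
        self.outstanding = set()

    def challenge(self):
        nonce = os.urandom(16)  # constructed nonce size; must never repeat
        self.outstanding.add(nonce)
        return nonce

    def login(self, nonce, response):
        if nonce not in self.outstanding:
            return False  # unknown or already-used challenge
        self.outstanding.discard(nonce)  # one shot: the nonce is consumed here
        expected = hmac.new(self.secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(secret, nonce):
    """What the legitimate client sends back for a challenge."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def replay_demo():
    """Run both exchanges with an attacker who records the wire and replays it; return the outcomes."""
    # 1. Static password on the wire: the sniffer records the secret itself.
    plain = PlainPasswordServer(SHARED_SECRET)
    captured = SHARED_SECRET
    plain_legit = plain.login(captured)
    plain_replay = plain.login(captured)  # later: same bytes, still accepted

    # 2. Challenge-response: the sniffer records (nonce, response), not the secret.
    cr = ChallengeResponseServer(SHARED_SECRET)
    nonce = cr.challenge()
    resp = client_response(SHARED_SECRET, nonce)
    cr_legit = cr.login(nonce, resp)
    cr_replay = cr.login(nonce, resp)  # same nonce again: rejected
    cr_new_challenge = cr.login(cr.challenge(), resp)  # new nonce, old response: rejected
    return {"plain_legit": plain_legit, "plain_replay": plain_replay,
            "cr_legit": cr_legit, "cr_replay": cr_replay,
            "cr_new_challenge": cr_new_challenge}
```

The point of the second server is that nothing on the wire can be reused: the secret never travels, and each response is only valid for the nonce it answered.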
Session Hijacking
This section describes an attack where the cracker takes control of an already established session
while removing access from the legitimate user.
Session hijacking occurs when a cracker obtains some type of authentication token and uses it to
seize control of a legitimate user's session while the user is still logged in. The authentication
token can be obtained by sniffing, by brute force, or by reverse-engineering the way tokens are
generated. When an attacker successfully accesses a user's active session without proper
identification, the legitimate user usually loses all or part of the control of the hijacked session.
At the application level this type of attack can be as simple as pasting a URL into the cracker's
web browser or loading sniffed or stolen cookie data into the browser. It usually relies on a
couple of other access attack methods (replay and brute force).
A different type of session hijacking occurs at the TCP level: an attacker sends source-routed
packets to a destination Y, forged to appear to come from host X, which already has an open
session with Y. In this type of attack, the cracker has predetermined when X will have an open
session to Y, and what data needs to be inserted into the stream of packets being sent to Y.
Man-in-the-middle
This section describes a method of attack where an unauthorized third party places him or herself
in a position to capture packets from two or more actively communicating peers.
A man-in-the-middle attack occurs when a cracker is able to intercept and alter data as it passes
between two communicating peers. These attacks are usually directed at application protocols
running over TCP such as Telnet, rlogin, SMTP, FTP, HTTP, and others. They allow a cracker to
intercept confidential information, modify the data, then send that data on to the receiving party.
For example, if a cracker can obtain access to any router in the path between X and Y, he can
divert traffic between these victims to his local workstation. Once he has the data, he can
instruct his script to insert or remove data, then send it to the intended recipient. Neither X nor
Y has any way of knowing that their data has been tampered with, unless the protocol provides
end-to-end integrity protection.
Backdoor
This section explains a type of attack whereby a secret entrance into a service has been built in,
generated, or exploited in the native code.
A backdoor is code inserted into a program that allows access to the program without going
through the normal authentication or authorization procedures. A backdoor can be deliberately
created by the author of the program for troubleshooting purposes, inadvertently created by the
author, or inserted into the code by malicious software such as a Trojan horse, sometimes called
a backdoor virus.
A couple of examples of backdoor programs are the infamous Back Orifice and NetBus programs.
These programs allow anyone who knows the proper port number and password to gain remote
access to the host, giving them complete control over the system.
Social Engineering
This topic covers an access attack in which the cracker openly (under false pretenses) asks
for and receives confidential information.
Social engineering attacks are based on the fact that people trust each other. Using this fact as a
basis of attack is one of the most overlooked subjects in the security world. Awareness is the
best way to deter this type of attack. All employees in your company should have basic security
training so as not to fall victim to this type of attack.
Imagine a cracker does some reconnaissance of ABC Company and, by asking an HR
representative, learns that the CFO is named Stan Ree. He then walks into ABC Company,
pretends to have lost his badge, and is allowed into the facility by a friendly employee. He
finds an empty room with a computer already hooked up to the company network, and phones
the IT department pretending to be Stan Ree. He tells the IT department employee he forgot
his password and needs immediate access to the network to obtain a document for his big
meeting. The IT technician resets Stan Ree's password to one of the cracker's choosing. The
cracker can now use his regular hacking tools to obtain administrator status and create a few
administrator accounts. At this point, he can obtain remote access into the company using the
forged administrator accounts. This example should help you understand what is termed a social
engineering attack.
Technology Exploitation
This section explains a type of access attack where a cracker exploits technology services to
obtain access to confidential resources.
As a piece of technology evolves from a single idea into a robust, upgraded, and complete
package of services, it suffers from various weaknesses at different phases. Malicious users can
find those weaknesses and exploit them, which leads to the technology being updated or
patched to secure it again. However, crackers will still find weaknesses, either in the patched
code or in other parts of the original code. Both hardware and software fall victim to this
problem. There are always holes waiting to be exploited in any particular technology. They
may not be known today, but most certainly will be known tomorrow.
This section will deal with some of the better-known technologies, and how they have been
exploited for malicious use.
Protocol Exploitation
The protocol suite now known as Transmission Control Protocol/Internet Protocol (TCP/IP)
originated in 1973.
TCP/IP was not created with security in mind: in fact, open access was the primary concern
behind the creation of the protocol. In 1982 the DoD adopted TCP/IP as the standard for its
ARPANET project, and the ARPANET switched over to it on 1 January 1983. The ARPANET
would eventually give way to the National Science Foundation (NSF) backbone and the network
of networks we now call the Internet.
TCP/IP is a suite of protocols used to transmit data across local area networks (LANs), wide
area networks (WANs), and the Internet. The rest of this section covers a portion of the suite of
protocols that makes up TCP/IP.
The IP protocol itself is in its 4th revision, which is identified in the version field of every
IP packet. IP version 6 is in its implementation stage, but has not yet been deployed to any
large degree in the Internet.
TCP
Transmission Control Protocol (TCP) is a host-to-host layer 4 (transport) protocol that provides a
reliable, connection-oriented service for IP traffic.
TCP sessions have a well defined session establishment phase, which consists of a three-way
handshake. In this handshake, each host initializes its send/receive parameters (initial sequence
numbers, window sizes, and options) with its peer, so that both parties know exactly how data
transfer will proceed. To start the handshake, the initiator sends a synchronization (SYN)
segment to its peer. If the receiving host agrees to transfer data, it replies with an
acknowledgement (ACK). At this point the initiator's direction is synchronized, but TCP is a
full duplex protocol, which means that the receiver must perform the same synchronization
(SYN) request and receive an acknowledgement (ACK) in return.
The process would look something like:
Initiator ------> SYN Receiver (Start one way session establishment)
Initiator ACK <------ Receiver (One way session established)
Initiator SYN <------ Receiver (Start one way session establishment)
Initiator ------> ACK Receiver (One way session established)
This looks like a four-way handshake, but if we combine the receiver's two separate messages
into a single message we get the following:
Initiator ------> SYN Receiver (Start one way session establishment)
Initiator SYN/ACK <------ Receiver (One way session established)
Initiator ------> ACK Receiver (Session established in both directions)
This is the complete session establishment three-way handshake (SYN, SYN/ACK, ACK).
After the session has been established, data transfer can take place.
When the initiator (or the receiver) has completed its data transfer, it sends a finish (FIN)
segment to the opposite host, which closes its direction of the session. The opposite end
acknowledges the FIN and, when it has finished sending, sends its own FIN to complete the
session close phase.
At a high level, this is how all TCP based sessions occur. However, there are other possibilities
that may occur during data transfer, such as a segment getting lost in transit, or making
sure a segment is not buffered on the receiving end (which introduces latency). Because of
these necessities (and some others), the TCP protocol has additional flags besides the three
already discussed (SYN, ACK, FIN). These are push (PSH), which tells the receiver to deliver
the segment directly to the application without buffering, the reset (RST) flag, which tells the
receiver to drop the connection, and the urgent (URG) flag, which marks a segment as high
priority.
Crackers can make use of the different TCP flags for reasons other than what the creators had
in mind. For example, we have already seen how crackers can perform stealthy port sweeps by
not following the three-way handshake rule. There are many other types of attacks that
target the TCP protocol, such as SYN floods (described later), ACK DoS attacks, and session
hijacking using TCP sequence number manipulation, to name a few.
Attacks against TCP are not limited to the TCP flags, but extend to any portion of the
TCP protocol itself, such as TCP sequence numbers, acknowledgement numbers, header length,
window size, and so on.
TCP is identified as protocol number 6 in the protocol field of the layer 3 (IP) header, which is
used to identify the layer 4 protocol carried in the packet.
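To make the handshake and flag handling concrete, here is an added example (not part of the guide) that builds and parses the 20-byte TCP header: it produces the SYN, SYN/ACK and ACK segments with their sequence and acknowledgement numbers, and also classifies what an open port sends back to the bare FIN probe described under OS Identification earlier in this module. Ports, initial sequence numbers and window size are constructed values; the checksum is left at zero because no IP pseudo-header is modeled.

```python
import struct

# Flag bits in the TCP header (RFC 793, low bit = FIN)
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def build_tcp_header(src_port, dst_port, seq, ack, flags, window=8192):
    """Serialize a minimal 20-byte TCP header (no options; checksum left at 0).

    `flags` is an iterable of names such as ("SYN",) or ("SYN", "ACK").
    """
    flag_bits = 0
    for name in flags:
        flag_bits |= TCP_FLAGS[name]
    data_offset = 5  # header length in 32-bit words: 5 words = 20 bytes
    offset_flags = (data_offset << 12) | flag_bits
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       offset_flags, window, 0, 0)


def parse_tcp_flags(header):
    """Return the set of flag names set in a raw TCP header."""
    offset_flags = struct.unpack("!H", header[12:14])[0]
    return {name for name, bit in TCP_FLAGS.items() if offset_flags & bit}


def seq_ack(header):
    """Return the (sequence, acknowledgement) numbers from a raw TCP header."""
    return struct.unpack("!II", header[4:12])


def handshake(client_isn, server_isn):
    """Return the three segments of a SYN / SYN-ACK / ACK handshake (constructed ports)."""
    syn = build_tcp_header(40000, 80, client_isn, 0, ("SYN",))
    syn_ack = build_tcp_header(80, 40000, server_isn, client_isn + 1, ("SYN", "ACK"))
    ack = build_tcp_header(40000, 80, client_isn + 1, server_isn + 1, ("ACK",))
    return [syn, syn_ack, ack]


def fin_probe(dst_port):
    """The bare FIN segment an OS-fingerprinting tool sends to an open port."""
    return build_tcp_header(40001, dst_port, 1234, 0, ("FIN",))


def classify_fin_probe_response(response):
    """Interpret what an open port sent back after a bare FIN probe.

    None  -> silent, as RFC 793 requires
    RST   -> a stack that resets on stray FINs (the classic non-RFC fingerprint hint)
    other -> reported for the analyst
    """
    if response is None:
        return "no reply (RFC 793 behaviour)"
    flags = parse_tcp_flags(response)
    if "RST" in flags:
        return "RST (non-RFC stack, e.g. older Windows)"
    return "unexpected: " + "/".join(sorted(flags))
```

Real fingerprinting tools such as nmap send several such probes (FIN, SYN to a closed port, odd flag combinations) and compare TTL, window size and option ordering against a signature database; the classification above is the single FIN test from that set.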
UDP
The User Datagram Protocol (UDP) serves a function similar to TCP in that it is an IP transport
mechanism, but UDP serves different types of data flows.
There are situations where the full overhead of TCP is not needed. For example, streaming video
tolerates a few lost packets better than the delays that retransmission would introduce, so the
extra overhead of TCP is actually a burden.
UDP was created as a poor man's transport protocol. It is connectionless, meaning there is no
session establishment. There is no way for UDP to find out if datagrams have been lost in
transit. However, UDP does transmit data very fast in a very efficient manner.
Since UDP is much simpler than TCP, it can be implemented in a much smaller code footprint,
which leaves fewer places for stack bugs. Although there are many UDP based attacks, UDP is
much easier to guard against exploitation than its sibling TCP is. Note, though, that the lack of
a handshake makes UDP source addresses trivial to spoof.
The most common types of UDP attacks are UDP floods (bombs, storms) and malformed UDP
datagram attacks.
UDP is identified as protocol number 17 in the protocol field of the layer 3 (IP) header, which is
used to identify the layer 4 protocol carried in the packet.
ICMP
During normal traffic flow in a network, things sometimes go wrong: a link could fail, routing
tables could become outdated, or congestion could cause packets to be dropped, all of which can
cause havoc in the network. Network hosts and routers need a method of telling each other
about some type of failure or problem. That is why the Internet Control Message Protocol
(ICMP) was created (RFC 792).
ICMP messages are generally unsolicited messages generated by hosts or routers in response to
some anomaly in the network. For example, if a router receives a packet for which it has no
route, it will generate an error (Type 3, Destination Unreachable) to the source of the packet,
letting it know why the packet was not delivered to its requested destination. Other messages
are generated for other types of errors.
Crackers can take advantage of some of the features of ICMP to perform reconnaissance
attacks or Denial of Service attacks.
An example of a recon attack using ICMP is a simple ICMP echo (ping) to verify whether a
particular host is alive. An example of a DoS attack using ICMP is the legendary "Ping of
Death", where the cracker sends an ICMP echo as a series of IP fragments that reassemble to
more than the 65,535-byte maximum IP datagram size. The target system receives the fragments
and attempts to reassemble them according to its standard operating procedures. Since the
system has no method for dealing with this "impossible" packet, the reassembly buffer overflows
and the system crashes, causing any unsaved information to be lost. Fortunately, this was an easy
DoS attack to counter, and patches were released to stop it.
ICMP is identified as protocol number 1 in the protocol field of the layer 3 (IP) header, which is
used to identify the protocol carried in the packet.
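As an added example (not from the guide), the following Python builds an ICMP echo request with the standard Internet checksum, verifies it the way a receiver does, and then shows the check a reassembly routine needs in order to defeat the Ping of Death: rejecting a fragment set whose offset plus length runs past the 65,535-byte IP maximum. The fragment sizes, identifier and payload are constructed.

```python
import struct

IP_MAX_DATAGRAM = 65535  # RFC 791 total-length limit, including the IP header


def inet_checksum(data):
    """One's-complement checksum used by IP, ICMP, TCP and UDP (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(identifier, sequence, payload=b""):
    """Build an ICMP Echo Request (type 8, code 0) with a valid checksum."""
    header = struct.pack("!BBHHH", 8, 0, 0, identifier, sequence)
    checksum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, checksum, identifier, sequence) + payload


def icmp_checksum_ok(message):
    """A correct message sums to zero when the checksum field is included in the sum."""
    return inet_checksum(message) == 0


def reassembled_length(fragments):
    """Size of the data a list of (offset_bytes, payload_len, more_fragments) would reassemble to.

    Each tuple mirrors what a stack reads from the IP header: fragment offset (already multiplied
    by 8), payload length, and the MF flag.
    """
    end = 0
    for offset, length, _more in fragments:
        end = max(end, offset + length)
    return end


def is_ping_of_death(fragments, ip_header_len=20):
    """Flag a fragment set whose reassembled datagram would exceed the IP maximum.

    Ping of Death sends a final fragment whose offset plus length runs past 65,535 bytes; a stack
    that reserves a maximum-size buffer and never checks this overflows it.
    """
    return ip_header_len + reassembled_length(fragments) > IP_MAX_DATAGRAM


def constructed_ping_of_death():
    """A constructed fragment train in the classic shape: 1480-byte pieces, last one past the end."""
    frags = [(off, 1480, True) for off in range(0, 65120, 1480)]
    frags.append((65120, 1480, False))  # 65120 + 1480 = 66600 bytes of data
    return frags
```

The reassembly check is the actual fix shipped for the Ping of Death: before accepting a fragment, compare its end offset against the maximum datagram size instead of trusting the sender.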
SNMP
The Simple Network Management Protocol (SNMP) was created to facilitate network
management, performance management, troubleshooting, and easy maintenance for network
administrators.
SNMP was created to allow complete control of a device from a remote workstation.
Unfortunately, it was created with minimal security in place. A cracker could obtain complete
control of a device if he could in some way exploit the SNMP protocol itself.
Crackers found that they did not even have to crack the SNMP protocol to obtain complete
access to a device. SNMPv1 and SNMPv2c authenticate with two kinds of community strings: a
read-only community, usually defaulting to the name "public", and a read-write community,
usually defaulting to the name "private". To read SNMP variables (objects defined in a
Management Information Base, or MIB) the Network Management Station (NMS) sends the
proper community string in clear text in every request. Crackers using sniffers could monitor the
network for SNMP packets, pick any request, and read the community string out of it. The same
sequence of events gives up the read-write string. This made SNMP a very sought-after protocol
for crackers, especially on devices still configured with the default community strings.
SNMP is currently in its 3rd revision. SNMPv3 is a far more secure protocol, with per-user
authentication and encryption, but most administrators do not implement it because of the extra
burden it places on them. SNMPv2c remains in use in today's networks because of its ease of use
and powerful network management capabilities, even though the community strings are sent
across the network in clear text.
Wherever SNMP is implemented, administrators must know how crackers can exploit it and take
proper precautions: change the default community strings, restrict which management stations
may query the agent, and filter SNMP at the perimeter.
SNMP uses UDP port 161 for management requests and UDP port 162 for unsolicited SNMP
traps.
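The clear-text community string, as an added example not taken from the guide: a minimal BER encoder that produces an SNMPv1 GetRequest for sysDescr.0 (OID 1.3.6.1.2.1.1.1.0) with community "public", in the layout an NMS sends to UDP/161, and the handful of lines a sniffer needs to read the community string back out of the packet. The request-id is a constructed value.

```python
SYSDESCR_OID = (1, 3, 6, 1, 2, 1, 1, 1, 0)


def ber_length(n):
    """BER length: short form below 128, long form (0x80 | byte count) above."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, value):
    """Tag-length-value wrapper."""
    return bytes([tag]) + ber_length(len(value)) + value


def ber_integer(n):
    """Minimal two's-complement INTEGER for non-negative values (extra byte keeps the sign bit clear)."""
    body = n.to_bytes((n.bit_length() // 8) + 1, "big")
    return tlv(0x02, body)


def ber_oid(arcs):
    """OBJECT IDENTIFIER: first two arcs combined as 40*a+b, the rest base-128 with continuation bits."""
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def build_snmpv1_get(community, oid, request_id):
    """SNMPv1 message: SEQUENCE { version 0, community OCTET STRING, GetRequest-PDU [0] }."""
    varbind = tlv(0x30, ber_oid(oid) + tlv(0x05, b""))  # OID + NULL value
    pdu = tlv(0xA0, ber_integer(request_id) + ber_integer(0) + ber_integer(0)
              + tlv(0x30, varbind))  # request-id, error-status, error-index, varbind list
    return tlv(0x30, ber_integer(0) + tlv(0x04, community.encode()) + pdu)


def _read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the TLV starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def extract_community(packet):
    """What a sniffer sees: walk the outer SEQUENCE and return (version, community) in the clear.

    Returns None for anything that is not laid out like an SNMP v1/v2c message.
    """
    tag, body, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        return None
    vtag, version, pos = _read_tlv(body, 0)
    ctag, community, _ = _read_tlv(body, pos)
    if vtag != 0x02 or ctag != 0x04:
        return None
    return int.from_bytes(version, "big"), community.decode("ascii", "replace")
```

Because the community string is the second element of every v1/v2c message, one captured GetRequest, or one Set from the NMS, is enough; no cryptographic work is involved.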
SMTP
The Simple Mail Transfer Protocol (SMTP) was created to allow e-mail messages to be sent
between parties and is documented in the current standard, RFC 2821.
SMTP in its infancy (RFC 821) was designed as a mail transport and delivery protocol.
Security was not an issue. Crackers soon found that not only was the SMTP protocol itself very
easy to exploit, but the very nature of sending e-mail in clear text could produce extremely
valuable data to any malicious user with a sniffer.
SMTP attacks come in a variety of forms, from reconnaissance, sniffing, and spamming to
Denial of Service attacks. The protocol itself can be abused, as no authentication is required to
talk to the server. This means a cracker can Telnet to an SMTP server and, by typing simple
commands at the SMTP interface, send mail with a forged sender, enumerate valid accounts with
the VRFY and EXPN commands, relay spam through an open relay, and generally wreak havoc on
the system.
Sending large amounts of unsolicited e-mail using spoofed source e-mail addresses can
overwhelm a server to the point of exhausting its resources, causing a Denial of Service.
SMTP is one of the crackers' favorite protocols for obtaining confidential information, escalating
privileges through mail server bugs, and causing Denial of Service.
SMTP uses TCP port 25.
OS/System Hacks
Operating system hacks can be considered those attacks where the cracker attempts to obtain
privileged status by exploiting certain operating system characteristics, such as misconfigured
services, or by exploiting services or extensions that the OS itself uses.
A successful system exploit gives the cracker the same privilege level the service itself is
running at. For example, if a particular service is used to transfer sensitive data (say user
authorization data) internally for another service, it is often run with privileged or superuser
status. If a cracker can break into this service, he should be able to execute any command the
superuser account could.
Operating system hacks can be found for every operating system in today's networks, including
Windows, Palm devices, and firewalls. In general, the larger the OS code base, the more services
it performs, and the more likely the chance of discovering new vulnerabilities.
Buffer Overflow
Buffer overflows exist when a particular program attempts to store more information in a buffer
(a fixed-size area of memory) than it was intended to hold.
Since the buffer was only intended to hold a certain amount of data, the additional data
overflows into the adjacent area of memory. It is this adjacent memory that makes overflows
dangerous: on the stack it holds the saved return address of the function, and in the heap it
holds other data structures of the program.
For example, say a network service runs with superuser privilege and copies input from the
network into a fixed-size buffer without checking its length. A cracker sends more data than the
buffer can hold. The excess overwrites the saved return address, so that when the function
returns, execution jumps into the cracker's own data rather than back into the program. The
cracker arranges for that data to contain machine code (often called shellcode), for example
code that binds a command shell to a particular port. When the program tries to return, the
injected code executes with the privilege of the process, in this case superuser. The cracker
needs only to connect to the port indicated above, and he will have a superuser level command
session from which he has complete control of the system.
Because the injected code inherits the privileges of the vulnerable process, buffer overflows in
services that run as root or SYSTEM are the most sought after by crackers. Bounds checking on
every copy into a fixed-size buffer, and running services with the least privilege they need, are
the basic defenses.
Cookies
Netscape developed a mechanism that helps alleviate the stateless nature of the HTTP
protocol. As users visit a particular web site, each HTTP request is treated as an entirely new
interaction. The web server has no idea whether a particular request is from a new client or from
an existing client viewing the site. This stateless behavior makes it difficult for web sites to
create things like shopping carts that must "remember" what items are being ordered. Cookies
were created to solve this problem.
Cookies are tiny pieces of text that many web sites place on your computer to help identify users
or store information, such as form data. Cookies themselves are recipients of information, but do
not gather information on their own. Cookies are written and read on your computer either by
JavaScript included in the HTML code or by Set-Cookie headers sent by server side programs.
Cookies can be used to store much more than harmless time-saving data, though. They can be
used to store confidential information or to track the movements you make through a web site or
sites. For this reason, many people do not like or allow cookies to be created on their system.
If cookies are used to store authentication parameters, session IDs and the like, they can greatly
assist the web server because the server never has to perform a database lookup; the browser
sends all the relevant information to the server with every request. However, cookies are sent in
clear text unless the connection uses SSL, and if a cracker sniffs the wire and obtains this
information, they have all the credentials they need to authenticate to the server as that user.
Signed Applets
Applets are small Java programs that perform certain functions for a particular web page.
They are usually packaged in files with the extension .jar, which stands for Java ARchive. Web
programmers create these easily downloaded applications to perform various functions on the
client, rather than have them executed on the server.
By default, applets run in a sandbox and have no access to local system resources: they cannot
read or write local files, and can open network connections only back to the host they were
downloaded from. This means they may execute any code as long as they do not try to access
local system resources. However, sometimes an applet needs to access local resources such as
system configuration files, but nobody wants a rogue application executing code at the local
access level on his or her computer. Here is where signed applets come in. A signed applet can
access local system resources as allowed by the local system's security policy. Applets are signed
with the private key of a developer whose certificate was issued by a trusted third party. If you
trust the third party, you implicitly trust the signed applet.
If an applet containing hostile code can be signed by a trusted source, it will then execute this
code at the local access level and perform any function the author had in mind. When the
signed applet attempts to run, the system displays a message asking whether it should execute
this applet. If the end user clicks "OK" because they believe it is reputable code, they give
complete system access to the cracker.
In addition to the above scenario, the code used to execute the applets can be susceptible to
exploitation. This code, the Java Virtual Machine, has seen many serious exploits where the
cracker can obtain access to all system resources.
Weak Keys
Data is usually encrypted using an algorithm such as DES, 3DES, or AES. To encrypt data, the
program runs a mathematical algorithm on the data using a key.
In this way, the data is jumbled into cipher text (gibberish), which can be correctly decrypted
only by using the same algorithm (in reverse) and the exact same key. These algorithms have so
far resisted practical cryptanalytic attack, which means that in order to obtain the confidential
data, crackers must perform a brute force attack on the key.
DES, which uses a key size of 56 bits, has 72,057,594,037,927,936 (2^56) different possible
key values, which we call the key space. 72 quadrillion was a formidable number in the 1970s
when DES was created, but the computing ability of today's hardware can search each and every
key in this key space in a relatively short period of time. In 1999, using a specially built machine
together with a distributed computing effort, the Electronic Frontier Foundation broke a DES
key in less than 24 hours.
Adding bits to the key increases its strength. Every bit you add doubles the size of the key
space. 3DES, a direct replacement for DES, uses the DES algorithm three times with up to three
keys, for a nominal 168-bit key. But, due to a meet-in-the-middle attack on the construction, the
effective strength of 3DES is about 112 bits. Still, 2^112 is a very, very large number. To this
day, no one has been able to brute force a 3DES key, and many have tried. But, with the
exponential advancement in CPU power, the 3DES key size will not last forever.
To deter brute force attacks on keys, use an algorithm with at least a 128-bit key. 2^128 is an
unimaginably large number. To put this number in perspective, assume a computer that can
search 1% of the DES key space in 1 second (this is not actually possible with today's
technology), so that it can search 60% of the key space in 1 minute. For this computer to search
1% of a 128-bit key space would take roughly 150 billion millennia; searching 50% of the key
space would take roughly 7.5 trillion millennia.
Mathematical
Cryptographic algorithms are based on very hard mathematical problems.
Cryptographers design these algorithms in an attempt to create secure algorithms without
vulnerabilities. Attempts to exploit weaknesses in these algorithms also use very hard math.
Mathematical attacks on the algorithms themselves are called cryptanalysis, and the attackers are
called cryptanalysts.
As weaknesses are found in algorithms, they are replaced by stronger algorithms. The stronger
ones make it into the software and hardware that protects our data. These algorithms have been
attacked from every angle by many different people, and have passed the test of time.
Birthday
There are types of mathematical attacks that do not attack the algorithms themselves, but
instead exploit probabilities. One such attack is the birthday attack.
This attack is based on the so-called "birthday paradox", which is well known in probability
theory. It says that if 23 or more people are gathered in a room, there are better than even
odds that some pair of them will share a birthday. The odds of a single person having the same
birthday as one other specific person are one in 365, but the number of pairs grows quickly as
the number of people increases, and any one of those pairs may match.
Birthday attacks are often used to find collisions in hash algorithms, such as MD5 and SHA-1:
two different messages with the same hash. For a hash with an n-bit output, a collision is
expected after roughly 2^(n/2) hashes, not 2^n, so the collision resistance of a hash is only half
its output length.
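An added example (not from the guide) that carries the arithmetic through: the exact probability of a shared birthday among n people, the 2^(n/2) birthday bound for an n-bit hash, and a miniature birthday attack that finds two different messages whose SHA-1 digests agree in their first 24 bits by storing prefixes until one repeats. The message format and random seed are constructed.

```python
import hashlib
import random


def collision_probability(samples, space):
    """Probability that at least two of `samples` draws from `space` equally likely values coincide."""
    p_distinct = 1.0
    for i in range(samples):
        p_distinct *= (space - i) / space
    return 1.0 - p_distinct


def birthday_bound(bits):
    """Hashes needed before a collision on an n-bit digest is more likely than not: about 1.18 * 2^(n/2)."""
    return int(1.1774 * 2 ** (bits / 2))


def digest_prefix(msg, bits):
    """The first `bits` bits of SHA-1(msg) as an integer: a stand-in for a small hash."""
    return int.from_bytes(hashlib.sha1(msg).digest(), "big") >> (160 - bits)


def find_truncated_collision(bits, seed=1):
    """Birthday attack in miniature against a `bits`-bit truncation of SHA-1.

    Hash random messages, remember each prefix, and stop at the first repeat.
    Returns (msg_a, msg_b, attempts).
    """
    rng = random.Random(seed)  # constructed seed so the run is repeatable
    seen = {}
    attempts = 0
    while True:
        attempts += 1
        msg = b"msg-%d" % rng.getrandbits(64)
        prefix = digest_prefix(msg, bits)
        if prefix in seen and seen[prefix] != msg:
            return seen[prefix], msg, attempts
        seen[prefix] = msg
```

With 24 bits the attack finishes after a few thousand hashes rather than the 16 million a preimage search would need; the same ratio is why a 128-bit MD5 offers only about 64 bits of collision resistance.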
Password Attacks
This section covers attacks whereby the cracker attempts to obtain valid usernames and
passwords, and through them privilege escalation.
Password attacks are those that crackers use to obtain a valid username and password to gain
access to an otherwise protected system, often as a route to privilege escalation. In most
operating systems there is one "superuser" account: in UNIX it is called "root", in Microsoft
Windows it is called "Administrator". Once a cracker has the root or Administrator password, he
has complete access to that system and all its resources.
Password attacks do not have to be aimed at the superuser account. Many times obtaining a
normal user account is all that is needed to obtain the confidential information the cracker is
after.
Password attacks come in a few different varieties, including sniffing. By sniffing the wire to
obtain usernames and passwords, the cracker can quickly gain entry into the sensitive part of
your network. For example, imagine an employee who knew he was going to be laid off soon.
He connects a wireless access point to a major hub in the company and hides it in the ceiling.
After the layoff, his account is disabled, but he connects to the access point and sniffs the wire
until he finds the superuser credentials the company uses to configure its primary servers. At this
point, he could cause incredible amounts of damage to the company in time, data, and costs.
Other types of password attacks can be directed remotely, but they require the cracker to try
many, many different usernames and passwords before a "hit" can be found.
Administrators attempt to counter password attacks by limiting the number of attempts that
can be made before the system locks the account out. Usually the administrator will limit the
number of attempts to some small value such as three. This can be a problem, as sometimes a
user will have Caps Lock on or may inadvertently use an old password. Once the three tries have
been made, IT must reactivate the user's account.
The above scenario can be avoided if the administrator allows additional tries, such as 10 or
even 20. Allowing 10 or 20 attempts at a particular account will not significantly increase a
cracker's chances of finding the correct password, as online guessing usually needs hundreds if
not thousands of attempts to succeed. Note that a lockout threshold also gives an attacker an
easy way to lock legitimate users out deliberately, so the lockout should be temporary rather than
permanent.
Brute Force Attacks
Brute force attacks occur when a cracker attempts to obtain the correct password for an account
by trying every conceivable value, hoping to stumble across the correct one.
For example, they may try Administrator with the password a, then a password of b, then c,
until they have tried every conceivable value for a single character. Next, they try aa, then ab,
and so on until they eventually stumble across the correct password.
Administrators have come up with ways to mitigate these types of attacks. One of the easiest is
to rename the Administrator account to something else. In this way the cracker must know two
things, the account name and the password. Administrators also use long passwords, often at
least eight characters. This helps because the number of possibilities grows exponentially with
length, so it takes far longer to brute force a password that is at least eight characters long.
Hopefully, the administrator will notice the attack and take steps to block the cracker.
Crackers also have ways of counteracting these defenses. Instead of attempting a brute force
attack directly against the live system, crackers first exploit some weakness in the OS to obtain
the hashed password database. This could be the shadow password file on UNIX or the SAM
database on Windows. Once they obtain this file, they perform an off-line attack against the
password hashes, where no lockout or logging can stop them.
Dictionary Attacks
Dictionary attacks are another form of brute force attack and take advantage of a well-known flaw in the password authentication scheme.
That flaw is the fact that many people use common words as the password for their account. Crackers exploit this fact by using a source of common words (the dictionary) to try to obtain a password for an account. They simply try every word in the dictionary until a match is found.
Dictionary attacks can be performed using ready-made username files and ready-made password files. In this modified dictionary attack, the cracker uses two database files, one with proper names and a second with common password phrases, such as letmein, admin, or super. The program will use the first proper name in the first database for the username field, then try each word in the common passwords file. If no match is made, the second proper name is used, and again all common passwords are attempted, and so on until a match is made.
Common brute force attacking utilities include L0phtCrack, Brutus, and John the Ripper.
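The two defensive controls the password attack discussion turns on, the lockout threshold (3 versus 10 attempts) and the rejection of dictionary words and short passwords, as an added example that is not part of the original guide. The user names, passwords and word list are constructed for the example.

```python
"""Added example: defensive counterparts to the password attacks above.

  * an account-lockout counter with a configurable attempt limit, tried
    with the 3-attempt and 10-attempt settings the text compares, and
  * a password-acceptance check that refuses the dictionary words and
    short passwords that dictionary and brute force attacks exploit.
All names, users and word lists here are constructed for the example.
"""
import hashlib
import hmac
import os

# Constructed "common password" dictionary; a real deployment loads a large
# word list of the kind a cracking tool would try first.
COMMON_PASSWORDS = {"letmein", "admin", "super", "password", "123456"}
MIN_LENGTH = 8          # the "at least eight characters" rule from the text


def hash_password(password, salt=None):
    """Salted PBKDF2, so a stolen password database still needs a slow
    offline attack per user rather than a simple lookup."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


class AccountLockout:
    """Counts consecutive failed logins per account and locks the account
    once max_attempts is reached; only an explicit reset (IT) unlocks it."""

    def __init__(self, users, max_attempts=10):
        # users: {username: plaintext} for enrolment only; stored as salted hashes
        self.store = {u: hash_password(p) for u, p in users.items()}
        self.max_attempts = max_attempts
        self.failures = {}
        self.locked = set()

    def login(self, user, password):
        if user in self.locked:
            return "locked"
        if user in self.store:
            salt, digest = self.store[user]
            _, candidate = hash_password(password, salt)
            # constant-time compare so timing does not reveal a partial match
            if hmac.compare_digest(digest, candidate):
                self.failures[user] = 0
                return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_attempts:
            self.locked.add(user)
            return "locked"
        return "denied"

    def reset(self, user):
        """What IT does to re-activate a locked account."""
        self.locked.discard(user)
        self.failures[user] = 0


def check_new_password(password):
    """Return the reasons a proposed password is rejected (empty means accepted)."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("found in common-password dictionary")
    return reasons


def caps_lock_scenario(max_attempts):
    """A legitimate user types the password with Caps Lock on three times,
    then correctly. Returns the four login results."""
    gate = AccountLockout({"alice": "Tr0ub4dor&3"}, max_attempts)
    results = [gate.login("alice", "tR0UB4DOR&3") for _ in range(3)]
    results.append(gate.login("alice", "Tr0ub4dor&3"))
    return results


if __name__ == "__main__":
    print("limit 3: ", caps_lock_scenario(3))    # locked out before the correct try
    print("limit 10:", caps_lock_scenario(10))   # correct try succeeds
    for pw in ("letmein", "Summer2003!"):
        print(pw, "->", check_new_password(pw) or "accepted")
```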
Summary
This section summarizes the key points discussed in this lesson.
Replay Attacks
Session Hijacking Attacks
Man-in-the-middle Attacks
Backdoor Attacks
Social Engineering Attacks
Technology Attacks
Password Attacks
Next Steps
After completing this lesson, go to:
Denial of Service Attacks
Lesson Assessment
Q1) NetBUS and BO are examples of which type of utility?
Q2) Describe the concept behind a birthday attack.
Q3) True or False: Cookies can be programmed to execute binary files.
Q4) Describe a buffer overflow exploit and why it is effective.
Q5) Give two types of password attacks and describe the differences between the two.
Q6) What protocol and ports do SMTP and SNMP use?
Denial of Service Attacks
Overview
Denial of Service attacks are carried out by crackers with the intent to stop legitimate users from accessing certain resources. Their intent is malicious and not designed to obtain information.
Importance
Denial of Service attacks are usually the most formidable attacks to deal with, as they usually involve very large amounts of traffic that may or may not "look" like valid transmissions on the wire. Knowing how these attacks are sculpted and executed will allow the network administrator to better deter them on their networks.
Objectives
Upon completing this lesson, you will be able to:
Describe what spoofing is and how it is accomplished
Describe SYN flood attacks and how they are accomplished
Describe Distributed Denial of Service (DDoS) attacks
Describe and understand viruses, Trojan horses, worms, and logic bombs
Outline
This lesson includes these sections:
Overview
Spoofing
SYN Floods
Distributed Denial of Service (DDoS)
Malicious Code
Summary
Assessment
Spoofing
This section covers an attack where the cracker attempts to disguise or hide his attack by masquerading as another host.
Crackers use spoofing attacks to impersonate another host. Sometimes the cracker is only trying to hide his own identity, and at other times the cracker wants to receive data that should go to someone else.
In a DNS spoofing attack, the target machine is fooled into thinking the attacker's system is the machine that the target is trying to contact. When the target issues a DNS query, the cracker intercepts it and replies with the spoofed IP address. The cracker can also tamper with the DNS server itself so that it responds with the spoofed IP address instead of the real one. Either way, the target receives a false IP address and attempts to contact it.
In a TCP takeover attack, the cracker attempts to insert malicious data into an existing TCP session between two hosts. In this type of attack, the cracker attempts either to inject false data into the conversation or to take over the session completely. This type of attack is normally used in conjunction with a DoS attack to stop the host it is impersonating from sending any further packets.
The DoS attack against the impersonated host uses spoofed packets. The attacker tries to hide his identity from the host he took the TCP session over from, while the opposite end still believes its ongoing session is with the original host.
SYN Floods
This section describes a type of DoS attack where the cracker uses the TCP three-way handshake to perform an attack that overwhelms a target to the point that it crashes or is so busy handling attack packets that legitimate traffic cannot be serviced.
SYN floods take advantage of TCP's three-way handshake, as discussed earlier. In this DoS attack, the cracker sends many thousands of half-formed or embryonic TCP connection requests (SYN packets), usually with spoofed source addresses, to the target server. The server receiving these connection requests sets aside a small amount of memory for each connection and replies with a SYN/ACK to the spoofed address. The spoofed host (if it exists) receives the SYN/ACK packet and discards it. This leaves the server with an "open" or half-formed connection, which will remain so for three minutes as it waits for the connection to complete.
A few open connections will not harm a server, but thousands upon thousands, each using a small amount of memory, will quickly consume all available resources on the server. When all resources are consumed, the server will no longer respond to the SYN requests of the cracker. However, the server also cannot respond to any SYN request from a valid user, which is the denial of service the cracker is trying to perform.
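A model of the server-side half-open connection table under the SYN flood just described, as an added example that is not part of the original guide. The 180-second timeout is the three-minute wait the text cites; the backlog size, the spoofed addresses and the traffic pattern are constructed.

```python
"""Added example: the server's half-open (embryonic) connection table
under a SYN flood. Not from the original text; the backlog size and the
traffic are constructed, the 180 s timeout is the text's three minutes."""
from collections import deque

HALF_OPEN_TIMEOUT = 180.0   # seconds a half-open connection is kept
BACKLOG = 128               # constructed: slots reserved for embryonic connections


def run_backlog(events, backlog=BACKLOG, timeout=HALF_OPEN_TIMEOUT):
    """Replay SYN arrivals against a fixed-size half-open table.

    events: time-sorted (time_s, src_ip, completes) tuples. completes=True
    means the client answers the SYN/ACK and the handshake finishes (a
    real user); False means the SYN/ACK went to a spoofed address and was
    discarded, so the slot stays occupied until the timeout.
    Returns (real_accepted, real_dropped, peak_half_open)."""
    expiries = deque()      # expiry times of occupied slots, oldest first
    accepted = dropped = peak = 0
    for t, _src, completes in events:
        while expiries and expiries[0] <= t:   # free slots whose wait ended
            expiries.popleft()
        if len(expiries) >= backlog:
            if completes:
                dropped += 1                    # valid user denied service
            continue
        if completes:
            accepted += 1                       # handshake completes; no slot held
        else:
            expiries.append(t + timeout)        # stays half-open for 3 minutes
        peak = max(peak, len(expiries))
    return accepted, dropped, peak


def flood_scenario(rate_per_s=50, flood_seconds=10, legit_seconds=20):
    """Constructed traffic: spoofed SYNs at rate_per_s for flood_seconds,
    while one real client (192.0.2.10) tries to connect once per second."""
    events = []
    for i in range(rate_per_s * flood_seconds):
        spoofed = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"
        events.append((i / rate_per_s, spoofed, False))
    for s in range(legit_seconds):
        events.append((s + 0.5, "192.0.2.10", True))
    events.sort(key=lambda e: e[0])             # stable sort: flood first on ties
    return run_backlog(events)


def seconds_to_exhaust(rate_per_s, backlog=BACKLOG, timeout=HALF_OPEN_TIMEOUT):
    """Seconds until the table is full, or None when the timeout frees slots
    fast enough that this rate alone never fills it (steady state rate*timeout)."""
    if rate_per_s * timeout < backlog:
        return None
    return backlog / rate_per_s


if __name__ == "__main__":
    accepted, dropped, peak = flood_scenario()
    print(f"real client: {accepted} accepted, {dropped} dropped, peak half-open {peak}")
    print("table full after", seconds_to_exhaust(50), "seconds at 50 SYN/s")
```

Raising the backlog or shortening the timeout only moves the exhaustion point; the model makes that trade-off visible by changing the two constants.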
Distributed Denial of Service (DDoS)
This section describes an updated DoS attack where the cracker takes over many hundreds of machines and uses them all at the same time to attack a single target.
Distributed Denial of Service (DDoS) attacks are coordinated DoS attacks. In normal DoS attacks, a single machine performs the attack. In DDoS attacks many machines work in concert to perform the same attack. This magnifies the attack and enables crackers to successfully attack large, high-bandwidth commercial sites such as Yahoo, Amazon, and eBay.
Many crackers working in concert can coordinate an attack, although this is rarely the case. Most often, a single cracker performs these attacks in a very elegant fashion. Before the cracker attacks his target, he first takes control of unsuspecting user machines (or drones) in some fashion, such as Trojan horses or OS exploits. These drone workstations can be located anywhere in the world and will perform an "attack at the same time" attack on a specific target at the cracker's whim.
A single computer will typically not have the bandwidth to shut down a large site. Amplifier attacks, even using spoofed packets, can be tracked to the source if the attack goes on for some small amount of time. However, when a site has 3000 machines attacking it, located all across the world, it is impossible to trace each one and extremely difficult to stop.
There are a few widely known DDoS attack tools, which include Trinoo, Stacheldraht, Tribal Flood Network (TFN) and Tribal Flood Network 2000 (TFN2K). These programs all use a client/server architecture, which allows a single cracker to simultaneously direct attacks by many machines.
Malicious Code
This section discusses software applications, utilities, and exploits that crackers use to perform various types of attacks.
Malicious code is any software that is directed by its author to perform some activity not requested or accepted by a particular device, user, or network. Malicious code can be a software utility created by a cracker and executed by the cracker, or it can be code hidden inside what looks like a legitimate software application. Crackers use malicious code for anything from playing a jingle on your computer to causing worldwide problems on the Internet.
This section deals with the more widely known types of malicious code that crackers use to wreak havoc on unsuspecting individuals, servers, or networks.
Viruses
Viruses are malevolent code with self-replicating abilities.
A host becomes "infected" by a virus by running an already infected software program. When the infected program is executed, the virus is stored in memory, waiting to infect other programs that are executed. The infected file is then shared or downloaded by another unsuspecting individual, who then begins infecting applications on his system. In this way, viruses move from program to program and eventually from host to host.
This infection might not be immediately noticeable, as the outbreak can be triggered by some particular action or event, or at an exact date and time. Some viruses are passive in nature and do nothing more than create annoyances for an end user, while others can be quite destructive.
Viruses can be "carried" not only by applications, but also by graphic files (GIFs), macros, and documents. The best defense against infection from viruses is obtaining an anti-virus software package and keeping it updated, as new viruses are discovered almost daily.
Trojan Horse
A Trojan Horse is a piece of malicious code embedded in an application that an unsuspecting user is tricked into downloading and executing.
Unlike viruses or worms, Trojans have no replicating abilities; instead, Trojans are usually embedded into games or other software that looks innocent. Once the application starts, the Trojan executes and performs its duties. Most Trojans today install a piece of software that allows backdoor access to the system. These backdoor applications usually take the form of the software packages BackOrifice or SubSeven.
Worms
Worms are malicious code with self-replicating capabilities.
Unlike viruses, worms do not require user intervention to propagate themselves. Worms are self-replicating pieces of code that travel through an operating system seeking certain files to infect. Most worms are email infections, where the worm actively sends a copy of itself to everyone in an address book. Thus, worms commonly spread very quickly among friends and relatives.
Worms can also infect computers via files downloaded in chat rooms or music files downloaded from music sharing sites such as Kazaa. Worms, like viruses, can cause devastation to the infected computer. Some worms are capable of disabling antivirus and security applications as well as stealing passwords.
Logic Bombs
Logic bombs lie dormant until they are triggered.
Triggering a logic bomb is up to the author of the bomb and can be something like a date, time of day, number of times a program was executed, certain mouse movements, etc. Once a logic bomb triggers, it can do anything from erasing a hard drive to randomly changing data in the system or on the hard drive.
Logic bombs that randomly destroy data are very difficult to identify, as it is very difficult to know the bomb has been triggered, while tremendous amounts of data could be destroyed. Even if you can identify the logic bomb after its detonation, it is usually too late to salvage any corrupted data. For this reason, it is a very good idea to maintain accurate backups of your valuable data and maintain adequate anti-virus protection that detects logic bombs.
Summary
This section summarizes the key points discussed in this lesson.
Spoofing
SYN Floods
Distributed Denial of Service (DDoS)
Malicious Code
Next Steps
After completing this lesson, go to:
Mitigation Techniques
Lesson Assessment
Q1) Which of the following are self-replicating (worms, viruses, Trojans, or logic bombs)?
Q2) Describe an amplifier attack and how it affects all parties.
Q3) Why is a SYN flood an effective DoS attack?
Q4) Code that is dormant and set to execute when a user opens his email can be described as what type of attack?
Q5) Which type oI attack(s) is normally carried out via email attachments?
Q6) Which type oI attack(s) is normally carried or stored inside another program?
Module 2 - Mitigation Techniques
Overview
It is critical to understand the use of Authentication, Authorization and Accounting on a production network. This module discusses the options available for Authentication, Authorization and Accounting.
Objectives
Upon completing this module, you will be able to:
Identify several methods of performing authentication
Understand the access control methods used based on security policy
Describe methods used for auditing and accounting of network use
Outline
The module contains these lessons:
Authentication
Authorization
Accounting
Authentication
Overview
Using authentication is one method of mitigating unauthorized access to a network or system. In this lesson, we discuss several options that may be used for authentication on a network.
Importance
Learning about multiple options for authentication adds more tools to your tool belt as you secure a network.
Objectives
Upon completing this lesson, you will be able to:
Describe which types of password systems are more secure and why
Identify several different methods for performing user authentication
Learner Skills and Knowledge
To fully benefit from this lesson, you must have these prerequisite skills and knowledge:
Have a basic understanding of network protocols
Outline
This lesson includes these sections:
Overview
One Way/Mutual
Username/Password
CHAP/PAP
Kerberos
OTP
Token Cards
Digital Certificates
Biometrics
Multi-Factor
Summary
Assessment Questions: Case Study
Overview
Authentication is the process of determining whether someone or something is, in fact, who or what it is declared to be.
In private and public computer networks (including the Internet), authentication is commonly done through the use of logon passwords. Knowledge of the password is assumed to guarantee that the user is authentic. Each user registers initially (or is registered by someone else), using an assigned or self-declared password. On each subsequent use, the user must know and use the previously declared password. The weakness in this system for transactions that are significant (such as the exchange of money) is that passwords can often be stolen, accidentally revealed, or forgotten.
Example
A central office Access Server requires each client to prove their identity by providing a username and password. By requiring authentication, the Access Server can identify a user before providing access to the internal network.
One Way/Mutual
One-way and mutual authentication are two methods that can be used to facilitate authentication.
Authentication can be "one way" or "mutual". With one-way authentication, the PC dialup client has to prove, via a password, who the client is. The Access Server at the central site does not have to prove to the dialup client that it is the Access Server. Using mutual authentication, both the client and the server have to authenticate each other using some password mechanism.
Example
A central office Access Server requires each client to prove their identity by providing a username and password. The client does not require the Access Server to provide a username and password of its own. This is an example of one-way authentication.
Username/Password
There are several methods of authentication. One of those methods is using a username and password combination.
The most basic form of user or system authentication is a username and password combination. A dialup client who wants to connect to a dialup Access Server will usually be required to supply a username and password. Depending on the application, this username and password may be configured before the client tries to connect, or the client may be prompted for it during the authentication process. The username and password are checked by the Access Server to verify that the username exists and that the password is correct before granting access to the user.
Example
A computer user wants to dial up to an Internet Service Provider (ISP) for access to the Internet. During the configuration of the dialup software, or during the authentication itself with the ISP, the user provides his username and password. The ISP checks the username and password to confirm that they are valid, and upon confirmation, gives access to the user.
CHAP/PAP
One of the most common protocols used for dialup connectivity is the Point-to-Point Protocol (PPP). One of the benefits of PPP is the ability to use authentication along with PPP to verify the remote host. CHAP and PAP are two popular options for providing this PPP authentication.
The Challenge Handshake Authentication Protocol (CHAP) verifies the identity of a peer using a three-way handshake. The authenticator sends a challenge message to the peer. The peer responds with a value calculated using a one-way hash function (Message Digest 5 [MD5]). The authenticator checks the response against its own calculation of the expected hash value. If the values match, the authentication is successful. Otherwise, the connection is terminated.
This authentication method depends on a "secret" known only to the authenticator and the peer. The secret is not sent over the link. Although the authentication is only one-way, by negotiating CHAP in both directions you can use the same secret set for mutual authentication. CHAP authentication is usually done at the beginning of a conversation, but for increased security it may also re-authenticate during the conversation between the two devices.
Password Authentication Protocol (PAP) can also be used in one-way or mutual authentication over a PPP link. With PAP, the remote end challenges the local device for PAP authentication. The remote sends the username and password in plain text, which makes it less secure than CHAP authentication.
Example
A dialup client wants to make sure that he is connecting to the correct access server. The access server requires users to pass authentication. To accomplish this, the dialup solution could include mutual authentication using either PAP or CHAP.
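The CHAP challenge/response exchange described above, worked through with both sides' messages and a PAP request beside it for contrast, as an added example that is not part of the original guide. The response is computed the way RFC 1994 specifies (MD5 over identifier, secret and challenge); the peer name, secret and password are constructed.

```python
"""Added example: the CHAP three-way handshake from the text, with the
response computed as RFC 1994 specifies (MD5 over identifier, secret and
challenge), next to a PAP request for contrast. Peer names, secrets and
passwords are constructed; nothing here is from the original text."""
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """RFC 1994 Response-Value = MD5(Identifier || Secret || Challenge-Value)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Access-server side: issues challenges and checks responses."""

    def __init__(self, secrets_by_name):
        self.secrets = secrets_by_name      # shared secrets, never sent on the link
        self.identifier = 0
        self.outstanding = {}               # identifier -> challenge awaiting a reply

    def challenge(self):
        self.identifier = (self.identifier + 1) % 256
        value = os.urandom(16)              # fresh, unpredictable challenge value
        self.outstanding[self.identifier] = value
        return self.identifier, value

    def verify(self, identifier, name, response):
        """Success only if a matching challenge is outstanding and the peer
        knew the secret. Each challenge is consumed, so a response captured
        from one exchange is useless against the next."""
        challenge = self.outstanding.pop(identifier, None)
        if challenge is None or name not in self.secrets:
            return False
        expected = chap_response(identifier, self.secrets[name], challenge)
        return hmac.compare_digest(expected, response)


class Peer:
    """Dialup client side: answers a challenge with its name and hash."""

    def __init__(self, name, secret):
        self.name, self.secret = name, secret

    def respond(self, identifier, challenge):
        return self.name, chap_response(identifier, self.secret, challenge)


def pap_request(name, password):
    """PAP Authenticate-Request payload: name and password travel in clear text."""
    return bytes([len(name)]) + name.encode() + bytes([len(password)]) + password.encode()


def chap_login(server, peer):
    ident, challenge = server.challenge()             # 1. authenticator: Challenge
    name, response = peer.respond(ident, challenge)   # 2. peer: Response
    return server.verify(ident, name, response)       # 3. authenticator: Success/Failure


def chap_replay_attempt(server, peer):
    """One genuine exchange, then the same response presented to a new
    challenge; returns (first_result, replay_result)."""
    ident, challenge = server.challenge()
    name, response = peer.respond(ident, challenge)
    first = server.verify(ident, name, response)
    ident2, _ = server.challenge()                    # new challenge value
    replay = server.verify(ident2, name, response)    # old response, new challenge
    return first, replay


if __name__ == "__main__":
    server = Authenticator({"lab-client": b"constructed-secret"})
    print("correct secret:", chap_login(server, Peer("lab-client", b"constructed-secret")))
    print("wrong secret:  ", chap_login(server, Peer("lab-client", b"guess")))
    print("replay:        ", chap_replay_attempt(server, Peer("lab-client", b"constructed-secret")))
    print("PAP on the wire:", pap_request("lab-client", "hunter2"))
```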
Kerberos
Kerberos provides an alternative approach whereby a trusted third-party authentication service is used to verify users' identities.
Kerberos is a network authentication protocol designed to provide strong authentication for client/server applications by using secret-key cryptography. There are three basic components to Kerberos: the Key Distribution Center (KDC), which is a network service that supplies session tickets and temporary session keys used in the Kerberos authentication protocol; the ticket-granting service (TGS), which issues service tickets that allow users to authenticate to services; and the ticket-granting ticket (TGT), which is a credential issued to a user by the Kerberos KDC. The user presents the TGT to the KDC when requesting session tickets for services. The TGT is also often referred to as a user ticket.
Example
A company wants to avoid sending usernames and passwords in clear text, so it wants to ensure that interactions between hosts and clients will be encrypted. One solution that would meet this requirement would be to use Kerberos authentication with the services that support it.
One Time Passwords
A One Time Password (OTP) can mitigate the threat of sniffing when a password must be sent over an insecure medium.
When a password must be used over an insecure medium, a disposable password removes the threat of someone stealing the password and using it in the future. A one time password (OTP) system uses a generated password that is valid only once. The user has a password generator that tells him the current password that is valid for that single use. If anyone tries to use it in the future, it will not succeed.
Example
Remote users often log in from laptops, which may be in the presence of others. The concern is that if someone sees what the keystrokes are for a given user, the onlooker may use the password in the future. An OTP system mitigates the threat of eavesdropping or viewing the password on the screen.
Token Cards
One way of implementing secure authentication is through the use of a Token Card system.
Token cards are considered one of the most secure authentication solutions available. A token is an object the user carries to authenticate his or her identity. These devices can be token cards, card readers, or biometric devices. They have the same purpose: to validate the user to the system. The most prevalent form is the card, an electronic device that normally contains encoded information about the individual who is authorized to carry it. Tokens are typically used with another type of authentication. Many cipher locks have been replaced with token card access systems.
Challenge-response tokens supply passcodes that are generated using a challenge from the process that requests authentication (such as Security Dynamics' SecurID). Users enter their assigned user IDs and passwords plus a passcode supplied by the token card. This process requires that the user supply something they possess (the token) and something that they know (the challenge/response process). This process makes passcode sniffing and brute force attacks futile.
Example
A company is concerned about users writing down passwords, which someone else can find and then use to access the network. A solution to this would be to use a token card server and issue token cards to each user.
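The "valid only once" property of the One Time Passwords section and the passcode a token card supplies, worked through as an added example that is not part of the original guide: an HMAC-based one-time password (HOTP, RFC 4226) generator standing in for the card, and a server check that accepts each passcode once only. The shared secret is the RFC 4226 test key; the user name is constructed.

```python
"""Added example, not from the original text: an HMAC-based one-time
password (HOTP, RFC 4226) generator as a token card would compute it, and
a server-side check that accepts each password once only. The shared
secret below is the RFC 4226 test key; the user name is constructed."""
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1(secret, 8-byte big-endian counter), then dynamic
    truncation to the requested number of decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


class OtpServer:
    """Holds each user's secret and the next counter value it will accept."""

    def __init__(self, look_ahead=5):
        self.users = {}                 # name -> [secret, next_counter]
        self.look_ahead = look_ahead    # tolerate a few unused token presses

    def enroll(self, name, secret):
        self.users[name] = [secret, 0]

    def verify(self, name, code):
        """True once for a fresh password; every password at or below the
        accepted counter is dead afterwards, so a sniffed or shoulder-surfed
        value cannot be used again."""
        if name not in self.users:
            return False
        secret, next_counter = self.users[name]
        for c in range(next_counter, next_counter + self.look_ahead):
            if hmac.compare_digest(hotp(secret, c).encode(), code.encode()):
                self.users[name][1] = c + 1     # advance past the used value
                return True
        return False


RFC_TEST_SECRET = b"12345678901234567890"   # RFC 4226 appendix D key


def replay_scenario():
    """A legitimate login, then an onlooker replaying the same password."""
    server = OtpServer()
    server.enroll("remote-user", RFC_TEST_SECRET)
    token_output = hotp(RFC_TEST_SECRET, 0)         # what the card displays
    first = server.verify("remote-user", token_output)
    replay = server.verify("remote-user", token_output)
    return first, replay


if __name__ == "__main__":
    for c in range(3):
        print(c, hotp(RFC_TEST_SECRET, c))          # 755224, 287082, 359152
    print("login then replay:", replay_scenario())  # (True, False)
```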
Digital Certificates
A Digital Certificate can be used to authenticate users or systems across a network.
A Digital Certificate is similar to a government-issued ID card. If two people need to verify each other's identity, and they both have government-issued ID cards, and both parties recognize the issuer as a trusted party, authentication can be done via the IDs.
Similarly, if two systems are issued Digital Certificates from a common, trusted third-party device, the two systems may use the Digital Certificates to facilitate authentication with each other.
Example
A company has 200 servers and 3000 clients worldwide. They want to allow authentication between any of the clients and servers. They configure digital certificates for each device, and use security protocols that use the digital certificates to perform authentication.
Biometrics
Authentication of a user can be done via the individual's unique physiological characteristics.
Every person has unique physiological characteristics that can be examined and quantified. Biometrics is the use of these characteristics to provide positive personal identification. Fingerprints and signatures have been used for years to prove an individual's identity, but individuals can be identified in many other ways. Computerized biometric identification systems examine a particular trait and use that information to decide whether the user may enter a building, unlock a computer, or access system information.
Biometric devices use some type of data input device, such as a video camera, retinal scanner, or microphone, to collect information that is unique to the individual. A digitized representation of a user's biometric characteristic (fingerprint, voice, etc.) is used in the authentication process. This type of authentication is virtually spoof-proof and is never misplaced. The data are relatively static but not necessarily secret. The advantage of this authentication process is that it provides the correct data to the input devices.
Example
A company wants to authenticate a user based on a unique biological factor before allowing access to a supercomputer. They purchase a retinal scanner that authenticates the user based on the unique characteristics of the user's left eye.
Multi-Factor
Multi-Factor authentication uses more than one method for authentication.
To authenticate a human user, authentication systems can depend on three different categories:
- Something the user knows (e.g. passwords, PINs)
- Something the user has (e.g. tokens, smartcards)
- Something the user is (e.g. fingerprints, retinal scans)
Multi-Factor authentication is simply using more than one of these methods before authentication is considered successful.
Example
A company wants to ensure that the supercomputer is never accessed locally by an unauthorized person. They implement authentication that requires a smartcard-generated token, the user's social security number, and a retinal scan before access is granted.
Summary
In this lesson we discussed the various methods that may be used to authenticate users.
One way / mutual
Username / password
CHAP/PAP
Kerberos
OTP
Token Cards
Digital Certificates
Biometrics
Multi-Factor
Next Steps
After completing this lesson, go to:
Authorization
Lesson Assessment
Case Study: ACME INC
ACME Inc. needs to verify that only verified users are able to log in to the Super Computer locally at the central site. In addition, they have a few dozen remote scientists that need to access the central database that has detailed notes regarding the research projects they are working on. Their primary access to the corporate site is through dialup networking, although a few of them are considering using VPN tunnels over the Internet. Each of the scientists also accesses the Internet via a local ISP using their modems.
Q1) What type(s) of authentication would be used on the following if we wanted to use very strong authentication:
A) Local access to the Super Computer
B) Access to the ISP from the remote site for Internet access
C) Access to the central site using a modem and an access server at the central site
D) Access to the central site when the user has a VPN connection
Q2) What type(s) of authentication would be considered the weakest form of authentication for the above access (not including the option of NO authentication)?
Authorization
Overview
This lesson discusses the options for authorization and access control.
Importance
If a user passes authentication, you do not necessarily want the user to have full access. Understanding the types of authorization will help us implement security based on a security policy.
Objectives
Upon completing this lesson, you will be able to:
Describe Mandatory Access Control
Describe Discretionary Access Control
Understand the concept of Role-based Access Control
Learner Skills and Knowledge
To fully benefit from this lesson, you must have these prerequisite skills and knowledge:
Have a basic understanding of Local Area Networks (LANs)
Outline
This lesson includes these sections:
Overview
Mandatory Access Control
Discretionary Access Control
Role-based Access Control
Summary
Assessment
Overview
Security policies should dictate what access is allowed, when it is allowed, and who allows it. Access control is the mechanism that enforces the policy.
Access is the ability to do something with a computer resource (e.g., use, change, or view). Access control is the means by which that ability is explicitly enabled or restricted in some way (usually through physical and system-based controls). Computer-based access controls can prescribe not only who or what process may have access to a specific system resource, but also the type of access that is permitted. These controls may be implemented in the computer system or in external devices.
By understanding the different classifications of access control, you can implement security policies on network devices.
Example
A company has several company-wide servers, and there are other servers that are managed by local departments. They decide to implement access control based on the type of server and who manages it. Using access control could enforce this policy.
Mandatory Access Control
The need for mandatory access control (MAC) arises when the security policy specifies that it is required.
The need for a mandatory access control (MAC) mechanism occurs when the security policy specifies that protection decisions must not be decided by the user, and when the system must enforce the protection decisions even if they are contrary to the wishes or intentions of the user.
Example
The log files for a financial application are kept in a separate folder, and no tampering with the log files is permitted. MAC would not allow any modifications to this folder and its respective files.
Discretionary Access Control
Discretionary access control leaves the access control in the hands of the owner.
Discretionary Access Control (DAC) is used to control access by restricting a given user's access to a resource such as a file or printer. In this type of access control, the discretion of the owner of the resource governs and controls other users' access to that resource.
Example
The engineering department manages a server dedicated to their group. Occasionally other departments need access to specific files or folders. The engineering department, when they feel the need is justified, permit access to the specific files that are needed.
Role-Based Access Control
Individuals may be given specific access based on their responsibilities and roles.
With role-based access control (RBAC), access decisions are based on the role(s) that
individual users have as part of an organization. Permissions are attached to roles rather than
to individual users, so a change of job is handled by changing role membership instead of
editing the permissions on every resource. The process of defining roles should be based
on a thorough analysis of how an organization operates and should include input from a wide
spectrum of users in the organization.
Example
Several individuals support the servers for ACME Inc. Some are network engineers, some are
help desk personnel, and others are network technicians. Each of these people needs partial
access to the server. Using role-based access control would allow each user to have the access
they need to perform their job, and no more.
Information Models
Information access control defines the users in your network and the resources they are
authorized to access.
There are a few different models used for information access control, each serving different
areas and methods of access control. Every company should have a comprehensive access
control policy in place. These policies are usually created from one or more of the better-known
access models, which include:
• Clark-Wilson Model
• Bell-LaPadula Model
• Biba Model
Clark-Wilson Model
Clark and Wilson noted that an important mechanism already existed in commercial environments.
That mechanism is called separation of duty and means that no single person should be
allowed to carry out a particular function, or set of functions, that could lead to undetected fraud.
The Clark-Wilson model was created to address integrity issues in commercial network
environments. This model rests on two principles:
• Well-formed transactions: data may only be changed through a constrained set of programs
that move it from one consistent state to another, never by arbitrary direct writes
• Separation of duties: the people who may run a given transaction are kept apart from those
who certify it or who run the complementary transaction
For every well-formed transaction, such as an accounts receivable transaction or an accounts
payable transaction, a clear separation of duties needs to be created. In this way, you would
not have a single person modifying both the accounts receivable and accounts payable ledgers
to hide their tracks when committing fraud.
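The role table from the RBAC section and the separation-of-duty rule from the Clark-Wilson section, as one added example that is not from the original guide. The role names, the permission strings and the mutually exclusive pair (an accounts payable clerk may not also be an accounts receivable clerk) are assumptions chosen to match the ACME scenarios above:

```python
# Added example (not from the KnowledgeNet guide): RBAC with a static
# separation-of-duty constraint. Role names, permissions and the conflicting
# role pair are assumptions chosen to match the ACME scenarios in the text.
from dataclasses import dataclass, field

# Role -> permissions. Permissions hang off roles, never off individual users.
ROLE_PERMS = {
    "network_engineer":   {"server:config", "server:restart", "server:logs:read"},
    "network_technician": {"server:restart", "server:logs:read"},
    "help_desk":          {"server:logs:read", "user:password:reset"},
    "ap_clerk":           {"ledger:ap:write"},   # accounts payable
    "ar_clerk":           {"ledger:ar:write"},   # accounts receivable
}

# Clark-Wilson separation of duties, expressed as RBAC: no one person may hold
# both roles of a pair, so no single user can touch both ledgers.
MUTUALLY_EXCLUSIVE = [("ap_clerk", "ar_clerk")]


class SeparationOfDutyError(Exception):
    """Raised when a role assignment would violate a mutual-exclusion rule."""


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)


def conflicting_role(user: User, role: str):
    """Return the role the user already holds that conflicts with `role`, or None."""
    for a, b in MUTUALLY_EXCLUSIVE:
        if role == a and b in user.roles:
            return b
        if role == b and a in user.roles:
            return a
    return None


def assign_role(user: User, role: str) -> None:
    """Add a role to a user, refusing assignments that break separation of duty."""
    if role not in ROLE_PERMS:
        raise KeyError(f"unknown role {role!r}")
    clash = conflicting_role(user, role)
    if clash is not None:
        raise SeparationOfDutyError(
            f"{user.name} holds {clash!r}; policy forbids also holding {role!r}")
    user.roles.add(role)


def permissions(user: User) -> set:
    """Effective permissions: the union of the permissions of every role held."""
    perms = set()
    for role in user.roles:
        perms |= ROLE_PERMS[role]
    return perms


def authorize(user: User, permission: str) -> bool:
    """The access decision: is the permission granted by any of the user's roles?"""
    return permission in permissions(user)


if __name__ == "__main__":
    dana = User("dana")
    assign_role(dana, "help_desk")
    print(dana.name, "restart?", authorize(dana, "server:restart"))   # False
    assign_role(dana, "network_technician")
    print(dana.name, "restart?", authorize(dana, "server:restart"))   # True
    lee = User("lee")
    assign_role(lee, "ap_clerk")
    try:
        assign_role(lee, "ar_clerk")
    except SeparationOfDutyError as e:
        print("refused:", e)
```

The check happens at assignment time (static separation of duty); a system that instead allowed a user to hold both roles but never activate them in the same session would be enforcing dynamic separation of duty, which needs the same conflict table plus session state.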
Bell-LaPadula Model
The Bell-LaPadula model is an access control model for confidentiality. Its authors proved, by
induction over the system's state transitions, that a system which starts in a secure state and
obeys the model's rules stays secure. It does this by assigning a security classification to
objects and a security clearance to subjects (users and the processes acting for them).
Military and government installations use this model because of its very tight security control.
It is implemented as Mandatory Access Control, and the model also includes a discretionary
component (an access matrix) that is checked in addition to the mandatory rules.
The Bell-LaPadula model states the following policies:
• A subject can only read an object (usually a file) whose security classification is equal to or
lower than the subject's clearance ("no read up")
• A subject can only write to an object whose security classification is equal to or higher
than the subject's clearance ("no write down")
To achieve the above policies, the Bell-LaPadula model follows three rules:
*-property (Star property)
This property states that a subject is only allowed write access to an object if the
security level of the object is greater than or equal to the clearance level of the subject. Its
purpose is to stop information leaking downward: a subject who can read highly classified
data cannot copy it into an object that subjects with a lower clearance are allowed to read.
(It does not stop a low-clearance subject from writing to a high-classification object; see the
Biba model.)
Simple Security Property
This property states that a subject may only have read access to an object if the security level
of the subject dominates (is equal to or higher than) that of the object.
Tranquility Property
This property states that the security level of a subject or object cannot be changed while the
system is operating (strong tranquility), or at least cannot be changed in a way that would
violate the other two rules (weak tranquility).
Biba Integrity Model
The Bell-LaPadula model enforces secrecy, but does not enforce integrity.
For example, in the Bell-LaPadula model, it is possible for someone with a low security
clearance to write to a classified file. They would not be able to read the file, but they could
blindly write to it and corrupt its contents. The Biba model is the integrity counterpart of
Bell-LaPadula and addresses this unauthorized modification of data. Its rules are the mirror
image of Bell-LaPadula's: a subject may not write to an object of higher integrity ("no write
up") and may not read an object of lower integrity ("no read down"), so untrusted data cannot
flow upward into trusted objects.
The Biba model places an integrity label on subjects and objects. This guarantees that only
subjects of high integrity can modify high-integrity files. Note that secrecy and integrity labels
are independent: a system that needs both runs the two sets of rules side by side.
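The Bell-LaPadula and Biba decision rules from the two sections above, written out as an added example that is not from the original guide. The four level names are an assumption; any ordering with a "dominates" relation works the same way, and the combined check at the end shows the two label sets being enforced side by side:

```python
# Added example (not from the guide): the Bell-LaPadula and Biba decision rules
# on a four-level linear ordering. The level names are an assumption; any
# lattice with a "dominates" relation works the same way.
LEVELS = ["unclassified", "confidential", "secret", "top_secret"]  # low -> high


def dominates(a: str, b: str) -> bool:
    """True when level a is equal to or higher than level b."""
    return LEVELS.index(a) >= LEVELS.index(b)


def blp_allows(subject_clearance: str, object_class: str, op: str) -> bool:
    """Bell-LaPadula (confidentiality).
    read : simple security property, subject must dominate object  ("no read up")
    write: *-property, object must dominate subject                 ("no write down")
    """
    if op == "read":
        return dominates(subject_clearance, object_class)
    if op == "write":
        return dominates(object_class, subject_clearance)
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject_integrity: str, object_integrity: str, op: str) -> bool:
    """Biba (integrity), the mirror image of Bell-LaPadula.
    read : object must dominate subject   ("no read down": don't trust low data)
    write: subject must dominate object   ("no write up": don't taint high data)
    """
    if op == "read":
        return dominates(object_integrity, subject_integrity)
    if op == "write":
        return dominates(subject_integrity, object_integrity)
    raise ValueError(f"unknown operation {op!r}")


def allows(subject: dict, obj: dict, op: str) -> bool:
    """A system enforcing both models: each carries its own label and both must agree."""
    return (blp_allows(subject["secrecy"], obj["secrecy"], op)
            and biba_allows(subject["integrity"], obj["integrity"], op))


def explain(subject_clearance: str, object_class: str) -> dict:
    """What a Bell-LaPadula-only system lets this subject do to this object."""
    return {op: blp_allows(subject_clearance, object_class, op) for op in ("read", "write")}


if __name__ == "__main__":
    # The blind write the Biba section describes: BLP lets a confidential-cleared
    # user write to a secret file it cannot read.
    print(explain("confidential", "secret"))        # {'read': False, 'write': True}
    clerk = {"secrecy": "confidential", "integrity": "confidential"}
    ledger = {"secrecy": "secret", "integrity": "secret"}
    print(allows(clerk, ledger, "write"))           # False: Biba blocks the write up
```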
Summary
In this lesson we discussed three methods for Access Control, and the Clark-Wilson,
Bell-LaPadula and Biba information models:
Mandatory Access Control
Discretionary Access Control
Role-based Access Control
Next Steps
After completing this lesson, go to:
Accounting
Lesson Assessment
Case Study: ACME, Inc.
ACME, Inc. needs to implement a security policy and access control for the following servers:
Human Resources server with sensitive data
Engineering file server, managed by the local department with occasional access by other
groups in the company
Corporate Email servers
Q1) What types of Access Control would be the most appropriate for each of these
systems?
Q2) What are the pros and cons of each of these methods?
Accounting
Overview
This lesson discusses the aspects of Accounting in a network.
Importance
Many times, after an incident has occurred on a network, it is difficult to track down what
happened. With proper accounting, logs are kept that provide a clearer picture of the events
that have taken place on the network.
Objectives
Upon completing this lesson, you will be able to:
Describe Logging
Describe System Scanning
Describe Monitoring
Learner Skills and Knowledge
To fully benefit from this lesson, you must have these prerequisite skills and knowledge:
Basic understanding of local area networks (LANs)
Outline
This lesson includes these sections:
Overview
Logging
System Scanning
Monitoring
Summary
Assessment (Case Study): ACME Inc.
Overview
The ability to audit a network depends greatly on the steps you take before the audit is required.
Several things may be done to provide visibility into events that have taken place on the network.
Preparation includes the configuration of logging, scanning and monitoring.
Example
A public company needs to be able to track down network events for the prior 30 days. They
also want to protect against unauthorized web servers running on computers within their
organization. They decide to implement logging, scanning and monitoring to prepare for this.
Logging
Logging can be used to store a record of network events.
The practice of logging is critical to determining what happened on a network and when it
happened. Logging may be done to a local disk, to memory, to a remote server or any
combination, depending on the capabilities of the system. Sending a copy of each log to a
remote server matters for security: an attacker who compromises a host can erase or edit its
local logs, but not a copy that has already left the machine. Stored log files may be archived,
allowing a long history to be retained. These log files can be reviewed to determine what has
transpired. Logs are only useful if the clocks of the systems writing them agree, so time
synchronization is part of any logging setup.
Example
ACME Inc. needs to keep a record of who has accessed the Human Resources server, and how
long they were using those resources. They enable logging to accomplish this.
System Scanning
Keeping track of which services are available from workstations and servers, and verifying
that they comply with policy, can be done via system scanning.
Periodic scanning of the networks can reveal what services are available from devices on the
network, and may be an important part of the auditing process. Comparing each scan with the
previous one shows which ports were newly opened and therefore warrant investigation.
Example
The company policy strictly forbids anyone running an FTP server on their workstation, due to
the fact that FTP usernames and passwords are sent in plain text. To verify compliance, a port
scanner periodically probes the workstations to see if an FTP server will respond to
the scan.
Monitoring
Reviewing log files and other reports is critical to finding out how resources are being used.
An important part of maintaining an audit trail is to review the logs. Periodic review of the logs
can reveal unauthorized access attempts as well as other network activity that is being logged.
Routine checks of log files, as well as checks of physical access to resources, should be
incorporated into the audit policy. Review is most effective against a baseline: once you know
what normal activity looks like, deviations from it stand out.
Example
A company established a baseline from the data center log files: the maintenance crew accesses
the server room every evening at around six p.m. and normally leaves shortly afterwards. Upon
reviewing the previous evening's logs, they discovered that the maintenance crew arrived at 6
but didn't leave until 9. Further inspection of the logs showed access from the data center to an
outside web server during that time. The logs provided auditing visibility that would otherwise
have been difficult to obtain.
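The review described in the example above, carried out in code, as an added example that is not from the original guide. Both logs are constructed sample records in an assumed CSV layout (badge-reader events and firewall connection records); the data-center subnet, the internal address range and the one-hour baseline are assumptions as well:

```python
# Added example (not from the guide): reviewing data-center logs against a
# baseline. Both logs are constructed sample records in an assumed CSV layout;
# the subnets and the one-hour baseline are assumptions too.
from datetime import datetime, timedelta
import ipaddress

# Badge-reader log: time, badge id, door, event
BADGE_LOG = """\
2003-03-10T18:02:11,maint-07,dc-door,enter
2003-03-10T18:41:30,maint-07,dc-door,exit
2003-03-11T18:05:47,maint-07,dc-door,enter
2003-03-11T21:03:02,maint-07,dc-door,exit
"""

# Firewall log: time, source, destination, destination port
NET_LOG = """\
2003-03-10T18:10:00,10.20.1.9,10.20.5.2,445
2003-03-11T19:12:09,10.20.1.15,198.51.100.23,80
2003-03-11T19:12:10,10.20.1.15,198.51.100.23,80
2003-03-11T08:30:00,10.30.7.4,198.51.100.23,80
"""

DATA_CENTER = ipaddress.ip_network("10.20.1.0/24")   # hosts inside the server room
INTERNAL = ipaddress.ip_network("10.0.0.0/8")         # anything else is "outside"
BASELINE_DWELL = timedelta(hours=1)                   # a normal maintenance visit


def parse(log: str) -> list:
    return [line.split(",") for line in log.splitlines() if line.strip()]


def badge_sessions(rows: list) -> list:
    """Pair each 'enter' with the next 'exit' for the same badge -> (badge, entered, left)."""
    open_visits, sessions = {}, []
    for ts, badge, _door, event in rows:
        t = datetime.fromisoformat(ts)
        if event == "enter":
            open_visits[badge] = t
        elif event == "exit" and badge in open_visits:
            sessions.append((badge, open_visits.pop(badge), t))
    return sessions


def long_visits(sessions: list, limit: timedelta = BASELINE_DWELL) -> list:
    """Visits that lasted longer than the baseline allows."""
    return [s for s in sessions if s[2] - s[1] > limit]


def outbound_web(rows: list) -> list:
    """Web connections that left the data-center subnet for a non-internal address."""
    hits = []
    for ts, src, dst, port in rows:
        if (ipaddress.ip_address(src) in DATA_CENTER
                and ipaddress.ip_address(dst) not in INTERNAL
                and int(port) in (80, 443)):
            hits.append((datetime.fromisoformat(ts), src, dst))
    return hits


def review(badge_log: str = BADGE_LOG, net_log: str = NET_LOG) -> list:
    """Correlate the two logs: report long visits and any outbound web traffic during them."""
    findings = []
    for badge, entered, left in long_visits(badge_sessions(parse(badge_log))):
        findings.append(f"{badge} stayed {left - entered} on {entered.date()} "
                        f"(baseline {BASELINE_DWELL})")
        for when, src, dst in outbound_web(parse(net_log)):
            if entered <= when <= left:
                findings.append(f"  {when.time()} {src} -> {dst} (external web, during visit)")
    return findings


if __name__ == "__main__":
    print("\n".join(review()))
```

The value is in the correlation: the badge log alone shows an unusually long visit, the firewall log alone shows two web connections from a server-room address, and only together do they say that someone in the room at the time was talking to an outside web server.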
Summary
In this lesson, you learned about implementing auditing on a network:
Logging
System Scanning
Monitoring
Next Steps
After completing this lesson, go to:
Hardening
Lesson Assessment
Case Study: ACME Inc.
ACME Inc. needs to know when users log into the corporate file server, what files they access,
and when they log out. Additionally the company would like to confirm that no unauthorized
web servers are being run from client workstations.
Q1) What types of tools may be used to gather this information?
Q2) If the information were collected, what would have to be done to make good use of the
data?
Overview
Hardening is the process of making the Network Operating System and the overall network
more difficult to penetrate. Proper hardening uses a layered approach and a combination
of techniques, from hardening the individual operating systems, to intrusion detection, to
organizational security. The main goal is to make it so difficult that the computer criminal, if
not apprehended outright, will leave and look for an easier target.
Objectives
Upon completing this chapter, you will be able to:
Identify the various hardening techniques for NOS/OS
Identify the purpose of a firewall
Identify the types of Intrusion Detection systems and the methods employed in them
Describe the various organizational steps used to secure physical and environmental
security
Identify common methods of backup, recovery and business continuity
Describe common business procedures when responding to a security incident
Outline
This chapter includes these lessons:
Overview
NOS/OS Hardening
Filters and Firewalls
Intrusion Detection Systems
Organization
Forensics
Summary
NOS/OS Hardening
Overview
Hardening is the process of increasing the security of a baseline installation of an operating
system. This is accomplished by adding configuration, by applying service packs and other
updates, and by application hardening. Application hardening requires knowledge of how
applications are exposed to the network and what unique challenges are present due to the
nature of the application.
Objectives
Upon completing this lesson, you will be able to:
Understand the purpose of updating an operating system
Describe when patching is appropriate
Understand the special challenges of hot fixes
Describe the purpose of a service pack
Outline
This lesson includes these topics:
Overview
Updating
Patching
Hot Fixes
Service packs
Application hardening
Web Servers
Email servers
FTP servers
DNS servers
NNTP servers
File/print servers
DHCP servers
Data Repositories
Summary
Assessment
Hardening Overview
Networks will always be vulnerable to a variety of sophisticated attacks. As security
professionals fix one security leak, three more are discovered. The process of hardening a
network infrastructure and implementing corporate response policies offers a layered defense
against the most persistent computer criminal. This, with a proactive system of intrusion
detection, helps ensure that when a penetration does take place the damage is minimized and
met with a logical and measured response.
Hardening the network operating system is one of the first lines of defense in protecting your
corporate assets. If the client machines are secure, potential attackers lose one of the most
popular points of entry. Clients are normally among the easiest devices to penetrate because
their users are often unaware of basic security procedures.
Once the clients are locked down, you must turn your attention to the infrastructure. A layered
defensive network of secured servers, isolated network segments, and a proactive and
aggressive intrusion detection system will help ensure rapid identification of and reaction to
any unauthorized traffic.
Organizational awareness of security helps ensure that all aspects, physical and environmental,
are taken into account in the security framework. This includes access control, shielding, fire
suppression, and a comprehensive and constant review of backup and recovery practices.
Planning for intentional exploitation without considering natural disasters can result in massive
failure in a company's ability to recover from a loss.
NOS/OS Hardening
The current exam does not test specifics of operating system hardening. You need to be
familiar with the basic principles and best practices that cover all platforms.
Network operating systems have similar characteristics. They are designed to provide network
access to corporate resources. Many network operating systems also come bundled with a
variety of services, like web servers, file shares and FTP services. If these services are not
needed, or are left running without being monitored, they provide an entry point for attack.
The first step in securing any system, server, or workstation, is anti-virus protection. Before the
first service pack is installed or update applied, systems need to have an up-to-date anti-virus
application running. This protects the workstation because viruses are sometimes disguised as
service packs or software updates. For the same reason, obtain updates only from the vendor
and verify their integrity (the vendor's digital signature or published hash) before installing
them.
You also need to be aware of the default configuration of any servers that share files. Microsoft
operating systems traditionally set up administrative shares (C$, ADMIN$ and so on) that
expose all of the drives to the network connection. They have permissions assigned that
prevent the casual browser from connecting, but additional resources are also exposed, like
printers and printer drivers. You need to establish a policy on what resources need to be
shared. Everything that is not shared needs to be closed off.
Regularly scheduled port scans against client machines and servers will help ensure that
additional services, possibly installed by Trojan horse programs, are not running. Many
applications use well-known ports for their operations. If you see a system with a non-standard
port open, that could be a flag that the system has been penetrated. Keep a baseline of the ports
each class of system is expected to have open, so that a scan result can be compared against it.
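The port scan against a baseline described in the paragraph above, and the FTP-on-workstations check from the System Scanning example in the Accounting lesson, as one added example that is not from the original guide. The approved-port baseline and the host classes are assumptions, and the "rogue FTP" listener is started locally only so that the scan has something to find while running offline against 127.0.0.1:

```python
# Added example (not from the guide): a TCP connect scan with banner grabbing,
# compared against a baseline of the ports each class of host may have open.
# The baseline, the "rogue FTP" listener and the host classes are assumptions;
# the listener exists only so the example runs offline against 127.0.0.1.
import socket
import threading

# Baseline: ports a host of each class is approved to listen on.
APPROVED_PORTS = {
    "workstation": set(),      # policy: no servers at all on workstations
    "fileserver": {139, 445},  # SMB only
}


def start_listener(banner: bytes) -> int:
    """Stand-in for a rogue service: accept connections on a free loopback port
    and greet each client with `banner`. Returns the port number."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _addr = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return port


def closed_port() -> int:
    """A port nothing listens on: bind to an ephemeral port, note it, release it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def scan_ports(host: str, ports, timeout: float = 0.5) -> dict:
    """TCP connect scan. Returns {port: banner} for every port that accepted a
    connection; banner is '' when the service said nothing before the timeout."""
    found = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) != 0:
                continue
            try:
                banner = s.recv(256).decode("ascii", "replace").strip()
            except (socket.timeout, OSError):
                banner = ""
            found[port] = banner
    return found


def audit(host_class: str, scan_result: dict) -> list:
    """Compare a scan with the baseline; every unapproved listener is a finding, and
    an FTP greeting ('220 ... FTP ...') is called out by name whatever the port."""
    findings = []
    for port, banner in sorted(scan_result.items()):
        if port in APPROVED_PORTS[host_class]:
            continue
        if banner.startswith("220") and "FTP" in banner.upper():
            findings.append(f"port {port}: FTP server ({banner!r}) violates policy")
        else:
            findings.append(f"port {port}: unexpected listener ({banner!r})")
    return findings


if __name__ == "__main__":
    rogue = start_listener(b"220 ACME FTP server ready\r\n")
    result = scan_ports("127.0.0.1", [rogue, closed_port()])
    for line in audit("workstation", result):
        print(line)
```

Identifying the service by its greeting rather than by its port number matters because a Trojan or a user who knows port 21 is being checked will simply run the server on another port; a connect scan of the full port range with banner grabbing catches it anyway.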
Operating System Updates
When operating systems are shipped, they may not have all of the bugs worked out. Most
manufacturers release a number of updates, service packs and hot fixes throughout the life
cycle of any operating system.
Once you have the virus protection in place, it is a good idea to visit the operating system
manufacturer's web site to see what updates and service packs are available. Many software
publishers group their updates by severity of the problem; security fixes rated critical should be
scheduled first.
Many operating system updates add additional services and features to the baseline
configuration. You need to research what is added to the configuration and explore any
additional security measures you must take to avoid weakening the security of your systems.
Normally, the manufacturer provides extensive documentation on the changes imposed by the
updates. It is also an excellent idea to peruse the discussion forums hosted by the manufacturer,
as well as others, to determine what additional issues may arise due to installing updates.
Remember that operating system updates rarely concern themselves with any third-party
applications that are running on a system. Be sure to check with the application vendor to
ensure that applying a service pack or hot fix will not invalidate any service contracts.
Patching
Patches are incremental additions to an operating system or application. Some are cumulative
and include all of the previous patches, but in other cases they need to be applied in a specific
order.
Patches are used for targeted corrections or configuration changes to an application.
Sometimes patches are used to bypass portions of an application that are buggy or have been
rendered inoperable by a particular configuration.
In some cases, the technical support desk may have an administrator go into the installation
and modify configuration or source files by hand. You should always back up the original files
before making any changes to them, so that the change can be reversed and so that you can
later tell exactly what was changed.
Patches are designed as a quick fix or a bypass for a problem. They are not as thoroughly
tested as a service pack but are designed to quickly resolve a specific problem, either
inherent in the OS itself, or due to the special configuration.
Hot Fixes
On many mission-critical applications, unscheduled down time is unacceptable. To repair minor
problems without downing a system, you employ a hot fix.
A hot repair refers to a repair performed without bringing the system down. There are many
hot-swap hardware devices, like hard drives, and with USB many peripherals can be replaced
without shutting the system down.
Hot fixes in the software world are a little different. A hot fix is a small, targeted code change
that corrects one specific defect, issued quickly and often before it has had the full testing that
a service pack receives. Microsoft typically calls a bug fix issued between service pack releases
a hot fix. Some of the hot fixes need to be applied in a particular order or are only designed to
repair a specific problem or security threat.
Note that the manufacturer does not fully support many hot fixes. They are provided as a
convenience. Only apply a hot fix if it is required, that is, if the system is affected by the
problem it fixes or exposed to the vulnerability it closes.
Service Packs
When enough patches and hot fixes have accumulated, the manufacturers combine the relevant
ones and produce a service pack.
A service pack is a combination of hot fixes, patches, and sometimes additional features, all of
which are applied at once. Depending on the manufacturer, you may need to apply service
packs in a particular order on a newly installed system. Many manufacturers make service packs
cumulative. For example, service pack five may contain all of the repairs included in service
packs one through four.
Thoroughly test service packs before deployment on mission-critical production systems.
Research the effects of applying service packs on any applications that are installed on the
systems, and perform a thorough backup before applying the packs, since a service pack
touches far more of the system than a single patch does.
Application Hardening
Operating systems only provide the framework within which applications operate. Many
operating systems are secure in and of themselves, but you face a completely different security
challenge when they are combined with other services.
Computer criminals target certain types of services due to their exposure or well-known
weaknesses. This section discusses each service type. You will learn some of the
vulnerabilities that each type of deployment shares and ways to limit the damage if
the services are penetrated.
Web Servers
Web services are among the most useful of network services. This makes them a tempting
target for computer criminals.
Most companies rely on their web site as the first contact a potential customer will use to gain
additional information. Some companies would cease to exist if their web sites were down for
an extended period of time. Criminals are aware of the critical nature of web services. Attackers
are also aware that web sites, due to the nature of the server, are one of the most public portions
of a company's infrastructure. Attackers are very adept at penetrating web servers. They often
deface or change the content to suit their own purpose.
Web servers are everywhere. Windows 2000 Server, by default, installs web services (IIS)
whether or not they are needed. However, not all companies need web services, and computers
that do not need web services should have them removed. Since web services are such a public
venue for attack, it is critical that you keep up with the service packs and hot fixes. Because
modern web sites are routinely connected to a database as well as a range of streaming media,
a thorough understanding of those additional underlying technologies is required to secure web
access and limit exposure of sensitive information.
Email Servers
Communication is the lifeblood of any company. Email systems are only slightly less critical
than an operational telephone system in today's corporate environment.
Attackers target email services because of the wealth of information they contain. Simply
looking at who is mailing whom can yield much corporate intelligence. Gaining access to the
actual email gives attackers even more information that is very valuable to competitors.
Email systems need to be protected using email-aware anti-virus software. The software must
be able to monitor the variety of protocols that make up a modern mail server.
You also need to be aware of the rising threat of spam. If you set your server up as an open
relay, anyone can send your server email addressed to a third party and your server will simply
forward the messages on. Many unscrupulous marketers use open relays for deceptive message
delivery, and a server found relaying spam ends up on block lists, so that legitimate mail from
your company is refused as well.
Proper updates and effective policies against spam and relaying will ensure that attackers
will look elsewhere when they are seeking a target to attack. A relay test is simple: from an
outside address, attempt to send a message through your server to a mailbox in a domain the
server is not responsible for; it should be rejected.
FTP Servers
Many applications produce very large files. Many email systems limit the amount of storage
that can be consumed by attachments. FTP is a way to make files available to outside parties
without exposing an internal file share through the firewall.
FTP is another mature protocol that has become an Internet standard. FTP is not a secure
protocol, as it sends all authentication requests (usernames and passwords) and all data in clear
text. It is a good idea to use SSH-based file transfer (SFTP or SCP) or to run FTP over a VPN
so that the transmission is encrypted.
It is also an excellent security policy to have FTP account usernames and passwords separate
from the normal network access accounts, so that a sniffed FTP password does not also open
the corporate network. FTP is also subject to penetration. It may be a wise policy to keep
FTP-enabled files and folders on a separate physical disk drive from the normal system or
application files, and never to allow an anonymous user to write to a directory that is also
readable, since such a directory will be used to trade pirated or malicious files.
Always make sure to check any uploaded files for viruses regularly, and follow the newsgroups
for information on how to counter any new threats and FTP exploits.
DNS Servers
Mapping host names to IP addresses makes the Internet function. This name mapping is
performed by a distributed database known as the Domain Name System, or DNS.
With the newer directory services that are built on DNS, name servers are a desirable target for
attackers. Some DNS servers hold the network footprint of most, if not all, of the servers and
workstations that reside on your network.
One way around exposing all of your internal secrets is to separate your internal DNS presence
from the outside DNS structure (split DNS). This is accomplished by having a separate
namespace for the internal network. This namespace would typically use a name that is not
published on the Internet. An example is acme.root. The .root domain is not a valid Internet
DNS entry, but as long as the proper configuration exists on your DNS server, internal clients
will be able to locate records. A safer choice than an invented top-level domain is a subdomain
of a domain the company actually registers (for example corp.acme.example), since an invented
name can later collide with a real one and leak internal queries to the Internet.
You must also ensure that only the correct machines have the ability to update external
DNS records. You can restrict updating protocols to specific IP addresses, or hold the master
copy of the public namespace behind a firewall and set up the public DNS server as a
secondary server that only receives zone transfers. That way, if the public machine is
penetrated, the attacker has access to one read-only copy and not to the master data or the
internal namespace. One way to prevent DNS poisoning is to require that DNS servers
authenticate each other before accepting a notify or a zone transfer (transaction signatures,
TSIG, are the standard mechanism). Strong encryption using IPsec or a similar protocol can
also secure the transfer of zones between servers.
NNTP Servers
Network News Transfer Protocol (NNTP) servers have been around a long time for
collaboration and discussion. There are many news feeds out there covering almost every topic
imaginable.
NNTP provides a forum for discussion on many topics. The volume of traffic on a full NNTP
feed exceeds one gigabyte per day. This protocol is seeing even wider adoption as mail servers
such as Microsoft Exchange use NNTP to provide access to public folders.
NNTP servers generate a large amount of traffic. You must be selective about which topics to
feed into and out of your system. Many feeds are moderated, which means a person or group of
people is responsible for examining messages that are to be posted to the feed. Unfortunately,
many systems are subject to DoS attacks and are frequently the target of spam messages. These
unwanted transmissions can easily overwhelm the moderators, and many host systems have
been shut down because of them.
The best advice is to select which feeds you desire and block everything else. Many companies
choose to ignore the public feeds and host their own private discussion forums. This gives the
administrators a lot of power in picking and choosing the topics, and it also makes the feeds
more manageable.
If you are going to participate in public forums, it is a good idea to have a policy that separates
the corporate identity and user logon from the one that is posted to the public groups. Many
mass marketers will regularly scour the NNTP feeds to find new addresses to spam.
File/Print Servers
Serving up files and printers is one of the main purposes of servers deployed in corporate
environments. With high-speed backup and dedicated hardware, file and print services can be
fast and secure.
File servers help consolidate data so that it is easy to access and provide disaster recovery
through a comprehensive system of backups. File servers should only share out those portions
of their drives that are for general consumption. Sharing out the root drives of the file server
places the entire machine at risk. If an attacker can penetrate the share, the entire folder
hierarchy stored underneath could be compromised. It is also a good idea to have the operating
system stored on a separate drive from the files that are to be shared. This prevents disk
contention between the OS and the files, and keeps a share from reaching system files.
Many networks are incorporating network appliances, which are machines that have a
rudimentary operating system and are designed solely for high-speed file access. Since these
devices are dedicated to a single purpose, there are fewer additional services that could
provide an access path for attackers. In addition, since they are dedicated, the installation and
configuration is relatively simple. They still need patching, and an administrative interface
that is not reachable from untrusted networks.
Print servers also need security, especially if they are acting as the front end to restricted
printers. Never label a restricted printer with its IP address (or otherwise publish it), as attackers
who learn it can send jobs to the printer directly, or set up their own print server as the front
end, and completely bypass the print server's security. Configure the printer itself to accept
jobs only from the print server.
DHCP Servers
Every node on the network needs an IP address. DHCP servers can simplify administration by
providing centralized IP address assignment. Since this is such a critical service, DHCP is a
prime target for attackers.
Dynamic Host Configuration Protocol (DHCP) is a great blessing to any administrator that has
over 10 machines in their network. Providing a centralized configuration point for address and
service assignment has greatly eased the burden of the administrative staff. DHCP is broadcast
based, so steps must be taken to ensure that these broadcasts are sent and received on the
proper subnet (a DHCP relay agent on the router forwards them between subnets).
Many companies have DHCP servers scattered throughout the subnets to ensure that the proper
numbering scheme is used to give network access to clients. If an attacker sets up a rogue
DHCP server, they can preempt the assignment process: a client takes the first offer it receives,
and the rogue server can hand out its own address as the default gateway or DNS server and so
redirect traffic to servers that they own. A newer safeguard is to require that a DHCP server be
authorized (as Active Directory does for Windows 2000 DHCP servers) before it will give out
addresses. This prevents the inadvertent assignment of addresses in a production environment
from test bench machines; it does not stop a rogue server on another platform, which never
asks for authorization.
If you have a DHCP client that is getting the wrong addresses, examine its IP configuration.
This will normally give the IP address of the DHCP server that assigned the client its address,
which identifies the rogue server. Watching for DHCP offers whose server identifier is not one
of your own servers catches the problem before clients are affected.
You may also look at using reservations for all of your addresses. This makes it harder for an
attacker to bring in a laptop and automatically connect to your network. This technique is used
to secure wireless networks, but note that a reservation is keyed to the client's hardware (MAC)
address, which an attacker can read off the wire and copy, and that an attacker can simply
configure a static address instead of asking DHCP; treat reservations as housekeeping, not as
an access control.
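The rogue-server check from the paragraphs above (an offer whose server identifier is not one of your own DHCP servers), as an added example that is not from the original guide. The DHCPOFFER is constructed in the code so that nothing touches the network; the authorized-server list and all addresses are assumptions:

```python
# Added example (not from the guide): parse a DHCP OFFER and decide whether it
# came from an authorized server. The packet is constructed here (no network);
# the authorized-server list and the addresses are assumptions.
import struct
import ipaddress

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_MSG_TYPE, OPT_ROUTER, OPT_DNS, OPT_SERVER_ID, OPT_END = 53, 3, 6, 54, 255
DHCPOFFER = 2
AUTHORIZED_SERVERS = {ipaddress.ip_address("10.20.0.10")}


def _ip(addr) -> bytes:
    return ipaddress.ip_address(addr).packed


def build_offer(xid: int, yiaddr: str, server: str, router: str, dns: str) -> bytes:
    """Construct a DHCPOFFER the way a server (legitimate or rogue) would send it."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0,            # op=BOOTREPLY, htype=Ethernet, hlen=6, hops
        xid, 0, 0,             # transaction id, secs, flags
        b"\0" * 4,             # ciaddr
        _ip(yiaddr),           # yiaddr: the address being offered
        _ip(server),           # siaddr
        b"\0" * 4,             # giaddr
        b"\0" * 16, b"\0" * 64, b"\0" * 128,   # chaddr, sname, file
    )
    options = (bytes([OPT_MSG_TYPE, 1, DHCPOFFER])
               + bytes([OPT_SERVER_ID, 4]) + _ip(server)
               + bytes([OPT_ROUTER, 4]) + _ip(router)
               + bytes([OPT_DNS, 4]) + _ip(dns)
               + bytes([OPT_END]))
    return header + MAGIC_COOKIE + options


def parse_dhcp(packet: bytes) -> dict:
    """Decode the fixed header and the option TLVs of a DHCP message."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _htype, _hlen, _hops, xid = struct.unpack("!BBBBI", packet[:8])
    options, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == 0:          # pad byte, no length
            i += 1
            continue
        length = packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "op": op,
        "xid": xid,
        "yiaddr": ipaddress.ip_address(packet[16:20]),
        "options": options,
    }


def offer_details(packet: bytes) -> dict:
    """What matters in an OFFER: who sent it and what it wants the client to use."""
    msg = parse_dhcp(packet)
    opts = msg["options"]
    if opts.get(OPT_MSG_TYPE) != bytes([DHCPOFFER]):
        raise ValueError("not a DHCPOFFER")
    return {
        "server": ipaddress.ip_address(opts[OPT_SERVER_ID]),
        "offered": msg["yiaddr"],
        "router": ipaddress.ip_address(opts[OPT_ROUTER]) if OPT_ROUTER in opts else None,
        "dns": ipaddress.ip_address(opts[OPT_DNS]) if OPT_DNS in opts else None,
    }


def is_rogue(packet: bytes, authorized=AUTHORIZED_SERVERS) -> bool:
    """An OFFER whose server identifier is not one of ours comes from a rogue server."""
    return offer_details(packet)["server"] not in authorized


if __name__ == "__main__":
    good = build_offer(0x1234, "10.20.1.50", "10.20.0.10", "10.20.1.1", "10.20.0.5")
    bad = build_offer(0x1234, "10.20.1.50", "10.20.1.77", "10.20.1.77", "10.20.1.77")
    for pkt in (good, bad):
        d = offer_details(pkt)
        print("rogue" if is_rogue(pkt) else "ok   ", d["server"], "gateway", d["router"])
```

The server identifier (option 54) is what a client uses to pick the server it will request an address from, so it is the field to compare; the router and DNS options are worth printing because they show what a rogue server is trying to redirect. On a live network the same parser would be fed packets captured on UDP port 68.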
Data Repositories
Many applications, and the networks that support them, rely heavily on stored data. This
data is usually in the form of a database. Secure access to the data is paramount to ensuring that
only the correct systems and users have access to services and data on your network.
Data comes in many forms. Data can be an order from a client or it can be information about
the client itself, such as their purchase history, preferences, or credit terms. Many companies
spend millions of dollars each year gathering data about their clients, competitors and projects.
If the data is stolen, lost, or destroyed, the company may suffer financial losses or even go out
of business.
The arena of information storage normally falls into two main formats: directories and data.
Directory storage consists of users, computers and groups. This is where most authentications
to gain access to the corporate network occur. This is a very tempting target to attackers as
passwords (or their hashes) are typically stored with user and machine account information.
Data storage is critical as it may contain customer information, research data, or other mission-
critical information that has been collected. In many cases, databases are used as a back end to
other processes, like serving up a catalog of goods and services via a dynamic web page, which
means that a flaw in the web application becomes a path to the data.
Regardless of the type of data, security is of particular concern as the cost of rebuilding and
validating data can be prohibitive. Data integrity is of paramount importance and can have
consequences well beyond the scope of the original application.
Directory Services
Directory services are used for user authentication, assigning permissions, and centralized management. The directory service is the most critical security service, as it is typically the repository of the authenticators that grant access to the rest of the corporate network.
A directory service is like the white and yellow pages of the phone book: it contains a list of users and the services they are allowed to access. This is where accounts, passwords, rights and permissions are stored. Penetrating a directory service is the ultimate goal of an attacker, as it opens the rest of the network to penetration.
Directory servers should be dedicated to providing that single service. Many small companies use their directory servers as file and print servers, DHCP servers, DNS servers, and even public web servers. A good security baseline is to expose directory information only to entities inside the company. Never expose your directory servers to the public.
There are many types of directory services, each with its own advantages and disadvantages. Each security professional must know the technological details of the particular brand of directory they support.
Most directories use a variety of protocols to provide access to the database, ranging from LDAP queries and Kerberos sessions to RPC requests. Each protocol has its own set of security concerns. Be familiar with the best practices advocated by the vendor of your directory, and follow the forums and discussion groups that cover its security. Remember that once the directory is penetrated, there is little you can do to protect the rest of your network.
Databases
Databases are used throughout the enterprise. Customer lists, product catalogs and tracking information are typical contents. The day-to-day operation of almost any company relies on accurate, organized blocks of information that are easy to find.
There are many database products. They range in scale from desktop applications such as Microsoft Access to full-blown database servers such as SQL Server and DB2. These databases hold corporate information that is used to make critical business decisions and manage relationships with vendors and clients.
Databases are also used to build dynamic web applications that customize the look and feel of a website depending on a customer's responses. Such a database is exposed, indirectly, to the customer, but in many cases the data itself resides on a server separate from the web server. This provides additional scalability, since the web server does not have to spend processor cycles storing and retrieving data. All communication between the web server and the back-end database needs to be secured: credentials are usually exchanged between these machines, and IPSec or a dedicated point-to-point connection can ensure the data is transmitted securely. The web server should also connect to the database with an account that has only the rights the application needs, so that a compromised web server does not hand the attacker the whole database.
You also need to guard against data corruption. Inaccurate or corrupt database information can be worse than having no data at all. A regular schedule of backups and data validation is critical to ensure that the information is protected and correct.
Depending on the vendor, you may face a variety of security concerns. Attackers are aware of the wide range of database services and write exploits that target specific products. Keep up with service packs and security alerts so you can respond proactively to new threats.
Summary
This topic summarizes the key points discussed in this lesson.
NOS/OS Hardening
Filters and Firewalls
Intrusion Detection Systems
Organization
Forensics
Summary:
• Updates applied to a system rarely consider any third party applications
• Patches may be performed under the direction of customer support
• Hotfixes are designed to be applied while a system is in an operating state
• Service packs may include additional features that will require additional security reviews
• Each service that runs on a server will have different requirements for security
• Directory services are the most sought-after targets for attackers
Lesson Assessment
Q1) What can be done to increase the security of your new FTP server that is in the DMZ?
Q2) What is the difference between a service pack and a hot fix?
Q3) How can unauthorized DHCP servers be detected?
Q4) What is the purpose of patching a server?
Filters/Firewalls
Overview
This lesson discusses how firewall techniques, along with intrusion detection, can protect and warn against network attacks.
Importance
High-speed access to non-trusted networks poses security risks. Having the ability to scrutinize what traffic is allowed through is important for the overall security of a network.
Objectives
Upon completing this lesson, you will be able to:
Describe the general methods for implementing a firewall
Understand the techniques of layer 3 filtering, proxy servers and stateful filtering
Learner Skills and Knowledge
To fully benefit from this lesson, you must have these prerequisite skills and knowledge:
Basic understanding of Local Area Networks (LANs)
Outline
This lesson includes these sections:
Overview
Layer 3 filtering
Proxy servers
Stateful filtering
Summary
Assessment
Filters/Firewalls
A firewall or filtering device is required to implement most security policies on today's corporate networks.
A true firewall is the hardware and software that intercepts data between a non-trusted network, such as the Internet, and your computers. It is the TCP/IP equivalent of a security gate at the entrance to your company: all traffic (data) must pass through it, and the security guard (the firewall) allows only authorized people (data) into the facility (the LAN).
Example
A company needs to connect to the Internet for email, web traffic and other company purposes. They are concerned that once they connect, all of their computers will be exposed to attacks from hackers on the Internet. They decide to place a firewall between the Internet and the company computers to mitigate this threat.
Layer 3 Filtering
Using the OSI model as a reference, packet filtering can be implemented on the layer 3 (IP) addresses, usually combined with the layer 4 port numbers.
The most basic line of defense is a layer 3 packet filter firewall. Packet filters examine incoming and outgoing packets and apply a fixed set of rules to decide whether each packet is allowed to pass. A packet filter is typically very fast because it does not examine the payload of the packet; it looks only at the protocol type, the source and destination IP addresses and the port numbers, and then applies the filtering rules in order until one matches. This makes it easy, for example, to drop all packets destined for port 80, which is normally the port of a web server. The administrator may decide that port 80 is off limits except for specific IP subnets, and a packet filter can enforce that. Because a plain packet filter keeps no memory of previous packets, it cannot tell a legitimate reply from an unsolicited packet; that limitation is what stateful filtering, described later in this lesson, addresses.
Example
A company's security policy dictates that no traffic from the 24.234.0.0/16 network should ever be allowed to reach the Human Resources network, 24.235.0.0/16. The company implements layer 3 filtering to enforce this requirement.
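The following Python model of a stateless packet filter is an added example, not code from the guide or from any firewall product. It encodes the Human Resources rule from the example above as the first rule and adds a second, hypothetical policy of the kind described in the text: a web server (192.0.2.10, an assumed address) that only the 10.10.0.0/24 subnet may reach on port 80. Rules are evaluated in order, the first match wins, and anything that matches nothing is denied.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str            # source IP address
    dst: str            # destination IP address
    proto: str          # "tcp", "udp" or "icmp"
    dport: int = 0      # destination port (0 for ICMP)


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: str = "0.0.0.0/0"       # source network in CIDR notation
    dst: str = "0.0.0.0/0"       # destination network in CIDR notation
    proto: str = "any"           # "any" or a specific protocol
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        """A layer 3/4 filter only looks at addresses, protocol and port, never the payload."""
        return (
            ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
            and self.proto in ("any", pkt.proto)
            and (self.dport is None or self.dport == pkt.dport)
        )


def filter_packet(rules, pkt):
    """First matching rule decides; an implicit deny catches anything no rule mentions."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Hypothetical policy for the example: the HR restriction from the text, then the web server rules.
# Order matters: the specific permit must come before the broad deny for port 80.
POLICY = [
    Rule("deny", src="24.234.0.0/16", dst="24.235.0.0/16"),
    Rule("permit", src="10.10.0.0/24", dst="192.0.2.10/32", proto="tcp", dport=80),
    Rule("deny", dst="192.0.2.10/32", proto="tcp", dport=80),
    Rule("permit"),  # everything else is allowed here; a stricter policy would end with a deny
]


if __name__ == "__main__":
    samples = [
        Packet("24.234.5.6", "24.235.1.1", "tcp", 25),    # to HR: denied by the first rule
        Packet("24.234.5.6", "10.10.0.8", "tcp", 22),     # same source, not HR: permitted
        Packet("10.10.0.8", "192.0.2.10", "tcp", 80),     # allowed subnet to the web server
        Packet("10.20.0.8", "192.0.2.10", "tcp", 80),     # other subnet to port 80: denied
        Packet("10.20.0.8", "192.0.2.10", "tcp", 443),    # port 443 is not restricted
    ]
    for pkt in samples:
        print(f"{filter_packet(POLICY, pkt):6s} {pkt.src} -> {pkt.dst} {pkt.proto}/{pkt.dport}")
```

Notice that the filter has no idea whether a packet from the web server back to a client is a reply to a real request; it decides each packet on its own. That is the gap a stateful firewall closes.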
Proxy Servers
One method of protecting the resources on a network from attacks coming from a different network is to use a proxy server.
A proxy firewall forces all client applications on the workstations it protects to use the firewall itself as their gateway. The firewall terminates each connection and authorizes the traffic separately for each protocol, so it must contain a proxy for every protocol that is allowed through. Because the proxy understands the application protocol, it can inspect and reject requests that a packet filter would pass. Proxy firewalls can be slow, but they are very secure, and they also hide the internal addresses of the clients from the outside network.
Example
A company wants to protect its internal users from direct attacks from the Internet. They implement a proxy server between the Internet and the end users to accomplish this.
Stateful Filtering
Stateful filtering firewalls are also known as stateful inspection firewalls.
A stateful filtering firewall keeps a table of the connections it has seen and allows only packets that belong to a valid, known connection to pass. In practice this means that a client behind the firewall can initiate any permitted type of session, while clients outside the firewall cannot see or connect to a protected machine unless a rule explicitly allows it.
Example
A company wants to implement security between the Internet and the company computers, but the administrators are concerned about having to configure detailed layer 3 filtering and want a solution that is relatively fast. They decide to implement a stateful filtering firewall. This firewall allows computers on the inside of the private network to initiate connections to Internet resources. As each inside user begins a connection, the firewall records the session and allows the appropriate return traffic back to the inside host. If a conversation is initiated from the Internet, or if return traffic does not match what the stateful firewall expects, the inbound traffic is not allowed through.
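The example above can be traced through in code. The following Python class is an added illustration (not from the guide or any firewall vendor) of the connection table a stateful firewall keeps for TCP: an outbound SYN from the inside creates an entry, the outside host's SYN-ACK and later packets are admitted only if they match that entry, and a SYN arriving from the outside with no entry is dropped. The inside network 10.10.0.0/16 and the outside addresses are assumed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""    # TCP flags as letters: S=SYN, A=ACK, F=FIN, R=RST


class StatefulFirewall:
    """Tracks TCP sessions opened from the inside and admits only their return traffic."""

    def __init__(self, inside_net="10.10.0.0/16"):
        self.inside = ipaddress.ip_network(inside_net)  # assumed internal address range
        # (inside_ip, inside_port, outside_ip, outside_port) -> "SYN_SENT" or "ESTABLISHED"
        self.sessions = {}

    def _is_inside(self, ip):
        return ipaddress.ip_address(ip) in self.inside

    def process(self, pkt):
        """Return "permit" or "deny" for one packet, updating the session table as it goes."""
        if self._is_inside(pkt.src) and not self._is_inside(pkt.dst):
            return self._outbound(pkt)
        if self._is_inside(pkt.dst) and not self._is_inside(pkt.src):
            return self._inbound(pkt)
        return "deny"   # traffic that does not cross the boundary is not this firewall's business

    def _outbound(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if "S" in pkt.flags and "A" not in pkt.flags:
            self.sessions[key] = "SYN_SENT"     # an inside host is opening a new session
            return "permit"
        if key not in self.sessions:
            return "deny"    # a non-SYN packet with no session on record is not part of anything
        if "R" in pkt.flags:
            del self.sessions[key]   # a reset tears the session down immediately
        return "permit"

    def _inbound(self, pkt):
        # The table is keyed from the inside host's point of view, so swap the tuple.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        state = self.sessions.get(key)
        if state is None:
            return "deny"    # unsolicited: nobody inside opened this session
        if "R" in pkt.flags:
            del self.sessions[key]   # e.g. connection refused; the session is over
            return "permit"
        if state == "SYN_SENT":
            if set(pkt.flags) != {"S", "A"}:
                return "deny"    # the only other valid reply to our SYN is a SYN-ACK
            self.sessions[key] = "ESTABLISHED"
        return "permit"
        # A production firewall also tracks FIN/FIN-ACK teardown, sequence numbers and idle
        # timeouts so that abandoned entries do not linger; those are omitted here for brevity.


if __name__ == "__main__":
    fw = StatefulFirewall()
    exchange = [
        Packet("10.10.1.5", 40000, "203.0.113.9", 80, "S"),     # inside opens a web session
        Packet("203.0.113.9", 80, "10.10.1.5", 40000, "SA"),    # expected reply: permitted
        Packet("203.0.113.9", 80, "10.10.1.5", 40001, "SA"),    # wrong port: denied
        Packet("198.51.100.7", 33333, "10.10.1.5", 22, "S"),    # unsolicited inbound SSH: denied
    ]
    for pkt in exchange:
        print(f"{fw.process(pkt):6s} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} [{pkt.flags}]")
```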
Hardening
By default, network and end user equipment that is not configured correctly may give an attacker an advantage during an attack.
Network and end user equipment is never perfectly secure. When a system provides services, an attacker may leverage those services, and bugs are regularly found that introduce vulnerabilities. As a general rule, periodically check whether new vulnerabilities and security risks have been published for the systems you support; updating firmware or software usually removes them. Disable any known insecure protocols, and disable services and interfaces that are not used. Every access method to the system, local or remote, should be secured with the strongest authentication available, and access lists should restrict the sources from which access is permitted.
Example
A new network engineer is surprised to find that there are no passwords for Telnet access to any of the routers, and that he can telnet in from any location. To solve this, he disables Telnet and replaces it with Secure Shell (SSH), which encrypts the session rather than sending credentials in clear text. Implementing a one-time password system and an access list restricting the management hosts corrects the problem.
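As an added example (not part of the guide), the following Python script performs the checks from this section against a router configuration: it finds the remote-access (vty) lines and reports clear-text Telnet, a missing access list on the management interface, and weak or absent authentication. The configuration excerpt is constructed for the example in Cisco IOS syntax; the hostname, addresses and credentials are invented, and the script only recognizes the handful of commands it checks for.

```python
# Constructed running-config excerpt for the example. The first vty block is the
# "before" state from the text (Telnet, no source restriction, shared line password);
# the second is the corrected state (SSH only, login against local accounts, access-class).
SAMPLE_CONFIG = """\
hostname edge-rtr
ip domain-name example.com
ip ssh version 2
username netops secret 5 $1$abcd$invented
access-list 10 permit 10.10.5.0 0.0.0.255
line vty 0 4
 transport input telnet
 login
 password lab123
line vty 5 15
 transport input ssh
 login local
 access-class 10 in
"""


def parse_line_blocks(config):
    """Return {"line vty 0 4": ["transport input telnet", ...], ...} for every 'line' block.

    IOS indents the commands that belong to a line block by one space; the next
    unindented command ends the block.
    """
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None
    return blocks


def audit_vty(config):
    """Return a list of (block name, finding) tuples for vty lines that violate the baseline."""
    findings = []
    for name, cmds in parse_line_blocks(config).items():
        if not name.startswith("line vty"):
            continue
        transport = next((c.split()[2:] for c in cmds if c.startswith("transport input")), None)
        if transport is None:
            findings.append((name, "no explicit 'transport input'; the platform default may allow Telnet"))
        elif "telnet" in transport or "all" in transport:
            findings.append((name, "clear-text Telnet management is enabled; use 'transport input ssh'"))
        if not any(c.startswith("access-class") for c in cmds):
            findings.append((name, "no access-class restricts which source addresses may connect"))
        has_password = any(c.startswith("password") for c in cmds)
        if "login" in cmds and not has_password:
            findings.append((name, "'login' with no password set: remote access is not authenticated"))
        if has_password:
            findings.append((name, "line password is a shared secret in the config; prefer 'login local' or AAA"))
    return findings


if __name__ == "__main__":
    for block, finding in audit_vty(SAMPLE_CONFIG):
        print(f"{block}: {finding}")
```

The same pattern (parse the configuration into blocks, then assert the properties the baseline requires) extends to the other items in this section, such as unused interfaces that are not shut down or insecure services that are still enabled.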
Summary
In this lesson we learned several methods for firewall protection and system hardening.
Layer 3 filtering
Proxy servers
Stateful filtering
Next Steps
After completing this lesson, go to:
Intrusion Detection
Lesson Assessment
Case Study: ACME Inc.
ACME Inc. needs to provide security for its corporate headquarters. They are concerned about unauthorized people coming from the Internet and attacking or accessing corporate data on the company computers.
Q1) Which firewall techniques might they choose to provide the security they want?
Q2) What are the pros and cons of these types of firewalls?
Q3) Once the firewalls are in place, what else may be done on the workstations and servers to provide further protection?
Intrusion Detection Systems
Overview
This lesson discusses the use of Intrusion Detection Systems (IDS) to identify malicious traffic on a network.
Importance
If there is a network attack, or an attempt at one, it is important to be made aware of it. An IDS helps in this effort.
Objectives
Upon completing this lesson, you will be able to:
Identify the two main methods of intrusion detection implementation
Understand the pros and cons of each method
Learner Skills and Knowledge
To fully benefit from this lesson, you must have these prerequisite skills and knowledge:
Basic understanding of Local Area Networks (LANs)
Outline
This lesson includes these sections:
Overview
Host based intrusion detection
Network based intrusion detection
Summary
Assessment (Case Study): ACME Inc.
Host Based Intrusion Detection
The two main implementations of Intrusion Detection Systems (IDS) are host based and network based. Host based IDS is discussed here.
A host based IDS is installed on each device (usually key servers and workstations) and examines system calls, log entries, file changes and the traffic addressed to that specific host for signs of malicious behavior. One benefit of a host based IDS is that it sees all activity on the host without being blinded by encryption: the host decrypts SSL/SSH/IPSec traffic before the IDS inspects it. A host based IDS is also convenient in a switched network, because the host sees all traffic destined for it, while a network based IDS may miss that traffic due to layer 2 switching. The drawbacks are that it must be installed and maintained on every protected machine, it consumes resources on that machine, and an attacker who gains control of the host can tamper with it.
An IDS may be passive or active. A passive system only records and reports what it sees. An active system performs a specific task when triggered by an attack: responses may include sending one or more alarms, implementing access control mechanisms, launching a program, terminating the TCP session, logging the attack, sending a page or an email, and other options as implemented by the IDS developer.
Example
A company has four public servers that provide web content to Internet users. The firewall has been configured to allow the correct protocol and port, but the company is concerned that an attacker may launch an attack through that open port. They decide to implement host based intrusion detection on the public servers to protect those systems against such attacks.
Network Based Intrusion Detection
A network based Intrusion Detection System (IDS) is usually a dedicated appliance that analyzes all traffic passing through the network, looking for malicious traffic.
A Network Intrusion Detection System (NIDS) monitors packets on the network wire and attempts to discover whether a hacker is attempting to break into a system or cause a denial of service. A typical example is a sensor that watches for a large number of SYN connection requests to many different ports on a target machine, which indicates a TCP port scan. A NIDS usually runs on an independent machine, promiscuously watching all network traffic; on a switched network it needs a mirror (SPAN) port or a network tap to see traffic that is not addressed to it. One benefit of network based IDS over host based IDS is that a single sensor monitors many machines, whereas a host based IDS monitors only the machine it is installed on. The corresponding limitations are that a NIDS cannot inspect encrypted traffic and can be overwhelmed on a heavily loaded segment.
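The port-scan heuristic just described, written out as an added Python example (not code from the guide or from any IDS product): for each source and target pair the detector keeps the SYNs seen inside a sliding time window and raises an alert once they cover more distinct ports than a threshold. The packet records are constructed for the example and include a slow scan spaced wider than the window, which shows the kind of evasive sweep a fixed-window detector misses and why the window and threshold must be chosen deliberately.

```python
from collections import defaultdict, deque


class SynScanDetector:
    """Flags a source that sends SYNs to many distinct ports on one target inside a time window."""

    def __init__(self, window_seconds=10.0, port_threshold=15):
        self.window = window_seconds
        self.threshold = port_threshold
        self._recent = defaultdict(deque)   # (src, dst) -> deque of (time, dport), oldest first
        self._alerted = set()               # pairs already reported, so one scan gives one alert

    def observe(self, t, src, dst, dport, flags):
        """Feed one packet; return (src, dst, distinct_ports, window_start) on first detection, else None."""
        if flags != "S":
            return None     # only connection attempts count; replies and data packets are ignored
        key = (src, dst)
        q = self._recent[key]
        q.append((t, dport))
        while q and t - q[0][0] > self.window:
            q.popleft()     # forget attempts that have fallen out of the sliding window
        distinct = {port for _, port in q}
        if len(distinct) >= self.threshold and key not in self._alerted:
            self._alerted.add(key)
            return (src, dst, len(distinct), q[0][0])
        return None


def run_detector(events, **kwargs):
    """Replay (time, src, dst, dport, flags) records through a detector and collect its alerts."""
    det = SynScanDetector(**kwargs)
    alerts = []
    for event in sorted(events):     # order by timestamp in case the sensor buffered out of order
        alert = det.observe(*event)
        if alert:
            alerts.append(alert)
    return alerts


def constructed_events():
    """Constructed packet records standing in for sensor output (addresses are documentation ranges)."""
    events = [
        (0.5, "10.10.1.9", "203.0.113.9", 80, "S"),     # ordinary web session
        (0.6, "203.0.113.9", "10.10.1.9", 0, "SA"),     # its reply; not a SYN, so ignored
        (2.0, "10.10.1.9", "203.0.113.9", 443, "S"),
    ]
    # Fast scan: 20 ports on one host within two seconds.
    events += [(5.0 + 0.1 * i, "198.51.100.7", "10.10.1.5", 20 + i, "S") for i in range(20)]
    # Slow scan: one port every 12 seconds, wider than the 10 second default window.
    events += [(100.0 + 12.0 * i, "198.51.100.8", "10.10.1.5", 20 + i, "S") for i in range(20)]
    return events


if __name__ == "__main__":
    for src, dst, ports, start in run_detector(constructed_events()):
        print(f"ALERT: {src} probed {ports} ports on {dst} starting at t={start}")
```

Widening the window catches the slow scan but also raises the false-positive rate and the memory the sensor must keep per source; real NIDS engines tune both parameters and add other signals (for example the share of SYNs that never complete a handshake) to tell a scan from a busy legitimate client.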
As with host based IDS, a NIDS may be passive (recording and reporting only) or active (responding to an attack with the kinds of actions listed in the previous section).
Example
The Human Resources department wants to know if anyone is attempting unauthorized access to the departmental server. They would also like to detect any denial of service attacks against the server or workstations on the entire Human Resources network. A network based intrusion detection system is implemented to facilitate this.
Summary
In this lesson we discussed host based and network based IDS.
Host Based Intrusion Detection
Network Based Intrusion Detection
Next Steps
After completing this lesson, go to:
Organization
Lesson Assessment
Case Study: ACME Inc.
ACME Inc. has two DNS servers, six web servers and two email servers. They also have over 600 networked computers at their central site. They are using SSL for financial transactions on three of their web servers. They want to prevent attacks against their network. They have implemented firewalls and feel they are secure.
Q1) Would IDS be a good decision for them?
Q2) Which IDS solution, host or network, would be appropriate and why?
Q3) What is the risk of not using any IDS?
Organization
Overview
This lesson explains how to organize security policy and procedures.
Importance
The network or security administrator must know the options available when creating corporate policy and procedures.
Objectives
Upon completing this lesson, you will be able to:
Describe the components that make up Physical Security
Understand how Environmental Security plays a role in a secure infrastructure
Describe appropriate disaster recovery procedures and vulnerabilities
Describe how Business Continuity plans are necessary to ensure ongoing operations
List important Policies and Procedures companies implement to mitigate security threats
Describe how Honey Pots and Honey Nets are used to catch attackers and monitor unauthorized access attempts
Learner Skills and Knowledge
To fully benefit from this lesson, you must have these prerequisite skills and knowledge:
Basic understanding of networking and data communications
Outline
This lesson includes these sections:
Overview
Introduction
Physical Security
Environmental Security
Disaster Recovery
Business Continuity
Policy and Procedures
Honey Pots and Honey Nets
Summary
Assessment
Introduction
This section addresses the goals for organizing a secured environment.
Your networking environment consists of many outposts that can pose security risks and be the cause of many issues. Security is more than just creating usernames and passwords: it is the process of identifying and addressing security as a whole. This requires an in-depth view of your entire network, including the actions of the people who work in it every day.
Documenting the existing security procedures, from a high-level view down to detailed procedures, is important. However, it is just as important to understand good security versus bad, and what types of problems you may face. From this knowledge, the next step is to create the policies and procedures that will help ensure adherence to a secured environment.
This final task cannot be performed in a vacuum. It requires expertise from the human resources department and the legal team. No policy is enforceable unless the management team agrees to it, and no security policy can be followed if it is not understood. You will find that training the users of your network is a critical task in accomplishing your goals.
Organizing all the information, creating and organizing the documentation, and getting the documentation approved will pay off when you have a secured network.
Physical Security
This section introduces the locked-door concept of security. Restricting physical access is the first issue.
For decades, the intrusion of non-authorized personnel into a computer environment has been one of the most feared types of security weakness. Once an intruder has physical access to a system, the data on it is effectively theirs.
Compromising physical security can be devastating: if an intruder can touch your server, the intruder has complete control over it. The good news is that many techniques and products will prevent unauthorized access. The problem occurs because people, the most critical factor, are often overlooked. As Kevin Mitnick pointed out in his book The Art of Deception, the true security problem is the human factor. Mitnick wrote, "Security is not a technology problem, it's a people and management problem." Mitnick, one of the most notorious hackers, could get into the most complex system simply by making a series of phone calls, and gain access within minutes. Mitnick defeated millions of dollars worth of physical security by manipulating people rather than penetrating the system.
The goal of physical security is to reduce the odds of an intruder (external or internal) gaining access to your data, whether accidentally or maliciously. By restricting physical access, you can prevent someone from picking up your computer and walking out the door. This scenario may seem unlikely, but physical security breaches cost billions of dollars every year.
For example, an intruder in Phoenix, Arizona, raided small doctors' offices, primarily dentists. The burglar evaded the door security by entering through the roof and crawling through the ceiling. He would then lower himself down to the server and snatch it. Police were confounded as to why the only theft was the computer, but discovered that the invoicing application on the server held all of the patients' information, such as credit card, social security, and address information. The burglar was using this information for identity theft. This simple example can be taken to much higher levels in terms of attacking larger and more complex systems.
Your physical security should protect your network from every form of physical attack you can reasonably anticipate. To accomplish this goal, you need to view your network as a whole and make sure you leave no weaknesses behind.
For additional information, go to:
http://www.cybercrime.gov/
http://www.nipc.gov/
Access Control
This section addresses the security principle of controlling security by limiting the people who can have access.
Access control is the process of deciding who can access the system and what they are permitted to access. In addition, you should record when they accessed the system and why. Access control is more than preventing certain people from having access: you must also record every access that occurs. With that record, you can determine whether a security problem has occurred and, possibly, who created the breach. Toward this goal, many technologies will log access to a hardened computer center, recording each individual's entry to and exit from the facility for reporting purposes. Each access attempt generates an event that you can review later in the report.
Controlling access can be as simple as placing your valued servers in a locked closet. More secure environments require keycards or code locks on the doors.
For example, a computer room may have an automatically locking door that requires a keycard for access. Every time the card is swiped, a database records it to keep track of who entered and when. In addition, the room should have the same security alarm features as the rest of the building, such as motion detectors and magnetic door contacts. Some server rooms include a camera or a row of windows so that whoever is in the computer room is always being observed.
The goal of access control is to document the staff and personnel who should have access to the network and the type of access they should be able to exercise.
Physical Barriers
This section examines methods of barricading your network to prevent unauthorized access.
After access control has been defined, the next task is to physically deploy methods to stop unauthorized intruders.
A standard hollow-core door will deter casual entry, but someone who truly wants access may be able to kick it down. You should place well-constructed walls around your server area.
Since the terrorist attacks in the United States on September 11, 2001, a new interest in physical barriers has sparked an entire industry. Protective storage mechanisms range from small safes for important backups and documents to large vaults that house the entire computer center. Each of these provides a strong preventative measure against unauthorized access.
The challenge for the company is to determine the cost versus the benefit. You have to decide whether constructing a fireproof vault is economical for the company. Consider the ability of the IT staff to recover from an incident. If the computers are destroyed, can you purchase new ones, restore your data, and recover quickly? If so, the physical barriers become more about keeping people out than about disaster prevention. Physical barriers against human access are much more affordable: they may consist of a simple locked room. You can add a barrier layer by placing your desk in front of the door and restricting access to only those that you approve.
Biometrics
This section addresses implementing a secured physical barrier that permits easy access for authorized personnel.
The process of gaining access to resources can often be challenging for administrators and end users. The challenge is passing through the security layers efficiently, in a way that neither confuses end users nor prevents them from having the access they require.
While trying to control physical access and logical (electronic) access, the administration team often makes the process so cumbersome that countless minutes are wasted moving from one secured level to the next. A door with a row of locks requiring different keys may be great prevention, but it seriously interferes with those who should have access.
The task of combining strong locking with ease of access has fallen to the biometrics companies. Their goal has been to create locks that are extremely hard to defeat but that allow quick access to those who are authorized. The problem biometrics set out to solve was to create keys that cannot be lost, duplicated, misplaced, or loaned to someone else.
Biometrics puts a new twist on the lock and key methodology. Computers can now identify a person directly through technologies such as retinal scans, voice recognition, hand and finger geometry recognition, face recognition, vein pattern recognition, and many others.
Biometric lock and key mechanisms permit authorized access quickly and efficiently while preventing unauthorized access. Keep in mind that no biometric system is perfect: each has a false acceptance rate (letting the wrong person in) and a false rejection rate (locking the right person out), and the sensitivity threshold trades one off against the other, so it should be tuned to the value of what is being protected.
These systems are tied into a central database that keeps a record of everyone who has passed through, including those who tried and failed. Using this information, an administrator can determine when a security breach occurred and possibly identify the person.
For additional information, go to:
http://www.ibometrics.org/
http://www-1.ibm.com/industries/government/doc/content/solution/371315109.html
Environmental Security
Unfortunately, physical attacks on your network are not the most common. Environmental or over-the-network attacks are the greater threat.
Physical intruder access is only part of the total security picture. An intruder would rather copy your data from the safety and comfort of home than attempt a highly risky theft of your server. Until recently, copying data was not necessarily illegal, as the laws protecting digital data had not been created.
The process of manipulating a security system to gain computer access is known as hacking. Hacking involves both the electronic process of breaching a computer system and a human factor. If an intruder, pretending to be an administrator, calls a receptionist and is given the new password to the network, the intruder has successfully hacked the security system by manipulating the human process.
Hacking is also the electronic breaching of a system: an intruder gains access through poorly chosen usernames and passwords, lack of security, security holes, or poor administration.
Environmental security can also affect your network in other ways. A computer that fails because it has gotten wet or too hot is just as useless as one that has been hacked. You might also experience unexpected environmental attacks, especially if you are using wireless network connectivity.
Wireless Cells
A new area of environmental security targeted by the hacking community is wireless networking and cellular phones.
If a hacker is monitoring your cell phone call when you give a junior administrator the system password, the hacker has access to your system. Even if you have no outside physical lines of communication for your network, wireless networking components act as a giant radio station, broadcasting your network data to anyone within range of the signal.
While digital cell phones and wireless networks keep improving their encryption, the hacking community has repeatedly defeated the protection shipped with these products using nothing more than packet-sniffing tools.
You must practice careful and secured implementation of wireless technologies. Each manufacturer of wireless networking equipment provides instructions for setting up secured networking, though not all of them provide the highest level of security. It is the administrator's responsibility to understand the implications of installing wireless networking and to purchase the right equipment to meet the security model. A sound precaution is to treat the wireless segment as untrusted, placing it outside the firewall or behind a VPN rather than directly on the internal LAN.
Location
This section addresses the issues surrounding the physical placement of your equipment.
The location of your network servers can have a dramatic effect on their lifespan and performance. Placing a server too close to an air conditioning or heating unit, or any other large machine, can cause unusual and difficult problems.
Servers should never be in direct sunlight, which causes heat problems, and they should not be located anywhere they are in danger of becoming wet or damp. Subtler problems stem from running network cables parallel to fluorescent lamps (a source of electrical interference) or placing heavy machinery near the computer center.
Make sure that you do not locate your servers and networking equipment where they are easily accessible. Placing your network servers near an outside window makes them a tempting target for thieves. Internal theft may also be a factor, so be sure to use good physical security to prevent access.
Copyright © 2003 KnowledgeNet.com, Ìnc. All rights reserved. Hardening 3-53
Shielding
This section covers a type of attack completely unexpected by most administrators.

Computers generate a tremendous amount of radio frequency interference (RFI). People have been known to complain because RFI can cause headaches, eyestrain, and other symptoms that make a difficult working environment. Hackers have also been very successful in using RFI to breach security.

It is very simple for hackers to create a device that allows them to see everything that occurs on a nearby computer. They can see if someone reads an important document, accesses the network, types in passwords, and so on. The hacker can collect this information without anyone knowing. For this reason, the concept of shielding computers and cables, and reducing the RFI, has become a common security measure.

Shielding from RFI can be accomplished in many ways. Some computers are manufactured to provide shielding. Special cables can be purchased that provide security, and you can even build special shielded rooms to provide containment for the entire computer center.

Most often, military applications will use shielding of computers and special rooms, but it is very expensive, and the cost exceeds the benefit for most companies.
Fire Suppression
Fire is a tremendous security threat in that it can quickly destroy the data you have worked so hard to protect.

One of the worst onsite disasters is fire. Fire will quickly destroy a computer room and all the data stored inside. If the flames and heat do not do the damage, the smoke will. Even a small fire in the computer room can quickly destroy an entire corporation.

With all the electrical components, the huge amount of power, the heat, and battery acid from backup batteries, the computer room is a very dangerous place. If a fire breaks out, suppressing the fire becomes a primary goal, but only trained fire prevention personnel should attempt to control a fire. Everyone else should leave the building immediately and call the fire department. Under no circumstances should computer staff attempt to put out a fire.

Most computer rooms contain one or two fire extinguishers and you may be tempted to use them; however, for anything larger than a lit match, the administrative staff should let fire-fighting professionals handle the situation. Nothing in the computer room is worth your life.

The key is to plan for a fire and take measures to prevent major damage and loss. The most common method is the use of fire suppression equipment. This usually involves installing special equipment that will rapidly seal the room and release a gas that suppresses the fire. Sprinklers are not a good option for a computer room, because they will do more damage than good, and they can even make an electrical fire more hazardous.

Computer fires are difficult to manage and an ordinary extinguisher will not do the trick. You need a fire extinguisher that can suppress an electrical fire, usually a Class C extinguisher. Computer rooms that contain batteries may also face a chemical fire, so make sure your extinguisher is rated for these if a chemical fire is a possibility.

The best suppression is a system of gas release nozzles that removes the oxygen from the room and quickly extinguishes the fire. Systems such as Halon, FM-200, and Inergen are designed to handle the complex nature of computer fires. A small fire can be extinguished, leaving the remaining equipment still functioning. This provides a rapid response to any fire situation until the fire-fighting professionals can arrive. These systems can be expensive, but they pay for themselves the first time they are used.
Disaster Recovery
This section discusses recovering from a security breach or disaster.

Once a security breach or a disaster occurs, the major focus should be getting the company back to a position to conduct business. You should plan for recovery ahead of time, not after a disaster has occurred. This means that the administration team needs to anticipate the types of breaches and disasters that can occur, and create recovery procedures for each scenario.

The time and money spent on a recovery plan is solely dictated by the value of your data. If you can live without something, then you do not need to prevent its loss. This is rarely the case, and the cost of losing even 10 minutes worth of data can place some companies at grave risk of survival.

Balance the potential monetary loss with the cost of the equipment and procedures needed to recover. Is your corporate data worth a $5000 backup device?
Backups
This section discusses using a backup as a recovery method.

The most common practice to recover from a data disaster is making a backup copy of the data. This can be done with a backup tape, CD-RW, another hard drive, or diskette. Regardless of the format of the backup, the process of backing up should be done nightly by the administration team.

There are several backup strategies to help ensure that you have a complete copy of your data, regardless of the size or number of servers. Third-party software packages, along with flexible backup devices, can be used to scale to any solution desired.

A backup strategy should be determined early. This is a description of what data should be backed up and how often it should occur. Be sure to document the catalog method and how the data sets are stored and retrieved, so the proper backup can be retrieved if needed.

What most administrators forget is that it is not as important to back up data as it is to be able to recover data when a disaster hits. Testing a restore procedure is critical. This will help ensure that you are properly backing up the data expected and that the equipment and software function correctly. Make sure to have a restore plan in place, and test that plan at least once a month.
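The restore test described above, as an added example that is not part of the original guide: a backup is written with a SHA-256 manifest (its catalog), then restored into a scratch directory and every file is compared against the manifest. The directory layout, file contents and archive name are constructed for the example, and the damaged-archive case is simulated by truncating the file.

```python
"""Added example (not from the KnowledgeNet guide): build a backup archive
with a SHA-256 manifest, then prove the backup can be restored by extracting
it elsewhere and comparing every file against the manifest. All paths and
file contents below are constructed for the example."""

import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source: Path, archive: Path) -> dict:
    """Write a .tar.gz of `source` and return {relative path: sha256}.
    The manifest is also written beside the archive so the backup set
    carries its own catalog (the guide's 'catalog method')."""
    manifest = {
        str(p.relative_to(source)): sha256_of(p)
        for p in sorted(source.rglob("*")) if p.is_file()
    }
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(source / rel, arcname=rel)
    manifest_path = archive.parent / (archive.name + ".manifest.json")
    with manifest_path.open("w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return manifest


def verify_restore(archive: Path, manifest: dict) -> list:
    """Restore the archive into a scratch directory and return the list of
    files that are missing or whose hash differs. An empty list means the
    restore test passed; this is the step the text says most admins skip."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            tar.extractall(scratch)  # restore into an isolated location
        for rel, expected in manifest.items():
            restored = Path(scratch) / rel
            if not restored.is_file():
                problems.append(f"missing: {rel}")
            elif sha256_of(restored) != expected:
                problems.append(f"corrupt: {rel}")
    return problems


def demo() -> tuple:
    """Create a constructed sample data set, back it up, then run the restore
    test twice: against the good archive and again after the archive has been
    damaged, so both outcomes of the check are shown."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "data"
        (src / "payroll").mkdir(parents=True)
        (src / "payroll" / "q3.csv").write_text("emp,amount\n101,4200\n")
        (src / "notes.txt").write_text("constructed sample file\n")

        archive = Path(work) / "nightly.tar.gz"
        manifest = make_backup(src, archive)
        good = verify_restore(archive, manifest)

        # Simulate media damage: truncate the archive, then re-run the test.
        with archive.open("r+b") as f:
            f.truncate(20)
        try:
            bad = verify_restore(archive, manifest)
        except (tarfile.TarError, EOFError, OSError):
            bad = ["archive unreadable"]
    return good, bad


if __name__ == "__main__":
    print(demo())
```

The restore always goes to a scratch location rather than over the live data, so the monthly test can run without risk to production; a non-empty result is the signal to stop trusting that backup set.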
Off-Site Storage
This section covers data preservation in the event of a disaster.

When a disaster hits, the most important procedure to have is for data recovery. You may also need new computers and new hardware, but recovering the data quickly is paramount to the company's survival. To do this, administrators need to plan and test their recovery options.

If a disaster occurs, it could possibly destroy your backup tapes. Many administrators take a set of backup tapes home with them each night for just this reason. This is inexpensive, but it is not considered secured, reliable, or the best practice. Like any backup strategy, you want a series of backup sets available offsite.

Several companies provide the service of storing your backups offsite for you. They will manage the tape sets for you; all you need to do is ship them the tapes. Some vendors will even back up your data over the Internet in a secured fashion. This eliminates the need for tapes, tape devices, and complex restore strategies, as the vendor takes care of everything for you. This is an excellent method for branch offices without an administration team that can perform the backup.

From a security standpoint, having a professional offsite storage service is an insurance policy against employee theft. It avoids the great danger of having the company's data rest solely on a single individual.
Secure Recovery
This section identifies the issues of keeping your data secured.

Most administrators ignore the options of password protecting or encrypting their backup data because of the increased time it takes to perform the backup process. The software may or may not even support such features.

Secured recovery ensures that only authorized personnel can use the backup medium to restore information. When the backup is properly configured with a password, or even data encryption, the information on the backup cannot be read unless that password and encryption key are used to open the backup. This helps prevent someone from viewing your data.

The professional offsite establishments will also have such a procedure. You must make sure that none of their employees can randomly view your data, so check to make sure the backup company supports the use of passwords and encryption.
Alternate Sites
This section examines the use of alternate sites to protect the company's data.

Another option for backup storage and disaster recovery is to maintain alternate computer sites. This involves keeping an up-to-date computer center in a different location so that in the event of an emergency, the alternate site can take over with virtually no business downtime.

This is obviously an expensive proposition, but it is an option for companies that must have uptime reliability. Many financial institutions use alternate sites as a means to test backup restores and prevent downtime during critical business hours. It is expensive, but it is a viable solution for critical operations.
Disaster Recovery Plan
The administration team must create and follow a well-founded disaster recovery plan.

Even the simplest, most innocent mistake, such as one of the administrators cleaning a directory and deleting the wrong files, can become a critical disaster situation. Building a clear and concise plan to deal with these situations is the greatest challenge administrators face.

Disaster recovery is based on the value of not only your data, but also your business. If a server goes down because of a bad video card, the fact that users cannot access this server may cause just as much lost revenue as if you had lost the data. Disaster recovery is about downtime as much as data recovery.

A disaster recovery plan should contain every possible disaster case that the administration team foresees. You should plan for everything from deleted directories to hard disk failures to fires. Systematic recovery measures should be documented, along with an estimated time of recovery. Once these procedures are created, they should be extensively tested in a secure environment.

Management should then approve these finished procedures. This makes them aware of the fact that clear recovery guidelines are in place, and it allows them to check for any issues relating to human resources or the legal department.
Business Continuity
This section covers the considerations that should be taken with regard to the company's ability to do business in the event of a disaster.

The purpose of a disaster recovery plan is to provide for continuation of the business in the event of an emergency. Once again, the cost of this proposition must be balanced with the cost of downtime. While some companies can handle an hour or two of downtime, others would be gravely affected.

Armed with the knowledge of acceptable downtime, the administration team can make decisions on how to handle certain events. The balance must always be with regard to the operations of the business. When considering the purchase of equipment and software, always consider the impact of the new purchase on the following:

- Will this cause any downtime?
- Will this help prevent downtime?
- Is this easily supported by internal staff?
- Is this supported in the industry? Are there patches or upgrades available?
- Is there better equipment that is more reliable?
Utilities
This section addresses business continuity in relation to external utilities.

One of the basic requirements for any computer center is electrical power. When commercial power fails, how will your business react? Most computer centers use battery backups, but these only provide an electrical supply for a short period of time. They are best used to help condition the electrical power in case of brownouts or spikes, and to provide enough electrical power to keep the computers running just long enough to properly shut them down.

Most battery backup devices will only provide a few minutes of sustained power, which is just long enough for the administrative team to react. They are generally not designed to keep the computer center running for days without commercial power. That sort of power backup requirement requires the addition of auxiliary power.

Auxiliary power is a power generation station that can detect when commercial power fails, and then engage to generate its own electricity. It usually takes a minute or two for the generators to start, so battery backup units run temporarily to keep the computers running until the auxiliary power has become available. While auxiliary power generators can be large units stored in their own separate building, smaller portable units can be used for small power applications. The size of your computer center determines which is best.
High Availability/Fault Tolerance
This section examines methods that can prevent a single server failure from disrupting business operations.

End-users need access to applications and data stored on your server to perform their jobs. One common way to help ensure they have that access is to prevent a server failure from becoming an emergency situation. You can maintain high availability by adding fault tolerance to computer systems.

High availability is the amount of uptime required for a server over a one-year period. The standard for high availability is 99.999 percent uptime. This means that the server can only be down for about 15 minutes a year.

No ordinary stand-alone server will be able to guarantee this uptime. If a video card or hard drive should fail, the server will be down as long as it takes you to replace it. To prevent this, fault tolerance features can be used. Basically, you must double, triple, or even quintuple hardware in case of a failure. Hard drives have had several fault tolerant features for years, such as disk mirroring and RAID 5. These features allow a hard disk to fail without losing data or causing the server to go down.

Another fault tolerant feature becoming common for high availability systems is server mirroring, or clustering. This is where two or more servers will act as one. If a server should fail due to a hardware problem, the other server takes its place. As far as the end-user is concerned, the system has never gone down. Using these features is how the 99.999 percent uptime is achieved.

It is currently impossible to guarantee 100% uptime and no data loss. Until it is possible, you must make sure that data is protected, not only from a hardware failure, but also from viruses and worms that could affect it. To do so, use backup software and devices to back up your data and system.

There are many different types of backups; the most common is magnetic tape. It provides a large storage capacity, ease of change, and relatively low cost. In addition, there are other types of backup medium to suit specific needs, such as CD-ROM, DVD, hard drive to hard drive, and new technologies such as volume shadowing.

Keep close track of new technology, as smarter "self-healing" servers start becoming available. These servers have completely redundant internal systems, and can switch to this hardware if a problem is detected.
Policy and Procedures
This section covers the type of documentation that should be prepared and updated.

To facilitate a secured and efficient working environment, it is common practice to create a set of policy guidelines regarding acceptable network use. These often entail the "rules" of the network and security guidelines. It is important that both the administration team and management have agreed to these policies and their implementation.

Once the policies have been agreed to, the next step is the creation of the procedures to maintain those policies. Procedures should outline the exact steps to create, back up, and remove end user accounts, set security options, implement a disaster recovery plan, and so on. One of the most important procedures is the implementation of a security policy.
Security Policy
This section examines developing a security policy.

A security policy lets management and the administration teams determine the proper use for the network, and set standards for acceptable and unacceptable activities. Building a security policy can be a daunting task; however, there are several documents that can assist in the process.

One such document is the U.S. Patriot Act (H.R. 3162). This document, along with the ensuing court battles, has broadened the legal responsibilities of the computer center administration team. Some of the additional responsibilities of companies that provide Internet access include administrative logging procedures. Other documents can assist in building a security policy and acceptable use policy.
Users Security Handbook (RFC2504)
This section focuses on the end user security handbook.

This guide, along with the Site Security Handbook, provides guidance to both end-users and administrators of computer systems to help keep their networks secure.

The Users Security Handbook can be found on the Internet by performing a search on RFC2504. It is currently broken into three sections. Part One is primarily a guide to end-users about communication privacy and security. Part Two concerns corporate users in small to large computer environments. The third section is primarily for home users and small system administrators.

This document discusses what to watch for regarding security and provides a great foundation for building the end-user documentation. It helps the end user understand what the security risks are, without giving them any ideas. It explains symptoms for them to be aware of, and offers guidelines for notifying system administrators.

While this document is a foundation, you can use it as a framework for end-user education at your own company. By adding your own network-specific information and removing pieces that you do not want the users to have, you can quickly build a substantial end user document.
Site Security Handbook (RFC2196)
This section examines documents specifically intended to help administrators with site security.

The Site Security Handbook is a guide to help administrators build a security policy and procedure guidelines. It covers a wide area of technical specifications and provides a great foundation for a security plan.

The document covers areas such as risk assessment, building a good security policy, firewalls, authentication, confidentiality, and how to handle a variety of incidents. It can be used to assist in the education of management, as well as the administration team.

Use this document, along with the Users Security Handbook, as a framework for building security policies. Modify it to include your network-specific information and policies. Use the following pages as a template to add the specific guidelines that you determine for your system.

The most important factor in this document is the ever-changing environment that our computer systems operate in, and the need to update, review, and enhance this new document as you move forward. Your document should reflect changes as new security threats occur, and you should document any policy changes you make to counter them.
Acceptable Use
This section discusses the creation of an Acceptable Use Policy.

Part of the overall security policy is the acceptable use policy. This is usually a corporate statement to employees regarding what is considered acceptable use of the computer, network, and email facilities of the company.

Many times, the acceptable use policy is created under the careful eye of the Human Resources department. It may seem strange that a security policy to prevent hacking includes Human Resources, but acceptable use includes the enforcement of sexual harassment laws and discrimination policies. Employees should be aware of the company's view on email practices and Internet download restrictions.

The distribution of the acceptable use policy may even take place with Human Resources as part of their new hire policy and retraining of employees. The importance of this document is paramount. Explaining to employees the company's policy on right to privacy, ownership of intellectual property, and email monitoring can actually help employees better understand what the company deems acceptable. Because of the obvious legal ramifications, the HR department has often already prepared a similar document, and you may simply need to add network-specific information.

Many of the legal acceptable use policies regarding security and privacy issues can also be gleaned from the current version of the U.S. Patriot Act.
Due Care
This section covers the complex and ever-changing issue of "due care."

Protecting your own network is not enough. Protecting your network from being used as a tool by others for malicious intent is now your legal responsibility. Due care is the process of recording and monitoring all security violations, and attempted violations, so that the information can be used in forensic analysis when tracking a malicious user. This user does not need to be an employee; he or she could be an unknown hacker from the Internet.

The administration team is legally responsible to properly follow the due care policies established by the United States Government. There are several web sites that can get you started on creating procedures for due care, and some even have tools to help. www.cisecurity.org is one such web site that has a series of benchmarking tools to provide information about your system and the levels of due care acceptability.

Much discussion is happening about the penalties for unacceptable due care. As an administrator, if you do not provide, or attempt to provide, acceptable due care for your network, you may face a series of federal charges.

Remember, if your network is compromised by a hacker, and is then used to compromise another computer system, your network has been used as a tool to assist the hacker. It is becoming the responsibility of the administration team to be able to provide logging information to investigative teams.

Current court cases have not established a clear guideline at this time, but it is prudent to continue monitoring information on the subject. Many current ISPs deal with due care on a daily basis. If one of their connections is used in the theft of credit card numbers, the ISP is now required by law to provide a complete logging trail of the hacker. Failure to comply could mean that someone from the administration team goes to jail. This is starting to apply to any company that connects to the Internet.
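The "recording and monitoring" side of due care, as an added example that is not part of the original guide: a small hash-chained audit log in which each entry commits to the entry before it, so that a record handed to investigators can be checked for later editing, plus a simple monitor that flags sources with repeated failed logins. The event records, timestamps and addresses (RFC 5737 documentation ranges) are constructed sample data.

```python
"""Added example (not from the KnowledgeNet guide): a hash-chained audit
log for recording security violations and attempted violations, so that
the trail can be handed to investigators and any later edit is detectable.
The events below are constructed sample data."""

import hashlib
import json

GENESIS = "0" * 64  # previous-hash value for the very first entry


def _digest(prev_hash: str, record: dict) -> str:
    """Hash the previous entry's hash together with the canonical JSON of
    this record, so each entry commits to everything written before it."""
    payload = prev_hash + json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


def append_event(log: list, ts: str, source: str, event: str, detail: str) -> dict:
    """Append one event; the entry stores its record, the previous hash and its own hash."""
    prev = log[-1]["hash"] if log else GENESIS
    record = {"ts": ts, "source": source, "event": event, "detail": detail}
    entry = {"record": record, "prev": prev, "hash": _digest(prev, record)}
    log.append(entry)
    return entry


def verify_chain(log: list) -> tuple:
    """Return (ok, index_of_first_bad_entry). A modified, removed or
    reordered entry breaks the chain from that point on; -1 means intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry["hash"] != _digest(prev, entry["record"]):
            return False, i
        prev = entry["hash"]
    return True, -1


def repeated_failures(log: list, threshold: int = 3) -> dict:
    """Count failed logins per source; sources at or above the threshold are
    the ones to escalate. This is the monitoring half of due care."""
    counts = {}
    for entry in log:
        r = entry["record"]
        if r["event"] == "login_failed":
            counts[r["source"]] = counts.get(r["source"], 0) + 1
    return {src: n for src, n in counts.items() if n >= threshold}


def demo() -> tuple:
    """Build a constructed log, check it, then show that editing a past
    record is caught by the chain verification."""
    log = []
    events = [  # constructed sample events
        ("2003-06-01T02:14:07Z", "192.0.2.10", "login_failed", "user=root"),
        ("2003-06-01T02:14:09Z", "192.0.2.10", "login_failed", "user=admin"),
        ("2003-06-01T02:14:12Z", "192.0.2.10", "login_failed", "user=administrator"),
        ("2003-06-01T08:02:55Z", "198.51.100.7", "login_failed", "user=jsmith"),
        ("2003-06-01T08:03:20Z", "198.51.100.7", "login_ok", "user=jsmith"),
    ]
    for e in events:
        append_event(log, *e)
    intact = verify_chain(log)
    suspects = repeated_failures(log)
    # Someone edits the trail after the fact; entry 1 no longer matches its hash.
    log[1]["record"]["detail"] = "user=jsmith"
    tampered = verify_chain(log)
    return intact, suspects, tampered


if __name__ == "__main__":
    print(demo())
```

The chain only makes edits detectable; it does not stop them. In practice the last hash is copied periodically to a place the administrators of the logged system cannot write (printed, mailed, or stored with the offsite backups), which is what gives an investigator confidence in the trail.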
Privacy
This section discusses issues that revolve around the complex legal issue of privacy.

Establishing privacy rules is no longer the complex, legal entanglement that it used to be. Because of the U.S. Patriot Act of 2001, corporate employees can no longer claim privacy for such things as email and files stored on a local hard drive. Most corporations today will spell this out clearly in their acceptable use or security policies.

It is important that management and the administration team understand the privacy laws for corporate America. It is also just as important that employees be made aware of their rights (of which there are very few left) regarding the use of corporate networking resources. Because of the important process of due care, employees can be monitored on the network, including the information they send in emails. If an employee violates corporate acceptable use or security policy, the administration performing due care has a responsibility to report this to management.

The benefit to administrators is that use of monitoring software, email interception software, web URL analysis software, and other tools is permitted. These tools no longer violate privacy laws, and their use is now encouraged under the laws governing due care.

Note: It is best to consult with management and an attorney specializing in privacy laws before establishing and publishing new policies. The laws are difficult to understand, and change often.
Separation of Duties
This section covers a common security safeguard referred to as separation of duties.

One of the most common security procedures in larger corporate environments is the concept of separation of duties and "need to know" policies. The separation of duties restricts security access by job role, which also restricts the possibilities of computer crime. A single person or small group of staff is responsible for specific security duties. This also clearly marks responsibility.

An administration team may consist of enterprise administrators with security access to the entire network, and sub-administrators that only have access to portions of the network under restricted security access.

An example is a sub-group of administrators that have the ability to create and manage new user accounts, but do not have the ability to manage the users' email or set specific security permissions. Only an enterprise administrator has the role (and permissions) of deleting accounts or monitoring email. This separation of duties helps to ensure that mistakes are not made by junior administrators, and clearly lays the bulk of the responsibility on the most trusted administrative personnel.

Many management tools are provided for administrators to meet this role-based administrative control. For example, Windows 2000 and Server 2003 from Microsoft use Active Directory to permit the separation of duties for administrators.
Need to Know
This section examines creating a security boundary through restriction of information.

"Need to know" is the concept of compartmentalization of information. Who really needs to know the enterprise administrator's username and password? The answer is a list of need-to-know personnel. These people then become responsible for the information. If separation of duties has been properly developed, then the pattern of "need to know" will probably align with the separation of duties. Administrators, and users for that matter, who have a proven need to know can be given access. Anyone else should be restricted from access. This does not only apply to administrative duties, but to information access overall. Users should not just be given a blank check to the information stored on the network.

The process of determining need-to-know access should be the foundation of security permission assignment. An example would be access to payroll information. Should the Sales group really have access to this? Probably not, so the information should be stored in its own directory, with permissions that only permit the accounting staff to access it.

This concept has been used recently to change the installation properties of Microsoft's Server 2003. Unlike previous versions, which installed with an open system and open default permissions, Server 2003 now installs as a closed system, completely locked down. The administrator is required to determine "need to know" and permit access.
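The two ideas from the Separation of Duties and Need to Know sections above, modelled together as an added example that is not part of the original guide: roles carry only the duties their job requires (sub-administrators create accounts, only enterprise administrators delete them or monitor mail), and each directory lists the roles that need it, with a more specific directory overriding its parent and anything unlisted denied, the closed-by-default behaviour the text attributes to the Server 2003 install. All role, user, duty and path names are constructed.

```python
"""Added example (not from the KnowledgeNet guide): a deny-by-default
authorization check that models separation of duties and need to know
together. Every role, user, duty and path below is constructed."""

from pathlib import PurePosixPath

# Separation of duties: a role carries only the operations its job requires.
ROLE_DUTIES = {
    "enterprise_admin": {"account.create", "account.delete", "mail.monitor", "perm.set"},
    "sub_admin": {"account.create"},   # can create, cannot delete or monitor mail
    "accounting": set(),               # ordinary users hold no administrative duty
    "sales": set(),
}

# Need to know: each directory names the roles that require it. A more specific
# directory overrides its parent, and a path with no entry at all is denied.
NEED_TO_KNOW = {
    "/data/public": {"enterprise_admin", "sub_admin", "accounting", "sales"},
    "/data/payroll": {"accounting"},
    "/data/sales": {"sales", "accounting"},
    "/data/sales/commissions": {"accounting"},  # narrower than /data/sales
}

USER_ROLES = {
    "alice": {"enterprise_admin"},
    "bob": {"sub_admin"},
    "carol": {"accounting"},
    "dave": {"sales"},
}


def can_perform(user: str, duty: str) -> bool:
    """True only if one of the user's roles has been assigned this duty.
    Unknown users have no roles and are therefore denied."""
    return any(duty in ROLE_DUTIES.get(role, set())
               for role in USER_ROLES.get(user, set()))


def _rule_for(path: str):
    """Walk from the path up to the root and return the first (most specific)
    need-to-know entry, or None if nothing along the way is listed."""
    p = PurePosixPath(path)
    for candidate in (p, *p.parents):
        rule = NEED_TO_KNOW.get(str(candidate))
        if rule is not None:
            return rule
    return None


def can_read(user: str, path: str) -> bool:
    """True only if the most specific rule covering `path` names one of the
    user's roles. An enterprise administrator is not on the payroll list:
    administrative duty and data access are decided separately."""
    rule = _rule_for(path)
    if rule is None:
        return False
    return bool(USER_ROLES.get(user, set()) & rule)


def access_review(users=USER_ROLES, paths=tuple(sorted(NEED_TO_KNOW))) -> dict:
    """Return {user: sorted list of readable listed directories}, the kind of
    table handed to management when the procedures are approved."""
    return {u: [p for p in paths if can_read(u, p)] for u in users}


if __name__ == "__main__":
    for user, readable in access_review().items():
        print(f"{user:6} {readable}")
```

The review table is worth producing whenever roles change: it shows at a glance that the Sales group cannot reach payroll, and that giving someone the enterprise administrator role does not silently widen their data access.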
Password/Certificate Management
This section addresses the most common secured password issues.

One of the most obvious and neglected areas of security is password management. Passwords are the keys to entering our computer networks and generally are not secured. They are too short or too long (requiring users to write them on paper), pet names, birthdays, spouse names, and changed infrequently. Developing a strong password system would increase security tremendously.

A strong password is one that is 7 to 8 alphanumeric characters, where the case is changed in a non-grammatical manner, that includes unique characters such as ($%'&*!() and Alt key characters. This type of password is much more difficult for dictionary attacks against the system to crack.

Passwords should also be changed every 30 to 45 days. It is important that the same password is not used within a single year, so password uniqueness and history rules should apply.
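The password rules just listed, as an added example that is not part of the original guide: a checker for minimum length (the text says 7 to 8 characters; this enforces the minimum only, and reads "alphanumeric" as requiring a digit, both assumptions), mixed case, a special character, a dictionary-word check, no reuse within a year, and the 45-day rotation age. History is kept as salted PBKDF2 hashes rather than plaintext, an assumption about how such a history should be stored; the word list and dates are constructed.

```python
"""Added example (not from the KnowledgeNet guide): a password policy check
built from the rules in the text. Length minimum, digit requirement and the
hashed history format are this example's assumptions; the word list and
dates are constructed."""

import hashlib
import os
import string
from datetime import date, timedelta

MIN_LENGTH = 7          # text: 7 to 8 characters; only the minimum is enforced here
MAX_AGE_DAYS = 45       # text: change every 30 to 45 days
HISTORY_DAYS = 365      # text: not reused within a single year
SPECIALS = set(string.punctuation)   # includes the text's $ % ' & * ! ( )
WORDLIST = {"password", "welcome", "summer", "fluffy", "letmein", "qwerty"}  # constructed


def hash_password(pw: str, salt: bytes = None) -> tuple:
    """Return (salt, digest). History is stored hashed so the history file
    does not itself become a list of old passwords."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


def matches(pw: str, salt: bytes, digest: bytes) -> bool:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000) == digest


def check_password(pw: str, history: list, today: date = None) -> list:
    """Return the list of violated rules; an empty list means acceptable.
    `history` holds (salt, digest, date_set) tuples of previous passwords."""
    today = today or date.today()
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in pw) or not any(c.isupper() for c in pw):
        problems.append("case is not mixed")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in SPECIALS for c in pw):
        problems.append("no special character")
    # Dictionary check on the alphabetic core, so "Summer03!" is still
    # recognised as the word "summer" with decoration.
    core = "".join(c for c in pw if c.isalpha()).lower()
    if core in WORDLIST:
        problems.append("based on a dictionary word")
    cutoff = today - timedelta(days=HISTORY_DAYS)
    for salt, digest, when in history:
        if when >= cutoff and matches(pw, salt, digest):
            problems.append("reused within the last year")
            break
    return problems


def rotation_due(last_changed: date, today: date) -> bool:
    """True when the password is older than the 45-day maximum."""
    return (today - last_changed).days > MAX_AGE_DAYS


def demo() -> tuple:
    """Constructed scenario: a password set in January 2003 is offered again
    in June 2003 (rejected), then a password last set in April is checked
    for rotation (overdue)."""
    today = date(2003, 6, 1)
    salt, digest = hash_password("Tr4ck!ng")
    recent = [(salt, digest, date(2003, 1, 15))]
    old = [(salt, digest, date(2002, 1, 15))]   # older than a year: reuse allowed
    return (
        check_password("Tr4ck!ng", recent, today),
        check_password("Tr4ck!ng", old, today),
        rotation_due(date(2003, 4, 1), today),
        rotation_due(date(2003, 5, 1), today),
    )


if __name__ == "__main__":
    print(check_password("summer03", []))
    print(demo())
```

The dictionary check on the alphabetic core is the part most policy checkers miss: a word with a digit or two appended is still the first thing a dictionary attack tries.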
Another area of rapid growth is the assignment of certificates. A certificate guarantees that the information you are exchanging is shared only with approved sources and destinations. Many network operating systems, such as Windows 2000 and Server 2003, feature the ability to use and create certificates. Certificates are a popular technology for both local area computing and Internet information access.

You probably have experienced the use of certificates if you have purchased anything with a credit card on the Internet. Companies such as Verisign issue certificates so that your credit card information cannot be sniffed off the wire with a packet analyzer.
SLA
This section covers the confusing topic of software licensing.

A Software License Agreement (SLA) determines how many legal copies of a particular piece of software you can run on your network. The confusing part of this process is the complex licensing rules that each manufacturer requires. The administration team can quickly become overwhelmed with licensing issues.

The most common issue is not having enough SLAs to match the number of users you have using a particular piece of software. This license violation can be very costly. Software companies today are prosecuting anyone on any level (state, local, or even federal) that violates the SLA. This can lead to fines of $500,000.00 per license violation.

There are many tools that can help collect software inventory information, so the administration team can properly license and clean up their network. At worst, you can create a spreadsheet that lists the number of legal licenses versus the amount of software installed.

The challenge is to first establish how many legal licenses you own. Did the license come with the operating system? Do you need additional server-based licenses for the operating system? Since each software vendor will have different licensing guidelines, it is often easiest to contact the vendor directly for assistance in assuring you meet the necessary requirements.
Disposal/Destruction
This section examines how to properly dispose of secured devices and the data they hold.
Part of keeping your computers up to date is destroying or disposing of computer hardware such as monitors and hard drives. The EPA has specific regulations governing the disposal of computer equipment, so disposal has an environmental as well as a security dimension.
A serious security threat is the improper disposal of storage hardware such as hard drives, CD-ROMs, and floppy disks. Because these devices may still contain data, you need a destruction strategy as well as a disposal procedure.
Anyone can go through the corporate trash and find an old hard drive. Once it is in hand there are many ways to get at the data; the simplest is to plug it into another computer. Deleting files, or even reformatting the drive, does not remove the data, it only removes the file system's references to it. Properly sanitizing or destroying a device is the only reliable way to prevent unauthorized access.
Many companies use both software tools (secure-erase utilities that overwrite every sector) and hardware tools (hammers and drive crushers) to make sure no one can retrieve data from a retired hard drive. The remains are then disposed of in a secure fashion, for example by taking them to a dump or reclamation facility where they are shredded or incinerated, rather than leaving them in the trash bin outside.
CD-ROMs, diskettes, backup tapes, and any other device that holds data should be disposed of with the same care.
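The software side of the strategy above, overwriting every byte of the media rather than deleting files, is shown below as an added example; it is not a tool from the original guide. It sanitizes a constructed file standing in for an old drive (in practice the same loop runs against the raw block device) and then checks that the original contents are gone. Caveat: on flash media, and on drives that have remapped bad sectors, overwriting through the file system does not reach every copy of the data, which is exactly why the guide pairs software erasure with physical destruction.

```python
import os
import tempfile

BLOCK = 4096


def overwrite(path, passes=3):
    """Overwrite every byte of the file in place: pass 1 zeros, pass 2 ones,
    pass 3 fresh random data. Each pass is flushed and fsynced so the writes
    reach the device instead of sitting in the page cache. Returns bytes written."""
    size = os.path.getsize(path)
    patterns = [b"\x00" * BLOCK, b"\xff" * BLOCK, None]  # None = random bytes
    written = 0
    with open(path, "r+b") as f:
        for p in range(passes):
            pattern = patterns[p % len(patterns)]
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(BLOCK, remaining)
                chunk = os.urandom(n) if pattern is None else pattern[:n]
                f.write(chunk)
                written += n
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    return written


def wipe_demo(secret=b"CARD 4111-1111-1111-1111 EXP 06/05"):
    """Constructed 'old drive' holding a secret (sample data, not real);
    wipe it and report whether the secret survived."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(secret * 300)
    with open(path, "rb") as f:
        before = f.read()
    written = overwrite(path)
    with open(path, "rb") as f:
        after = f.read()
    os.remove(path)  # unlink only after the contents have been sanitised
    return {"secret_before": secret in before, "secret_after": secret in after,
            "size": len(before), "written": written}


if __name__ == "__main__":
    print(wipe_demo())
```

The order matters: the file is removed only after the overwrite completes, because unlinking first would leave the secret in place and merely drop the directory entry that points at it.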
HR Policy
This section discusses the importance of involving the HR department in the security policy process.
A well-defined security strategy addresses the practices surrounding the hiring and termination of employees. Involving the HR department is mandatory for establishing a solid security policy.
The human resources department must follow a number of legal guidelines in a variety of situations, and the computer network is only one small part of what it has to consider. Communicating with HR is critical to both establishing and practicing proper security measures.
Hiring
This section discusses the hiring process and the role documentation plays in it.
When new staff are hired, the human resources department presents a set of guidelines, including rules of conduct. HR must make sure new employees understand the sexual harassment and discrimination guidelines, and this is also the right time to convey the acceptable use policy for the network, explain the procedure for acquiring a computer account, and spell out the responsibilities of the end user.
During the hiring process, HR commonly notifies the IT department of new users and their job roles. Following the security procedures in place, administrators can then create the accounts and assign the appropriate permissions.
The new employee may need direct guidance on how to create strong passwords, and should understand the types of privileges they will be granted. Most of this should already exist in a policy document for that particular role in the company. The IT staff may have to provide end-user education to help new employees access the system.
This is why it is important to have your documentation created and ready before the hiring process begins. A clear end-user document, an acceptable use policy, and "need-to-know" permission policies make adding new users and educating them a much smoother process.
Termination
This section addresses the responsibilities of the administration team during the termination phase.
The termination process should be managed as carefully as the hiring process. Employees with planned termination dates should generally be restricted from all sensitive network areas in the meantime, and the administration team should plan for the departure by executing the procedures already developed.
An important part of the termination process is making sure the employee no longer has access to the network. In many cases the administration team simply deletes the computer account, but there are problems with this practice.
The account may "own" files and folders that are lost when it is deleted, and the employee's email stops working, which can break communication with customers.
It is generally a best practice to disable the account rather than delete it, and to delete it only after a set amount of time has passed. This gives the administration team time to deal with the changes: a disabled account cannot be used by the former employee but is still available to administrators, no files or folders are lost, and email can be checked or redirected. Disabling the account is also the moment to revoke anything else tied to the person, such as remote access credentials, tokens, and any shared passwords the person knew.
After the planned interval, usually 30 to 45 days, the account can safely be removed from the system.
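The disable-then-reap procedure above is shown below as an added example against a toy in-memory account store; it is not code from the original guide, and the store is an assumption standing in for a real directory service. The point it demonstrates is that the former employee is locked out on day zero while the account, its owned files, and its mail forwarding survive until the grace period has elapsed.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

GRACE_DAYS = 30  # the guide's range is 30 to 45 days; 30 assumed here


@dataclass
class Account:
    username: str
    enabled: bool = True
    disabled_on: Optional[date] = None
    mail_forward: Optional[str] = None
    owned_files: List[str] = field(default_factory=list)


class Directory:
    """Toy account store standing in for a real directory service (assumption)."""

    def __init__(self):
        self.accounts = {}

    def add(self, account):
        self.accounts[account.username] = account

    def authenticate(self, username):
        acct = self.accounts.get(username)
        return acct is not None and acct.enabled

    def terminate(self, username, today, forward_to=None):
        """Step one of the termination procedure: disable, never delete."""
        acct = self.accounts[username]
        acct.enabled = False
        acct.disabled_on = today
        acct.mail_forward = forward_to

    def reap(self, today):
        """Delete disabled accounts whose grace period has elapsed; return the names removed."""
        removed = []
        for name, acct in list(self.accounts.items()):
            if acct.enabled or acct.disabled_on is None:
                continue
            if today - acct.disabled_on >= timedelta(days=GRACE_DAYS):
                del self.accounts[name]
                removed.append(name)
        return removed


def demo():
    d = Directory()
    d.add(Account("jsmith", owned_files=["/shares/finance/q3.xls"]))  # constructed user
    day0 = date(2003, 6, 2)
    d.terminate("jsmith", day0, forward_to="manager")
    locked_out = not d.authenticate("jsmith")
    preserved = ("jsmith" in d.accounts
                 and d.accounts["jsmith"].owned_files == ["/shares/finance/q3.xls"]
                 and d.accounts["jsmith"].mail_forward == "manager")
    early = d.reap(day0 + timedelta(days=29))   # too early: nothing removed
    late = d.reap(day0 + timedelta(days=30))    # grace period over: removed
    return locked_out, preserved, early, late


if __name__ == "__main__":
    print(demo())
```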
Code of Ethics
This section examines ethics from the point of view of both employees and the administration team.
A code of ethics is a standard of behavior that people are expected to follow. In most cases people will follow a standard set of business ethics, even during termination, but the administration team cannot rely on this as a security measure.
An employee who is being terminated may decide to do something unethical but not necessarily illegal. Deleting the information stored on their local hard drive may not be illegal, but it can cause the business hardship through lost documents. Sharing a user account and password with someone who is not authorized was for a long time not considered illegal. However, under the Computer Fraud and Abuse Act as amended by the USA PATRIOT Act, it can be, especially if the unauthorized party then uses the username and password to gain unauthorized access.
It is the administration team's responsibility to work with management on the best procedures for situations where unethical or potentially unethical activity can occur. Preventive measures include taking the employee's computer or laptop immediately, disabling their account, supervising them while they clean out their desk, and escorting them from the building. IT rarely carries out these steps itself, but it is important that possible security problems be raised with management and HR so that they can be addressed.
The other code of ethics the administration team needs to be aware of is the behavior expected of administrators themselves in a termination situation. Never perform a task that could compromise the security or operations of the company. Never give out your former password, and never access the company's systems electronically without permission. Following an accepted code of ethics is as important to your reputation as it is to the company's continued success.
Honey Pots/Honey Nets
This section examines additional areas where administrators can help fight intruders.
Many IT administrators use misdirection and covert monitoring to trap hackers. A honey pot is a computer that the administration team sets up specifically to attract and monitor hacker activity. It has no production role, so any traffic to it is suspect by definition. A well-known honey pot site is http://www.tracking-hackers.com. The idea behind a honey pot is to deflect the hacker from the real servers in the network while collecting enough information to potentially prosecute. As a security tool, a well-built honey pot can keep a hacker away from critical systems.
A more advanced version of the honey pot is the honey net. In what are known as BlackHat/WhiteHat scenarios, the WhiteHats (network administrators) create a complete network of computers to lure the BlackHats (hackers) into their web. The hackers are monitored to determine what new types of attack they are executing against a system. The BlackHats may never know that they were lured into a honey net and that all their techniques were recorded.
The Honeynet Project was founded by a group of security engineers at http://project.honeynet.org. The U.S. Patriot Act has increased the ability of administrators and law enforcement to track hackers and bring them to federal court. Note, however, the caveat raised in the Forensics lesson: because a honey pot is not a production system, attacks against it rarely produce the provable financial loss that prosecution requires.
Summary
This section summarized the types of material that should be collected and analyzed for documentation, and how best to organize that information:
Physical Security
Environmental Security
Disaster Recovery
Business Continuity
Policy and Procedures
Honey Pots/Honey Nets
Next Steps
After completing this lesson, go to:
Forensics
Lesson Assessment
Acme Inc. has contracted you to review its current security organization. Acme has been attacked in recent months and has had some of its systems penetrated. It wants to be able to track activity and gather information that will allow prosecution of criminals, while preventing attackers from reaching its production systems. Since Acme's data center is located where flooding and tornados are frequent, it also wants to mitigate the effects of natural disasters.
1. What specific recommendations would you make to identify unauthorized activity in a way that allows intrusion attempts to be captured?
2. What recommendations would you make for securing Acme's systems from theft or environmental damage?
3. What are some ways Acme can ensure continued service to its customers if the data facility is destroyed by a natural disaster?
Forensics
Overview
This lesson explains how computer forensics can be used to recover lost information and track intruders. Forensics requires awareness, conceptual knowledge, and an understanding of procedure, and it helps you know what your role is when an incident occurs.
Importance
The network or security administrator may be faced with identifying an intruder or malicious user. Computer forensics helps build the case that supports that determination.
Objectives
Upon completing this lesson, you will be able to:
Explain how a proper chain of custody ensures evidence integrity
Describe how preservation of evidence is vital in hardening targeted systems and aids in the prosecution of criminals
Describe best practices in the process of collecting evidence
Explain how a proactive incident response policy ensures a measured reaction to security incidents
Learner Skills and Knowledge
To fully benefit from this lesson, you must have these prerequisite skills and knowledge:
Basic networking topology knowledge
Outline
This lesson includes these sections:
Overview
Introduction
Chain of Custody
Preservation of Evidence
Collection of Evidence
Incident Responses
Summary
Assessment
Introduction
This section provides an overview of how computer forensics can assist in recovering data and identifying the intruder.
When a crime has been committed or attempted, detectives are called in to assist. Much like the forensics shown on television, computer forensics is the process of collecting evidence that can lead to the prosecution of a crime. Whether the crime is fraud, theft, or some other form of malicious activity, computer forensics can mean the difference between locating the perpetrator and letting the perpetrator escape.
Computer forensics requires extensive knowledge of computer operating systems and applications, and detailed knowledge of the recovery and forensic software available. Knowing how to recover deleted files is generally not enough to perform proper forensics; the process involves many legal issues and strict procedures for maintaining the original condition of the evidence.
You can hire professionals to perform forensic analysis in situations that go beyond the technical expertise of the administration team. Because the legal requirements for evidence collection and processing change constantly, it is often best to contact professionals.
The best recommendations come from the investigators who will have to use the evidence, which in the United States means the FBI. If there is provable loss, contact your local FBI field office before touching equipment that has been hacked or maliciously affected. FBI investigators can direct your next steps, such as removing the equipment from production use, and they can either perform any required forensic analysis themselves or recommend another qualified person to do so, before you inadvertently damage the evidence.
While it may seem extreme to contact the FBI because someone defaced your Web site, it is the best course to follow if your company has suffered provable loss. Law enforcement knows how best to handle these situations.
Chain of Custody
This section introduces the concept of evidence and how evidence is properly handled.
Part of performing computer forensics is making sure that current legal standards are met for the collection, preservation, and documentation of evidence. The chain of custody is part of this documentation.
The chain of custody is a historical road map of the lifespan of the evidence: who handled it, when, where, and why. A complete chain of custody provides a log of everyone who transported or examined the evidence. Because this record matters legally, evidence should be handled only by people trained in the process, and in practice each hand-off records a cryptographic hash of the evidence so that any later change to it can be demonstrated.
The importance of the chain of custody becomes apparent when the defense looks for opportunities to question the storage or handling of the evidence. Many things in computer forensics can taint evidence. With the chain of custody clearly defined, both prosecution and defense can identify and interview each person who could have affected the evidence. The chain of custody is a critical marker in a court case.
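A custody log as described above, with each entry carrying the evidence hash and the hash of the previous entry, is shown below as an added example; it is not a procedure from the original guide, and the evidence bytes, names, and locations are constructed. Linking the entries means that editing a past entry, or examining evidence that no longer matches what was seized, is detected by verify().

```python
import hashlib
import json


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only custody record. Every entry carries the hash of the evidence as
    it was at that hand-off and the hash of the previous entry, so an altered or
    reordered entry, or altered evidence, breaks the chain."""

    def __init__(self, evidence_id, evidence_bytes, handler, location, when):
        self.evidence_id = evidence_id
        self.evidence_hash = sha256_hex(evidence_bytes)  # hash taken at seizure
        self.entries = []
        self.record("seized", handler, location, evidence_bytes, when)

    def record(self, action, handler, location, evidence_bytes, when):
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {
            "evidence_id": self.evidence_id,
            "seq": len(self.entries),
            "when": when,
            "action": action,
            "handler": handler,
            "location": location,
            "evidence_hash": sha256_hex(evidence_bytes),
            "prev_hash": prev,
        }
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return (ok, problems): recompute each entry hash, check the linkage,
        and check that the evidence hash never drifted from the seizure hash."""
        problems = []
        prev = "0" * 64
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]:
                problems.append(f"entry {i} altered")
            if e["prev_hash"] != prev or e["seq"] != i:
                problems.append(f"entry {i} out of sequence")
            if e["evidence_hash"] != self.evidence_hash:
                problems.append(f"entry {i}: evidence hash changed ({e['action']})")
            prev = e["entry_hash"]
        return not problems, problems


# Constructed sample evidence (not a real drive image).
CONSTRUCTED_EVIDENCE = b"\x00" * 512 + b"boot sector of seized drive (constructed sample)"


def demo_log():
    log = CustodyLog("HD-0001", CONSTRUCTED_EVIDENCE, "A. Investigator",
                     "server room, rack 3", "2003-06-02T09:15:00+00:00")
    log.record("transported", "B. Courier", "evidence locker",
               CONSTRUCTED_EVIDENCE, "2003-06-02T11:40:00+00:00")
    log.record("examined", "C. Analyst", "forensic lab",
               CONSTRUCTED_EVIDENCE, "2003-06-03T08:05:00+00:00")
    return log


if __name__ == "__main__":
    print(demo_log().verify())
```

Timestamps are passed in explicitly so the log is reproducible; a real log would take them from a trusted clock and also keep a signed or printed copy off the system being investigated.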
Preservation of Evidence
This section introduces the process of preserving evidence for legal prosecution.
In the process of collecting evidence, an untrained person can easily destroy precious evidence. Often, in the scramble to repair the damage a hacker has done, the IT team overwrites configuration files, restores deleted files, or reformats hard drives, destroying the evidence of the crime in the process. Procedures for preserving evidence are difficult to write in advance because incidents vary so much in nature, so the IT staff is generally instructed simply not to touch the evidence.
To preserve the evidence, it is often best to replace the compromised system until the proper authorities have had a chance to collect what they need, instead of attempting to repair it. Replacing the compromised component with a temporary one returns the business to operation, often more quickly than repairing the original system would, and the evidence collection can then begin.
The IT staff should plan for such attacks. If your company can afford it, keep a spare Web server, router, switch, or file server on hand.
One thing to avoid is relying on honey pots or honey nets to trap intruders and then attempting to prosecute. Because a honey pot is not a production system, proving financial loss (which is critical to the case) is generally not possible. Consider a replacement strategy instead. Unfortunately, only real attacks on production equipment reliably produce evidence that prosecutors can use.
Collection of Evidence
This section introduces the process of collecting evidence for legal prosecution.
Collecting evidence requires understanding both the preservation of evidence and the technical means of collection. This can be a daunting task when you consider different operating systems, each with a variety of logs and configurations resting on its own file system, combined with a variety of possible security holes.
Because the legal community has special requirements for evidence, simply printing a log file is not enough. You may have to prove that you did not modify the log file in a text editor, or even that the event occurred at all. To head off that line of questioning, the best course is to keep the original hardware in its original state, without any tampering by the IT department.
Careless collection can destroy the original, but a proper duplication process prevents it. Consider a hard drive whose files have been maliciously deleted by a hacker or a virus. Many tools could recover those files; however, running them on the original would destroy its value as evidence. You could ruin the drive as evidence simply by trying to recover a log file that records what happened. In cases like this, use a duplication process that copies every bit (all the 1s and 0s, including unallocated space) from the drive to an identical drive or to an image file, and record a cryptographic hash of both the original and the copy so you can later show that the copy is exact and the original unchanged. Then perform the forensic analysis and data recovery on the copy, with the original write-protected and untouched. If a court needs the original evidence, you can produce it undamaged.
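The bit-for-bit duplication and hash verification described above is shown below as an added example; it is not a tool from the original guide. It images a constructed "drive" (a temporary file holding a live log, a deleted log whose bytes are still present in unallocated space, and filler) block by block, hashes source and image, and then shows that the deleted log is recoverable from the copy while the original's hash is unchanged. In a real investigation the source would be the raw block device behind a hardware write blocker, and the hashes would go straight into the chain-of-custody record.

```python
import hashlib
import os
import shutil
import tempfile

BLOCK = 512  # sector size; every sector is copied whether or not a file uses it


def image_device(src_path, dst_path, block=BLOCK):
    """Copy src to dst block by block, hashing the source as it is read and the
    image after it is written. Returns (source_hash, image_hash, bytes_copied)."""
    h_src = hashlib.sha256()
    total = 0
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        for chunk in iter(lambda: src.read(block), b""):
            h_src.update(chunk)
            dst.write(chunk)
            total += len(chunk)
    h_img = hashlib.sha256()
    with open(dst_path, "rb") as img:
        for chunk in iter(lambda: img.read(block), b""):
            h_img.update(chunk)
    return h_src.hexdigest(), h_img.hexdigest(), total


def make_fake_device(path):
    """Constructed 'drive' (sample data): a live log, a 'deleted' log whose bytes
    remain in unallocated space, and some filler. Returns the raw contents."""
    live = b"[log] 2003-06-02 admin login ok\n"
    deleted = b"[log] 2003-06-02 root login from 10.0.0.99\n"
    data = live.ljust(2048, b"\0") + deleted.ljust(2048, b"\0") + os.urandom(1024)
    with open(path, "wb") as f:
        f.write(data)
    return data


def demo():
    workdir = tempfile.mkdtemp()
    try:
        dev = os.path.join(workdir, "sda")
        img = os.path.join(workdir, "sda.img")
        original = make_fake_device(dev)
        src_hash, img_hash, n = image_device(dev, img)
        with open(img, "rb") as f:
            copy = f.read()              # analysis happens on the copy
        with open(dev, "rb") as f:
            after = hashlib.sha256(f.read()).hexdigest()  # re-hash the original
        return {
            "verified": src_hash == img_hash,
            "bytes": n,
            "complete": copy == original,
            "deleted_log_recoverable": b"root login from 10.0.0.99" in copy,
            "original_untouched": after == src_hash,
        }
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    print(demo())
```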
Incident Responses
This section introduces methods of responding to and reporting malicious incidents.
When a security breach is detected, the IT team should turn to its planned incident response. The planned response may be as simple as fixing the problem and returning the business to an operational state. If the incident caused a provable monetary loss, the plan may call for contacting local or federal authorities.
If you are unsure how to handle a security breach, you can contact your local FBI office. In many cases the FBI can guide you through the proper process of preserving the evidence and making the company operational again. This process usually involves replacing the affected equipment until law enforcement has had a chance to perform a forensic analysis.
The plan should also define severity levels. You probably should not call the FBI because an intruder merely tried to log on to your system, but you might want to contact them if an intruder defaced your Web site and deleted your payroll information. Remember that the FBI needs financial loss to be able to pursue the case. Create severity levels that your administrators can follow to guide their actions: lower severity levels may involve only logging incidents and reviewing them for a pattern, while at the highest severity level law enforcement should probably be contacted.
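The severity scheme above, run over log lines, is shown below as an added example; it is not code from the original guide. The log lines, the regular expressions, and the three-level policy are all constructed or assumed: a handful of failed logons is logged for review, a burst of failures from one source is investigated, and a modified Web page or deleted business data on a production system is treated as the level at which the system is pulled and law enforcement considered.

```python
import re
from collections import Counter

# Constructed sample log lines (syslog-like; not from the guide).
LOG = """\
Jun  2 03:11:02 web01 sshd: Failed password for root from 203.0.113.5
Jun  2 03:11:04 web01 sshd: Failed password for root from 203.0.113.5
Jun  2 03:11:07 web01 sshd: Failed password for admin from 203.0.113.5
Jun  2 03:11:09 web01 sshd: Failed password for admin from 203.0.113.5
Jun  2 03:11:12 web01 sshd: Failed password for oracle from 203.0.113.5
Jun  2 03:11:15 web01 sshd: Failed password for oracle from 203.0.113.5
Jun  2 08:20:41 web01 httpd: PUT /index.html 200 from 203.0.113.5
Jun  2 08:22:10 fs01 audit: DELETE /payroll/2003-q2.xls by user www-data
Jun  2 09:00:00 ws07 sshd: Failed password for jsmith from 10.0.0.23
"""

FAILED_LOGON = re.compile(r"Failed password for (\S+) from (\S+)")
WEB_WRITE = re.compile(r"httpd: (PUT|DELETE) (\S+) (\d+) from (\S+)")
FILE_DELETE = re.compile(r"audit: DELETE (\S+) by user (\S+)")

# Assumed policy: severity level -> action the administrator takes.
ACTIONS = {
    1: "log the event and review periodically for a pattern",
    2: "investigate now, preserve the logs, block the source",
    3: "pull the system from production, preserve it, contact law enforcement if loss is provable",
}


def triage(log_text, brute_force_threshold=5):
    """Return (severity, source, reason) findings, highest severity first."""
    failed = Counter()
    findings = []
    for line in log_text.splitlines():
        m = FAILED_LOGON.search(line)
        if m:
            failed[m.group(2)] += 1
            continue
        m = WEB_WRITE.search(line)
        if m and m.group(3).startswith("2"):  # the write succeeded
            findings.append((3, m.group(4), f"web content modified: {m.group(1)} {m.group(2)}"))
            continue
        m = FILE_DELETE.search(line)
        if m:
            findings.append((3, m.group(2), f"business data deleted: {m.group(1)}"))
    for src, n in failed.items():
        sev = 2 if n >= brute_force_threshold else 1
        findings.append((sev, src, f"{n} failed logon(s)"))
    findings.sort(key=lambda f: (-f[0], f[1]))
    return findings


def recommended_action(findings):
    return ACTIONS[max(f[0] for f in findings)] if findings else "nothing to do"


if __name__ == "__main__":
    found = triage(LOG)
    for sev, src, reason in found:
        print(f"severity {sev}  {src:15}  {reason}")
    print("action:", recommended_action(found))
```

The sample shows why correlation matters: the same source that hammered sshd later succeeded in writing the Web root, which the guide's "deleted payroll, defaced site" case puts at the top level.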
Summary
This section summarizes the key points discussed in this lesson.
Introduction
Chain of Custody
Preservation of Evidence
Collection of Evidence
Incident Response
Next Steps
After completing this lesson, go to:
Infrastructure Access Points module
Lesson Assessment
Acme has caught a computer criminal "red-handed" attacking its systems. It had deployed a honey pot, and all activity was logged and stored. It has identified the criminal by name and is seeking prosecution.
1. What specific recommendations would you make to ensure the evidence is not compromised or lost before the case?
2. What recommendations would you give Acme for implementing the "lessons learned" from this attack?
3. What should Acme do to ensure a measured response when this type of activity is detected in the future?
Infrastructure Access Points
Overview
Access points are methods of entry into a network. They are broken out here according to the OSI model, because each layer presents its own challenges to the security professional. We will examine each layer in turn and highlight the best practices for securing it.
Objectives
Upon completing this module, you will be able to:
Identify the various access points that exist in a network
Identify the vulnerabilities of the media access point
Identify the vulnerabilities of switches, bridges, and wireless access points
Identify the vulnerabilities of routers, remote access servers, and Layer 3 firewalls
Identify the vulnerabilities of proxy servers, workstations, servers, and removable media
Outline
This module includes these topics:
Overview
OSI Layer 1 Access Points
Switches, Bridges, and WAP vulnerabilities
Securing Routers, Remote Access Servers, and Firewalls
Use and security risks associated with Proxy Servers
Workstation and Server security risks
Security for Removable Media
Layer 1 Access Points
Overview
An access point is any place in your network where clients, authorized or unauthorized, can gain access to resources. All access points have one thing in common: they start with a physical medium, and that is where layer 1 of the OSI model resides.
Objectives
Upon completing this lesson, you will be able to:
Identify the various types of layer 1 media
Identify the vulnerabilities of coaxial cable
Identify the vulnerabilities of UTP/STP wiring
Identify the vulnerabilities of fiber
Identify the vulnerabilities of wireless networks
Identify the vulnerabilities of modems
Outline
This lesson includes these topics:
Overview
Coaxial cable
UTP/STP
Fiber
Infrared
Radio Frequency
Microwave
Modems
Summary
Assessment
Coaxial Cable
The primary purpose of the physical layer is to provide a transmission medium. It includes all of the wires and cables, and even wireless technologies.
Coaxial, or coax, cable is one of the oldest cabling technologies still in use. Coax is constructed by taking a core wire, usually copper or aluminum, and wrapping the core in an insulating layer. This layer is then wrapped in a wire mesh that adds physical protection and bleeds off stray signals, both those emanating out from the core and those coming in from the environment. The mesh is in turn wrapped in a waterproof insulating jacket that protects against handling and weather.
The cable connects to devices in one of three primary ways: a terminator, an in-line connector, or a T-connector. The terminating connector can be male or female and is used to connect the wire to a device. When coax is used as a shared transport medium, the far end of the cable may not be connected to any device; in that case a terminating resistor absorbs the signal so that it does not reflect back and corrupt the bus. If the resistor is removed, the entire segment quickly becomes unusable. Physical security for your coax is therefore very important: you can lose your entire network if someone removes a terminator.
The other connector types make coax very modular. You can add T-connectors as needed by simply cutting the cable, exposing the core, and crimping BNC connectors onto each end.
Coax tends to break down over time, especially when exposed to heat, sunlight, and weather, so it is a good idea to physically inspect the cable for deterioration from time to time.
Security Risks Associated with Coax Cable
Coax is well shielded, so stray emissions are difficult to intercept, but a variety of other weaknesses make coax a particularly vulnerable medium.
The crudest method is to add a T-connector somewhere in the line and attach a network sniffer. This is likely to alert administrators, because the network is down while the attacker cuts the cable and fits the new connectors, and a time-domain reflectometer (TDR) makes finding the location of the break fast and easy.
Clever attackers use vampire taps, which pierce the layers of the coax to make contact with the core conductor without cutting it. A vampire tap is hard to notice in operation, but because it is a physical penetration of the cable it leaves a trace and shows up as an impedance change on a TDR. A method that leaves no trace at all is an inductive pickup, or RF collar: a device that sits around the cable, collecting and amplifying the faint signals that leak through the wire mesh. When the attacker has finished gathering data, the collar is removed along with all physical evidence of the crime.
The only way to secure coax is physical isolation. If the cable itself is hard to reach, T-connectors, taps, and collars are hard to use. Make certain the terminating resistors are in place and out of general reach.
UTP and STP
Unshielded Twisted Pair (UTP) and Shielded Twisted Pair (STP) are the media of choice in most networks.
They are relatively inexpensive and simple to install. The main difference between the two is that STP has a shield around the cable, much like coax, and in some grades each pair has its own shield as well. This increases the price considerably but makes the cable much less susceptible to electrical interference.
Both UTP and STP twist the wires of each pair together to cancel the signal that parallel wires would otherwise induce in one another. The more twists per unit length a cable has, the better it rejects crosstalk from neighbouring pairs and interference from outside, and the twist rate is the main thing that determines the quality, or category, of the cable. The trade-off is that more tightly twisted cable is stiffer and more expensive; the 100 m segment limit for Ethernet over twisted pair applies regardless of category.
UTP and STP Pin Configuration
STP and UTP operate in the same manner. They have transmit and receive lines that are connected differently depending on the devices being joined.
Some applications require a crossover cable, in which the transmit pair of one end is wired to the receive pair of the other. One example is connecting a switch to another switch: a normal, or straight-through, patch cable would not connect the devices to the expected lines. Some switches have uplink ports where the crossover is done internally. In a straight-through cable each pin connects to the same pin at the other end (1 to 1 through 8 to 8); a 10/100 crossover cable swaps pins 1 and 3 and pins 2 and 6, so that each end's transmit pair lands on the other end's receive pair. Examine the illustration to compare the pin configuration of a straight-through and a crossover cable.
STP and UTP cables are also classified according to their category of use.
Category | Speed | Application
1 | Voice only | Mostly used for household telephone wiring. Cheap, and very susceptible to outside interference and monitoring.
2 | 4 Mbps | Not extensively used; once popular in older mainframe and mid-range computer environments.
3 | 10 Mbps | Widespread with the rise of Ethernet; the cable of choice for 10Base-T deployments.
4 | 16 Mbps | Popular for Token Ring networks; not used much in new installations.
5 | 100 Mbps | The most common cable in installed networks; the enhanced Cat 5e grade also supports 1 Gbps (1000Base-T).
6 | 1 Gbps (10 Gbps over short runs) | Designed to bring voice and multimedia to the desktop. Not yet widely deployed at the time of writing, but expected to replace Cat 5 as the cable of choice.
7 | 10 Gbps | Used when very high-speed connectivity is required; most networks use fiber for these applications.
Note that the higher the grade of cable, the higher the price. You will also run into problems when you have to bend the wires to follow convoluted paths: as the twist rate increases the wires become stiffer, and they become more susceptible to interference if you exceed the recommended bend radius. Check the manufacturer's recommendations before purchasing high-priced wiring that may not be suitable for your particular application.
STP and UTP cables are not as secure as coax. They radiate, and they are normally limited to indoor installations because of their relative fragility. Where coax has to be pierced with a vampire tap, tapping twisted pair takes nothing more than a break-out box (BOB), which is simple and inexpensive to make.
It is recommended that you limit physical access to the wiring, but above all you must secure the wiring closet, where the cables converge on a punch-down block or connect directly into a switch. These closets are normally isolated locations in the center of the building and are prime targets for computer criminals trying to penetrate your network.
Fiber
Fiber optic cable is increasingly used for wiring the core of a network infrastructure. Most interconnections between high-speed switches and large NAS devices rely on fiber to eliminate the bandwidth bottleneck that has plagued data-hungry operations.
Fiber optic cable is fairly simple: a glass or optical-grade plastic core coated with a protective layer of material. Fiber is more secure than either coax or STP/UTP because it is difficult to tap. Since the fibers must be optically joined, breaking a cable and splicing in a tap is not a simple affair. The point of vulnerability is the connectors that join two segments: it is fairly simple to add a passive splitter there and sniff the signal. Most splitters require the addition of a transmitter/receiver, called a transceiver, and these devices are easy to detect. Bend-coupling taps, which skim the light that leaks from a tightly bent fiber, are harder to spot physically, but like any tap they reduce the received optical power, so monitoring power levels on important links is the practical check.
Infrared
Wireless communications usually fall into one of three categories: infrared (IR), radio frequency (RF), and microwave. Each has its own set of limitations and security vulnerabilities.
Infrared communication is commonly found on laptops, and some printers have IR ports. The rise of PDAs has increased the usefulness of a technology that was previously limited mostly to television and stereo remote controls.
Infrared is limited to line of sight because it uses light to transmit and receive. It is also very susceptible to interception: an attacker simply needs to place a receiver in line with the transmitter. Fortunately, most infrared communication is limited in range, because ambient light quickly overwhelms the signal. To prevent unwanted transfers, most infrared applications require the user to approve any transmission. Printers are the exception: if a printer must be secure, disable or remove its infrared port, because otherwise anyone with an infrared-equipped PDA can use it.
Radio Frequency
Radio frequency (RF) wireless communication has been a boon to the mobile workforce. The ability to move a laptop between locations within a company, an airport, or a coffee bar has made the mobile lifestyle more convenient and productive.
Many companies are only beginning to realize that the footprint of a wireless network extends well beyond the building's walls. Computer criminals regularly drive around with wireless-equipped laptops running a variety of sniffer programs, grabbing passwords and data with impunity. The biggest threat is that captured passwords can then be used to penetrate the traditionally wired, or even dial-up, environment.
There are a variety of measures for securing RF wireless environments. Most wireless access points let you configure a network name (SSID) and a shared key that the wireless NIC must match before it is allowed to associate. Unfortunately, the SSID is broadcast in the clear, and the shared-key authentication exchange gives an eavesdropper the material needed to forge a response, so neither is a real barrier.
WEP, or Wired Equivalent Privacy, is the encryption standard adopted by most manufacturers. WEP encrypts the traffic between the NIC and the access point with the RC4 stream cipher, so that captured frames cannot be read directly. Most WEP devices offer "64-bit" or "128-bit" encryption, which in practice means a 40-bit or 104-bit secret key combined with a 24-bit initialization vector (IV) that is sent in the clear with every frame. That small IV space, together with weaknesses in how RC4 is keyed, means a determined attacker who captures enough traffic can recover both plaintext and the key, so WEP should be treated as a deterrent rather than a guarantee. Stronger replacements (WPA and the 802.11i standard) were being introduced at the time of writing to address these problems and should be used wherever available.
Microwave
Microwave communications work in a point-to-point manner.
The most popular use of microwave communication is in cell phones. They require little power and use collections of transmit and receive towers known as cells. Cell towers are configured to automatically track and "hand off" communications sessions when the mobile device moves from one cell area to another. With the rise of cell-based wireless networks for PDAs and laptops, the security of this form of communication has become increasingly important.
Cellular communication is very easy to intercept. Analog communication is fairly easy to capture and, unless encryption technology is in use, it is also simple to view. Digital communication can be more difficult to intercept, as it requires additional equipment to decode the transmission.
Most devices now offer encryption technology similar to IPSec. This uses a session key and has an anti-cloning feature that makes it difficult for computer criminals to eavesdrop and impersonate the devices.
Modems
Modems are designed to take digital signals and convert them into analog tones that can be transmitted over normal telephone lines.
Most modems are point-to-point devices that call directly into a company or an ISP. There are now cellular modems that fall into the vulnerabilities discussed previously in the microwave section.
Most outbound communications that use a modem are fairly secure. The computer criminal must tap the phone lines in order to eavesdrop on the signal. This requires fairly sophisticated equipment and normally takes place in a phone company's central office or in a company's telephone closet. These locations should be physically secure to prevent this type of activity.
The main threat of modems is unauthorized inbound communications. If a company runs an analog line to a desk and the user connects their modem, criminals running a war dialer program could potentially locate the unprotected machine. Once located, the computer criminal could use a combination of brute-force attacks and penetrate that machine. Since the targeted machine is already in the corporate network, the attacker now has access to the company's infrastructure. Configuring modem-enabled machines for silent answering will prevent that machine from being targeted by hackers. Silent answering means that the calling device initiates the connection tone, much like fax machines.
A better policy would be to limit the use of modems and access to analog phone lines. Normally, you would only have modems connected to dial-in devices for remote users.
Summary
This topic summarizes the key points discussed in this lesson.
Coax is reliable and durable but is one of the easiest to tap
UTP and STP are the most popular. They broadcast EMF, and it is simple to configure a tap
Fiber is the fastest medium, and is as hard to tap as it is easy to detect
Infrared is short-ranged, but simple to tap
Radio Frequency is very popular, but will extend the data availability and is subject to interference
Microwave uses cellular technology. It is easy to track, but can be difficult to tap if digitally encrypted
Lesson Assessment
Q1) What type of tap will physically penetrate a coax cable?
Q2) What are the primary differences between UTP and STP?
Q3) What category of UTP is most widely used in new installations?
Q4) What security recommendations would you make to secure the new installation of a Radio Frequency-based network?
Layer 2 Access Points
Overview
Layer 2 devices are responsible for taking data from higher layers and converting it into a format that is compatible with the physical medium. Layer 2 devices have some levels of intelligence, as they must know how to address the physical network adapter. In most cases, the signaling is sent either by broadcast, or is sent to a particular client based on its Media Access Control, or MAC, address.
Objectives
Upon completing this lesson, you will be able to:
Identify the differences between hubs, switches and bridges
Identify the vulnerabilities of bridges and hubs
Identify the vulnerabilities of switches
Identify the vulnerabilities of wireless access points
Outline
This lesson includes these topics:
Overview
Hubs and Switches
Wireless Access Points
Summary
Assessments
Hubs and Switches
Bridges, hubs and switches are designed to connect multiple devices in a communications path. They take digital information and transform the bits into whatever format is needed for the transmission medium.
In order to connect network devices in a star or bus topology, you would normally use a hub or a switch. These devices connect the transmit and receive lines together in a shared medium. Bridges are designed to extend network segments by using signal regeneration to bypass the normal cable length restrictions due to signal attenuation.
Hubs and bridges share a common vulnerability in that they indiscriminately retransmit all signals to every device that is connected to them. Hubs are simple to penetrate, as the computer criminal only has to connect to one of the ports to gain complete access to all data transmitted on the network. Hubs and bridges are also subject to flooding, as any signal that is transmitted is immediately sent to all devices that are connected. The only way to secure data that is sent out via a bridge or a hub is encryption. Since the media is completely shared, unencrypted traffic is available to any device that desires to tap into the stream.
Switches are more intelligent. They are designed for micro-segmentation in that directed signals are only visible on the ports that are designated for transmission and reception of that particular data stream. This gives additional bandwidth and makes it much more difficult for sniffers to intercept communications. Switches are still susceptible to flooding, as any signal that is broadcast or targeted to an unknown device is sent to all ports. Some switches are also designed with a monitoring port that is used to examine all traffic that passes through the device. Physical security of the switch is the primary means of denying a hacker access to the data stream.
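The forwarding difference described above, as an added simulation that is not part of the course material: a hub repeats every frame to every port, while a learning switch delivers directed frames only to the port on which the destination MAC was learned and floods only broadcasts and unknown destinations. The monitoring (mirror) port, the host MAC addresses and the sample traffic are constructed for the example.

```python
"""Hub vs. switch forwarding as described in the Hubs and Switches topic.

Constructed simulation (not vendor code): each device has numbered ports,
frames carry source and destination MAC addresses, and forward() returns the
set of ports a frame is delivered to. A sniffer on a port sees only frames
delivered to that port.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    payload: str


class Hub:
    """A hub repeats every frame to every port except the one it arrived on."""

    def __init__(self, port_count: int) -> None:
        self.port_count = port_count

    def forward(self, in_port: int, frame: Frame) -> set[int]:
        return {p for p in range(self.port_count) if p != in_port}


class Switch:
    """A learning switch: unicast goes to the learned port, the rest is flooded.

    mirror_port, when set, receives a copy of every frame; this is the
    monitoring port the text warns about.
    """

    def __init__(self, port_count: int, mirror_port: Optional[int] = None) -> None:
        self.port_count = port_count
        self.mirror_port = mirror_port
        self.mac_table: dict[str, int] = {}  # MAC address -> port it was seen on

    def forward(self, in_port: int, frame: Frame) -> set[int]:
        self.mac_table[frame.src] = in_port  # learn where the sender lives
        if frame.dst == BROADCAST or frame.dst not in self.mac_table:
            # Broadcast or unknown unicast: flooded to all ports, like a hub.
            out = {p for p in range(self.port_count) if p != in_port}
        else:
            out = {self.mac_table[frame.dst]}  # micro-segmentation
        if self.mirror_port is not None and self.mirror_port != in_port:
            out.add(self.mirror_port)
        return out


def frames_seen_by(device, sniffer_port: int, traffic: list[tuple[int, Frame]]) -> list[str]:
    """Replay (ingress port, frame) pairs; return payloads visible on sniffer_port."""
    seen = []
    for in_port, frame in traffic:
        if sniffer_port in device.forward(in_port, frame):
            seen.append(frame.payload)
    return seen


# Constructed sample traffic: host A on port 0, host B on port 1, sniffer on port 2.
A, B = "00:aa:aa:aa:aa:01", "00:bb:bb:bb:bb:02"
SAMPLE_TRAFFIC = [
    (0, Frame(A, BROADCAST, "arp-who-has-B")),  # ARP request is a broadcast
    (1, Frame(B, A, "arp-reply")),              # switch learns B is on port 1
    (0, Frame(A, B, "login-request")),          # directed unicast A -> B
    (1, Frame(B, A, "login-ok")),               # directed unicast B -> A
]

if __name__ == "__main__":
    print("hub   :", frames_seen_by(Hub(4), 2, SAMPLE_TRAFFIC))
    print("switch:", frames_seen_by(Switch(4), 2, SAMPLE_TRAFFIC))
    print("mirror:", frames_seen_by(Switch(4, mirror_port=2), 2, SAMPLE_TRAFFIC))
```

On the hub and on the mirror port the sniffer sees all four frames; on a plain switch port it sees only the broadcast.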
Wireless Access Points
Wireless access points provide connectivity between wireless network adapters and wired LANs.
Wireless communications use RF in the microwave range. This makes them very easy to intercept. Computer criminals can use a police scanner and stream the audio to their computers. This signal can then be converted into data using some widely available software.
Hackers can also buy a wireless NIC and wander around, linking to any unprotected networks. The NIC will negotiate with the access point and will be allowed in without any need of network credentials.
To prevent unauthorized access, you must configure a shared secret password, called a service set identifier (SSID), on the access point. If the client NIC does not have the SSID information, the card will not be allowed to connect. Many access points will also allow you to enter the MAC address of allowed cards. Any card that does not match will be rejected. Unfortunately, most of this authentication is exchanged via clear text. Encryption is also a necessity, as you may prevent a hacker from joining your network without preventing them from listening in on your conversations.
Summary
This topic summarizes the key points discussed in this lesson.
Bridges and hubs repeat signals with no decision as to destination
Switches provide isolation and are not as susceptible to monitoring
Physical security is paramount on all layer 2 devices
Wireless access points are the most difficult to secure, as they may extend past the physical boundary of the building
Encryption is essential in a secure environment
Access keys, called SSIDs, help secure wireless networks
Lesson Assessment
Q1) How does a switch reduce the chance of unauthorized monitoring of traffic?
Q2) What technology helps prevent clear-text transmission in a wireless environment?
Q3) What is the most important security concern on layer 2 devices?
Q4) What type of security prevents connection of unauthorized wireless access cards?
Layer 3 Access Points
Overview
Layer 3 devices are responsible for routing data from a source network to a destination network. Layer 3 devices move from a physical identifier to a logical identifier. Layer 3 devices are where a lot of active security takes place. Remote access devices and firewalls are used to authenticate users and expose designated segments of the network to outside users.
Objectives
Upon completing this lesson, you will be able to:
Identify the vulnerabilities of routers
Identify the vulnerabilities of Remote Access Servers
Identify the purpose and vulnerabilities of Layer 3 Firewalls
Outline
This lesson includes these topics:
Overview
Routers
Remote Access Server
Layer 3 Firewalls
Summary
Assessments
Routers
Routers are designed to route packets from one network segment to another.
These devices make it possible to connect networks to each other and maintain traffic flow to the correct destination. Unlike switches, routers are designed to block broadcast traffic. This blocking feature is useful in preventing data storms from affecting an entire network.
Higher-priced routers can also include packet-filtering features that let the router act as a firewall, discarding unwanted traffic and controlling access to the network. Routers can also be configured to provide Quality of Service (QoS) functionality that queues traffic based on a set of configurable priorities. This ensures that time-sensitive traffic, like voice communications, will not be delayed by other processes.
Routers share some of the same vulnerabilities as switches. Many routers have a special port that can be configured to replicate all traffic that flows through the device. When a sniffer is connected to this port, it is easy to monitor all traffic.
The process of routing can also open the router to attacks. Each router maintains a routing list that is a map of all possible networks that it can send traffic to. These routing tables are shared between many routers using routing protocols like RIP or OSPF. If a computer criminal can inject a corrupt routing table, the router will misdirect traffic. Using neighbor configuration techniques with the routing protocols will help eliminate route table corruption. Most routers are configured using a Telnet session. This lets administrators configure and maintain routers remotely. Telnet transmissions, including username and password, are sent via clear text. Anyone sniffing that network segment can expose these secrets. Encryption and physically connecting the management station directly to the router will help eliminate the clear text problem.
Remote Access Servers
Remote access servers are designed to provide network connectivity to remote users who connect to the corporate network via a modem or VPN connection through the Internet.
If the caller comes in via a direct dial to the modem, it is fairly secure. Hackers can use a war dialer to call a list of phone numbers and record any call answered by a computer. Configuring the modems to silent answer will help eliminate that problem.
When a user calls in, they need to authenticate. Many hardware-based remote access servers are configured with their own list of user accounts and passwords. These are typically stored in clear text. Since these usernames and passwords are commonly the same for dial-up and network access, anyone who gains access to the box can attack more than just the dial-in accounts. A way to solve this, and provide centralized authentication and accounting, is to use Remote Authentication Dial-in User Service, also known as RADIUS. RADIUS sends the authentication request from the remote access server to an authentication server that stores the user account information in a centralized database. RADIUS can also log which user logged on and how long they maintained the connection. Depending on your remote access server, RADIUS can also centralize control of remote access policies to provide different levels of access based on time-of-day, group memberships and even Caller-ID information. Most dedicated remote access servers support RADIUS, and it is also implemented in most software solutions like Microsoft's Routing and Remote Access Server, also known as RRAS.
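As an added example, not code from the course or from any RADIUS product, the following implements the RFC 2865 Access-Request exchange between a remote access server and a RADIUS server: the User-Password attribute is hidden using the shared secret and a per-request authenticator rather than sent in clear text, and the server's reply is authenticated with the same secret. The shared secret, the user list and the fixed authenticator value are constructed for the illustration.

```python
"""RADIUS Access-Request password hiding and reply check (RFC 2865).

Added illustration of what the remote access server (NAS) and the RADIUS
server exchange; constructed values, not traffic from any real product. The
NAS never sends the user's password in the clear: it is XORed with MD5 output
derived from the shared secret and a per-request random Request Authenticator
(RFC 2865 section 5.2). The server's reply carries a Response Authenticator
computed over the request and the secret, so the NAS can reject a forged reply.
"""
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(secret: bytes, request_auth: bytes, password: bytes) -> bytes:
    """Pad to 16-octet blocks; each block is XORed with MD5(secret + previous block)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth  # first block is chained on the Request Authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def unhide_password(secret: bytes, request_auth: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password, as performed by the RADIUS server."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(c ^ k for c, k in zip(block, keystream)), block
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header octets as well."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret: bytes, ident: int, username: bytes, password: bytes,
                         request_auth: Optional[bytes] = None) -> bytes:
    """The packet the NAS sends: Code, Identifier, Length, Authenticator, attributes."""
    request_auth = request_auth or os.urandom(16)  # must be unpredictable per request
    attrs = attribute(ATTR_USER_NAME, username)
    attrs += attribute(ATTR_USER_PASSWORD, hide_password(secret, request_auth, password))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def build_reply(secret: bytes, code: int, ident: int, request_auth: bytes,
                attrs: bytes = b"") -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_reply(secret: bytes, reply: bytes, request_auth: bytes) -> bool:
    """NAS-side check: only a holder of the shared secret can produce a valid reply."""
    header, resp_auth, attrs = reply[:4], reply[4:20], reply[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(resp_auth, expected)


def server_handle(secret: bytes, users: Dict[bytes, bytes], request: bytes) -> bytes:
    """Minimal server: parse attributes, check the credential, answer Accept or Reject."""
    _code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth, attrs = request[4:20], request[20:length]
    fields, pos = {}, 0
    while pos < len(attrs):
        attr_type, attr_len = attrs[pos], attrs[pos + 1]
        fields[attr_type] = attrs[pos + 2:pos + attr_len]
        pos += attr_len
    user = fields.get(ATTR_USER_NAME, b"")
    pwd = unhide_password(secret, request_auth, fields.get(ATTR_USER_PASSWORD, b""))
    ok = hmac.compare_digest(users.get(user, b"\x00"), pwd)
    return build_reply(secret, ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, request_auth)


if __name__ == "__main__":
    # Constructed values: shared secret, one user, fixed authenticator for reproducibility.
    SECRET, USERS = b"example-shared-secret", {b"alice": b"correct horse"}
    ra = bytes(range(16))
    req = build_access_request(SECRET, 7, b"alice", b"correct horse", ra)
    print("password visible in packet:", b"correct horse" in req)  # False
    reply = server_handle(SECRET, USERS, req)
    print("reply code:", reply[0], "authentic:", verify_reply(SECRET, reply, ra))
```

Note that the server still holds the reference passwords, so the central database and the shared secret are what now need protecting, which is the trade the text describes.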
Firewalls
Firewalls are typically the first line of defense in protecting a network.
They can be hardware devices that are dedicated to filtering, or they can run as applications, typically on servers that are acting as routers.
Firewalls vary in complexity and cost. Hardware firewalls are typically more expensive, but they are much faster. Firewalls operate by examining traffic as it flows through the device. The firewall, depending on its sophistication, will examine the source and destination address, protocol or even content, to decide whether to allow or deny the traffic.
Firewalls can also perform redirection based on the port or protocol of the packet. For example, you can configure the firewall to send all SMTP traffic coming in on port 25 to the email server. In this manner, the firewall acts as a proxy to the real server. This hides the actual server's IP address and helps eliminate probes to any additional ports that may be open on the targeted server.
Firewalls, by their very nature, are reasonably secure. Software-based firewalls are somewhat vulnerable if additional services are running on the server acting as a firewall. If you have a multi-homed server, the server may automatically route the packets before they are ever sent all the way up the protocol stack to the firewall application. It is a good idea to dedicate a machine that is going to act as a firewall. This helps eliminate any unsecured configurations that may compromise your network.
You can enhance your firewall protection by employing layers. One firewall gives access to the public servers and a second firewall is between the public servers and the private network. This sets up what is called a screened subnet, or DMZ.
Summary
This topic summarizes the key points discussed in this lesson.
Routers employ packet filtering to eliminate undesirable traffic
Routers have the same vulnerabilities as a switch if they have a monitoring port
Remote Access servers are subject to dial and ping scanning
Remote Access servers should use RADIUS to centralize authentication and provide accounting
Layer 3 Firewalls are the first line of defense for networks connected to the Internet
Firewalls may be deployed in a layered configuration to enhance security
Firewalls can provide port redirection to target
Lesson Assessment
Q1) What can a router do to eliminate undesirable traffic?
Q2) What is the physical vulnerability of a router that allows an attacker to monitor all traffic that is processed through the device?
Q3) What type of firewall should you use if speed is the most important consideration?
Q4) What type of deployment can be used for firewalls to decrease vendor-related risks?
Layer 4 and Above
Overview
Layers 4 and above are where the operating system and applications reside. It is vital to provide various security features, as each operating system and application brings its own set of security challenges.
Objectives
Upon completing this lesson, you will be able to:
Identify the use and security aspects of a Proxy server
Identify the vulnerabilities of workstations
Identify the vulnerabilities of Servers
Identify the vulnerabilities of removable media
Outline
This lesson includes these topics:
Overview
Proxy servers
Workstations
Servers
Removable media
Summary
Assessment
Proxy Servers
Proxy servers are designed to allow systems that are inside of a protected environment to get outside access to resources.
Proxy servers can also monitor traffic and disallow access to "banned" protocols or websites. Many proxy servers store frequently requested web pages to the server's local hard drive. This speeds up access because when a client requests a page that is in the proxy cache, the proxy server does not have to download the page again. The proxy can also allow inbound traffic targeted to a specific list of protocols to move into the network. This targeted traffic can use various security features to help isolate servers from external attacks, like port translation.
Proxy servers are sometimes used as firewalls, but using separate boxes, one for firewall functions and the other for proxy functions, is more secure, as penetrating a single machine can lay your entire network bare to any type of attack.
Proxy servers are vulnerable if they are hosting additional functions. It is best to dedicate any security function, like firewalls and proxy services, to run exclusively on a machine. If you have additional services on a server, you may introduce additional security weaknesses that can be exploited, allowing unauthorized users to bypass your security configuration.
Workstations
Workstations are a very visible target for attackers. They are much less secure than servers and are typically available for local and remote exploits.
Workstations are typically operated by end-users who may pay little attention to security. The workstations may be running services and applications that expose the local system and the entire network to attack. Laptops, moreover, are being stolen in record numbers from inattentive users.
The best line of defense in securing a workstation is to remove any unnecessary services, software and hardware. Modems, applications and services that are not needed leave an unmonitored hole in your layered defense. Preventing installation of applications is easy to accomplish, depending on the operating system. Unauthorized applications can contain viruses, Trojan horses or spyware. The number one vulnerability to workstations comes in the form of a virus. Up-to-date virus protection is a must in any environment. There are many utilities that are sent to unsuspecting users that report keystrokes or collect financial information. Some virus software can even activate the microphone on a laptop to record conversations. The captured information can then be sent to a collection site. Since the traffic is originating inside of your network, your firewalls and proxy server would be hard-pressed to prevent the leak of vital and compromising information. The attacker gathers data and either uses it to launch additional attacks or simply sells the collected information to interested parties.
To prevent exploits against services, you should remove or disable the unneeded services. Most Microsoft operating systems include a mini-web server in most default installations, although some of the newer operating systems are changing this. It is always a good idea to make sure the workstations are up to date with the latest service packs and hot fixes. This helps close some of the security holes that are constantly being discovered.
Servers
Servers share the same vulnerabilities as workstations, mainly unmonitored hardware, software and services.
Servers are often targets because they may contain information that is of interest to the computer criminal. Servers that act in security and authentication roles are of particular interest, as penetrating these servers can leave the rest of the network unguarded.
Many servers are used for dedicated purposes like running SQL, web sites or email. These servers add additional challenges to the security professional as they may have vulnerabilities that are unique to these applications. Many hackers specialize in attacking a particular type of server. For example, a particular hacker may know all of the intricacies of penetrating a Microsoft Exchange server.
DNS, email, FTP, and web servers are particularly exposed, as they are available to the public. They also present a public face that could impact revenue, in the case of an e-commerce site, or lead to corporate embarrassment if the public web server is defaced.
Security professionals need to keep up to date on the latest security issues associated with services that they are running. All of the workstation security guidelines still apply, namely virus updates, security fixes and application of the latest service packs.
Servers should always be placed in a physically secure area. There are many utilities available that will let anyone boot the server from a CD-ROM or floppy disk and let the attacker change the administrator's password or gain access to protected files. If an attacker cannot penetrate the system, they can also steal the server or disable it by damaging the hardware.
Removable Media
Moving data from one machine to another is not limited to networks. The so-called "sneaker-net" is alive and well in corporate society. Most software is still deployed using physical media, and many books now come with CD-ROMs.
Any removable media is subject to theft. Backup tapes, installation CDs, and entire hard drives are portable and can be easily read. Sharing pirated copies of movies, games and documents is an easy entry point for a variety of attacks ranging from viruses and Trojan horse programs to automated attacks.
Physically securing removable media is the key to preventing loss due to theft. Checking required CDs in and out or legally copying the contents to a file server can add a level of security and can even improve the installation process. You should also ensure that any files that are stored on the server, particularly installation applications, are protected from unauthorized changes.
Removable media devices should only be installed on systems that require them. Many schools have greatly reduced the incidence of viruses by removing the floppy disk and CD-ROM drives from their installed systems. All applications and data are stored on a server that is available on their network.
Tapes
Tape was the first replacement for punched cards during the infancy of the computer industry. New technology has made it possible to store staggering amounts of information on a small tape cartridge. This, coupled with high-speed, automated tape systems, makes tape the media of choice for most backup and recovery solutions.
Stolen backup tapes can be stripped of data for examination. Sophisticated hackers can also modify the data on the tape and use it to modify or destroy information that is kept on the normal server. Tapes can also be injected with virus and Trojan horse programs for further penetration on production systems.
Server backups that are stolen can be recovered on a different computer in the hacker's home network, and the attacker is then free to run a variety of brute-force attacks that would normally be noticed on the regular network.
Tapes are a magnetic medium, and therefore susceptible to electromagnetic radiation. They can be easily damaged or erased with magnets. Many cases for tapes contain special shielding, but you must still protect tapes from strong magnetic fields.
CD-R and DVD-R
CD-ROMs have replaced the floppy disk as the preferred media for software installation.
CD-ROMs are inexpensive and hold over 600 MB of information. DVDs hold between 4.5 and 9 GB of information and are becoming the preferred installation media for today's storage-intensive applications. CDs are not susceptible to magnetic fields, but some recordable CDs (CD-Rs) will erase when exposed to ultraviolet light.
Burners are cheap and fast. There are new versions that plug into a parallel or USB port. These devices are detected via plug and play and make it very easy for someone to connect, download, and disconnect without leaving a trace. Remove any ports, USB in particular, that are not required. Software piracy is also rampant with advanced burners and bit-copying software. Unlicensed copies of software cost the development industry billions of dollars in lost revenue.
The disks themselves are small and widely distributed. This makes them attractive targets of theft, and it is difficult to detect a stolen disk among the dozens that any typical user may have. Physical security is paramount. Store installation software in a secure location. Remove unneeded ports from servers. Limit access to ROM burners in your corporation. Require all media to be clearly labeled and tracked.
The availability of ROM burners, for both CDs and DVDs, makes a tempting avenue of attack for hackers seeking to penetrate systems. There is also the perception of invulnerability of a CD as it is typically read-only. This makes it very easy for attackers to burn malicious code to a CD, print a new label and distribute the disk as a legitimate application. Some hackers will check out books from the library and replace the CD with one of their own manufacture. Always scan any media, whether floppy or CD, for viruses before using it in any system.
Removable Hard Drives
Hard disks are becoming more mobile.
You can purchase an adapter that takes a standard hard drive and adds a USB port. This is simply plugged into the computer, and the plug-and-play operating system instantly recognizes it and allows file transfers. This gives the computer criminal hundreds of GB of instant storage. USB is a powerful invention, but you need to make sure you remove any unused ports and provide physical security to your servers to prevent hackers from taking advantage of it.
Another security concern is theft of the drive itself. Many manufacturers make removing drives simple. It is a great idea to lock cases so that they cannot be easily opened.
Do not forget that disk drives are the primary source for virus infestation. You need to treat foreign drives like any other foreign media. Always scan for viruses and damaging applications.
When you decommission old computers, remember that the erase and format commands do not normally erase the entire drive, just the index pointer. You need to ensure that all of the data is permanently erased before donating old drives to schools or other projects. A wealth of information is routinely recovered from supposedly "erased" hard disks.
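The point about deletion and formatting above, shown with an added toy block device (constructed for this example, not part of the course): delete and quick format only drop the index entry, so a raw scan of the blocks still finds the data, while overwriting every block before disposal removes it.

```python
"""Why "delete" and a quick format leave data recoverable (Removable Hard Drives topic).

Added, constructed simulation, not a real filesystem. The device is a byte
array divided into fixed-size blocks plus an index mapping file names to
block numbers. Deleting a file or quick-formatting only touches the index;
the blocks keep their contents until something overwrites them, which is
what a recovery tool relies on. Sanitizing overwrites every block first.
"""
from __future__ import annotations

import os

BLOCK_SIZE = 64
SECRET = b"ACCOUNT 4111-1111-1111-1111"  # constructed sensitive record


class ToyDisk:
    def __init__(self, block_count: int) -> None:
        self.blocks = bytearray(block_count * BLOCK_SIZE)
        self.index: dict[str, list[int]] = {}  # file name -> block numbers
        self.free = list(range(block_count))

    def write_file(self, name: str, data: bytes) -> None:
        needed = -(-len(data) // BLOCK_SIZE)  # ceiling division
        if needed > len(self.free):
            raise OSError("disk full")
        used = [self.free.pop(0) for _ in range(needed)]
        for i, blk in enumerate(used):
            chunk = data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
            start = blk * BLOCK_SIZE
            self.blocks[start:start + len(chunk)] = chunk
        self.index[name] = used

    def delete(self, name: str) -> None:
        """Ordinary delete: the index pointer goes, the data blocks are untouched."""
        self.free.extend(self.index.pop(name))

    def quick_format(self) -> None:
        """Quick format: rebuild an empty index, leave the data area alone."""
        self.free = list(range(len(self.blocks) // BLOCK_SIZE))
        self.index = {}

    def sanitize(self) -> None:
        """Overwrite every block (random pass, then zeros), then clear the index."""
        self.blocks[:] = os.urandom(len(self.blocks))
        self.blocks[:] = bytes(len(self.blocks))
        self.quick_format()

    def carve(self, needle: bytes) -> bool:
        """What a recovery tool does: ignore the index and scan the raw blocks."""
        return needle in bytes(self.blocks)


def data_recoverable_after(action: str) -> bool:
    """Store SECRET in a file, apply the action, report whether a raw scan still finds it."""
    disk = ToyDisk(block_count=8)
    disk.write_file("ledger.txt", b"Quarterly ledger\n" + SECRET + b"\n")
    if action == "delete":
        disk.delete("ledger.txt")
    elif action == "quick_format":
        disk.quick_format()
    elif action == "sanitize":
        disk.sanitize()
    else:
        raise ValueError(action)
    assert "ledger.txt" not in disk.index  # the file is gone as far as the index knows
    return disk.carve(SECRET)


if __name__ == "__main__":
    for action in ("delete", "quick_format", "sanitize"):
        print(f"{action:13s} secret recoverable: {data_recoverable_after(action)}")
```

Freed blocks are reused last, so even writing new files after a delete leaves the old contents in place for a while; only the explicit overwrite is reliable.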
Diskettes
Next to tape drives, floppy disks are one of the oldest forms for transportation of data.
Disks are very portable, and most computers have a floppy drive. Floppies are one of the primary entry points for viruses into corporate networks. Many workers will bring an infected floppy from their home computer and pass the virus into the corporate network.
To prevent this entry point, many companies are removing all floppy drives from their computers. If the users need to transfer files, they can use email or put the files on a network share. Some companies offer to burn CD-ROMs for employees who do not have access to the network after hours. Since the disk is read-only, there is little chance that the worker can inadvertently infect any other machine.
Most computers are configured to boot from a floppy prior to any other device. This makes it easy for a computer criminal to stick in a boot disk, hard-boot the server, and gain access to the files or infect the machine. Remove floppy drives from any machine that does not have a constant need of disk access. If you need to use the floppy for occasional access, get a USB model or get one that is connected via a port on the server. One college reduced virus incidents over 90% by simply removing the floppy drives from all of the student-accessible machines.
Floppies are very small and portable, but they have very limited storage space. With the advent of USB storage devices that fit on a key ring and CD-R, floppies are rapidly losing popularity.
Flashcards
Flashcards are sometimes known as memory sticks.
You can find them in PDA devices and digital cameras, and they even have readers built into a mouse. They are somewhat limited in size, but are typically detected as a hard drive. Computer criminals typically use flashcards to steal small volumes of information or to inject virus and Trojan horse applications into the network.
More and more PDA devices accept flashcards, so this has become a popular entry point for viruses and exploits targeted at these devices. Many times these applications lie in wait until the next synchronization cycle with the main desktop. The application will then infect the parent machine and, through it, inject itself into the corporate network. All removable media should be treated with caution and scanned for virus infection prior to being inserted into the system.
Smartcards
Smartcards are used throughout the corporate environment. They give access to restricted areas and can even be used to validate a user's logon and ID.
One of the most common examples of a smartcard is the ATM card that many keep in their wallet. The user inserts the card into a reader and must then enter a PIN.
Smartcards of greater sophistication have an embedded certificate that is mapped to a user account and password in the security environment. The advantage of a smartcard auto login is that you would have to steal the physical card and know the PIN to log in. Most users will quickly notice if their card is missing and report its loss. This makes stolen cards, even with the PIN intact, a short-lived victory.
If you plan to use smartcards in your infrastructure, make sure that the card requires a PIN when logging in. This two-factor authentication makes it harder for hackers to steal a card and gain access to the network. Another advantage of the smart card technology is that, since the certificate on the card is mapped to a user account, the username and password are never transmitted across the wire. Unless the host or the validating server is penetrated, it is very difficult to uncover the username and password. In many environments, the user does not even know the mapped user or account. That makes it impossible for the user to accidentally divulge the information.
Summary
This topic summarizes the key points discussed in this lesson.
Proxy servers can filter out banned protocols and web sites
Proxy servers should be dedicated to proxy services and should not be used for additional services
Workstations can provide an easy access point for viruses and Trojan horse programs
Virus updates are critical on all servers and workstations
Remove or disable all unnecessary hardware and services
Removable media should be scanned for viruses and unauthorized applications before their introduction to the environment
Removable media must be secured as they are very susceptible to theft
Lesson Assessment
Q1) XYZ Company is planning on deploying 200 workstations and 5 new servers. What
suggestions would you make for hardening these new machines?
Q2) What type of servers could be employed to cache frequently accessed web pages, yet
restrict the types of protocols and services that are allowed out to the Internet?
Q3) How do attackers use CDR media to penetrate systems?
Q4) What is the biggest threat to removable media?
5
Infrastructure Protocols
Overview
This module discusses the various types of protocols used in remote access and Internetwork
access infrastructures.
Objectives
Upon completing this module, you will be able to:
Describe the many types of protocols used in remote access environments
Describe the many types of protocols used in an internetwork access environment
Outline
The module contains these lessons:
Remote Access
Internetwork Access
Remote Access
Overview
In today's world of telecommuting from home and on the road, users require complete access
to central office resources. Thanks to the global Internet and service providers, the
infrastructure is in place for road warriors and home employees to access their resources from
just about anywhere on the planet. But in order to take advantage of the infrastructure, we need
agreed-upon protocols in order to achieve connectivity. This section discusses these
protocols and how they affect security in the enterprise.
Importance
Almost all companies provide remote access to their employees. Not understanding the security
implications of remote access can allow an attacker unfettered access into your network.
Objectives
Upon completing this lesson, you will be able to:
Describe the PPP protocol and how it relates to remote access and security
Describe the PPTP tunneling protocol
Describe the IPSec protocol
Understand the security implications of using Telnet in your enterprise
Describe the Secure Shell (SSH) protocol
Describe the TACACS+ and RADIUS protocols
Understand wireless services in the enterprise
Outline
This lesson includes these sections:
Overview
PPP
PPTP
IPSec
Telnet
Secure Shell (SSH)
TACACS+
RADIUS
Wireless
Summary
Assessment
PPP
This section describes Point-to-Point Protocol (PPP), why it is used for remote access, and the
security implications to the enterprise.
The Point-to-Point Protocol (PPP) is a layer 2 protocol that is used to encapsulate IP datagrams
on point-to-point links. PPP is arguably the most prevalent protocol used in the world today.
Internetwork Service Providers (ISPs) use it to connect clients to their infrastructure and from
their infrastructure to the global Internet. ISPs use PPP because it can perform authentication
upon connection. Other layer 2 protocols, such as Ethernet, Token Ring, and Frame Relay,
have no mechanism for authenticating the requester. Without requiring users to
authenticate, anyone can access the network. This is unacceptable to the ISP, so they adopted
PPP in order to authenticate users and give them access to the Internet. However, PPP has
evolved into much more than a simple authentication protocol. It performs additional functions
such as dynamic IP address assignment, compression, link quality control, and others.
Because PPP works at layer 2, it can encapsulate other layer 3 traffic besides IP. Other popular
layer 3 protocols PPP can encapsulate include IPX and AppleTalk.
PPTP
This section describes the layer 2 tunneling protocols PPTP and L2TP, both of which are used
to encapsulate PPP packets over an IP network.
The PPP protocol is used to encapsulate IP datagrams on point-to-point links, but networks are
often made up of multi-access segments, which PPP cannot travel over. To address this issue,
the IETF created the Point-to-Point Tunneling Protocol (PPTP).
The PPTP protocol allows PPP frames to be tunneled inside an IP network. PPTP is a
client/server architecture with two new functional components: a tunnel termination point, the PPTP
Network Server (PNS), and a client component, the PPTP Access Concentrator (PAC). These two
points make up the head end and tail end of the PPTP tunnel, which means none of the systems
in between need to be PPTP aware. The tunnel itself is created using a modified version of the
Generic Routing Encapsulation (GRE) protocol.
Before a PPTP tunnel can be established, a control connection using a standard TCP session
must be established. The PPTP control connection uses TCP port 1723, and the tunnel uses
protocol 47 (GRE).
IPSec
This section describes a suite of protocols used to enable confidentiality and integrity on
packets crossing a public network.
Packets crossing a public network such as the Internet do so in a very insecure manner. Each
packet is transmitted in clear text with no confidentiality, which makes them subject to sniffing
and replay attacks. They can also be modified in transit as they have no integrity. IPSec was
created to provide security to these packets.
IPSec is not a protocol itself, but is a suite of protocols used to provide various security services
at the IP layer for IP version 4 and IP version 6. The main protocols identified or used by IPSec
include IKE, which is also a suite of protocols, Authentication Header (AH), and Encapsulating
Security Payload (ESP). These protocols in turn rely on additional protocols for the actual
security services, such as the Internet Security Association and Key Management Protocol
(ISAKMP), Oakley, Skeme, Diffie-Hellman, MD5, SHA-1, DES, 3DES, AES, and many
others.
IPSec is a form of IP in IP encapsulation: IP packets are encapsulated in security packets (AH
or ESP). IPSec packets can be identified as they cross the Internet by one of two protocol types,
protocol 50 or protocol 51. Protocol 50 identifies the ESP protocol and is used to provide
confidentiality services, integrity services, and optional anti-replay services. Protocol 51
identifies the AH protocol and is used to provide integrity services and anti-replay services.
IPSec is widely used to deploy Virtual Private Networks (VPNs) across insecure mediums, but
can also be used to provide security for remote access and dial-up users.
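The following Python is an added illustration, not part of the original guide: it parses a raw IPv4 header and labels the packet by the identifiers this lesson (PPTP and IPSec sections) gives for recognizing traffic on the wire, namely IP protocol 50 (ESP), 51 (AH), 47 (GRE carrying PPTP data), and the TCP/UDP ports of the other protocols in this lesson. The sample packets are constructed here; a real filter would read them from a capture.

```python
import struct

# IP protocol numbers from this lesson (ESP, AH, GRE) plus TCP/UDP for port checks
PROTO_TCP, PROTO_UDP, PROTO_GRE, PROTO_ESP, PROTO_AH = 6, 17, 47, 50, 51

# Well-known ports named in this lesson, keyed by (protocol, port)
SERVICES = {
    (PROTO_TCP, 22): "SSH",
    (PROTO_TCP, 23): "Telnet (clear text)",
    (PROTO_TCP, 49): "TACACS+",
    (PROTO_TCP, 1723): "PPTP control connection",
    (PROTO_UDP, 1812): "RADIUS",
}


def build_ipv4(proto, payload, src="10.0.0.1", dst="10.0.0.2"):
    """Constructed test data: a minimal 20-byte IPv4 header (no options) in front of payload."""
    def ip2b(addr):
        return bytes(int(x) for x in addr.split("."))
    total_len = 20 + len(payload)
    # version/IHL, TOS, total length, id, flags/frag, TTL, protocol, checksum (0), src, dst
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64,
                         proto, 0, ip2b(src), ip2b(dst))
    return header + payload


def build_l4(src_port, dst_port):
    """Constructed TCP/UDP header stub: only the two port fields matter for classification."""
    return struct.pack("!HH", src_port, dst_port) + b"\x00" * 16


def classify(packet):
    """Label one IPv4 packet the way a border filter or IDS would; raise on malformed input."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = packet[0] >> 4, (packet[0] & 0x0F) * 4
    if version != 4:
        raise ValueError("not an IPv4 packet")
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL / truncated options")
    proto = packet[9]
    if proto == PROTO_ESP:
        return "IPSec ESP (protocol 50): confidentiality, integrity, optional anti-replay"
    if proto == PROTO_AH:
        return "IPSec AH (protocol 51): integrity and anti-replay, no confidentiality"
    if proto == PROTO_GRE:
        return "GRE (protocol 47): PPTP tunnel data"
    if proto in (PROTO_TCP, PROTO_UDP):
        transport = packet[ihl:]
        if len(transport) < 4:
            raise ValueError("truncated transport header")
        sport, dport = struct.unpack("!HH", transport[:4])
        name = "TCP" if proto == PROTO_TCP else "UDP"
        # check the destination port first (client -> server), then the source port (replies)
        for port in (dport, sport):
            if (proto, port) in SERVICES:
                return f"{SERVICES[(proto, port)]} ({name} {port})"
        return f"{name} {sport}->{dport}"
    return f"IP protocol {proto}"
```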
Telnet
This section describes the Telnet protocol, its uses, and its security shortcomings.
In the 1970s there was really no such thing as the personal computer. Each user on a mainframe
was physically connected to a terminal, which was a dumb input/output device. All
computations for all users were performed on the central processing unit or mainframe. When
TCP/IP came into the picture with its connectionless nature, users were no longer required to be
directly connected to the mainframe, yet they still needed terminal or terminal-like access.
That is what Telnet provides: a terminal emulation service on an IP network.
The Telnet protocol is one of the main protocols in the TCP/IP suite and is used to provide a
bi-directional, eight-bit, character-driven communications facility. It provides a standard method
of interfacing terminal devices and terminal-oriented processes with each other. Telnet uses the
TCP protocol to maintain an interactive connection-oriented session between two parties.
Telnet uses TCP port 23. Because Telnet traffic crosses the network in clear text and is subject
to many types of attacks, most administrators block Telnet access in or out of their network.
Secure Shell
This section discusses a secure alternative to the Telnet protocol.
Secure Shell (SSH) is a secure alternative to the Telnet protocol that fills many of Telnet's
shortcomings. In addition, SSH can transfer files between systems. For additional security,
SSH authenticates users and encrypts data as it traverses the wire. SSH uses the RSA and DSA
ciphers for authentication, and the DES, 3DES, IDEA, and Blowfish encryption algorithms,
among others.
SSH authentication requires each device to generate a public and private key pair. Upon
initial connection, each device authenticates the opposite device by encrypting a value with
the public key of the other device. The other device must then decrypt the value with its
private key and return the value. If the decrypted value matches the original value,
authentication is complete, because only the owner of the correct private key could have
decrypted the original value.
SSH uses an encryption algorithm and a shared secret key algorithm, both of which are
negotiated during the initial connection.
SSH packets use TCP port 22.
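The public-key challenge-response exchange described above, written out as an added Python example (not code from the guide or from any SSH implementation). It uses textbook RSA with tiny, constructed key pairs purely so the arithmetic is visible; real SSH keys are far larger and use padding, and the Verifier/Prover names are this example's own.

```python
import secrets

# Textbook RSA with tiny primes, for illustration only.
# Pair A: p=61, q=53 -> n=3233, e=17, d=2753.  Pair B: p=47, q=59 -> n=2773, e=17, d=157.
DEVICE_A_PUBLIC, DEVICE_A_PRIVATE = (17, 3233), (2753, 3233)
DEVICE_B_PUBLIC, DEVICE_B_PRIVATE = (17, 2773), (157, 2773)


def rsa_apply(key, value):
    """Encrypt with a public key or decrypt with a private key: value^exp mod n."""
    exp, n = key
    return pow(value, exp, n)


class Verifier:
    """The side that issues the challenge. It holds only the peer's public key."""

    def __init__(self, peer_public):
        self.peer_public = peer_public
        self.expected = None

    def make_challenge(self, value=None):
        """Pick a random value, remember it, and send it encrypted under the peer's public key."""
        n = self.peer_public[1]
        self.expected = secrets.randbelow(n - 2) + 2 if value is None else value
        return rsa_apply(self.peer_public, self.expected)

    def check(self, response):
        """True only if the peer recovered the original value; a challenge is single-use."""
        ok = self.expected is not None and response == self.expected
        self.expected = None  # replaying an old response cannot satisfy a later challenge
        return ok


class Prover:
    """The side being authenticated. Only the holder of the private key can answer."""

    def __init__(self, private):
        self.private = private

    def respond(self, challenge):
        return rsa_apply(self.private, challenge)


def authenticate(verifier, prover, value=None):
    """One direction of the exchange: challenge out, decrypted value back, compare."""
    challenge = verifier.make_challenge(value)
    return verifier.check(prover.respond(challenge))


def mutual_authenticate(a_public, a_private, b_public, b_private):
    """Both directions, as the lesson describes: A verifies B, then B verifies A."""
    a_verifies_b = authenticate(Verifier(b_public), Prover(b_private))
    b_verifies_a = authenticate(Verifier(a_public), Prover(a_private))
    return a_verifies_b and b_verifies_a
```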
TACACS+
This section provides an overview of the Terminal Access Control Access Control System Plus
(TACACS+) protocol.
When systems need to perform authentication to a gateway device, the gateway usually checks
the username/password against its local database. If you have hundreds of users, each one
connecting to multiple systems, this authentication system breaks down. To scale to a large
network with many users, performing authentication via a central database is required. The
problem with this method is that the data transmitted between the gateway and the central
database needs to carry authentication, authorization, and accounting (AAA) data, along with
sensitive data such as usernames and passwords. This requires a protocol to allow a secure
exchange of data between these two systems. Cisco's Terminal Access Control Access Control
System Plus (TACACS+) protocol is one of two main protocols that accomplish this.
TACACS+ is used to exchange AAA messages between the gateway and the central database,
called an Access Control Server (ACS). TACACS+ messages can be identified on the network
as using TCP port 49. It uses a shared secret key configured on both systems to encrypt and
decrypt messages between both systems.
RADIUS
This section provides an overview of the Remote Access Dial-in User Service (RADIUS)
protocol.
Another protocol that performs the same functionality as TACACS+ is the Remote Access
Dial-in User Service (RADIUS). RADIUS was created for use in dial-up environments, but has
quickly moved to the mainstream network. Like TACACS+, RADIUS is used as the message
protocol to transfer AAA data between a remote access gateway and an ACS server.
Unlike TACACS+, RADIUS is an open protocol with distributed source code, which makes it
an attractive option for many vendors. RADIUS is defined in RFC 2865 and uses a client/server
model where the Network Access Server (NAS) is the client of RADIUS. RADIUS packets can
be identified as using UDP port 1812. Unlike TACACS+, which encrypts the entire payload,
RADIUS only encrypts the user's password, which allows information such as the username,
authorized services, and accounting traffic to be captured by sniffers.
Wireless
This section describes wireless networks, protocols, and security measures.
Having users physically tied to a wired connection to access their resources has hampered many
businesses. However, moving a user from jack to jack has proven impractical. Because of these
and other physical access limitations, wireless networks have become a necessity for many
corporations. Wireless gives users the freedom to move throughout their company and stay
connected to their data and resources, which increases productivity.
Most companies today create a public wireless DMZ network, where partners, consultants,
investors, and the like can connect to the Internet to access their email, surf the Internet, and
access other resources without creating a security threat to the company's internal network.
Although wireless has proven to be a great asset to companies, it is not without its problems.
Allowing access into the private network requires security measures to mitigate attacks such as
sniffing and access attacks. Certain protocols were created to assist in this endeavor, but these
soon proved to be ineffective. However, as with most maturing technologies, wireless has become
more secure as time goes by.
A wireless LAN (WLAN) is one in which a mobile user can connect to a LAN through a
wireless connection. The gateway from the wireless network into the LAN is called the Access
Point.
802.11x
802.11x refers to a group of standards for wireless local area networks (WLANs) that are part
of the overall IEEE 802.11 WLAN infrastructure.
Some of the completed standards include:
802.11 - A family of specifications for WLANs developed by a working group of the
Institute of Electrical and Electronics Engineers (IEEE).
802.11a - A specification that applies to wireless asynchronous transfer mode (ATM)
systems and is used in access hubs. Typical wireless speeds include 6 Mbps, 12 Mbps,
24 Mbps, or 54 Mbps.
802.11b (Wi-Fi) - An 11 Mbps wireless protocol that is backwards compatible with 802.11
802.11g - A 54 Mbps wireless protocol that is also backwards compatible with 802.11
Other wireless protocols being created include:
802.11e - Quality of Service (QoS)
802.11f - Access Point interoperability
802.11h - Interference
802.11i - Security
Wired Equivalent Privacy (WEP)
Wired LAN networks usually have some form of physical protection for the wires, such as
locked doors and security guards. Wireless networks have no equivalent privacy
feature. 802.11b specifies a security measure used to protect data confidentiality as it crosses
the radio medium. That security measure takes the form of the Wired Equivalent Privacy
(WEP) protocol.
To encrypt data, WEP relies on a shared secret key known only to the mobile stations and the
access point. The key is used to encrypt packets before they are transmitted. An integrity check
is also performed to make sure packets are not modified in transit. WEP uses the RC4 stream
cipher for encryption.
WEP has been criticized by researchers for being a flawed system with many security
vulnerabilities. A research team at the University of California at Berkeley claims the following
problems exist with WEP:
Passive attacks to decrypt traffic based on statistical analysis.
Active attacks to inject new traffic from unauthorized mobile stations, based on known plaintext.
Active attacks to decrypt traffic, based on tricking the access point.
Dictionary-building attack that, after analysis of about a day's worth of traffic, allows real-time automated decryption of all traffic.
The Wireless Ethernet Compatibility Alliance (WECA) claims that WEP was not intended to
be the sole security system for wireless networks, but when used with other security measures,
WEP is quite effective.
Wireless Application Protocol (WAP)
Wireless Application Protocol (WAP) was created to deal with the issue of displaying Internet
content on mobile devices.
Today, web pages are very rich in content and graphics and are usually formatted for at least an
800x600 display. Trying to display these pages on a handheld device such as a PDA or mobile
phone can be difficult and time consuming. Because of the ever-increasing popularity of these
devices and the demand of consumers for Internet access, a special forum called the
Wireless Application Protocol (WAP) Forum was created to deal with the issue of displaying
Internet content on mobile devices. WAP defines a set of protocols in the transport, security,
transaction, session, and application layers to enable the creation of advanced mobile services.
WAP is an application communication protocol used to show Internet content on wireless
clients, like PDAs and mobile phones. WAP is an access services and communications protocol
used to create mobile web applications designed for micro browsers. WAP uses the Wireless
Markup Language (WML) as defined in the XML 1.0 specification. WML is an inherited
version of HTML and is used specifically to create web pages for small browsers.
WML focuses on displaying text over graphics. Tags that would slow down the communication
with handheld devices are not a part of the WML standard. Because text is the major
component of WML, the use of tables and images is strongly restricted.
802.1x
Port-based access control, defined in the IEEE 802.1x standard, was created to restrict access on
wired MAC-based point-to-point segments.
For example, imagine you have a publicly available classroom with multiple jacks used to
connect students to the campus network. Each of the Ethernet jacks connects to a port on a
switch. You need to make sure only authorized students can access the network. Normally,
anyone who connects to any of the Ethernet ports will obtain their IP address, default gateway,
and DNS servers via DHCP. From there, students will access their resources. Port-based access
control (802.1x) was created to solve this problem.
802.1x has three main components: the supplicant (the end user in our example), the
authenticator (the switch), and the authentication server, which holds the user database (usually
a RADIUS server).
802.1x works in the following fashion:
Every 802.1x controlled port starts out in what is called a controlled state. In a controlled state,
only a certain type of frame can enter and leave the port. These frames are called Extensible
Authentication Protocol (EAP) frames and are used to authenticate users. Thus, if no
authentication occurs on a port, no data (other than EAP frames) can pass.
Note: EAP packets cannot traverse Ethernet by themselves; they must be encapsulated in another
protocol. The protocol used to carry EAP packets is called EAP over LANs or EAPOL.
When a user, or supplicant, attaches to a MAC port, the switch will attempt to authenticate the
end user. The end user will encapsulate his credentials in an EAPOL frame and send it to the
switch (authenticator), which will in turn forward it to the authentication server. If the user has
proper credentials, the authentication server will forward a permit frame to the switch, which
will transition the port to uncontrolled port status. Uncontrolled ports allow all frames to pass
without restriction. Thus, only the authenticated user on a specific port has access to the
network. All other ports remain in the controlled state until a supplicant gives their correct
credentials.
802.1x was later modified to allow its use over wireless 802.11 networks. The basic nature of
802.1x stays the same, as you still have a supplicant, an authenticator, and an authentication
server. In wireless networks, the authenticator is always an access point.
WTLS
Wireless Transport Layer Security (WTLS) is the security layer of the Wireless Application
Protocol (WAP).
Wireless networks pose interesting and different security threats compared to wired networks.
For this reason, new security measures are needed to support wireless environments. Wireless
Transport Layer Security (WTLS) is the security layer of the Wireless Application Protocol
(WAP), providing authentication, privacy, and data integrity for WAP services. WTLS was
created specifically for wireless networks to provide a means of securing sensitive data as it
travels the airwaves.
WTLS is based upon the widely accepted TLS 1.0 security layer of the Internet. TLS was
modified to support the low bandwidth requirements, limited CPUs, relatively low memory
storage, and export restrictions on wireless devices.
The new features that WTLS incorporates include datagram support, dynamic key refreshing,
and optimized packet size and handshaking. WTLS was designed specifically to support
low-bandwidth bearer networks with relatively long latency times. It performs these functions by
utilizing fast cryptographic algorithms for its algorithm suite.
Extensible Authentication Protocol (EAP)
Extensible Authentication Protocol (EAP) can support multiple authentication mechanisms.
The PPP protocol can use various types of authentication mechanisms in order to authenticate a
peer, but both sides must agree in advance on which authentication mechanism will be used.
Wireless networks can contain many different types of users on many different types of
platforms, which means requiring a single authentication protocol can be very difficult to
implement. Therefore, PPP was supplemented with an optional authentication mechanism
called the Extensible Authentication Protocol (EAP), which can support multiple authentication
mechanisms.
EAP usually runs directly over the data link layer without requiring IP, and therefore includes
its own support for in-order delivery and retransmission. EAP allows the use of different
authentication mechanisms by postponing authentication from the normal Link Control Phase to
a new authentication phase. This allows the authenticator to obtain more information on the
specific authentication type. This works perfectly in an 802.1x network, where the authenticator
does not need to know the authentication method being used, as it only passes the messages
between the supplicant and the authentication server.
The major function of EAP is to head off proprietary authentication systems and let anything
from static username/password combinations to a complete public key infrastructure work
smoothly and efficiently. This allows complete interoperability and compatibility of any
authentication method.
Lightweight EAP (LEAP)
Lightweight EAP (LEAP) strengthens several of EAP's deficiencies.
EAP has some limitations that can potentially compromise security. One of the major problems
with EAP is that it only performs one-way authentication, where the authentication server
authenticates the user, but the user does not authenticate the server. One major vendor, Cisco
Systems Inc., has created an enhanced version of EAP called Lightweight EAP (LEAP), which
strengthens several of EAP's deficiencies.
LEAP strengthens several of the EAP weaknesses by utilizing dynamic WEP and sophisticated
key management, as well as incorporating MAC address authentication. Some of the major
security implementations of LEAP include:
Mutual authentication - Mutual authentication between the client and the back-end
authentication server is performed over a secure channel. This eliminates any type of
man-in-the-middle attack.
Dynamic WEP keys - LEAP provides for dynamic, per-user, per-session WEP keys at 128 bits.
This allows individual session keys and eliminates the shared key dilemma. To strengthen WEP
key exchanges, LEAP will encrypt the broadcast WEP key using the session key before
delivering it to the end client.
Secure key derivation - Mutual challenge responses are constructed using a shared secret key.
These responses undergo an irreversible one-way hash that makes the password impervious to
replay attacks.
Re-authentication - When new session keys are requested or necessary, clients will be forced
to re-authenticate, which reduces the effectiveness of brute force attacks.
Initialization Vector (IV) modifications - The IV is changed on a per-packet basis, which means
an attacker cannot exploit known or predetermined sequence numbers. The combination of this
and dynamic WEP keys makes it very difficult to successfully attack a session even with
knowledge of the IVs seen on the network.
EAP Over LANs (EAPOL)
The EAP Over LANs (EAPOL) protocol allows you to leverage EAP over broadcast mediums.
The EAP protocol is part of the PPP protocol, which means it is encapsulated in a PPP frame.
In order to use EAP in our network environment we must be running PPP on our links.
However, other layer 2 technologies, such as Ethernet and 802.11, do not use PPP. By
encapsulating EAP in Ethernet frames using the new EAP Over LANs (EAPOL) protocol, you
can leverage EAP over these broadcast mediums.
EAPOL is defined in the 802.1x standard for using EAP messages over Ethernet. Ethernet
frames identify EAPOL messages by using the EtherType value 888E (hexadecimal).
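The controlled/uncontrolled port behaviour of the 802.1x section and the EAPOL EtherType above, combined in one added Python simulation that is not from the guide or any switch vendor: an authenticator port drops everything except EtherType 0x888E until the authentication server accepts the supplicant's credentials, then forwards all frames until the link goes down. The AuthServer here is a constructed stand-in for a RADIUS server, and its "user:password" payload stands in for the real multi-message EAP exchange.

```python
import struct

ETHERTYPE_EAPOL = 0x888E   # the EAPOL EtherType named in this lesson
ETHERTYPE_IPV4 = 0x0800    # ordinary data traffic, used here as the "everything else" case
PAE_GROUP_MAC = b"\x01\x80\xc2\x00\x00\x03"  # 802.1x port access entity group address


def ethernet_frame(dst, src, ethertype, payload):
    """Constructed Ethernet II frame: 6-byte destination, 6-byte source, EtherType, payload."""
    return dst + src + struct.pack("!H", ethertype) + payload


def ethertype_of(frame):
    if len(frame) < 14:
        raise ValueError("runt frame: shorter than an Ethernet header")
    return struct.unpack("!H", frame[12:14])[0]


class AuthServer:
    """Stand-in for the RADIUS server that holds the user database (constructed)."""

    def __init__(self, users):
        self.users = users

    def check(self, eap_payload):
        # The real EAP exchange is multi-message; here the payload is just "user:password"
        user, _, password = eap_payload.partition(b":")
        return self.users.get(user) == password


class AuthenticatorPort:
    """One switch port. 'controlled' passes EAPOL only; 'uncontrolled' passes all frames."""

    def __init__(self, server):
        self.server = server
        self.state = "controlled"
        self.log = []

    def receive(self, frame):
        """Return what the switch did with the frame: forward, drop, auth-success, auth-failure."""
        etype = ethertype_of(frame)
        if etype == ETHERTYPE_EAPOL:
            # EAPOL frames are relayed to the authentication server in either state
            if self.server.check(frame[14:]):
                self.state = "uncontrolled"
                result = "auth-success"
            else:
                result = "auth-failure"
        elif self.state == "uncontrolled":
            result = "forward"
        else:
            result = "drop"   # no authentication yet: only EAPOL may pass
        self.log.append((self.state, hex(etype), result))
        return result

    def link_down(self):
        """Losing the link puts the port back into the controlled state."""
        self.state = "controlled"
```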
Summary
This section summarizes the key points discussed in this lesson.
PPP
PPTP
IPSec
Telnet
Secure Shell (SSH)
TACACS+
RADIUS
Wireless
Next Steps
After completing this lesson, go to:
Internetwork Access
Lesson Assessment
Q1) Which protocol(s) can a client use to dynamically obtain an IP address?
A. PPP
B. L2TP
C. PPTP
D. Telnet
Q2) Which protocol, in the wireless world, seeks to emulate a wired LAN's privacy
measures?
A. EAPOL
B. WTLS
C. WEP
D. WAP
Q3) IPSec packets can be identified on the wire by which protocol or port?
A. TCP 1701
B. Protocol 50
C. TCP 1723
D. Protocol 51
Q4) Between TACACS+ and RADIUS, which protocol is considered more secure and
why?
Q5) Port-based access control is identified as what standard?
A. 802.11x
B. 802.1x
C. EAP
D. EAPOL
Q6) Which would be the protocol of choice to provide confidentiality when performing
remote terminal emulation?
A. L2TP
B. PPTP
C. SSH
D. IPSec
Internetwork Access
Overview
Internetwork access is the goal of all network administrators. Users need to reach resources
such as email, documents, spreadsheets, Internet access, etc., all in a secure environment. This
lesson will give a description of the more common protocols seen on the network and how
security applies to each.
Importance
Knowing which protocols are secure or how to secure protocols as they cross the wire is a
necessity in any network environment.
Objectives
Upon completing this lesson, you will be able to:
Understand and describe different email technologies
Understand security in the different WWW protocols
Understand security when transferring files across the network
Understand and describe the Lightweight Directory Access Protocol (LDAP)
Outline
This lesson includes these sections:
Overview
E-mail
Web
File Transfer
Directory
Summary
Assessment
E-mail
This lesson discusses the differing standards used to access electronic mail (e-mail) over the
Internet.
E-mail access was one of the first protocols defined under the TCP/IP protocol suite. To obtain
email from a server, the Simple Mail Transfer Protocol (SMTP) was created. This protocol
defines the mechanism a sender (email server) uses to connect to, request, and send email to the
client (receiver). SMTP was created to be efficient and get the job done. SMTP was an
effective protocol, but was soon found to be riddled with holes for crackers to exploit.
SMTP uses TCP port 25 on the network. Although SMTP is a workable solution, many smaller
companies could not take the overhead hit required in order to keep their email infrastructure in
place. A new lightweight protocol was needed in order for a single workstation to connect to a
server and request its email. The solution was Post Office Protocol version 3 (POP3), which
permits a workstation to dynamically access a maildrop on a server host in a useful fashion.
Email typically gets into an SMTP server via the SMTP protocol. Users obtain their email via
the POP3 protocol. In short, SMTP is used to send email and POP3 is used to receive email.
POP3 uses TCP port 110 on the network.
MIME
The Multipurpose Internet Mail Extensions (MIME) protocol is the standard for displaying email
messages in the same manner across systems.
Email messages were originally meant to be pure text-only messages. As the Internet started to
grow, people also wanted to share graphics, audio, and other files, but not simply as
attachments. Instead, they wanted the object to be visible immediately upon opening the email.
The problem manufacturers had was that there are a multitude of graphic formats as well as audio
formats, as well as different platforms and operating systems. A standard was needed in order
for all platforms to display email messages in the same manner across systems. That standard
turned out to be the Multipurpose Internet Mail Extensions (MIME) protocol, which is defined in
RFC 1521 and RFC 1522.
MIME allowed a one-time modification to email reading programs, enabling the program to
display a wide variety of types of messages. This allows you to view dynamic multi-type email
messages full of color, sound, and animations.
S/MIME
MIME led to the creation of Secure MIME (S/MIME).
While MIME allowed email to display in many new ways, it did so without regard to security.
Confidential email was still subject to hacks such as sniffing and replay. MIME had to be
upgraded to guarantee security and confidentiality, which led to the creation of Secure MIME
(S/MIME).
S/MIME provides cryptographic security services for electronic messaging applications by
providing authentication, message integrity, and non-repudiation of origin (using digital
signatures) and privacy and data security (using encryption). Using S/MIME is the preferred
way of securing e-mail as it traverses the unfriendly world of the Internet.
RFC 2311 describes S/MIME version 2, and RFC 2633 describes S/MIME version 3.
PGP Technologies
Pretty Good Privacy (PGP) is a technology created by Phil R. Zimmermann in response to the
1991 Senate Bill 266.
This anti-crime bill contained a measure requiring that all encryption software have a back
door, which the US Government could use to decrypt messages sent between parties. Being a
staunch supporter of civil rights, Zimmermann created a cryptosystem in which no one except
the two communicating parties could read their email messages.
PGP works using a public key cryptosystem. Each party creates a key pair (RSA in the original
PGP; later versions also support DSA and ElGamal keys): a public key that is published, for
example on a key server, and a private key that is available only to the person who created it.
If the public key is used to encrypt data, only the corresponding private key can decrypt it.
Thus, user X can obtain user Y's public key and encrypt a message to user Y with it. The only
way to decrypt the message is for user Y to use the private key, so user X can be certain that
nobody but user Y can read the message. The remaining problem is knowing that the public key
really belongs to user Y; PGP addresses this with key fingerprints and signed keys (the "web of
trust"), and a key obtained from an untrusted source should be verified out of band.
PGP is a hybrid cryptosystem: the message itself is encrypted with a fast symmetric cipher
under a random, single-use session key, and only that session key is encrypted with the
recipient's public key. Before encryption, the email data is first compressed. Compression not
only makes the message smaller, it also removes much of the redundancy found in plain text,
which frustrates cryptanalysis techniques that look for such patterns.
PGP performs the following security measures: confidentiality, data integrity, and sender
authenticity (the sender signs the message hash with his or her private key).
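The hybrid construction described above, as an added illustration (this is not PGP's own code, and it uses none of PGP's real algorithms or packet formats): a textbook RSA key pair on two fixed Mersenne primes stands in for the recipient's key, a SHA-256 counter-mode keystream stands in for the symmetric cipher, and the session key is wrapped without padding. All of those are simplifications for a runnable example; real PGP uses 2048-bit or larger keys, CAST5/IDEA/AES, and the OpenPGP format of RFC 4880.

```python
"""PGP-style hybrid encryption built from the Python standard library only.

Added illustration, not PGP's own code: real PGP uses RSA/ElGamal with CAST5,
IDEA, or AES and the OpenPGP packet format (RFC 4880). Here a small textbook
RSA key pair on fixed demonstration primes wraps a random session key, and the
compressed message is encrypted under that session key with a hash-based
counter-mode keystream standing in for the symmetric cipher.
"""
import hashlib
import hmac
import secrets
import zlib
from math import gcd

E = 65537  # the usual RSA public exponent


def toy_rsa_keypair(p=2**127 - 1, q=2**89 - 1):
    """Return ((n, e), (n, d)) for two primes. The defaults are Mersenne primes
    chosen so the example runs instantly; real keys are 2048+ bits."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(E, phi) == 1, "demo primes must be coprime to e"
    d = pow(E, -1, phi)  # modular inverse (Python 3.8+)
    return (n, E), (n, d)


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy CTR-mode stream cipher: XOR data with SHA-256(key||nonce||counter)
    blocks. Stands in for CAST5/AES; do not use outside an illustration."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        block = hashlib.sha256(key + nonce + block_no.to_bytes(4, "big")).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def pgp_style_encrypt(plaintext: bytes, recipient_public: tuple) -> dict:
    """Compress, encrypt under a fresh session key, MAC the result, and wrap
    the session key with the recipient's public key."""
    n, e = recipient_public
    session_key = secrets.token_bytes(16)          # single-use symmetric key
    nonce = secrets.token_bytes(16)
    body = keystream_xor(session_key, nonce, zlib.compress(plaintext))
    tag = hmac.new(session_key, nonce + body, hashlib.sha256).digest()
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)  # textbook RSA, no padding
    return {"wrapped_key": wrapped, "nonce": nonce, "body": body, "tag": tag}


def pgp_style_decrypt(message: dict, recipient_private: tuple) -> bytes:
    """Unwrap the session key with the private key; any other key yields a
    different session key and the MAC check fails before decompression."""
    n, d = recipient_private
    key_int = pow(message["wrapped_key"], d, n)
    if key_int.bit_length() > 128:
        raise ValueError("wrong private key: unwrapped value is not a session key")
    session_key = key_int.to_bytes(16, "big")
    expected = hmac.new(session_key, message["nonce"] + message["body"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, message["tag"]):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return zlib.decompress(keystream_xor(session_key, message["nonce"], message["body"]))


if __name__ == "__main__":
    public_y, private_y = toy_rsa_keypair()                               # user Y's key pair
    sealed = pgp_style_encrypt(b"The merger closes Friday.", public_y)     # user X encrypts
    print(pgp_style_decrypt(sealed, private_y))                            # only Y's private key works
```

The point to take from the structure: the expensive public key operation touches only 16 bytes, the message of any length is handled by the symmetric cipher, and the integrity tag is checked before anything is decompressed, so a tampered or mis-addressed message is rejected rather than fed into zlib.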
E-Mail Vulnerabilities
E-mail is subject to many security exploits.
Protocol exploits are the most common type of exploit used against email servers and clients.
SMTP is one of the most insecure protocols ever created on the Internet: it has no built-in
authentication, and the envelope sender and header fields can be forged freely. The POP3
protocol also has vulnerabilities that crackers have exploited (not least that it sends
passwords in clear text), as do MIME and PGP implementations.
But there are some vulnerabilities of mail standards that cannot be mitigated by altering the
protocol itself. We will discuss these types of vulnerabilities in the next few pages.
SPAM
Spam is simply unsolicited and unwanted email messages.
When a spammer sends large amounts of mail, it costs them very little, as most of the cost is
paid by the carriers in the form of wasted bandwidth. The recipients' e-mail servers are also hit
in terms of wasted resources, and the end users are hit in terms of wasted time looking at the
junk mail. Most spam messages take the form of commercial advertising, often for dubious
products, get-rich-quick schemes, quasi-legal services, and the like.
There are two types of spam seen on the Internet: Usenet spam and email spam. Usenet spam
messages are posts aimed at many newsgroups, while email spam messages are sent to many
recipients. Email spam lists are often created by individuals who scan Usenet postings, steal
Internet mailing lists, or search the Web for addresses. It has been commonplace for companies
to sell their customers' email addresses to the highest bidder in order to turn a higher profit.
Spam exploits do exist. These attacks (often called mail bombing) are aimed at the email server
itself and are an attempt to deny service to normal users. They send very large amounts of
forged and undeliverable mail messages to a server in order to use up all available resources
(disk, queue slots, and connections), eventually crashing or halting the server.
Hoaxes
Hoaxes usually come in the form of an email message.
These messages are false statements meant to mislead or frighten users, and they usually end
with a sentence or two urging readers to send the email on to everyone they know. Users who
receive such warnings should be wary when reading them. Always verify the legitimacy and
accuracy of the email before acting upon it, for example by checking the vendor's own site or a
hoax database. Hoaxes do nothing more than scare people into performing some rash action
(deleting a system file described as a "virus" is a classic example), so take care not to fall
for them.
SMTP Relay
This section discusses SMTP relaying.
SMTP relaying is the forwarding of email messages via the SMTP protocol from one server to
another on behalf of a third party. A server that will relay mail from anyone to anyone is an
"open relay". Crackers and spammers use open relays to send unsolicited email and to hide the
real origin of their messages, and the relay's owner ends up on block lists. Many ISPs use SMTP
relaying in their war on spam by accepting relay requests only from their own inside customers
(by source address or by SMTP authentication) while refusing to relay for connections from the
outside. Inbound mail for the ISP's own domains is still accepted from anywhere and forwarded
to its final destination. This has the added benefit of hiding the destination SMTP server
behind the relay, making it less susceptible to attack.
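The relay policy just described, written out as a decision function plus a simulated SMTP exchange so the accept and reject paths can be seen. This is an added example, not the code of any real mail server; the local domains, the inside network ranges, and the client addresses are made-up configuration, and the AUTH handling accepts anything (a real server would verify credentials at that point).

```python
"""Relay decision logic for an SMTP server: accept inbound mail for the local
domains from anyone, relay outbound mail only for inside or authenticated
clients, and refuse everything else so the server is not an open relay.

Added example, not the code of any real MTA; the local domains, the inside
networks, and the client addresses below are made-up configuration.
"""
import ipaddress

LOCAL_DOMAINS = {"example.com", "mail.example.com"}             # assumption
INSIDE_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                   ipaddress.ip_network("192.168.0.0/16")]      # assumption


def relay_decision(client_ip: str, rcpt_to: str, authenticated: bool = False) -> str:
    """Return 'accept' or 'reject' for one RCPT TO address."""
    address = rcpt_to.strip().strip("<>")
    domain = address.rpartition("@")[2].lower()
    if domain in LOCAL_DOMAINS:
        return "accept"            # mail for us: anyone on the Internet may deliver it
    ip = ipaddress.ip_address(client_ip)
    if authenticated or any(ip in net for net in INSIDE_NETWORKS):
        return "accept"            # outbound relay for our own users only
    return "reject"                # outsider asking us to relay elsewhere: open-relay abuse


def smtp_dialogue(client_ip: str, commands: list) -> list:
    """Simulate the server side of an SMTP session, returning one reply per
    command (plus the greeting). Only the verbs needed to show relay control
    are handled; AUTH is accepted blindly here, a real server verifies it."""
    replies = ["220 mail.example.com ESMTP"]
    authenticated = False
    for line in commands:
        verb, _, argument = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            replies.append("250 mail.example.com")
        elif verb == "AUTH":
            authenticated = True
            replies.append("235 2.7.0 Authentication successful")
        elif verb == "MAIL":
            replies.append("250 2.1.0 Sender ok")
        elif verb == "RCPT":
            rcpt = argument.partition(":")[2]
            if relay_decision(client_ip, rcpt, authenticated) == "accept":
                replies.append("250 2.1.5 Recipient ok")
            else:
                replies.append("550 5.7.1 Relaying denied")
        elif verb == "QUIT":
            replies.append("221 2.0.0 Bye")
        else:
            replies.append("500 5.5.1 Command unrecognized")
    return replies


if __name__ == "__main__":
    # A spammer on the Internet trying to bounce mail through us (constructed session)
    for reply in smtp_dialogue("203.0.113.5", ["EHLO spam.invalid",
                                               "MAIL FROM:<bogus@spam.invalid>",
                                               "RCPT TO:<victim@other.example>",
                                               "QUIT"]):
        print(reply)
```

The decision is made per recipient at RCPT TO, which is where real MTAs make it too: the sender address is not trusted for anything, and an outside client can still deliver mail addressed to the local domains, which is exactly what an inbound relay in front of a hidden mail server needs to allow.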
Web
This section discusses the various protocols used to send web traffic over the Internet.
In 1991, the NSF lifted the ban on commercial access to the Internet, and the Wide Area
Information Servers (WAIS) came online, providing a mechanism for indexing and accessing items
on the Internet. At this time, Tim Berners-Lee posted a notice on the alt.hypertext newsgroup
telling people how to download his hypertext-based Web server and line-mode browser. Web
servers started popping up around the world almost immediately thereafter, and the World Wide
Web was born. HyperText Markup Language (HTML) was used to describe the web pages
displayed on the screen.
Today, over half of all traffic on the Internet is web-based, with IP packets carrying some type
of HTTP traffic from server to client. This section discusses those protocols commonly seen on
the Internet and how security plays its part in them.
HTTP
HTTP is defined in RFC 2616 (HTTP/1.1, since revised in RFC 7230 through RFC 7235 and
RFC 9110 through RFC 9112) and uses TCP port 80 on the Internet.
In 1992, the WWW consisted mainly of documents and links. Indexes were special documents
which, rather than being read, were to be searched. The search result was another document
containing links to where the matching documents could be found. A simple protocol, HTTP, was
used to allow the browser program to perform this search request.
HyperText Markup Language (HTML) was used to describe a web page on the screen, while the
HyperText Transfer Protocol (HTTP) was used to carry HTML across the Internet. In 1992, all
Web traffic was text based, but that changed in 1993 with the release of Mosaic, the first
graphical Web browser. HTML has evolved tremendously since 1991, but HTTP has remained
mostly the same. HTTP still carries HTML payloads (and now images, scripts, and application
data) across the Internet, in clear text unless it is wrapped in TLS.
HTTPS
HTTPS provides a secure communication mechanism between an HTTP client-server pair.
HTTP is one of the most widely used protocols on the Internet, but it carries its payload in
clear text. This means any confidential transaction is susceptible to sniffing attacks, which is
not acceptable for the transfer of sensitive information such as credit card numbers. A secure
version of HTTP was needed, and HTTP over TLS/SSL (HTTPS, RFC 2818) was created. HTTPS
provides a secure communication channel between an HTTP client and server in order to enable
spontaneous commercial transactions for a wide range of applications. Public key cryptography
is used only to authenticate the server and to protect the key exchange; by default only the
server is authenticated (the client proves nothing at this layer unless client certificates are
configured), while the data flowing in both directions is encrypted with the negotiated
symmetric keys.
In this system, the server creates a public/private key pair and obtains a digital certificate
from a trusted third party (a certification authority). When the client wishes to create a
secure channel with the server, the server first sends its digital certificate to the client.
The client's browser attempts to validate the certificate against one of its built-in root
certificates, checks that the certificate has not expired or been revoked, and checks that the
name in the certificate matches the host name in the URL. If the certificate validates, the
client negotiates the security algorithms and (in the RSA key exchange described here) encrypts
keying material with the server's public key. At that point both parties know the security
algorithms to use as well as the shared secret key for encryption and decryption of data, and
all further communication is confidential. Modern TLS instead agrees on the keys with
ephemeral Diffie-Hellman, so that a later compromise of the server's private key does not
expose recorded sessions (forward secrecy).
HTTPS traffic uses TCP port 443 on the Internet.
Secure Sockets Layer (SSL)
The Secure Sockets Layer (SSL), currently in its third revision (SSL 3.0), was created to
provide privacy and reliability between two communicating applications.
SSL is composed of two layers. At the lowest level, the SSL Record Protocol is layered on top
of a reliable transport protocol such as TCP. The SSL Record Protocol is used for
encapsulation of various higher-level protocols. One such encapsulated protocol, the SSL
Handshake Protocol, allows the server and client to authenticate each other and to negotiate an
encryption algorithm and cryptographic keys before the application protocol transmits or
receives its first byte of data. The Alert Protocol reports problems: if either the server or
the client detects an error, it sends an alert naming the error, and a fatal alert terminates
the session.
One advantage of SSL is that it is application-protocol independent, meaning any application
protocol such as FTP, SMTP, or HTTP can run on top of it.
SSL uses the client/server model. The client is the entity that initiates the transaction,
whereas the server is the entity that responds to the client and chooses which of the offered
cipher suites is used for encryption. In SSL, the Web browser is the client and the Web site's
server is the server.
There were three security goals in mind when SSL was created:
1) A private connection via symmetric encryption (DES, RC4, and so on)
2) Peer authentication via asymmetric or public key cryptography (RSA, DSS, and so on)
3) A reliable connection via integrity checks based on hash algorithms (SHA, MD5, and so on)
SSL achieves these elements of security through the use of cryptography, digital signatures,
and certificates. Note that SSL 2.0 and SSL 3.0 have since been prohibited (RFC 6176 and
RFC 7568) and RC4 is banned in TLS (RFC 7465); the layering and the three goals, however,
carried over unchanged into TLS.
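The two-layer structure described here (a record header carrying handshake or alert messages, with a version field and the client's offered cipher suites inside the ClientHello) as a small parser. This is an added example, not code from OpenSSL or any other library; the records it parses are constructed by build_client_hello() in the block, not captured traffic, and the cipher-suite table lists only a few registered values. The same parser is the skeleton of a detection rule for clients that still offer SSL 3.0 or RC4/3DES suites.

```python
"""Parse the SSL/TLS record layer and the handshake and alert messages it
carries. Added example, not code from OpenSSL or any other library;
build_client_hello() constructs the sample records, nothing here is captured
traffic. Useful as the skeleton of a detection rule that flags clients still
offering SSL 3.0 or weak cipher suites.
"""
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake",
                 23: "application_data"}
VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
CIPHER_SUITES = {  # a handful of IANA-registered values, old and new
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}
WEAK_SUITES = {0x0004, 0x000A}          # RC4 and 3DES: prohibited / deprecated today


def build_client_hello(version: tuple, suites: list, session_id: bytes = b"") -> bytes:
    """Construct one record carrying a ClientHello (test input, not captured).
    The client random is all zeros here; a real client sends 32 random bytes."""
    body = struct.pack(">BB", *version) + bytes(32)
    body += struct.pack(">B", len(session_id)) + session_id
    body += struct.pack(">H", 2 * len(suites)) + b"".join(struct.pack(">H", s) for s in suites)
    body += b"\x01\x00"                                          # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body    # type 1 = client_hello
    return b"\x16" + struct.pack(">BB", *version) + struct.pack(">H", len(handshake)) + handshake


def parse_record(data: bytes) -> dict:
    """Record header: type(1) version(2) length(2), then the fragment."""
    if len(data) < 5:
        raise ValueError("truncated record header")
    ctype, major, minor, length = struct.unpack(">BBBH", data[:5])
    fragment = data[5:5 + length]
    if len(fragment) < length:
        raise ValueError("record length exceeds available data")
    record = {"type": CONTENT_TYPES.get(ctype, "unknown"),
              "record_version": VERSIONS.get((major, minor), "unknown")}
    if ctype == 21:
        if len(fragment) < 2:
            raise ValueError("short alert")
        record["alert"] = {"level": {1: "warning", 2: "fatal"}.get(fragment[0], "unknown"),
                           "description": fragment[1]}
    elif ctype == 22:
        record.update(parse_handshake(fragment))
    return record


def parse_handshake(fragment: bytes) -> dict:
    """Handshake header: msg_type(1) length(3); only ClientHello is decoded."""
    if len(fragment) < 4:
        raise ValueError("truncated handshake header")
    msg_type, length = fragment[0], int.from_bytes(fragment[1:4], "big")
    body = fragment[4:4 + length]
    if len(body) < length:
        raise ValueError("truncated handshake body")
    result = {"handshake_type": {1: "client_hello", 2: "server_hello"}.get(msg_type, msg_type)}
    if msg_type == 1:
        result.update(parse_client_hello(body))
    return result


def parse_client_hello(body: bytes) -> dict:
    """ClientHello: version(2) random(32) session_id<0..32> cipher_suites<2..> ..."""
    if len(body) < 35:
        raise ValueError("truncated ClientHello")
    version = (body[0], body[1])
    pos = 34 + 1 + body[34]                               # skip random and session id
    if len(body) < pos + 2:
        raise ValueError("truncated cipher suite length")
    (suites_len,) = struct.unpack(">H", body[pos:pos + 2])
    pos += 2
    raw = body[pos:pos + suites_len]
    if len(raw) < suites_len or suites_len % 2:
        raise ValueError("bad cipher suite list")
    suites = [struct.unpack(">H", raw[i:i + 2])[0] for i in range(0, suites_len, 2)]
    return {"client_version": VERSIONS.get(version, "unknown"),
            "cipher_suites": [CIPHER_SUITES.get(s, hex(s)) for s in suites],
            "offers_legacy_version": version <= (3, 1),      # SSL 3.0 or TLS 1.0
            "offers_weak_suite": any(s in WEAK_SUITES for s in suites)}
```

Every length field is checked against the bytes actually present before it is used; a record parser that trusts the advertised length is itself a target, since the handshake is processed before any authentication has happened.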
Transport Layer Security (TLS)
Transport Layer Security (TLS) is the successor to SSL and was based entirely upon SSL 3.0.
TLS 1.0 is defined in RFC 2246. The differences between TLS 1.0 and SSL 3.0 are not dramatic,
but they are significant enough that the two do not interoperate (although an implementation
can offer both and fall back). One of the more fundamental differences is that TLS derives all
of its keying material with a standardized pseudorandom function (PRF) built from HMAC, whereas
SSL 3.0 used an ad hoc construction. TLS also protects each record with HMAC (RFC 2104) in
place of SSL 3.0's home-grown keyed hash, adds more alert codes, and defines how a session ends
cleanly so that truncation can be detected. Later versions followed: TLS 1.1 (RFC 4346) fixed
the CBC initialization vector weakness, TLS 1.2 (RFC 5246) added AEAD ciphers and SHA-256, and
TLS 1.3 (RFC 8446) removed the RSA key exchange entirely. TLS 1.0 and 1.1 are now deprecated
(RFC 8996).
Instant Messaging
Instant messaging (IM) has become commonplace in the workplace as well as the home.
Free IM software from Yahoo, Microsoft, and AOL has made IM popular for purposes ranging
from real-time technical support to personal chatting between friends and family. IM protocols
were created to allow anyone to communicate with anyone else under any possible
configuration, which makes them very difficult to control with normal security measures.
IM applications are very difficult to secure, as the consumer versions inherently do not
support access control, confidentiality, or logging. Blocking these applications is difficult
because they are normally configured to hop from port to port, often falling back to port 80,
which must be open for Internet access; blocking by port alone therefore does not work, and a
proxy or application-aware filter is needed.
IM applications not only transfer text messages, they can also transfer files. This means
instant messengers can transfer viruses, worms, and other malicious files such as backdoor
Trojan horses. Because the IM client already holds an outbound connection to the IM network, a
cracker can use that channel to reach a compromised computer without opening a listening port
on it, effectively bypassing a firewall that only blocks inbound connections and any desktop
security measures that rely on the same assumption.
Java
Java enables applets to be downloaded and executed directly on the client's system.
With the release of more powerful markup languages that include support for forms and scripts,
web pages on the Internet have become bright, vivid, and detailed. However, the pages were
still downloaded statically. Java changed that by enabling programs called applets to be
downloaded and executed directly on the client's system. Java is a programming language
created by Sun Microsystems that has a few very interesting properties. Java was created to be
portable so that programs can be dynamically loaded over the network and run locally on any
operating system with the Java plug-in. This allowed programmers to execute program code on
the client.
The increased power of web content using Java also came with a potential problem. Applets
execute whatever code the author programmed. Users surfing the Web now have to worry about
potentially hostile Java applets consuming memory and CPU, sending confidential data to
unknown destinations, or erasing all data on the hard drive.
Java applets execute as untrusted programs inside the JVM sandbox, meaning they have very
limited access to the local file system, the network (normally only the host they came from),
and other client resources. However, if the client misconfigures the security settings, trusts a
signed applet from a hostile publisher, or runs a JVM with a bug that lets an applet escape the
sandbox, their system as well as the entire network could be at risk of attack.
For this reason, many security administrators do not let Java applets pass from unknown
servers. Many firewalls and proxies can filter out Java applets as they attempt to pass the
trusted interface. They do so by searching for the telltale signature 0xCAFEBABE, the magic
number at the start of every Java class file. This is a weak control: the same four bytes also
begin Mac OS X "fat" binaries (false positives), and applets delivered inside a JAR archive or
over HTTPS do not show the magic number in the HTTP stream at all (false negatives).
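What a magic-number filter of this kind actually does, and one way to make it less naive, as an added example (not any firewall vendor's code): it checks the bytes after the magic to tell a class file from a Mach-O fat binary, opens zip-based JAR archives to look for .class entries, and combines the result with the declared Content-Type. The sample payloads are constructed by sample_payloads() and the MIME type list is an assumption; traffic over HTTPS is still invisible to it.

```python
"""Content filter that recognizes Java class files by the 0xCAFEBABE magic
number and looks inside JAR archives for .class entries. Added example, not any
firewall vendor's code; the sample payloads are constructed by sample_payloads().
"""
import io
import zipfile

CLASS_MAGIC = b"\xca\xfe\xba\xbe"


def classify_payload(data: bytes) -> str:
    """Return 'java_class', 'jar_with_classes', 'cafebabe_other', 'zip', or 'other'."""
    if data[:4] == CLASS_MAGIC:
        # A class file continues with minor_version(2) major_version(2); Java
        # majors start at 45 (JDK 1.1). Mach-O "fat" binaries share the magic
        # but continue with a small architecture count, so the "major" is tiny.
        major = int.from_bytes(data[6:8], "big")
        return "java_class" if 45 <= major < 100 else "cafebabe_other"
    if data[:2] == b"PK":
        # JARs are zip archives: the class magic sits inside compressed entries,
        # so a byte scan of the stream misses it; list the entries instead.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                names = archive.namelist()
        except zipfile.BadZipFile:
            return "other"
        return "jar_with_classes" if any(n.lower().endswith(".class") for n in names) else "zip"
    return "other"


def filter_http_body(headers: dict, body: bytes, block_java: bool = True) -> str:
    """Decide 'pass' or 'block' for one HTTP response using both the declared
    Content-Type and the actual bytes (servers lie, and so do attackers)."""
    declared = headers.get("Content-Type", "").lower()
    kind = classify_payload(body)
    java_by_type = declared in ("application/java-archive", "application/x-java-applet",
                                "application/java-vm")          # assumption: types to treat as Java
    if block_java and (kind in ("java_class", "jar_with_classes") or java_by_type):
        return "block"
    return "pass"


def sample_payloads() -> dict:
    """Constructed test inputs; none of these came from a real site."""
    class_file = CLASS_MAGIC + b"\x00\x00\x00\x31" + b"\x00" * 16   # major 49 = Java 5
    fat_binary = CLASS_MAGIC + b"\x00\x00\x00\x02" + b"\x00" * 16   # two architectures
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as archive:
        archive.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        archive.writestr("Applet.class", class_file)
    plain_zip = io.BytesIO()
    with zipfile.ZipFile(plain_zip, "w") as archive:
        archive.writestr("readme.txt", "nothing to see")
    return {"class": class_file, "fat": fat_binary, "jar": jar.getvalue(),
            "zip": plain_zip.getvalue(), "html": b"<html><body>hello</body></html>"}
```

Opening the archive requires buffering the whole response, which is why such checks live in a proxy rather than in a packet filter; and because the zip central directory is at the end of the file, a filter that only inspects the first few kilobytes can be bypassed by padding.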
ActiveX
Microsoft's ActiveX is a set of technologies built on the Component Object Model (COM) that
enables software components, regardless of the programming language they were created in, to
work together (for example Java and Visual Basic).
ActiveX controls (formerly called OLE controls) are reusable, stand-alone components. ActiveX
controls are the interactive objects in a Web page that provide user-controllable functions and
hence enliven the experience of a Web site.
Java is normally configured to execute in a sandbox. Critical areas such as the file system or
the boot sector are strictly off-limits. In theory, this makes it impossible for applets built in
Java to damage a computer or its contents. ActiveX, on the other hand, has no such restrictions:
a control is native code that runs with the full privileges of the user who loaded it, and can
use any of the system's resources, including the registry and the hard drive.
ActiveX security is implemented with digital signatures. Each control is packaged with a digital
signature made by its publisher using a code-signing certificate issued by a certification
authority such as VeriSign. Microsoft's Authenticode technology then verifies the signature
against one of the browser's built-in root certificates before the control is run, to make sure
the control was not tampered with and to show the user who published it. A valid signature says
nothing about whether the control is safe; it only makes the publisher identifiable. Users can
also lower the Authenticode settings, which allows unsigned controls to be downloaded without
warning, which is when problems begin to occur.
For this reason security administrators filter ActiveX controls in much the same way as they
filter Java applets.
Common Gateway Interface (CGI)
The Common Gateway Interface (CGI) is a standard for interfacing external applications with
web servers.
For a normal HTML document, the client retrieves a static file, a constant, unchanging text
file. A CGI program is different. It is executed in real time, so the output to the client is
dynamic. This allows the client's input to affect how the web page will look and behave.
For example, say you have an Oracle database that you want clients to query. The client
connects to a web page and executes a CGI script. This script asks for items to search for.
The CGI gateway transmits that input to the database engine, then receives and displays the
results on the client's web page.
CGI scripts are an extremely powerful means of displaying dynamic content for the client, but
since CGI scripts are executable programs, they are basically equivalent to letting the world
run a program on your server, which brings up many security concerns. Every value in the
request (query string, form fields, cookies, headers) is attacker-controlled, and a script that
passes such a value to a shell, a database, or a file path without validating it can be made to
run the attacker's commands. Remember, if a cracker can compromise the CGI program, they gain
access to the server with the privileges of that program.
To lessen the damage from a compromised CGI script, the web server usually executes scripts as
an unprivileged account such as "nobody", which gives the program very limited access to
critical resources. This limits the blast radius; it does not fix the script.
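The "letting the world run a program on your server" risk in concrete form, as an added example that is not from any real server: a search handler that splices the query string into a shell command, shown next to the hardened version that validates the input against an allow-list and passes it as a single argument with no shell in between. The catalog path is hypothetical, and nothing is actually spawned; the functions return the command that would run, so the injected second command can be seen in the tokenized output.

```python
"""A CGI search handler shown first with a shell injection hole and then
hard

ened. Added example, not taken from any real server; the catalog path is
hypothetical and no process is actually spawned here; the functions return
the command that would run so the difference can be inspected.
"""
import re
import shlex
from urllib.parse import parse_qs

CATALOG = "/var/www/data/catalog.txt"      # hypothetical file searched by the script
QUERY_PATTERN = re.compile(r"^[A-Za-z0-9 _.\-]{1,64}$")


def unsafe_command(query: str) -> str:
    """The classic mistake: interpolate the user's query into a shell command
    line (as in os.system(...) or subprocess.run(..., shell=True))."""
    return f"grep -i {query} {CATALOG}"


def shell_words(command: str) -> list:
    """Tokenize a command line the way a POSIX shell would, keeping ';', '|',
    '&' and friends as separate tokens so injected commands become visible."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def safe_argv(query: str) -> list:
    """Hardened form: validate the input against an allow-list, then pass it
    as a single argv element with no shell in between (subprocess.run(argv))."""
    if not QUERY_PATTERN.match(query):
        raise ValueError("query contains characters outside the allow-list")
    return ["grep", "-i", "--", query, CATALOG]   # '--' stops grep treating '-x' as an option


def handle_request(query_string: str) -> list:
    """CGI entry point: QUERY_STRING -> argv that the script would execute."""
    params = parse_qs(query_string, keep_blank_values=True)
    query = params.get("q", [""])[0]
    return safe_argv(query)


if __name__ == "__main__":
    print(shell_words(unsafe_command("firewall; cat /etc/passwd")))   # ';' and 'cat' appear as tokens
    print(handle_request("q=firewall+rules"))
```

Running as "nobody" would stop the injected `cat /etc/shadow`, but not `cat /etc/passwd` or anything else world-readable, and not a reverse shell; the allow-list and the argv form are what remove the hole, the low-privilege account only bounds what a remaining hole is worth.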
8.3 Naming Convention
This section examines Microsoft's 8.3 naming convention.
All versions of Microsoft Windows have their roots in the MS-DOS world. MS-DOS was the
operating system that displayed files and folders for the user with a command-line interface.
These files could have an 8-character name, followed by a period, followed by a three-character
extension, hence the name 8.3. For example, a file with the name "queries1.txt" would be
identified as a text (.txt) file having the name "queries1".
To ensure backward compatibility with older DOS-based programs, long file names on newer
versions of Windows (9x/NT) automatically get a second, 8.3-form alias (for example, the first
six characters, a tilde, and a digit). This allows older 16-bit programs to access the files.
While backward compatibility was a good benefit, it came with a serious security flaw. A
certain web server allowed unauthorized remote users to fetch documents that were protected
with a password. This particular bug affected files whose names did not fit the 8.3 convention
and therefore had a short alias. For example, if a document was named mylongdocument.htm, then
access could be gained to the file by requesting its shorter 8.3 name, mylong~1.htm. Even
though the document was password protected, the bug enabled the document to be fetched,
because the server compared the requested name against its access-control list before the file
system resolved the alias to the real name. The general lesson is that an access check keyed on
a name must be made on the canonical name of the object, after every alias, encoding, and path
trick has been resolved.
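The bypass and its fix, as an added example (not the code of the affected server): a simplified version of the Windows short-name rule generates the alias, the naive check compares the requested name as typed against a protected list, and the corrected check resolves the request to its canonical name first. The protected-file list and the directory contents are made up, and the short-name generator is deliberately simplified (the real algorithm has more rules for collisions and illegal characters).

```python
"""Short-name aliasing as an access-control bypass, and the fix: check the
canonical name. Added example; short_name() is a simplified version of the
Windows rule (drop illegal characters, keep six characters, add ~N, three
character extension), and the protected-file list is made up.
"""
import re

PROTECTED = {"mylongdocument.htm", "secret plans.doc"}   # assumption: password-protected files


def short_name(long_name: str, taken=frozenset()) -> str:
    """Return the 8.3 alias Windows would generate (simplified)."""
    base, dot, ext = long_name.rpartition(".")
    if not dot:                       # no extension at all
        base, ext = long_name, ""
    clean_base = re.sub(r"[^A-Za-z0-9_\-]", "", base).upper()
    clean_ext = re.sub(r"[^A-Za-z0-9_\-]", "", ext).upper()[:3]
    if (clean_base == base.upper() and clean_ext == ext.upper()
            and 0 < len(clean_base) <= 8 and len(clean_ext) <= 3):
        return long_name.upper()      # already a valid 8.3 name, no alias
    stem = clean_base[:6]
    for n in range(1, 10):
        candidate = f"{stem}~{n}" + (f".{clean_ext}" if clean_ext else "")
        if candidate not in taken:
            return candidate
    raise RuntimeError("too many collisions for this demo")


def naive_is_protected(requested: str) -> bool:
    """The buggy check: compare the requested name against the list as typed."""
    return requested.lower() in PROTECTED


class Directory:
    """Maps every name a file answers to (long and short) back to its real name."""

    def __init__(self, long_names):
        self.real = {}
        taken = set()
        for name in long_names:
            alias = short_name(name, taken)
            taken.add(alias)
            self.real[name.lower()] = name
            self.real[alias.lower()] = name

    def canonical(self, requested: str):
        return self.real.get(requested.lower())


def fixed_is_protected(directory: Directory, requested: str) -> bool:
    """Resolve aliases first, then check the canonical name."""
    real = directory.canonical(requested)
    if real is None:
        raise FileNotFoundError(requested)
    return real.lower() in PROTECTED


if __name__ == "__main__":
    files = Directory(["mylongdocument.htm", "queries1.txt", "secret plans.doc"])
    print(naive_is_protected("mylong~1.htm"))          # False: the alias slips past
    print(fixed_is_protected(files, "mylong~1.htm"))   # True: resolved to the real name
```

The same pattern applies to case differences, trailing dots and spaces, URL encoding, and `..` segments: any time two spellings name one object, a check on the spelling rather than the object is bypassable.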
File Transfer
This section discusses the mechanisms and protocols used to transfer data between systems.
The first computers performed very simple mathematical equations, but over time they were
able to perform increasingly complex calculations. Computers got faster and were able to
perform additional functions, which could be "programmed" into them. These programs were
then made available to others, usually in the form of cards, tape, or floppy disk. Then came
computer networking, which changed the way data was exchanged. For the sake of consistency,
a standard file transfer method was needed. In the LAN community, different operating systems
created their own methods for file sharing. In the Internet community, the File Transfer
Protocol (FTP) was created.
File Transfer Protocol (FTP)
The File Transfer Protocol (FTP), defined in RFC 959, was created to promote the sharing of
files, programs, and data on the Internet.
FTP was also created to shield a user from the multitude of different file storage systems in
use. FTP was added to the TCP/IP suite of protocols specifically for its file sharing
capabilities. Since FTP runs on top of TCP, all errors and retransmissions are handled by TCP,
which meant a smaller-footprint (less code) protocol could be created.
FTP has two ports defined for its use. FTP uses TCP port 21 for the control connection, and
TCP port 20 for the data connection. It can run in two different modes:
• Standard (active) mode: In standard mode, the client requests a file over the control
connection on TCP port 21, having first told the server, with a PORT command, which address and
port it is listening on. The server then opens a second connection from its TCP port 20 to that
client port and sends the file. In essence, two sessions are created: one from the client to the
server, and another from the server to the client. Each connection uses a different source and
destination port. A client-side firewall or NAT device that only permits outbound connections
will break active mode.
• Passive (PASV) mode: In passive mode there are still two sessions, but the client initiates
them both. The client requests a file from the FTP server using TCP port 21 and sends a PASV
command. The server responds with an address and an ephemeral data port the client should
connect to. The client then opens a second connection to the server's data port, and the file
transfer begins. Here the server side must allow inbound connections to its passive port range.
FTP has a very insecure method of data retrieval. In order to download a file from a server, the
client must first give credentials in the form of a username and password to the server. The
problem with this method is that the username/password combination is sent across the wire in
clear text. Anyone sniffing the wire can see the credentials being used as well as all traffic
between the two systems, as the data is also sent across in clear text.
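The PORT command and the 227 PASV reply that set up the data connection in the two modes above, parsed and generated, with the checks a server or firewall helper would apply: the advertised address must match the control connection (otherwise a client can aim the server's data connection at a third host, the FTP bounce attack), and a passive port must fall inside the range the firewall exposes. This is an added example, not from any FTP implementation; the addresses and the passive range are made up.

```python
"""Parse and generate the FTP PORT command and PASV reply, and work out which
side opens the data connection in each mode so the answer can be checked
against a firewall policy. Added example, not from any FTP implementation;
addresses and the passive port range are made up.
"""
import re

PASV_RANGE = (50000, 50100)   # assumption: the range the server's firewall exposes
HOST_PORT = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def _host_port(text: str) -> tuple:
    """Decode the h1,h2,h3,h4,p1,p2 form shared by PORT and PASV; port = p1*256 + p2."""
    match = HOST_PORT.search(text)
    if not match:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field found")
    h1, h2, h3, h4, p1, p2 = map(int, match.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_pasv_reply(reply: str) -> tuple:
    """'227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' -> ('h1.h2.h3.h4', port)."""
    if not reply.startswith("227"):
        raise ValueError("not a 227 PASV reply")
    return _host_port(reply)


def parse_port_command(line: str) -> tuple:
    """'PORT h1,h2,h3,h4,p1,p2' -> ('h1.h2.h3.h4', port)."""
    if not line.upper().startswith("PORT"):
        raise ValueError("not a PORT command")
    return _host_port(line)


def build_port_command(ip: str, port: int) -> str:
    """Inverse of parse_port_command, as a client would send it."""
    return "PORT " + ",".join(ip.split(".") + [str(port >> 8), str(port & 0xFF)])


def data_connection(mode: str, client_ip: str, server_ip: str, control_line: str) -> dict:
    """Who connects to whom for the data channel, given the client's PORT command
    (active mode) or the server's 227 reply (passive mode)."""
    if mode == "active":
        ip, port = parse_port_command(control_line)
        if ip != client_ip:
            # Third-party address: the classic FTP bounce attack. Refuse it.
            raise ValueError("PORT address does not match the control connection")
        return {"initiator": "server", "src": (server_ip, 20), "dst": (ip, port)}
    if mode == "passive":
        ip, port = parse_pasv_reply(control_line)
        if ip != server_ip:
            raise ValueError("PASV address does not match the control connection")
        if not PASV_RANGE[0] <= port <= PASV_RANGE[1]:
            raise ValueError("PASV port outside the range the firewall allows")
        return {"initiator": "client", "src": (client_ip, "ephemeral"), "dst": (ip, port)}
    raise ValueError("mode must be 'active' or 'passive'")


if __name__ == "__main__":
    print(data_connection("active", "198.51.100.7", "192.0.2.10", "PORT 198,51,100,7,195,89"))
    print(data_connection("passive", "198.51.100.7", "192.0.2.10",
                          "227 Entering Passive Mode (192,0,2,10,195,89)"))
```

The "initiator" field is what matters for firewall rules: active mode needs an inbound rule on the client side (server port 20 to an ephemeral client port), passive mode needs an inbound rule on the server side limited to PASV_RANGE. Stateful "FTP helpers" on firewalls read exactly these two messages off the control channel to open the hole dynamically, which is why they stop working once the control channel is encrypted.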
S/FTP
Secure FTP was created to address security issues that FTP could not support.
FTP control transmissions used for setup and user authentication are performed in the clear, as
are the FTP data transmissions. For simple everyday usage this is fine, but if you want to
transfer a database with very confidential data (such as credit card numbers), then FTP is not
secure enough. Confidential data requires security measures including confidentiality, data
integrity, and secure user authentication. Secure FTP was created to address these very issues.
Secure FTP is basically a marriage between FTP and TLS/SSL. FTP provides the data transfers,
while TLS/SSL creates a secure wrapping for these transfers. This combination is usually called
FTPS (RFC 4217, using the AUTH TLS command on the control connection); it is a different
protocol from SFTP, the file transfer subsystem of SSH, which is widely used for the same
purpose. Because FTPS still opens a separate, dynamically numbered data connection, firewalls
can no longer read the now-encrypted PORT/PASV exchange and must be configured for a fixed
passive port range.
Secure FTP uses a combination of encryption (DES, 3DES, AES, and so on) as well as digital
(X.509) certificates for integrity and authentication checks. Public key cryptography using
digital certificates is used to authenticate each end as well as to perform a secure key
exchange. The shared secret key is then used to perform the bulk encryption/decryption of data.
Anonymous FTP
Anonymous or blind FTP is used when the client has no need to identify or authenticate
himself or herself to the FTP server.
For example, many companies publish software drivers that often need to be updated on the
client's system. Since they have thousands upon thousands of customers, giving each one a
different username and password, or even giving them all the same username and password,
would be an administrative nightmare. It is much easier for everyone to log on anonymously
using a well-known username account.
That account is normally named "anonymous". When a user attempts to authenticate with an
anonymous FTP server, he simply supplies the username anonymous. The user can supply any
password (by convention, an e-mail address) because the password itself is never checked. Once
the user is logged in, he can download the driver he was after.
Some anonymous FTP sites also allow you to write data to a portion of the FTP server. This in
itself is not a problem, but coupled with allowing users to also read from the same portion of
the site, anonymous FTP servers can be exploited. "Warez" is the name of this abuse and it is
very simple in nature. Basically, if you allow someone to write data to your FTP server and
other people to download the same files, you are opening yourself up to becoming a "pirate"
FTP site. Users will upload popular high-priced software to the site and make it available
(usually through a pirate newsgroup) for download. If an upload area is needed, make it
write-only (no directory listing, no read), and review and move uploaded files by hand.
File Sharing
File sharing can occur in a multitude of fashions, over a LAN, a WAN, the Internet, or any
other medium.
File sharing became critical to a company's success when the first computer networks were
created. Data, which was usually stored on a single machine, could now be passed from user to
user in the march toward completion of a project.
The problem with file sharing is that it is meant to be open. Because the purpose is for others
to have access to the data, it is inherently very difficult to secure it from unauthorized access.
The most prominent file and print sharing method on the market is Microsoft's NetBIOS
implementation. It was actually created by IBM for its early PC Network, was adopted by
Microsoft, and has since become a de facto industry standard. NetBIOS, short for Network
Basic Input Output System, is an API that augments the DOS BIOS by adding special functions
for local area networks (LANs).
NetBIOS provides the session and transport services described in the Open Systems
Interconnection (OSI) model. However, it does not provide a standard frame or data format for
transmission. A standard frame format is provided in the NetBIOS Extended User Interface
(NetBEUI). NetBEUI is not routable, which means that in order to be passed across a WAN,
NetBIOS traffic must be carried over another transport, namely NetBIOS over TCP/IP (NBT,
RFC 1001 and RFC 1002).
NetBIOS over TCP/IP has a few well-defined ports:
• UDP port 137 is the NetBIOS Name Service port
• UDP port 138 is the NetBIOS Datagram Service port
• TCP port 139 is the NetBIOS Session Service port (over which SMB file and print sharing runs)
Windows 2000 and later can also carry SMB directly over TCP port 445 without NetBIOS. None of
these ports should be reachable from the Internet; they have been the target of worms and of
"null session" enumeration of user and share names, and should be blocked at the perimeter.
Directory
This section discusses methods of locating a specific object using computer directory services.
For example, when you want to find a phone number for a business, you look in the phone
book. With computers we need a standard method of locating an object.
When you want to find where something is located, you look in a directory. The same is true
for computer networks. In TCP/IP networks, we use the Domain Name System (DNS) to locate
an IP address based on a fully qualified domain name (FQDN). The problem with DNS is that you
must know the FQDN. If you do not know the FQDN, a directory service will allow you to
search for an item (host, individual, service, and so on) and locate where it is. There are many
directory services available for particular operating systems. For example, Novell uses Novell
Directory Services (NDS), and Microsoft uses Active Directory (AD). These two directory
services hold their own copies of user information and do not share it with each other; a user
is defined in NDS or in AD, and keeping both in step requires a separate synchronization tool.
Directory services require the use of a special communications protocol.
LDAP
The Lightweight Directory Access Protocol (LDAP) is a simple protocol that heterogeneous
systems can use to locate information in a directory database. LDAP version 2 is defined in
RFC 1777; the current version, LDAPv3, is defined in RFC 2251 (since revised as the RFC 4510
series).
An LDAP directory is organized in a simple "tree" hierarchy consisting of the following levels:
• The root directory (the starting place or the source of the tree), which branches out to:
• Countries, each of which branches out to:
• Organizations, which branch out to:
• Organizational units (divisions, departments, and so forth), which branch out to:
• Individuals (which includes people, files, and shared resources such as printers)
LDAP directories can be distributed among many servers, where each server can have a
replicated version of the total directory that is synchronized periodically. The LDAP server
itself is called a Directory System Agent (DSA) and is the entity that receives requests from
users. The DSA that receives a user request takes responsibility for the request, and can pass
the request to other DSAs as necessary, but always ensures that a single coordinated response
is sent to the user.
LDAP is based upon the Directory Access Protocol (DAP), which is part of the X.500 standard.
It is considered "lightweight" (a smaller amount of code) because it runs directly over TCP
rather than the full OSI stack, and the initial version included no security features beyond a
clear-text password. Secure LDAP, usually called LDAPS, wraps the connection in TLS/SSL;
LDAPv3 also allows TLS to be started on the normal port with the StartTLS operation
(RFC 2830). Either way, a directory that accepts simple binds without TLS is exposing every
user's password to sniffing.
LDAP uses TCP port 389 on the Internet.
LDAPS (S/LDAP) uses TCP port 636 on the Internet.
Summary
This section summarizes the key points discussed in this lesson.
E-mail
Web
File Transfer
Directory
Next Steps
After completing this lesson, go to:
Infrastructure Topologies
Lesson Assessment
Q1) Which would be the protocol of choice when secure e-mail is required?
A) MIME
B) IPSec
C) TLS
D) S/MIME
Q2) Warez exploits occur from which misconfigured service?
A) HTTP
B) FTP
C) Telnet
D) Instant messaging
Q3) LDAP uses which TCP port(s)?
A) 1701/389
B) 389/636
C) 137/139
D) 37/139
Q4) What is considered the greatest security concern when using Instant Messaging in the
enterprise?
A) Viruses have access into the enterprise
B) Messages are sent in clear text
C) IM programs perform port hopping
D) No authentication occurs
Q5) Which of the following applications can execute code on client web workstations?
A) CGI
B) Java
C) TLS
D) Active X
6
Infrastructure Topologies
Overview
This module will cover the different types of topologies used for access and security. It will
also cover the various protocols used to secure networks.
Objectives
Upon completing this module, you will be able to:
Define the different types of security zones in a network
Understand virtual local area networks (VLANs)
Describe network address translation (NAT)
Describe the use of tunneling protocols
Describe the basics of IPSec and its functional protocols
Outline
The module contains these lessons:
Security zones
VLANs
NAT
Tunneling
IPSec
Security Zones
Overview
This lesson discusses the various types of security zones typically used in enterprise
environments.
Importance
Knowing how to partition your network to effectively handle security in the enterprise is the
first step required in creating a layered approach to security.
Objectives
Upon completing this lesson, you will be able to:
Describe the Intranet security zone
Describe the Extranet security zone
Describe the DMZ security zone
Outline
This lesson includes these sections:
Overview
Intranet
Extranet
DMZ
Summary
Assessment
Intranet
This section discusses the portion of a network that encompasses the services and resources of
an enterprise.
The term intranet describes the use of IP and LAN technologies to achieve better resource
access than the conventional means of data access and transfer within an organization. The
intranet is helpful in cutting costs by providing easy, low-cost, and low-delay accessibility to
user resources. Intranets are company networks. An intranet usually has web sites that are
reachable only from the internal network and that are shielded from public access from the
Internet.
An intranet differs from the Internet in scope. Each organization alone has access to its own
internal resources; when many such private networks are connected together over a public
infrastructure, the result is an internet (and, at global scale, the Internet).
Because intranets are used to increase productivity within the organization, they use high-speed
LAN access methods such as Token Ring, Ethernet, Fast Ethernet, Gigabit Ethernet, and ATM.
Reaching other organizations' networks over the Internet is usually done over slower serial
links, as the data usually travels much farther to reach its destination.
Extranet
This section discusses a method in which an enterprise gives a partner organization restricted
access to its inside resources.
Extranets are private networks that use the IP protocol suite and a public infrastructure to
securely share portions of a company's resources with suppliers, vendors, or other partners. An
extranet is usually a secured portion of an intranet that is extended to partners for access to
certain private company information.
For this reason, extranets require security and privacy, which usually come in the form of
firewalls, VPNs, and a public key infrastructure (PKI). The partner is granted access only to
the specific hosts and services it needs, not to the intranet as a whole.
Companies use extranets to:
• Exchange large amounts of data, either static or real-time, with partners
• Perform some type of joint collaboration
• Share specific data exclusively with partners
DMZ
This section discusses the portion of an Intranet that is publicly accessible by partners or Internet users.
In the early 1950s, the United Nations created a geographic buffer zone between North and South Korea, across which neither country could bring military arms. The buffer zone was called the demilitarized zone (DMZ), and it was usually a very hostile environment. In computer terms, a DMZ serves the same function. It serves as a middle ground between security administrators inside the company Intranet and crackers on the Internet. The DMZ creates a neutral zone where both internal and external parties can obtain access and share information.
Typically, Intranet users must pass through the DMZ in order to gain access to the Internet. The DMZ is also the location where the company's Internet-accessible web and FTP servers reside. Since the DMZ is the single point into or out of a company's network, security is much higher in the DMZ than anywhere else in the Intranet.
Web and FTP servers located in the DMZ are called "bastion" hosts. On the Internet, a bastion host is one that a company allows to be addressed directly from the public network. Security is minimal on bastion hosts because they require public access, which means crackers attack them frequently.
Summary
This section summarizes the key points discussed in this lesson.
Intranet
Extranet
DMZ
Next Steps
After completing this lesson, go to:
VLANs
Lesson Assessment
Q1) Describe the concept of a DMZ and how it affects security in the enterprise.
Q2) Why are extranets important to an organization?
Q3) Describe an Intranet and how it supports an organization.
VLANs
Overview
This lesson discusses LANs and VLANs and their importance in security.
Importance
Knowing how direct layer 2 access is achieved between hosts is essential, as eventually different layer 2 networks will be grouped together to form a layer 3 network.
Objectives
Upon completing this lesson, you will be able to:
Describe a local area network (LAN)
Describe a virtual local area network (VLAN)
Outline
This lesson includes these sections:
Overview
LANs
VLANs
Summary
Assessment
LANs
A local area network (LAN) is a group of computers that share a common layer 2 foundation. Normally, users on the network access a server, which contains the applications and data that users require in order to perform their duties, which means that LANs are usually confined to a small geographic location such as an office building. With the advent of routers and campus networks, a LAN is now considered the entire Intranet of a company.
The main LAN technologies include:
• Ethernet (all forms)
• Token Ring
• Fiber Distributed Data Interface (FDDI)
A wide area network (WAN) is defined as a computer network that spans a relatively large geographical area. Typically, a WAN consists of two or more local area networks (LANs). In a LAN environment, the company owns all equipment, from the physical cable data travels over to the servers users use to reach their databases. When a company is deployed in many different parts of a city, state, country, or continent, it is not feasible for it to connect a wire between each site. Instead, the company will lease a line from a provider that specializes in connecting cities, states, and countries. The connection between sites is usually very slow compared to the local networks, as typical WAN connections are serial in nature.
The main WAN technologies include:
• X.25
• Frame Relay and Asynchronous Transfer Mode (ATM)
VLANs
A virtual LAN (VLAN) is a layer 2 network distributed over many devices in different geographic locations.
In a normal layer 2 LAN, each device is connected to a hub. The hub internally connects all devices in a single multi-access environment. If you daisy-chain multiple hubs together, you end up with one large layer 2 network, or broadcast domain. If the hubs are not interconnected, you end up with two separate layer 2 networks. VLANs allow you to "logically" disconnect ports on a switch from other ports.
For example, if you have an eight-port switch and configure ports one through four to be part of LAN 1 and ports five through eight to be part of LAN 2, then even though they are all ports on the same switch, internally ports one through four cannot connect to ports five through eight. These are VLANs. VLANs allow you to have two separate and secure networks on the same device. If these two separate layer 2 networks now wish to communicate, they must use the services of a layer 3 device, or router.
VLANs also allow you to span multiple switches through the use of something called a trunk. Each port on a switch normally belongs to a single VLAN, but trunks belong to many VLANs. Trunks interconnect switches and allow many different VLANs to cross the port. Otherwise, you would need to connect a separate cable from every switch to every other switch for each VLAN you have defined. Trunk protocols identify which VLAN a frame belongs to by tagging the frame with the VLAN number. When the opposite end receives the tagged frame, it knows which VLAN the frame belongs to.
There are two main trunking protocols used in production today:
• 802.1Q - An industry standard trunking protocol
• Inter-Switch Link (ISL) - Cisco's proprietary trunking protocol
VLANs came about when the concept of a switch was released. Switches work at layer 2, but unlike hubs, switches work on unicast traffic on a port-to-port basis. For example, on a hub with eight ports, when device X attempts to send a unicast frame to device Y, every port on the hub receives the same frame, but only device Y will accept and process the frame. As you can see, using hubs was very insecure because an attacker could place a sniffer on any port in the hub in promiscuous mode to receive all data traversing the hub.
An eight-port switch does not allow this type of attack. When device X attempts to send unicast traffic to device Y, the switch forwards the frame only out the port where device Y is located. No other port receives the frame. This is because the switch learns which devices are attached to its ports. It does this by examining and storing the source layer 2 MAC address as it receives frames on its ports. Therefore, if a frame from source MAC address 1a20.003c.382d was received on port 3, the switch will store that information in a database in memory. When the switch later receives a frame destined for MAC address 1a20.003c.382d, it consults its database, knows that this MAC address was seen on port 3, and will forward the frame out that particular port.
It is very important to understand how switches handle known unicast frames, but it is equally important to know how switches handle unknown unicast frames. For example, a switch doesn't know anything when it is first turned on. It must learn what devices are attached to its ports. If a frame is received on port 1, the switch will store the source MAC address and its associated port for future reference. The switch must forward the frame to its destination, so it looks at the frame's destination MAC address and consults its database. The database only has a single entry at this point. In order to be sure the destination device receives the frame, the switch forwards it out all ports in the VLAN except for the port on which it was received. In effect, the switch acts exactly like a hub until it learns the MAC addresses attached to its ports. Switches can learn about thousands of devices attached to their ports until they reach a pre-set maximum. When a switch has learned its maximum number of devices, it will go into its "hub" mode and start forwarding new unknown frames out all ports.
Crackers have learned to take advantage of this fact and have come up with some very ingenious ways of sniffing on a switched network. They know how switches work, plus they know that switches can store only a limited number of MAC addresses in their database. What they will do is create a script to send thousands of spoofed MAC addresses to the switch port they are attached to. The switch, doing what it was programmed to do, will start assigning MAC addresses to ports until it reaches its maximum. At that point, the switch will go into hub mode, forwarding all new unknown frames out all ports. The cracker needs only activate his sniffer program to start obtaining data on the VLAN.
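The learning and forwarding behaviour described above, modelled in Python as an added example (not code from the course): a switch that learns source addresses, floods unknown destinations once its table is full, and a per-port address limit (the "port security" feature found on managed switches) that contains a burst of spoofed source addresses. All MAC addresses, port numbers and the table capacity are constructed.

```python
"""Learning switch model: how the MAC table fills, why a full table degrades to
hub-like flooding of unknown frames, and how a per-port address limit (port
security) contains a flood of spoofed source addresses. Added example, not from the
course text; every MAC address and port number below is constructed."""
from collections import defaultdict

FLOOD = "flood"   # egress: every port in the VLAN except the one the frame came in on


class LearningSwitch:
    def __init__(self, ports, table_capacity, per_port_limit=None):
        self.ports = list(ports)
        self.capacity = table_capacity         # total entries the MAC table can hold
        self.per_port_limit = per_port_limit   # None disables port security
        self.mac_table = {}                    # mac -> port it was last seen on
        self.macs_on_port = defaultdict(set)
        self.err_disabled = set()              # ports shut down by a security violation

    def receive(self, in_port, src_mac, dst_mac):
        """Process one frame. Returns the egress port, FLOOD, or None if dropped."""
        if in_port in self.err_disabled:
            return None
        # Learning: remember the source address and the port it arrived on.
        if src_mac not in self.mac_table:
            if (self.per_port_limit is not None
                    and len(self.macs_on_port[in_port]) >= self.per_port_limit):
                self.err_disabled.add(in_port)   # violation: too many MACs on one port
                return None
            if len(self.mac_table) < self.capacity:
                self.mac_table[src_mac] = in_port
                self.macs_on_port[in_port].add(src_mac)
            # else: table full; the source stays unknown (the "hub mode" of the text)
        # Forwarding: a known destination goes out one port, an unknown one is flooded.
        out = self.mac_table.get(dst_mac)
        if out is None or out == in_port:
            return FLOOD
        return out


BROADCAST = "ffff.ffff.ffff"
MAC_X, MAC_Y, MAC_Z = "1a20.003c.382d", "00d0.1234.5678", "00aa.bbcc.dd01"


def basic_learning():
    """Unknown destination is flooded; once learned, unicast goes out one port only."""
    sw = LearningSwitch(ports=range(1, 9), table_capacity=10)
    first = sw.receive(1, "a", "b")     # nothing learned yet: flooded
    reply = sw.receive(2, "b", "a")     # "a" is known on port 1
    second = sw.receive(1, "a", "b")    # "b" is now known on port 2
    return first, reply, second


def flood_scenario(per_port_limit=None):
    """Return (egress of an X->Z frame after 500 spoofed sources hit port 8,
    whether port 8 was error-disabled)."""
    sw = LearningSwitch(ports=range(1, 9), table_capacity=100,
                        per_port_limit=per_port_limit)
    sw.receive(1, MAC_X, BROADCAST)              # X announces itself on port 1
    sw.receive(3, MAC_Y, BROADCAST)              # Y on port 3
    assert sw.receive(1, MAC_X, MAC_Y) == 3      # known unicast: one port only
    for i in range(500):                         # 500 constructed source MACs on port 8
        sw.receive(8, f"0200.0000.{i:04x}", BROADCAST)
    sw.receive(5, MAC_Z, BROADCAST)              # Z arrives after the flood
    # If the table had no room for Z, X->Z is flooded out every port, port 8 included.
    return sw.receive(1, MAC_X, MAC_Z), 8 in sw.err_disabled
```

Without a per-port limit the table fills and later hosts are never learned, so their traffic is flooded; with a limit of two addresses per access port, port 8 is disabled after its third source address and the rest of the VLAN keeps switching normally.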
Summary
This section summarizes the key points discussed in this lesson.
LANs
VLANs
Next Steps
After completing this lesson, go to:
Network Address Translation
Lesson Assessment
Q1) What are the main technologies used in a LAN?
Q2) What are the main technologies used in a WAN?
Q3) List the main differences between a LAN and a WAN.
Q4) How do VLANs allow users connected to separate devices to communicate at layer 2 of the OSI model?
Network Address Translation
Overview
This lesson discusses how network address translation (NAT) works and its security
implications.
Importance
Almost all networks today use the services of NAT. Knowing its security features and deficiencies will help you in securing your network.
Objectives
Upon completing this lesson, you will be able to:
Understand and describe NAT
Understand and describe port address translation (PAT)
Outline
This lesson includes these sections:
Overview
Network Address Translation
Port Address Translation
Summary
Assessment
Network Address Translation (NAT)
This section discusses the concepts of Network Address Translation.
In the early 1990s, when the Internet community realized there would eventually be a depletion of IP addresses, it began planning ways to correct the problem. Some people worked on updating the IP protocol to create an IP addressing scheme that would never run out of IP addresses (they recommended a 128-bit address). This would eventually take the form of IP version 6. However, the world was already well entrenched in IPv4, so IPv6 would be very difficult to implement. Network Address Translation (NAT) was created to handle the problem now.
For example, say a company has 500 users. NAT allows the company to purchase a small number of public IP addresses (say 64) and share those IP addresses among all of its users when they wish to access information on the Internet. These 500 users all use the Internet, but only for short times. Internally, all 500 users have IP addresses in the private (RFC 1918) address space, which they use to communicate in the Intranet. When these users attempt to access resources on the Internet, their private address is translated to a public address for the duration of the session. When the session ends, the public IP address is placed back in the pool for others to use.
A great benefit of NAT concerns security. Since the Intranet uses private IP addresses, which are not routable on the Internet, they cannot be accessed by crackers. All anyone on the Internet knows is that this company has 64 public IP addresses, and the only way to reach resources in the company is through those addresses. Unfortunately for them, these IP addresses are constantly being used by different inside hosts, as the NAT device assigns each IP address to different clients when their sessions end. This makes it extremely difficult for a cracker to successfully attack an internal client.
Port Address Translation (PAT)
This section discusses port address translation, which is very similar in nature to NAT.
Port Address Translation (PAT), also called NAT overload and Network Address Port Translation (NAPT), works almost identically to NAT with one difference. Where NAT uses a pool of IP addresses, PAT uses a single IP address. All internal users share the same IP address as they attempt to access Internet resources, and they can do it at the same time. To make each session unique, even though they use the same IP address, each user is assigned a different source port. An IP address plus a port is called a socket. As long as you have unique sockets, you have unique sessions.
With NAT, you only translate source IP addresses, but with PAT you translate the source port as well as the source IP address. As the port field is a 16-bit parameter, a single PAT address can theoretically handle up to 65,536 different internal user connections.
One problem with PAT is that many multimedia applications dynamically assign ports when creating connections. It is possible to have collisions between these multimedia applications and PAT, which is why it is recommended you not use PAT if you will be using multimedia applications on the Internet.
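The PAT table described in this section, worked through in Python as an added example (not code from the course): outbound sessions are rewritten to one public address with a unique port, replies are mapped back by that port, an inbound packet with no matching entry is dropped, and the 16-bit port pool can run out. The addresses are constructed (RFC 1918 inside hosts; 203.0.113.5 as the single public address).

```python
"""Port Address Translation (NAT overload) modelled as a translation table.
Added example, not from the course text. Addresses are constructed: RFC 1918 inside
hosts and 203.0.113.5 (a documentation-range address) as the single public address."""
from collections import deque

PUBLIC_IP = "203.0.113.5"


class PatTable:
    def __init__(self, public_ip=PUBLIC_IP, first_port=1024, last_port=65535):
        self.public_ip = public_ip
        # Free translated source ports; one public address yields at most ~64K sockets.
        self.free_ports = deque(range(first_port, last_port + 1))
        self.outbound = {}   # (inside_ip, inside_port, proto) -> public_port
        self.inbound = {}    # (public_port, proto) -> (inside_ip, inside_port)

    def translate_outbound(self, inside_ip, inside_port, proto="tcp"):
        """Inside host opens a session: rewrite its socket to (public_ip, unique port)."""
        key = (inside_ip, inside_port, proto)
        if key not in self.outbound:
            if not self.free_ports:
                raise RuntimeError("PAT port pool exhausted")  # the 16-bit port limit
            port = self.free_ports.popleft()
            self.outbound[key] = port
            self.inbound[(port, proto)] = (inside_ip, inside_port)
        return self.public_ip, self.outbound[key]

    def translate_inbound(self, public_port, proto="tcp"):
        """Packet arriving from the Internet: deliver only if an inside session created
        the entry. None means no entry, so the packet is dropped; this is why an
        unsolicited probe from outside cannot reach an RFC 1918 host through PAT."""
        return self.inbound.get((public_port, proto))

    def close(self, inside_ip, inside_port, proto="tcp"):
        """Session ends: return the public port to the pool for others to use."""
        port = self.outbound.pop((inside_ip, inside_port, proto), None)
        if port is not None:
            del self.inbound[(port, proto)]
            self.free_ports.append(port)


def pat_demo():
    pat = PatTable()
    # Two inside hosts happen to pick the same source port; PAT keeps the sessions apart.
    a = pat.translate_outbound("10.0.0.11", 40000)
    b = pat.translate_outbound("10.0.0.12", 40000)
    reply_a = pat.translate_inbound(a[1])          # server's reply to host A
    reply_b = pat.translate_inbound(b[1])          # server's reply to host B
    probe = pat.translate_inbound(60000)           # nobody inside opened this: dropped
    pat.close("10.0.0.11", 40000)
    stale = pat.translate_inbound(a[1])            # entry gone once the session ended
    return a, b, reply_a, reply_b, probe, stale


def exhaustion_demo():
    """With a pool of two ports, the third concurrent session cannot be translated."""
    pat = PatTable(first_port=1024, last_port=1025)
    pat.translate_outbound("10.0.0.1", 5000)
    pat.translate_outbound("10.0.0.2", 5000)
    try:
        pat.translate_outbound("10.0.0.3", 5000)
    except RuntimeError:
        return True
    return False
```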
Summary
This section summarizes the key points discussed in this lesson.
Network Address Translation
Port Address Translation
Next Steps
After completing this lesson, go to:
Tunneling
Lesson Assessment
Q1) What is considered the greatest security measure when using NAT?
A) It allows a large enterprise to share a small number of public IP addresses
B) It allows a large enterprise to share a small number of private IP addresses
C) It hides the internal structure from untrusted networks and devices
D) Private IP addresses are translated into public IP addresses
Q2) Typically, what address space do inside (trusted) networks use?
A) 192.168.0.0
B) 172.16.0.0
C) 10.0.0.0
D) RFC1918
Q3) Describe how NAT works when outside crackers attempt to access inside resources.
Q4) Describe the differences between NAT and PAT.
Tunneling
Overview
This lesson describes the various tunneling technologies used and their security implications.
Importance
Tunneling has become more and more commonplace as security in the enterprise is becoming more important to securing confidential information. In fact, IPSec is based entirely upon tunneling protocols.
Objectives
Upon completing this lesson, you will be able to:
Understand and describe basic tunneling techniques
IPSec
OutIine
This lesson includes these sections:
Overview
Tunneling
Internet Protocol Security (IPSec)
Summary
Assessment
Tunneling
This section discusses the different tunneling protocols used by organizations and the security concerns belonging to them.
Tunneling is the act of encapsulating a packet within another packet. There are many tunneling protocols, each used for different reasons. For example, one of the most popular tunneling protocols is the Generic Routing Encapsulation (GRE) protocol. It can tunnel IPX or AppleTalk packets within an IP packet. This allows IPX or AppleTalk based networks to communicate over an IP-only network, such as the Internet. GRE is its own protocol: it does not ride on top of TCP or UDP. GRE uses IP protocol 47 on the Internet.
Additional tunneling protocols include Cisco's proprietary Layer 2 Forwarding (L2F) protocol, described in RFC 2341, Point-to-Point Tunneling Protocol (PPTP), described in RFC 2637, and a hybrid protocol made up by combining the best of L2F and PPTP, which is the Layer 2 Tunnel Protocol (L2TP), described in RFC 2661.
PPTP uses TCP port 1723 and is used to tunnel PPP packets over an Ethernet medium.
L2F and L2TP use UDP port 1701 as their transport mechanism. The Version field in each header may be used to discriminate between the two packet types (L2F uses a value of 1, and the L2TP version described in RFC 2661 uses a value of 2).
IPSec tunnels data through IP using one of two protocols: Authentication Header (AH) or Encapsulating Security Payload (ESP).
• AH - Uses protocol number 51 and is used for integrity and authentication checks
• ESP - Uses protocol number 50 and is used for integrity, authentication, and confidentiality
Internet Protocol Security (IPSec)
As Internet security evolved and the tunneling protocols became increasingly susceptible to attack, the Internet community realized a formal security protocol was required. That protocol was the Internet Protocol Security (IPSec) protocol.
It had such a large scope that many of the smaller details in the RFC were glossed over. When manufacturers attempted to create an IPSec implementation, they implemented many of these details in their own way. This made IPSec incompatible across vendors. Subsequently, many RFCs were created to update and finalize IPSec to the point where it has now become functional across most platforms.
IPSec is not a protocol unto itself, but a suite of protocols designed to bring security into the enterprise. IPSec packets use either protocol number 51 (AH) or protocol number 50 (ESP). AH is used to perform integrity checks on peers and their data. AH does not use encryption. ESP is used for confidential sessions. Confidentiality is established via encryption algorithms. Optionally, ESP can be used to perform integrity checks on peers and the data they send.
Basics of Cryptography
Cryptography is the art of garbling data so it looks nothing like its original form, then being able to restore it to its original form at some future time.
To garble the data, plaintext data is encrypted using a special value called a key. This produces the garbled data, called ciphertext. Both ends of a secure link must know the encryption algorithm as well as the key used to encrypt/decrypt the data. Ciphertext can be sniffed by an attacker, but the attacker cannot decipher the message without the correct algorithm and key.
A problem these two parties have is agreeing on the key and algorithm to use. They can do a few things, such as phone each other and agree on an algorithm and key, but the phone could be tapped, which would allow the attacker to decipher the messages. Therefore, a phone call will not do. They could email the algorithm and key, but the email could be intercepted. Therefore, an email will not work. They could meet somewhere and agree on an algorithm and key in advance. But what happens if they are at opposite ends of a state, or the country? This obviously will be a problem.
The art of encryption itself is very easy. Obtaining the parameters to encrypt data is very difficult, which is why ninety-five percent of IPSec deals with securely exchanging the parameters used to encrypt data and making sure they are not modified in transit.
When sending data across an insecure medium, you need to consider the following issues:
• Be sure you are talking to the person you think you are, to discourage any type of man-in-the-middle attack.
• A secure exchange of the algorithms and key(s) you are going to use makes cracking the ciphertext more difficult.
• Use random shared keys for each separate conversation so that data remains secure if a particular session happens to be compromised.
• Make sure your data is encrypted to discourage ordinary sniffing attacks.
• Make sure the ciphertext has not been modified in transit, so that the data you send is the data your peer receives.
• When sending large amounts of data, make sure your keys are changed at some point, just to be safe.
IPSec uses various protocols and algorithms to ensure that these can occur properly.
Hash Algorithms
Many people confuse hashing with encryption, but this is incorrect. Hashes are used to produce a "fingerprint" of some data by taking the data and running it through an algorithm.
The same data will always produce the same value. If even one bit in the data has been changed, the "fingerprint" will be completely different. This allows you to use a small fingerprint for a large amount of data to make sure the data has not been altered. Two main hash algorithms are in production today:
• Message-Digest 5 (MD5)
• Secure Hash Algorithm 1 (SHA-1)
Hash algorithms help ensure that data has not been modified in transit. Hashing the data gives a certain value, which is appended to the data as it travels across the network. The peer receives two values, separates them, and runs the data through the same hash algorithm. The peer then compares the hash result to the one received. If they match, the data could not have been modified in transit. If they do not match, the data or hash has been modified, which means the peer will disregard the data received.
Message Digest 5 (MD5)
The Message-Digest 5 (MD5) algorithm was invented by Ron Rivest of RSA Security and is described in RFC 1321.
This algorithm takes a message of arbitrary length as input and produces a 128-bit "fingerprint" or "message digest" as output. A 128-bit output means that there are approximately 2^128 possible values for any single message. Although it is technically possible to create a message to match a particular hash, the probability is so small that it is not worth considering.
For example, if you run a 64-byte Ethernet frame through the MD5 algorithm, you will receive a 128-bit value as output. If you run the same frame through the algorithm again, you will receive the exact same 128-bit value. If someone modifies even a single bit, however, the hash algorithm will compute a completely different 128-bit value.
The MD5 algorithm always outputs a 128-bit value regardless of the size of the input. A 1,500-byte frame and a 64-byte frame each give a 128-bit hash value.
Secure Hash Algorithm 1 (SHA-1)
The MD5 algorithm proved to have some weaknesses in certain situations. Collisions making a well-known value match a particular hash output value were confirmed. Knowing there were possible weaknesses in the algorithm, the Secure Hash Algorithm 1 (SHA-1) was created. SHA-1 is defined in RFC 3174.
SHA-1 outputs a 160-bit value as opposed to MD5's 128-bit. This makes the number of possible values much larger, which increases the strength of the data's integrity. SHA-1 also has additional security measures built into the algorithm, such as an additional round to further hash the value.
For example, if you run a 64-byte Ethernet frame through the SHA-1 algorithm, you will receive a 160-bit value as output. If you run the same frame through the algorithm again, you will receive the exact same 160-bit value. If someone modifies even a single bit, however, the hash algorithm will compute a completely different 160-bit value.
Hash Message Authentication Code (HMAC)
Message digest algorithms have a drawback. If a cracker (man-in-the-middle) intercepts the message containing the data and the hash value, he or she can create a new message, calculate the correct hash value, append the new hash value to the new data, and send it to the destination. The destination will separate the data from the hash, run the data through the hash algorithm, and compare the result with the received hash. Since they will match, the receiver thinks the data is valid and accepts it as being sent from its peer.
To relieve this type of attack, a shared secret key known only to the two peers is also inserted into the hash algorithm. In this way a random value (the key), unknown to anyone else, is used to make sure that the man-in-the-middle attack cannot be successful. In effect, this creates a built-in message authentication. Mechanisms that provide such an integrity check based on a secret key are usually called "message authentication codes" (MACs).
To create the hash, the data and the shared secret key are inserted into the hash algorithm to obtain the output message digest. This is appended to the data and sent to the peer. Even if the data and hash are modified in transit, the receiver will calculate a different hash with the secret value, and discard the message.
Under certain circumstances the MD5 algorithm was shown to be susceptible to certain types of attack. An additional hash function was added to the algorithm to mitigate this problem. The additional hash function is called a Hash Message Authentication Code (HMAC).
When using this function, MD5 is called HMAC-MD5 and SHA-1 is called HMAC-SHA-1.
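The hash-append check from the Hash Algorithms section and the keyed HMAC check from this section, side by side in Python as an added example (not code from the course). It uses the standard library's hashlib and hmac modules; the message, the shared key and the interceptor's replacement text are constructed.

```python
"""Plain hash-append versus HMAC for the integrity check described in the text.
Added example, not from the course; the message, key and tampering are constructed."""
import hashlib
import hmac

SHARED_KEY = b"constructed-shared-secret"   # known only to the two peers
TAG_LEN = hashlib.sha1().digest_size        # 20 bytes = 160 bits


def digest_lengths():
    """Digest sizes the text quotes: MD5 128 bits, SHA-1 160 bits, for any input size."""
    frame64, frame1500 = b"\x00" * 64, b"\x00" * 1500
    return {
        "md5": (len(hashlib.md5(frame64).digest()) * 8,
                len(hashlib.md5(frame1500).digest()) * 8),
        "sha1": (len(hashlib.sha1(frame64).digest()) * 8,
                 len(hashlib.sha1(frame1500).digest()) * 8),
    }


def send_with_hash(data):
    """Sender side of the plain scheme: data || SHA-1(data)."""
    return data + hashlib.sha1(data).digest()


def verify_with_hash(message):
    """Receiver side of the plain scheme: recompute and compare, or discard (None)."""
    data, tag = message[:-TAG_LEN], message[-TAG_LEN:]
    return data if hmac.compare_digest(hashlib.sha1(data).digest(), tag) else None


def send_with_hmac(data, key=SHARED_KEY):
    """Keyed scheme: data || HMAC-SHA-1(key, data)."""
    return data + hmac.new(key, data, hashlib.sha1).digest()


def verify_with_hmac(message, key=SHARED_KEY):
    """Receiver recomputes the tag with the shared key; a constant-time compare
    avoids leaking how many tag bytes matched."""
    data, tag = message[:-TAG_LEN], message[-TAG_LEN:]
    expected = hmac.new(key, data, hashlib.sha1).digest()
    return data if hmac.compare_digest(expected, tag) else None


def interceptor_rewrites(message, new_data):
    """The man-in-the-middle of the text: replace the data and append a *plain*
    SHA-1 of the new data, since the shared key is not available to him."""
    return new_data + hashlib.sha1(new_data).digest()


def demo():
    original = b"TRANSFER 100 TO ACCOUNT 42"
    forged = b"TRANSFER 100 TO ACCOUNT 99"
    # Plain hash: the rewritten message passes, because anyone can compute SHA-1.
    plain_result = verify_with_hash(interceptor_rewrites(send_with_hash(original), forged))
    # HMAC: without the key the appended tag is wrong, so the receiver discards it.
    hmac_result = verify_with_hmac(interceptor_rewrites(send_with_hmac(original), forged))
    return plain_result, hmac_result


def single_bit_flip():
    """A one-bit change in transit is caught by either scheme."""
    damaged = bytearray(send_with_hmac(b"64-byte frame stand-in"))
    damaged[0] ^= 0x01
    return verify_with_hmac(bytes(damaged))
```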
Encryption Algorithms
The goal of IPSec is confidentiality, which is achieved by encrypting data. This is the easiest part of IPSec to accomplish.
To encrypt data, break the plaintext data into pieces and insert it into the encryption algorithm with an encryption key. The algorithm outputs the ciphertext that is sent to the peer. The peer performs the same algorithm in reverse using the same key.
The end result of encryption is that only the person who has the shared secret key can decrypt the ciphertext back into its plaintext form.
Encryption algorithms come in two flavors:
• Symmetric key encryption - This encryption method uses a shared secret key to both encrypt and decrypt data.
• Asymmetric key encryption - This encryption method uses two specially created mathematical keys. These keys have the interesting quality that what one key encrypts, the other key can decrypt. The same key cannot both encrypt and decrypt the same data.
Symmetric Encryption Algorithms
Symmetric algorithms are algorithms that use the same shared secret key value to encrypt plaintext and decrypt the resulting ciphertext.
Both parties share the same key. Common symmetric algorithms include:
• Data Encryption Standard (DES)
• Triple Data Encryption Standard (3DES)
• Advanced Encryption Standard (AES)
These symmetric encryption algorithms have withstood the test of time as cryptographers have attempted to crack the code and look for weaknesses to exploit. In order to break a symmetric algorithm, crackers attack the shared secret key and not the algorithm itself. As you will see in the next few pages, some algorithms are easily susceptible to brute force attacks, while others are not.
Other less common symmetric algorithms include IDEA (International Data Encryption Algorithm), Blowfish, and CAST.
DES
Data Encryption Standard (DES) was originally developed in 1977 by IBM.
It is a 56-bit encryption algorithm, meaning the number of possible keys (the "key space") is 2^56, or 72,057,594,037,927,936. 72 quadrillion was a very large number in 1977, and it would have taken computers back then hundreds of years to search the DES key space. It was considered so secure that the US Department of Defense adopted it as a standard and restricted its exportation.
In today's computing environment DES is considered a very weak encryption algorithm. Searching the 72 quadrillion key space can be done in a relatively short time with modern computers. In 1999 the Electronic Frontier Foundation broke a DES key in less than one day using specially designed equipment.
DES is still in wide use today, as it is a fast encryption algorithm that provides reasonably secure transmission of everyday information.
3DES
As DES became more and more vulnerable, the Internet community decided a fix was required. Because DES was normally implemented in hardware, a completely new algorithm was out of the question. As a result, 3DES was created.
3DES uses a 168-bit key (actually it uses three 56-bit keys). In essence, the 3DES algorithm encrypts/decrypts data 3 times with 3 different keys, effectively creating a 168-bit key. But due to weaknesses in the algorithm, cryptographers discovered they could apply shortcuts, which bring the "usable" key space down to approximately a 108-bit key space. Using 108 bits (2^108) still produces an incredibly large key space. To this day, no one has successfully broken a 3DES key.
But due to the weaknesses in the 3DES algorithm and the computational overhead it requires, a new symmetric algorithm was needed. In 1997 the National Institute of Standards and Technology (NIST) held a contest to see what the successor of DES would be. The winner of the contest would be judged based on the speed and security of the algorithm. To qualify, the winner was to give up all intellectual property rights to the algorithm, which was to be called the Advanced Encryption Standard.
Advanced Encryption Standard (AES)
The winner of the NIST contest was an algorithm named Rijndael, which was created by Joan Daemen and Vincent Rijmen. Rijndael (now named AES) is a variable block length and key length cipher.
Current AES key lengths are 128, 192, or 256 bits, used to encrypt blocks with lengths of 128, 192, or 256 bits. AES can be implemented very efficiently on a wide range of processors and in hardware.
Today key lengths of 128 bits are recommended, but for utmost security now and in the future, options of using 192 or 256 bits are available. To put that number in perspective, IBM's Blue Gene/C supercomputer, which is scheduled for completion in 2004, is expected to be capable of achieving 1,000 teraflops, or 1,000 trillion calculations per second. For the sake of argument, assume that it takes 20 calculations to check a single key. Therefore, Blue Gene/C would be able to check (1,000 trillion/20) or 50 trillion keys per second. Now assume we had 50 trillion Blue Gene/C supercomputers each checking 50 trillion keys per second; it would take them almost 1.5 x 10^28 trillion years to search 1% of the entire key space of a 256-bit key. That's a long time.
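The arithmetic behind that figure, carried through step by step as an added derivation (not part of the course text). It assumes a year of about 3.156 x 10^7 seconds, which the text does not state, and ends with the same machines applied to the DES key space from the previous page for contrast.

$$
\begin{aligned}
N_{\text{keys}} &= 2^{256} \approx 1.16 \times 10^{77}, \qquad
N_{1\%} = \frac{2^{256}}{100} \approx 1.16 \times 10^{75} \\
R_{\text{machine}} &= \frac{10^{15}\ \text{ops/s}}{20\ \text{ops/key}} = 5 \times 10^{13}\ \text{keys/s} \\
R_{\text{total}} &= (5 \times 10^{13}\ \text{machines}) \times (5 \times 10^{13}\ \text{keys/s}) = 2.5 \times 10^{27}\ \text{keys/s} \\
T_{\text{AES-256}} &= \frac{N_{1\%}}{R_{\text{total}}}
  \approx \frac{1.16 \times 10^{75}}{2.5 \times 10^{27}}\ \text{s}
  \approx 4.6 \times 10^{47}\ \text{s}
  \approx \frac{4.6 \times 10^{47}}{3.156 \times 10^{7}}\ \text{yr}
  \approx 1.5 \times 10^{40}\ \text{yr}
  = 1.5 \times 10^{28}\ \text{trillion years} \\
T_{\text{DES}} &= \frac{2^{56}}{R_{\text{total}}}
  \approx \frac{7.2 \times 10^{16}}{2.5 \times 10^{27}}\ \text{s}
  \approx 2.9 \times 10^{-11}\ \text{s}
\end{aligned}
$$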
Asymmetric Algorithms
Asymmetric algorithms, often called public key algorithms, perform encryption and decryption in a completely different way than symmetric algorithms.
Asymmetric algorithms do not rely on a randomly generated shared encryption key that changes per session; instead, they create two static keys. These static keys are completely different but mathematically bound to each other, in the sense that one key encrypts what the other key decrypts. One key alone cannot encrypt and decrypt the same data.
This encryption method works by keeping one key private and giving the other key to anyone on the public Internet. Anyone can have the public key, as it is useless without the private key.
For example, peer X generates a public and private key pair, then encrypts a message with his private key. Peer X then sends the ciphertext to peer Y. Peer Y obtains peer X's public key via some mechanism and can then decrypt the message sent from peer X. This may seem flawed, because anyone who sniffs the wire and obtains peer X's public key can read the message. However, if peer Y obtains peer X's public key and encrypts a message with it, only peer X can decrypt the message.
The main problem with asymmetric algorithms is that they are very slow. The reason they are so slow can be attributed to the fact that they all use very heavy mathematics to perform their functions. It is not practical to encrypt our bulk data with asymmetric algorithms, but we can still use them to encrypt/decrypt small amounts of data, such as a hash value.
RSA
The RSA asymmetric algorithm was developed in 1977 by Ronald Rivest, Adi Shamir, and
Leonard Adleman.
RSA stands for the first letter in each of its inventors' last names. The math behind the RSA
algorithm works as follows:
"Take two large primes, p and q, and compute their product n = pq; n is called the modulus.
Choose a number, e, less than n and relatively prime to (p-1)(q-1), which means e and
(p-1)(q-1) have no common factors except 1. Find another number d such that (ed - 1) is
divisible by (p-1)(q-1). The values e and d are called the public and private exponents,
respectively. The public key is the pair (n, e); the private key is (n, d). The factors p and q
may be destroyed or kept with the private key."
From what math we know today, it is very difficult for anyone to attempt to obtain the private
key d from the public key (n, e). If someone could factor n into p and q, then one could
obtain the private key d. This is very difficult to do, which is what the security of the RSA
algorithm is based upon. A typical key size for RSA is 1024 bits.
The RSA algorithm is used in IPSec for two discrete purposes:
Encryption: Here Peer X uses Peer Y's public key to encrypt data and then sends the data to
Peer Y. Since only Peer Y has the corresponding private key, he can successfully decrypt the
data.
Digital Signatures: Here Peer X encrypts a hash value with his private key and then sends the
data to Peer Y. Peer Y obtains Peer X's public key and decrypts the ciphertext to obtain the
hash. Since Peer Y used Peer X's public key, only Peer X could have encrypted the hash;
hence, the encrypted hash must have come from Peer X.
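As an added worked example that is not part of the guide, the RSA key generation, encryption and signature steps above in Python, using the classic toy primes p = 61, q = 53 and e = 17. These values are far too small for real use, and real RSA pads the message or hash to the modulus size (PKCS #1) rather than reducing a raw hash mod n as done here.

```python
import hashlib
from math import gcd


def rsa_keygen(p, q, e=17):
    """Build an RSA key pair from two primes p and q supplied by the caller.

    n = p*q is the modulus; e must be less than n and relatively prime to
    (p-1)(q-1); d is chosen so that (e*d - 1) is divisible by (p-1)(q-1).
    Public key is (n, e), private key is (n, d).
    """
    n = p * q
    phi = (p - 1) * (q - 1)
    if not 1 < e < n or gcd(e, phi) != 1:
        raise ValueError("e must be less than n and relatively prime to (p-1)(q-1)")
    d = pow(e, -1, phi)            # modular inverse (Python 3.8+)
    assert (e * d - 1) % phi == 0  # the defining property of the private exponent
    return (n, e), (n, d)


def rsa_apply(key, value):
    """Raise value to the key's exponent mod n; the same operation serves both keys."""
    n, exp = key
    if not 0 <= value < n:
        raise ValueError("value must be in the range 0 .. n-1")
    return pow(value, exp, n)


# Encryption: Peer X encrypts with Peer Y's public key; only Y's private key recovers it.
def encrypt_for_peer(peer_public, message):
    return rsa_apply(peer_public, message)


def decrypt_with_private(my_private, ciphertext):
    return rsa_apply(my_private, ciphertext)


def _hash_as_int(data, n):
    # Toy shortcut: the 160-bit SHA-1 output is reduced mod n so that it fits
    # the tiny modulus. Real RSA signatures pad the hash up to the modulus size.
    return int.from_bytes(hashlib.sha1(data).digest(), "big") % n


# Digital signature: Peer X "encrypts" the hash with its private key; anyone
# holding X's public key can recover the hash and compare it with a fresh hash.
def sign(my_private, data):
    n, _ = my_private
    return rsa_apply(my_private, _hash_as_int(data, n))


def verify(peer_public, data, signature):
    n, _ = peer_public
    return rsa_apply(peer_public, signature) == _hash_as_int(data, n)


if __name__ == "__main__":
    pub, priv = rsa_keygen(61, 53)                 # n = 3233, d = 2753
    c = encrypt_for_peer(pub, 65)
    print("ciphertext", c, "decrypts to", decrypt_with_private(priv, c))
    sig = sign(priv, b"ship 1000 widgets")          # constructed message
    print("signature valid:", verify(pub, b"ship 1000 widgets", sig))
    print("tampered message valid:", verify(pub, b"ship 9000 widgets", sig))
```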
DSA
The Digital Signature Standard (DSS), created by NIST in 1994, specifies DSA as the
algorithm for digital signatures.
DSA is mainly found in government installations, and has been created to work specifically
with the SHA-1 hash algorithm. DSA is for digital signatures only. It is not used for encryption,
as RSA is.
"DSA is a public key algorithm; the secret key operates on the message hash generated by
SHA-1; to verify a signature, one recomputes the hash of the message, uses the public key to
decrypt the signature and then compares the results. The key size is variable from 512 to 1024
bits, which is adequate for current computing capabilities as long as you use more than 768
bits."
DSA is roughly the same speed as RSA when creating signatures, but 10 to 40 times as slow
when verifying signatures. Since verification is done more frequently than creation, this is an
issue worth noting when deploying DSA in any environment.
Diffie-Hellman (DH)
The Diffie-Hellman (DH) asymmetric algorithm was created in 1976 by Whitfield Diffie and
Martin Hellman.
DH is not used for encryption or digital signatures, but to obtain a shared secret key ("key
agreement") between two parties over an insecure medium such as the Internet. It works by
sending large mathematical numbers over the Internet. No one can mathematically obtain the
shared secret key even if they can see the numbers being sent through the Internet. Only the
two ends of the exchange using the DH algorithm can compute the shared secret key. The math
for the algorithm is as follows:
"Suppose Alice and Bob want to agree on a shared secret key using the Diffie-Hellman key
agreement protocol. They proceed as follows: First, Alice generates a random private value a
and Bob generates a random private value b. Both a and b are drawn from the set of integers
{1, ..., p-2}. Then they derive their public values using parameters p and g and their private
values. Alice's public value is g^a mod p and Bob's public value is g^b mod p. They then
exchange their public values. Finally, Alice computes g^ab = (g^b)^a mod p, and Bob computes
g^ba = (g^a)^b mod p. Since g^ab = g^ba = k, Alice and Bob now have a shared secret key k."
The Diffie-Hellman key exchange is vulnerable to a man-in-the-middle attack. To rectify the
problem, the two parties can authenticate themselves to each other by the use of a shared secret
key, digital signatures or public-key certificates.
When two systems need to create a shared secret key between them, they use the services of
DH to obtain it. Many services need shared secret keys. The problem IPSec has is that DH is
computationally expensive. Too many CPU cycles are used to create all the shared secret keys
needed. Therefore, to reduce the number of DH exchanges, IPSec will perform DH a single
time and a number of shared keys will be derived from the original. These derived keys are
identical on both sides and tagged such that all possible mechanisms that need a shared key will
have one. For example:
The DH key (prime) will be k
K1 (derived from k) used for process a
K2 (derived from k) used for process b
K3 (derived from k) used for process c
K4 (derived from k) used for process d
K5 (derived from k) used for process e
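The Diffie-Hellman exchange quoted above and the derivation of several per-process keys from the single result k, as an added Python example that is not part of the guide. The group parameters p = 23 and g = 5 are toy values, and the labelled-HMAC derivation is a simplified stand-in for the IKE key derivation (which chains a PRF over the DH result); the point is that both peers reach the same k and the same derived set.

```python
import hashlib
import hmac

# Toy group parameters (constructed for illustration; real exchanges use
# primes of 1024 bits or more).
TOY_P = 23
TOY_G = 5


def dh_public(private, p=TOY_P, g=TOY_G):
    """Public value g^private mod p; private is drawn from {1, ..., p-2}."""
    if not 1 <= private <= p - 2:
        raise ValueError("private value must lie in {1, ..., p-2}")
    return pow(g, private, p)


def dh_shared(peer_public, private, p=TOY_P):
    """Shared secret (peer_public)^private mod p.

    Public values 0, 1 and p-1 are rejected: they would force the shared
    secret to a predictable value regardless of the private exponent.
    """
    if not 2 <= peer_public <= p - 2:
        raise ValueError("peer public value out of range")
    return pow(peer_public, private, p)


def dh_exchange(a, b, p=TOY_P, g=TOY_G):
    """Run both sides: Alice holds a, Bob holds b.

    Returns (A, B, k_alice, k_bob). Only A and B cross the wire; nothing in
    them proves who sent them, which is the man-in-the-middle exposure that
    IPSec closes by authenticating the peers (shared secret, signatures or
    certificates).
    """
    A = dh_public(a, p, g)          # Alice -> Bob
    B = dh_public(b, p, g)          # Bob -> Alice
    return A, B, dh_shared(B, a, p), dh_shared(A, b, p)


def derive_keys(k, labels, p=TOY_P):
    """One key per label from the single DH result k (K1 .. Kn in the text).

    Illustrative construction: HMAC-SHA256 keyed with k over a distinct label
    per consumer. Both peers run this on the same k and so obtain the same
    set of keys; exposure of one derived key does not reveal k or another key.
    """
    k_bytes = k.to_bytes((p.bit_length() + 7) // 8, "big")
    return {label: hmac.new(k_bytes, label.encode(), hashlib.sha256).hexdigest()
            for label in labels}


if __name__ == "__main__":
    A, B, k_alice, k_bob = dh_exchange(6, 15)     # constructed private values
    print("A =", A, "B =", B, "k =", k_alice, "both agree:", k_alice == k_bob)
    labels = ["process a", "process b", "process c", "process d", "process e"]
    for label, key in derive_keys(k_alice, labels).items():
        print(label, "->", key[:16] + "...")
```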
Concepts of Cryptography
This section discusses using the cryptographic algorithms already discussed to perform security
measures for IPSec.
As mentioned earlier, IPSec uses the services of many different types of algorithms to securely
exchange algorithms, keys, and authentication checks. A minor portion of IPSec is dedicated to
the actual encryption and decryption of data. IPSec performs its functions for three main
cryptographic areas:
Integrity: authenticating peers and verifying data integrity
Non-repudiation: proving someone took part in a conversation
Confidentiality: encrypting data as it travels over an insecure medium
Integrity
In terms of security, integrity can take many forms.
For example, when two people exchange data across an insecure medium, how can they be sure
of the following facts?
• They are indeed speaking to whom they believe they are
• The data they are exchanging has not been modified in transit
IPSec uses cryptographic functions to ensure that information can only be accessed or modified
by those authorized to do so.
IPSec will perform three main integrity checks:
• Authentication of endpoint
• Data integrity
• Digital signatures
Authentication of Endpoint
IPSec will guarantee that the endpoint of the connection is indeed whom it claims. This is
performed via authentication during the DH key agreement protocol.
Remember, DH is used to obtain a shared secret key over an insecure medium. There are a few
ways to perform authentication for a peer, including:
Using a shared secret key: Both sides agree upon a shared secret key (this is not one of the
derived DH keys). One side can encrypt what the other side can decrypt, which proves the
authenticity of both parties.
Using digital signatures: Both sides obtain a digital certificate, which validates that a public
key (remember RSA and DSA) belongs to a certain host. These certificates are exchanged to
authenticate the peer using the RSA/DSA algorithm.
Encrypted nonces: Public and private keys are generated and public keys are passed to peers
(not using digital certificates). A nonce (random number) is encrypted using the public key of
the peer. The encrypted nonce is sent to the peer, which uses its private key to decrypt the
nonce before returning it. The peer has the corresponding private key, and the nonce is the
same, so the peer must be authentic.
Data Integrity
IPSec ensures that data has not been modified in transit, either by malicious intent or by
corruption from faulty media or equipment. IPSec performs the data integrity check using
an authenticated hash function, usually either MD5 or SHA-1.
Data packets are hashed before they are sent to the peer. The hash value and the original data
are sent to the peer, where the hash and data are separated again. The peer performs the same
hash function and compares its result with the hash it received. If they match, the data has not
been modified and can be trusted. If the values do not match, the data or the hash value has
been modified in some way, and the packet must be discarded.
Digital Signatures
Digital signatures change for every packet that is sent but can only be decrypted using the
corresponding public key.
When the hash function is performed and the hash output and the original data are sent to the
peer, the data is subject to man-in-the-middle attacks. In this case, the cracker intercepts the
hash and data, creates their own data, hashes it using the same algorithm and sends it to the
original receiver. The receiver validates the hash and accepts it. To stop this type of attack, you
can use one of the derived DH shared secret keys to authenticate the data. Here, the data and
the shared secret key are hashed together to create the hash output value. Only the peer on the
opposite end, who also has the shared secret value, can create the same hash value. Crackers
attempting to forge packets will not have the shared key, which means they will never compute
a hash that can match the data.
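An added Python illustration (not the guide's own code) of the difference this section and the Data Integrity section describe: a plain hash travelling beside the data can be recomputed by whoever substitutes the data, while a hash keyed with the DH-derived shared secret cannot. HMAC-SHA1 stands in for the keyed hash (it is how IPSec actually keys MD5 and SHA-1); the packet contents and the key are constructed values.

```python
import hashlib
import hmac

# Constructed values for the demonstration.
SHARED_KEY = b"K3-derived-from-dh-result"      # known only to the two IPSec peers
ORIGINAL = b"transfer 100 to account 4711"


def plain_packet(data):
    """Sender side of the unkeyed scheme: the data plus its SHA-1 hash."""
    return data, hashlib.sha1(data).digest()


def check_plain(data, tag):
    """Receiver side of the unkeyed scheme: recompute the hash and compare."""
    return hmac.compare_digest(hashlib.sha1(data).digest(), tag)


def keyed_packet(key, data):
    """Sender side of the keyed scheme: the hash covers the data and the shared secret."""
    return data, hmac.new(key, data, hashlib.sha1).digest()


def check_keyed(key, data, tag):
    """Receiver side of the keyed scheme: only a holder of the key reproduces the tag.

    compare_digest runs in constant time, so the comparison itself leaks no
    timing hint about how many tag bytes matched.
    """
    return hmac.compare_digest(hmac.new(key, data, hashlib.sha1).digest(), tag)


def substitution_outcome(key=SHARED_KEY, substitute=b"transfer 100 to account 9999"):
    """Model the interception the text describes against both schemes.

    A party on the path replaces the data and rebuilds whatever it can without
    the key. Returns (accepted_by_plain_check, accepted_by_keyed_check).
    """
    # Unkeyed scheme: the replacement hash is simply SHA-1 of the new data.
    _, forged_plain_tag = plain_packet(substitute)
    plain_ok = check_plain(substitute, forged_plain_tag)

    # Keyed scheme: without the key the interceptor can only reuse the original
    # tag or attach an unkeyed hash; the receiver's keyed recomputation rejects both.
    _, original_tag = keyed_packet(key, ORIGINAL)
    keyed_ok = (check_keyed(key, substitute, original_tag)
                or check_keyed(key, substitute, hashlib.sha1(substitute).digest()))
    return plain_ok, keyed_ok


if __name__ == "__main__":
    data, tag = keyed_packet(SHARED_KEY, ORIGINAL)
    print("genuine keyed packet accepted:", check_keyed(SHARED_KEY, data, tag))
    print("(plain accepted, keyed accepted) after substitution:", substitution_outcome())
```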
In addition to stopping man-in-the-middle attacks, you can use public key cryptography to
authenticate the hash. In this case, the hash is encrypted with the private key of the sender and
then sent to the opposite peer. The opposite peer obtains the public key of the sender and
decrypts the hash, then performs the normal hash checking function to validate the data. Since
only one person in the universe has the private key that was used to encrypt the hash, it can be
safely assumed that they sent the message.
When you hash data and encrypt the hash using your private key, you create a digital signature.
In essence, this validates that the hash the peer decrypted with the public key could have come
from no one else in the universe.
The great thing about digital signatures is the fact that they change for every packet that is sent,
but they all can only be decrypted using the corresponding public key.
Non-Repudiation
This section discusses the concept of non-repudiation and the ramifications it produces in the
world of security.
Suppose a cracker sent an email with a spoofed source email address. The cracker sent the
document posing as the sales manager, which confirmed the purchase of a large shipment of
widgets to a company in the Netherlands. Before the shipment was sent, the sales manager found
out about it and stopped the order. This is possible because he could refute the claim that he sent
the email. This is called repudiation: denying that communication via email took place.
In the security world, it is as important to be able to prove that someone else did something as
it is to prove that you did not. If you had to take someone's denial at their word, they could
easily purchase products or services online, then deny the purchase to avoid payment. Being
able to prove that someone did in fact do something is called non-repudiation.
Non-repudiation is achieved in the security world through the use of digital signatures.
Remember, every person in the entire world can have a unique private/public key pair. If you
send an email and digitally sign it with your private key, you and only you could have sent it.
Today, many state governments have passed their own digital signature legislation, which
gives documents marked with digital signatures the same legally binding contractual obligations
as a written signature.
Confidentiality
Confidentiality is defined as the mechanisms used to protect data against unintended or
unauthorized access. IPSec implements confidentiality by using encryption algorithms such as
DES, 3DES, or AES.
Confidentiality in the IPSec world can only be secure if the key exchange and integrity checks
are done securely. Otherwise, you have no way of knowing if the encryption key has been
compromised or if a successful man-in-the-middle attack was launched against you.
When you secure data using IPSec, you can be reasonably sure that no one has compromised
the security of an encrypted session.
Public Key Cryptography
This section discusses the concepts of public key cryptography and its use in the IPSec world.
Public key cryptography systems have two fundamental functions:
Encryption: Encrypt with public, decrypt with private
Digital signatures: Encrypt with private, decrypt with public
In public key cryptosystems, each host generates a public and private key pair. The public key
is made publicly available; the private key is kept secret. This eliminates the need for the sender
and receiver to share secret key information, as is necessary with symmetric key algorithms. In
this cryptosystem, public keys cross the public medium, and private keys are never transmitted
or shared.
There is still a problem with this system. How can you be sure the public key floating around
on the Ether is indeed the public key that the owner claims it to be? This dilemma could be
averted if there were a third party that everyone trusted who could vouch for the authenticity of
the public key. This means that a public key will need additional information attached to it,
such as a name to associate with the public key, who the trusted third party is, an authentication
check the trusted third party performed, etc. All this information and more is what is
contained in an item called a digital certificate.
Digital Certificates
Digital certificates are created to tie a public key to a particular user or host. The creator of the
certificate must be a trusted third party (TTP).
Why should anyone trust a digital document? What makes a digital certificate trustworthy? The
question can be partly answered with the digital signature. If you have a TTP use their private
key to sign a digital certificate, you can then use the TTP's public key to verify they signed the
certificate.
This raises another issue. How can you be sure the public key does indeed belong to the TTP
and not someone masquerading as them? Do you have another TTP authenticate the public key
of the initial third party? This is not necessary. Instead, the TTP will self-sign his own digital
certificate. This means when an individual first obtains the "root" certificate of the TTP, he or
she must make a phone call and validate the "fingerprint" manually.
When digital certificates are created by the trusted third party, they are sent back to the owner
of the public key. At this point, they can exchange digital certificates during the IPSec
exchange as long as both parties trust the same third party.
Certificate Authorities
A Certificate Authority (CA) is the trusted third party that signs digital certificates.
To obtain a certificate, a user must fill out a form with information about themselves, such as
their name; attributes such as organization, organizational unit, and so on; the algorithm used to
create the public key; and the public key itself. After filling out the form, it must be encoded
and sent to the CA. The standard used for requesting a digital certificate, encoding the form,
and sending it to the CA is called the Public Key Cryptography Standard #10 (PKCS #10).
When the CA receives the PKCS #10 request, it will validate the information about the
requester, take the data from the form and create a digital certificate. The digital certificate
itself is created to a well-known standard and is called an X.509 version 3 certificate.
Trust Models
Certificate Authorities can be operated in three different types of trust models.
Trust models in a PKI may be either single CA, hierarchical, or peer-to-peer (cross
certification). Each model has certain characteristics, advantages and disadvantages.
• Single CA: In the single CA model, all users obtain their certificates directly from the
CA. This model is easy to maintain for a small number of users. Scaling this model to
any significant number of users can be very difficult.
• Hierarchical: Trust between CAs flows down from the root. Users will only directly
trust other users whose CA is a member of the same hierarchy. In a hierarchy, the level
of trust for a CA is a function of the level of trust associated with the CA at the root of
the hierarchy. The model is difficult to maintain, but can scale to a very large number
of users over a large geographic area.
• Peer-to-Peer: In the peer-to-peer model, a separate CA will cross-certify another
independent CA. This model allows CAs to integrate their users with other CAs.
Revocation
When a private key becomes compromised, the corresponding digital certificate must be
marked such that it cannot be used. This feature is called revocation. When a digital certificate
is revoked, it is no longer a trusted certificate and its contents must not be trusted.
Each certificate created by a CA is identified with a special field called the serial number,
which is unique to each digital certificate. When the CA needs to revoke a certificate, it creates
a list called the Certificate Revocation List (CRL) and publishes it to various locations. The
CRL itself is nothing more than a list of revoked certificate serial numbers. When a CRL is
created, it is time stamped and digitally signed by the Certificate Authority that created it. This
allows any entity receiving the CRL to validate the source as well as the time the CRL was
created.
When IPSec peers exchange their digital certificates during the authentication phase, both peers
will consult a local CRL or download the latest CRL to validate that the certificate received has
not been revoked. If the certificate serial number is on the list, the connection will be dropped.
If the certificate serial number does not appear on the list, the authentication phase will proceed.
Certificate Policies
CAs are a major piece of a Public Key Infrastructure (PKI), which is defined as all the pieces
required to facilitate the use of digital certificates in an environment.
PKIs are beyond the scope of this book, but the CA's importance must be stressed. The CA is
what the entire trusted public key infrastructure is based on. If the CA cannot be trusted, all
portions of our IPSec network fall to pieces. For this reason, CAs must have very well defined
policies and security mechanisms to ensure that the services they provide to their customers can
indeed be trusted.
When a CA issues a certificate to a requester, it provides a statement that that particular public
key is bound to the requester. It is not only providing assurance to the requester, but to any
party that relies on the authenticity of the signed certificate. Because of the level of importance
in establishing trust in the public certificate, it is essential that a clear and concise certificate
policy (CP) be used.
A CP confirms that any entity that accepts electronic communication has assurance that the
digitally signed messages they receive can be verified with reference to the certificate. They
must be assured that the certificate is trustworthy for its intended purpose. To this end, a CA
using the services of a Registration Authority (RA) must validate all aspects of the entity
requesting a certificate. The certificate itself might also indicate that the certificate is
trustworthy for the authentication of electronic data interchange (EDI) transactions for the
purchase of goods within a particular price range.
Certificate Practice Statement (CPS)
Along with the Certificate Policy, which is usually a high-level set of practice provisions, a PKI
should also have a Certificate Practice Statement (CPS).
A CPS is a document detailing the practices followed by a CA when issuing and
managing certificates. The CPS implements the general rules imposed by the CP.
For example, imagine a particular CP supports the following general statement: "If a user
discovers their private key has become compromised, they must immediately contact the PKI
administrator."
The CPS will define the following components:
• When not in use, all users are required to keep all copies of their private key on their
person or in a secure locked environment
• End users and the operators of Certificate Authorities must be informed of a requirement
to report unauthorized disclosure of their private key in a written agreement, which they
must sign prior to being issued a certificate
• Upon discovery of the unauthorized disclosure of their private key, users must contact
their Certificate Authority within one working day. Methods of contacting the CA must
be via email to pksauthority@thepkica.com at any time or via phone at 555-555-2212
during PST business hours
Summary
This section summarizes the key points discussed in this lesson.
Tunneling
Internet Protocol Security (IPSec)
Cryptography
Next Steps
After completing this lesson, go to:
Key Management/Certification Lifecycle
Lesson Assessment
Q1) Which hash algorithm produces a 16-byte output value?
A) MD5
B) SHA-1
C) DES
D) 3DES
Q2) 3DES uses an effective key size of how many bits?
A) 112
B) 160
C) 168
D) 172
Q3) The AES algorithm can use which of the following key sizes?
A) 92
B) 128
C) 192
D) 256
Q4) Which of the following are considered symmetric encryption algorithms?
A) RSA
B) 3DES
C) DSA
D) AES
Q5) Which of the following are considered asymmetric encryption algorithms?
A) RSA
B) 3DES
C) DSA
D) AES
Q6) Which algorithm is used, over an insecure medium, to create or agree on a shared
secret key?
A) SHA-1
B) DSA
C) DH
D) Donnie-Johnsom
Q7) What is the ability to refute a claim that an exchange of data occurred called?
A) confidentiality
B) integrity
C) non-repudiation
D) repudiation
Q8) What mechanism is used to achieve privacy or confidentiality?
A) Digital envelopes
B) Digital signatures
C) Hashing
D) Encryption
Q9) What mechanism is used to achieve data integrity?
A) Digital envelopes
B) Encryption
C) Hashing
D) Asymmetric encryption
Q10) Digital signatures use which mechanisms?
A) Hash algorithm
B) Symmetric encryption algorithm
C) Asymmetric encryption algorithm
D) Authentication of endpoint
Q11) Which is the current standard used for digital certificates?
A) X.509v3
B) EAPOL
C) X.500
D) 802.9t
Q12) Digital certificates establish trust in a network via what mechanism?
A) Digital signatures
B) TTP
C) Encryption
D) Hashing
Key Management/Certification Lifecycle
Overview
This lesson discusses the lifecycle of keys and certificates.
Importance
Understanding the lifecycle of keys or certificates is critical in analyzing the effectiveness of our
security.
Objectives
Upon completing this lesson, you will be able to:
Describe the differences between a centralized versus decentralized key storage and
distribution configuration
Explain how keys are stored
Describe how a key management system will use escrow
Explain the need for revocation and the difference between revocation and suspension
Discuss the situations that would warrant key recovery
Explain the process of key renewal
Identify the hazards associated with improper key destruction
Explain how keys are used in a corporate environment
Learner Skills and Knowledge
To fully benefit from this lesson, you must have these prerequisite skills and knowledge:
Basic understanding of computer technology
Basic understanding of security architecture
Outline
This lesson includes these sections:
Overview
Centralized versus Decentralized
Storage
Escrow
Revocation
Suspension
Recovery
Renewal
Destruction
Key Usage
Summary
Assessment
Overview
This section provides an overview of the key lifecycle process.
The terms key and certificate are often used interchangeably to describe the access component
that allows secured entry into a computer system. Keys are actually a component of the
certificate. The certificate acts as a transport for the key.
As an encrypted code or password, keys must be generated, distributed, and eventually replaced
like any other security mechanism. The process of handling keys through their lifecycle is
important, as tampering or replacement is always a concern. You must handle the digital key
with as much care as you would handle the key to your house. No unknown person should have
any access to the key, or the lifecycle process, at any time.
Unlike your house key, the key creation process may be a remote server which could face the
constant risk of attack from the outside. In generating the key, the quality of the algorithm
determines how easily the key could be compromised. The process of protecting your keys
from intruders and being able to utilize strong keys is a challenging aspect of the lifecycle
process.
Centralized versus Decentralized
This section introduces the methods of generating keys.
At the beginning of the lifecycle, the birth of the key is tied to many factors. What length will
the key be, how strong is the algorithm that is creating the key, and how will it be distributed?
The length of the key determines how difficult it would be to break. A length of 2 bits could be
guessed in a couple of seconds, but as length increases, the number of combinations
increases exponentially until the time required to break the key is greater than the lifespan of
the entire planet. Keys generated with a length of 1024 or 2048 bits are virtually impossible to
break unless there is a flaw in the algorithm or the details of the algorithm become known to
the intruders.
Generating a key requires a great deal of time and processing power. Also, after creating the
new key, you need to transport it to the location it is needed through a certificate. One method
of achieving this goal is a centralized key generation approach. A single system is responsible
for generating the key, encapsulating it into a certificate, and then distributing the key to where
it is needed. This system is easy to manage, but it has many problems. If the single server fails,
then key generation stops. If the quality of the keys increases, the amount of processing
required will increase, causing a performance decrease to the system. From an intruder's
perspective, they have one target to attack and try to infiltrate. This creates a single point of
failure.
A much more scalable method is a distributed approach. Several servers work together to
accomplish not only the key generation, but also its distribution. By working together, keys can
be generated faster, without the single failure point, and sent to a Registration Authority (RA)
for completion. From this point, the RA can send the key to a Certificate Authority that can
bundle the key into a certificate and then distribute the key as needed. Because there is no
single point of failure, this method provides better service. Companies such as VeriSign use this
approach.
It is possible to combine the two methods to create a single key generation server with many
distribution points. This is a common method that avoids having a single point of attack from
intruders, but lessens the overall cost of key generation, especially for environments where key
generation is low. This is often referred to as a split-system key generation process.
Storage and Distribution
This section examines the concerns around the storage of keys and certificates.
Keys are usually stored, managed, and distributed by a distribution center. The client and the
distribution server validate the public and private key. Once validated, the client is granted the
requested access. If a failure in the authentication occurs, the client will be rejected.
Two common methods of key storage and distribution in this fashion are the Key Distribution
Center (KDC) and the Key Exchange Algorithm (KEA). Both systems provide excellent key
distribution and management, but they vary in slight ways. KDC is best known for its use in the
Kerberos security protocol, which is commonly found in many networks today including the
Active Directory used by Microsoft Windows 2000 and Server 2003. The KDC server performs
the key handshake with the client and assists the approved client in connecting to the desired
network resources. KDC and KEA act as excellent key storage and distribution mechanisms.
The private key that a client holds can take many forms. Most people experience the use of
private software keys in secured networks or when ordering products over the Internet. While
software keys are the current standard, they pose several challenges. Because they are software
stored on the client machine, it is possible to extract the key and run decryption software on
it. This can be accomplished without the client knowing of the attack. To prevent this type
of attack, and to increase the portability of a key, hardware can be used to replace software.
Hardware keys, such as smartcards, are portable keys that can be used to log on to a computer
system, provide payment authorization for Internet orders, and permit physical access to
restricted areas. Using a smartcard as a personal identification device as well as a secured key is
rapidly becoming the preferred security key encryption method.
Both hardware and software private keys need to be closely monitored. Procedures for replacing lost or destroyed physical tokens are extremely important. Software keys should be rotated (a new key generated and the old one destroyed) on a regular schedule, to limit the damage a silently copied key can do. Keep in mind that whenever employees are hired or terminated, keys will have to be issued, retrieved, and destroyed.
Using a KDC or KEA is just the start of the security measures you must address. Whatever your key generation and distribution strategy, identify the points at which its failure would lock legitimate users out, and, just as important, the points at which an intruder could attack the system. Physical security can be greatly enhanced through proper key use; consider requiring multiple keys for access to sensitive areas. It is not uncommon to require two administrators, each with a physical smartcard, to unlock a server cabinet.
Escrow
This section examines the benefit of key escrow and the controversy around it.
Suppose you have decided to use keys and certificates to secure your network and the valuable data it holds. You generate a 4,096-bit key with a well-reviewed algorithm (an algorithm you wrote yourself would be the weak point, not the strong one), and your data is now unreadable to anyone who lacks the key.
However, the government wishes to analyze your company's accounting practices. Because it cannot read the data directly, it has to ask you for the key. That is unacceptable to the government, which wants to be able to reach your data with or without your approval when it holds a warrant.
This is where key escrow comes in: a copy of the decryption key is deposited with a third party, the escrow agent, who releases it only under defined conditions such as a court order. Critics call it a backdoor, because that is what it is from the data owner's point of view. During the 1990s the U.S. government pushed the idea through its Escrowed Encryption Standard, better known as the Clipper chip, designed by the National Security Agency (NSA) with the escrowed keys built into the hardware so that law enforcement could decrypt traffic when legally authorized. The scheme was voluntary and was eventually abandoned, but the policy debate it started continues.
The case for escrow is strongest when law enforcement holds a court-ordered warrant, and it gained force after September 11, 2001: if a court authorizes the FBI to view certain information, it makes little sense for the FBI to have to ask an administrator for a key first. Even so, key escrow remains one of the most controversial matters in the field. Can a system be considered secure if it has a known backdoor? Is my privacy violated if the government has access to my files?
There is plenty of room for debate, but the position taken here is that the answer to both questions is "no". Virtually every security system has an "override" or backdoor of some kind. If knowledge of the backdoor is kept secret, your system is still secure against the world of 15-year-old hackers, and the government can only use the backdoor with a court-issued warrant, just as it can only search your house with a search warrant. The practitioner's caveat is that an escrowed key is a second copy of your secret: it is only as safe as the escrow agent that holds it, so it needs the same protection as the original, including the M of N controls described under Recovery.
Law enforcement needs the ability to access secured data without itself becoming a hacker. While the debate will rage for many years, key escrow is part of key management and the key lifecycle.
Expiration
This section introduces the end of the key and certificate lifecycle.
Like strong password strategies, all keys and certificates should expire eventually. The longer a key is in use, the more ciphertext has been produced under it, the more opportunities there have been to copy it, and the more likely it is that advances in cryptanalysis or hardware have weakened it. Setting reasonable expiration dates keeps would-be intruders guessing and gives you a natural point at which to issue replacement keys, possibly with a stronger algorithm or a longer bit length.
Keys and certificates are stamped with an expiration date, like the milk carton in your refrigerator; an X.509 certificate carries an explicit validity period (notBefore and notAfter). When that date passes, the key is no longer valid. Credit cards work the same way: when a card expires it no longer works for purchases, so the card company sends a new card just before the old one expires to avoid a loss of service. Most key and certificate applications do the same, issuing a new key shortly before the old one expires so that the changeover is seamless.
Revocation
This section examines the process of revoking keys and certificates.
Keys and certificates can be revoked before they expire if necessary. Most applications support immediate revocation and often offer to issue a replacement certificate at the same time. It is important to understand these processes, because the security of the system depends on prompt revocation when a breach occurs.
If logging and monitoring show that a key or certificate has been tampered with, compromised, or stolen, the best course of action is to revoke it and issue a new one to the authorized party. After the key is revoked, the next phase of key management is to monitor for attempted use of it: whether you want the evidence for law enforcement or to alert the certificate authority to the breach, watching for the revoked key tells you whether the attacker is still active.
Certificate Authorities (CAs) maintain a Certificate Revocation List (CRL), a signed list of every issued certificate that has been revoked, with the date and generally the reason for the revocation. Checking the CRL should be mandatory, not only for administrators but for every application that accepts certificates, because a client that skips the check will happily trust a certificate the CA has already disowned. Once a certificate or key has been revoked it can never be used again. With this in mind, the CRL improves your site's security by telling you which certificates have been breached.
Suspension
This section introduces the temporary condition of suspending a key.
If a security breach involves a key or certificate, revoke it immediately. There are other times when you do not want to revoke a key permanently but do want to stop it from being used for a while. You can suspend a key or certificate for those periods, such as when an employee goes on vacation or an administrator leaves the site to perform remote administration.
Suspending the key or certificate prevents intruders from using it while it is unattended, yet lets you re-enable it when needed. It avoids the administrative load of revoking a key and generating a new one, and it avoids the expense of a new commercially issued certificate.
Many companies that provide e-commerce support suspend their certificates when the site goes down for maintenance or an upgrade. There is little reason to suspend the certificate if the maintenance will only last a few hours, but if access must be stopped for a couple of days, suspending the certificate is a safe practice.
In practice the CRL lists suspended keys alongside revoked ones; in X.509 CRLs a suspension is an entry with the reason code certificateHold. The difference is what happens afterwards: only a suspended key can be re-enabled, by removing the hold entry from the next CRL. Revoked keys are invalidated forever.
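As an added example (not from the original guide), the Python below models the expiration, revocation, and suspension states described in these three sections as they appear to a relying party checking a CRL. The certificate, its dates and serial number, and the in-memory CRL are constructed for the example; the reason codes follow the X.509 CRL reason names, with certificateHold marking a suspension, and the code enforces the rule that a hold can be lifted but a revocation cannot.

```python
"""Certificate status against a CRL: expiry, revocation and suspension (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

HOLD = "certificateHold"  # X.509 CRL reason code 6: the only entry that can be lifted later
PERMANENT_REASONS = {"unspecified", "keyCompromise", "cACompromise", "affiliationChanged",
                     "superseded", "cessationOfOperation"}


@dataclass
class Certificate:
    serial: int
    subject: str
    not_before: datetime
    not_after: datetime


@dataclass
class RevocationList:
    """A CA's CRL kept in memory: serial -> (reason, revocation date)."""
    entries: dict = field(default_factory=dict)

    def suspend(self, cert: Certificate, when: datetime) -> None:
        reason, _ = self.entries.get(cert.serial, (None, None))
        if reason is not None and reason != HOLD:
            raise ValueError("certificate is revoked; revocation is permanent")
        self.entries[cert.serial] = (HOLD, when)

    def revoke(self, cert: Certificate, reason: str, when: datetime) -> None:
        if reason not in PERMANENT_REASONS:
            raise ValueError(f"unknown revocation reason {reason!r}")
        # A held certificate may be upgraded to revoked, never the other way round.
        self.entries[cert.serial] = (reason, when)

    def reinstate(self, cert: Certificate) -> None:
        reason, _ = self.entries.get(cert.serial, (None, None))
        if reason != HOLD:
            raise ValueError("only a certificate on hold can be reinstated")
        del self.entries[cert.serial]


def status(cert: Certificate, crl: RevocationList, now: datetime) -> str:
    """Validity period is checked first: an expired certificate is unusable whatever the CRL says."""
    if now < cert.not_before:
        return "not-yet-valid"
    if now > cert.not_after:
        return "expired"
    entry = crl.entries.get(cert.serial)
    if entry is None:
        return "valid"
    reason, _ = entry
    return "suspended" if reason == HOLD else f"revoked:{reason}"


def needs_replacement(cert: Certificate, now: datetime, lead: timedelta = timedelta(days=30)) -> bool:
    """Issue the successor before expiry, as a card issuer mails a new card before the old one lapses."""
    return cert.not_after - now <= lead


def demo() -> list:
    now = datetime(2003, 6, 1, tzinfo=timezone.utc)   # constructed clock
    cert = Certificate(1001, "CN=www.example.test", now - timedelta(days=200), now + timedelta(days=165))
    crl = RevocationList()
    seen = [status(cert, crl, now)]
    crl.suspend(cert, now)                       # administrator away: temporary hold
    seen.append(status(cert, crl, now))
    crl.reinstate(cert)                          # back on site: hold lifted
    seen.append(status(cert, crl, now))
    crl.revoke(cert, "keyCompromise", now)       # breach: permanent
    seen.append(status(cert, crl, now))
    seen.append(status(cert, crl, now + timedelta(days=166)))
    return seen


if __name__ == "__main__":
    print(demo())
```

The demo walks one certificate through valid, suspended, valid again, revoked, and finally expired. Note the order of checks in status: a relying party that consulted the CRL first and stopped at "not listed" would accept an expired certificate, which is exactly the mistake the expiration section warns against.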
Recovery
This section examines one of the most difficult facets of key lifecycle management.
Up to this point, managing keys and certificates has been a relatively straightforward process. One of the greatest challenges administrators face is the "age" of a key or certificate. When a user encrypts data with a key, only that key (or, for asymmetric encryption, the matching private key) can open the data. If a new key is issued a year later, the new key cannot open the old data; the old key is still needed. This is the heart of lifecycle and key management.
The administrator must therefore provide a way to retrieve and use older keys, which is a challenge because of the management and security involved. You do not want older keys stored on unencrypted, unsecured media, so the first issue is to find proper storage. The next issue is to keep track of issued, expired, revoked, and suspended keys for the entire life of the encrypted data.
Several further problems follow. First, what happens if a key is lost, stolen, or damaged (usually a physical smartcard rather than a software key)? The key is still valid, but nobody can access the data. Second, a key expires and someone needs data that was encrypted under it. In both situations, an archived copy of the old key, stored in software or hardware, lets you recover the data: if a smartcard is damaged or lost you can create another from the stored copy, and if an old key is required you can retrieve it from the archive. Note that only decryption keys belong in the archive; a signing key should never be archived, because a second copy undermines the non-repudiation the signature is supposed to provide.
As you can imagine, the server that stores the key archive is the cornerstone of key lifecycle security. Because access to it is so sensitive, many sites prohibit any single person, including an administrator, from accessing it alone. The only method of access is through the "M of N" rule.
The M of N control is a simple equation. If N administrators are authorized to access the key archive, then any M of them (with M no larger than N) must authenticate together before the archive releases a key. This rule, or control, can be applied to many security situations, not just key management, and the logic is the same. The M of N policy is established by the company during the security planning phase. For example, ten administrators may be authorized for the archive server (N = 10), and four of them (M = 4) must authenticate before a key can be retrieved from the archive.
You can quickly see how this prevents a single administrator from breaching the system and selling off the keys, since no one person can retrieve a key alone; it also means that the absence of a few administrators does not lock everyone out of the archive. Many secured businesses require that the authorization be given in person for additional security.
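An added example, not part of the original guide: the M of N control implemented with Shamir secret sharing in plain Python. The archive key, the share count N = 10 and the threshold M = 4 are constructed for the example. Each administrator holds one share; any four shares reconstruct the key, and three or fewer give no information about it, so no single administrator (or any group smaller than the quorum) can retrieve it alone.

```python
"""M of N recovery of an archived key with Shamir secret sharing over a prime field (added example)."""
import secrets

PRIME = 2**521 - 1   # Mersenne prime; big enough that any secret up to 64 bytes is a field element


def split_secret(secret: int, m: int, n: int) -> list:
    """Produce n shares (x, y) of secret; any m of them reconstruct it, m-1 reveal nothing."""
    if not 1 <= m <= n:
        raise ValueError("need 1 <= m <= n")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be a field element")
    # Random polynomial of degree m-1 whose constant term is the secret: f(0) == secret.
    coefficients = [secret] + [secrets.randbelow(PRIME) for _ in range(m - 1)]

    def f(x: int) -> int:
        return sum(c * pow(x, i, PRIME) for i, c in enumerate(coefficients)) % PRIME

    return [(x, f(x)) for x in range(1, n + 1)]


def recover_secret(shares: list) -> int:
    """Lagrange interpolation at x = 0 over the shares given (correct only with >= m distinct shares)."""
    if len({x for x, _ in shares}) != len(shares):
        raise ValueError("duplicate shares")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        numerator = denominator = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                numerator = numerator * (-xj) % PRIME
                denominator = denominator * (xi - xj) % PRIME
        # Modular inverse via Fermat: denominator^(p-2) == denominator^-1 mod p.
        total = (total + yi * numerator * pow(denominator, PRIME - 2, PRIME)) % PRIME
    return total


def split_key(key: bytes, m: int, n: int) -> list:
    return split_secret(int.from_bytes(key, "big"), m, n)


def recover_key(shares: list, length: int) -> bytes:
    return recover_secret(shares).to_bytes(length, "big")


def demo() -> bool:
    archive_key = b"constructed archive key 32 bytes"   # stands in for a real 256-bit key
    shares = split_key(archive_key, m=4, n=10)       # ten administrators, any four can recover
    quorum = [shares[1], shares[6], shares[8], shares[3]]
    return recover_key(quorum, len(archive_key)) == archive_key


if __name__ == "__main__":
    print("4 of 10 recovery succeeded:", demo())
```

Feeding recover_secret fewer than M shares does not fail loudly; it returns a value that is wrong with overwhelming probability, which is the point: the quorum is enforced by mathematics, not by a check that an insider could bypass. In a real archive the shares would live on separate smartcards and the reconstruction would happen inside a hardware module, so the assembled key never appears on a general-purpose host.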
Renewal
This section introduces the benefits and concerns of renewing keys.
Keys that have reached the end of their lifecycle normally expire and are archived. A new key is issued to the user and the key lifecycle begins again. There may be rare times when you want to renew an existing key, that is, extend its validity, rather than issue a new one. This is usually a bad practice, because the whole point of issuing a new key is that the old key now represents a risk.
Generally, renewals are granted because the process of generating new keys has been interrupted or needs more time than initially thought. An interruption in service is the most common reason, forcing a temporary renewal of existing keys.
The best practice in a renewal situation is to keep the renewal short and generate a new key as soon as service is restored. Remember that a renewal allows the user to continue using an old key, which may violate security policy and expose the network to risk. It should be done rarely, if ever.
Destruction
This section introduces the methods of destroying keys and certificates.
Because older decryption keys must be archived, a key is rarely destroyed completely: the archive copy lives as long as data encrypted under it must remain readable. From the client's perspective, however, the key must be destroyed when it expires.
Whether your keys are software based or hardware based, an expired key must be destroyed. With software keys, the application usually handles destruction; be aware that deleting a file does not overwrite its contents, so the key material should be securely wiped. Smartcard destruction is a physical process.
Some hardware tokens can be reprogrammed with new keys. Reprogrammable cards are often considered a security risk, because unless the old key material is securely erased it may still be recoverable from the card. In these situations you must physically destroy the device rather than simply tossing it into a trash can. Purpose-built destruction devices exist for smartcards, but the most common method is a hammer and brute force. Smashing a smartcard to dust prevents a hacker from retrieving data, but it also prevents you from using the card again. If your security policy allows, some devices can securely erase a smartcard while leaving it available for reuse.
Whatever method you choose, keep in mind that the goal is to prevent unauthorized tampering with or theft of the key. With this in mind you can avoid the common pitfalls that could place your system at risk.
Key Usage
This section examines the use of single and multiple key strategies.
Some applications require a single shared key. With this symmetric arrangement, server and client hold the same key. It is effective and fast, but it is dangerous, because anyone who obtains the key has complete access to the server, and the key must somehow be delivered to every client in advance.
A better arrangement is asymmetric (public/private) keys. Each party holds its own key pair: the private key never leaves its owner, and the public key can be handed to anyone. Something encrypted with a public key can be decrypted only with the matching private key. An attacker who steals one client's private key can impersonate that client, but learns nothing that unlocks the server itself or any other client. In practice the public/private keys are used to authenticate the two sides and to agree on a fresh symmetric session key, which then protects the bulk of the traffic for that session.
Many applications use the public/private key architecture, but some sensitive operations and data require an even higher level of control. These applications may require dual control: two keys, held by two people, to grant access. An end user could start the process, but a manager may have to authenticate as well before access is allowed. This is becoming common in accounting applications, where the CFO may need to authorize an accountant's access to payroll.
Summary
This section summarizes the key points discussed in this lesson.
Describe Centralized versus Decentralized
Explain the concerns of storing keys and certificates
Explain Escrow and its related controversy
Describe the process of Revocation
Describe the temporary condition of suspending keys
Explain why recovery is one of the most difficult facets of key lifecycle management
Describe the benefits and concerns of renewing keys
Describe the methods of destroying keys and certificates
Describe the use of single and multiple key strategies
Next Steps
After completing this lesson, go to:
Infrastructure Management
Lesson Assessment
Q1) What are two common methods of key storage and distribution?
A) CA
B) KDC
C) Key exchange algorithm
D) Active Directory
Q2) Digital certificates are transports for what important item?
A) CA information
B) Security Associations
C) Public key
D) Algorithms the client can understand
Q3) What is the mechanism that causes digital certificates to become invalid?
A) Outdated algorithms
B) New version to create digital certificates
C) Time and date
D) RA is compromised
Q4) A list of compromised and revoked certificates is stored in what type of file?
A) Database
B) CRL
C) CRC
D) Plain text file
Q5) If you have a certain number of administrators and want a subset of them used when regenerating a private key, what control process will you use?
A) Administrative override
B) Group Collaborative Restoration (GCR)
C) M of N
D) Key escrow
Module 7 - Infrastructure Management
Overview
Infrastructure management is key to properly securing corporate assets. An established policy of privilege management, risk identification, education, and documentation greatly enhances a company's ability to protect itself from unauthorized access.
Objectives
Upon completing this module, you will be able to:
Identify the critical aspects of privilege management and how they relate to corporate security
Describe the various aspects of risk identification that support asset security and risk mitigation
Explain how a proactive education policy can greatly reduce the threat posed by computer criminals
Explain how thorough documentation policies can streamline security implementation and accelerate the identification of potential vulnerabilities
Outline
The module contains these lessons:
Privilege Management
Risk Identification
Education
Documentation
Privilege Management
Overview
This lesson explains how privileges are managed for users and resources: user, group, and role management, single sign-on, centralized versus decentralized administration, auditing, and the MAC, DAC, and RBAC access control models.
Importance
The network/security administrator must give end users access to the information they need without granting more than that, and must be able to show afterwards who exercised which privilege. Privilege management and auditing are how that is done.
Objectives
Upon completing this lesson, you will be able to describe:
User/Group/Role Management
Single Sign-on
Centralized versus Decentralized
Auditing (Privilege, usage, escalation)
MAC/DAC/RBAC
Outline
This lesson includes these sections:
Overview
User/Group/Role Management
Single sign-on
Centralized versus Decentralized
Auditing (Privilege, usage, escalation)
MAC/DAC/RBAC
Summary
Assessment
Overview
This section provides an overview of how security is managed in a networking environment for users and resources.
Managing security at a detailed level is a daunting task. After creating the documentation, security policies, and procedures, and preparing the network for possible attacks, you still need to perform the day-to-day work of getting end users access to the information they need.
Years ago, it was common for a small network to have a single file server and no Internet access. This made security relatively simple. The administrator created a user account for each end user and assigned a password, decided which server resources (files and printers) that user should reach, and set permissions on those resources. The end user logged on to the server with the username and password to access their files.
If the administrator did not grant a user permission to a particular resource, the user could not access it, and often could not even see it. Depending on the permissions assigned, the user might be able to read files, write to files, and print. The administrator reserved the more powerful permissions for himself or herself.
This simple design has changed with the arrival of the Internet, not to mention the need for more servers and more resources. As servers and resources have multiplied, so has the administration. To keep control of our security designs, new methods of administration have been developed to ease the difficulty and increase the security.
User/Group/Role Management
This section introduces security management through users, groups, and roles.
Controlling user access to network resources is accomplished by assigning permissions. Permissions act like keys that allow users to unlock particular doors. They are implemented differently in each network operating system, but in general they perform the same function. When a user accesses a network resource such as a printer, file share, or other network device, their credentials are checked against the permission list (the access control list) on the resource to determine what type of access they are allowed.
The user's identity is usually established by a username and password. The network administrator then assigns permissions on each resource: who can read files, who can write to files, and so on.
Once a user has authenticated to the network, an attempt to open a share and read or write files causes the share's permission list to be checked first. If the administrator has added the user to the list and assigned permissions, the user gets exactly those permissions, such as read or write, and nothing more. If the administrator did not assign the user any permission on the resource, the user cannot access it.
The challenge for administrators is that every user needs permissions on every resource they use. This is manageable with a handful of users, but with hundreds or thousands it becomes virtually impossible. Assigning permissions user by user, and then changing them for new applications or for users who join and leave, is a time-consuming task. Groups simplify the process.
Rather than assign permissions case by case, virtually all network operating systems support groups. The administrator assigns permissions to the group and then adds the users who need those permissions to it. When a security change is needed, or a user must be added or removed, the administrator makes a single change to the group instead of hundreds of changes to individual users. For example, the administrator could create a group named "Accounting", grant that group access to the accounting application, and then add every member of the accounting department to the group.
Another grouping concept is the role. A role is a group of users defined by a specific job task rather than by the broad membership of a department. Suppose Jane, a member of the Accounting group, also performs the nightly backups on one of the servers. Rather than assign permissions directly to Jane, we create a role named "Backup Admins" that holds only the permissions needed to perform a backup. Because the role exists for that one task, users can easily be added to it or removed from it as duties change, and the permissions travel with the role rather than with the person.
Single Sign-on
This section introduces the concept of a single user account that grants access to many different resources.
One of the greatest difficulties in networking today is the management of usernames and passwords, for the administration staff and for the end user alike. The security system that handles usernames and passwords is generally built into the server's network operating system and cannot be shared with other servers. If you have three network servers, each user needs an account on each of them, must remember a username and password for each server they want to use, and must authenticate to each server individually.
To make remembering credentials easier, the administration staff generally creates the same username and password for each user on every server. The user then has only one username and password to remember, but must still perform a separate logon to each server they want to access.
Worse for administration, if a user changes their password on one server it does not change on the others. This confuses the end user and creates more work for the administrator, who has to synchronize the passwords again.
Solving this problem is not easy. Each software manufacturer uses a slightly different security system, so a solution usually requires standardizing on one vendor and its security model, which lets the different servers share their authentication information and removes the multiple-server problem. This solution is known as "Single Sign-on".
Single sign-on means the end user logs on once, to the "network" rather than to a single server. When the user attempts to reach information on another server, the authentication is communicated automatically to that server and the user is not asked to log on again. If the user changes their password, the change is shared by all the servers. This greatly reduces administration and the training required for end users. The caveat is that one set of credentials now opens every door: a stolen single sign-on password is worth far more than a password for one server, so the credential itself deserves stronger protection, such as multi-factor authentication.
Many network operating systems support single sign-on within their own product line. Microsoft uses Active Directory, Novell uses Novell Directory Services (NDS), and other products use similar technology. The truly difficult case is authenticating a user from one system, such as Microsoft, to another, such as UNIX. Because of the differences in the security systems, the end user must know a username and password for each.
Single sign-on is evolving to solve these issues as well. Technologies such as Microsoft Passport and the Liberty Alliance led by Sun offer a form of universal single sign-on, but the complexity of the Internet and local network technologies, and the lack of appetite for a standard authentication method, have slowed progress toward the ultimate solution.
Centralized versus Decentralized
This section introduces the concept of administration teams working together in either a centralized or a decentralized environment.
Managing a small network, such as one contained within an office or a building, has many challenges, but because of its size it avoids some of the greatest ones. Small networks generally have a single administrator, or a small group of administrators, located on site to handle the everyday tasks of running the network. Everything from server-side administration to help desk work with end users and client PC problems is part of the daily task list.
As the network grows to multiple buildings with separate administration teams and connections between the buildings to share resources, it becomes much more complex. The addition of a Wide Area Network (WAN) and all of the communication lines involved, plus the need to grant users from other buildings permissions on local resources, makes administration very difficult.
In a decentralized approach, the administration of each local area network is the responsibility of the local administration team. This generally works well, because each team can take care of local issues directly. The challenge is handling enterprise-wide issues of security and network infrastructure. In many cases, political issues and the diverse backgrounds of the administration teams pull the company in many technical directions without achieving much in the end.
To combat some of these challenges, many companies move toward a centralized management approach. Whether or not the administration team is physically located there, company headquarters often becomes the home of the enterprise administrators. They are responsible for security standards, network standards, operating procedures, and most of the documentation discussed in this course. The enterprise administrators are generally not concerned with the day-to-day tasks of a local area network; they focus on the company network as a whole. Instead of many individual administration teams battling over changes, a single cohesive administration role makes those decisions. This does not eliminate the politics, but it creates an organizational structure that is easy to follow.
Both types of administration have many advantages and disadvantages, and often the individual administrator has no control over which model is in place.
Auditing (privilege, usage, escalation)
This section introduces the concept of auditing users for improved security.
Security is one of the most important measures a company can take. Once the administration team has worked hard to write security guidelines, create procedures, and apply the best security they can, they must then monitor the system to determine whether there have been any breaches. Depending on the complexity of the network environment, this can be a challenging task for many administrators.
Most network operating system vendors include some sort of auditing mechanism for security, and this basic monitoring can often be enhanced with third-party software. The goal of auditing is to verify that the accepted security structure is working and to determine whether anyone has found a weakness. Once weaknesses have been detected, the administration team closes those holes.
Auditing records when a privileged user accesses a resource and the type of access they exercise. This creates an audit trail that provides basic usage statistics, which show how often a resource is accessed, along with verification that the privileged user exercised only the permissions given to them by administration.
Auditing also exposes weaknesses. Two in particular are access to resources by non-privileged users and escalation of permissions. Through a mistake, a user may be able to exercise more permission than the administration team intended. This is one form of permission escalation, and it is easily fixed, because the administration team can trace where they made the improper security assignment.
The more difficult escalation is when a non-privileged user suddenly becomes the equivalent of an administrator. This is generally due to a weakness in the network software that a hacker has exploited. It is much harder to identify, and only proper auditing will detect it. For that to work, the audit log must be written somewhere the attacker cannot alter, and it must actually be reviewed; a log nobody reads detects nothing.
Auditing is crucial in judging the success of a security policy. Through proper logging of user access, you will be able to determine whether a security weakness has been discovered. Keep in mind that audit logs also demonstrate due care: they show the organization took reasonable steps to detect and track unauthorized access, and they can be provided to law enforcement if needed.
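An added example (not from the original guide) showing the three kinds of review described above run over constructed audit log lines: usage counts per user and resource, a successful access that exceeds the permission assigned, and an administrative action carried out by a non-privileged account. The log format, the ASSIGNED table, the set of administrative actions and the threshold of three denials are assumptions made for the example; real operating systems write their audit records in their own formats.

```python
"""Review an access audit trail for usage, excess permission and privilege escalation (added example)."""
import re
from collections import Counter

LINE = re.compile(r"(?P<ts>\S+) user=(?P<user>\S+) resource=(?P<res>\S+) "
                  r"action=(?P<action>\S+) result=(?P<result>\S+)")

# Constructed policy: the permissions administration intended each user to hold.
ASSIGNED = {
    "bob":  {"payroll.db": {"read"}},
    "jane": {"payroll.db": {"read"}, "server01": {"backup"}},
    "root": {"*": {"*"}},
}
ADMINS = {"root"}
ADMIN_ACTIONS = {"add_user", "grant", "change_owner"}   # actions only an administrator should perform
DENIAL_THRESHOLD = 3

# Constructed sample log lines in the format the regex expects.
SAMPLE_LOG = """\
2003-05-02T09:12:33Z user=bob resource=payroll.db action=read result=success
2003-05-02T09:13:05Z user=bob resource=payroll.db action=write result=success
2003-05-02T09:14:10Z user=jane resource=server01 action=backup result=success
2003-05-02T09:15:41Z user=mallory resource=ledger.db action=read result=denied
2003-05-02T09:15:42Z user=mallory resource=ledger.db action=read result=denied
2003-05-02T09:15:44Z user=mallory resource=ledger.db action=read result=denied
2003-05-02T09:20:00Z user=mallory resource=accounts action=add_user result=success
2003-05-02T09:21:00Z user=root resource=accounts action=add_user result=success
""".splitlines()


def parse(line: str):
    m = LINE.match(line)
    return m.groupdict() if m else None


def intended(user: str, res: str, action: str) -> bool:
    """Was this action on this resource part of the permissions assigned to the user?"""
    grants = ASSIGNED.get(user, {})
    allowed = grants.get(res, set()) | grants.get("*", set())
    return action in allowed or "*" in allowed


def review(lines):
    """Return (usage, findings): usage counts per (user, resource); findings as (kind, user, res, detail)."""
    usage, denials, findings = Counter(), Counter(), []
    for line in lines:
        ev = parse(line)
        if ev is None:
            findings.append(("unparseable", "?", "?", line))
            continue
        usage[(ev["user"], ev["res"])] += 1
        if ev["result"] != "success":
            denials[(ev["user"], ev["res"])] += 1
            continue
        if ev["action"] in ADMIN_ACTIONS and ev["user"] not in ADMINS:
            # A non-privileged account exercising an administrative action: the dangerous kind of escalation.
            findings.append(("privilege-escalation", ev["user"], ev["res"], ev["action"]))
        elif not intended(ev["user"], ev["res"], ev["action"]):
            # A success the policy never granted: usually a mistaken assignment the team can correct.
            findings.append(("excess-permission", ev["user"], ev["res"], ev["action"]))
    for (user, res), n in denials.items():
        if n >= DENIAL_THRESHOLD:
            findings.append(("repeated-denials", user, res, f"{n} attempts"))
    return usage, findings


if __name__ == "__main__":
    usage, findings = review(SAMPLE_LOG)
    for finding in findings:
        print(*finding)
```

On the sample log the review flags bob's write to payroll.db (he was assigned read only, so an ACL needs correcting), mallory's successful add_user (an account with no assigned privileges performing an administrative action, the exploit case), and mallory's run of denied reads that preceded it. Jane's backup and root's add_user are within policy and produce no finding.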
MAC/DAC/RBAC
This section introduces the security principles oI MAC, DAC, and RBAC.
As discussed earlier, assigning permissions to resources so that users can access data is one oI
the primary tasks oI an administrator. Many network operating systems support this
methodology: however there are speciIic methodologies that are deIined. One oI these is MAC,
or Mandatory Access Control.
Mandatory Access Control (MAC) is the traditional assignment of permission that was discussed earlier. The administrator creates a permission list (which can be thought of as rules) that permits or denies authenticated users access to the resource. The permission list also identifies the specific permissions that the user can exercise. MAC compares the permission list of the resource with the clearance level of the user or group.
This is slightly different from Discretionary Access Control (DAC), which states that the original creator or owner of the object (file, file share, printer) has the ability to set the access control (permissions) for that object. This means that if you create a file, you can determine "who" has access to that file and "what" permissions they have. Notice that the administrator is not required for this security assignment. This can raise problems, such as file shares that the administrator is unaware of, which affects the security model. Users can also create files and folders and then remove the administrator's access to them. This is an important security feature, as the administrator should not have absolute control of the network. For instance, why should the administrator be able to read payroll information?
DAC is an important security feature, but it can also be overridden. In most network operating systems, the administrator has the ability to override the ownership of a file or folder. This is an auditable event, as it may violate the security policy of the company.
The final methodology is quickly finding use in the marketplace in operating systems such as Microsoft's Server 2003. Role Based Access Control (RBAC) has a slightly more complex set of rules to define its abilities. First, RBAC does not concern itself with the initial authentication of the user. This is handled outside of the RBAC process, and it is made possible by a single sign-on process. RBAC concerns itself more directly with subjects (users, objects, processes), the role that the subject is a part of, and the transaction the subject needs to execute. The transaction is a collection of procedures including the needed data. Three basic rules define operation:
1. A subject can execute a transaction only if the subject is a part of a role.
2. A subject's active role must be authorized for the destination subject.
3. A subject can execute a transaction only if it is authorized for the active role.
What this means is that if a user is a member of the Accounting group, and the Accounting group has been assigned permission to read the payroll document, then the user can read the payroll document. This model excels in the area of subject definition. It supports any object (subject) accessing any other object (subject) as long as it plays by the rules. For instance, a program function can access a database table to retrieve information if it is a member of an authorized role.
While this may not seem like much of an addition, it is critical today that we be able to support authorization to resources for things other than humans. The ability for software to communicate in a secured fashion requires a security model. RBAC is a much more mature security model that takes these considerations into account.
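The three models side by side over the lesson's payroll example, as an added illustration that is not from the course or from any operating system; the users, labels, roles and transactions are constructed sample data.

```python
"""MAC, DAC and RBAC as three small decision functions over the lesson's
payroll example.

Added example, not from the course material or any product. Resource names,
users, clearance levels, roles and transactions are constructed sample data.
"""
from dataclasses import dataclass, field

# ---- MAC: the administrator labels the resource; the decision compares the
#      label with the subject's clearance level. Owners cannot change this.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


@dataclass
class MacResource:
    name: str
    label: str          # assigned by the administrator


def mac_can_read(clearance: str, resource: MacResource) -> bool:
    """A subject may read only resources at or below its clearance."""
    return LEVELS[clearance] >= LEVELS[resource.label]


# ---- DAC: the owner of the object decides who gets which permission.
@dataclass
class DacObject:
    name: str
    owner: str
    acl: dict = field(default_factory=dict)   # user -> set of permissions

    def grant(self, actor: str, user: str, perm: str) -> None:
        # Only the owner edits the ACL; the administrator is not consulted,
        # which is exactly the blind spot the lesson describes.
        if actor != self.owner:
            raise PermissionError(f"{actor} does not own {self.name}")
        self.acl.setdefault(user, set()).add(perm)


def dac_allowed(obj: DacObject, user: str, perm: str) -> bool:
    return user == obj.owner or perm in obj.acl.get(user, set())


def admin_take_ownership(obj: DacObject, audit: list) -> None:
    """The override the lesson mentions: allowed, but it must leave an audit record."""
    audit.append(f"administrator took ownership of {obj.name} from {obj.owner}")
    obj.owner = "administrator"


# ---- RBAC: subjects belong to roles, roles are authorized for transactions,
#      and a subject acts under one active role (the lesson's three rules).
@dataclass
class Rbac:
    members: dict = field(default_factory=dict)       # subject -> set(role)
    transactions: dict = field(default_factory=dict)  # role -> set(transaction)

    def can_execute(self, subject: str, active_role: str, transaction: str) -> bool:
        roles = self.members.get(subject, set())
        if not roles:                  # rule 1: subject must be part of a role
            return False
        if active_role not in roles:   # rule 2: active role must be authorized for the subject
            return False
        # rule 3: the transaction must be authorized for the active role
        return transaction in self.transactions.get(active_role, set())


def demo() -> dict:
    """Run the payroll scenario under all three models and collect the decisions."""
    payroll = MacResource("payroll.xls", "confidential")
    mac = {"clerk(internal)": mac_can_read("internal", payroll),
           "cfo(secret)": mac_can_read("secret", payroll)}

    doc = DacObject("payroll.xls", owner="alice")
    doc.grant("alice", "bob", "read")
    try:
        doc.grant("administrator", "administrator", "read")
        admin_granted_self = True
    except PermissionError:
        admin_granted_self = False
    audit = []
    admin_take_ownership(doc, audit)
    dac = {"bob_read": dac_allowed(doc, "bob", "read"),
           "bob_write": dac_allowed(doc, "bob", "write"),
           "admin_granted_self": admin_granted_self,
           "admin_after_override": dac_allowed(doc, "administrator", "read"),
           "audit_events": len(audit)}

    rbac = Rbac(members={"carol": {"accounting"}, "report_job": {"reporting"}},
                transactions={"accounting": {"read_payroll", "post_ledger"},
                              "reporting": {"read_payroll"}})
    rb = {"carol_as_accounting": rbac.can_execute("carol", "accounting", "read_payroll"),
          "carol_as_reporting": rbac.can_execute("carol", "reporting", "read_payroll"),
          # a non-human subject (a program) is authorized the same way
          "report_job_reads": rbac.can_execute("report_job", "reporting", "read_payroll"),
          "report_job_posts": rbac.can_execute("report_job", "reporting", "post_ledger"),
          "stranger": rbac.can_execute("mallory", "accounting", "read_payroll")}
    return {"mac": mac, "dac": dac, "rbac": rb}


if __name__ == "__main__":
    for model, decisions in demo().items():
        print(model, decisions)
```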
Summary
This section summarizes the key points discussed in this lesson.
User/Group/Role Management
Single sign-on
Centralized versus Decentralized
Auditing (Privilege, usage, escalation)
MAC/DAC/RBAC
Next Steps
After completing this lesson, go to:
Risk Identification
Lesson Assessment
Acme is revamping their security framework with regard to permission assignment and administration. They are widely dispersed geographically and need to have some local administration in some of the remote sites. They are seeking advice on auditing and permission assignment to the variety of servers and network resources.
1. What specific recommendations would you provide Acme in regard to the advantages and disadvantages of a decentralized management configuration?
2. What would you recommend to Acme as far as resource auditing and permission assignment?
3. What should Acme do to ensure that inappropriate access is noted and corrective action is performed?
Risk Identification
Overview
This lesson explains how computer forensics can be used to recover lost information and track intruders.
Importance
The network/security administrator might be faced with identifying the intruder or malicious user. Computer forensics can help build a case in that determination.
Objectives
Upon completing this lesson, you will be able to:
Describe the process of asset identification
Explain how a comprehensive risk assessment can save a company time and money when hardening their systems
Explain the STRIDE process when used for threat identification
Discuss how a company can identify specific vulnerabilities that may exist in their company
Outline
This lesson includes these sections:
Overview
Asset Identification
Risk Assessment
Threat Identification
Vulnerabilities
Summary
Assessment
Overview
This section discusses how to minimize the impact of failed network services, and how to plan for preventing a security breach.
As much as you might wish otherwise, the hard reality is that systems will fail, and security may be broken. When this occurs, how much does it cost and how will you fix it?
It is important to keep in mind that the value of our network is greater than its parts. A business functions on the services provided by the network. If the network should become unavailable, the cost of losing those services may be enormous. Even though the data has not been destroyed, and even though hardware has not failed, the loss of the service is what causes the damage.
To this end, the administration team should identify which services will cost the company the most if they fail, how best to prevent this loss, and how to recover from the loss. Risk identification and analysis is the process of identifying, mitigating, and recovering from common failure scenarios.
This also includes the risk identification of more than just network hardware and services. A hacker leaking top-secret information to your competitors is just as damaging as losing the network for a day. Risk identification and analysis against a threat model is crucial.
Asset Identification
This section examines the determination of asset value and cost of loss.
First, you must identify what is at risk and how much it is worth. If a particular resource has no real value or security purpose, there is no reason to spend much money protecting it.
Most networks do have critical data and information affecting company security that must be protected in order to preserve the daily operations of the company. You must evaluate how to protect this data and how to repair it in the event that anything does happen. First, you need to evaluate how much it is worth so that you can determine how much to spend protecting it.
These are difficult questions. The first part of the process is to identify what exactly needs our protection, and possible replacement, if a disaster strikes. While having an overall view of the situation is important, the process of risk identification and mitigation requires you to take a very detailed view.
First, identify anything that has value to the company. Specifically, you need to know what data to protect and where it is located. In this fashion, you not only have the specifics of the data you want to protect, but you can also assign a value to this data. For example, the accounting data is probably more valuable than the "Administrative tools" data.
There are many network resources besides data that we should identify. Everything from software to hardware should be included. Basically, you want an inventory of the physical and logical portions of your network.
Once your assets have been clearly identified, you need to determine the approximate value of the assets. This is the value to the company, and not necessarily the sticker price of the hardware. The accounting data is much more valuable than the cost of the hard drive that holds
it. This can be a difficult proposition because actual value is subjective. For example, the Sales and Engineering departments will each have very different ideas about what data is critical to the success of the business.
Once a comprehensive list of assets has been identified, you will need to work with management and accounting to determine the actual value of the assets identified. In some cases, this may be the replacement cost, but in many cases it will be related to how long the company can survive without access to the data. This will involve the time it takes to replace any hardware needed, plus restoration time. You should also factor in how much money will be lost in an outage.
Risk Assessment
This section introduces the process of identifying and mitigating risks on the network.
Before a risk assessment analysis can begin, you need to complete the asset identification list and determine the cost of replacement and the cost of outage. These two crucial components will help you prioritize and build a management risk assessment.
Using the items in the asset identification list, you must determine what might happen for these items to become unavailable to users. Try to be as specific as possible. For example, imagine you have an Accounting folder that contains all of your accounting data. What could happen to make this unavailable? Some possibilities include a hard drive failure, a server failure, and a network cabling failure. With these possibilities, you can start to build your risk assessment analysis. To do this, list the asset item followed by the possible failures that can affect its uptime. Next, classify this risk based on the likelihood of one of those failures occurring. Using a scale of one to three, with three being the highest, perhaps you rate the hard drive failure as a one, a server failure as a two, and a cable failure as a one. Now that you have predicted the likelihood of failure, you need to list the mitigating measures that avoid the risk. To avoid the risk of loss, you might clean and defragment the hard drive, apply server patches, and scan the cables to verify good connectivity. The idea behind mitigation is to prevent the risk from occurring. The last item is how you respond to failure. This is a list of recovery procedures to follow in case the risk does occur.
By following this methodology, you can clearly identify risks, determine how large a threat they are to the company, create strategies to avoid the risk, and create procedures to follow should the risk occur.
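The steps above carried through as a small risk register, as an added example that is not part of the course. The costs, recovery times and the ranking rule (likelihood multiplied by estimated loss) are assumptions for the illustration, since the lesson prescribes no formula.

```python
"""Risk assessment register following the lesson's steps: asset, possible
failures, a 1..3 likelihood rating, mitigations, and recovery procedures.

Added example, not part of the course material. Costs, downtimes and the
scoring rule (likelihood times estimated loss) are assumptions made for
this illustration; the lesson itself prescribes no formula.
"""
from dataclasses import dataclass, field


@dataclass
class Failure:
    description: str
    likelihood: int            # lesson's scale: 1 (low) .. 3 (high)
    downtime_days: float       # assumed time to recover from this failure
    mitigations: list
    recovery: list

    def __post_init__(self):
        if self.likelihood not in (1, 2, 3):
            raise ValueError("likelihood must be 1, 2 or 3")


@dataclass
class Asset:
    name: str
    replacement_cost: float    # value to the company, not sticker price
    outage_cost_per_day: float
    failures: list = field(default_factory=list)


def estimated_loss(asset: Asset, failure: Failure) -> float:
    """Cost of one occurrence: replacement plus lost business during the outage."""
    return asset.replacement_cost + asset.outage_cost_per_day * failure.downtime_days


def prioritize(assets):
    """Rank every (asset, failure) pair by likelihood-weighted loss, highest first."""
    rows = []
    for asset in assets:
        for f in asset.failures:
            score = f.likelihood * estimated_loss(asset, f)
            rows.append((score, asset.name, f.description))
    return sorted(rows, reverse=True)


def build_sample_register():
    """The lesson's Accounting folder with the ratings it gives (costs constructed)."""
    accounting = Asset("Accounting folder", replacement_cost=2_000, outage_cost_per_day=25_000)
    accounting.failures = [
        Failure("hard drive failure", 1, 1.0,
                ["clean and defragment the drive", "monitor drive health"],
                ["replace drive", "restore folder from last backup"]),
        Failure("server failure", 2, 2.0,
                ["apply server patches", "schedule maintenance windows"],
                ["rebuild server from image", "restore data from backup"]),
        Failure("network cabling failure", 1, 0.5,
                ["scan cables to verify connectivity"],
                ["re-terminate or replace the failed run"]),
    ]
    return [accounting]


if __name__ == "__main__":
    for score, asset, failure in prioritize(build_sample_register()):
        print(f"{score:>10,.0f}  {asset}: {failure}")
```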
Threat Identification
This section introduces the security process of identifying a threat.
The continuing management of risks, especially security risks, can be very daunting. The first task is to create a threat model that outlines what kind of security threats you are looking for. Threat identification can be a grueling research task; however, the threat model used by many companies, including Microsoft, provides definitions for identifying security threats. The security model is known as STRIDE.
STRIDE is an acronym for the grouping of security threats into categories. There are six primary threat categories that we face:
1. Spoofing Identity. This is the illegal access and use of someone else's username and password.
2. Tampering with data. This is the malicious modification of data.
3. Repudiation. The ability of a user to conduct malicious acts on a system that does not have the ability to log or track those acts. The user can deny the events because no log or trace exists.
4. Information Disclosure. This is the ability of a user or intruder to access and read information that they should not have access to. The user may also provide this information to others who are not supposed to have access.
5. Denial of Service. This is when a user or intruder makes a service unavailable to valid users, such as bringing down a web site.
6. Elevation of privilege. In this threat, a user or intruder gains access and then elevates their authority enough to cause harm or damage to the system.
By using STRIDE as your threat identification model, you can then create the procedures to prevent these types of attacks.
Vulnerabilities
This section introduces the basic vulnerabilities of a network system.
The threat model discussed previously outlines the basic security threat categories that administrators should be prepared for on their network. The administrator must use these six categories and review their network for vulnerabilities to those types of attacks. Can a user attempt to spoof? If you have dial-in modems or Internet access, they can. The role of the administrator then is to determine how best to thwart those types of attacks. This is also part of a risk assessment, specifically for security.
Many administrators will take a list such as STRIDE and create a risk assessment. After outlining all the possible risks, they create a mitigation strategy. From this, a security policy and procedure guide is created.
Summary
This section summarizes the key points discussed in this lesson.
Asset Identification
Risk Assessment
Threat Identification
Vulnerabilities
Next Steps
After completing this lesson, go to:
Education
Lesson Assessment
Acme needs to create a security budget that will be used to harden their corporate infrastructure. Due to the overwhelming number of reported threats, they have asked you to help guide them in this process.
1. What should be one of the first steps Acme performs to identify the ROI of security policies?
2. How can Acme determine the cost of the loss of an asset?
3. What model would provide guidance in identifying risks and vulnerabilities that exist in Acme's corporate infrastructure?
Education (Training of End Users, Executives, and Human Resources)
Overview
This lesson explains how to conduct security and network training for the staff.
Importance
Education of the staff is critical to the security of a network. All users need to be aware of the policies and procedures that are in place to safeguard the network.
Objectives
Upon completing this lesson, you will be able to:
Discuss the importance of constant communication
Identify specific aspects of enhancing user awareness in enhancing corporate security
Explain how a proactive policy of training helps reduce a company's level of vulnerability to attack
Describe the nature of online resources that security professionals can utilize to keep current on emerging security threats
Outline
This lesson includes these sections:
Overview
Communication
User Awareness
Training
Online Resources
Summary
Assessment
Overview
This section gives you an overview of how to prepare training for the corporate staff.
Part of realizing a secured network is the contribution the corporate staff makes to the effort. As discussed in Module 3, if management does not support your security procedures, they will not enforce them. If they are not enforced, the end users will not follow them. Many of the security policies discussed in this course are meaningless unless supported by human resources and the legal department. You can have the best security policies in the world, but unless they are supported, implemented, and followed, you will continue to have vast security holes in your network.
Training is more than just passing out documentation. It involves educating management on the risks and dangers that face them. Hypothetical risks are not enough: solid examples of experiences had by others, documented risk analysis, and mitigation and recovery cost analysis all play a part in the education.
Human resources is generally the department that deals with all the legal issues of employee behavior and benefits. They will have considerable policy and procedure guidelines, and they have experience both in creating these documents and in educating the end user. You will need to work with human resources in order to complete your security goals.
The final piece of the puzzle is getting the end user to accept the security plan. They need to be educated on the dangers of violating basic security policy, such as leaving their passwords under their keyboards. Once they understand the problem, they generally are much better at helping to apply the security policies.
Communication
This section introduces the methods of communicating with the company.
Assertive, well-written documentation is a great foundation for communicating with all members of the corporate staff. There are additional means that you should employ, but the documentation is the first step.
All of the highly technical documentation you have created for your network, its security, and the risk analysis is wonderful for IT professionals; however, it will not make sense to many people outside the IT field. The reason for this goes beyond just the jargon we use in our industry, although that is important. It also includes the complex nature of the technology we use. Communicating with others means we need to simplify the terminology and the technology. For example, you can explain port access through a firewall by using the analogy of someone unlocking his or her car with a key.
Communicating with management is challenging in many ways. They need to know the risks they face and how to mitigate those risks. The end users will not need the detail that management requires. Keep in mind that management is interested in how you are going to prevent all those horror stories from occurring, so a clearly defined plan of action is required.
In the end, regardless of the audience, communicating the seriousness of network security and the procedures that need to be followed rests on your shoulders. Besides documentation, you should use techniques to help users keep security in mind. Email notices of new security alerts reminding them to change their passwords, plus banners or graphics displaying security reminders, can help keep security fresh in the minds of all users.
User Awareness
This section examines the benefit of making your end users aware of the security concerns.
In many cases, security violations occur because an end user did not know any better. It is easy to download software over the Internet and install it, but they may not understand why IT has a rule against it. Most often, taking the time to make users aware of the security risks encourages them to become more proactive in helping prevent security violations.
No one wants to be the one responsible for infecting the network with a virus. In order for end users to avoid doing this, it helps them to understand how their actions could cause that outcome. By explaining that installing unapproved software from the Internet or from home could cause this problem, you will find that many users will no longer try to circumvent your security. Of course, you still need to take preventative measures such as using virus scanners and preventing downloads from the Internet, but instead of attempting to disable these measures, your end users will now understand them. They will even let you know when their virus scanning software is not working properly.
Increasing user awareness about security comes from the IT staff taking the time to explain common security problems that occur on the network. Explain to them the importance of not using passwords such as a pet's name, because a hacker could guess this and enter the network by spoofing their identity!
Increasing user awareness means you will have hundreds of people trying to help you, instead of working against you.
Training
This section introduces the methods for acquiring additional training.
As discussed in this course, the success of our security plans is based on the fact that we have some idea of what an intruder is going to do. If we do not know how they are attacking our systems, or we forget to update our systems with security patches, all of our planning is wasted.
Many companies provide security information and patches so that you can keep your systems up to date with the latest security patch. This is more crucial than you might believe, as there have been times when a company releases a security patch within hours of a major hacking violation. Do not wait before installing these patches.
Contacting and working with your hardware and software vendors is important, but you should also gain knowledge about the latest security threats from a more general scope. You can find many books that discuss a variety of threat modeling concepts along with the actual procedures a hacker may go through to attack your system.
Attend security seminars and additional training on security whenever possible. Learning more about the changes in a new network operating system can improve your overall security modeling.

Online Resources
This section examines the use of online resources for security education.
Throughout this course, many web sites have been discussed that can help in the development of your security policies and procedures. The Web is your greatest source of information, including everything from the user and site guides discussed in Module 3 to the newsgroups and security web pages that number in the thousands.
The software vendor for your network operating system will have a security web site to help monitor and track the latest security patches. It is best to check these web pages every day for information, including those of hardware vendors and of network infrastructure hardware such as routers and switches.
Search for threat modeling and you will find thousands of discussions of the latest news regarding the building and changing of your threat model. The Web has a tremendous amount of information regarding security.
One of the best sources for training in an online environment is KnowledgeNet, which specializes in delivering the latest information over the Web. See their site at www.knowledgenet.com.
Summary
This section summarizes the key points discussed in this lesson.
Communication
User Awareness
Training
Online Resources
Next Steps
After completing this lesson, go to:
Documentation
Lesson Assessment
1. What are the different levels of complexity used when discussing security with management as opposed to end users?
2. How can training assist a company in securing its assets?
3. What are some online resources that will help keep you abreast of emerging threats, and new tools and methods of mitigating security vulnerabilities in your environment?
Documentation
Overview
In this lesson, we review some of the common forms of documentation that administrators should maintain.
Importance
Proper documentation can make emergency recovery faster, security tighter, and budget planning more effective.
Objectives
Upon completing this lesson, you will be able to:
Discuss the need for standards and guidelines and how they are to be created and maintained
Describe how good documentation of systems architecture can impact a company's security posture
Explain the importance of change documentation
Describe documenting logs and inventories and the reasoning behind this vital process
Explain classification and notification documentation and their implications in a secure environment
Outline
This lesson includes these sections:
Overview
Standards and Guidelines
Systems Architecture
Change documentation
Logs and Inventories
Classification/Notification
Retention/Storage/Destruction
Summary
Assessment
Overview
This section provides an overview of how documentation should be collected and handled.
This course has identified many areas that you will want to document. Security policies and procedures are only a few of the types of documentation you should keep regarding your network.
In addition to the documentation discussed previously, there are general documentation guidelines that you should follow when collecting information for your documentation. Network resource and physical layer information is often needed in order to complete the security documentation.
Because this documentation contains virtually all the information about the network, you must protect it from falling into malicious hands.
Standards and Guidelines
This section introduces the concept of documenting network standards and guidelines.
The goal of the Standards and Guidelines (SAG) is to create a logical place for all of the security and network documentation, policies, and procedures that have been created.
Standards are the policies that have been officially adopted by the company. These often carry the signature of someone representing management and HR. These are the actual working policies that the corporation has chosen to follow, not just proposed guidelines. They may include your acceptable use policies from HR, the end user security expectations, and the site standards. They may also contain the expected level of operational effectiveness of the network, including risk analysis and mitigation factors.
The guidelines detail procedures for maintaining the standards. The guidelines list tasks to ensure that the standards are met, how to evaluate the current situation in comparison to the standards, and how to achieve the recommended standards.
The important fact about this documentation is that it is a living document. The standards and guidelines should be versioned, and each new version should completely replace the outdated ones. It is important for the administrative staff to ensure that the documentation is kept up to date and practical for the network. This helps ensure that everyone is working from the latest information.
Systems Architecture
This section introduces the documentation for the architecture of the network.
Part of the common documentation strategy is to include detailed documentation and drawings of the network architecture. Several tools can assist in this process, such as Microsoft Visio. You should create the documentation from different perspectives.
The infrastructure or physical layer documentation generally contains a diagram and explanations for all of the physical layer components. This includes a diagram of the cable plant, the network devices such as routers and switches, plus the access points for the network such as T1s and dial-in modems. From a security modeling aspect, this document helps to determine the access points an intruder can use.
The logical layer diagram often describes the network resource addressing. This includes a diagram that outlines the IP addressing scheme of all physical devices as well as the servers and client computers on the network. Because of the complexity of IP addressing, it should include the address ranges for Internet access, dial-in support, and any additional IP pooling requirements.
The services layer diagram exposes the services available to clients. This describes the server resources, such as file shares and printers, that users can expect to access. It describes their location and purpose, and servers are clearly identified with information such as total disk space and operating system version. This diagram can greatly assist in the risk analysis of security.
Depending on the size and complexity of the network, additional diagrams and documentation may be required. These documents should be versioned and changed as the network changes.
Change Documentation
This section examines the difficulties in change notification and the documentation that helps.
A factor that affects large networks more than smaller ones is the process of change. A troubleshooting motto is "What changed?" System troubleshooters often look at what has changed on the network when a new problem surfaces. Rarely does hardware or software fail when it comes to network operating systems. The most common reason for network issues is that someone, somewhere, changed something, and it has had an effect on other components in the network.
The problem really rears its head when a change that was made does not cause a problem immediately. Instead, the change only affects one small part of the operation, and that is not detected until several weeks later. When the troubleshooter asks, "What has changed?" too much time has passed and everyone has forgotten. An example of this would be if an administrator in a remote office changes the IP address of the payroll check printer. It would go unnoticed until the end of the month when it was time to print the checks.
To prevent this, a change procedure should be put in place. Whether using paper documentation or a web site to record changes, whenever a change to the network occurs, it should be documented. The information to document should include the original configuration, the new configuration, why the change was made, when the change was made, and who made the change. Then, when faced with another failure and the troubleshooter asks, "What has changed?" you can provide a list that will help resolve the issue faster.
Logs and Inventories
This section discusses the importance of maintaining logs and inventory lists.
Knowing what happened is important when trying to resolve a network issue. One of the most common methods of tracking what happens on the network is logging. Different hardware and software products have their own procedures for creating log information, and the administrator should know how to configure and retrieve these logs for storage in a log book. The logs should include basic system and error logs, security logs, and the audit trails produced by user access. Many administrators keep weekly logs, review them, then store them on paper or electronically for later retrieval if necessary. If a network issue or security breach occurs, one of the first things to check is the logs.
Logging what occurs on your network is just as important as knowing what is on the network. A clear and accurate inventory of the hardware and software on the network is invaluable. You will use it as the basis for several other documents, including the risk analysis and the list of systems that require special care.
Inventories typically include the hardware or software version, where it is installed, the product licensing, and any additional features. Often, the administration team tags items with numbered stickers that Accounting uses for the official inventory catalog. This matters when determining asset value for risk analysis.
Classification/Notification
This section examines the classification of hardware and software implementations.
Before installing a new server platform, many administrators place the new server in a test environment. This environment is usually completely disconnected from the production network so that it cannot interfere with normal operations if a problem occurs. The server is designated a test or pilot server. When testing is finished, the server is reclassified as a production server ready for full use.
In larger networks, hundreds of devices and servers may move between "production" and "non-production" status. This could be due to a security breach, a virus or worm infection, a hardware failure, or an upgrade. A process to track these changes is important so that mistakes are not made. Obviously, it would be disastrous for a virus-infected computer classified as "out of service" to be suddenly placed back on the network.
The IT team should create a simple set of definitions for classifying network hardware and software. Once an item changes class, an alert or notice needs to go out to the administration team to make them aware of the classification change. Placing the change in a document, such as a change control document, may not be enough; immediate awareness helps stop inadvertent problems from happening. Generally, if a server or network device changes classification, an email or pager alert is sent to the IT staff making them aware of the change.
Retention/Storage/Destruction
This section examines the importance of properly handling your documentation.
In Module 3, you examined the proper storage and destruction of network data and devices and the associated security concerns. If you were a hacker and found, tucked in the trash bin behind company XYZ, a copy of all the network documentation discussed in this course, you would have virtually every detail about the network, including all of the security policies and procedures.
Whether electronic or paper, network documentation is an extremely valuable part of the company's intellectual property. It should be part of your risk analysis and your security procedures.
First, consider how you will securely store the documentation. A locked cabinet may or may not provide enough protection. Electronic copies of the documentation are susceptible to viruses and hacking. Like the system and data backups, documentation is often backed up to tape and held in a secure place off site.
Paper copies are often numbered and require a signature to view. This is tracked so that if a copy is missing, you have an audit trail to follow.
As with any outdated corporate material, documentation must be destroyed in a secure fashion. Burning paper copies and physically destroying electronic copies on tape is necessary. Be as security minded with your network documentation as you are with any of the company's most important information.
Summary
This section summarizes the key points discussed in this lesson.
Standards and Guidelines
Systems Architecture
Change Documentation
Logs and Inventories
Classification/Notification
Retention/Storage/Destruction
Lesson Assessment
Acme needs to set up a proactive policy of documenting their systems and procedures. They have contracted you to provide guidance in this critical process.
1. What recommendations would you make in the development of Acme's policies and guidelines?
2. What departments should be involved in the development of policy and guideline standards?
3. What would you recommend to Acme in the creation of their systems architecture documentation?
4. What specific considerations should Acme take in designing document retention, storage, and destruction?
APPENDIX A - Answers to Review Questions
The lesson review items and solutions are contained here.
Module 1: Hacking, Cracking, and Attacks
Lesson One: Why Security is Necessary
Lesson Review
This practice exercise reviews what you have learned in the lesson.
Q1) The most common threat to an enterprise network comes in the form of which type of threat?
A) Internal threat
B) External threat
C) Structured threat
D) Unstructured threat
Correct answer: A
Approximately 70% of all security incidents originate from within the corporation.
Q2) Cracker Joe, who currently works for ABC Company, writes a script to search the company's Oracle database for confidential information. What type of threat is Cracker Joe?
A) Internal threat
B) External threat
C) Structured threat
D) Unstructured threat
Correct answer: A and C
Since Cracker Joe is an employee, he has internal access to corporate resources, which makes him an internal threat. He is also knowledgeable enough to write specific scripts to perform his malicious acts, which also makes his threat a structured one.
Q3) Jane is a seasoned programmer for XYZ Company. At home in her spare time, she searches the web for cracking software. She downloads a particular exploit and uses it against her company's web servers. What type of threat is Jane considered to be?
A) Internal threat
B) External threat
C) Structured threat
D) Unstructured threat
Correct answer: B and D
Although Jane is a seasoned programmer, she is using tools created by others, which makes her a "script kiddie" or an unstructured threat. She is also attacking her company from an outside location, which makes her an external threat.
Q4) Script kiddies are considered which type of threat?
A) Internal threat
B) External threat
C) Structured threat
D) Unstructured threat
Correct answer: D
Script kiddies have little or no knowledge of cracking or of creating cracker tools. They use pre-built tools downloaded from the Internet to perform their malicious acts.
Lesson Two: Reconnaissance Techniques
Lesson Review
This practice exercise reviews what you have learned in the lesson.
Q5) A cracker wants to "scope out" which systems are alive on a particular network. What type of tool would he use? (Provide examples.)
Answer: To confirm which systems are active, the cracker would perform a ping sweep: send an ICMP echo request to every address in the range and note which ones reply. In this way he can determine which systems are up and which are not. Examples of ping sweeping tools include fping, Network Sonar, Ping Sweep, and Pinger.
Q6) A cracker has identified a target web server. He would like to find a list of services running on this server, but he wants to make sure the server does not log his activities. What type of tool would he use? (Provide examples.)
Answer: The cracker wants to perform a port scan. An ordinary (connect) scan completes the TCP three-way handshake with each port, so the listening application sees a session and can log it, which is what the cracker wants to avoid. Stealth scans, for example a half-open SYN scan, use the properties of TCP to determine which ports are open without ever completing a session: an open port answers SYN/ACK, a closed port answers RST, and the scanner tears the attempt down before the application is involved, so the application log shows nothing. Note, however, that the probes still cross the wire: a firewall, a network IDS, or a host that logs at the packet level records every one of them.
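The caveat above is easy to verify from the network side. The following is an added example, not part of the original course material: a small detector that reads firewall log lines (the line format and the sample lines are constructed for this example) and flags a source that touches many distinct ports on one host inside a short window, which is exactly what a half-open SYN scan looks like to the firewall even though the web server's own log stays empty.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of firewall log lines (not from a real system). The line format
# is assumed for this example: "<timestamp> <ACCEPT|DROP> <src> -> <dst>:<port> <flags>".
# 203.0.113.7 runs a fast SYN scan; 198.51.100.9 probes one port every half hour.
SAMPLE_LOG = """\
2003-06-01T10:00:01 DROP 203.0.113.7 -> 192.0.2.10:21 SYN
2003-06-01T10:00:01 DROP 203.0.113.7 -> 192.0.2.10:22 SYN
2003-06-01T10:00:02 DROP 203.0.113.7 -> 192.0.2.10:23 SYN
2003-06-01T10:00:02 DROP 203.0.113.7 -> 192.0.2.10:25 SYN
2003-06-01T10:00:03 DROP 203.0.113.7 -> 192.0.2.10:53 SYN
2003-06-01T10:00:03 DROP 203.0.113.7 -> 192.0.2.10:110 SYN
2003-06-01T10:00:04 DROP 203.0.113.7 -> 192.0.2.10:139 SYN
2003-06-01T10:00:04 DROP 203.0.113.7 -> 192.0.2.10:443 SYN
2003-06-01T10:00:05 DROP 203.0.113.7 -> 192.0.2.10:445 SYN
2003-06-01T10:00:05 DROP 203.0.113.7 -> 192.0.2.10:3389 SYN
2003-06-01T10:00:09 ACCEPT 198.51.100.4 -> 192.0.2.10:80 SYN
2003-06-01T10:05:00 DROP 198.51.100.9 -> 192.0.2.10:22 SYN
2003-06-01T10:40:00 DROP 198.51.100.9 -> 192.0.2.10:23 SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) (?P<src>[\d.]+) -> "
    r"(?P<dst>[\d.]+):(?P<port>\d+) (?P<flags>\S+)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S"),
        "action": m.group("action"),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "port": int(m.group("port")),
        "flags": m.group("flags"),
    }


def detect_port_scans(log_text, window_seconds=60, min_ports=8):
    """Flag each (source, destination) pair that touches at least `min_ports`
    distinct destination ports inside any `window_seconds` sliding window.
    Slow scans are caught by widening the window and lowering the threshold."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append(e)

    window = timedelta(seconds=window_seconds)
    alerts = []
    for (src, dst), evs in by_pair.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            ports = {e["port"] for e in evs[start:end + 1]}
            if len(ports) >= min_ports:
                alerts.append({"src": src, "dst": dst, "distinct_ports": len(ports),
                               "first_seen": evs[start]["ts"].isoformat()})
                break  # one alert per pair is enough
    return alerts


if __name__ == "__main__":
    for a in detect_port_scans(SAMPLE_LOG):
        print(a)
    # Widen the window to catch the slow scanner as well.
    for a in detect_port_scans(SAMPLE_LOG, window_seconds=3600, min_ports=2):
        print(a)
```

With the default 60-second window only the fast scanner is reported; the half-hourly prober from 198.51.100.9 is only found when the window is widened to an hour, which is the trade-off every scan detector makes between sensitivity and false alarms from legitimate clients that use several services.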
Q7) Nmap and Queso are tools used to perform what type of activities?
A) Packet scan
B) Port scan
C) OS identification
D) All of the above and more
Correct answer: D
Answer: Nmap is a fully featured reconnaissance tool that can perform almost any scan you can think of, along with many you probably did not think of. One thing Nmap can do, and that Queso is built specifically to do, is OS identification.
Q8) A cracker writes code to place his wireless Network Interface Card in promiscuous mode. What malicious activity is he attempting to perform?
A) Sniffing
B) Packet smelling
C) Evasive sweep
D) Port sweep
Correct answer: A
Answer: Normally a NIC accepts only frames addressed to the card itself (or to the broadcast address). This address is burned into the card as its Media Access Control (MAC) address. A NIC placed in promiscuous mode accepts every layer 2 frame it sees, whoever it is addressed to. This allows sniffing to take place, which is what the cracker has in mind.
Q9) What do crackers do and look for when performing OS identification techniques?
A) Specific OS signature
B) A specific active service
C) Specific pattern of packet behavior
D) OS license keys
Correct answer: A
Answer: Crackers attempt OS identification using tools such as Nmap and Queso. The IP and TCP standards do not define how an operating system should respond to nonsensical packets (for example, a segment with an unusual combination of TCP flags), so each operating system has a distinctive response. These utilities compare the responses they receive against a list of known operating system signatures and report a match.
Lesson Three: Access Techniques
Lesson Review
This practice exercise reviews what you have learned in the lesson.
Q10) NetBus and BO are examples of which type of utility?
A) Side entry
B) Reverse-side entry
C) Front access
D) Backdoor
Correct answer: D
Answer: NetBus and Back Orifice (BO) are backdoor utilities. They allow remote control of an operating system over a predetermined port once the correct password is entered.
Q11) Describe the concept behind a birthday attack.
Answer: Birthday attacks are based on the "birthday paradox." If you meet someone at random and ask his birthday, the chance that it matches yours is only 1 in 365. Even if you ask 50 people, the chance that any of them matches you is still only about 13%. However, put 23 people in a room and ask whether any two of them share a birthday, and the picture changes: there are now 253 pairs, each with a 1 in 365 chance of matching, and the probability that at least one pair matches is about 50%. The cryptographic relevance is the same: finding an input that matches one given hash value takes on the order of 2^n attempts for an n-bit hash, but finding any two inputs that collide with each other takes only about 2^(n/2). A hash whose output is too short, or a digital signature scheme that signs a short hash, is therefore far weaker against collisions than its output length suggests.
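To put numbers on the paradox and on its hash-collision form, here is an added example (not part of the original course material). It computes both birthday probabilities exactly and then performs a birthday search against SHA-256 truncated to a chosen number of bits; the truncation and the "msg-N" inputs are assumptions of the example, standing in for a short hash. Finding a collision in a 16-bit truncation takes only a few hundred hashes, in line with 2^(16/2) = 256, rather than the 65,536 a direct preimage search would need.

```python
import hashlib


def collision_probability(n, space=365):
    """Probability that at least two of n values drawn uniformly from `space`
    possibilities coincide (the "any two people share a birthday" case)."""
    p_all_distinct = 1.0
    for i in range(n):
        p_all_distinct *= (space - i) / space
    return 1.0 - p_all_distinct


def match_me_probability(n, space=365):
    """Probability that at least one of n others matches a fixed value
    (the "someone shares MY birthday" case), which grows far more slowly."""
    return 1.0 - ((space - 1) / space) ** n


def truncated_hash(msg, bits):
    """Leading `bits` bits of SHA-256(msg) as an integer; stands in for a short hash."""
    digest = hashlib.sha256(msg).digest()
    nbytes = (bits + 7) // 8
    return int.from_bytes(digest[:nbytes], "big") >> (nbytes * 8 - bits)


def find_collision(bits):
    """Birthday search: hash the deterministic inputs msg-0, msg-1, ... until two of
    them share a `bits`-bit truncated hash. Returns (msg_a, msg_b, attempts).
    Expected work is on the order of sqrt(2**bits) hashes, not 2**bits."""
    seen = {}
    i = 0
    while True:
        msg = f"msg-{i}".encode()
        h = truncated_hash(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg
        i += 1


if __name__ == "__main__":
    print(f"23 people, any shared birthday: {collision_probability(23):.3f}")
    print(f"50 people, one shares yours:    {match_me_probability(50):.3f}")
    a, b, n = find_collision(20)
    print(f"20-bit collision after {n} hashes: {a!r} and {b!r}")
```

The same search against the full 256-bit output would need about 2^128 hashes, which is why modern hash lengths are chosen so that n/2 is still out of reach.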
Q12) True or False: Cookies can be programmed to execute binary files.
Correct answer: False. A cookie is data that the browser stores and returns to the web server; it is never executed. The risk is disclosure or theft of what the cookie holds, such as a session identifier.
Q12) Describe a buffer overflow exploit and why it is effective.
A buffer overflow occurs when a program tries to store more data in a buffer (a temporary data storage area) than it was designed to hold. Since buffers are created to contain a finite amount of data, the extra information, which has to go somewhere, overflows into adjacent memory, corrupting or overwriting the valid data held there. In a buffer overflow attack the extra data is crafted so that it overwrites control data, such as a saved return address, and contains code of the attacker's choosing, in effect sending new instructions to the attacked computer that could, for example, damage the user's files, change data, or disclose confidential information. It is effective because the attacker's code runs with whatever privileges the overflowed program had.
Q13) Give two types of password attacks and describe the differences between the two.
Brute force attacks and dictionary attacks. A brute force attack tries every possible combination of the characters allowed in a password, so it is guaranteed to succeed eventually, but its cost grows exponentially with password length. A dictionary attack tries words or phrases pre-recorded in a file called a dictionary, usually with simple variations such as capitalization or appended digits; it is much faster, but it only finds passwords that are in the dictionary.
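The difference is clearest when both attacks run against the same target. The following is an added example, not part of the original course material: a salted SHA-256 hash of a password (used only to give both attacks something to compare against; the salt value and the seven-word dictionary are constructed for the example), a dictionary attack with a few mangling rules, and an exhaustive brute-force attack over a small alphabet.

```python
import hashlib
import itertools
import string


def hash_password(password, salt):
    """Salted SHA-256, used only to give both attacks a common target. Real systems
    should use a slow, purpose-built password hash; this is not a recommendation."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


# Constructed wordlist standing in for a cracking dictionary.
WORDLIST = ["password", "letmein", "welcome", "summer", "dragon", "qwerty", "admin"]


def mangle(word):
    """Typical dictionary-attack rules: capitalization and common suffixes."""
    return (word, word.capitalize(), word + "1", word + "123", word + "!")


def dictionary_attack(target_hash, salt, wordlist=WORDLIST):
    """Try every word and its mangled forms. Returns (password or None, attempts)."""
    attempts = 0
    for word in wordlist:
        for candidate in mangle(word):
            attempts += 1
            if hash_password(candidate, salt) == target_hash:
                return candidate, attempts
    return None, attempts


def brute_force_attack(target_hash, salt, alphabet=string.ascii_lowercase, max_len=4):
    """Try every string of length 1..max_len over `alphabet`, shortest first.
    Returns (password or None, attempts). Guaranteed to find any password inside
    the keyspace, at a cost that grows exponentially with length."""
    attempts = 0
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            attempts += 1
            candidate = "".join(chars)
            if hash_password(candidate, salt) == target_hash:
                return candidate, attempts
    return None, attempts


def keyspace_size(alphabet_size, max_len):
    """Number of candidates a brute-force run must cover in the worst case."""
    return sum(alphabet_size ** k for k in range(1, max_len + 1))


if __name__ == "__main__":
    salt = b"s4lt"                              # constructed example salt
    weak = hash_password("summer1", salt)       # dictionary word plus a digit
    short = hash_password("zq", salt)           # not in any dictionary, but tiny
    print(dictionary_attack(weak, salt))        # found after a handful of tries
    print(dictionary_attack(short, salt))       # never found by the dictionary
    print(brute_force_attack(short, salt))      # found by exhaustion
    print(keyspace_size(26, 4), keyspace_size(95, 8))
```

Running it shows the trade-off in the text: "summer1" falls to the dictionary in 18 tries but survives 475,254 brute-force attempts (every lowercase string up to four characters), while "zq" is immune to the dictionary and falls to brute force in 693. Length and character set are what defeat brute force; unpredictability is what defeats the dictionary.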
Q14) Which protocols and ports do SMTP and SNMP use?
A) TCP port 25
B) UDP port 161
C) UDP port 162
D) TCP port 23
Correct answer: A, B and C
SMTP uses TCP port 25. SNMP uses UDP port 161 for queries and UDP port 162 for traps sent to the management station. TCP port 23 is Telnet.
Lesson Four: Denial of Service Attacks
Lesson Review
This practice exercise reviews what you have learned in the lesson.
Q15) Which of the following are self-replicating?
A) Worms
B) Viruses
C) Trojans
D) Logic bombs
Correct answer: A and B
Both worms and viruses make copies of themselves. The difference is that a virus attaches itself to a host file or program and needs that host to be run or copied, while a worm spreads on its own across the network. Trojans and logic bombs do not replicate.
Q16) Why is a SYN flood an effective DoS attack?
A) It provides vital information to the attackers
B) It activates the busy signal on incoming sales calls
C) It brings the network to its knees
D) It halts your company's ability to provide service to its customers
Correct answer: C and D
A SYN flood sends a stream of SYN segments, usually from spoofed source addresses, and never completes the handshake. Each half-open connection occupies a slot in the server's connection backlog until it times out; once the backlog is full, legitimate connection attempts are refused. The service is effectively down even though the server itself is still running.
Q17) Code that is dormant and set to execute when a user opens his email can be described as what type of attack?
A) Malicious
B) Mean
C) Evil
D) Worm
Correct answer: A
Q18) Which type of attack(s) is normally carried out via email attachments?
A) Email infection
B) Email bacteria
C) Virus
D) Worm
Correct answer: C and D
Mass-mailing worms spread by mailing themselves as attachments, and viruses commonly ride in infected attachments as well. In both cases the recipient has to open the attachment.
Q19) Which type of attack is normally carried in, or hidden inside, another program?
A) Sneak
B) Trojan
C) Ambush
D) Carrier
Correct answer: B
Module 2: Mitigation Techniques
Lesson One: Authentication
Lesson Review
This practice exercise reviews what you have learned in the lesson.
ACME Inc. needs to verify that only authorized users are able to log in to the supercomputer locally at the central site. In addition, they have a few dozen remote scientists who need to access the central database, which holds detailed notes on the research projects they are working on. Their primary access to the corporate site is through dial-up networking, although a few of them are considering using VPN tunnels over the Internet. Each of the scientists also accesses the Internet via a local ISP using a modem.
Q20) Which of the following should use very strong authentication?
A) Local access to the supercomputer
B) Access to the ISP from the remote site for Internet access
C) Access to the central site using a modem and an access server at the central site
D) Access to the central site when the user has a VPN connection
Correct answer: C and D
Both paths give a remote user access to the research database from outside the building, so both warrant multi-factor authentication, such as a token card or one-time password combined with a PIN, or a digital certificate combined with a password. Local access to the supercomputer is also protected by the physical controls at the central site, and the ISP login only grants Internet connectivity.
Q21) Which of the above would be considered the weakest form of authentication (not counting the option of no authentication)?
A) Local access to the supercomputer
B) Access to the ISP from the remote site for Internet access
C) Access to the central site using a modem and an access server at the central site
D) Access to the central site when the user has a VPN connection
Correct answer: B
The ISP login is typically a simple username and password sent with PAP or CHAP, and it protects only the ISP's service, not ACME's data. The other three paths lead to ACME's own systems and should not rely on a reusable password alone.
Lesson Two: Authorization
Lesson Review
This practice exercise reviews what you have learned in the lesson.
Case Study: ACME, Inc.
ACME, Inc. needs to implement a security policy and access control for the following servers:
Human Resources server with sensitive data
Engineering file server, managed by the local department, with occasional access by other groups in the department
Corporate email servers
Q22) What types of access control would be the most appropriate for each of these systems?
A) DAC
B) RBAC
C) MAC
D) CAC
Correct answer: A, B and C
The HR server holds sensitive data and suits MAC, where labels and a central policy decide access and users cannot relax them. The engineering file server is managed by the department itself, which is the DAC model: the owners grant access at their own discretion. The email servers serve everyone according to job function and suit RBAC.
Q23) Describe the MAC method of access control.
Access is controlled by the security administrator through a mandatory policy. There are two fundamental implications of the approach:
- Users can no longer manipulate the access control attributes of the objects they own at their own discretion.
- The privileges associated with a process are determined by the system, based on the relevant mandatory security policy settings, on a per-task basis.
Lesson Three: Accounting
Lesson Review
This practice exercise reviews what you have learned in the lesson.
Case Study: ACME Inc.
ACME Inc. needs to know when users log into the corporate file server, what files they access, and when they log out. Additionally, the company would like to confirm that no unauthorized web servers are being run from client workstations.
Q24) Which types of tools may be used to gather this information?
A) Logging
B) Documenting
C) Scanning
D) Monitoring
Correct answer: A, C and D
Q25) If the information is collected, what would have to be done to make good use of the data?
A) The information must be organized and analyzed
B) The information must be compiled and stored securely
C) The information must be backed up
D) Usable information gained must affect policies relating to security
Correct answer: A, B, C and D
Module 3: Hardening
Lesson One: NOS/OS Hardening
Lesson Review
This practice exercise reviews what you have learned in the lesson.
Q26) What can be done to increase the security of your new FTP server that is in the DMZ?
A) No change; the FTP protocol is secure enough as it is
B) Install a firewall at the DMZ
C) Implement transmission encryption via SSH or VPN
D) Securing the FTP server would negatively impact its connection bandwidth for customers
Correct answer: C
FTP sends usernames, passwords and file contents in clear text. Wrapping the transfer in SSH (SFTP or SCP) or carrying it over a VPN protects both the credentials and the data. The firewall in B is presumably already in place, since the server is in a DMZ.
Q27) What is the difference between a service pack and a hot fix?
A) Service packs are supported by software publishers
B) Hot fixes are less secure
C) Service packs and hot fixes are both supported by software publishers
D) Hot fixes can be implemented without taking a system down
Correct answer: A
A service pack is a cumulative, fully tested and supported release of fixes. A hot fix addresses one specific problem, is released quickly, and receives less regression testing before release. Hot fixes are not inherently less secure, and many still require a restart to take effect.
Q28) How can unauthorized DHCP servers be detected?
A) Authorization is non-existent
B) Examine clients with incorrectly assigned addresses
C) By hacking every machine on the network to see if it is a DHCP server
D) Authorization is implemented
Correct answer: B and D
Clients that receive addresses, gateways or DNS servers from the wrong range are the usual first symptom of a rogue DHCP server. Where DHCP server authorization is implemented in the directory, an unauthorized server of that platform refuses to hand out leases in the first place.
Q29) What is the purpose of patching a server?
A) Patching makes a server more secure
B) Patching prevents unexpected down time
C) Patching saves money
D) Patching makes an administrator's life less stressful
Correct answer: A, B, C and D
Lesson Two: Filters/Firewalls
Lesson Review
This practice exercise reviews what you have learned in the lesson.
Case Study: ACME Inc.
ACME Inc. needs to provide security for the corporate headquarters. They are concerned about unauthorized people coming from the Internet and attacking or accessing corporate data on the company computers.
Q30) Which firewall techniques might they choose to provide the security they want?
A) Hardening
B) Proxy servers
C) Layer 3 filtering
D) Stateful filtering
Correct answer: B, C and D
Proxy servers, stateful filtering, and layer 3 (packet) filtering are all firewall techniques. Hardening is a host-level measure, not a firewall technique.
Q31) What are the pros and cons of proxy firewalls?
Proxy firewalls are very secure because they terminate the client's session and inspect each request at the application layer (layer 7 of the OSI model) before making their own request to the server. This allows very thorough checking, but the CPU overhead means that proxy firewalls add latency and do not scale as well as packet filters. To offset some of the latency, proxy firewalls can be configured to cache frequently used web pages, which they then serve directly to requesting clients.
Q32) Once firewalls have been inserted in the network, what else may be done on the workstations and servers to provide further protection?
To protect workstations and servers from malicious crackers, you should install anti-virus software on each system and make sure the signatures are kept up to date. You might also install host-based intrusion detection on the more important servers to protect further against attack.
Lesson Three: Intrusion Detection Systems
Lesson Review
This practice exercise reviews what you have learned in the lesson.
Case Study: ACME Inc.
ACME Inc. has two DNS servers, six web servers and two email servers. They also have over 600 networked computers at their central site. They are using SSL for financial transactions on three of their web servers. They want to prevent attacks against their network. They have implemented firewalls and feel they are secure.
Q33) Would IDS be a good decision for them?
A) Yes, it would bolster the firewalls
B) No, the company is right to feel they are secure
C) Yes, since any intrusion that does occur will be easier to prosecute
D) Yes, there is no such thing as too much security
Correct answer: A
The firewalls must already permit HTTP, HTTPS, DNS and SMTP to the published servers, and an attack carried inside that permitted traffic passes the firewall untouched; an IDS is what sees it. A firewall alone is no reason to feel secure. IDS logs may also help with prosecution, but that is a side benefit, and "no such thing as too much security" is not an engineering argument.
Q34) Which IDS solution, host or network, would be appropriate and why?
To protect all servers in the server farm, you should implement network-based intrusion detection on the server segment. To create a further line of defense, you should also implement host-based intrusion detection on your more important web servers (the ones that do the financial transactions).
Q35) What is the risk of not using any IDS?
The risks of not using any form of IDS are significant. First, you will not be alerted to any type of attack being used against your network servers. In addition, you will not be able to shun the attacker at the first sign of the attack. You will also have no record of how the attack was conducted. So when your servers are attacked and data is destroyed, you can only re-image the servers and hope the same attack does not occur again. With an IDS, you might have blocked the attack and been able to determine what type of attack was occurring, which helps you fight off further attacks in the future.
Lesson Four: Organization
Lesson Review
This practice exercise reviews what you have learned in the lesson.
Acme Inc. has contracted you to review their current security organization. They have been attacked in recent months and have had some of their systems penetrated. They are concerned with the ability to track activity and gather information that will allow prosecution of criminals, but want to prevent attackers from hacking their production systems. Since Acme's data center is located where there is frequent flooding and tornados, they want to mitigate the effects of natural disasters.
Q35) What specific recommendations would you make to identify unauthorized activity that would allow capture of intrusion attempts?
Recommend to Acme Inc. that protection is conducted in layers. The more layers, the harder to penetrate. Recommend network-based intrusion detection on all core segments and host-based intrusion detection on all sensitive production servers.
Q36) What recommendations would you make for Acme in regards to securing their systems from theft or environmental damage?
Recommend authentication badges for all personnel in the company. To pass into the building, authentication via the badge token must occur, so only authorized users enter. To mitigate environmental damage, the company should have an environmentally protected server room with redundant servers, power, and network devices. You might also recommend off-site storage of sensitive data.
Q37) What are some ways that Acme can ensure continued service to their customers if their data facility is destroyed due to a natural disaster?
A) Move vital systems to less disaster-prone areas
B) Move vital systems underground
C) Harden areas around vital systems with authentication and physical barriers
D) Put vital systems in locked, airtight concrete bunkers underground
Correct answer: A and C
Lesson 5: Forensics
Lesson Review
This practice exercise reviews what you have learned in the lesson.
Acme has caught a computer criminal "red-handed" attacking their system. They have deployed a honey pot and have all activity logged and stored. They have identified the criminal by name and are seeking prosecution.
Q38) What specific recommendations would you have to ensure the evidence is not compromised or lost prior to the case?
Honey pots have become a hot topic because the legality and evidential value of what they capture is contested. Using them is legal, but because the honey pot held no real company information and nothing of value was lost, a prosecution built on the honey pot logs alone is unlikely to succeed; honey pots are used primarily to learn how attacks occur. Acme should still treat the logs as evidence: make write-protected copies, record hashes of the originals, document who handled them and when, and involve legal counsel and law enforcement before deciding how to proceed.
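The "record hashes and document who handled them" step is simple to automate. The following is an added example, not part of the original course material: it writes a manifest recording the size and SHA-256 of each collected file together with a custody entry, returns the manifest's own hash to be kept separately (for example on a signed paper form), and later verifies that nothing has been altered. The honey pot log content, the directory layout and the collector's name are constructed for the example.

```python
import hashlib
import json
import os
import tempfile
import time


def sha256_file(path):
    """Hash a file in chunks so large evidence files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_manifest(evidence_paths, collected_by, manifest_path):
    """Record size and SHA-256 of each evidence file plus a custody entry, write the
    manifest, and return the manifest's own hash (to be kept separately)."""
    entries = [{"file": os.path.basename(p), "size": os.path.getsize(p),
                "sha256": sha256_file(p)} for p in evidence_paths]
    manifest = {
        "collected_by": collected_by,
        "collected_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "entries": entries,
        "custody": [{"action": "collected", "by": collected_by}],
    }
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return sha256_file(manifest_path)


def verify_manifest(manifest_path, evidence_dir, expected_manifest_hash):
    """Return a list of problems; an empty list means the evidence is intact."""
    problems = []
    if sha256_file(manifest_path) != expected_manifest_hash:
        problems.append("manifest modified")
    with open(manifest_path) as f:
        manifest = json.load(f)
    for e in manifest["entries"]:
        p = os.path.join(evidence_dir, e["file"])
        if not os.path.exists(p):
            problems.append(f"{e['file']}: missing")
        elif sha256_file(p) != e["sha256"]:
            problems.append(f"{e['file']}: hash mismatch")
    return problems


def demo_tamper_check():
    """Constructed walk-through: collect a honey pot log, verify it, alter it, verify
    again. Returns (problems_before, problems_after)."""
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "honeypot.log")
        with open(log, "w") as f:  # constructed sample content
            f.write("2003-06-01 02:13:07 203.0.113.7 login attempt root/toor\n")
        manifest = os.path.join(d, "manifest.json")
        mhash = make_manifest([log], "J. Doe, ACME security", manifest)
        before = verify_manifest(manifest, d, mhash)
        with open(log, "a") as f:
            f.write("2003-06-01 02:14:00 entry added after collection\n")
        after = verify_manifest(manifest, d, mhash)
    return before, after


if __name__ == "__main__":
    print(demo_tamper_check())
```

Keeping the manifest hash outside the evidence store is what makes the check meaningful: an attacker who can edit the log can also edit a manifest stored beside it, but not a hash written on the custody form.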
Q39) What recommendations would you give to Acme to implement "lessons learned" from this attack?
Recommend that the company use the logs to determine how the attacker successfully attacked the honey pot, and use that knowledge to strengthen the production servers so the same type of attack cannot succeed against them.
Q40) What should Acme do to ensure a measured response when this type of activity is detected in the future?
A) Consult the proper authorities and organizations
B) Implement proper crime scene policies to ensure fast, efficient prosecution
C) Take the task of evidence collection upon itself
D) Keep extensive log files to prove their case
Correct answer: A and B
MODULE 4 - Infrastructure Access Points
Lesson 1: Layer 1 Access Points
Lesson Review
This practice exercise reviews what you have learned in the lesson.
Q41) What type of tap will physically penetrate a coax cable?
A vampire tap is used to physically penetrate coax cable and create a connection to the copper medium.
Q42) What are the primary differences between UTP and STP?
Shielding is the primary difference between unshielded twisted pair (UTP) and shielded twisted pair (STP). The additional shielding of STP allows it to be used in facilities with more hostile electromagnetic interference.
Q43) What category of UTP is most widely used in new installations?
Category 5 (and its enhanced version, Category 5e) is the most widely used in new installations, as it supports connections up to 100 Mbps (Fast Ethernet).
Q44) What security recommendations would you make to secure the new installation of a radio frequency-based network?
Recommend that the company use a layered approach to securing its radio-based network. To protect confidentiality, they can use WEP, bearing in mind that WEP's weaknesses are well documented and it should be treated as a minimum rather than as strong protection. To protect against unauthorized access, port-based access control (802.1X) can be used.
Lesson 2: Layer 2 Access Points
Lesson Review
This practice exercise reviews what you have learned in the lesson.
Q45) How does a switch reduce the chance of unauthorized monitoring of traffic?
A switch forwards a unicast frame only to the port on which it learned the destination MAC address, instead of flooding it to every port as a hub does. A sniffer on an ordinary switch port therefore sees only its own traffic plus broadcasts and multicasts. This reduces, but does not eliminate, the risk: an intruder can flood the switch's MAC address table until it falls back to flooding, or use ARP spoofing to redirect a victim's traffic through his own machine, and anyone with administrative access to the switch can mirror any port.
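The ARP spoofing caveat above has a cheap countermeasure: watch the IP-to-MAC bindings announced on the segment and alarm when they change. The following is an added example, not part of the original course material, in the style of the arpwatch tool; the ARP replies it processes are a constructed sequence (not a real capture) in which an attacker's MAC address starts answering for the default gateway and for a workstation.

```python
from collections import defaultdict

# Constructed ARP replies as a sensor on the switched segment would see them
# (not a real capture). Each entry: (seconds since start, sender IP, sender MAC).
SAMPLE_ARP_REPLIES = [
    (0,  "192.168.1.1",  "00:11:22:33:44:01"),   # default gateway
    (1,  "192.168.1.20", "00:11:22:33:44:20"),   # workstation
    (2,  "192.168.1.21", "00:11:22:33:44:21"),   # workstation
    (30, "192.168.1.1",  "00:11:22:33:44:01"),
    (31, "192.168.1.1",  "00:aa:bb:cc:dd:ee"),   # gateway IP now claimed by another MAC
    (32, "192.168.1.20", "00:aa:bb:cc:dd:ee"),   # same MAC also claims the workstation
    (33, "192.168.1.1",  "00:11:22:33:44:01"),   # real gateway answers again
]


def watch_arp(replies):
    """arpwatch-style check. Remember the first MAC seen for each IP and report any
    later reply binding that IP to a different MAC; also report a single MAC that
    claims more than one IP, the usual signature of ARP poisoning in progress."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    reported_macs = set()
    alerts = []
    for t, ip, mac in replies:
        mac_to_ips[mac].add(ip)
        known = ip_to_mac.setdefault(ip, mac)   # first binding seen wins
        if known != mac:
            alerts.append({"time": t, "type": "ip_mac_changed",
                           "ip": ip, "expected": known, "seen": mac})
        if len(mac_to_ips[mac]) > 1 and mac not in reported_macs:
            reported_macs.add(mac)
            alerts.append({"time": t, "type": "mac_claims_multiple_ips",
                           "mac": mac, "ips": sorted(mac_to_ips[mac])})
    return alerts


if __name__ == "__main__":
    for alert in watch_arp(SAMPLE_ARP_REPLIES):
        print(alert)
```

The first-binding-wins rule means a legitimate NIC replacement will also raise an alert, which is acceptable: that is a change an administrator should know about anyway, and the table can be reseeded after the change is confirmed.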
Q46) What technology helps prevent clear-text transmission in a wireless environment?
Wired Equivalent Privacy (WEP) is used to encrypt traffic in a wireless environment.
Q47) What is the most important security concern on layer 2 devices?
Physical or logical access to the device is of utmost concern. If an intruder can gain access to the device, he owns all data traversing it.
Q48) What type of security prevents connection of unauthorized wireless access cards?
Port-based access control prevents connection of unauthorized wireless access cards at the point of attachment. Without proper credentials, an intruder cannot gain access.
Lesson 3: Layer 3 Access Points
Lesson Review
This practice exercise reviews what you have learned in the lesson.
Q49) What can a router do to eliminate undesirable traffic?
Routers are very good at filtering traffic at layer 3 or layer 4 of the OSI model using access lists. In this way you can permit only the protocols and ports desired, as well as only the desired source or destination addresses.
Q50) What is the physical vulnerability of a router that will allow an attacker to monitor all traffic that is processed through the device?
Direct access. If the intruder can gain direct or "console" access to the device, he can enable features that let him monitor all traffic, such as port spanning, or insert false routes into the routing table.
Q51) What type of firewall should you use if speed is the most important consideration?
Stateful firewalls should be employed if speed is the issue. Stateful firewalls inspect traffic only up to layer 4 of the OSI model, whereas proxy firewalls inspect traffic all the way up to layer 7.
Q52) What type of firewall should be used when access to certain sites from many users is paramount?
A proxy firewall would be desirable in this situation. Proxy firewalls can be configured to cache frequently used web pages. This gives all subsequent users quick access to the site, as the proxy server supplies the data rather than retrieving it for each request.
Lesson 4: Layer 4 and Above
Lesson Review
This practice exercise reviews what you have learned in the lesson.
Q52) XYZ Company is planning on deploying 200 workstations and 5 new servers. What suggestions would you make for hardening these new machines?
After each machine has its operating system installed, along with all patches and hot fixes, anti-virus software should be enabled on each system. The servers should also have host-based intrusion detection software installed.
Q53) What type of server could be employed to cache frequently accessed web pages, yet restrict the types of protocols and services that are allowed out to the Internet?
Proxy servers can cache frequently accessed web pages and also filter protocols and services.
Q54) How do attackers use CD-R media to penetrate systems?
Many utilities are available that let anyone boot a server from a CD-ROM, after which the attacker can change the administrator's password or gain access to protected files, bypassing the installed operating system's controls entirely.
Q55) What is the biggest threat to removable media?
Theft.
MODULE 5 - Infrastructure Protocols
Lesson 1: Remote Access
Lesson Review
This practice exercise reviews what you have learned in the lesson.
Q56) Which protocol can be used by a dial-up client to dynamically obtain an IP address?
A. PPP
B. L2TP
C. PPTP
D. Telnet
Correct answer: A
PPP's IP Control Protocol (IPCP) negotiates the client's IP address when the link comes up. L2TP and PPTP are tunneling protocols that carry PPP; Telnet is a terminal protocol and assigns nothing.
Q57) Which protocol in the wireless world seeks to emulate a wired LAN's privacy measures?
A. EAPOL
B. WTLS
C. WEP
D. WAP
Correct answer: C
Q58) IPSec packets can be identified on the wire by which protocol or port?
A. TCP 1701
B. Protocol 50
C. TCP 1723
D. Protocol 51
Correct answer: B and D
IP protocol 50 is ESP (Encapsulating Security Payload) and protocol 51 is AH (Authentication Header); neither is a TCP or UDP port. 1701 is L2TP (over UDP) and TCP 1723 is PPTP.
Q59) Between TACACS+ and RADIUS, which protocol is considered more secure and why?
TACACS+ is considered more secure because it encrypts the entire body of every packet between the NAS and the ACS server. RADIUS encrypts only the password attribute and sends everything else, including usernames and accounting data, in the clear, making it vulnerable to sniffing.
Q60) Port-based access control is identified as what standard?
A. 802.11x
B. 802.1X
C. EAP
D. EAPOL
Correct answer: B
Q61) To provide confidentiality when performing remote terminal emulation, which would be the protocol of choice?
A. L2TP
B. PPTP
C. SSH
D. IPSec
Correct answer: C
SSH is itself an encrypted remote terminal protocol and replaces Telnet directly. IPSec can protect a Telnet session, but it is a network-layer tunnel rather than a terminal protocol.
Lesson 2: Internetwork Access
Lesson Review
This practice exercise reviews what you have learned in the lesson.
Q62) Which would be the protocol oI choice when secure e-mail is required?
E) MIME
F) IPSec
G) TLS
H) S/MIME
Correct answer: D
Q63) Warez exploits occur Irom which misconIigured service?
I) HTTP
J) FTP
K) Telnet
L) Instant messaging
Correct answer: B
Q64) LDAP uses which TCP port(s)?
A) 1701/389
B) 389/636
C) 137/139
D) 37/139
Correct answer: B
Q65) What is considered the greatest security concern when using Instant Messaging in the
enterprise?
A) Viruses have access into the enterprise
B) Messages are sent in clear text
C) IM programs perform port hopping
D) No authentication occurs
Correct answer: D
Q66) Which of the following applications can execute code on client web workstations?
A) CGI
B) Java
C) TLS
D) ActiveX
Correct answer: D
Module 6 - Infrastructure Topologies
Lesson 1: Security Zones
Lesson Review
This practice exercise reviews what you have learned in the lesson.
Q67) Describe the concept of a DMZ and how it affects security in the enterprise.
The DMZ is a neutral zone located between two untrusted networks. Hosts that can
be accessed from either side are placed on it; these hosts are termed bastion
hosts. Access to the DMZ is freely given on both sides, but access from the DMZ
is strictly monitored. Only permitted traffic is allowed to cross the DMZ in any
direction.
Q68) Why are extranets important to an organization?
Extranets allow an organization quick and secure access to resources from a
partner or partners.
Q69) Describe an Intranet and how it supports an organization.
An Intranet is the whole of the organization. It contains all equipment, software,
and media that allow an organization to function.
Lesson 2: VLANs
Lesson Review
This practice exercise reviews what you have learned in the lesson.
Q70) What are the main technologies used in a LAN?
A) Ethernet
B) Token Ring
C) Optical
D) FDDI
Correct answer: A, B and D
Q71) What are the main technologies used in a WAN?
A) H.323
B) Frame Relay
C) X.25
D) ATM
Correct answer: B, C and D
Q72) List the main differences between a LAN and a WAN.
A local area network (LAN) allows local users quick access to company
information and services. A wide area network (WAN) will also allow access to
company information, but usually at a far slower rate. WANs usually tie a central
site to its branch offices or the Internet.
Q73) How do VLANs allow users, connected to separate devices, the ability to communicate
at layer 2 of the OSI model?
A) Hubs can be "daisy-chained"
B) Ports can be "logically" disconnected
C) ISL
D) 802.1q
Correct answer: A, B, C and D
Lesson 3: Network Address Translation
Lesson Review
This practice exercise reviews what you have learned in the lesson.
Q74) What is considered the greatest security measure when using NAT?
A) It allows a large enterprise to share a small number of public IP addresses
B) It allows a large enterprise to share a small number of private IP addresses
C) It hides the internal structure from untrusted networks and devices
D) Private IP addresses are translated into public IP addresses
Correct answer: C
Q75) Typically, what address space do inside (trusted) networks use?
A) 192.168.0.0
B) 172.16.0.0
C) 10.0.0.0
D) RFC1918
Correct answer: D
Q76) Describe how NAT works when outside crackers attempt to access inside resources.
NAT translates inside users' private IP addresses to globally routable public IP
addresses for the duration of a session. When the session ends, the global IP
address is placed back in a pool where other users can use it. Because the same IP
address will map to many users during the course of a day, it is very difficult for
an attacker to exploit an internal system.
Q77) Describe the differences between NAT and PAT.
NAT allows each inside user to obtain a specific IP address for the duration of a
session. PAT allows each inside user to use the same IP address, but modifies the
source port to uniquely identify each individual inside user. NAT has no trouble
with multimedia applications, whereas PAT can have problems due to the dynamic
opening of ports by multimedia applications.
Lesson 4: Tunneling
Lesson Review
This practice exercise reviews what you have learned in the lesson.
Q77) Which hash algorithm produces a 16-byte output value?
A) MD5
B) SHA-1
C) DES
D) 3DES
Correct answer: C
Q78) 3DES uses an effective key size of how many bits?
A) 112
B) 160
C) 168
D) 172
Correct answer: C
Q79) The AES algorithm can use which of the following key sizes?
A) 92
B) 128
C) 192
D) 256
Correct answer: B, C and D
Q80) Which of the following are considered symmetric encryption algorithms?
A) RSA
B) 3DES
C) DSA
D) AES
Correct answer: B and D
Q81) Which of the following are considered asymmetric encryption algorithms?
A) RSA
B) 3DES
C) DSA
D) AES
Correct answer: A and C
Q82) Which algorithm is used to create or agree on a shared secret key, doing so over an
insecure medium?
A) SHA-1
B) DSA
C) DH
D) Donnie-Johnsom
Correct answer: C
Q83) The ability to refute a claim that an exchange of data occurred is called what?
A) confidentiality
B) integrity
C) non-repudiation
D) repudiation
Correct answer: D
Q84) Privacy or confidentiality is achieved by what mechanism?
A) Digital envelopes
B) Digital signatures
C) Hashing
D) Encryption
Correct answer: D
Q85) Data integrity is achieved by what mechanism?
A) Digital envelopes
B) Encryption
C) Hashing
D) Asymmetric encryption
Correct answer: C
Q86) Digital signatures use which mechanisms?
A) Hash algorithm
B) Symmetric encryption algorithm
C) Asymmetric encryption algorithm
D) Authentication of endpoint
Correct answer: A
Q87) Which is the current standard used for digital certificates?
A) X.509v3
B) EAPOL
C) X.500
D) 802.9t
Correct answer: A
Q88) Digital certiIicates establish trust in a network via what mechanism?
A) Digital signatures
B) TTP
C) Encryption
D) Hashing
Correct answer: B
Lesson 5: Key Management/Certification Lifecycle
Lesson Review
This practice exercise reviews what you have learned in the lesson.
Q89) What are two common methods of key storage and distribution?
A) CA
B) KDC
C) Key exchange algorithm
D) Active Directory
Correct answer: B and C
Q90) Digital certificates are transports for what important item?
A) CA inIormation
B) Security Associations
C) Public key
D) Algorithms client can understand
Correct answer: C
Q91) What is the mechanism that causes digital certificates to become invalid?
A) Outdated algorithms
B) New version to create digital certificates
C) Time and date
D) RA is compromised
Correct answer: C
Q92) A list of compromised and revoked certificates is stored in what type of file?
A) Database
B) CRL
C) CRC
D) Plain text file
Correct answer: C
Q93) If you have a certain number of administrators and want a subset of them used when
regenerating a private key, what control process will you use?
A) Administrative override
B) Group Collaborative Restoration (GCR)
C) M of N
D) Key escrow
Correct answer: A
MODULE 7 - Infrastructure Management
Lesson 1: Privilege Management
Lesson Review
This practice exercise reviews what you have learned in the lesson.
Acme is revamping their security framework with regards to permission
assignment and administration. They are widely dispersed geographically and
need to have some local administration in some of the remote sites. They are
seeking advice on auditing and permission assignment to the variety of servers and
network resources.
Q94) What specific recommendations would you provide Acme in regard to the advantages
and disadvantages of a decentralized management configuration?
Decentralized Model - Pros
- Less IT labor required
- Simply administered from central locations
- Output is distributed automatically
- Fault tolerant & redundant
- Easy to scale
- Easy to redirect output for balanced resource load
- Easy to archive on other systems
- Security is automated
- Users share responsibility
Decentralized Model - Cons
- Requires a network
- Requires training
- Troubleshooting is more complex
- Users share responsibility
- Specialized software
Q95) What specific recommendations would you provide Acme in regard to the advantages and
disadvantages of a centralized management configuration?
Centralized Model - Pros
- Simple administration
- Central location for easy access by administrator
- Easy for administrator to control the printer
- Does not require a network
- Volume is relative to number of printers
- Security is manual
- Simple troubleshooting
- Simple training
- IT is responsible
Centralized Model - Cons
- Labor intensive
- Only IT personnel can access
- Output is distributed manually
- Not fault tolerant
- Difficult to scale
- Limited by printer throughput
- Difficult to redirect output
- Difficult to archive on other systems
- IT is solely responsible
Q96) What should Acme do to ensure that inappropriate access is noted and corrective action
is performed?
A) Perform auditing
B) Call the FBI
C) Implement Logging
D) All of the above
Correct answer: A
LESSON 2: Risk Identification
Lesson Review
This practice exercise reviews what you have learned in the lesson.
Acme needs to create a security budget that will be used to harden their corporate
infrastructure. Due to the overwhelming number of reported threats, they have asked you
to help guide them in this process.
Q97) What should be one of the first steps Acme should perform to identify the ROI of security
policies?
A) Perform a complete anti-virus scan of the network
B) Perform threat identification
C) Perform risk assessment
D) Perform asset identification
Correct answer: D
Q98) How can Acme determine the cost of the loss of an asset?
A) Perform a complete anti-virus scan of the network
B) Perform threat identification
C) Perform risk assessment
D) Perform asset identification
Correct answer: C
Q99) What model would provide guidance in identifying risks and vulnerabilities that exist in
Acme's corporate infrastructure?
A) STRIDE
B) Risk assessment
C) DASH
D) Vulnerabilities
Correct answer: A
Lesson 3: Education (Training of End Users, Executives, and Human
Resources)
Lesson Review
This practice exercise reviews what you have learned in the lesson.
Q100) Identify four primary threat categories of the STRIDE security model.
Answers: Spoofing identity, Tampering with data, Repudiation, Information
disclosure, Denial-of-Service
Q101) How can training assist a company to secure its assets?
A) Users are more aware of potential insecurities
B) By keeping its employees trim and fit
C) By showing everyone how to perform administrative tasks on the network
D) The more administrators there are, the more security there is
Correct answer: A
Q102) What are some online resources that will help keep you abreast of emerging threats and
new tools and methods of mitigating security vulnerabilities in your environment?
Answer: Newsgroups, Security web sites, and search engines
Lesson 4: Documentation
Lesson Review
This practice exercise reviews what you have learned in the lesson.
Acme needs to set up a proactive policy of documenting their systems and
procedures. They have contracted you to provide guidance in this critical process.
Q103) What recommendations would you make in the development of Acme's policies and
guidelines?
Answer: Acme should first create both an acceptable use policy and a security
standards policy.
Q104) What departments should be involved in the development of policy and guideline
standards?
A) Building maintenance
B) Top level executives
C) Human Resources
D) IT
Correct answer: C and D
Q105) What would you recommend to Acme in the creation of their systems architecture
documentation?
Answer: Create detailed documentation and drawings of the network architecture,
then create detailed infrastructure or physical layer documentation.
Q106) What specific considerations should Acme take in designing document retention,
storage and destruction?
First, consider how you will securely store the documentation. A locked cabinet
may or may not provide enough protection. Electronic copies of the
documentation are susceptible to viruses and hacking. Like the system and data
backups, documentation is often electronically backed up to tape and held in a
secure place off site.