ad

Friday, January 29, 2016

Network Security

Introduction

One of the primary goals of today’s network administrators is to design, imple- ment, and maintain secure networks. This is not always easy. No network can ever be labeled “secure.” Security is an ongoing process involving a myriad of protocols, procedures, and practices. This chapter focuses on some of the ele- ments administrators use to keep their networks as secure as possible.

Firewalls

In today’s network environments, firewalls protect systems from both external and internal threats. Although firewalls initially became popular in corporate environments, many home networks with a broadband Internet connection now also implement a firewall to protect against Internet-borne threats.
Essentially, a firewall is an application, device, system, or group of systems that controls the flow of traffic between two networks. The most common use of a firewall is to protect a private network from a public network such as the Internet. However, firewalls are also increasingly being used to separate a sensi- tive area of a private network from less-sensitive areas.
At its most basic, a firewall is a device (a computer system running firewall soft- ware or a dedicated hardware device) that has more than one network interface. It manages the flow of network traffic between those interfaces. How it manages the flow and what it does with certain types of traffic depends on its configura- tion. 




Strictly speaking, a firewall performs no action on the packets it receives besides the basic functions just described. However, in a real-world implementation, a firewall is likely to offer other functionality, such as Network Address Translation (NAT) and proxy server services. Without NAT, any host on the internal network that needs  to send or receive data through the firewall needs a registered IP address. Although such environments exist, most people have to settle for using a private address range on the internal network. Therefore, they rely on the firewall system to trans- late the outgoing request into an acceptable public network address.
Although the fundamental purpose of a firewall is to protect one network from another, you need to configure the firewall to allow some traffic through. If you don’t need to allow traffic to pass through a firewall, you can dispense with it and completely separate your network from others.
A firewall can employ a variety of methods to ensure security. In addition to the role just described, modern firewall applications can perform a range of other functions, often through the addition of add-on modules:
. Content filtering: Most firewalls can be configured to provide some level of content filtering. This can be done for both inbound and out- bound content. For instance, the firewall can be configured to monitor inbound content, restricting certain locations or particular websites.
Firewalls can also limit outbound traffic by prohibiting access to certain websites by maintaining a list of URLs and IP addresses. This is often done when organizations want to control employee access to Internet sites.
. Signature identification: A signature is a unique identifier for a particu- lar application. In the antivirus world, a signature is an algorithm that uniquely identifies a specific virus. Firewalls can be configured to detect certain signatures that are associated with malware or other undesirable applications and block them before they enter the network.
. Virus scanning services: As web pages are downloaded, content within the pages can be checked for viruses. This feature is attractive to compa- nies that are concerned about potential threats from Internet-based sources.



. Network Address Translation (NAT): To protect the identity of machines on the internal network, and to allow more flexibility in inter- nal TCP/IP addressing structures, many firewalls translate the originat- ing address of data into a different address. This address is then used on the Internet. NAT is a popular function because it works around the lim- ited availability of TCP/IP addresses.
. URL filtering: By using a variety of methods, the firewall can choose to block certain websites from being accessed by clients within the organi- zation. This blocking allows companies to control what pages can be viewed and by whom.
. Bandwidth management: Although it’s required in only certain situa- tions, bandwidth management can prevent a certain user or system from hogging the network connection. The most common approach to band- width management is to divide the available bandwidth into sections and then make just a certain section available to a user or system.

These functions are not strictly firewall activities. However, the flexibility offered by a firewall, coupled with its placement at the edge of a network, makes a firewall the ideal base for controlling access to external resources.



Stateful and Stateless Firewalls

When talking about firewalls, two terms often come up—stateful and stateless. These two terms differentiate how firewalls operate. A stateless firewall, some- times called a packet-filtering firewall, monitors specific data packets and restricts or allows access to the network based on certain criteria. Stateless fire- walls look at each data packet in isolation and therefore are unaware if that par- ticular data packet is part of a larger data stream. Essentially, stateless firewalls do not see the big picture or “state” of data flow, only the individual packets. Today, stateful firewalls are more likely to be used. Stateful firewalls monitor data traffic streams from one end to the other. A stateful firewall refuses unso- licited incoming traffic that does not comply with dynamic or preconfigured firewall exception rules. A stateful firewall tracks the state of network connec- tions, watching data traffic, including monitoring source and destination addresses and TCP and UDP port   numbers.






Packet-Filtering Firewalls

Packet filtering enables the firewall to examine each packet that passes through it and determine what to do with it based on the configuration. A packet-filter- ing firewall deals with packets at the data link layer (Layer 2) and network layer (Layer 3) of the Open Systems Interconnect (OSI) model. The following are some of the criteria by which packet filtering can be implemented:
. IP address: By using the IP address as a parameter, the firewall can allow or deny traffic based on the source or destination IP address. For example, you can configure the firewall so that only certain hosts on the internal network can access hosts on the Internet. Alternatively, you can configure it so that only certain hosts on the Internet can gain access to a system on the internal network.
. Port number: As discussed in Chapter 5, “TCP/IP Routing and Addressing,” the TCP/IP suite uses port numbers to identify which service a certain packet is destined for. By configuring the firewall to allow certain types of traffic, you can control the flow. You might, for example, open port 80 on the firewall to allow Hypertext Transfer Protocol (HTTP) requests from users on the Internet to reach the corporate web server. Depending on the application, you might also open the HTTP Secure (HTTPS) port, port 443, to allow access to a secure web server application.
. Protocol ID: Because each packet transmitted with IP has a protocol identifier, a firewall can read this value and then determine what kind of packet it is. If you are filtering based on protocol ID, you specify which protocols you will and will not allow to pass through the firewall.
. MAC address: This is perhaps the least used of the packet-filtering methods discussed, but it is possible to configure a firewall to use the hardware-configured MAC address as the determining factor in whether access to the network is granted. This is not a particularly flexible method, and therefore it is suitable only in environments in which you can closely control who uses which MAC address. The Internet is not such an environment.



Circuit-Level  Firewalls

Circuit-level firewalls are similar in operation to packet-filtering firewalls, but they operate at the transport and session layers of the OSI model. The biggest difference between a packet-filtering firewall and a circuit-level firewall is that a circuit-level firewall validates TCP and UDP sessions before opening a connec- tion, or circuit, through the firewall. When the session is established, the fire- wall maintains a table of valid connections and lets data pass through when ses- sion information matches an entry in the table. The table entry is removed, and the circuit is closed when the session is terminated. Circuit-level firewalls that operate at the session layer, or Layer 5 of the OSI model, provided enough pro- tection in terms of firewalls in their day. As attacks become more sophisticated and include application layer attacks, circuit-level firewalls might not provide enough protection by themselves.

Application Layer Firewalls

As the name suggests, application layer firewalls operate at the application layer of the OSI model. In operation, application layer firewalls can inspect data pack- ets traveling to or from an application. This allows the firewall to inspect, mod- ify, block, and even redirect data traffic as it sees fit. Application layer firewalls are sometimes called proxy firewalls because they can proxy in each direction. This means that the source and destination systems do not come in direct con- tact with each other. Instead, the firewall proxy serves as a middle point.



Comparing Firewall Types

The following list provides a quick comparison of the types of firewalls previ- ously discussed:
. Packet-filtering firewalls operate at Layers 2 and 3 of the OSI model and are designed to monitor traffic based on such criteria as source, port, or destination service in individual IP packets. They’re usually very fast and transparent to users.



. Session layer firewalls are also known as circuit-level firewalls. Typically these firewalls use NAT to protect the internal network. These gateways have little or no connection to the application layer and therefore cannot filter more complicated connections. These firewalls can protect traffic on only a basic rule base such as source destination port.
. Application layer firewalls control browser, Telnet, and FTP traffic, pre- vent unwanted traffic, and perform logging and auditing of traffic pass- ing through them.


Firewall Wrap-up

Firewalls have become a necessity for organizations of all sizes. They are a com- mon sight in businesses and homes alike. As the Internet becomes an increasing- ly hostile place, firewalls and the individuals who understand them are likely to become an essential part of the IT landscape.






Demilitarized Zones (Perimeter Network)

An important firewall-related concept is the demilitarized zone (DMZ), some- times called a perimeter network. A DMZ is part of a network where you place servers that must be accessible by sources both outside and inside your network. However, the DMZ is not connected directly to either network, and it must always be accessed through the firewall. The military term DMZ is used because it describes an area that has little or no enforcement or policing.



Using DMZs gives your firewall configuration an extra level of flexibility, pro- tection, and complexity. 
By using a DMZ, you can create an additional step that makes it more difficult for an intruder to gain access to the internal network.Forexam- ple, an intruder who tried to come in through Interface 1 would have to spoof a request from either the web server or proxy server into Interface 2 before it could be forwarded to the internal network. Although it is not impossible for an intruder to gain access to the internal network through a DMZ, it is  difficult.




Other Security Devices

A firewall is just one device we can use to help keep our networks secure. It is not, however, the only measure we can take. In many cases additional security strategies are required. Three mentioned in the CompTIA Network+ objectives are IDS, IPS, and a VPN    concentrator.
An intrusion prevention system (IPS) is a network device that continually scans the network, looking for inappropriate activity. It can shut down any potential threats. The IPS looks for any known signatures of common attacks and    auto-



matically tries to prevent those attacks. An IPS is considered a reactive security measure because it actively monitors and can take steps to correct a potential security threat.
An intrusion detection system (IDS) is a passive detection system. The IDS can detect the presence of an attack and then log that information. It also can alert an administrator to the potential threat. The administrator then analyzes the sit- uation and takes corrective measures if needed.
Several variations on IDSs exist:
. Network-Based Intrusion Detection System (NIDS): The NIDS examines all network traffic to and from network systems. If it is soft- ware, it is installed on servers or other systems that can monitor inbound traffic. If it is hardware, it may be connected to a hub or switch to moni- tor traffic.
. Host-Based Intrusion Detection System (HIDS): HIDS refers to applications such as spyware or virus applications that are installed on individual network systems. The HIDS monitors and creates logs on the local system.
. Protocol-Based Intrusion Detection System (PIDS): The PIDS monitors and analyzes protocols communicating between network devices. A PIDS is often installed on a web server and analyzes traffic HTTP  and  HTTPS communications.
. Application Protocol-Based Intrusion Detection System (APIDS): The APIDS monitors application-specific  protocols.



In addition to IPS and IDS, you can use VPN concentrators to increase remote- access security. As mentioned in Chapter 1, “Introduction to Networking,” a VPN provides a way to transfer network data securely over a public network. The data transfer is private, but the network is public or “virtual private.” A VPN can be created using a hardware device known as a VPN concentrator. This device sits between the VPN client and the VPN server, creates the tun- nel, authenticates users using the tunnel, and encrypts data traveling through the tunnel. When the VPN concentrator is in place, it can establish a secure connection (tunnel) between the sending and receiving network devices.



VPN concentrators add an additional level to VPN security. Depending on the exact concentrator, they can
. Create the tunnel.
. Authenticate users who want to use the tunnel.
. Encrypt and decrypt data.
. Regulate and monitor data transfer across the tunnel.
. Control inbound and outbound traffic as a tunnel endpoint or router.

The VPN concentrator invokes various standard protocols to accomplish these functions. These protocols are discussed later in this chapter.

Honeypots and Honeynets

When talking about network security, honeypots and honeynets are often men- tioned. Honeypots are a rather clever approach to network security, but perhaps a bit expensive. A honeypot is a system set up as a decoy to attract and deflect attacks from hackers. The server decoy appears to have everything a regular server does—OS, applications, network services. The attacker thinks he is accessing a real network server, but, in fact, he is in a network trap.
The honeypot has two key purposes. It can give administrators valuable infor- mation on the types of attacks being carried out. In turn, the honeypot can secure the real production servers according to what it learns. Also, the honey- pot deflects attention from working servers, allowing them to function without being attacked.
A honeypot can
. Deflect the attention of attackers from production servers.
. Deter attackers if they suspect their actions may be monitored with a honeypot.
. Allow administrators to learn from the attacks to protect the real servers.
. Identify the source of attacks, whether from inside the network or outside.

One step up from the honeypot is the honeynet. The honeynet is an entire net- work set up to monitor attacks from outsiders. All traffic into and out of the net- work is carefully tracked and documented. This information is shared with net- work professionals to help isolate the types of attacks launched against networks



and to proactively manage those security risks. Honeynets function as a produc- tion network, using network services, applications, and more. Attackers don’t know that they are actually accessing a monitored network.

Access Control Overview

Access control describes the mechanisms used to filter network traffic to deter- mine who is and who is not allowed to access the network and network resources. Firewalls, proxy servers, routers, and individual computers all can maintain access control to some degree. By limiting who can and cannot access the network and its resources, it is easy to understand why access control plays an important role in security strategy. Several types of access control strategies exist, as discussed in the following sections.




Mandatory Access Control (MAC)

Mandatory access control (MAC) is the most secure form of access control. In systems configured to use mandatory access control, administrators dictate who can access and modify data, systems, and resources. MAC systems are common- ly used in military installations, financial institutions, and, because of new priva- cy laws, medical institutions.
MAC secures information and resources by assigning sensitivity labels to objects and users. When a user requests access to an object, his sensitivity level is com- pared to the object’s. A label is a feature that is applied to files, directories, and other resources in the system. It is similar to a confidentiality stamp. When a label is placed on a file, it describes the level of security for that specific file. It permits access by files, users, programs, and so on that have a similar or higher security setting.

Discretionary Access Control (DAC)

Unlike mandatory access control, discretionary access control (DAC) is not forced from the administrator or operating system. Instead, access is controlled by an object’s owner. For example, if a secretary creates a folder, she decides who



will have access to that folder. This access is configured using permissions and an access control list.
DAC uses an access control list (ACL) to determine access. The ACL is a table that informs the operating system of the rights each user has to a particular sys- tem object, such as a file, directory, or printer. Each object has a security attrib- ute that identifies its ACL. The list has an entry for each system user with access privileges. The most common privileges include the ability to read a file (or all the files in a directory), to write to the file or files, and to execute the file (if it is an executable file or program).
Microsoft Windows Servers/XP/Vista, Linux, UNIX, and Mac OS X are among the operating systems that use ACLs. The list is implemented differently by each operating system.
In Windows Server products, an ACL is associated with each system object. Each ACL has one or more access control entries (ACEs) consisting of the name of a user or group of users. The user can also be a role name, such as “secretary” or “research.” For each of these users, groups, or roles, the access privileges are stated in a string of bits called an access mask. Generally, the system administra- tor or the object owner creates the ACL for an  object.

Rule-Based Access Control (RBAC)

Rule-based access control controls access to objects according to established rules. The configuration and security settings established on a router or firewall are a good example.
When a firewall is configured, rules are set up that control access to the net- work. Requests are reviewed to see if the requestor meets the criteria to be allowed access through the firewall. For instance, if a firewall is configured to reject all addresses in the 192.166.x.x IP address range, and the requestor’s IP is in that range, the request would be denied.
In a practical application, rule-based access control is a variation on MAC. Administrators typically configure the firewall or other device to allow or deny access. The owner or another user does not specify the conditions of acceptance, and safeguards ensure that an average user cannot change settings on the devices.





Role-Based Access Control (RoBAC)

In role-based access control (RoBAC), access decisions are determined by the roles that individual users have within the organization. Role-based access requires the administrator to have a thorough understanding of how a particu- lar organization operates, the number of users, and each user’s exact function in that organization.
Because access rights are grouped by role name, the use of resources is restrict- ed to individuals who are authorized to assume the associated role. For example, within a school system, the role of teacher can include access to certain data, including test banks, research material, and memos. School administrators might have access to employee records, financial data, planning projects, and more.
The use of roles to control access can be an effective means of developing and enforcing enterprise-specific security policies and for streamlining the security management process.
Roles should receive just the privilege level necessary to do the job associated with that role. This general security principle is known as the least privilege con- cept. When someone is hired in an organization, his or her role is clearly defined. A network administrator creates a user account for the new employee and places that user account in a group with people who have the same role in the organization.
Least privilege is often too restrictive to be practical in business. For instance, using teachers as an example, some more experienced teachers might have more responsibility than others and might require increased access to a particular net- work object. Customizing access to each individual is a time-consuming process.




MAC Filtering

Filtering network traffic using a system’s MAC address typically is done using an ACL. This list keeps track of all MAC addresses and is configured to allow or deny access to certain systems based on the list. As an example, let’s look at the MAC ACL from a router. Figure 9.3 shows the MAC ACL screen.












TCP/IP Filtering

Another type of filtering that can be used with  an ACL  is TCP/IP  filtering.  The  ACL determines what types of IP traffic will be let through the router. IP traffic that is not permitted according to the ACL is blocked. Depending on the type of IP fil- tering used, the ACL can be configured to allow or deny several types of IP   traffic:
. Protocol type: TCP, UDP, ICMP, SNMP, IP
. Port number used by protocols (for TCP/UPD)
. Message source address
. Message destination address



Tunneling and Encryption

In the mid-1990s, Microsoft, IBM, and Cisco began working on a technology called tunneling. By 1996, more companies had become interested and involved in the work, and the project soon produced two new virtual private networking solutions: Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP). Ascend, 3Com, Microsoft, and U.S. Robotics had developed PPTP,  and Cisco Systems had introduced the Layer 2 Forwarding (L2F)   protocol.
From these developments, virtual private networks (VPNs) became one of the most popular methods of remote access. Essentially, a VPN extends a local area network (LAN) by establishing a remote connection, a connection tunnel, using a public network such as the Internet. A VPN provides a secure point-to-point dedicated link between two points over a public IP network.
VPN encapsulates encrypted data inside another datagram that contains routing information. The connection between two computers establishes a switched connection dedicated to the two computers. The encrypted data is encapsulated inside Point-to-Protocol (PPP), and that connection is used to deliver the data.
A VPN allows anyone with an Internet connection to use the infrastructure of the public network to dial in to the main network and access resources as if she were logged on to the network locally. It also allows two networks to be con- nected to each other securely.
Many elements are involved in establishing a VPN  connection:
. A VPN client: The VPN client is the computer that initiates the con- nection to the VPN server.
. A VPN server: The VPN server authenticates connections from VPN clients.
. An access method: As mentioned, a VPN is most often established over a public network such as the Internet; however, some VPN implementa- tions use a private intranet. The network used must be IP-based.
. VPN protocols: Protocols are required to establish, manage, and secure the data over the VPN connection. PPTP and L2TP are commonly associated with VPN connections.

VPNs have become popular because they allow the public Internet to be safely utilized as a wide area network (WAN) connectivity solution. (A complete dis- cussion of VPNs would easily fill another book and goes beyond the scope of the Network+  objectives.)






Point-to-Point Tunneling Protocol  (PPTP)

PPTP,  which is documented in RFC 2637, is often mentioned together with  PPP. Although it’s used in dialup connections, as PPP is, PPTP provides differ- ent functionality. It creates a secure tunnel between two points on a network, over which other connectivity protocols, such as PPP, can be used. This tunnel- ing functionality is the basis of  VPNs.





To establish a PPTP session between a client and server, a TCP connection known as a PPTP control connection is required to create and maintain the com- munication tunnel. The PPTP control connection exists between the IP address of the PPTP client and the IP address of the PPTP server, using TCP port 1723 on the server and a dynamic port on the client. It is the function of the PPTP control connection to pass the PPTP control and management messages used to maintain the PPTP communication tunnel between the remote system and the server. PPTP provides authenticated and encrypted communications between two endpoints such as a client and server. PPTP does not use a public key infra- structure but does use a user ID and password.
PPTP uses the same authentication methods as PPP, including MS-CHAP, CHAP, PAP, and EAP, which are discussed later in this chapter.

Layer 2 Tunneling Protocol (L2TP)

L2TP is a combination of PPTP and Cisco’s  L2F  technology.  L2TP,  as  the  name suggests, utilizes tunneling to deliver data. It authenticates the client in a two-phase process: It authenticates the computer and then the user. By authen- ticating the computer, it prevents the data from being intercepted, changed, and



returned to the user in what is known as a man-in-tfte-middle attack. L2TP assures both parties that the data they are receiving is exactly the data sent by the originator.









L2TP and PPTP are both tunneling protocols, so you might be  wondering which you should use. Here is a quick list of some of the advantages of each, starting  with PPTP:
. PPTP has been around longer; it offers more interoperability than L2TP.
. PPTP is an industry standard.
. PPTP is easier to configure than L2TP because L2TP uses digital cer- tificates.
. PPTP has less overhead than L2TP.

The following are some of the advantages of  L2TP:
. L2TP offers greater security than PPTP.
. L2TP supports common public key infrastructure technology.
. L2TP provides support for header compression.



IPSec

The IP Security (IPSec) protocol is designed to provide secure communications between systems. This includes system-to-system communication in the same network, as well as communication to systems on external networks. IPSec is an IP layer security protocol that can both encrypt and authenticate network trans- missions. In a nutshell, IPSec is composed of two separate protocols— Authentication Header (AH) and Encapsulating Security Payload (ESP). AH provides the authentication and integrity checking for data packets, and ESP provides  encryption services.




Using both AH and ESP, data traveling between systems can be secured, ensur- ing that transmissions cannot be viewed, accessed, or modified by those who should not have access to them. It might seem that protection on an internal network is less necessary than on an external network; however, much of the data you send across networks has little or no protection, allowing unwanted eyes to see it.



IPSec provides three key security services:
. Data verification: It verifies that the data received is from the intended source.
. Protection from data tampering: It ensures that the data has not been tampered with or changed between the sending and receiving devices.
. Private transactions: It ensures that the data sent between the sending and receiving devices is unreadable by any other devices.



IPSec operates at the network layer of the Open Systems Interconnect (OSI) model and provides security for protocols that operate at the higher layers. Thus, by using IPSec, you can secure practically all TCP/IP-related communi- cations.



Remote-Access Protocols and Services

Today, there are many ways to establish remote access into networks. Some of these include such things as VPNs or Plain Old Telephone System  (POTS)  dialup access. Regardless of the technique used for remote access or the speed at which access is achieved, certain technologies need to be in place for the magic to happen. These technologies include the protocols to allow access to the serv- er and to secure the data transfer after the connection is established. Also nec- essary are methods of access control that make sure only authorized users are using the remote-access features.
All the major operating systems include built-in support for remote access. They provide both the access methods and security protocols necessary to secure the connection and data transfers.

Remote Access Service (RAS)

RAS is a remote-access solution included with Windows Server products. RAS is a feature-rich, easy-to-configure, easy-to-use method of configuring remote access.





Any system that supports the appropriate dial-in protocols, such as PPP, can connect to a RAS server. Most commonly, the clients are Windows systems that use the dialup networking feature, but any operating system that supports dialup client software will work. Connection to a RAS server can be made over a stan- dard phone line, using a modem, over a network, or via an ISDN   connection.
RAS supports remote connectivity from all the major client operating systems available today, including all newer Windows OSs:
. Windows Server products
. Windows XP/Vista Home-based clients
Windows XP/Vista Professional-based clients
. UNIX-based/Linux clients
. Macintosh-based clients

Although the system is called RAS, the underlying technologies that enable the RAS process are dialup protocols such as Serial Line Internet Protocol (SLIP) and  PPP.

SLIP

SLIP was designed to allow data to be transmitted via Transmission Control Protocol/Internet Protocol (TCP/IP) over serial connections in a UNIX envi- ronment. SLIP did an excellent job, but time proved to be its enemy. SLIP was developed in an atmosphere in which security was not an overriding concern; consequently, SLIP does not support encryption or authentication. It transmits all the data used to establish a connection (username and password) in clear text, which is, of course, dangerous in today’s insecure world.





In addition to its inadequate security, SLIP does not provide error checking or packet addressing, so it can be used only in serial communications. It supports only TCP/IP, and you log in using a terminal   window.



Many operating systems still provide at least minimal SLIP support for back- ward compatibility with older environments, but SLIP has been replaced by a newer and more secure alternative: PPP. SLIP is still used by some government agencies and large corporations in UNIX remote-access applications, so you might come across it from time to time.

PPP

PPP is the standard remote-access protocol in use today. PPP is actually a fam- ily of protocols that work together to provide connection services.
Because PPP is an industry standard, it offers interoperability between different software vendors in various remote-access implementations. PPP provides a number of security enhancements compared to regular SLIP, the most impor- tant being the encryption of usernames and passwords during the authentication process. PPP allows remote clients and servers to negotiate data encryption methods and authentication methods and support new technologies. PPP even lets administrators choose which LAN protocol to use over a remote link. For example, administrators can choose from among NetBIOS Extended User Interface (NetBEUI), NWLink Internetwork Packet Exchange/Sequenced Packet  Exchange  (IPX/SPX),  AppleTalk,  or   TCP/IP.




During the establishment of a PPP connection between the remote system and the server, the remote server needs to authenticate the remote user. It does so by using the PPP authentication protocols. PPP accommodates a number of authentication protocols, and it’s possible on many systems to configure more than one authentication protocol. The protocol used in the authentication process depends on the security configurations established between the remote user and the server. PPP authentication protocols include CHAP, MS-CHAP, MS-CHAP v2, EAP, and PAP. Each of these authentication methods is discussed in the section “Remote Authentication Protocols.”





PPPoE

Point-to-Point Protocol over Ethernet (PPPoE) is a protocol used to connect multiple network users on an Ethernet local area network to a remote site through a common device. For example, using PPPoE, it is possible to have all users on a network share the same link, such as a DSL, cable modem, or wire- less connection to the Internet. PPPoE is a combination of PPP and the  Ethernet protocol, which supports multiple users in a local area network (hence the name). The PPP information is encapsulated within an Ethernet frame.
With PPPoE, a number of different users can share the same physical connec- tion to the Internet. In the process, PPPoE provides a way to keep track of indi- vidual user Internet access times. Because PPPoE allows for individual authen- ticated access to high-speed data networks, it is an efficient way to create a sep- arate connection to a remote server for each user. This strategy allows Internet service providers (ISPs) or administrators to bill or track access on a per-user basis rather than a per-site basis.
Users accessing PPPoE connections require the same information as required with standard dialup phone accounts, including a username and password com- bination. As with a dialup PPP service, an ISP will most likely automatically assign configuration information such as the IP address, subnet mask, default gateway,  and DNS server.
The PPPoE communication process has two stages—the discovery stage and the PPP session stage. The discovery stage uses four steps to establish the PPPoE connection: initiation, offer, request, and session confirmation. These steps rep- resent back-and-forth communication between the client and the PPPoE serv- er. After these steps have been negotiated, the PPP session can be established using familiar PPP authentication protocols.

Remote-Control Protocols

CompTIA lists three protocols that are associated with remote-control access: Remote Desktop Protocol (RDP), Virtual Network Computing (VNC),  and  Citrix Independent Computing Architecture (ICA). RDP is used in a Windows environment. Terminal Services provides a way for a client system to connect to a server, such as Windows Server 2000/2003/2008, and, by using RDP, operate on the server as if they were local client applications. Such a configuration is known as tftin client computing, whereby client systems use the resources of the server instead of their local processing power.



Windows Server products and Windows XP and Vista have built-in support for remote desktop connections. The underlying protocol used to manage the con- nection is RDP. RDP is a low-bandwidth protocol used to send mouse move- ments, keystrokes, and bitmap images of the screen on the server to the client computer. RDP does not actually send data over the connection—only screen- shots and client keystrokes.
VNC consists of a client, a server, and a communication protocol. It is a system whereby a remote user can access the screen of another computer system. As with the other systems mentioned here, VNC allows remote login, in which clients can access their desktop while being physically away from their comput- er. VNC uses remote frame buffer (RFB) protocol. RFB is the backbone allow- ing remote access to another system’s graphical interface.
Finally, Citrix ICA allows clients to access and run applications on a server, using the server’s resources. Only the user interface, keystrokes, and mouse move- ments are transferred between the client system and the server. In effect, even though you are working at the remote computer, the system functions as if you were actually sitting at the computer itself. As with Terminal Services and RDP, ICA is an example of thin client  computing.



Authentication, Authorization, and Accounting  (AAA)

It is important to understand the difference between authentication, authoriza- tion, and accounting. Although these terms are sometimes used interchangeably, they refer to distinct steps that must be negotiated successfully to determine whether a particular request for a resource will result in that resource’s actually being returned.
Autftentication refers to the mechanisms used to verify the identity of the com- puter or user attempting to access a particular resource. Authentication is usu- ally done with a set of credentials—most commonly a username and password. More sophisticated identification methods can include the use of



. Smart cards
. Biometrics
. Voice recognition
. Fingerprints

Autftentication is a significant consideration for network and system security.
Autftorization determines if the person, previously identified and authenticated, is allowed access to a particular resource. This is commonly determined through group association. In other words, a particular group may have a specific level of security clearance.


A bank transaction at an ATM is another good example of authentication and authorization. When a bank card is placed in the ATM, the magnetic strip is read, making it apparent that someone is trying to access a particular account. If the process ended there and access were granted, it would be a significant secu- rity problem, because anyone holding the card could gain immediate access. To authenticate the client, after the card is placed in the ATM, a secret code or per- sonal identification number (PIN) is required. This authentication ensures that it is the owner of the card who is trying to gain access to the bank account.
With the correct code, the client is verified and authenticated, and access is granted. Authorization addresses the specifics of which accounts or features the user is allowed to access after being authenticated, such as a checking or savings account.
Accounting refers to the tracking mechanisms used to keep a record of events on a system. One tool often used for this purpose is auditing. Auditing is the process of monitoring occurrences and keeping a log of what has occurred on a system. A system administrator determines which events should be audited. Tracking events and attempts to access the system helps prevent unauthorized access and provides a record that administrators can analyze to make security changes as necessary. It also provides administrators with solid evidence if they need to look into improper user conduct.


The first step in auditing is to identify what system events to monitor. After the system events are identified, in a Windows environment, the administrator can choose to monitor the success or failure of a system event. For instance, if “logon” is the event being audited, the administrator might choose to log all unsuccessful logon attempts, which might indicate that someone is attempting to gain unauthorized access. Conversely, the administrator can choose to audit all successful attempts to monitor when a particular user or user group is log- ging on. Some administrators prefer to log both events. However, overly ambi- tious audit policies can reduce overall system performance.





Passwords and Password Policies

Although biometrics and smart cards are becoming more common, they still have a very long way to go before they attain the level of popularity that user- name and password combinations enjoy. Apart from the fact that usernames and passwords do not require any additional equipment, which practically every other method of authentication does, the username and password process is familiar to users, easy to implement, and relatively secure. For that reason, they are worthy of more detailed coverage than the other authentication systems already discussed.
Passwords are a relatively simple form of authentication in that only a string of characters can be used to authenticate the user. However, how the string of char- acters is used and which policies you can put in place to govern them make user- names and passwords an excellent form of authentication.

Password Policies
All popular network operating systems include password policy systems that allow the network administrator to control how passwords are used on the sys- tem. The exact capabilities vary between network operating systems. However, generally they allow the following:
. Minimum length of password: Shorter passwords are easier to guess than longer ones. Setting a minimum password length does not prevent a user from creating a longer password than the minimum, although each network operating system has a limit on how long a password can be
. Password expiration: Also. known as the maximum password age, pass- word expiration defines how long the user can use the same password before having to change it. A general practice is that a password be changed every 30 days. In high-security environments, you might want to make this value shorter, but you should generally not make it any longer. Having passwords expire periodically is an important feature, because it means that if a password is compromised, the unauthorized user will not have access indefinitely..
. Prevention of password reuse: Although a system might be able to cause a password to expire and prompt the user to change it, many users are tempted to simply use the same password again. A process by which the system remembers the last, say, 10 passwords is most secure, because it forces the user to create completely new passwords. This feature is sometimes called enforcing password ftistory.



. Prevention of easy-to-guess passwords: Some systems can evaluate the password provided by a user to determine whether it meets a required level of complexity. This prevents users from having passwords such as password, 12345678, their name, or their nickname.



Password Strength
No matter how good a company’s password policy, it is only as effective as the passwords that are created within it. A password that is hard to guess, or strong, is more likely to protect the data on a system than one that is easy to guess, or weak.
To understand the difference between a strong password and a weak one, con- sider this: A password of six characters that uses only numbers and letters and that is not case-sensitive has 10,314,424,798,490,535,546,171,949,056 possible combinations. That might seem like a lot, but to a password-cracking program, it’s really not much security. A password that uses eight case-sensitive characters, with letters, numbers, and special characters, has so many possible combinations that a standard calculator can’t display the actual number.
There has always been debate over how long a password should be. It should be sufficiently long that it is hard to break but sufficiently short that the user can easily remember it (and type it). In a normal working environment, passwords of eight characters are sufficient. Certainly, they should be no fewer than six characters. In environments where security is a concern, passwords should be 10 characters or more.
Users should be encouraged to use a password that is considered strong. A strong password has at least eight characters; has a combination of letters, num- bers, and special characters; uses mixed case; and does not form a proper word. Examples are 3Ecc5T0h and e1oXPn3r. Such passwords might be secure, but users are likely to have problems remembering them. For that reason, a popular strategy is to use a combination of letters and numbers to form phrases or long words. Examples include d1eTc0La and tAb1eT0p. These passwords might not be quite as secure as the preceding examples, but they are still very strong and a whole lot better than the name of the user’s pet.



Kerberos Authentication

Kerberos is an Internet Engineering Task Force (IETF) standard for providing authentication. It is an integral part of network security. Networks, including the Internet, can connect people from all over the world. When data travels from one point to another across a network, it can be lost, stolen, corrupted, or misused. Much of the data sent over networks is sensitive, whether it is medical, financial, or otherwise. A key consideration for those responsible for the net- work is maintaining the confidentiality of the data. In the networking world, Kerberos plays a significant role in data confidentiality.
In a traditional authentication strategy, a username and password are used to access network resources. In a secure environment, it might be necessary to pro- vide a username and password combination to access each network service or resource. For example, a user might be prompted to type in her username and password when accessing a database, and again for the printer and again for Internet access. This is a very time-consuming process, and it can also present a security risk. Each time the password is entered, there is a chance that someone will see it being entered. If the password is sent over the network without encryption, it might be viewed by malicious eavesdroppers.
Kerberos was designed to fix such problems by using a method requiring only a single sign-on. This single sign-on allows a user to log into a system and access multiple systems or resources without the need to re-enter the username and password repeatedly. Additionally, Kerberos is designed to have entities authen- ticate themselves by demonstrating possession of secret information.
Kerberos is one part of a strategic security solution that provides secure authen- tication services to users, applications, and network devices by eliminating the insecurities caused by passwords being stored or transmitted across the network. Kerberos is used primarily to eliminate the possibility of a network “eavesdrop- per” tapping into data over the network—particularly usernames and passwords. Kerberos ensures data integrity and blocks tampering on the network. It employs message privacy (encryption) to ensure that messages are not visible to eaves- droppers on the network.
For the network user, Kerberos eliminates the need to repeatedly demonstrate possession of private or secret information.





Kerberos is designed to provide strong authentication for client/server applica- tions by using secret-key cryptography. Cryptography is used to ensure that a client can prove its identity to a server (and vice versa) across an insecure net- work connection. After a client and server have used Kerberos to prove their identity, they can also encrypt all their communications to ensure privacy and data integrity.



The key to understanding Kerberos is to understand the secret key cryptogra- phy it uses. Kerberos uses symmetric key cryptograpfty, in which both client and server use the same encryption key to cipher and decipher data.
In secret key cryptography, a plain-text message can be converted into cipher- text (encrypted data) and then converted back into plain text using one key. Thus, two devices share a secret key to encrypt and decrypt their communica- tions.
                 


Kerberos authentication works by assigning a unique key (called a ticket) to each client that successfully authenticates to a server. The ticket is encrypted and contains the user’s password, which is used to verify the user’s identity when a particular network service is requested. Each ticket is time-stamped. It expires after a period of time, and a new one is issued. Kerberos works in the same way that you go to a movie. First, you go to the ticket counter, tell the person what movie you want to see, and get your ticket. After that, you go to a turnstile and hand the ticket to someone else, and then you’re “in.” In simplistic terms, that’s Kerberos.




Public Key Infrastructure

A Public Key Infrastructure (PKI) is a collection of software, standards, and policies that are combined to allow users from the Internet or other unsecured public networks to securely exchange data. PKI uses a public and private cryp- tographic key pair that is obtained and shared through a trusted authority. Services and components work together to develop the PKI. Some of the key components of a PKI include the  following:
. Certificates: A form of electronic credentials that validates users, com- puters, or devices on the network. A certificate is a digitally signed state- ment that associates the credentials of a public key to the identity of the person, device, or service that holds the corresponding private key.
. Certificate authorities (CAs): CAs issue and manage certificates. They validate the identity of a network device or user requesting data. CAs can be either independent third parties, known as a public CA, or they can be organizations running their own certificate-issuing server software, known as private CAs.
. Certificate templates: Templates used to customize certificates issued by a Certificate Server. This customization includes a set of rules and settings created on the CA and used for incoming certificate requests.
. Certificate Revocation List (CRL): A list of certificates that were revoked before they reached the certificate expiration date. Certificates are often revoked due to security concerns such as a compromised cer- tificate.



Public Keys and Private Keys
A cornerstone concept of the PKI infrastructure is public and private keys. Recall from Figure 9.5 that symmetric key cryptography is a system in which both client and server use the same encryption key to cipher and decipher data. The term key is used for very good reason—public and private keys are used to lock (encrypt) and unlock (decrypt) data. These keys are actually long numbers, making it next to impossible for someone to access a particular key. When keys are used to secure data transmissions, the computer generates two different types of keys:
. Public key: A nonsecret key that forms half of a cryptographic key pair that is used with a public key algorithm. The public key is freely given to all potential receivers.
. Private key: The secret half of a cryptographic key pair that is used with a public key algorithm. The private part of the public key cryptography system is never transmitted over a network.
Keys can be used in two different ways to secure data communications:
. Public (asymmetric) key encryption uses both a private and public key to encrypt and decrypt messages. The public key is used to encrypt a mes- sage or verify a signature, and the private key is used to decrypt the mes- sage or to sign a document.
FIGURE 9.6   Public (asymmetric) key encryption.

. Private (symmetric) key encryption uses a single key for both encryption and decryption. If a person possesses the key, he or she can both encrypt and decrypt messages. Unlike public keys, this single secret key cannot be shared with anyone except people who should be permitted to decrypt as well as encrypt messages.






Where Is PKI Used?
The following list discusses areas in which PKI is normally used. Knowing what PKI is used for gives you a better idea of whether it is needed in a particular network.
. Web security: As you know, the Internet is an unsecured network. PKI increases web security by offering server authentication, which enables client systems to validate that the server they are communicating with is indeed the intended sever. Without this information, it is possible for people to place themselves between the client and the server and inter- cept client data by pretending to be the server. PKI also offers client authentication, which validates the client’s identity.
. Confidentiality: PKI provides secure data transmissions using encryp- tion strategies between the client and the server. In application, PKI works with the Secure Socket Layer (SSL) protocol and the Transport Layer Security (TLS) protocol to provide secure HTTP transfers, referred to as Hypertext Transport Protocol Secure (HTTPS). To take advantage of the SSL and TLS protocols, both the client system and the server require certificates issued by a mutually trusted certificate authori- ty (CA).
. Digital signatures: Digital signatures are the electronic equivalent of a sealed envelope and are intended to ensure that a file has not been altered in transit. Any file with a digital signature is used to verify not only the publishers of the content or file, but also to verify the content integrity at the time of download. On the network, PKI allows you to issue certificates to internal developers/contractors and allows any employee to verify the origin and integrity of downloaded applications.
. Secure email: Today’s organizations rely heavily on email to provide external and internal communications. Some of the information sent via email is not sensitive and does not need security, but for communications that contain sensitive data, a method is needed to secure email content. PKI can be deployed as a method for securing email transactions. In application, a private key is used to digitally sign outgoing emails, and the sender’s certificate is sent with the email so that the recipient of the email can verify the sender’s signature.






RADIUS and TACACS+

Among the potential issues network administrators face when implementing remote access are utilization and the load on the remote-access server. As a net- work’s remote-access implementation grows, reliance on a single remote-access server might be impossible, and additional servers might be required. RADIUS can help in this scenario.





RADIUS functions as a client/server system. The remote user dials in to the remote-access server, which acts as a RADIUS client, or network access server (NAS), and connects to a RADIUS server. The RADIUS server performs authentication, authorization, and auditing (or accounting) functions and returns the information to the RADIUS client (which is a remote-access server running RADIUS client software); the connection is either established or reject- ed based on the information received.
Terminal Access Controller Access Control System+ (TACACS+) is a security protocol designed to provide centralized validation of users who are attempting to gain access to a router or Network Access Server (NAS). Like RADIUS, TACACS+ is a set of security protocols designed to provide authentication, authorization, and accounting (AAA) of remote users. TACACS uses TCP port  49 by default.
Although both RADIUS and TACACS+ offer AAA services for  remote  users, some noticeable differences  exist:
. TACACS+ relies on TCP for connection-oriented delivery. RADIUS uses connectionless UDP for data delivery.
. RADIUS combines authentication and authorization, whereas TACACS+ can separate their functions.









Remote Authentication Protocols

One of the most important decisions an administrator needs to make when designing a remote-access strategy is the method by which remote users will be authenticated. Authentication is simply the way in which the client and server negotiate a user’s credentials when the user tries to gain access to the network. The exact protocol used by an organization depends on its security policies. The authentication methods may include the following:
. Microsoft Challenge Handshake Authentication Protocol (MS- CHAP): MS-CHAP is used to authenticate remote Windows worksta- tions, providing the functionality to which LAN-based users are accus- tomed while integrating the hashing algorithms used on Windows net- works. MS-CHAP works with PPP, PPTP,  and  L2TP  network  connec- tions. MS-CHAP uses a challenge/response mechanism to keep the pass- word from being sent during the authentication process. MS-CHAP uses the Message Digest 5 (MD5) hashing algorithm and the Data    Encryption Standard (DES) encryption algorithm to generate the chal- lenge and response. It provides mechanisms for reporting connection errors and for changing the user’s password.
. Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2): The second version of MS-CHAP brings with it enhancements over its predecessor, MS-CHAP. These enhancements include support for two-way authentication and a few changes in how the cryptographic key is analyzed. As far as authentication methods are con- cerned, MS-CHAP version 2 is the most secure. MS-CHAP works with PPP, PPTP, and L2TP network connections.



. Extensible Authentication Protocol (EAP): EAP is an extension of   PPP that supports authentication methods that go beyond the simple submission of a username and password. EAP was developed in response to an increasing demand for authentication methods that use other types of security devices such as token cards, smart cards, and digital certifi- cates.
. Challenge Handshake Authentication Protocol (CHAP): CHAP is a widely supported authentication method and works much the same way as MS-CHAP. A key difference between the two is that CHAP supports non-Microsoft remote-access clients. CHAP allows for authentication without actually having the user send his password over the network.
Because it’s an industry standard, it allows Windows Server 2003/2008 and Windows Vista to behave as a remote client to almost any third- party PPP server.
. Password Authentication Protocol (PAP): Use PAP only if necessary. PAP is a simple authentication protocol in which the username and pass- word are sent to the remote-access server in clear text, making it possible for anyone listening to network traffic to steal both. PAP typically is used only when connecting to older UNIX-based remote-access servers that  do not support any additional authentication protocols.
. Unauthenticated access: Users are allowed to log on without authenti- cation.

Choosing the correct authentication protocol for remote clients is an important part of designing a secure remote-access strategy. After they are authenticated, users have access to the network and servers. It is recommended that adminis- trators start with the most secure protocol, MS-CHAP v2, and step down the list.



Physical Security

Physical security is a combination of good sense and procedure. The purpose of physical security is to restrict access to network equipment to only people who need it.



The extent to which physical security measures can be implemented to protect network devices and data depends largely on their location. For instance, if a server is installed in a cabinet located in a general office area, the only practical physical protection is to make sure that the cabinet door is locked and that access to keys for the cabinet is controlled. It might be practical to use other antitheft devices, but that depends on the exact location of the cabinet.
On the other hand, if your server equipment is located in a cupboard or dedicat- ed room, access restrictions for the room are easier to implement and can be more effective. Again, access should be limited to only those who need it. Depending on the size of the room, this factor might introduce a number of other  factors.
Servers and other key networking components are those to which you need to apply the greatest level of physical security. Nowadays, most organizations choose to locate servers in a cupboard or a specific room.

Server Room Access

Access to the server room should be tightly controlled, and all access doors must be secured by some method, whether it is a lock and key or a retinal scanning system. Each method of server room access control has certain characteristics. Whatever the method of server room access, it should follow one common prin- ciple—control. Some access control methods provide more control than others.

Lock and Key
If access is controlled by lock and key, the number of people with a key should be restricted to only those people who need access. Spare keys should be stored in a safe location, and access to them should be controlled.
Here are some of the features of lock-and-key security:
. Inexpensive: Even a very good lock system costs only a few hundred dollars.
. Easy to maintain: With no back-end systems and no configuration, using a lock and key is the easiest access control method.
. Less control than other methods: Keys can be lost, copied, and loaned to other people. There is no record of access to the server room and no way of proving that the key holder is entitled to enter.





Swipe Card and PIN Access
If budgets and policies permit, swipe card and PIN entry systems are good choices for managing physical access to a server room. Swipe card systems use a credit-card-sized plastic card that is read by a reader on the outside of the door. To enter the server room, you must swipe the card (run it through the reader), at which point it is read by the reader, which validates it. Usually, the swipe card’s use to enter the room is logged by the card system, making it possible for the logs to be checked. In higher-security installations, it is common to have a swipe card reader on the inside of the room as well so that a person’s exit can be recorded.
Although swipe card systems have relatively few disadvantages, they do need specialized equipment so that they can be coded with users’ information. They also have the same drawbacks as keys in that they can be lost or loaned to other people. Of course, the advantage that swipe cards have over key systems is that swipe cards are very hard to copy.
PIN pads can be used alone or with a swipe card system. PIN pads have the advantage of not needing any kind of card or key that can be lost. For the budg- et conscious, PIN pad systems that do not have any logging or monitoring capa- bility can be purchased for a reasonable price. Here are some of the character- istics of swipe card and PIN pad systems:
. Moderately expensive: Some systems, particularly those with manage- ment capabilities, are quite expensive.
. Enhanced controls and logging: Each time someone enters the server room, he or she must key in a number or use a swipe card. This process enables systems to log who enters and when.
. Some additional knowledge required: Swipe card systems need special software and hardware that can configure the cards. Someone has to learn how to do this.


Biometrics
Although they might still seem like the realm of James Bond, biometric securi- ty systems are becoming far more common. Biometric systems work by utilizing some unique characteristic of a person’s identity—such as a fingerprint, a palm print, or even a retina scan—to validate that person’s identity.
Although the price of biometric systems has been falling over recent years, they are not widely deployed in small to midsized networks. Not only are the systems themselves expensive, but their installation, configuration, and    maintenance



must be considered. Here are some of the characteristics of biometric access control systems:
. Very effective: Because each person entering the room must supply proof-of-person evidence, verification of the person entering the server area is as close to 100% reliable as you can get.
. Nothing to lose: Because there are no cards or keys, nothing can be lost.
. Expensive: Biometric security systems and their attendant scanners and software are still relatively expensive and can be afforded only by organi- zations that have a larger budget, although prices are sure to drop as more people turn to this method of access control.


Secured Versus Unsecured Protocols

As you know, any network needs a number of protocols in order to function. This includes both LAN and WAN protocols. Not all protocols are created the same. Some are designed for secure transfer, and others are not. Table 9.1 lists several protocols and describes their use.

Table 9.1
Protocol Summary

Protocol
Name
Description
FTP
File Transfer Protocol
A protocol for uploading and downloading files to and from a remote host. Also accommodates basic file management tasks.
SFTP
Secure File Transfer Protocol
A protocol for securely uploading and downloading files to and from a remote host. Based on SSH security.
HTTP
Hypertext Transfer Protocol
A protocol for retrieving files from a web server. Data is sent in clear text.
HTTPS
Hypertext Transfer Protocol Secure
A secure protocol for retrieving files from a web server. HTTPS uses SSL to encrypt data between the client and host.
Telnet
Telnet
Allows sessions to be opened on a remote host.
SSH
Secure Shell
A secure alternative to Telnet that allows secure sessions to be opened on a remote host.
RSH
A UNIX utility used to run a command on a remote machine
Replaced by SSH because RSH sends all data in clear text.





Table 9.1 Protocol Summary Continued
SCP                Secure Copy Protocol             Allows files to be copied securely between two
systems. Uses Secure Shell (SSH) technology to provide encryption services.
RCP                Remote Copy Protocol            Copies files between systems, but transport is

not secured.
SNMPv1/2     Simple Network               A network monitoring system used Management Protocol           to monitor the network’s condition. Both versions 1 and 2                               SNMPv1 and v2 are not secured.
SNMPv3         Simple Network               An enhanced SNMP service offering both Management Protocol                encryption and authentication services. version 3





Managing Common Security Threats

Malicious software, or malware, is a serious problem in today’s computing envi- ronments. It is often assumed that malware is composed of viruses. Although this typically is true, many other forms of malware by definition are not viruses, but are equally undesirable.
Malware encompasses many different types of malicious software:
. Viruses: Software programs or code that are loaded onto a computer without the user’s knowledge. After it is loaded, the virus performs some form of undesirable action on the computer.
. Macro viruses: Although they are still a form of virus, macro viruses are specifically designed to damage office or text documents.
. Worms: Worms are a nasty form of software that propagate automatical- ly and silently without modifying software or alerting the user. After they are inside a system, they can carry out their intended harm, whether it is to damage data or relay sensitive information.



. Trojan horses: Trojan horses appear as helpful or harmless programs but, when installed, carry and deliver a malicious payload. A Trojan horse virus might, for example, appear to be a harmless or free online game, but, when activated, is actually malware.
. Spyware: Spyware covertly gathers system information through the user’s Internet connection without his or her knowledge, usually for advertising purposes. Spyware applications typically are bundled as a hid- den component of freeware or shareware programs that can be down- loaded from the Internet.


More on Viruses

Viruses and their effects are well documented and are feared by users and administrators alike. The damage from viruses varies greatly, from disabling an entire network to damaging applications on a single system. Regardless of the impact, viruses can be destructive, causing irreplaceable data loss and consum- ing hours of productivity.
As mentioned, not all the malware encountered is by definition a virus. To be considered a virus, the malware must possess the following characteristics:
. It must be able to replicate itself.
. It requires a host program as a carrier.
. It must be activated or executed in order to run.

Many different types of viruses exist:
. Resident virus: A resident virus installs itself into the operating system and stays there. It typically places itself in memory and from there infects and does damage. The resident loads with the operating system on boot.
. Variant virus: Like any other applications, from time to time viruses are enhanced to make them harder to detect and to modify the damage they do. Modifications to existing viruses are called variants because they are rereleased versions of known viruses.
. Polymorphic virus: One particularly hard-to-handle type of virus is the polymorphic. It can change its characteristics to avoid detection.
Polymorphic viruses are some of the most difficult types to detect and remove.



. Overwriting/nonoverwriting virus: Viruses can be designed to over- write files or code and replace them with modified data. In many cases the application can function as normal so that the user does not know the program has been modified. Nonoverwriting viruses amend an appli- cation by adding files or code.
. Stealth virus: A stealth virus can hide itself to avoid detection. Such viruses often fool detection programs by appearing as legitimate pro- grams or hiding within legitimate programs.
. Macro virus: Macro viruses are designed to infect and corrupt docu- ments. Because documents are commonly shared, these viruses can spread at an alarming rate.




More on Worms and Trojan Horses

Trojan horses, as the name implies, are about hiding. Trojan horses come hid- den in other programs. For example, a Trojan horse can be hidden in a share- ware game. The game looks harmless, but when it is downloaded and executed, the Trojan is operating in the background, corrupting and damaging the system.
Trojan horses are different from viruses because they do not replicate them- selves and do not require a host program to run. They are commonly found on P2P sharing networks where interesting and helpful-looking programs are actu- ally disguised Trojan horses. Trojan horses are also spread when programs are shared using email communications or removable media. In the past, many exe- cutable jokes sent through email, such as cartoons and amusing games, were in fact the front end of a Trojan  horse.
Worms are different and have the potential to spread faster than any other form of malware. Worms can be differentiated from viruses. Although they can repli- cate, they do not require a host and do not require user intervention to propa- gate. Worms can spread at an alarming rate because they often exploit security holes in applications or operating systems. As soon as a security hole is found, worms automatically begin to replicate, looking for new hosts with the same vul- nerability. Worms look for an Internet connection and then use that connection to replicate without any user intervention. Table 9.2 describes the  differences



between worms, Trojan horses, and viruses.

Malware Type
Replication
Host Required?
User Intervention Required?

 
Table 9.2   Comparing Malware Types


Virus
Can self-replicate.
Requires a host program to propagate.
Needs to be activated or executed by a user.
Trojan horse
Does not replicate itself.
Does not require a host program.
The user must execute the program in which the Trojan horse is hidden.
Worm
Self-replicates without user intervention.
Self-contained and does not require
a host.
Replicates and activates without requiring user intervention.

Denial of Service and Distributed Denial of Service Attacks
Denial of service (DoS) attacks are designed to tie up network bandwidth and resources and eventually bring the entire network to a halt. This type of attack is done simply by flooding a network with more traffic than it can handle. A DoS attack is not designed to steal data but rather to cripple a network and, in doing so, cost a company huge amounts of dollars.
The effects of DoS attacks include the  following:
. Saturating network resources, which then renders those services unusable.
. Flooding the network media, preventing communication between com- puters on the network.
. User downtime because of an inability to access required services.
. Potentially huge financial losses for an organization due to network and service downtime.


Types of Denial of Service Attacks
Several different types of DoS attacks exist, and each seems to target a different area. For instance, they might target bandwidth, network service, memory, CPU, or hard drive space. When a server or other system is overrun by mali-



cious requests, one or more of these core resources breaks down, causing the system to crash or stop responding.
. Fraggle: In a Fraggle attack, spoofed UDP packets are sent to a net- work’s broadcast address. These packets are directed to specific ports, such as port 7 or port 19, and, after they are connected, can flood the system.
. Smurf: The Smurf attack is similar to a Fraggle attack. However, a ping request is sent to a broadcast network address, with the sending address spoofed so that many ping replies overload the victim and prevent it from processing the replies.
. Ping of death: With this attack, an oversized ICMP datagram is used to crash IP devices that were manufactured before 1996.
. SYN flood: In a typical TCP session, communication between two com- puters is initially established by a three-way handshake, referred to as a SYN, SYN/ACK, ACK. At the start of a session, the client sends a SYN message to the server. The server acknowledges the request by sending a SYN/ACK message back to the client. The connection is established when the client responds with an ACK message.
In a SYN attack, the victim is overwhelmed with a flood of SYN packets. Every SYN packet forces the targeted server to produce a SYN-ACK response and then wait for the ACK acknowledgment. However, the attacker doesn’t respond with an ACK or spoofs its destination IP  address with a nonexistent address so that no ACK response occurs. The result is that the server begins filling up with half-open connections.
When all the server’s available resources are tied up on half-open con- nections, it stops acknowledging new incoming SYN requests, including legitimate ones.
. ICMP flood: An ICMP flood, also known as a ping flood, is a denial of service attack in which large numbers of ICMP messages are sent to a computer system to overwhelm it. The result is a failure of the TCP/IP protocol stack, which cannot tend to other TCP/IP  requests.


Other Common Attacks

The following are some of the more common attacks used today:
. Password attacks: Password attacks are one of the most common types of attacks. Typically, usernames are easy to obtain. Matching the user-



name with the password allows the intruder to gain system access to the level associated with that particular user. This access is why it is vital to protect administrator passwords. Obtaining a password with administra- tor privileges provides the intruder with unrestricted access to the system or network.
. Social engineering: Social engineering is a common form of cracking. It can be used by both outsiders and people within an organization. Social engineering is a hacker term for tricking people into revealing their pass- word or some form of security information. It might include trying to   get users to send passwords or other information over email, shoulder surfing, or any other method that tricks users into divulging information. Social engineering is an attack that attempts to take advantage of human behavior.
. Eavesdropping: As the name implies, eavesdropping involves an intrud- er who obtains sensitive information such as passwords, data, and proce- dures for performing functions by intercepting, listening to, and analyz- ing network communications. It is possible for an intruder to eavesdrop by wiretapping, using radio, or using auxiliary ports on terminals. It is also possible to eavesdrop using software that monitors packets sent over the network. In most cases, it is difficult to detect eavesdropping, making it important to ensure that sensitive data is not sent over the network in clear text.
. Back door attacks: In a back door attack, an attacker gains access to a computer or program by bypassing standard security mechanisms. For instance, a programmer might install a back door so that the program can be accessed for troubleshooting or other purposes. Sometimes, as discussed earlier, nonessential services are installed by default, and it is possible to gain access using one of these unused services.
. Man-in-the-middle attack: In a man-in-the-middle attack, the intruder places himself between the sending and receiving devices and captures the communication as it passes by. The interception of the data is invisi- ble to those actually sending and receiving the data. The intruder can capture the network data and manipulate it, change it, examine it, and then send it on. Wireless communications are particularly susceptible to this type of attack. A rogue access point is an example of a man-in-the- middle attack.
. Spoofing: Spoofing is a technique in which the real source of a transmis- sion, file, or email is concealed or replaced with a fake source. This tech- nique enables an attacker, for example, to misrepresent the original



source of a file available for download. Then he can trick users into accepting a file from an untrusted source, believing it is coming from a trusted source.
. Rogue access points: A rogue access point describes a situation in  which a wireless access point has been placed on a network without the administrator’s knowledge. The result is that it is possible to remotely access the rogue access point, because it likely does not adhere to compa- ny security policies. So all security can be compromised by a cheap wire- less router placed on the corporate network.
. Phishing: Often users receive a variety of emails offering products, serv- ices, information, or opportunities. Unsolicited email of this type is called pftisfting (pronounced “fishing”). This technique involves a bogus offer that is sent to hundreds of thousands or even millions of email addresses. The strategy plays the odds. For every 1,000 emails sent, per- haps one person replies. Phishing can be dangerous, because users can be tricked into divulging personal information such as credit card numbers or bank account information.




An Ounce of Prevention

The threat from malicious code is a very real concern. It is important to take precautions to protect our systems. Although it might not be possible to elimi- nate the threat, you can significantly reduce it.
One of the primary tools used in the fight against malicious software is antivirus software. Antivirus software is available from a number of companies, and each offers similar features and capabilities. The following is a list of the common features and characteristics of antivirus  software:
. Real-time protection: An installed antivirus program should continu- ously monitor the system, looking for viruses. If a program is down- loaded, an application opened, or a suspicious email received, the real- time virus monitor detects and removes the threat. The virus application sits in the background, largely unnoticed by the user.



. Virus scanning: An antivirus program must be able to scan selected drives and disks, either locally or remotely. Scanning can be run manual- ly or can be scheduled to run at a particular time.
. Scheduling: It is a best practice to schedule virus scanning to occur automatically at a predetermined time. In a network environment, this typically is off hours, when the overhead of the scanning process won’t impact users.
. Live updates: New viruses and malicious software are released with alarming frequency. It is recommended that the antivirus software be configured to receive virus updates regularly.
. Email vetting: Emails represent one of the primary sources of virus delivery. It is essential to use antivirus software that provides email scan- ning for both inbound and outbound email.
. Centralized management: If used in a network environment, it is a good idea to use software that supports managing the virus program from the server. Virus updates and configurations only need to be made on the server, not on each individual client station.

Managing the threat from viruses is considered a proactive measure, with antivirus software being only part of the solution. A complete virus protection strategy requires many aspects to help limit the risk of viruses:
. Develop in-house policies and rules: In a corporate environment or even a small office, it is important to establish what information can be placed on a system. For example, should users be able to download pro- grams from the Internet? Can users bring in their own storage media, such as USB flash drives?
. Monitoring virus threats: With new viruses coming out all the time, it is important to check whether new viruses have been released and what they are designed to do.
. Educate users: One of the keys to a complete antivirus solution is to train users in virus prevention and recognition techniques. If users know what they are looking for, they can prevent a virus from entering the sys- tem or network. Back up copies of important documents. It should be mentioned that no solution is absolute, so care should be taken to ensure that the data is backed up. In the event of a malicious attack, redundant information is available in a secure location.



. Automate virus scanning and updates: Today’s antivirus software can be configured to scan and update itself automatically. Because such tasks can be forgotten and overlooked, it is recommended that you have these processes scheduled to run at predetermined times.
. Patches and updates: All applications, including productivity software, virus checkers, and especially the operating system, release patches and updates often designed to address potential security weaknesses.

Administrators must keep an eye out for these patches and install them when they are released.