Transcript of CIST 1601 Information Security Fundamentals, Chapter 3: Infrastructure and Connectivity. Date posted: 21-Dec-2015. Category: Documents.

Page 1:

CIST 1601 Information Security Fundamentals

Chapter 3 Infrastructure and Connectivity

Collected and Compiled By JD Willard, MCSE, MCSA, Network+, Microsoft IT Academy Administrator, Computer Information Systems Technology, Albany Technical College

Page 2: Understanding Infrastructure Security

Infrastructure security deals with the most basic aspect of how information flows and how work occurs in your network and systems. This includes servers, networks, network devices, workstations, and the processes in place to facilitate work.

Your network is composed of a variety of media and devices that both facilitate communications and provide security.

Some of these devices (such as routers, modems, and PBX systems) provide external connectivity from your network to other systems and networks.

Some of the devices (such as CD-Rs, disks, USB thumb drives, and tape) provide both internal archival storage and working storage for your systems.

Networks are tied together using the Internet and other network technologies, thereby making them vulnerable to any number of attacks.

To provide reasonable security, you must know how these devices work and how they provide, or fail to provide, security.

Each time you add a device, change configurations, or switch technologies, you’re potentially altering the fundamental security capabilities of your network.

The job of a security professional is to eliminate the obvious threats, to anticipate how the next creative assault on your infrastructure might occur, and to be prepared to neutralize it before it happens. A network is no more secure than its weakest node.

Page 3: Working with Hardware Components

Network hardware components include physical devices such as routers, servers, firewalls, workstations, and switches. From a security perspective you must evaluate your network from the standpoint of each and every device within it. It cannot be overstated: the complexity of most networks makes securing them extremely complicated. To provide reasonable security, you must evaluate every device to determine its unique strengths and vulnerabilities.

A network with Internet connections. Internet connections expose your network to the highest number of external threats, and these threats can come from virtually any location worldwide.

Network Separation (2:52)

Page 4: Working with Software Components

Hardware exists to run software. The software is intended to make the hardware components easy to configure and easy to support; however, that software can also make the hardware easy to bypass. Network infrastructure includes servers and workstations running operating systems, routers, firewalls, and dedicated devices that have their own communications and control programs. This situation leaves networks open to attacks and security problems because many of these systems work independently. Many larger organizations have built a single area for network monitoring and administrative control of systems called a Network Operations Center (NOC). This centralization lets you see a larger overall picture of the network, and it lets you take actions on multiple systems or network resources if an attack is under way. Using a NOC makes it easier to see how an attack develops and to provide countermeasures.

NOCs are expensive and require a great deal of support: factors beyond the economies of scale of all but the largest businesses. After a NOC is developed and implemented, it must be constantly evaluated and changed as needed.

Page 5: Understanding the Different Network Infrastructure Devices - Firewalls

Firewalls, Routers, and Switches (7:47)

All-in-one Security Appliances and Spam Filters (2:36)

A firewall is a component placed on computers and networks to help eliminate undesired access by the outside world. It can be composed of hardware, software, or a combination of both. Firewalls are the front-line defense devices for networks that are connected to the Internet.

A firewall protects hosts on an internal private network from attackers on an external public network by:

Packet filtering
Port filtering
IP address filtering

A software firewall is a program that runs within an OS, such as Linux, Unix, or Windows. With a software firewall, adding interfaces is as easy as adding and configuring another NIC. It is easier to make configuration errors in a software firewall.

A hardware firewall is also referred to as an appliance firewall. Appliance firewalls are often designed as stand-alone black box solutions that can be plugged in to a network and operated with minimal configuration and maintenance. A hardware firewall is purchased with a fixed number of interfaces available. Hardware firewalls outperform and generally provide increased security over software firewalls.

Page 6: Packet Filter Firewalls

Firewall Rules (7:57)

A packet-filtering firewall is typically a router and operates at the Network layer of the OSI model.

A packet-filtering firewall looks at a data packet only to obtain the source and destination addresses and the protocol and port used. This information is then compared to the configured packet-filtering rules to decide whether the packet will be dropped or forwarded to its destination. A packet-filtering firewall examines only the packet header information, not the data or payload.

Packet filters examine each incoming (and usually outgoing) packet, then pass or discard it based on these packet header fields:

Source and destination IP address
Specified port numbers
Specific protocols (TCP, UDP, ICMP)

Packet-filtering solutions are generally considered less secure firewalls because they judge each packet on its own, with no knowledge of the session it belongs to: a packet that matches an allow rule gets inside the network whether or not it is part of a legitimate conversation, so a rule written to admit reply traffic also admits anything an attacker crafts to look like a reply.

The packet-filtering firewall provides high performance.

Page 7: Proxy Firewalls

Proxy firewalls serve as go-betweens for the network and the Internet by processing requests received from external networks and reprocessing them for use internally. This type of firewall has a set of rules that the packets must pass to get in or out.

The primary security feature of a proxy firewall is that it hides the client information. It can be used to hide the internal addresses from the outside world through Network Address Translation (NAT), which does not allow the computers on the network to directly access the Internet. NAT rewrites a packet's IP address before sending it through another network. The proxy is the only computer on the network that communicates with untrusted computers. If the organization is using the proxy server for both Internet connectivity and web content caching, the proxy server should be placed between the internal network and the Internet, with access for users who are requesting the web content. A proxy-based firewall provides greater network isolation than a stateful firewall.

A proxy firewall blocking network access from external networks

Page 8: Proxy Firewalls

Web Application Firewalls (3:05)

An application firewall is typically integrated into another type of firewall to filter traffic at the Application layer of the OSI model. The proxy function can occur at either the application level or the circuit level.

A circuit-level proxy creates a virtual circuit between the firewall clients and relays the bytes of a session without interpreting the protocol carried. An application-level proxy instead has a dedicated portion of the firewall for each protocol, concerned only with how to properly filter that protocol's data. This type of server is advanced and must know the rules and capabilities of the protocol used. A unique application-level proxy server must exist for each protocol supported.

Unlike a circuit-level firewall, which decides on the IP address and port of the data packet alone, an application-level firewall filters on the content of the application protocol itself. An application-level proxy firewall has the greatest cost to network performance because it requires more processing per packet.
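The per-protocol parsing that the paragraph above describes, shown for HTTP/1.x. This is an added example and not code from the slides or from any product they mention; the allowed host, the method set and the size limits are assumptions made for the example, and the four sample requests are constructed. The point it makes is the one the text makes: an application-level proxy must understand the protocol to judge a request (a TRACE method, a percent-encoded path traversal, a body that does not match its Content-Length), none of which is visible to a filter that sees only addresses and ports.

```python
"""Application-level proxy filter for one protocol (HTTP/1.x).

Added example, not from the slides. The allowed hosts and limits are
assumptions for the example; the sample requests are constructed."""
from typing import Dict, Tuple
from urllib.parse import unquote

ALLOWED_METHODS = {"GET", "HEAD", "POST"}
ALLOWED_HOSTS = {"www.example.com"}       # assumed: the site this proxy fronts
MAX_HEADER_BLOCK = 8192                   # bytes
MAX_HEADERS = 50


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str], bytes]:
    """Strict HTTP/1.x request parser: rejects anything it does not understand
    rather than guessing, which is what a protocol-aware proxy is for."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    if len(head) > MAX_HEADER_BLOCK:
        raise ValueError("header block too large")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        raise ValueError("malformed request line")
    method, target, _version = parts
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if len(headers) >= MAX_HEADERS:
            raise ValueError("too many headers")
        name, colon, value = line.partition(":")
        if not colon or not name or name != name.strip():
            raise ValueError("malformed header")     # e.g. "Host : x" style tricks
        if name.lower() in headers:
            raise ValueError("duplicate header " + name)
        headers[name.lower()] = value.strip()
    return method, target, headers, body


def filter_request(raw: bytes) -> Tuple[str, str]:
    """Returns ("allow", "ok") or ("deny", reason)."""
    try:
        method, target, headers, body = parse_request(raw)
    except ValueError as exc:
        return "deny", str(exc)
    if method not in ALLOWED_METHODS:
        return "deny", "method not allowed: " + method
    if headers.get("host") not in ALLOWED_HOSTS:
        return "deny", "host not served here"
    # Decode percent-encoding before checking the path, so %2e%2e is seen as ..
    path = unquote(target.split("?", 1)[0])
    if not path.startswith("/") or ".." in path.split("/"):
        return "deny", "path traversal"
    if "content-length" in headers:
        if not headers["content-length"].isdigit():
            return "deny", "bad content-length"
        if int(headers["content-length"]) != len(body):
            return "deny", "content-length does not match body"   # truncation or smuggling
    elif body:
        return "deny", "body without content-length"
    return "allow", "ok"


# Constructed sample requests.
GOOD = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
BAD_METHOD = b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
TRAVERSAL = b"GET /static/%2e%2e/%2e%2e/etc/passwd HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
SMUGGLE = b"POST /login HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 5\r\n\r\nabc"

if __name__ == "__main__":
    for name, req in (("GOOD", GOOD), ("BAD_METHOD", BAD_METHOD),
                      ("TRAVERSAL", TRAVERSAL), ("SMUGGLE", SMUGGLE)):
        print(name, filter_request(req))
```

Every rejection names a reason, because a proxy that silently drops requests is hard to operate; in production the reason goes to a log, not back to the client.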

Page 9: Proxy Firewalls

A proxy firewall typically uses two network interface cards (NICs). This type of firewall is referred to as a dual-homed firewall.

Dual-homed computers have two NICs installed, each connected to a separate network. A dual-homed firewall has two network interfaces. One interface connects to the public network, usually the Internet. The other interface connects to the private network. IP forwarding and routing between the two interfaces should be disabled on the firewall host, so that the only path between the networks is through the proxy software and network segregation is actually enforced.

A dual-homed firewall segregating two networks from each other

Page 10: Stateful Inspection Firewalls

Stateful inspection is also referred to as stateful packet filtering.

A stateful-inspection firewall combines the techniques of the other firewall types and is suited for main perimeter security. Stateful-inspection firewalls can thwart port scanning by keeping ports closed until a connection to the specific port is requested.

Stateful inspection firewalls work at the Network and Transport layers to provide an additional layer of security: they monitor the state of each connection rather than judging packets one at a time.

Most of the devices used in networks don't keep track of how information is routed or used. After a packet is passed, the packet and path are forgotten. In stateful packet filtering, records are kept in a state table that tracks every communications channel, so a packet that neither belongs to a tracked session nor legitimately opens a new one is dropped.

Stateful inspection provides additional security, especially for connectionless protocols such as UDP and ICMP, where the firewall records each outbound request so that only the matching reply is admitted.

Denial-of-service (DoS) attacks present a challenge because flooding techniques are used to overload the state table and effectively cause the firewall to shut down or reboot.

Stateful and circuit-level proxy firewalls, while slower than packet-filtering firewalls, offer better performance than application-level firewalls.
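The difference between the packet filter of page 6 and the stateful firewall of this page, as an added example that is not part of the slides. The rule syntax, the addresses and the three packets are this example's own constructions. It runs the same three packets through both: a web request from an inside host, the server's reply, and an attacker's packet forged with source port 80 and aimed at the inside host's SSH port. The stateless filter needs a "replies from port 80" rule and therefore admits the forgery; the stateful firewall admits only what belongs to a session it saw opened, and its bounded state table also shows what a SYN flood is trying to exhaust.

```python
"""Stateless packet filter beside a stateful inspection firewall.

Added example (not from the slides). Addresses, rules, and packets are
constructed for illustration; the rule syntax is this example's own."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    sport: int            # 0 for icmp
    dport: int            # 0 for icmp
    syn: bool = False     # TCP flags, meaningful only for proto == "tcp"
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    """One packet-filter rule; '*' / None fields match anything."""
    action: str           # "allow" or "deny"
    src: str = "*"
    dst: str = "*"
    proto: str = "*"
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return ((self.src == "*" or self.src == p.src)
                and (self.dst == "*" or self.dst == p.dst)
                and (self.proto == "*" or self.proto == p.proto)
                and (self.sport is None or self.sport == p.sport)
                and (self.dport is None or self.dport == p.dport))


def stateless_filter(rules: List[Rule], p: Packet) -> str:
    """First matching rule wins; an unmatched packet is dropped (default deny).
    Each packet is judged alone: headers only, no memory of earlier packets."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


class StatefulFirewall:
    """Keeps a state table of sessions. A TCP session may only be opened by a
    bare SYN that the rules allow; every later packet of that session passes
    because it is in the table, so no 'reply' rule is needed."""

    def __init__(self, rules: List[Rule], max_entries: int = 1000):
        self.rules = rules
        self.max_entries = max_entries        # finite table: SYN floods aim at this
        self.table: Set[Tuple] = set()        # (proto, src, sport, dst, dport)

    def check(self, p: Packet) -> str:
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if key in self.table or reverse in self.table:
            return "allow"                    # belongs to a tracked session
        if p.proto == "tcp" and (not p.syn or p.ack):
            return "deny"                     # mid-stream packet with no session
        if stateless_filter(self.rules, p) != "allow":
            return "deny"
        if len(self.table) >= self.max_entries:
            return "deny"                     # table exhausted (what a flood causes)
        self.table.add(key)
        return "allow"


INSIDE, WEB, ATTACKER = "10.0.0.5", "203.0.113.10", "198.51.100.7"   # constructed

# The stateless filter must open a hole for replies: "tcp from source port 80".
STATELESS_RULES = [
    Rule("allow", src=INSIDE, proto="tcp", dport=80),
    Rule("allow", dst=INSIDE, proto="tcp", sport=80),
]
# The stateful firewall needs only the outbound rule.
STATEFUL_RULES = [Rule("allow", src=INSIDE, proto="tcp", dport=80)]


def compare() -> Tuple[List[str], List[str]]:
    """Same three packets through both filters: a web request, its reply,
    and an attacker's packet crafted with source port 80 aimed at SSH."""
    request = Packet(INSIDE, WEB, "tcp", 40000, 80, syn=True)
    reply = Packet(WEB, INSIDE, "tcp", 80, 40000, syn=True, ack=True)
    spoofed = Packet(ATTACKER, INSIDE, "tcp", 80, 22, ack=True)
    fw = StatefulFirewall(STATEFUL_RULES)
    return ([stateless_filter(STATELESS_RULES, p) for p in (request, reply, spoofed)],
            [fw.check(p) for p in (request, reply, spoofed)])


def syn_flood(table_size: int, syns: int) -> int:
    """How many rule-conforming SYNs a small state table still accepts."""
    fw = StatefulFirewall(STATEFUL_RULES, max_entries=table_size)
    return sum(fw.check(Packet(INSIDE, WEB, "tcp", 50000 + i, 80, syn=True)) == "allow"
               for i in range(syns))


if __name__ == "__main__":
    print(compare())            # (['allow', 'allow', 'allow'], ['allow', 'allow', 'deny'])
    print(syn_flood(3, 10))     # 3
```

The state table here never expires entries; a real firewall ages them out, which is exactly the knob an attacker fights when flooding it, and the reason `max_entries` matters.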

Page 11: Firewalls and DMZs

Firewalls can be used to create demilitarized zones (DMZs).

A DMZ is a network segment placed between an internal (private) network and an external (public) network, such as the Internet.

Typically, either one or two firewalls are used to create a DMZ.

A DMZ implemented with one firewall connected to a public network, a private network and a DMZ segment is cheaper to implement than a DMZ implemented with two firewalls.

A DMZ with a firewall on each end is typically more secure than a single-firewall DMZ.

The main objective for the placement of firewalls is to allow only traffic that the organization deems necessary and provide notification of suspicious behavior.

Page 12: Hubs

Hubs act as a central connection point for network devices on one network segment. Hubs are used to extend the length of a network beyond the cable's maximum segment distance. They work at the Physical layer of the OSI model.

Hubs are network devices that allow many hosts to inter-communicate through physical ports. This makes hubs central connectivity devices and prone to being attacked. Traffic received on one port is regenerated to all other ports.

Hubs do not provide data isolation between endpoint ports: any node can observe the traffic to and from every other node on the same device. An attacker with a sniffer on one port can therefore inspect all network traffic and intercept user credentials, capture encrypted traffic for later analysis, and read any other sensitive data transmitted in the clear.

Hubs are considered highly insecure.

Physical Port Security (5:24)

Page 13: Modems

A modem is a hardware device that converts the digital signals from a computer for transmission over an analog telephone line. It allows those signals to be carried longer distances than are possible with digital signals on the same line.

The word "modem" is an amalgam of the words "modulator" and "demodulator," which are the two functions that occur during transmission.

Modems present a unique set of challenges from a security perspective.

Leaving modems open for incoming calls with little to no authentication for users dialing in can be a clear security vulnerability in the network. For example, war-dialing attacks take advantage of this situation. War-dialing is the process by which an automated software application is used to dial numbers in a given range to determine whether any of the numbers are serviced by modems that accept dial-in requests.

Setting the callback features to have the modem call the user back at a preset number and using encryption and firewall solutions will help keep the environment safe from attacks.

Monitor computers that have modems to check whether they have been compromised.
Check for software updates for computers that have modems.
Remove all unnecessary modems from computers.

Page 14: Remote Access Services

Remote access servers (RAS) allow clients to use dial-up connections and network technologies to access servers and internal networks. RAS connections are made over dial-up, DSL, VPNs, cable modems, and ISDN.

Client systems with a modem can connect using normal dial-up connections to a properly equipped remote-access service server, which functions as a gateway through which the remote user may access local resources or gain connectivity to the Internet.

The RAS environment is vulnerable to public PBX infrastructure vulnerabilities, RAS software bugs, buffer overflows, and social engineering. You should apply vendor security patches as soon as they are available to protect against RAS software bugs. Social engineering and the public PBX infrastructure is a common method used by intruders to access your RAS environment.

Typical methods of securing remote access servers:

Implementing a strong authentication method or two-factor authentication
Limiting which users are allowed to dial in and limiting the dial-in hours
Implementing account lockout and strict password policies
Implementing a real-time alerting system

Allowing dial-in only and forcing callback to a preset number are strategies for securing remote access servers (RAS).

A RAS connection between a remote workstation and a Windows server

Remote Access (2:50)

Page 15: Routers

Routers enable connectivity between two or more networks and can connect multiple network segments into one network.

Routers operate at the Network layer (Layer 3) by using IP addresses to route packets to their destination along the most efficient path.

Routers store information about network destinations in routing tables. Routing tables contain entries for the networks reachable on each side of the router and the next hop used to reach each of them.

Routers can be configured in many instances to act as packet-filtering firewalls. When configured properly, they can prevent unauthorized ports from being opened.

Routers are the first line of defense and should therefore be configured to forward only traffic that is authorized by the network administrator. Access entries can be specified to allow only authorized traffic and deny unauthorized traffic.

Methods for securing routers:

Routers should be kept in locked rooms
You should use complex passwords for administrative consoles
Routers should be kept current with the latest available vendor security patches
Configure access list entries to prevent unauthorized connections and routing of traffic
Use monitoring equipment to protect connection points and devices

Secure Router Configuration (2:38)

Page 16: Routers

Routers, in conjunction with a CSU/DSU, are also used to translate LAN to WAN framing. Such routers are referred to as border routers. Border routers decide who can come in and under what conditions.

Dividing internal networks into two or more subnets is a common use for routers. Routers can also be connected internally to other routers, effectively creating autonomous zones. This type of connection keeps local network traffic off the network backbone and provides additional security internally.

Routers establish routing tables. A router contains information about the networks connected to it and where to send requests if the destination is unknown (the default route). These tables grow as connections are made through the router. Routers communicate routing information using three standard protocols:

Routing Information Protocol (RIP) is a simple protocol that is part of the TCP/IP protocol suite. Routers that use RIP routinely broadcast the status and routing information of known routers. RIP also attempts to find routes between systems using the smallest number of hops or connections.

Border Gateway Protocol (BGP) allows groups of routers to share routing information.

Open Shortest Path First (OSPF) allows routing information to be updated faster than with RIP.
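A routing table as the two router pages describe it (per-network entries, a default route for unknown destinations, and the most specific entry winning), with the access-list idea of page 15 applied to source addresses. This is an added example, not from the slides. The source check it uses is strict unicast reverse path forwarding (uRPF), a technique the slides do not name: a packet is accepted on an interface only if the router would send traffic back to that packet's source out of the same interface, which is how a border router rejects Internet packets that claim an inside address. The interfaces, prefixes and addresses are constructed.

```python
"""Routing table with longest-prefix match plus strict uRPF on ingress.

Added example (not from the slides). Interfaces, prefixes and addresses
are constructed; uRPF is an added technique the slides do not mention."""
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, Optional[str], str]   # (prefix, next hop, interface)


class Router:
    def __init__(self) -> None:
        self.routes: List[Route] = []

    def add_route(self, prefix: str, next_hop: Optional[str], iface: str) -> None:
        """next_hop None means the prefix is directly connected on iface."""
        self.routes.append((ipaddress.ip_network(prefix), next_hop, iface))

    def lookup(self, addr: str) -> Optional[Route]:
        """Longest-prefix match: the most specific route wins; 0.0.0.0/0 only
        matches when nothing more specific does."""
        ip = ipaddress.ip_address(addr)
        best: Optional[Route] = None
        for route in self.routes:
            if ip in route[0] and (best is None or route[0].prefixlen > best[0].prefixlen):
                best = route
        return best

    def forward(self, src: str, dst: str, in_iface: str) -> Tuple[str, str]:
        """Returns ("forward", out_iface) or ("drop", reason)."""
        src_route = self.lookup(src)
        if src_route is None:
            return "drop", "no route to source"
        if src_route[2] != in_iface:
            # Strict uRPF: an inside address arriving from the Internet, or an
            # Internet address arriving from the LAN, is treated as spoofed.
            return "drop", "source not reachable via ingress interface"
        dst_route = self.lookup(dst)
        if dst_route is None:
            return "drop", "no route to destination"
        return "forward", dst_route[2]


def build_border_router() -> Router:
    """Constructed topology: a campus /8 on 'lan', one site /16 behind an
    internal router on 'lan2', and a default route to the Internet on 'wan'."""
    r = Router()
    r.add_route("10.0.0.0/8", None, "lan")
    r.add_route("10.1.0.0/16", "10.0.0.254", "lan2")
    r.add_route("0.0.0.0/0", "203.0.113.1", "wan")
    return r


if __name__ == "__main__":
    r = build_border_router()
    print(r.forward("10.1.2.3", "198.51.100.1", "wan"))    # spoofed inside source: drop
    print(r.forward("10.1.2.3", "198.51.100.1", "lan2"))   # real inside host: forward wan
    print(r.forward("203.0.113.9", "10.1.5.5", "wan"))     # longest prefix picks lan2
```

Strict uRPF is only safe where routing is symmetric, which is true at a single-homed border like this one; on multi-homed links a loose check (source has any route at all) is used instead.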

Page 17: Switches

Switches can be used to connect multiple LAN segments. Switches operate at the Data Link layer of the OSI model (Layer 2), using the MAC address to send frames to their destination. Switches create virtual circuits between systems in a network. These virtual circuits are somewhat private and reduce network traffic when used. Virtual circuits are more difficult to examine with network monitors: only frames destined for the computer on a particular port of a switch can be seen on that port. With computers connected through a switch, each computer is exposed only to traffic destined for it or for all computers, so any port sees only its own traffic and broadcasts.

Switches are used to create security segments on a LAN through the implementation of VLANs. Physical access control to the networking closet is critical to protect switched networks against any exposed supervisory ports that can be exploited by an attacker.

Methods for securing switches:

Switches should be kept in locked rooms
You should use complex passwords for administrative consoles
Switches should be kept current with the latest available vendor security patches
Use monitoring equipment to protect connection points and devices

Switch Port Security and 802.1X (5:35)

VLAN Management (3:44)
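Why a switch shows each port only its own traffic, and what port security (named in the video link above) protects against, as an added example that is not part of the slides. The switch model, port names and MAC addresses are constructed. A switch learns which port each source MAC lives on and sends unicast frames only there; an attacker who floods the switch with forged source MACs fills that finite table, after which frames for unlearned destinations are flooded to every port exactly as a hub would do, and the attacker's sniffer sees them. Limiting the number of MACs a port may learn, and shutting the port down on a violation, stops it.

```python
"""Learning switch with a bounded MAC table and optional port security.

Added example (not from the slides). Port names and MAC addresses are
constructed. Table aging is left out to keep the model short; on a real
switch aging lets a sustained flood evict already-learned hosts too."""
from typing import Dict, List, Optional, Set


class Switch:
    BROADCAST = "ff:ff:ff:ff:ff:ff"

    def __init__(self, ports: List[str], table_size: int,
                 max_macs_per_port: Optional[int] = None) -> None:
        self.ports = ports
        self.table_size = table_size                # real CAM tables are finite
        self.max_macs_per_port = max_macs_per_port  # port-security limit; None = off
        self.mac_table: Dict[str, str] = {}         # source MAC -> port it was seen on
        self.err_disabled: Set[str] = set()         # ports shut down by a violation

    def _learn(self, port: str, mac: str) -> None:
        if mac in self.mac_table:
            return
        if self.max_macs_per_port is not None:
            seen_here = sum(1 for p in self.mac_table.values() if p == port)
            if seen_here >= self.max_macs_per_port:
                self.err_disabled.add(port)         # violation: port is shut down
                return
        if len(self.mac_table) < self.table_size:   # full table: just don't learn
            self.mac_table[mac] = port

    def receive(self, in_port: str, src_mac: str, dst_mac: str) -> List[str]:
        """Returns the list of ports the frame is sent out of."""
        if in_port in self.err_disabled:
            return []
        self._learn(in_port, src_mac)
        if in_port in self.err_disabled:
            return []                               # the violating frame is dropped
        out = self.mac_table.get(dst_mac)
        if dst_mac == self.BROADCAST or out is None:
            return [p for p in self.ports if p != in_port]   # flood: unknown or broadcast
        return [] if out == in_port else [out]               # unicast to the one known port


def mac_flood_demo(port_security: bool) -> Dict[str, object]:
    """Attacker on p3 forges 1000 source MACs, then host A (p1) talks to B (p2)."""
    sw = Switch(["p1", "p2", "p3"], table_size=64,
                max_macs_per_port=2 if port_security else None)
    for i in range(1000):
        sw.receive("p3", "02:00:00:00:%02x:%02x" % (i >> 8, i & 0xFF), Switch.BROADCAST)
    sw.receive("p2", "aa:aa:aa:aa:aa:02", "aa:aa:aa:aa:aa:01")   # B speaks first
    a_to_b = sw.receive("p1", "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02")
    return {"a_to_b_ports": a_to_b, "attacker_port_disabled": "p3" in sw.err_disabled}


if __name__ == "__main__":
    print(mac_flood_demo(port_security=False))   # A->B floods to p2 and p3
    print(mac_flood_demo(port_security=True))    # A->B goes to p2 only; p3 shut down
```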

Page 18: Telecom/PBX Systems

Many modern PBX (private branch exchange) systems integrate voice and data onto a single data connection to your phone service provider. These connections are made using existing network connections such as a T1 or T3 network.

A PBX provides a connection to the public switched telephone network (PSTN) and provides telephone extensions for employees. A PBX is a programmable telephone switch that is typically located on a company’s premises. A PBX can usually be remotely administered.

For years, PBX-type systems have been targeted by hackers, mainly to get free long-distance service. The vulnerabilities that phone networks are subject to include social engineering, long-distance toll fraud, and breach of data privacy.

To protect a PBX from hacker attacks:

Make sure the PBX is in a secure area
Limit the number of entry points
Change default passwords
Only allow authorized maintenance
Remote PBX administration should require user names and passwords
The telephone number used to remotely administer a PBX should be unlisted
Block all toll numbers and limit long-distance calling
Implement a PBX password change and audit policy

Many times, hackers can gain access to the phone system via social engineering because this device is usually serviced through a remote maintenance port.

A modern digital PBX system integrating voice and data onto a single network connection

Page 19: Virtual Private Networks

VPNs are used to make connections between private networks across a public network.

VPN connections provide a mechanism for the creation of a secured "tunnel" through a public network such as the Internet using a tunneling protocol, such as L2TP or PPTP.

A tunnel by itself only encapsulates traffic; the connection is not secure unless an encryption system, such as IPsec, is also used.

VPN Concentrators (2:06)

Page 20: VPN Server in Front of the Firewall

With the VPN server in front of the firewall, attached to the Internet, you need to add packet filters to the Internet interface that only allow VPN traffic to and from the IP address of the VPN server's interface on the Internet.

For inbound traffic, when the tunneled data is decrypted by the VPN server it is forwarded to the firewall, which employs its filters to allow the traffic to be forwarded to intranet resources.

Because the only traffic that is crossing the VPN server is traffic generated by authenticated VPN clients, firewall filtering in this scenario can be used to prevent VPN users from accessing specific intranet resources.

Because the only Internet traffic allowed on the intranet must go through the VPN server, this approach also prevents the sharing of File Transfer Protocol (FTP) or Web intranet resources with non-VPN Internet users.

For the Internet interface on the VPN server, configure the input and output filters using the Routing and Remote Access snap-in.

Page 21: VPN Server Behind the Firewall

More commonly, the firewall is connected to the Internet and the VPN server is another intranet resource connected to a DMZ. The VPN server has an interface on the DMZ and an interface on the intranet.

In this approach, the firewall must be configured with input and output filters on its Internet interface to allow the passing of tunnel maintenance traffic and tunneled data to the VPN server. Additional filters can allow the passing of traffic to Web servers, FTP servers, and other types of servers on the DMZ.

The firewall does not have the encryption keys for each VPN connection, so it can only filter on the plaintext headers of the tunneled data, meaning that all tunneled data passes through the firewall. This is acceptable because the VPN connection requires an authentication process that prevents unauthorized access beyond the VPN server: the firewall's job is to admit only the tunnel protocol to the VPN server, and the VPN server's job is to decide who may use it.

When you deploy a VPN gateway in its own DMZ behind the external firewall, you receive the following benefits:

The firewall can protect the VPN gateway
The firewall can inspect plain text from the VPN
Internet connectivity does not depend on the VPN gateway

In this deployment, the following drawbacks are experienced:

The firewall will need special routes to the VPN gateway configured
Roaming client support is hard to achieve

For the Internet interface on the firewall, input and output filters need to be configured using the firewall's configuration software.

Page 22: Wireless Access Points

To build a wireless network:

On the client side, you need a wireless NIC
On the network side, you need a wireless access point (WAP)

A wireless access point (WAP) is a low-power transmitter/receiver, also known as a transceiver, which is strategically placed for access.

The portable device and the access point communicate using one of several communications protocols, including IEEE 802.11 (also known as Wireless Ethernet).

Wireless offers mobile connectivity within a campus, a building, or even a city.

Wireless communications, although convenient, can also be less than secure. While many WAPs now ship with encryption on, you will still want to verify that this is the case with your network.

A wireless portal being used to connect a computer to a company network. Notice that the portal connects to the network and is treated like any other connection used in the network.

Page 23: Monitoring and Diagnosing Networks - Network Monitors

Network monitors, otherwise called sniffers, were originally introduced to help troubleshoot network problems.

Examining the signaling and traffic that occurs on a network requires a network monitor.

Network monitors are now available for most environments, and they’re effective and easy to use.

Today, a network-monitoring system usually consists of a PC with a NIC (running in promiscuous mode) and monitoring software.

Microsoft Network Monitor is a packet analyzer. It enables capturing, viewing, and analyzing network data and deciphering network protocols. It can be used to troubleshoot network problems and applications on the network.

The monitoring software is menu driven, easy to use, and has a big help file.

The traffic displayed by sniffers can become overly involved and require additional technical materials which you can find on the Internet for free.

With a few hours of work, most people can make network monitors work efficiently and use the data they present.

Microsoft Network Monitor
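What a network monitor actually does with the bytes a promiscuous NIC hands it, as an added example that is not from the slides or from Microsoft Network Monitor. The frame is built in code from constructed addresses, ports and payload and then decoded field by field; the decoder also verifies the IPv4 header checksum, which a monitor flags when it is wrong. The payload is a constructed FTP login, chosen to show the point of the hub page: on a shared segment a sniffer needs no exploit to read a plaintext password.

```python
"""Build and decode an Ethernet/IPv4/TCP frame the way a packet analyzer does.

Added example, not from the slides or any product they mention. The frame,
its addresses and its payload are constructed."""
import struct
from typing import Dict

ETH_HDR = "!6s6sH"
IP_HDR = "!BBHHHBBH4s4s"
TCP_HDR = "!HHIIBBHHH"
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK"}


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def build_frame(src_ip: str, dst_ip: str, sport: int, dport: int,
                flags: int, payload: bytes) -> bytes:
    eth = struct.pack(ETH_HDR, bytes.fromhex("001122334455"),
                      bytes.fromhex("66778899aabb"), 0x0800)
    tcp = struct.pack(TCP_HDR, sport, dport, 1000, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack(IP_HDR, 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                     ip_bytes(src_ip), ip_bytes(dst_ip))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]   # fill in header checksum
    return eth + ip + tcp


def decode_frame(frame: bytes) -> Dict[str, object]:
    dst_mac, src_mac, ethertype = struct.unpack(ETH_HDR, frame[:14])
    out: Dict[str, object] = {"src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
                              "ethertype": ethertype}
    if ethertype != 0x0800:
        return out                                    # not IPv4: stop at layer 2
    ip = frame[14:]
    vihl, _tos, total_len, _id, _ff, ttl, proto, _csum, src, dst = struct.unpack(IP_HDR, ip[:20])
    ihl = (vihl & 0x0F) * 4
    if ip_checksum(ip[:ihl]) != 0:                    # a valid header sums to zero
        raise ValueError("bad IPv4 header checksum")
    out.update(src_ip=".".join(map(str, src)), dst_ip=".".join(map(str, dst)),
               ttl=ttl, proto=proto)
    if proto == 6:
        sport, dport, seq, _ack, off, flags, _win, _tcsum, _urg = struct.unpack(
            TCP_HDR, ip[ihl:ihl + 20])
        data_off = (off >> 4) * 4
        out.update(sport=sport, dport=dport, seq=seq,
                   flags=[name for bit, name in TCP_FLAGS.items() if flags & bit],
                   payload=ip[ihl + data_off:total_len])
    return out


# Constructed capture: one FTP control-channel segment carrying a login.
SAMPLE = build_frame("10.0.0.5", "10.0.0.21", 40001, 21, 0x18,
                     b"USER alice\r\nPASS hunter2\r\n")


def credentials_in_clear(frame: bytes) -> Dict[str, str]:
    """What anyone on the same hub sees, with no exploit at all."""
    payload = decode_frame(frame).get("payload", b"")
    creds: Dict[str, str] = {}
    for line in bytes(payload).decode("ascii", "replace").splitlines():
        if line.startswith(("USER ", "PASS ")):
            creds[line[:4]] = line[5:]
    return creds


if __name__ == "__main__":
    print(decode_frame(SAMPLE))
    print(credentials_in_clear(SAMPLE))   # {'USER': 'alice', 'PASS': 'hunter2'}
```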

Page 24: Monitoring and Diagnosing Networks - Intrusion Detection Systems

An IDS (Intrusion Detection System) is a hardware device with software that monitors events in a system or network to identify when intrusions are taking place. IDSs are designed to analyze data, identify attacks, and respond to the intrusion. An IDS can run on network devices and on individual workstations. You can configure the IDS to monitor for suspicious network activity, check system logs, perform stateful packet matching, and disconnect sessions that are violating your security policy. An IDS is used to protect and report network abnormalities to a network administrator or system. It works with audit files and rule-based processing to determine how to act in the event of an unusual situation on the network.

IDSs are different from firewalls in that firewalls control the information that gets in and out of the network, whereas IDSs can identify unauthorized activity. IDSs are also designed to catch attacks in progress within the network, not just on the boundary between private and public networks. If the firewall were compromised, the IDS would notify you based on the rules it's designed to implement. In the event the firewall is compromised or penetrated, the IDS can react by disabling systems, ending sessions, and even potentially shutting down your network.

The main types are host-based IDS and network IDS. With a host-based IDS, software runs on the host computer system to monitor machine logs, system logs, and how applications inter-operate. With a network IDS, the IDS checks for network traffic and traffic patterns that could be indicative of attacks such as port scans and denial-of-service attacks.

An IDS and a firewall working together to secure a network

Log Analysis (2:33)
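One rule of the kind a network IDS applies, run over firewall log lines, as an added example that is not part of the slides. The log format is this example's own and the lines are constructed; they contain a normal web client, a host probing six ports on an inside server within a few seconds, a malformed line, and a slow probe that stays under the threshold. The rule counts the distinct destination ports one source touches on one host inside a sliding window and alerts when the count reaches a threshold, which is the port-scan pattern the IDS page names.

```python
"""Network IDS rule: port-scan detection over firewall log lines.

Added example (not from the slides). The log format is this example's own
and the sample lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Returns None for lines that do not match, instead of guessing."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    e: Dict[str, object] = dict(m.groupdict())
    e["ts"] = datetime.fromisoformat(m.group("ts"))
    e["dport"] = int(m.group("dport"))
    return e


def detect_port_scans(lines: List[str], threshold: int = 5,
                      window: timedelta = timedelta(seconds=10)) -> List[Dict[str, object]]:
    """One alert per (src, dst) pair whose distinct-port count within any
    window-long span reaches the threshold. Denied and allowed hits both
    count: a scanner learns something from each."""
    hits: Dict[tuple, List[tuple]] = defaultdict(list)
    for line in lines:
        e = parse_line(line)
        if e:
            hits[(e["src"], e["dst"])].append((e["ts"], e["dport"]))
    alerts: List[Dict[str, object]] = []
    for (src, dst), events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1                      # slide the window forward
            ports = {p for _, p in events[start:end + 1]}
            if len(ports) >= threshold:
                alerts.append({"type": "port_scan", "src": src, "dst": dst,
                               "ports": sorted(ports), "first_seen": events[start][0],
                               "last_seen": events[end][0]})
                break                           # one alert per pair is enough
    return alerts


# Constructed sample: a normal web client, a scanner, a malformed line, a slow probe.
SAMPLE_LOG = """\
2015-12-21T10:00:00 ALLOW TCP 10.0.0.5:40001 -> 203.0.113.10:80
2015-12-21T10:00:01 ALLOW TCP 10.0.0.5:40002 -> 203.0.113.10:443
2015-12-21T10:00:02 DENY TCP 198.51.100.7:55001 -> 10.0.0.5:21
2015-12-21T10:00:02 DENY TCP 198.51.100.7:55002 -> 10.0.0.5:22
2015-12-21T10:00:03 DENY TCP 198.51.100.7:55003 -> 10.0.0.5:23
2015-12-21T10:00:03 DENY TCP 198.51.100.7:55004 -> 10.0.0.5:25
this line is not in the expected format
2015-12-21T10:00:04 ALLOW TCP 198.51.100.7:55005 -> 10.0.0.5:80
2015-12-21T10:00:05 DENY TCP 198.51.100.7:55006 -> 10.0.0.5:443
2015-12-21T10:00:30 DENY TCP 192.0.2.9:1025 -> 10.0.0.5:22
2015-12-21T10:00:45 DENY TCP 192.0.2.9:1026 -> 10.0.0.5:23
""".splitlines()


def run_sample() -> List[Dict[str, object]]:
    return detect_port_scans(SAMPLE_LOG)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The slow probe from 192.0.2.9 is the usual evasion: spread the scan out beyond the window and a rule like this stays quiet, which is why real deployments pair a short window with a much longer, lower-rate count.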

Page 25: Securing Workstations and Servers

Workstations are particularly vulnerable in a network. Workstations communicate using services such as file sharing, network services, and application programs. Many of these programs have the ability to connect to other workstations or servers. These connections are potentially vulnerable to interception and exploitation.

The process of making a workstation or a server more secure is called platform hardening. The process of hardening the operating system is referred to as OS hardening. Platform hardening procedures can be categorized into three basic areas:

Remove unused software, services, and processes from the workstations (for example, remove the server service from a workstation). These services and processes may create opportunities for exploitation.

Ensure that all services and applications are up to date, including available service packs and security patches, and configured in the most secure manner allowed. This may include assigning passwords, limiting access, and restricting capabilities.

Minimize information dissemination about the operating system, services, and capabilities of the system. Many attacks can be targeted at specific platforms once the platform has been identified.

Many operating systems use default account names for administrative access. If at all possible, these should be changed. During a new installation of Windows Vista or Windows XP, the first user created is automatically added to the Administrators group. Windows Vista then goes one step further and automatically disables the built-in Administrator account once another account belonging to the Administrators group has been created.

Page 26: CIST 1601 Information Security Fundamentals Chapter 3 Infrastructure and Connectivity Collected and Compiled By JD Willard MCSE, MCSA, Network+, Microsoft.

Understanding Mobile Devices

Mobile devices, including pagers and personal digital assistants (PDAs), use either RF signaling or cellular technologies for communication. If the device uses the Wireless Application Protocol (WAP), the device in all likelihood doesn’t have security enabled. Several levels of security exist in the WAP protocol:

Anonymous authentication, which allows virtually anyone to connect to the wireless portal

Server authentication, which requires the workstation to authenticate against the server

Two-way (client and server) authentication, which requires both ends of the connection (client and server) to authenticate to confirm validity

Many new wireless devices are also capable of using certificates to verify authentication.

The Wireless Session Protocol (WSP) manages the session information and connection between the devices. The Wireless Transaction Protocol (WTP) provides services similar to TCP and UDP for WAP. The Wireless Datagram Protocol (WDP) provides the common interface between devices. Wireless Transport Layer Security (WTLS) is the security layer of the Wireless Application Protocol.

A mobile environment using WAP security. This network uses both encryption and authentication to increase security.

Page 27:

Understanding Remote Access Using Point-to-Point Protocol

Point-to-Point Protocol

PPP offers multiple protocol support, including AppleTalk, IPX, and DECnet, and is widely used today as a transport protocol for dial-up connections.

PPP is a protocol for communicating between two points using a serial interface; it provides service at layer 2 of the OSI model. PPP can handle both synchronous and asynchronous connections.

PPP provides no security. PPP is primarily intended for dial-up connections and should never be used for VPN connections.

PPP works with POTS, Integrated Services Digital Network (ISDN), and other faster connections such as T1.

PPP does not provide data security, but it does provide authentication using Challenge Handshake Authentication Protocol (CHAP). CHAP can be used to provide on-demand authentication within an ongoing data transmission.

A dial-up connection using PPP works well because it isn’t common for an attacker to tap a phone line. You should make sure all your PPP connections use secure channels, dedicated connections, or dial-up connections.

PPP using a single B channel on an ISDN connection. In the case of ISDN, PPP would normally use one 64Kbps B channel for transmission.
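The CHAP exchange mentioned above, written out as an added example (not the course's code and not a particular PPP implementation): the authenticator sends a random challenge, the peer answers with MD5(identifier, shared secret, challenge) as RFC 1994 specifies, and the authenticator recomputes the value to verify it. Because the secret itself never crosses the link, the authenticator can repeat the challenge at any time during the session, which is the on-demand re-authentication the text describes. The peer name and shared secret are constructed demo values.

```python
"""CHAP challenge/response as used by PPP (RFC 1994, MD5 variant).

Added example, not code from the course. Both sides of the exchange are
shown so the initial authentication and the periodic re-challenge are
visible. Peer name and secret are constructed demo values.
"""
import hashlib
import hmac
import os

# Assumed peer database: peer name -> shared secret (constructed values).
DEMO_SECRETS = {"branch-router": b"constructed-demo-secret"}


def chap_response(identifier, secret, challenge):
    """Peer side: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """Authenticator side of CHAP: issues challenges and checks responses."""

    def __init__(self, peer_secrets):
        self.peer_secrets = peer_secrets
        self.identifier = 0
        self.outstanding = {}  # identifier -> challenge still awaiting a response

    def challenge(self):
        """Issue a fresh random challenge. The identifier ties the response
        back to this challenge and changes for every challenge sent."""
        self.identifier = (self.identifier + 1) % 256
        chal = os.urandom(16)
        self.outstanding[self.identifier] = chal
        return self.identifier, chal

    def verify(self, identifier, peer_name, response):
        """Return True only if the response matches our own computation for
        a still-outstanding challenge. The challenge is consumed either way,
        so a captured response cannot be replayed later."""
        chal = self.outstanding.pop(identifier, None)
        secret = self.peer_secrets.get(peer_name)
        if chal is None or secret is None:
            return False
        expected = chap_response(identifier, secret, chal)
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(expected, response)


def run_session(authenticator, peer_name, peer_secret, rechallenges=2):
    """Simulate link establishment followed by periodic re-authentication.
    Returns one verification result per challenge issued."""
    results = []
    for _ in range(1 + rechallenges):
        ident, chal = authenticator.challenge()          # authenticator -> peer
        resp = chap_response(ident, peer_secret, chal)   # peer -> authenticator
        results.append(authenticator.verify(ident, peer_name, resp))
    return results


if __name__ == "__main__":
    auth = ChapAuthenticator(DEMO_SECRETS)
    print(run_session(auth, "branch-router", DEMO_SECRETS["branch-router"]))
```

Note what the example does and does not give you: a peer that knows the secret passes every challenge, a wrong secret fails every one, and a replayed response fails because its challenge has already been consumed. Nothing here protects the data frames that follow, which is why the slides say PPP itself provides no data security.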

Page 28:

Understanding Remote Access Working with Tunneling Protocols

Tunneling protocols add a capability to the network: the ability to create tunnels between networks that can be more secure, support additional protocols, and provide virtual paths between systems.

The three primary tunneling protocols are PPTP (Point-to-Point Tunneling Protocol), L2TP (Layer 2 Tunneling Protocol), and L2F (Layer 2 Forwarding protocol).

Page 29:

Working with Tunneling Protocols

Point-to-Point Tunneling Protocol

Point-to-Point Tunneling Protocol (PPTP) was created by Microsoft to work with the Point-to-Point Protocol (PPP) to create a virtual Internet connection so that networks can use the Internet as their WAN link.

PPTP is known as a tunneling protocol because the PPTP protocol dials through the PPP connection, which results in a secure connection between client and server.

This connectivity method creates a virtual private network (VPN), allowing for private network security. In effect PPTP creates a secure WAN connection using dial-up access.

PPTP supports encapsulation in a single point-to-point environment. PPTP encapsulates and encrypts PPP packets. This makes PPTP a favorite low-end protocol for networks.

The negotiation between the two ends of a PPTP connection is done in the clear. Once the negotiation is performed, the channel is encrypted. A packet-capture device, such as a sniffer, that captures the negotiation process can potentially use that information to determine the connection type and information about how the tunnel works.

Page 30:

Working with Tunneling Protocols

Layer 2 Forwarding

L2F was created by Cisco as a method of creating tunnels primarily for dial-up connections. L2F is similar in capability to PPP and should not be used over WANs. L2F does provide authentication, but it does not provide encryption.

Layer 2 Tunneling Protocol

Layer Two Tunneling Protocol (L2TP) is an enhancement of PPTP that can be used between LANs and can also be used to create a VPN.

L2TP is primarily a point-to-point protocol.

Relatively recently, Microsoft and Cisco agreed to combine their respective tunneling protocols into one protocol: the Layer Two Tunneling Protocol (L2TP). L2TP is a hybrid of PPTP and L2F.

L2TP supports multiple network protocols and can be used in networks besides TCP/IP. L2TP works over IPX, SNA, and IP.

L2TP isn’t secure, and you should use IPSec with it to provide encryption of the data.

L2TP operates at the Data Link layer of the OSI model and uses UDP for sending packets as well as for maintaining the connection. L2TP uses UDP port number 1701.

Page 31:

Working with Tunneling Protocols

Secure Shell

Secure Shell (SSH) is a type of tunneling protocol that allows access to remote systems in a secure manner.

SSH was originally designed for UNIX systems. SSH is a program that allows connections to be secured by encrypting the session between the client and the server. SSH also provides secure equivalents of programs such as Telnet, FTP, and many of the other communications-oriented programs under UNIX.

SSH transmits both authentication information and data securely during terminal connections with UNIX computers. SSH uses port 22.

Internet Protocol Security

IPSec (Internet Protocol Security) is not a tunneling protocol, but it is used in conjunction with tunneling protocols to provide network security. IPSec is oriented primarily toward LAN-to-LAN connections, rather than dial-up connections.

IPSec can be used to digitally sign headers and to encrypt and encapsulate packets. IPSec provides both authentication and encryption, and is regarded as one of the strongest security standards.

When the Authentication Header (AH) protocol is used, IPSec digitally signs packet headers, and when the Encapsulating Security Payload (ESP) is used, IPSec encrypts packets.

Page 32:

Working with Tunneling Protocols

IPSec can be used with many different protocols besides TCP/IP, and it has two modes of security:

Tunneling mode is used for VPN connections over an unsecured public network. In Tunneling mode, packets are encapsulated within other packets, and both the payload and message headers are encrypted. Two routers that require secure communications should use IPSec in tunnel mode to encrypt packets.

Transport mode is used only when the data portion needs to be encrypted over owner-controlled networks such as a LAN. In Transport mode, only the payload is encrypted. When transport mode is used, packets are not encapsulated.

Page 33:

Working with RADIUS

Remote Authentication Dial-In User Service (RADIUS) is a mechanism that provides centralized remote user authentication, authorization, and accounting.

The centralized authentication, authorization, and accounting features of RADIUS allow central administration of all aspects of remote login. The accounting features allow administrators to track usage and network statistics by maintaining a central database.

A RADIUS server can be managed centrally, and the servers that allow access to a network can verify with a RADIUS server whether or not an incoming caller is authorized. In a large network with many connections, this allows a single server to perform all authentications.

A RADIUS server acts as either the authentication server or a proxy client that forwards client requests to other authentication servers. The initial network access server, which is usually a VPN server or dial-up server, acts as a RADIUS client by forwarding the VPN or dial-up client’s request to the RADIUS server. RADIUS is the protocol that carries the information between the VPN or dial-up client, the RADIUS client, and the RADIUS server.

RADIUS encrypts only the password in the access-request packet, from the client to the server. The remainder of the packet is unencrypted.

RADIUS uses UDP transport.

A RADIUS server communicating with an ISP to allow access to a remote user. Notice that the remote server is functioning as a client to the RADIUS server. This allows centralized administration of access rights.
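To make the point about RADIUS encrypting only the password concrete, here is an added example (not the course's code and not any vendor's RADIUS implementation) that builds an Access-Request packet in the layout RFC 2865 defines and hides the User-Password attribute the way that RFC specifies: the password is padded to 16-byte blocks and each block is XORed with MD5(shared secret + previous block), seeded with the random Request Authenticator. The User-Name and NAS-IP-Address attributes travel in the clear, which is exactly what a sniffer between the RADIUS client and server sees. The shared secret, user name and NAS address are constructed demo values.

```python
"""RADIUS Access-Request with RFC 2865 User-Password hiding.

Added example, not code from the course or any RADIUS product. Builds
the packet so it is visible that only the password attribute is obscured.
Secret, user name and NAS address are constructed demo values.
"""
import hashlib
import os
import struct

ACCESS_REQUEST = 1        # RADIUS Code field
ATTR_USER_NAME = 1        # attribute types from RFC 2865
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad to 16-byte blocks, then XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out = b""
    prev = authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, authenticator):
    """Server side: run the same chain and strip the NUL padding.
    (A password that itself ends in NUL bytes would lose them; RFC 2865
    limits passwords to 128 octets and assumes printable text.)"""
    out = b""
    prev = authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def attribute(attr_type, value):
    """Type (1 byte), Length (1 byte, counts the header too), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, secret, username, password, nas_ip,
                         authenticator=None):
    """Return (packet, request_authenticator). Header is Code, Identifier,
    Length and the 16-byte Authenticator; attributes follow."""
    if authenticator is None:
        authenticator = os.urandom(16)  # fresh random value per request
    attrs = (attribute(ATTR_USER_NAME, username)
             + attribute(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
             + attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    length = 20 + len(attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, length) + authenticator
    return header + attrs, authenticator


def parse_attributes(packet):
    """Walk the attribute list after the 20-byte header; return {type: value}."""
    attrs = {}
    offset = 20
    while offset < len(packet):
        attr_type, attr_len = struct.unpack("!BB", packet[offset:offset + 2])
        attrs[attr_type] = packet[offset + 2:offset + attr_len]
        offset += attr_len
    return attrs


if __name__ == "__main__":
    secret = b"demo-shared-secret"
    pkt, auth = build_access_request(7, secret, b"alice", b"correct horse", "10.0.0.5")
    print("user name visible in packet:", b"alice" in pkt)
    print("password visible in packet:", b"correct horse" in pkt)
    print("server recovers:", reveal_password(parse_attributes(pkt)[2], secret, auth))
```

Two things worth noticing when you run it: the hiding depends entirely on the shared secret, so a weak or widely shared secret reduces the whole scheme to an MD5 guess, and nothing else in the packet is protected at all, which is why RADIUS traffic is normally confined to a management network or carried inside IPSec.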

RADIUS and TACACS (5:46)

Page 34:

TACACS/+

Terminal Access Controller Access Control System (TACACS) is a client/server-oriented environment, and it operates in a similar manner to RADIUS.

Extended TACACS (XTACACS) replaced the original and combined authentication and authorization with logging to enable auditing.

Although RADIUS performs in much the same manner, TACACS+ is used almost exclusively by Cisco. RADIUS is more of a generic standard used by many different companies. TACACS+ is gaining ground, however.

The most current method or level of TACACS is TACACS/+. TACACS/+ allows credentials to be accepted from multiple methods, including Kerberos.

TACACS+ provides authentication, authorization, and accounting (AAA).

TACACS relies on TCP over port 49.

Page 35:

Securing Internet Connections Working with Ports and Sockets

TCP/IP establishes connections and circuits using a combination of the IP address and a port.

A port is an interface that is used to connect to a device. Sockets are a combination of the IP address and the port. The socket identifies which application will respond to the network request.

For example, if you attempt to connect to a remote system with the IP address 192.168.0.100, which is running a website, you’ll use port 80 by default. The combination of these two elements gives you a socket: 192.168.0.100:80. IP is used to route the information through the network. The four layers of TCP/IP encapsulate the information into a valid IP packet that is then transmitted across the network.

The figure to the right illustrates the key components of a TCP packet requesting the home page of a website. The destination port is the port the data is sent to. In the case of a web application, the data for port addresses would both contain 80. The data field contains the value Get/. This value requests the home or starting page from the web server. In essence, this command or process requested the home page of the site 192.168.0.100 port 80. The data is formed into another data packet that is passed down to IP and sent back to the originating system on port 1024. The connections to most services using TCP/IP are based on this port model.
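The port model described above, as an added example that is not part of the course material: a tiny HTTP-style server binds a socket on the loopback address with a port the operating system assigns, a client connects to that address:port pair, sends `GET /` and reads the reply. The client's own side of the connection gets a separately assigned port, which is the "source port" the reply is sent back to. Everything runs on 127.0.0.1 with OS-chosen ports, so no address or port here is a real host.

```python
"""Sockets: address plus port, and the request/reply port model.

Added example, not code from the course. A loopback server answers
"GET /" with a constructed home page; the client shows that its side of
the connection uses a different port from the server's socket.
"""
import socket
import threading

HOME_PAGE = b"<html><body>home</body></html>"   # constructed response body


def serve_one_request(server_sock):
    """Accept a single connection, answer 'GET /' with the home page and
    anything else with 404, then close the connection."""
    try:
        conn, _ = server_sock.accept()
    except OSError:
        return  # nobody connected before the timeout
    with conn:
        request = conn.recv(1024)
        if request.startswith(b"GET / "):
            status, body = b"HTTP/1.0 200 OK\r\n", HOME_PAGE
        else:
            status, body = b"HTTP/1.0 404 Not Found\r\n", b"not found"
        conn.sendall(status + b"Content-Length: %d\r\n\r\n" % len(body) + body)


def fetch_page(path=b"/"):
    """Start a server on 127.0.0.1:<ephemeral>, connect to it, request `path`
    and return (server_socket_string, client_port, response_bytes)."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.settimeout(5)
    server.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    server.listen(1)
    host, port = server.getsockname()      # this pair is the server's socket
    worker = threading.Thread(target=serve_one_request, args=(server,))
    worker.start()

    with socket.create_connection((host, port), timeout=5) as client:
        client_port = client.getsockname()[1]   # the client's own (source) port
        client.sendall(b"GET " + path + b" HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        chunks = []
        while True:
            data = client.recv(4096)
            if not data:                       # server closed: reply complete
                break
            chunks.append(data)
    worker.join()
    server.close()
    return f"{host}:{port}", client_port, b"".join(chunks)


if __name__ == "__main__":
    server_socket, client_port, reply = fetch_page()
    print("server socket:", server_socket)
    print("client source port:", client_port)
    print(reply.decode())
```

The two ports are different every time the example runs: the server's port is fixed for as long as it listens, while each client connection is identified by its own address:port pair, which is how the server tells concurrent requests apart.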

Page 36:

Securing Internet Connections Working with E-Mail

The most common e-mail systems use the following protocols, which use TCP for session establishment:

Simple Mail Transport Protocol

SMTP is a mail delivery protocol that is used to send e-mail between an e-mail client and an e-mail server as well as between e-mail servers. SMTP uses port 25.

Post Office Protocol

POP is a newer protocol that relies on SMTP for message transfer to receive e-mail. POP3, the newest version of POP, allows messages to be transferred from the waiting post office to the e-mail client. The current POP3 standard uses port 110.

Internet Message Access Protocol

IMAP is the newest player in the e-mail field, and it’s rapidly becoming the most popular. Like POP, IMAP has a store-and-forward capability. IMAP allows messages to be stored on an e-mail server instead of being downloaded to the client. It also allows messages to be downloaded based on search criteria. The current version, IMAP 4, uses port 143.

Each of these web services is offered in conjunction with web-enabled programs such as Flash and Java. These services use either a socket to communicate or a program that responds to commands through the browser. If your browser can be controlled by an application, your system is at great risk of attack. Servers are also vulnerable to this issue because they must process requests from browsers for information or data.

The process of transferring an e-mail message.

Page 37:

Securing Internet Connections Working with the Web

There are two common ways to provide secure connections between a web client and a web server:

Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the most widely used cryptographic protocols for conveying information between a web client and a server. The SSL protocol uses an encryption scheme between the two systems. The client initiates the session, the server responds, indicating that encryption is needed, and then they negotiate an appropriate encryption scheme. TLS is a newer protocol that merges SSL with other protocols to provide encryption. TLS supports SSL connections for compatibility, but it also allows other encryption protocols, such as Triple DES, to be used. SSL/TLS uses port 443 and TCP for connections.

HTTP Secure (HTTP/S) is a protocol that is used for secure connections between two systems that use the Web. It protects the connection, and all traffic between the two systems is encrypted. HTTP/S uses SSL or TLS for connection security, and it uses port 443 and TCP for connections.

Page 38:

Securing Internet Connections ActiveX

ActiveX is a technology that was implemented by Microsoft. ActiveX allows customized controls, icons, and other features to increase the usability of web-enabled systems.

ActiveX uses a method called authenticode for security. Authenticode is a type of certificate technology that allows ActiveX components to be validated by a server.

ActiveX runs on the client.

Web browsers can be configured so that they require confirmation to accept an ActiveX control. However, many users don’t understand these confirmation messages when they appear, and they automatically accept the components.

Automatically accepting an ActiveX component or control creates the opportunity for security breaches on a client system when the control is used because an ActiveX control contains programming instructions that can contain malicious code or create vulnerabilities in a system.

Page 39:

Securing Internet Connections Buffer Overflows

Perhaps the most popular method of privilege escalation is a buffer-overflow attack. Buffer overflows cause disruption of service and lost data.

Buffer overflows occur when an application receives more data than it is programmed to accept.

This situation can cause:

An application to terminate. The termination may leave the system sending the data with temporary access to privileged levels in the attacked system.

The overwriting of data or memory storage.

A denial of service due to overloading the input buffer’s ability to cope with the additional data.

Execution of arbitrary code by the originator, often at a privileged level.

A buffer overflow is targeted toward an individual machine.

Page 40:

Securing Internet Connections Common Gateway Interface

Common Gateway Interface (CGI) is an older form of scripting that was used extensively in early web systems.

CGI scripts could be used to capture data from a user using simple forms.

CGI scripts are not widely used in new systems and are being replaced by Java, ActiveX, and other technologies.

The CGI script ran on the web server, and it interacted with the client browser.

Vulnerabilities in CGI are the result of its inherent ability to do what it is told. If a CGI script is written to wreak havoc (or carries extra code added to it by a miscreant) and it is executed, your systems will suffer.

The best protection against any weaknesses is to not run applications written in CGI.

Page 41:

Securing Internet Connections Cookies

Cookies are text files that a browser maintains on the user's hard disk. They store information on a Web client for future sessions with a Web server.

A cookie will typically contain information about the user. It is used to provide a persistent, customized Web experience for each visit and to track a user’s browser habits. A cookie can contain the history of a client to improve customer service.

A tracking cookie is a particular type of permanent cookie that stays around, whereas a session cookie stays around only for the particular visit to a website.

The danger in maintaining session information is that sites may access cookies stored in the browser’s cache that may contain sensitive information identifying the user or allowing access to secured sites.

The information stored in a cookie is not typically encrypted and might be vulnerable to hacker attacks.

The best protection is to not allow cookies to be accepted. Almost every browser offers the option to enable or disable cookies. If you enable them, you can usually choose whether to accept/reject all or only those from an originating server.
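As an added example (not part of the course material), the following Python code classifies Set-Cookie headers the way the slide distinguishes session cookies from permanent ones, and goes one step beyond the slide by checking two standard cookie attributes from RFC 6265: Secure (the cookie is only sent over an encrypted connection) and HttpOnly (page scripts cannot read it). Those two flags are what stand between a cookie's unencrypted contents and an attacker who can sniff the connection or run script in the page. The headers are constructed samples, not from any real site.

```python
"""Classify Set-Cookie headers: session vs persistent, and which
protections each cookie carries.

Added example, not code from the course. The headers below are
constructed; Secure and HttpOnly are RFC 6265 attributes that the slide
does not name but that decide how exposed the cookie's plaintext is.
"""
from http.cookies import SimpleCookie

# Constructed sample of Set-Cookie headers a browser might receive.
SAMPLE_HEADERS = [
    "sessionid=8f3a2c; Path=/; Secure; HttpOnly",
    "prefs=theme%3Ddark; Path=/; Max-Age=31536000",
    "track=u-1234; Domain=.ads.example; Expires=Wed, 21 Oct 2026 07:28:00 GMT",
]


def classify_cookie(header):
    """Describe one Set-Cookie header: name, whether it is persistent (has
    Expires or Max-Age) or session-only, its protection flags, and the
    domain it is scoped to (a hint that it may be a third-party tracker)."""
    cookie = SimpleCookie()
    cookie.load(header)
    (name, morsel), = cookie.items()
    persistent = bool(morsel["expires"] or morsel["max-age"])
    return {
        "name": name,
        "kind": "persistent" if persistent else "session",
        "secure": bool(morsel["secure"]),
        "httponly": bool(morsel["httponly"]),
        "domain": morsel["domain"] or None,
    }


def risky_cookies(headers):
    """Names of cookies that would be sent in clear text (no Secure flag)
    or are readable by page scripts (no HttpOnly)."""
    return [c["name"] for c in map(classify_cookie, headers)
            if not (c["secure"] and c["httponly"])]


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(classify_cookie(header))
    print("cookies lacking Secure+HttpOnly:", risky_cookies(SAMPLE_HEADERS))
```

On the constructed sample only `sessionid` carries both flags; `prefs` and `track` are persistent cookies that any script in the page can read and that would be sent over plain HTTP, which is the exposure the slide warns about.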

Page 42:

Securing Internet Connections Cross-site scripting (XSS)

Cross-site scripting (XSS) is when a website redirects the client’s browser to attack yet another site.

XSS is a type of security vulnerability typically found in Web applications that allows code injection by hackers into the Web pages viewed by other users. It is used to trick a user into visiting a site and having code execute locally.

XSS poses the most danger when a user accesses a financial organization’s site using his or her login credentials. The problem is not that the hacker will take over the server. It is more likely that the hacker will take over the client’s session. This will allow the hacker to gain information about the legitimate user that is not publicly available.

The best protection against cross-site scripting is to disable the running of scripts.

Cross-site Scripting (12:36)

Page 43:

Securing Internet Connections Input Validation

Anytime a user must supply values in a session, validation of the data entered should be done.

Many vendors, however, have fallen prey to input validation vulnerabilities within their code. In some instances, empty values have been accepted, while others have allowed privilege escalation if certain backdoor passwords were used.

The best protection against input validation vulnerabilities is for developers to follow best practices and always validate all values entered.

As an administrator, when you learn of an input validation vulnerability with any application on your system, you should immediately stop using it until a patch has been released and installed.
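The input-validation advice on this slide and the cross-site scripting slide before it describe the same server-side discipline from two angles, so one added example (not the course's code) covers both: validate every user-supplied value before using it, and encode it before writing it into a page so that markup or script supplied by one user is displayed as text rather than executed in another user's browser. The vulnerable renderer is kept beside the hardened one so the difference is visible. The field name and the validation rule are assumed.

```python
"""Handling user-supplied values: validate on input, encode on output.

Added example, not code from the course. Shows an empty or malformed
value being rejected, and the same page fragment rendered with and
without HTML encoding. Field name and rule are assumed.
"""
import html
import re

# Assumed policy: display names are 1 to 32 characters drawn from letters,
# digits, space, dot, hyphen and underscore. Everything else is rejected.
DISPLAY_NAME_RE = re.compile(r"^[A-Za-z0-9 ._-]{1,32}$")


class ValidationError(ValueError):
    """Raised when a submitted value is outside the policy."""


def validate_display_name(value):
    """Reject empty, over-long or out-of-policy values instead of trusting
    whatever the client sent. Returns the value unchanged when it passes."""
    if value is None or value.strip() == "":
        raise ValidationError("display name must not be empty")
    if not DISPLAY_NAME_RE.match(value):
        raise ValidationError("display name contains characters outside the allowed set")
    return value


def render_greeting_unsafe(name):
    """Vulnerable: the value is pasted straight into HTML, so a submitted
    '<script>...</script>' becomes live markup in the viewer's browser."""
    return f"<p>Welcome back, {name}!</p>"


def render_greeting_safe(name):
    """Hardened: characters with HTML meaning are encoded, so the value is
    shown as text no matter what it contains."""
    return f"<p>Welcome back, {html.escape(name, quote=True)}!</p>"


def handle_profile_update(form):
    """Mimic a request handler: validate first, then render with encoding.
    Returns (http_status, body)."""
    try:
        name = validate_display_name(form.get("display_name"))
    except ValidationError as exc:
        return 400, f"<p>Error: {html.escape(str(exc))}</p>"
    return 200, render_greeting_safe(name)


if __name__ == "__main__":
    payload = "<script>alert(1)</script>"   # constructed hostile input
    print("unsafe:", render_greeting_unsafe(payload))
    print("safe:  ", render_greeting_safe(payload))
    print(handle_profile_update({"display_name": ""}))
    print(handle_profile_update({"display_name": "J. Doe"}))
```

Validation and encoding are deliberately separate steps: the allow-list keeps bad data out of the application, and the encoding protects the page even for fields whose policy legitimately allows characters such as `<` or `&`.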

Page 44:

Securing Internet Connections Java Applets

A Java applet is a small, self-contained Java script that is downloaded from a server to a client and then run from the browser. The client browser must have the ability to run Java applets in a virtual machine on the client. Java applets are used extensively in web servers today, and they are popular tools used for website development. Signed applets are similar to unsigned Java applets, with one key difference:

Unsigned Java applets use sandboxes to enforce security. A sandbox protects the system from malicious software by enforcing the execution of the application within the sandbox and preventing access to the system resources outside the sandbox. The concept of a Web script that runs in its own environment and cannot interfere with any other process is known as a sandbox.

A signed applet does not run in the Java sandbox, and it has higher system access capabilities. Signed applets are not usually downloaded from the Internet. This type of applet is usually provided by in-house or custom-programming efforts. These applets can also include a digital signature to verify authenticity. If the applet is verified as authentic, it will be installed. Users should never download a signed applet unless they are sure that the provider is trusted.

Errors in the Java virtual machine that runs in the applications may allow some applets to run outside of the sandbox. When this occurs, the applet is unsafe and may perform malicious operations.

From a user’s standpoint, the best defense is to make certain you run only applets from reputable sites you’re familiar with. From an administrator’s standpoint, you should make certain programmers adhere to programming guidelines when creating the applets.

Page 45:

Securing Internet Connections JavaScript

JavaScript is a programming language that allows access to the system resources of the system running the script.

These scripts can interface with all aspects of an operating system just like programming languages, such as the C language. This means that JavaScript scripts, when executed, can potentially damage systems or be used to send information to unauthorized persons.

JavaScript scripts can be downloaded from a website to a client and executed within a Web browser.

The client browser must have the ability to run Java applets in a virtual machine on the client.

Java applets are used extensively in web servers today, and they are becoming one of the most popular tools used for website development.

Page 46:

Securing Internet Connections Popups

A Popup occurs when a Web site is opened in the foreground.

Popups are an annoyance, and some can contain inappropriate content or entice the user to download malware.

Some popup blockers may delete the information already entered by reloading the page, causing the users unnecessary grief.

Many popup blockers are integrated into vendor toolbars.

Field help for fill-in forms is often in the form of a popup.

A Popunder occurs when a Web site is opened in the background. Popunders are in the same family as popups and should be prevented by enabling a popup blocker on the user’s computer.

You can adjust the settings on popup blockers to meet the organizational policy or to best protect the user environment:

High settings might prevent application or program installation. Medium will block most automatic popups but still allow functionality.

You can circumvent popup blockers in various ways: Most popup blockers block only the JavaScript; therefore, technologies such as Flash bypass the popup blocker. On many Internet browsers, holding down the Ctrl key while clicking a link will allow it to bypass the popup filter.

Page 47:

Securing Internet Connections SMTP Relay

SMTP relay is a feature designed into many e-mail servers that allows them to forward e-mail to other e-mail servers.

The main purpose of implementing an e-mail relay server is to protect the primary e-mail server by reducing the effects of viruses and port scan attacks.

Initially, the SMTP relay function was intended to help bridge between systems. This capability allows e-mail connections between systems across the Internet to be made easily. Unfortunately, this feature has been used to generate a great deal of spam on the Internet.

You should configure your e-mail server to prevent e-mail relay because e-mail relay can result in untraceable, unwanted, unsolicited e-mail messages being sent.
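What "configure your e-mail server to prevent relay" amounts to is a policy decision made at the RCPT TO stage of every SMTP transaction. The following added example (not the course's code and not the configuration syntax of any particular mail server) states that policy in Python: mail addressed to one of the server's own domains is always accepted, mail for any other domain is relayed only when the client has authenticated or connects from a trusted internal network, and everything else is refused with a 554 reply. The local domains, trusted network and sample transactions are constructed.

```python
"""Relay policy for an SMTP server, evaluated per RCPT TO.

Added example, not a real mail server's configuration. Domains,
networks and the sample transactions are constructed.
"""
import ipaddress

LOCAL_DOMAINS = {"example.edu", "mail.example.edu"}           # assumed
TRUSTED_NETWORKS = [ipaddress.ip_network("10.10.0.0/16")]   # assumed LAN


def domain_of(address):
    """Lower-cased domain part of an address such as user@host."""
    _, _, domain = address.rpartition("@")
    return domain.lower()


def relay_decision(client_ip, authenticated, mail_from, rcpt_to):
    """Return (accept, reason) for one RCPT TO command.

    Delivery to a local domain is always accepted. Relaying to any other
    domain is allowed only for an authenticated client or one on a trusted
    network. MAIL FROM is deliberately not trusted for the decision: the
    sender address is caller-supplied and trivially forged."""
    if domain_of(rcpt_to) in LOCAL_DOMAINS:
        return True, "local delivery"
    if authenticated:
        return True, "relay for authenticated sender"
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in TRUSTED_NETWORKS):
        return True, "relay for trusted network"
    return False, "554 Relay access denied"


# Constructed transactions: (client IP, authenticated?, MAIL FROM, RCPT TO).
SAMPLE_TRANSACTIONS = [
    ("203.0.113.7", False, "anyone@spammer.invalid", "victim@elsewhere.test"),
    ("203.0.113.7", False, "anyone@spammer.invalid", "staff@example.edu"),
    ("10.10.4.2", False, "user@example.edu", "friend@elsewhere.test"),
    ("198.51.100.9", True, "user@example.edu", "friend@elsewhere.test"),
]


def audit(transactions):
    """Return [(rcpt_to, reason)] for the transactions that would be accepted,
    so an administrator can see exactly which rule let each one through."""
    accepted = []
    for client_ip, authenticated, mail_from, rcpt_to in transactions:
        ok, reason = relay_decision(client_ip, authenticated, mail_from, rcpt_to)
        if ok:
            accepted.append((rcpt_to, reason))
    return accepted


if __name__ == "__main__":
    for tx in SAMPLE_TRANSACTIONS:
        print(tx[0], tx[3], "->", relay_decision(*tx))
```

The first constructed transaction, an unknown Internet host trying to send mail to a third party through this server, is the open-relay case the slide warns about and is the only one refused; the same host delivering mail to a local mailbox is accepted, because refusing that would stop legitimate inbound mail.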

Page 48:

Working with File Transfer Protocol

FTP servers provide user access to upload or download files between client systems and a networked FTP server. FTP servers include many potential security issues, including anonymous file access and unencrypted authentication. FTP has three separate functions: FTP is a protocol, a client, and a server.

The client system runs a program called FTP. The server runs a service called FTP server. The FTP client and server communicate using the FTP protocol. The client requests a connection to a server that runs the FTP service. The client and server communicate using a protocol that defines the command structure and interactions between the client and server.

Early FTP servers based security on the honor system. Most logons to an FTP site used the anonymous logon: conventionally, the user's e-mail address, with the password anonymous. In this situation, the only security offered is what is configured by the operating system. The major security vulnerability of FTP is that the user ID and password are not encrypted and are sent in clear text. This leaves them subject to packet capture, a major security breach, especially if you are connecting to an FTP server across the Internet. The only protection is to implement Secure FTP (SFTP) or to implement FTP with Transport Layer Security (TLS) or Secure Sockets Layer (SSL). Secure FTP (SFTP) is accomplished using a protocol called Secure Shell (SSH).

Page 49:

Understanding Network Protocols

Simple Network Management Protocol (SNMP) is used to monitor network devices. SNMP is used for monitoring the health of network equipment, computer equipment, and devices such as a UPS. It uses port 161 to communicate.

Internet Control Message Protocol (ICMP) is used for destination and error reporting functions in TCP/IP. ICMP is routable and is used by programs such as Ping and Traceroute. ICMP is used for carrying error, control, and informational packets between hosts. ICMP is one of the favorite protocols used for DoS attacks. You can disable ICMP through the router to prevent these types of situations from occurring.

Internet Group Management Protocol (IGMP) is used for group messaging and multicasting. IGMP maintains a list of systems that belong to a message group. When a message is sent to a particular group, each system receives an individual copy. Multicasting can consume huge amounts of bandwidth in a network and possibly create a DoS situation. Most network administrators disable the reception of broadcast and multicast traffic from outside their local network.

ICMP and SNMP (4:39)

Page 50:

The Basics of Cabling, Wires, and Communications Coax

Coaxial cabling has a center conductor which is used to carry data from point to point. The center conductor has an insulator wrapped around it. A shield is found over the insulator, and a nonconductive sheath is found around the shielding.

Coaxial cabling is probably one of the oldest types of network cabling still in use.

Coax has two primary vulnerabilities from a security perspective.

The most common is the addition of a T-connector attached to a network sniffer. This sniffer would have unrestricted access to the signaling on the cable. The second and less common method involves a connection called a vampire tap. A vampire tap is a type of connection that hooks directly into a coax by piercing the outer sheath and attaching a small wire to the center conductor or core. This type of attachment allows a tap to occur almost anywhere in the network. Taps can be hard to find because they can be anywhere in the cable.

The two common methods of tapping a coax cable.

Page 51:

The Basics of Cabling, Wires, and Communications Unshielded Twisted Pair and Shielded Twisted Pair

UTP is broken down into seven categories that define bandwidth and performance.

The most common category is CAT 5, which allows 1000Mbps bandwidth. CAT 5 cabling is most frequently used with 100Base-T networks. The limit of a cable segment length of twisted pair for use with Ethernet is 100 meters; beyond this length, the attenuation of the cables may cause reliability problems.

RJ-45 connectors typically connect computers to a 100BaseTX network.

UTP and STP cabling isn’t as secure as coax because it can be easily tapped into, and it’s used primarily for internal wiring. It’s more difficult to splice into a twisted-pair cable, but three-way breakout boxes are easy to build or buy.

10Base-T network with a sniffer attached at the hub.

Page 52:

The Basics of Cabling, Wires, and Communications Fiber Optic

Fiber optics and its assembly continue to be very expensive when compared to wire, and this technology isn’t common on the desktop.

Fiber networks use a plastic or glass conductor and pass light waves generated by a laser.

Fiber networks are considered the most secure, although they can be tapped.

Fiber’s greatest security weakness is at the connections to the fiber-optic transceivers. Passive connections can be made at the connections, and signals can be tapped from there. The other common security issue associated with fiber optics is that fiber connections are usually bridged to wire connections.

The figure on the right shows how a fiber connection to a transceiver can be tapped. This type of splitter requires a signal regenerator for the split to function, and it can be easily detected.


The Basics of Cabling, Wires, and Communications

Infrared
Infrared allows a point-to-point connection to be made between two IR transceiver-equipped devices. Many newer laptop PCs, PDAs, and portable printers now come equipped with IR devices for wireless communications. IR is line of sight; it isn’t secure and can be easily intercepted.

Radio Frequencies
Radio frequency (RF) transmissions use antennas to send signals across the airwaves. These signals can be easily intercepted. Anyone can connect a shortwave receiver to the sound card of a PC to intercept, receive, and record shortwave and higher-frequency transmissions.

Microwave Systems
A relative newcomer on the microwave communications scene involves wireless networks. When implementing wireless networks, you would be wise to make sure you implement or install communications security devices or encryption technology to prevent the unauthorized disclosure of information in your network. Many of the newer devices include encryption protocols similar to IPSec.

A shortwave transmission between two ground sites used for text transmission. Tens of thousands of hobbyists worldwide are eavesdropping.


Employing Removable Storage

Network File System (NFS), Common Internet File System (CIFS), and Server Message Block (SMB) are all protocols used by network-attached storage (NAS).

Removable storage (commonly known as removable media) refers to any type of storage device (such as a floppy drive, magnetic tape cartridge, or CD-ROM) that can be removed from the system. Removable media is subject to viruses, physical damage, and theft. All of these devices can store and pass viruses to uninfected systems. Make sure that all files are scanned for viruses before they’re copied to these media.

CD-R/DVD-R
The CD Recordable (CD-R) allows CDs to be burned on a computer. Most new computer systems come standard with a CD-R burner or CD-R drive. You can quickly back up data to or restore data from the CD-R. Data theft is easy with a CD-R; an attacker can get on a system that has a CD-R and copy data from hard disks or servers.

Diskettes
Diskettes have properties similar to hard drives, although they usually store smaller amounts of data. They’re one of the primary carriers of computer viruses, and they can be used to make copies of small files from hard disks.

Flash Cards
Flash cards, also referred to as memory sticks, are small memory cards that can be used to store information. A system that has a flash card interface usually treats flash cards like a hard drive. Flash cards can carry viruses, and they can be used to steal small amounts of information from systems that support them. Most PDA devices accept flash cards, making them susceptible to viruses that are targeted at PDAs.

Hard Drives
Hard drives can be quickly removed from systems, and portable hard drives can be easily attached. Imaging software can be used to download a system onto a hard drive in minutes. Another aspect of hard drive security involves the physical theft or removal of the drives. Hard drives are also susceptible to viruses because they’re the primary storage devices for most computers.


Employing Removable Storage

Network Attached Storage
Most network attached storage (NAS) devices are simply computers dedicated to the task of storing files for users on the network. The users typically connect to the NAS units through Network File System (NFS) or Server Message Block (SMB) communication with network file servers.

Smart Cards
Smart cards are used for access control, and they can contain a small amount of information. Smart cards are replacing magnetic cards in many instances because they can store additional personal information and are harder to copy or counterfeit. Smart cards are difficult to counterfeit, but they’re easy to steal. Once a thief has a smart card, they have all the access the card allows. To prevent this, many organizations don’t put any identifying marks on their smart cards, making it harder for someone to utilize them. A password or PIN is required to activate many modern smart cards, and encryption is employed to protect the contents.

Tape
The most common backup and archiving media in large systems is tape. Tape provides the highest-density storage in the smallest package. Tape can be restored to another system, and all the contents will be available for review and alteration. It’s relatively easy to edit a document, put it back on the tape, and then restore the bogus file back to the original computer system. This, of course, creates an integrity issue that may be difficult to detect.

Thumb Drives
Thumb drives allow you to store a large quantity of data on something that easily fits into your pocket. Being nothing more than storage media, thumb drives are susceptible to holding the same malware as other forms of removable media.
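One way to make the tape and removable-media integrity problem described above detectable, as an added example that is not part of the original slides: record a SHA-256 manifest of every file before it is written to the media, keep that manifest apart from the media, and compare the restored files against it. File names and contents in the demo are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backup sets need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file (path relative to root) to its SHA-256 digest."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare a restored tree against the manifest captured before backup.

    The manifest must be stored separately from the media (and ideally
    signed); a manifest kept on the same tape can be edited along with it.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest
                           if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "added": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict:
    """Constructed scenario: back up two files, then simulate offline tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "payroll.txt").write_text("salary=1000\n")
        (root / "readme.txt").write_text("original\n")
        manifest = build_manifest(root)                      # taken before writing to tape
        (root / "payroll.txt").write_text("salary=9000\n")   # document edited on another system
        (root / "extra.txt").write_text("planted\n")         # bogus file added to the restore set
        (root / "readme.txt").unlink()                       # file dropped from the restore set
        return verify_manifest(root, manifest)               # every change is reported


if __name__ == "__main__":
    print(demo())
```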


The End