■ Authentication schemes for which there are no standards or publicly available specifications will not receive rigorous peer security review. PEAP is an open standard supported under the security framework of the IEEE 802.1x specification.
■ PEAP offers security and efficiency when used with roaming wireless devices. Authentication latency is frequently a concern with wireless networks because users may need to reconnect to a network through a number of AP devices as they roam. As a result, it is valuable to be able to quickly perform reauthentication. PEAP supports this capability through the TLS session resumption facility, and any EAP method running under PEAP can take advantage of it.
■ PEAP provides support for EAP authentication methods such as EAP-TLS and EAP-MS-CHAPV2 that can perform computer authentication.
■ The PEAP protocol specifies an option of hiding a user’s name, known as identity privacy.
Summary

In today’s networking world, networks no longer have to be designed the same way. There are many options available as to how to physically and logically design a network. All these options can be used to increase the security of the internal network by keeping untrusted and unauthorized users out. The usage of DMZs to segment traffic into a protected zone between external and internal firewalls helps prevent attacks against your Internet-facing servers.

VPNs are used to allow remote network users to securely connect back to the corporate network. To additionally reduce the risk in your environment, application and service hardening should be considered. Be familiar with the required ports for various services so that you can uninstall or disable unused services, which will reduce unnecessary exposure. Include evaluation of network services such as DNS and DHCP, and specific types of application services such as e-mail, databases, NNTP servers, and others. IDSs are used to identify and respond to attacks on the network. Several types of IDSs exist, each with its own unique pros and cons. Which type you choose depends on your needs and ultimately on your budget. An IPS is a newer type of IDS that can quickly respond to perceived attacks. Honeypots are advanced IDSs that can intelligently respond to attacks, actually enticing the attacker to select them over other real targets on the network. Honeypots can be used to distract attackers from real servers and keep them occupied while you collect information on the attack and the source of the attack.

After an attack has occurred, the most important thing to do is to collect all the evidence of the attack and its methods. You also want to take steps to ensure that the same type of attack cannot be successfully performed on the network in the future.

Authentication protocols are chosen based on the applications, complexity, and level of security needs. Kerberos provides access through secure encrypted keys and issuance of tickets. CHAP validates the identity of the clients through a three-way handshake (challenge, response, success or failure).

RADIUS is the most popular of all the AAA servers, which include RADIUS, TACACS, and TACACS+. Although TACACS offers authentication and authorization, it does not offer any accounting tools. TACACS+ is credited with separating the AAA functions. We learned the differences between RADIUS, TACACS, and TACACS+. TACACS+ uses TCP as its transport instead of UDP.

Mutual authentication is a process where both the requestor and the target entity must fully identify themselves before communication or access is allowed. We also reviewed EAP and PEAP.
Exam Objectives Fast Track

Hardware and Software Security Devices

■ IDSs can be deployed to alert administrators of unusual or suspicious activity on the network.
■ Honeypots and honeynets can be useful tools to redirect the attention of attacks to decoy systems to prevent damage to production components.
■ Firewalls can be deployed to segment the network and add additional security with firewall rules.
■ The simplest way to define an IDS is to describe it as a specialized tool that knows how to read and interpret the contents of log files from sensors placed on the network, routers, firewalls, servers, and other network devices.
■ A firewall is a hardware or software device used to keep undesirables electronically out of a network the same way that locked doors and secured server racks keep undesirables physically away from a network.
■ A packet-filtering firewall works at the network layer of the OSI model and is designed to operate rapidly by either allowing or denying packets.
■ An application layer gateway operates at the application layer of the OSI model, analyzing each packet and verifying that it contains the correct type of data for the specific application it is attempting to communicate with.
■ A stateful inspection firewall checks each packet to verify that it is an expected response to a current communications session. This type of firewall operates at the network layer but is aware of the transport, session, presentation, and application layers and derives its state table based on these layers of the OSI model.
■ A proxy server is a server that sits between an intranet and its Internet connection. Proxy servers provide features such as document caching (for faster browser retrieval) and access control.
■ A honeypot is a computer system that is deliberately exposed to public access – usually on the Internet – for the express purpose of attracting and distracting attackers.
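As an added illustration (not from the book), the following Python models the difference between the packet-filtering and stateful inspection firewalls described above: the stateless filter judges each header on its own, while the stateful filter keeps a session table and admits inbound packets only as expected replies to sessions the inside opened. The addresses, internal prefix and rule set are constructed for the demo.

```python
from collections import namedtuple

# Constructed demo values: a 5-tuple packet header and the protected subnet.
Packet = namedtuple("Packet", "proto src sport dst dport")
INTERNAL_PREFIX = "10.0.0."


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


class PacketFilter:
    """Stateless packet filter: each packet is judged on its own header alone."""
    def __init__(self, rules):
        # rules: (direction, sport, dport, allow); None matches any port
        self.rules = rules

    def allow(self, pkt: Packet) -> bool:
        direction = "out" if is_internal(pkt.src) else "in"
        for d, sport, dport, verdict in self.rules:
            if (d == direction and sport in (None, pkt.sport)
                    and dport in (None, pkt.dport)):
                return verdict
        return False  # default deny


class StatefulFilter:
    """Stateful inspection: outbound traffic creates a session entry, and an
    inbound packet is admitted only as the expected reply to such an entry."""
    def __init__(self):
        self.table = set()

    def allow(self, pkt: Packet) -> bool:
        if is_internal(pkt.src) and not is_internal(pkt.dst):
            self.table.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Inbound: the reversed 5-tuple must match a session we initiated.
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table


def run_scenario() -> dict:
    """Constructed traffic: a web request, its genuine reply, then an unsolicited
    inbound packet to port 445 that merely looks like a web reply (source port 80)."""
    stateless = PacketFilter([("out", None, None, True), ("in", 80, None, True)])
    stateful = StatefulFilter()
    request = Packet("tcp", "10.0.0.5", 40000, "192.0.2.10", 80)
    reply = Packet("tcp", "192.0.2.10", 80, "10.0.0.5", 40000)
    unsolicited = Packet("tcp", "198.51.100.7", 80, "10.0.0.5", 445)
    results = {}
    for name, fw in (("stateless", stateless), ("stateful", stateful)):
        results[name] = tuple(fw.allow(p) for p in (request, reply, unsolicited))
    return results
```

The stateless rule that lets web replies in also lets the unsolicited packet through; the stateful filter drops it because no matching session exists in its table.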
Network Ports, Services, and Threats

■ One of the most common methods of obtaining access to a Windows-based system and then gaining control of that system is through NetBIOS traffic.
■ Modern Windows-based platforms allow the configuration of OS and network services from provided administrative tools. These tools include a service applet in a control panel or an MMC tool in a Windows XP/Vista/2003/2008 environment. It may also be possible to check or modify configurations at the network adaptor properties and configuration pages.
■ As attacks become more complex, they tend to be both application-based and network-based, which has spawned the new term mixed threat applications. An example of such an attack can be seen in the MyDoom worm, which targeted Windows machines in 2004.
Network Access Security

■ Remote Access Policies define the clients’ access methods, protocols before authentication, and access permissions upon successful authentication.
■ Biometrics is used with devices that have the ability to authenticate something you already have, such as a fingerprint or retinal image.
■ RADIUS is an acronym of Remote Access Dial-In User Service.
■ RADIUS is the most popular of all the authentication, authorization, and accounting servers.
■ RADIUS supports a number of protocols including PPP, PAP, and CHAP.
■ Kerberos is a multiplatform authentication method that requires tickets (tokens) and a KDC. It exists as a realm in most platforms and is used in the domain environment in Windows Active Directory structures.
■ Directory services are used to store and retrieve information about objects, which are managed by the service.
■ LDAP services are used to access a wide variety of information that’s stored in a directory.
■ All popular NOSs implement directory services similar to LDAP.
■ CHAP offers a three-way handshake mechanism (Challenge, Response and Accept/Reject).
■ CHAP can use a shared secret, and uses a one-way hash to protect the secret. CHAP is more secure than PAP, as PAP transmits the password in cleartext.
■ RADIUS and TACACS use UDP, and TACACS+ uses TCP.
■ Mutual authentication consists of using various methods to verify both parties to the transaction to the other.
■ 802.1x uses EAP for passing messages between the supplicant and the authenticator.
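The CHAP three-way handshake described in the summary and in the bullets above, shown beside a PAP exchange so the difference a sniffer would see is concrete. This is an added example, not code from the book; the response computation follows RFC 1994 (MD5 over identifier, secret and challenge), and the shared secret and PAP password store are constructed demo values.

```python
import hashlib
import hmac
import os

# Constructed demo credentials; in a real deployment the secret is provisioned
# out of band on both peers and is never sent over the link.
SHARED_SECRET = b"example-shared-secret"
PAP_PASSWORDS = {b"alice": b"hunter2"}  # constructed authenticator password store


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP response per RFC 1994: MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_exchange(peer_secret: bytes, authenticator_secret: bytes,
                  identifier: int = 1) -> tuple[list, bool]:
    """Three-way handshake (Challenge, Response, Success/Failure); returns the
    packets as they would appear on the wire and the outcome."""
    wire = []
    challenge = os.urandom(16)                       # fresh per exchange
    wire.append(("Challenge", identifier, challenge))
    response = chap_response(identifier, peer_secret, challenge)
    wire.append(("Response", identifier, response))  # a hash, not the secret
    expected = chap_response(identifier, authenticator_secret, challenge)
    ok = hmac.compare_digest(expected, response)
    wire.append(("Success" if ok else "Failure", identifier, b""))
    return wire, ok


def pap_exchange(username: bytes, password: bytes) -> tuple[list, bool]:
    """PAP two-way exchange: the password itself travels in the request."""
    wire = [("Authenticate-Request", username + b":" + password)]
    ok = PAP_PASSWORDS.get(username) == password
    wire.append(("Authenticate-Ack" if ok else "Authenticate-Nak", b""))
    return wire, ok


def secret_on_wire(wire: list, secret: bytes) -> bool:
    """What a sniffer sees: does any packet carry the secret in cleartext?"""
    return any(secret in pkt[-1] for pkt in wire)


def replay_works(captured_wire: list, authenticator_secret: bytes) -> bool:
    """Try a captured CHAP Response against a new Challenge (it should fail)."""
    captured_response = captured_wire[1][2]
    new_challenge = os.urandom(16)
    expected = chap_response(1, authenticator_secret, new_challenge)
    return hmac.compare_digest(expected, captured_response)
```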
Security Zones

■ A security zone is defined as any portion of a network that has specific security concerns or requirements. Intranets, extranets, DMZs, and VLANs are all security zones.
■ You must imagine the different pieces that make up a network as discrete network segments holding systems that share common requirements. These are sometimes called security zones, and some of these common requirements can be the types of information the zone handles, who uses the zone, and what levels of security the zone requires to protect its data.
■ In computer security, a DMZ is a “neutral” network segment where systems accessible to the public Internet are housed, which offers some basic levels of protection against attacks.
Exam Objectives Frequently Asked Questions

Q: What is the difference between access controls and authentication? They seem to be the same.
A: Access controls set the condition for opening the resource. This could be the time of day, where the connection originates, or any number of conditions. Authentication verifies that the entity requesting the access is verifiable and who the entity is claiming to be.

Q: How do I choose a suitable authentication factor from the various authentication factors available?
A: Based on the applications you use and the level of security you want to provide, you should choose the authentication factor. One-factor is simple and less secure. It uses passwords only. Two-factor introduces a further level of security by token cards and PIN. Multifactor authentication involves biometrics, voice recognition, or such higher levels of security. Cost implication and ease of roll-out in large scale need to be considered in addition to security concerns while choosing multifactor authentication mechanisms.

Q: What are the devices that can be configured as RADIUS clients?
A: Various network devices including routers, switches, and WAPs can be configured as RADIUS clients.

Q: TACACS or TACACS+? Please advise.
A: TACACS+ is a proprietary Cisco protocol. It uses TCP. TACACS uses UDP and does not offer accounting tools. When your network is predominantly Cisco, you may consider TACACS+. All aspects of AAA are offered by TACACS+.

Q: What are the factors that influence PEAP deployment?
A: PEAP uses TLS to create an encrypted channel between the client supplicant and the RADIUS server. PEAP provides additional security for the client-side EAP authentication protocols, such as EAP-MS-CHAPV2, that can operate through the TLS-encrypted channel. When you need to implement a higher level of security and are looking for a wide range of NOS platforms for deployment, you may want to consider PEAP.

Q: What is a Proxy server?
A: A Proxy server is a device that sits between the Internet and the intranet and funnels traffic. It can provide access control and also document caching. Depending on the proxy server implementation, they often have the capability to cache Web page content as well, which makes browsing common sites faster, and they can publish internal Web site content to the Internet.

Q: How do I find out which port numbers are used by a specific application?
A: One of the easiest ways is to consult product documentation when it is available, but other ways include examining listening ports on the machine, using a packet sniffer to capture data transmitted by the application, and viewing the configuration information in the application.
Self Test

1. You are acting as a security consultant for a company wanting to decrease their security risks. As part of your role, they have asked that you develop a security policy that they can publish to their employees. This security policy is intended to explain the new security rules and define what is acceptable and not acceptable from a security standpoint, as well as defining the method by which users can gain access to IT resources. What element of AAA is this policy a part of?
A. Authentication
B. Authorization
C. Access Control
D. Auditing

2. One of the goals of AAA is to provide CIA. A valid user has entered their ID and password, and has been authenticated to access network resources. When they attempt to access a resource on the network, the attempt returns a message stating, “The server you are attempting to access has reached its maximum number of connections.” Which part of CIA is being violated in this situation?
A. Confidentiality
B. Integrity
C. Availability
D. Authentication

3. You are performing a security audit for a company to determine their risk from various attack methods. As part of your audit, you work with one of the company’s employees to see what activities he performs during the day that could be at risk. As you work with the employee, you see him perform the following activities:
■ Log in to the corporate network using Kerberos
■ Access files on a remote system through a Web browser using SSL
■ Log into a remote UNIX system using SSH
■ Connect to a POP3 server and retrieve e-mail
Which of these activities is most vulnerable to a sniffing attack?
A. Logging in to the corporate network using Kerberos
B. Accessing files on a remote system through a Web browser using SSL
C. Logging into a remote UNIX system using SSH
D. Connecting to a POP3 server and retrieving e-mail

4. You are reading a security article regarding penetration testing of various authentication methods. One of the methods being described uses a time-stamped ticket as part of its methodology. Which authentication method would match this description?
A. Certificates
B. CHAP
C. Kerberos
D. Tokens

5. You are a security consultant for a large company that wants to make its intranet available to its employees via the Internet. They want to ensure that the site is as secure as possible. To do this, they want to use multifactor authentication. The site uses an ID and password already, but they want to add security features that ensure that the site is indeed their site, not a spoofed site, and that the user is an authorized user. Which authentication technology supports this?
A. Certificates
B. CHAP
C. Kerberos
D. Tokens

6. You are developing a password policy for a company. As part of the password policy, you define the required strength of the password. Because of the security requirements for the company, you have required a minimum length of 14 characters, the use of uppercase and lowercase alphabetic characters, the use of numbers, and the use of special characters. What else should you require?
A. No dictionary words allowed in the password
B. No portion of the username allowed in the password
C. No personal identifiers allowed in the password
D. All the above

7. You have been asked to help a company implement multifactor authentication. They want to make sure that the environment is as secure as possible through the use of biometrics. Based on your knowledge of authentication, you understand that biometrics falls under the “something you are” category. Which other category should be used with the biometric device to provide the highest level of security?
A. Something you know
B. Something you have
C. Something you do
D. All the above

8. You are attempting to query an object in an LDAP directory using the distinguished name of the object. The object has the following attributes:
cn: 4321
givenName: John
sn: Doe
telephoneNumber: 905 555 1212
employeeID: 4321
mail: jdoe@nonexist.com
objectClass: organizationalPerson
Based on this information, which of the following would be the distinguished name of the object?
A. dc=nonexist, dc=com
B. cn=4321
C. dn: cn=4321, dc=nonexist, dc=com
D. jdoe@nonexist.com

9. You are creating a new LDAP directory, in which you will need to develop a hierarchy of organizational units and objects. To perform these tasks, on which of the following servers will you create the directory structure?
A. DIT
B. Tree server
C. Root server
D. Branch server

10. When using LDAP for authentication in an internetworking environment, what is the best way to ensure that the authentication data is secure from packet sniffing?
A. Use LDAP to keep all passwords encrypted when transmitted to the server
B. Use LDAP over SSL/TLS to encrypt the authentication data
C. Require that the clients use strong passwords so that they cannot easily be guessed
D. Use LDAP over HTTP/S to encrypt the authentication data

11. Which password attack will take the longest to crack a password?
A. Password guessing
B. Brute force attack
C. Dictionary attack
D. All attacks are equally fast

12. The company you are working for has decided to do something to make their workstations more secure. They have decided to give all users a Smart Card for use with system logins. Which factor of authentication is used with this new requirement?
A. Something you know
B. Something you have
C. Something you are
D. Something you do

13. Choose the correct set of terms: When a wireless user, also known as the _____, wants to access a wireless network, 802.1x forces them to authenticate to a centralized authority called the _____.
A. Authenticator; supplicant
B. Supplicant; authenticator
C. Supplicant; negotiator
D. Contact; authenticator

14. You have been asked to use an existing router and use it as a firewall. Management would like you to use it to perform address translation and block some known bad IP addresses that previous attacks have originated from. With this in mind, which of the following statements are accurate?
A. You have been asked to perform NAT services
B. You have been asked to set up a proxy
C. You have been asked to set up stateful inspection
D. You have been asked to set up a packet filter

15. EAP is available in various forms including:
A. EAPoIP, EAP-TLS, EAP-TTLS, RADIUS, Cisco LEAP, EAP-FAST
B. EAPoIP, EAP-TLS, EAP-MPLS, RADIUS, EAP-FAST
C. EAPoIP, EAP-TLS, EAP-TTLS, RADIUS, Cisco PEAP
D. EAPoIP, EAP-TLS, EAP-TTLS, Kerberos, EAP-FAST
Self Test Quick Answer Key

1. C
2. C
3. D
4. C
5. A
6. D
7. D
8. C
9. C
10. B
11. B
12. B
13. B
14. B
15. D