
A+, Network+, Security+ Exams in a Nutshell, Part 8 (PDF)



562 | Chapter 9: Network+ Exam Prep and Practice

• SSL provides end-to-end security for Internet communications by using encryption

• A Public Key Infrastructure (PKI), which issues the server certificates that clients verify, is required for end-to-end security using SSL

Wired Equivalent Privacy (WEP)

• WEP is a security protocol used for IEEE 802.11 wireless networks

• It was designed to give a wireless network privacy (confidentiality) equivalent to that of a wired network

• A WEP-enabled client encrypts each frame with the RC4 stream cipher, keyed with a 40-bit shared secret key prefixed by a 24-bit Initialization Vector (IV) that is sent in the clear with the frame

• The receiving end reads the IV from the frame and uses the same secret key to decrypt the data and recover the plain text

• The newer version of WEP uses 104-bit secret keys (marketed as "128-bit" because the 24-bit IV is counted in)

• Because the IV space is only 2^24 values and the secret key never changes, IVs repeat on a busy network; two frames encrypted under the same IV share an RC4 keystream, and the key itself can be recovered from enough captured traffic. WEP is considered broken and should not be relied on to protect a network.
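The IV-reuse weakness in the last bullet, demonstrated on a toy WEP implementation. This is an added example and not code from the book: the 40-bit key, the IV and the frame contents are constructed, and the RC4 routine is a plain textbook implementation rather than any vendor's.

```python
"""Added example (not from the book): why WEP's 24-bit IV is fatal.

WEP keys RC4 with IV || secret and sends the IV in the clear. When two
frames reuse an IV they share a keystream, so XORing the ciphertexts
cancels the keystream and leaks the XOR of the two plaintexts. Key, IV
and payloads below are constructed for illustration.
"""

SECRET_KEY = bytes.fromhex("0123456789")   # constructed 40-bit WEP key


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (key scheduling + PRGA); WEP used RC4 as its stream cipher."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv: bytes, secret: bytes, plaintext: bytes) -> bytes:
    """Per-packet key = 24-bit IV || secret; the IV travels in the clear."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    keystream = rc4_keystream(iv + secret, len(plaintext))
    return iv + xor_bytes(plaintext, keystream)


def wep_decrypt(frame: bytes, secret: bytes) -> bytes:
    iv, body = frame[:3], frame[3:]
    return xor_bytes(body, rc4_keystream(iv + secret, len(body)))


def recover_with_known_plaintext(frame1: bytes, frame2: bytes,
                                 known_plaintext1: bytes) -> bytes:
    """Attacker holds two frames with the same IV and knows frame1's plaintext
    (an ARP or DHCP payload is predictable). Recovers frame2's plaintext
    without ever learning the secret key."""
    if frame1[:3] != frame2[:3]:
        raise ValueError("different IVs: keystreams are independent")
    n = min(len(frame1), len(frame2)) - 3
    keystream = xor_bytes(frame1[3:3 + n], known_plaintext1[:n])
    return xor_bytes(frame2[3:3 + n], keystream)


def iv_space_exhausted_after(frames_per_second: int) -> float:
    """Seconds until all 2^24 IVs have been used at a given frame rate;
    a busy AP at 500 frames/s wraps in under ten hours."""
    return (1 << 24) / frames_per_second
```

Note that the recovery step needs no cryptanalysis of RC4 at all; the later key-recovery attacks on WEP (weak-IV statistical attacks) only made the outcome faster.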

Wi-Fi Protected Access (WPA)

• WPA overcomes many weaknesses found in WEP

• It uses larger encryption keys and derives a fresh key for every packet

• It provides enhanced data encryption security by using the Temporal Key Integrity Protocol (TKIP), which also adds a message integrity check

• In enterprise mode it uses 802.1X with one of several variations of the Extensible Authentication Protocol (EAP), some of which rely on public key cryptography (certificates)

• WPA can also be used in a preshared key (WPA-PSK) mode

• In preshared key mode, each user must know and enter the same passphrase to access the wireless network

802.1X

• 802.1X is an IEEE standard for port-based network access control: a switch port or wireless association stays blocked until the client has authenticated

• It carries Extensible Authentication Protocol (EAP) messages between the client and the network device (EAP over LAN, or EAPOL)

• Supplicant refers to the client software that needs access to a switch port or wireless access point

• Authenticator refers to the network device (switch or wireless access point) that relays the supplicant's authentication requests to an authentication server such as a RADIUS server

Authentication protocols

• Authentication is the process of verifying the credentials of a user

• Challenge Handshake Authentication Protocol (CHAP) never sends the password itself: the server sends a random challenge and the client answers with a hash of the challenge and the shared secret; the server can repeat the challenge periodically to re-verify the identity of the user

• Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) is Microsoft's password-based variant of CHAP

• Password Authentication Protocol (PAP) is the most basic form of authentication, in which the username and password are transmitted in clear text

• Extensible Authentication Protocol (EAP) is a framework rather than a single method; its strongest methods (such as certificate-based EAP-TLS) make it the most secure of these mechanisms

• Shiva Password Authentication Protocol (SPAP) is used for authentication to Shiva remote access servers
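The PAP and CHAP bullets above, carried through as a worked exchange. This is an added example, not code from the book: the shared secret, the identifiers, the wordlist and the helper names are constructed for illustration; the CHAP response formula itself is the one RFC 1994 specifies.

```python
"""Added example (not from the book): PAP vs CHAP on the wire.

Shows what a sniffer sees in each case, why a captured CHAP response
cannot simply be replayed, and why it still allows an offline dictionary
attack. Secret, wordlist and identifiers are constructed.
"""
import hashlib
import hmac
import os


def pap_authenticate_request(username: str, password: str) -> bytes:
    """PAP (RFC 1334): the peer sends username and password in clear text,
    so anyone on the path reads the password directly."""
    u, p = username.encode(), password.encode()
    return bytes([len(u)]) + u + bytes([len(p)]) + p


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): Response = MD5(Identifier || secret || Challenge).
    The secret never crosses the link."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side of CHAP. It must hold each secret in recoverable form
    (not as a one-way hash), which is one of CHAP's trade-offs."""

    def __init__(self, secrets):
        self.secrets = secrets          # constructed: name -> shared secret (bytes)
        self.identifier = 0

    def challenge(self):
        """Fresh identifier and random challenge. Re-issued periodically on a
        live link to re-verify the peer, which is what the CHAP bullet means."""
        self.identifier = (self.identifier + 1) & 0xFF
        return self.identifier, os.urandom(16)

    def verify(self, identifier, challenge, name, response) -> bool:
        secret = self.secrets.get(name)
        if secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


def chap_exchange(authenticator, name: str, secret: bytes):
    """One complete Challenge -> Response -> Success/Failure round trip.
    Returns (accepted, captured) where captured is what a sniffer saw."""
    identifier, challenge = authenticator.challenge()
    response = chap_response(identifier, secret, challenge)
    accepted = authenticator.verify(identifier, challenge, name, response)
    return accepted, (identifier, challenge, response)


def chap_offline_guess(identifier, challenge, response, wordlist):
    """Why CHAP is only 'better than PAP': one captured challenge/response
    pair lets an eavesdropper test secret guesses offline at full speed."""
    for guess in wordlist:
        if chap_response(identifier, guess.encode(), challenge) == response:
            return guess
    return None
```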


Network+ Exam Highlighters Index | 563

Remote Authentication Dial-in User Service (RADIUS)

• The RADIUS server provides centralized authentication for remote users

• RADIUS servers support several popular protocols such as PAP, CHAP, MS-CHAP, EAP, and SPAP

• Large organizations use multiple RADIUS servers to distribute the authentication load

Kerberos

• Kerberos is a cross-platform authentication protocol

• It is used for mutual authentication of users and services

• It requires a trusted third party, the Key Distribution Center (KDC), which issues encrypted session keys and tickets

• Tickets carry a timestamp and a lifetime; they expire when that lifetime ends and are discarded when the user or the service logs off

• Kerberos depends on synchronization of clocks on clients and servers, because a timestamp outside the permitted skew (five minutes by default) causes the ticket or authenticator to be rejected

Network Implementation

This subsection covers a summary of highlights from the “Network Implementation” section in the Network+ Exam Study Guide

Linux/Unix

• Linux is an open source operating system and is freely distributed

• Users must supply a username and password to log on

• Linux uses the Network File System (NFS) and the Virtual File System (VFS) layer to manage files and folders

• The Line Printer Daemon (LPD) provides printing services

• Most server applications are third-party applications

• Each file and directory has an owner, a group, and read/write/execute permission bits; filesystems can additionally carry per-object Access Control Lists (ACLs)

• Host-based access control for network services is stored in text files such as hosts.allow and hosts.deny (TCP Wrappers)

Mac OS X

• Mac OS X is designed for Apple computers

• User authentication is provided through user accounts

• Limited, standard, and administrator are the three types of accounts

• Mac OS X supports the Hierarchical File System Plus (HFS+)

• Each file or folder in Mac OS X has an associated set of permissions

NetWare

• NetWare is a full-featured network operating system

• Several network services such as DHCP, DNS, Web, and FTP are built in

• NetWare also requires users to provide credentials such as username, password, Directory Context, and the name of the directory tree

• The NetWare filesystem gives users access to hard disk partitions, known as volumes

• NetWare supports Novell Distributed Print Services (NDPS) for printing

• Access to resources in NetWare is controlled through NetWare Directory Services (NDS)

Windows 2000 Server and Windows Server 2003

• Windows 2000 Server and Windows Server 2003 are based on Active Directory

• Active Directory is a centralized database that stores information about all objects

• Servers running Active Directory services are called domain controllers

• Objects include computers, users, groups, file shares, and printers

• Windows networks operate in domains

• Administrators apply group policies to domains or Organizational Units (OUs)

• Users are required to log on to the domain once only, upon which they are permitted access to the objects in Active Directory that their permissions allow

• Windows servers use the Kerberos authentication protocol by default

• File and Print Sharing for Microsoft Networks provides file and print services

• Windows servers provide file- and folder-level security using the NT File System (NTFS)

• Files can be stored in encrypted form (Encrypting File System) and transmitted over the network in encrypted form

• IP Security (IPSec) can be used for secure transmission of data in the LAN or over a WAN

Network wiring tools

• A wire crimper is used to attach a suitable connector to a cable that has been cut to length

• A punchdown tool is used to attach wires to a patch panel

• Media testers or cable testers are used to test whether the cable is working properly

• An Optical Time Domain Reflectometer (OTDR) is used to locate breaks in fiber optic cables

• Tone generators and tone locators are used to find cable faults using audio signals

• Loopback connectors/adapters are used to test the functionality of network ports

Firewalls

• A firewall protects the internal network from outside networks

• Packet-filtering firewalls inspect the headers of each IP packet (not the application data it carries)

• Packet-filtering firewalls work on one of two basic policies: Allow by Default (everything passes unless a rule blocks it) or Deny by Default (nothing passes unless a rule permits it); Deny by Default is the safer choice because a service nobody wrote a rule for stays blocked

• Packet-filtering firewalls can be configured to allow or block traffic based on IP address, port number, protocol ID, and/or MAC address

• Application layer firewalls work at the Application layer of the OSI model

• They are also called application firewalls or application layer gateways

• Application layer firewalls are much slower than packet-filtering firewalls

• Stateful inspection firewalls track the state of each connection and allow return traffic only for sessions they have seen initiated

Proxy servers

• A proxy server allows network users to connect to the Internet in a secure manner

• It allows better utilization of available Internet connection bandwidth

• It stores (caches) web pages locally to improve performance by reducing response times

• It helps track user activities while surfing web sites

• It keeps the internal network secure from the Internet by hiding the internal IP addressing scheme

Virtual Local Area Network (VLAN)

• A VLAN is a virtual or logical grouping of network devices

• Each VLAN is a separate broadcast domain, so VLANs reduce broadcast traffic and keep hosts in different VLANs from reaching each other at Layer 2

• Network switches that support VLAN protocols are used to create VLANs

• VLANs are created on the basis of groups and memberships

• A VLAN can span multiple physical network segments or multiple switches

• A trunk link carries the traffic of several VLANs between switches, with each frame tagged (IEEE 802.1Q) to identify the VLAN it belongs to
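The trunk bullet above in code: parsing the 802.1Q tag a trunk adds to each frame, and the access-port versus trunk-port decision that gives VLANs their isolation. This is an added example and not code from the book; the frames, MAC addresses, VLAN numbers and the port model are constructed, while the tag layout (TPID 0x8100, 16-bit TCI with 3-bit priority and 12-bit VLAN ID) is the real 802.1Q format.

```python
"""Added example (not from the book): 802.1Q tagging on a VLAN trunk.

Builds tagged and untagged Ethernet frames, parses the tag back out, and
models what a switch port does on egress. Frames and port settings are
constructed for illustration.
"""
import struct

TPID_8021Q = 0x8100


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vlan_id=None, priority=0) -> bytes:
    """Ethernet frame; with vlan_id set, insert an 802.1Q tag after the
    source MAC: TPID 0x8100 then TCI = 3-bit PCP | 1-bit DEI | 12-bit VID."""
    header = dst + src
    if vlan_id is not None:
        if not 1 <= vlan_id <= 4094:
            raise ValueError("VLAN ID must be 1..4094")
        tci = ((priority & 0x7) << 13) | (vlan_id & 0xFFF)
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Return dst, src, vlan (None if untagged), priority, ethertype, payload."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan = priority = None
    offset = 14
    if ethertype == TPID_8021Q:
        (tci,) = struct.unpack("!H", frame[14:16])
        priority, vlan = tci >> 13, tci & 0xFFF
        (ethertype,) = struct.unpack("!H", frame[16:18])
        offset = 18
    return {"dst": dst, "src": src, "vlan": vlan, "priority": priority,
            "ethertype": ethertype, "payload": frame[offset:]}


def egress(frame: bytes, port: dict):
    """What a switch sends out of a port for a frame it has already
    classified (tagged) internally. port is {"mode": "access", "vlan": N}
    or {"mode": "trunk", "allowed": {N, ...}}. Returns the frame to send,
    or None when the port does not carry that VLAN."""
    info = parse_frame(frame)
    vlan = info["vlan"]
    if port["mode"] == "access":
        if vlan != port["vlan"]:
            return None                       # access port carries one VLAN only
        # strip the tag: hosts on access ports never see 802.1Q headers
        return build_frame(info["dst"], info["src"], info["ethertype"], info["payload"])
    if vlan not in port["allowed"]:
        return None                           # VLAN pruned from this trunk
    return frame                              # keep the tag so the far switch knows the VLAN
```

A host that can inject its own 802.1Q tags onto an access port gains nothing here because the tag is ignored for classification; the real-world hazard is a port left in trunk mode facing an untrusted host.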

Intranet

• Intranet refers to a private internal network

• It can be extended to remote employees through the Internet

• A tunnel is created across the Internet using protocols such as PPTP and L2TP

Extranet

• Extranets allow external clients to access internal resources

• Extranets also allow partner organizations to connect their networks

• They are implemented through VPNs or RAS

Port blocking/filtering

• Port blocking is the process of blocking unwanted traffic from entering a network

• Port filtering is configured on firewalls and proxy servers

• Blocking a specific port at the firewall stops all external traffic to that port, and therefore to the service that listens on it
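The two packet-filter policies from the Firewalls section, and the port-blocking rule from the bullets just above, as one runnable filter. This is an added example and not code from the book; the addresses, ports, rule set and class names are constructed. The point it makes is the one practitioners care about: under Allow by Default a service nobody thought of (here RDP on 3389) is reachable from the Internet, under Deny by Default it is not.

```python
"""Added example (not from the book): a minimal stateless packet filter
showing Allow-by-Default against Deny-by-Default and what blocking a port
does. Addresses, ports and rules are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    dport: int          # 0 for icmp


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None     # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto == "any" or self.proto == pkt.proto)
                and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.dport))


class PacketFilter:
    """First matching rule wins; the default policy applies when none match."""

    def __init__(self, rules, default: str):
        if default not in ("allow", "deny"):
            raise ValueError("default policy must be allow or deny")
        self.rules = list(rules)
        self.default = default

    def decide(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return self.default


# Constructed scenario: one DMZ web server, inbound rules written both ways.
WEB = "203.0.113.10"

allow_by_default = PacketFilter(
    [Rule("deny", "tcp", dport=23)],                    # port blocking: Telnet only
    default="allow")

deny_by_default = PacketFilter(
    [Rule("allow", "tcp", dst=WEB, dport=80),
     Rule("allow", "tcp", dst=WEB, dport=443),
     Rule("allow", "icmp")],
    default="deny")


def compare_policies(pkt: Packet):
    """Return (Allow-by-Default decision, Deny-by-Default decision)."""
    return allow_by_default.decide(pkt), deny_by_default.decide(pkt)
```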

Authentication

• Authentication is the method of verifying the identity of a person or a system

• In one-way authentication, only one of the entities verifies the identity of the other

• In two-way (mutual) authentication, both entities verify one another’s identity

• User credentials supplied for authentication can be transmitted in clear text or in encrypted form

Username/password

• The username and password is the most common method of authentication

• Passwords must be at least seven characters long and contain a combination of upper- and lowercase letters, numbers, and special characters

• Passwords must not contain the full or partial first or last name of the user

• Users must change their passwords periodically, and old passwords must not be reused

Biometrics

• Biometric devices identify a person based on her physical characteristics

• Common biometrics include fingerprints and retinal scans

• Handwriting, voice patterns, and body temperature are also used in biometrics

Multifactor

• In multifactor authentication, more than one factor is required

• Something you know is a factor such as your password or PIN

• Something you have is a factor such as your hardware token or a smart card

• Something you are is a factor such as your fingerprints, your eye retina, or other biometrics that can be used for identity

• Something you do is a factor such as your handwriting or your voice patterns

Encryption

• Encryption applies an algorithm to plain text to produce unreadable cipher text

• It ensures the confidentiality of messages

• Integrity ensures that a message has not been modified in transit

• Digital signatures provide data integrity and non-repudiation

• Authentication refers to the verification of the identity of a person

• Non-repudiation ensures that the sender cannot deny having sent the message

Types of malicious code

• Malicious code infects a user’s computer without his knowledge

• Viruses and worms infect a system without any obvious commercial gain

• Trojan horses, rootkits, and backdoors infect the target system and conceal their own presence and the identity of the attacker

• Spyware, botnets, and adware gather information about the user in order to gain some kind of commercial profit

• A boot sector, or bootstrap, virus infects the first sector on the hard disk

• A parasitic virus infects an executable file


Disk fault tolerance

• Disk fault tolerance is achieved by using a Redundant Array of Inexpensive Disks (RAID)

• A RAID solution can be implemented either through the NOS or through dedicated hardware

• A software-based RAID solution is inexpensive, but it is not as efficient as a hardware-based RAID solution

RAID-1

• RAID-1, or disk mirroring, is inexpensive because it needs only two disks

• It offers good read performance

• Disk utilization is 50 percent because every write is duplicated on both disks

• No special software is required; most NOSs can mirror two ordinary disks natively

RAID-5

• RAID-5 is also called disk striping with parity

• Data and parity blocks are striped across three or more disks; if one of the disks fails, its blocks are rebuilt by XORing the surviving blocks of each stripe

• The equivalent of one full disk is used for parity, so usable capacity is (number of disks minus one) times the size of one disk

• It offers good disk read performance but poorer write performance, because every write must also update a parity block

• Hardware-based RAID-5 solutions are expensive but more efficient

• Inexpensive RAID-5 solutions can be implemented through the NOS
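The RAID-5 bullets above, worked as a model: striping with rotating parity, the capacity rule, and rebuilding a lost disk from XOR parity. This is an added example and not code from the book or from any RAID driver; the disk count, chunk size and sample data are constructed, and the layout is a simplified left-rotating parity scheme chosen for clarity.

```python
"""Added example (not from the book): RAID-5 striping, parity and rebuild.

Models the layout only (no I/O): data is split into stripes of ndisks-1
chunks plus one XOR parity chunk whose position rotates across disks.
A failed disk is rebuilt chunk by chunk from the survivors.
"""


def xor_blocks(blocks):
    """XOR equal-length byte strings together."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def raid5_capacity(ndisks: int, disk_size: int) -> int:
    """Usable space: one disk's worth of the array holds parity."""
    if ndisks < 3:
        raise ValueError("RAID-5 needs at least three disks")
    return (ndisks - 1) * disk_size


def raid5_write(data: bytes, ndisks: int, chunk: int):
    """Return disks[d] = list of chunks on disk d, stripe by stripe.
    Parity rotates (stripe s puts parity on disk s % ndisks) so no single
    disk absorbs every parity write."""
    if ndisks < 3:
        raise ValueError("RAID-5 needs at least three disks")
    per_stripe = chunk * (ndisks - 1)
    data = data + b"\x00" * (-len(data) % per_stripe)        # pad last stripe
    disks = [[] for _ in range(ndisks)]
    for s in range(len(data) // per_stripe):
        stripe = data[s * per_stripe:(s + 1) * per_stripe]
        chunks = [stripe[i * chunk:(i + 1) * chunk] for i in range(ndisks - 1)]
        parity_disk = s % ndisks
        remaining = iter(chunks)
        for d in range(ndisks):
            disks[d].append(xor_blocks(chunks) if d == parity_disk else next(remaining))
    return disks


def raid5_rebuild(disks, failed: int):
    """Recompute every chunk of the failed disk as the XOR of the surviving
    chunks in the same stripe; data and parity chunks rebuild the same way."""
    ndisks = len(disks)
    nstripes = len(disks[(failed + 1) % ndisks])
    rebuilt = [xor_blocks([disks[d][s] for d in range(ndisks) if d != failed])
               for s in range(nstripes)]
    disks = list(disks)
    disks[failed] = rebuilt
    return disks


def raid5_read(disks, length: int) -> bytes:
    """Reassemble the data, skipping each stripe's parity chunk."""
    ndisks = len(disks)
    out = bytearray()
    for s in range(len(disks[0])):
        for d in range(ndisks):
            if d != s % ndisks:
                out += disks[d][s]
    return bytes(out[:length])


def simulate_single_disk_failure(data: bytes, ndisks: int, chunk: int, failed: int) -> bytes:
    """Write, lose one disk entirely, rebuild it, read everything back."""
    disks = raid5_write(data, ndisks, chunk)
    disks[failed] = None                      # the disk is gone
    return raid5_read(raid5_rebuild(disks, failed), len(data))
```

The write penalty in the bullets falls out of the model: changing one data chunk also changes that stripe's parity chunk, so a small write costs a read-modify-write of two chunks. A second failure before the rebuild finishes leaves stripes with two unknowns, which XOR cannot solve; that is why RAID-5 rebuild time matters.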

Server fault tolerance

• In a stand-by server configuration, two identical servers are used: a primary and a secondary

• The secondary server monitors the heartbeats of the primary server to detect failures

• Server clustering provides fault tolerance as well as high availability

Power supply

• Redundant power supplies provide an alternate source of power

• An Uninterruptible Power Supply (UPS) provides external redundancy

• A UPS protects against the loss of data due to sudden power failure

• It provides time to save necessary files and shut down the server properly

• It protects expensive hardware from power threats such as spikes, surges, and sags

Power problems

• A spike is a sharp increase in voltage for a very short period of time

• A surge is a slightly longer increase in voltage, usually less intense than a spike

• A sag is a sharp drop in voltage for a short period of time

• A blackout is a complete failure of the power supply

• A brownout is a drop in voltage that lasts for a significant time


Link redundancy

• Link redundancy ensures that a stand-by connection is available if the primary connection fails

• Adapter teaming provides fault tolerance and improved performance

• Adapter fault tolerance requires two network adapters

• Adapter load balancing provides fault tolerance and also improved performance

• Link aggregation effectively utilizes available network bandwidth

Data backups

• A full backup backs up all the data in a single backup job and clears the archive bit on every file

• An incremental backup backs up the data that has changed since the last full or incremental backup and clears the archive bit, so a restore needs the full backup plus every incremental taken since

• A differential backup backs up the data that has changed since the last full backup and leaves the archive bit set, so a restore needs only the full backup plus the latest differential

• A copy backup copies all the data on the system without changing the archive bit
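The four backup types above, simulated over a week of edits so the archive-bit behaviour and the resulting restore chains can be compared. This is an added example and not code from the book; the file names and the change schedule are constructed.

```python
"""Added example (not from the book): how full, incremental, differential
and copy backups treat the archive bit, and what a restore then needs.
File names and the edit schedule are constructed."""


class Volume:
    def __init__(self, names):
        # the archive bit is set on every new or modified file
        self.archive = {name: True for name in names}

    def modify(self, *names):
        for name in names:
            self.archive[name] = True


def backup(volume: Volume, kind: str):
    """Return the sorted list of files the job copies, updating archive
    bits the way that job type does."""
    if kind in ("full", "copy"):
        selected = sorted(volume.archive)                         # everything
    elif kind in ("incremental", "differential"):
        selected = sorted(n for n, bit in volume.archive.items() if bit)
    else:
        raise ValueError(kind)
    if kind in ("full", "incremental"):                            # only these clear the bit
        for name in selected:
            volume.archive[name] = False
    return selected


def restore_chain(history):
    """history: list of (kind, files) in the order the jobs ran.
    Return the jobs needed to rebuild the volume as of the latest job:
    the last full, then every later incremental, then the latest
    differential if any. Copy backups never join the chain."""
    last_full = max(i for i, (kind, _) in enumerate(history) if kind == "full")
    later = history[last_full + 1:]
    chain = [history[last_full]]
    chain.extend(job for job in later if job[0] == "incremental")
    differentials = [job for job in later if job[0] == "differential"]
    if differentials:
        chain.append(differentials[-1])
    return chain


def simulate_week(kind: str):
    """Sunday full backup, then three days of edits with the same daily job."""
    vol = Volume(["a.doc", "b.xls", "c.db"])
    history = [("full", backup(vol, "full"))]
    for changed in (["a.doc"], ["b.xls"], ["a.doc", "c.db"]):
        vol.modify(*changed)
        history.append((kind, backup(vol, kind)))
    return history
```

The trade-off the bullets describe shows up directly: the incremental schedule copies fewer files each night but its restore needs four tapes, while the differential schedule copies more each night and restores from two.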

Hot and cold spares

• Hot spares are installed inside critical servers and automatically take over from a failed component

• Cold spares are kept on hand for a critical server but must be installed and configured manually

• Hot swapping is the ability of a server to allow replacement of a failed component while the server is powered on

• Cold swapping does not allow replacement of failed components while the system is powered on

Hot, warm, and cold sites

• A hot site is equipped with all necessary hardware and allows organizations to resume business activities almost immediately after a disaster

• A warm site normally is equipped with the necessary hardware, but it is not fully configured

• A cold site requires the maximum amount of time to be set up and made functional

Network Support

This subsection covers a summary of highlights from the “Network Support” section in the Network+ Exam Study Guide

tracert/traceroute

• This utility is used to trace the route from one host to another

• It sends probes with increasing TTL values (ICMP echo packets on Windows; UDP datagrams by default on Unix/Linux) so that each router on the path reports back a TTL-exceeded message

• If a hop does not answer within the timeout, because of congestion or because the router filters the probes, the output shows Request Timed Out for that hop

• Windows operating systems use the commands tracert <Hostname> or tracert <IPAddress>

ping

• This utility is used to test connectivity between two TCP/IP hosts

• It can also test whether name resolution is working or not

• A Request Timed Out error means that the echo request did not get a response

• A Destination Host Unreachable error appears when the local host or a router on the path has no route to the destination

• An Unknown Host error means that the hostname could not be resolved

• A TTL Expired error means that the packet was discarded because its TTL reached zero before it arrived at the destination

Troubleshooting with ping

• Ping the local loopback address 127.0.0.1 (verifies that the TCP/IP stack is working)

• Ping the IP address configured on the network interface of the local host

• Ping the IP address of another host on the local network segment

• Ping the IP address of the default gateway configured on the local host

• Ping the IP address of a remote host

arp

• The arp utility displays and modifies the local table that maps IP addresses to MAC addresses

• Recently resolved MAC addresses are stored locally in the ARP cache

• Dynamic entries are created automatically in the ARP cache

• Static entries are added manually using the arp –s command

nbtstat

• This utility is used only in Windows operating systems

• It is used to display NetBIOS over TCP/IP connection statistics

• It is useful for diagnosing problems in Windows networks

winipcfg

• This utility is used in Windows 95, Windows 98, and Windows ME

• It displays current TCP/IP configuration settings

nslookup

• This utility is used to diagnose name resolution problems

• It can be executed in interactive mode or in noninteractive mode

• In noninteractive mode, it is run with one or two arguments: the name to look up and, optionally, the DNS server to query

• Interactive mode includes a number of subcommands, as listed in Table 8-25 in Chapter 8

• The query section displays the type and class of the DNS query

• The answer section displays the name of the host and its IP address for which the query is being performed

• The authority section displays information about authoritative DNS servers

Troubleshooting with visual indicators

• No light or a yellow light indicates that the device or port is not operational, not connected, or faulty

• A solid green light indicates that the device or port is connected but there is no activity

• A flashing green light indicates that the device or port is functioning properly

• A flashing amber light indicates that the network is congested and collisions are occurring

Troubleshooting remote connectivity

• Users may be denied access due to file permissions

• If a single client has a logon problem, make sure that the client is authorized to connect remotely

• If multiple clients are having logon problems, check the RAS server or the authentication server

• Make sure that all remote clients are using the correct TCP/IP configuration

• Check the physical connectivity for DSL modems/cable modems/wireless access points

• Check the LED indicators on modems, wireless access points, and routers

• Verify that a dial tone exists for dial-up modems

• Verify the SSID settings on the access point and wireless clients


Adding, removing, or modifying the DHCP service

• The DHCP service is used to dynamically assign IP addresses to clients

• If a new DHCP server is added, the DHCP clients might need to be reconfigured to obtain and renew their IP addresses

• If a DHCP server is removed, the clients will not be able to obtain or renew their IP addresses

• If the DHCP server is not available for a long time, client leases expire and the clients will not be able to connect to the network

Adding, removing, or modifying the DNS service

• The DNS service is used to resolve hostnames to IP addresses

• If the DNS server is removed, the clients will not be able to connect using hostnames

• Clients will still be able to connect using IP addresses

• If a new DNS server is added, the reconfiguration of DHCP clients should be done through the DHCP server by modifying the DHCP scope options

Adding, removing, or modifying the WINS service

• The WINS service is used to resolve NetBIOS names to IP addresses

• If the WINS server is not available, Windows clients will use broadcasts to resolve computer names

• Network broadcasts create significant network traffic and cause network congestion

• If a new WINS server is added, the reconfiguration of DHCP clients should likewise be done through the DHCP server by modifying the DHCP scope options

Troubleshooting bus networks

• If the coaxial cable breaks, all computers will be disconnected

• If one or both terminators are missing, the network is down

• If the cable is not grounded, users will report intermittent connectivity problems

• Addition or removal of computers from the bus network usually causes interruptions in network connectivity

• If the network interface on a computer fails, it will also cause network failures

Troubleshooting a star network

• Hubs and switches have LEDs to determine whether a port is connected or disconnected or whether there are collisions on the media

• The hub or switch is the single point of failure, and all users in the segment will report connectivity problems if it fails

• If only one user has a connectivity problem, trace the cable from his computer to the hub/switch and try plugging the cable into a different port, or replace the cable

• If all new computers cannot connect, verify that the correct cable type and length are used

• Make sure that patch panels and patch cables are connected properly


Troubleshooting ring networks

• The MSAU is a single point of failure, and all users will report connectivity problems if it fails

• Make sure that the Ring In and Ring Out ports are properly connected

• Verify that all network interface cards are operating at the same speed

• Verify that the cable connecting the devices is not broken

Troubleshooting network media

• Verify that the correct types of connectors are used and that they are properly attached

• Verify that the correct cable type is used

• Verify that the total length of a cable does not exceed the specifications

• Wireless access points should not be located near areas of high interference

• UTP cables should not be run in high EMI areas

• For ceilings and ducts, plenum-rated cable must be used

Troubleshooting network devices

• If a hub fails, all computers will experience connectivity problems

• A failed switch will also result in connectivity problems for some or all computers

• A failed bridge will cause connectivity problems from one segment to another

• If a router fails, computers on one of the network segments will not be able to connect to any other network segment

• If the router is connected to the Internet, no one will be able to access the Internet

• You can test router connectivity using the ping and the tracert/traceroute commands

Troubleshooting a wireless network

• Wireless signals degrade as they travel away from the access point

• Prevent signal degradation by carefully locating the wireless antenna

• Make sure that all wireless devices support the standard used on the network

• Make sure that the AP and all clients are using the correct SSID

• Make sure that the client is configured to use the same encryption standard (WEP or WPA) and key as the access point

Troubleshooting strategy

• Identify the symptoms and potential causes

• Identify the affected area

• Establish what has changed

• Select the most probable cause

• Implement an action plan and solution, including potential effects

• Test the results

• Identify the results and effects of the solution

• Document the solution and process


Network+ Exam Practice Questions | 573

Network+ Exam Practice Questions

1. Which of the following media access methods is utilized in 802.11b wireless networks?

❏ A These networks are prone to EMI and RFI

❏ B A break in cable can bring down the network

❏ C It is wired in a dual ring physical layout

❏ D A central device is connected to all computers

❏ E A single cable is used to connect all computers

Answers B and E are correct. Bus networks use a single cable to connect all computers. A break in the cable can bring down the entire network segment.

3. You have been asked to install a small network consisting of eight computers. Your manager wants the best possible fault tolerance. Which of the following topologies would you choose?

4. Which of the following networks can be easily expanded without interrupting the other network devices and users? Select two answers.

Answer C is correct. Fiber Distributed Data Interface (FDDI) standard-based networks are configured in a dual ring topology to provide fault tolerance. If one of the rings fails, the other ring takes over.

6. Which of the following connectors cannot be attached to a fiber optic cable? Select two answers.

7. What is the maximum length of a UTP cable segment in a 10BaseT star network?

11. One of the following network devices forwards the data it receives on a port to all other connected ports. Identify the device from the following:

❏ A It forwards data based on the MAC addresses of devices

❏ B It is used to forward data based on the destination IP address

❏ C It is used to join two network segments to make a large network

❏ D It is used to segment a large network

❏ E It is used to forward signals to all other ports

Answers B and D are correct. A router is used to segment a large network into smaller segments. It forwards the data based on the IP address of the destination.

14. Which of the following methods to build and maintain routing tables takes the maximum administrative effort and time in a large network?

15. Which of the following addresses is an invalid MAC address?

17. Which of the following protocols does not depend on addresses or numbers to identify computers on a network?

18. Which of the following are the two constituent layers of the Data Link layer in the OSI networking model? Select two answers.

Answer A is correct. RTMP is included in the AppleTalk protocol suite. It is used to build and maintain routing tables.

20. At which of the following layers of the OSI network model does a network adapter work?

❍ A FTP

❍ B Telnet

❍ C SMTP

❍ D HTTP

Answer B is correct. TCP/IP port number 23 is used by the Telnet service.

23. Which of the following is a function of a WINS server? Select two answers.

❏ A It resolves hostnames to IP addresses

❏ B It resolves IP addresses to MAC addresses

❏ C It resolves NetBIOS names to IP addresses

❏ D It is used to allocate IP addresses dynamically

❏ E It is used to reduce broadcast traffic

Answers C and E are correct. The function of a WINS server is to resolve NetBIOS names to IP addresses. This helps reduce broadcast traffic because network clients send NetBIOS name resolution queries to the WINS server instead of broadcasting them.

24. Which of the following protocols is used to secure HTTP transactions on the Internet?

addresses of web sites using the SSL protocol start with https://.

25. Which of the following statements correctly describes the function of a subnet mask?

❍ A It is used to separate the network address from the host address within an IP address

❍ B It is used to forward data to remote network segments

❍ C It is used to block undesired network traffic

❍ D It is used to enable computers to communicate in different operating system environments

Answer A is correct. The subnet mask enables network devices to identify the network address and the host address from an IP address.

26. Which of the following protocols can be used to secure remote access connections when they are established through the Internet?

29. You need to allow only secure Internet traffic in and out of your company network. Which of the following ports would you open on the firewall?

30. Which of the following advantages are associated with using a firewall?

❍ A It provides an inexpensive means to share the Internet connection

❍ B It is used to block undesired external access to internal network resources

❍ C It is used to monitor the use of the Internet by internal users

❍ D It is used to hide the internal addressing scheme of the network

Answer B is correct. A firewall is used to block undesired external access to internal network resources.

31. Which of the following is not a benefit of implementing a proxy server for Internet access?

❍ A The costs associated with Internet access

❍ B Activities of users can be monitored

❍ C It provides centralization of Internet access

❍ D The Internet hostnames can be resolved internally

❍ E It allows improved performance for web browsing

Answer D is correct. A proxy server does not help resolve external hostnames internally. External DNS servers must resolve hostnames that are external to the network.

32. Which of the following backup methods reset the archive bit? Select two answers.

do not change the archive bit

33. You are using five 80 GB hard disks in your file server to configure RAID-5. What will be the maximum capacity of the RAID after the configuration is complete?

34. Which of the following terms is associated with a power outage for a long period of time?

❍ A Inside the server room

❍ B In a locked closet outside the server room

❍ C At a secure offsite location

❍ D In the manager’s cabin

Answer C is correct. Backup tapes should be stored at a secure offsite location to prevent accidental damage. This helps with data recovery in the event of a disaster.

36. One of the users in your office complains that he is not able to connect to the network or the Internet. Which of the following steps should you take first in order to troubleshoot the connectivity problem?

❍ A Ping the loopback address

❍ B Ping a remote host

❍ C Ping the default gateway

❍ D Ping the IP address of the user’s computer

Answer A is correct. The first step in troubleshooting a connectivity problem in a TCP/IP host is to ping the loopback address 127.0.0.1.

37. Which of the following utilities would you use when a Windows XP user is not able to connect using computer names?

TCP/IP statistics and the currently active connections

38. Which of the following utilities is used on a Linux system to verify the TCP/IP configuration?

❍ A ipconfig

❍ B dig

❍ C arp

❍ D ifconfig

Answer D is correct. The ifconfig utility is used on Unix and Linux systems to verify the TCP/IP configuration of the local host.

39. A new network administrator has configured some new wireless clients. None of these clients is able to connect to the network. Other clients already on the same access point do not have any connectivity problem. Which of the following is the possible reason for the problem?

❍ A An incorrect SSID

❍ B An incorrect IP address

❍ C A faulty access point

❍ D A poor signal due to EMI

Answer A is correct. The connectivity problem is most probably caused by incorrect SSID settings on the new wireless clients.

40. One of the users has reported problems with his desktop. He is somewhat unclear about the problem’s symptoms, and you need to visit his desktop to rectify the problem. What should be your first step to resolve the problem?

❍ A Check event logs on the desktop

❍ B Ask the user to restart the desktop

❍ C Try to recreate the problem

❍ D Gather more information from the user

Answer D is correct. The first step to resolve a network problem is to gather as much information as possible from the user.

Copyright © 2007 O’Reilly & Associates, Inc. All rights reserved.

Part IV. Security+

Chapter 10. Security+ Overview

Overview of Security+ Exam

CompTIA’s Security+ certification is for those individuals who work or intend to work in organizations that have a secure IT infrastructure. You will need to pass only one exam (Exam SYO-101) to get this certification. Exam SYO-101 tests your foundation-level knowledge in general security concepts, communications and infrastructure security, basics of cryptography, and operational and organizational security. This exam was developed in response to increasing demand from security professionals in the IT industry. A Security+-certified individual is considered to have proven her skills in implementing basic security in the IT infrastructure. CompTIA’s vendor-neutral certifications, including the Security+ certification, are now recognized worldwide.

There are several other security-related certifications available in the IT industry, but the Security+ certification is considered the most basic of all. One good thing about CompTIA’s certifications is that they do not expire. In other words, CompTIA’s certifications are good for life. You do not have to recertify if the exam objectives change after a period of time. I still recommend that you check the Security+ certification page on the CompTIA web site from time to time at http://certification.comptia.org/security for news and updates on exam objectives.

The approximate percentage of each section in Security+ Exam SYO-101 is given in Table 10-1.

Table 10-1. Security+ exam domains and percentage of coverage

Domain Percentage of coverage


586 | Chapter 10: Overview of Security+ Exam

CompTIA recommends that, in order to pass the Security+ exam, a candidate should have at least two years of hands-on experience working in an organization where IT security is a prime concern. It is also recommended that the candidate have passed the A+ and the Network+ exams before attempting to take this exam.

It is a good idea to have studied a Security+ certification exam self-paced study guide or to have attended a training course before you attempt to take this. After all this, you will be ready to use this section of the book as your final exam preparation tool.

The Security+ certification exam, SYO-101, is considered to be one of the toughest of all CompTIA exams. The percentage of marks required to pass this exam is very high, and you have to be well prepared. You must study the preparation material thoroughly and try some self-test practice exams before you attempt to take the actual exam. Once you pass this, you also get an exemption for one elective exam in Microsoft’s MCSE/MCSA: Security track.


Areas of Study for Security+ Exam

General Security Concepts

• Recognize and be able to differentiate and explain the following access control models:

— MAC (Mandatory Access Control)

— DAC (Discretionary Access Control)

— RBAC (Role Based Access Control)

• Recognize and be able to differentiate and explain the following methods of authentication:

• Identify non-essential services and protocols, and know what actions to take to reduce the risks of those services and protocols

• Recognize the following attacks and specify the appropriate actions to take to mitigate vulnerability and risk:

— DOS/DDOS (Denial of Service / Distributed Denial of Service)


• Understand the concept of and know how to reduce the risks of social engineering

• Understand the concept and significance of auditing, logging, and system scanning

Communication Security

• Recognize and understand the administration of the following types of remote access technologies:

— 802.1x

— VPN (Virtual Private Network)

— RADIUS (Remote Authentication Dial-In User Service)

— TACACS (Terminal Access Controller Access Control System)

— L2TP/PPTP (Layer 2 Tunneling Protocol/Point-to-Point Tunneling Protocol)

— S/MIME (Secure Multipurpose Internet Mail Extensions)

— PGP (Pretty Good Privacy) technologies

— SSL/TLS (Secure Sockets Layer/Transport Layer Security)

— HTTP/S (Hypertext Transfer Protocol/Hypertext Transfer Protocol over Secure Sockets Layer)

— Instant Messaging, including vulnerabilities, packet sniffing, and privacy

— Vulnerabilities in Java Script, ActiveX, Buffer Overflows, Cookies, Signed Applets, CGI, and SMTP Relay

• Recognize and understand administration of the following directory security concepts:

— SSL/TLS (Secure Sockets Layer/Transport Layer Security)

— LDAP (Lightweight Directory Access Protocol)

• Recognize and understand administration of the following file transfer protocols and concepts:

— S/FTP (File Transfer Protocol)

— Blind FTP (File Transfer Protocol)/Anonymous

— File sharing


— WEP/WAP (Wired Equivalent Privacy/Wireless Application Protocol)

— Vulnerabilities, including site surveys

— RAS (Remote Access Server)

— Telecom/PBX (Private Branch Exchange)

— VPN (Virtual Private Network)

— IDS (Intrusion Detection System)

— UTP/STP (unshielded twisted pair/shielded twisted pair)

— Fiber optic cable

— Removable Media such as tape, CD-R, hard drives, diskettes, flashcards, and smart cards

• Understand the concepts behind the following kinds of security topologies:

— Security zones such as DMZ (Demilitarized Zone), intranet, and extranet

— VLAN (Virtual Local Area Network)

— NAT (Network Address Translation)

— Tunneling


• Differentiate the following types of intrusion detection; be able to explain the concepts of each type; and understand the implementation and configuration of each kind of intrusion detection system:

— Network-based: active detection and passive detection

— Host-based: active detection and passive detection

— Honey pots

— Incident response

• Understand the following concepts of Security Baselines; be able to explain what a Security Baseline is; and understand the implementation and configuration of each kind of intrusion detection system:

— OS/NOS (Operating System/Network Operating System) hardening, including filesystem and updates (hotfixes, service packs, patches)

— Network hardening, including updates (firmware), enabling/disabling services and protocols, and configuring Access Control Lists

— Application hardening, including software updates (hotfixes, service packs, and patches), web servers, email servers, FTP servers, DNS servers, NNTP servers, file/print servers, DHCP servers, and data repositories (directory services and databases)

• Understand and be able to explain the following concepts of PKI:

— Certificates, certificate policies, and certificate practice statements

— Centralized versus decentralized

— Storage hardware versus software and private key protection

— Escrow


— Expiration

— Revocation, suspension, and status checking

— Recovery (including M-of-N Control), renewal, and destruction

— Key usage

Operational/Organizational Security

• Understand the application of the following concepts of physical security:

— Access control using physical barriers and biometrics

— Disaster recovery plan

• Understand the security implications of business continuity

• Understand the concepts and uses of security and incident response policies and procedures:

— Security policy, including acceptable use, due care, privacy, separation of duties, need to know, password management, service level agreements, disposal and destruction, and human resources policy (including termination, hiring, and code of ethics)

• Explain the following concepts of privilege management:

— User/group role management

— Single sign-on

— Centralized versus decentralized

— Auditing (Privilege, Usage, Escalation)

— MAC/DAC/RBAC (Mandatory Access Control/Discretionary Access Control/Role-based Access Control)

• Understand the concepts of the following topics of forensics:


• Understand and explain the following documentation concepts:

— Standards and guidelines

— Systems architecture

— Change documentation

— Logs and inventories

— Classification and notification

— Retention/storage and destruction

— Data destruction

Chapter 11: Security+ Study Guide

Security+ Exam Study Guide

This chapter provides a study guide for the Security+ Exam SYO-101. Each section of this chapter is designed to cover specific objectives of the exam. Each section heading identifies the exam domain, and discusses the key details that you should grasp before taking the exam.

An overview of the sections in this chapter that cover the objectives of the Security+ exam is as follows:

General Security Concepts

This section covers the details of general concepts and terms related to IT security. These concepts include methods of access control, authentication, and auditing. This section also includes a study of various types of attacks and malicious code, identifying and disabling nonessential services, and protocols to reduce vulnerability of computers and networks.

Communication Security

This section covers a study of security concepts related to computer communications such as remote access, email, Internet-based services, directory services, and file transfer protocols. You will also learn about the security risks involved in wireless networks.

Infrastructure Security

This section includes a study of implementing security in the IT infrastructure by creating security baselines, implementing Intrusion Detection Systems (IDS), and other security topologies. This also includes a study of vulnerable points in the network, such as network devices and media.

Basics of Cryptography

This section includes a study of concepts related to encryption methods that are used to provide confidentiality, integrity, authentication, and non-repudiation. These encryption methods protect the transfer of data from one location to another in a network. You will learn how encryption algorithms and digital certificates are used to create a Public Key Infrastructure (PKI). The PKI is responsible for the creation, distribution, storage, expiration, and revocation of digital certificates.


594 | Chapter 11: Security+ Exam Study Guide

Operational and Organizational Security

This section covers concepts related to operational and organizational security. This includes a study of the physical security of the network, as well as creating backup and disaster recovery policies, security policies, and incident response policies. You will also learn about privilege management, computer forensics and risk identification, and guidelines for training end users on how to create documentation related to security practices in an organization.

The sections in this chapter are designed to follow the exam objectives as closely as possible. This Study Guide should be used to reinforce your knowledge of key concepts tested in the exam. If you study a topic and do not understand it completely, I recommend that you go over it again and memorize key facts until you feel comfortable with the concepts. The chapter contains a number of terms, notes, bulleted points, and tables that you will need to review multiple times. Pay special attention to new terms and acronyms (the ones you are not familiar with) because these may be tested in the exam.

Studying for the Security+ certification exam requires that you have access to a computer network. Although it is not essential, it is good to have a Windows-based computer network to perform the exercises included in this chapter. These exercises are a required part of your preparation for the exam. A small network with a Windows XP desktop and a Windows 2000 Server or Windows Server 2003 would serve the purpose as well. Needless to say, you will also need an active Internet connection.

The exercises included in this Study Guide should be part of your preparation for the exam. Do not perform any exercises in a production environment. Instead, create a test environment where you can work without having to worry about the security risks while performing the given exercises.

General Security Concepts

The first section of this chapter deals mainly with fundamental knowledge of authentication, access control, and auditing, also known as AAA in the computer security arena. Along with this, you will learn about different types of attacks and about malicious code that can cause significant damage to the organization’s security setup. The concepts discussed in the following section are as follows:

• Access control methods

• Authentication methods

• Auditing and logging

• System scanning

• Types of attacks

• Types of malicious code

• Risks involved in social engineering

• Identifying and disabling nonessential services and protocols

Each of these concepts is discussed in the following sections.

Access Control Models

In this section, you will learn about different types of access control methods. These methods are used to grant or deny access to a network or computer resource by means of security policies and hardware or software applications. In its simplest form, access control to files, folders, and other shared network resources is achieved by means of assigning permissions. Smart cards and biometric devices are examples of hardware devices used for access control. Access control can also be implemented by means of network devices, such as routers and wireless Access Points (APs). You can also achieve access control by implementing security policies, such as remote access policies and rules for connecting to a virtual private network (VPN). The following are the main models or mechanisms employed for access control:

• Mandatory Access Control

• Discretionary Access Control

• Role-Based Access Control

Mandatory Access Control (MAC)

MAC is a mechanism, usually hardcoded into an operating system, that protects computer processes, data, and system devices from unauthorized use. Once implemented, MAC is applied universally to all objects on the system. It may also be built into an application to grant or deny permissions and is universally applied to all objects. The basic concept behind MAC is that it cannot be changed by any user. Moreover, the control of access can be defined at multiple levels to provide granular control.

All operating systems, such as Microsoft’s Windows, Unix/Linux, and Netware, include MAC mechanisms. The operating systems hardcode access control individually on each object, and even the owners of the object or resource cannot change the implemented level of access. In other words, MAC is nondiscretionary, and the users who create an object may not have so-called “full control” over the object they create.

The main purpose of MAC is to define a security architecture that makes evaluations of contexts based on security labels. In a nutshell, MAC is hardcoded and nondiscretionary, is universally applied to all objects by the operating system, and is sometimes also known as label-based access control.

Discretionary Access Control (DAC)

DAC is a mechanism that is usually implemented by the operating system. Administrators or users who are creators/owners of an object or resource are the main users of DAC, which allows them to grant or deny permissions. NTFS permissions (used in Windows-based computers) are a good example of DAC. It is also possible to change ownership of objects or resources when DAC is used.

The owner or administrator of the object mainly controls access to an object or resource. As with MAC, you can also have multiple levels of access control with DAC. But at the same time, DAC does not provide the level of access control that is available with MAC. It is not hardcoded into any operating system.


To have an idea of how DAC is applied, we will perform the following exercise on a Windows XP Professional computer that has a drive formatted with an NTFS file system:

1. Click Start ➝ Programs ➝ Accessories ➝ Windows Explorer.

2. Locate a user data folder.

3. Right-click the folder and select Properties.

4. Click on the Security tab.

5. The NTFS permissions that have been set on the folder are displayed, as shown in Figure 11-1. The shared folder in this case is the network resource and the permissions assigned to the folder are termed the DAC list.

6. Click Cancel to close the dialog box.

Role-Based Access Control (RBAC)

The RBAC is a mechanism used to implement security on objects based on the roles or job functions of individual users or user groups. Employees of an organization are categorized by their need to perform different types of roles (jobs) within the organization, and permissions to computer or network resources are granted to these users based on their roles.

Figure 11-1 Viewing DAC permissions on an object


RBAC offers the most flexibility in defining access control to available network resources. For example, users in a network can be classified into various categories or groups based on their job functions, and access permissions to objects can be granted to these groups. The job functions and access permissions can be modified at any point in time based on the requirements of the organization. RBAC thus provides simplified and centralized administration of network resources. It is more flexible than MAC and is highly configurable.

Authentication Methods

Authentication is the process of confirming that someone or something is authentic, which means that the claim made about something is true. In the context of computer security, authentication is the method of verifying that the identity of a person or an application seeking access to a system, object, or a resource is true. For example, if a user wants to access a network domain, the authentication of the user (or the user’s digital identity) is usually verified by the username and password supplied by the user. These data items are also known as the credentials of the user. If the username and password of the user match those stored in the security database of the computer, the user is allowed access. This process is known as the authentication process.

Authentication can be a one-way or two-way process. In one-way authentication, only one of the entities verifies the identity of the other, while in two-way authentication, both entities verify the identity of each other before a secure communication channel is established. In the previous example, you learned about the simplest form of one-way authentication wherein the identity of the user is verified by the system.

Authentication is termed the first point of controlling access to a system. Further access can be controlled by using authorization, which is a term very closely related to authentication. Authorization is provided as part of the operating system and is the process of allowing access to only those resources to which a particular user is authorized. These resources may include the system services and devices, data, and application programs.

User credentials sent by the user during the authentication process can be transmitted either in clear text or in encrypted form. Some applications, such as File Transfer Protocol (FTP) and Telnet, transmit usernames and passwords in clear text. User credentials transmitted in clear text are considered security risks, as anyone monitoring the network transmissions can easily capture these credentials and misuse them. There are several methods, as you will learn in the following pages, that can be used to encrypt and secure user credentials as they are transmitted over the network.

The following sections discuss a number of authentication mechanisms that are used in computer networks.

Kerberos

Kerberos is a cross-platform authentication protocol used for mutual authentication of users and services in a secure manner. This protocol is created and maintained by the Massachusetts Institute of Technology (MIT) and is defined in RFC 1510. Kerberos v5 is the current version. The protocol ensures the integrity of data as it is transmitted over the network. Microsoft’s Windows-based network operating systems (Windows 2000 and later) use Kerberos v5 as the default authentication protocol. It is also widely used in other operating systems, such as Unix and Cisco IOS. The authentication process is the same in all operating system environments.

Kerberos protocol is built upon Symmetric Key Cryptography and requires a trusted third party. In Windows Server 2003 environments, Kerberos can be implemented in its own Active Directory domains. Kerberos works in a Key Distribution Center (KDC), which is usually a network server used to issue secure encrypted keys and tokens (tickets) to authenticate a user or a service. The tickets carry a timestamp and expire as soon as the user or the service logs off.

Let’s look at how Kerberos authentication works. Consider a Kerberos realm that includes a KDC (also known as the authentication server), a client (a user, service, or a computer), and a resource server. Consider that the client needs to access a resource or shared object on the resource server. The following steps are carried out to complete the authentication process:

1. The client presents its credentials to the KDC for authentication by means of username and password, smart card, or biometrics.

2. The KDC issues a Ticket Granting Ticket (TGT) to the client. The TGT is associated with an access token that remains active until the time the client is logged on. This TGT is cached locally and is used later if the session remains active.

3. When the client needs to access the resource server, it presents the cached TGT to the KDC. The KDC grants a session ticket to the client.

4. The client presents the session ticket to the resource server and the client is then granted access to the resources on the resource server.

The Kerberos authentication process is known as a realm, as shown in Figure 11-2.

The TGT remains active for the entire active session. It carries a timestamp to ensure that it is not misused to launch replay, or spoofing, attacks against the network. Replay attacks happen when someone captures network transmissions, modifies this information, and then retransmits the modified information on the network to gain unauthorized access to resources. You will learn more about security attacks later in this section.

Kerberos is heavily dependent on the synchronization of clocks on the clients and servers. Session tickets granted by the KDC to the client must be presented to the server within the established time limits, or else they may be discarded. TGT is not dependent on time and remains valid until the client is logged on. TGT is cached locally by the client and can be used if the user session remains active.

Challenge Handshake Authentication Protocol (CHAP)

CHAP is widely used for remote access in conjunction with the Point-to-Point Protocol (PPP). CHAP periodically verifies the authenticity of the remote user using a three-way handshake even after the communication channel has been established. CHAP authentication involves the following steps:

1. When the communication link is established, the authentication server sends a “challenge” message to the peer.

2. The peer responds with a value calculated using a one-way hash function such as Message Digest 5 (MD5).

3. The authentication server checks the response to ensure that the value is equal to its own calculation of the hash value. If the two values match, the authentication server acknowledges the authentication; otherwise, the connection is terminated.

4. The authentication server sends the challenge message to the peer at random intervals and repeats steps 1 to 3.

One drawback of CHAP is that it cannot work with encrypted password databases and is considered a weak authentication protocol. It is still better than Password Authentication Protocol (PAP), in which passwords are transmitted in clear text. Microsoft has implemented its own version of CHAP, known as MS-CHAP, which is currently in version 2.0 and is the preferred authentication protocol for remote access services.
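The handshake above can be run end to end in a few lines. The following Python is an added example (not from the book); it follows the MD5 response computation defined in RFC 1994, Response = MD5(Identifier || Secret || Challenge), with an authenticator that consumes each challenge once and a peer that only ever sends the hash. The peer name and secrets are constructed. The `secret_on_wire` result shows what a sniffer would not see, and the `Authenticator` comment records the drawback the text names: the server must hold the clear-text secret, because the hash over the concatenation cannot be computed from a stored password hash.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """The server side. It must keep the clear-text secret: the MD5 over the
    concatenation cannot be derived from a stored password hash, which is
    the drawback the text mentions."""

    def __init__(self, secrets: dict) -> None:
        self.secrets = secrets          # peer name -> clear-text secret (constructed)
        self.identifier = 0
        self.pending = {}               # identifier -> outstanding challenge

    def challenge(self) -> tuple:
        """Step 1: send a fresh random challenge under a new identifier."""
        self.identifier = (self.identifier + 1) % 256
        chal = os.urandom(16)
        self.pending[self.identifier] = chal
        return self.identifier, chal

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        """Step 3: recompute the hash locally and compare. The challenge is
        consumed, so a captured response is useless a second time."""
        chal = self.pending.pop(identifier, None)
        secret = self.secrets.get(name)
        if chal is None or secret is None:
            return False
        return hmac.compare_digest(chap_response(identifier, secret, chal), response)


class Peer:
    def __init__(self, name: str, secret: bytes) -> None:
        self.name, self.secret = name, secret

    def respond(self, identifier: int, challenge: bytes) -> tuple:
        """Step 2: answer with the hash; the secret itself never leaves the peer."""
        return self.name, chap_response(identifier, self.secret, challenge)


def run_demo() -> dict:
    auth = Authenticator({"alice": b"correct horse"})
    alice = Peer("alice", b"correct horse")

    ident, chal = auth.challenge()
    name, resp = alice.respond(ident, chal)
    on_the_wire = chal + resp           # everything a sniffer sees for this handshake

    first = auth.verify(ident, name, resp)
    replayed = auth.verify(ident, name, resp)              # same response presented again

    ident2, chal2 = auth.challenge()                       # step 4: periodic re-challenge
    impostor = Peer("alice", b"wrong guess")
    wrong = auth.verify(ident2, *impostor.respond(ident2, chal2))

    return {
        "first_ok": first,
        "replay_rejected": not replayed,
        "wrong_secret_rejected": not wrong,
        "secret_on_wire": b"correct horse" in on_the_wire,
    }


if __name__ == "__main__":
    print(run_demo())
```

Contrast this with PAP, where the equivalent of `resp` would be the secret itself, so `secret_on_wire` would be true for every login.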

Certificates

Certificates, or Public Key Certificates, use digital signatures to bind a public key to the identity of a person or a computer. The certificates are used to ensure that the public key belongs to the individual. Certificates are widely used for Internet-based authentications, as well as for authenticating users and computers in network environments, to access network resources and services where directory services are implemented. They are also used when data transmissions are secured using the Internet Protocol Security (IPSec) protocol. All of these are parts of the PKI, which is discussed later in this chapter.

Figure 11-2. Kerberos authentication process (the figure shows the User, the KDC, and the Network Resource; its numbered exchanges are):

1. User logs on and authenticates to KDC.

2. KDC provides TGT to user.

3. User wants to use network resource; presents TGT to KDC and requests service ticket.

4. KDC provides service ticket.

5. User session provides service ticket to resource and gets access.

6. For subsequent uses, user simply presents service ticket.


In a PKI, certificate servers are used to create, store, distribute, validate, and expire digitally created signatures and other identity information about users and systems. Certificates are created by a trusted third party known as the Certification Authority, or Certificate Authority (CA). Examples of commercially available CAs are Verisign and Thawte. It is also a common practice to create a CA within an organization to manage certificates for users and systems within the organization or with trusted business partners. In Windows 2000 and later operating systems, certificates are used for authenticating users and granting access to Active Directory objects. A CA used within an organization is known as an Enterprise CA or a Standalone CA.

Another common use of certificates is for software signing. Software is digitally signed to assure the user who downloads it that it is legitimate or has been developed by a trusted software vendor. Digitally signed software ensures that the software has not been tampered with since it was developed and made available for download. Certificates are also implemented in Internet services to authenticate users and verify their identity. Web servers must have a certificate installed in order to use the Secure Socket Layer (SSL).

A certificate essentially includes the following information:

• The public key being signed

• A name that can be that of a user, a computer, or an organization

• The name of the CA issuing the certificate

• The validity period of the certificate

• The digital signature of the certificate, which is generated using the CA’s private key

Username/Password

The combination of username and password is one of the most common methods of authenticating users in a computer network. Almost all network operating systems implement some kind of authentication mechanism wherein users can simply use a locally created username and password to get access to the network and shared resources within that network. These include Microsoft’s Windows, Unix/Linux, Netware OS, and MAC OS X. This is the simplest form of authentication and can be implemented easily, but it also comes with its own limitations. In a secure network environment, simply using the combination of a username and password may not be enough to protect the network against unauthorized access.

Many organizations document and implement password policies that control how users can create and manage their passwords in order to secure network resources. If any user does not follow these policies, her user account may be locked until the administrator manually unlocks it. The following is an example of a strong password policy:

• Passwords must be at least seven characters long

• Passwords must contain a combination of upper- and lowercase letters, numbers, and special characters


• Passwords must not contain the full or partial first or last name of the user

• Passwords must not contain anything to do with personal identity such as birthdays, Social Security numbers, name of their hometown, names of pets, etc.

• Users must change their passwords every six weeks

• Users must not reuse old passwords

With a properly enforced password policy, an organization can attain some security for its network resources.
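A policy like the one listed above is only as good as the check that enforces it. The following Python, added here as an example and not part of the book, turns each of the six rules into a test: minimum length, character classes, no full or partial name, no personal details, no reuse, and the six-week rotation. Two interpretations are the example’s own assumptions: “partial name” is taken to mean any fragment of three or more letters, and the list of personal details is supplied per user as plain strings. Old passwords are kept as SHA-256 digests only to stay standard-library; a production system would store a salted, slow hash. The sample user is constructed.

```python
import hashlib
import re
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

MIN_LENGTH = 7
MAX_AGE = timedelta(weeks=6)
PARTIAL_LEN = 3   # assumption: any 3+ letter fragment of a name counts as "partial"


@dataclass
class UserProfile:
    username: str
    first_name: str
    last_name: str
    personal: list                      # birthday, hometown, pet names... as strings
    history: list = field(default_factory=list)   # digests of earlier passwords
    last_changed: Optional[date] = None


def digest(password: str) -> str:
    # Plain SHA-256 keeps the example stdlib-only; a real system stores a
    # salted, slow hash (bcrypt/scrypt/Argon2) for current and past passwords.
    return hashlib.sha256(password.encode()).hexdigest()


def _fragments(word: str) -> set:
    """All substrings of the name that are long enough to count as 'partial'."""
    w = word.lower()
    return {w[i:i + n] for n in range(PARTIAL_LEN, len(w) + 1)
            for i in range(len(w) - n + 1)}


def check_password(candidate: str, user: UserProfile) -> list:
    """Return the policy rules the candidate violates (an empty list means accepted)."""
    problems = []
    low = candidate.lower()
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than 7 characters")
    for pattern, what in ((r"[A-Z]", "uppercase letter"), (r"[a-z]", "lowercase letter"),
                          (r"[0-9]", "number"), (r"[^A-Za-z0-9]", "special character")):
        if not re.search(pattern, candidate):
            problems.append(f"missing {what}")
    for name in (user.first_name, user.last_name):
        if any(frag in low for frag in _fragments(name)):
            problems.append(f"contains part of name {name!r}")
    if any(item.lower() in low for item in user.personal):
        problems.append("contains personal information")
    if digest(candidate) in user.history:
        problems.append("reuses an old password")
    return problems


def password_expired(user: UserProfile, today: date) -> bool:
    """Six-week rotation rule: never-set counts as expired."""
    return user.last_changed is None or today - user.last_changed > MAX_AGE


if __name__ == "__main__":
    # constructed sample user
    jsmith = UserProfile("jsmith", "John", "Smith", ["1985-04-12", "Springfield", "Rex"],
                         history=[digest("OldPass!9")], last_changed=date(2024, 1, 1))
    for pw in ("Tr0ub4dor!", "smith2024", "OldPass!9", "Rex1985!"):
        print(f"{pw:12s} -> {check_password(pw, jsmith) or 'accepted'}")
    print("expired on 2024-03-01:", password_expired(jsmith, date(2024, 3, 1)))
```

Reporting every violated rule at once, rather than stopping at the first, is what lets a user fix a rejected password in one attempt, which in turn reduces the lockouts the text mentions.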

Tokens

An authentication token (also known as a security token or a hardware token) is considered the most trusted method to verify the identity of a user or a system. Tokens provide a very high level of security for authenticating users because of the multiple factors employed to verify the identity. It is almost impossible to duplicate the information contained in a security token in order to gain unauthorized access to a secure network. Figure 11-3 shows different types of security tokens.

In its simplest form, an authentication token consists of the following two parts:

• A hardware device that is coded to generate token values at predetermined intervals

• A software-based component that tracks and verifies that these codes are valid

Hardware tokens are small enough to be carried on a key chain or in a wallet. Some security tokens may contain cryptographic keys while others may contain biometrics data such as the user’s fingerprints. Some tokens have a built-in keypad, and the user is required to key in a Personal Identification Number (PIN). Authentication tokens come in a variety of packaging and features. RSA’s SecureID is one type of security token that employs a two-factor authentication mechanism. Other vendors employ digital signature methods, while still others use single sign-on software mechanisms. Some tokens utilize the one-time

Figure 11-3 Security tokens
