4374FM.fm Page i Tuesday, August 10, 2004 8:16 PM
Foundations Network Security
Matthew Strebe
San Francisco ◆ London
Associate Publisher: Neil Edde
Acquisitions and Developmental Editor: Maureen Adams
Production Editor: Elizabeth Campbell
Technical Editor: Donald Fuller
Copyeditor: Judy Flynn
Compositor: Laurie Stewart, Happenstance Type-o-Rama
Proofreaders: Laurie O’Connell, Nancy Riddiough
Indexer: Nancy Guenther
Book Designer: Judy Fung
Cover Design: Ingalls + Associates
Cover Photo: Jerry Driendl, Taxi
Copyright © 2004 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501. World rights reserved. No part of this publication may be stored in a retrieval system, transmitted, or reproduced in any way, including but not limited to photocopy, photograph, magnetic, or other record, without the prior agreement and written permission of the publisher.
An earlier version of this book was published under the title Network Security Jumpstart © 2002 SYBEX Inc.
Library of Congress Card Number: 2004109315
ISBN: 0-7821-4374-1
SYBEX and the SYBEX logo are either registered trademarks or trademarks of SYBEX Inc. in the United States and/or other countries.
Screen reproductions produced with FullShot 99. FullShot 99 © 1991-1999 Inbit Incorporated. All rights reserved.
FullShot is a trademark of Inbit Incorporated.
TRADEMARKS: SYBEX has attempted throughout this book to distinguish proprietary trademarks from descriptive terms by following the capitalization style used by the manufacturer.
The author and publisher have made their best efforts to prepare this book, and the content is based upon final release software whenever possible. Portions of the manuscript may be based upon pre-release versions supplied by software manufacturer(s). The author and the publisher make no representation or warranties of any kind with regard to the completeness or accuracy of the contents herein and accept no liability of any kind including but not limited to performance, merchantability, fitness for any particular purpose, or any losses or damages of any kind caused or alleged to be caused directly or indirectly from this book. Manufactured in the United States of America.
10 9 8 7 6 5 4 3 2 1
To Kira Rayleigh Strebe Kira Lyra Loo,
I love you.
My wife does an amazing job of handling our life, our house, and our kids so that I can run a business and write books. Without her, none of my books would have been written. I’d like to thank Seanna for prying off and losing the keycaps of the non-critical laptop, Nathan for only losing the ball out of the trackball twice during the production of this book, and Kira for not being able to walk yet and for not choking on the keycap she found under the couch.
I’d like to thank Maureen Adams, who is my friend more than my editor, for suggesting this title and steering it through the process. Elizabeth Campbell did an expert job managing the flurry of e-mail that constitutes the modern writing process, and did so with an infectious enthusiasm that made the process easy. Judy Flynn expanded the acronyms, excised the jargon (well, some of it, anyway), clarified the odd constructions, and corrected the capitalization (or standardized it, at least). Without her, this book would have been much harder to understand. Thanks also to the CD team of Dan Mummert and Kevin Ly for their work on the companion CD.
Contents
Chapter 1 Security Principles 1
Why Computers Aren’t Secure 2
The History of Computer Security 4
–1945 5
1945–1955 7
1955–1965 7
1965–1975 7
1975–1985 8
1985–1995 9
1995–2005 11
2005– 12
Security Concepts 13
Trust 13
Authentication 13
Chain of Authority 14
Accountability 15
Access Control 15
Terms to Know 17
Review Questions 18
Chapter 2 Understanding Hacking 19
What Is Hacking? 20
Types of Hackers 20
Security Experts 21
Script Kiddies 21
Underemployed Adult Hackers 21
Ideological Hackers 22
Criminal Hackers 23
Corporate Spies 23
Disgruntled Employees 24
Vectors That Hackers Exploit 24
Direct Intrusion 25
Dial-Up 25
Internet 26
Wireless 26
Hacking Techniques 27
Target Selection 27
Information Gathering 29
Attacks 30
Terms to Know 37
Review Questions 38
Chapter 3 Encryption and Authentication 39
Encryption 40
Secret Key Encryption 41
One-Way Functions (Hashes) 41
Public Key Encryption 43
Hybrid Cryptosystems 44
Authentication 44
Password Authentication 45
Session Authentication 47
Public Key Authentication 48
Certificate-Based Authentication 49
Biometric Authentication 50
Terms to Know 51
Review Questions 52
Chapter 4 Managing Security 53
Developing a Security Policy 54
Creating a Policy Requirements Outline 54
Security Policy Best Practices 58
Implementing Security Policy 63
Applying Automated Policy 64
Human Security 65
Updating the Security Policy 67
The Security Cycle 67
Terms to Know 69
Review Questions 70
Chapter 5 Border Security 71
Principles of Border Security 72
Understanding Firewalls 74
Fundamental Firewall Functions 74
Firewall Privacy Services 82
Virtual Private Networks 83
Other Border Services 83
Selecting a Firewall 84
Terms to Know 85
Review Questions 86
Chapter 6 Virtual Private Networks 87
Virtual Private Networking Explained 88
IP Encapsulation 88
Cryptographic Authentication 89
Data Payload Encryption 90
Characteristics of VPNs 90
Common VPN Implementations 91
IPSec 92
L2TP 93
PPTP 94
PPP/SSL or PPP/SSH 95
VPN Best Practices 96
Terms to Know 99
Review Questions 100
Chapter 7 Securing Remote and Home Users 101
The Remote Security Problem 102
Virtual Private Security Holes 102
Laptops 102
Protecting Remote Machines 103
VPN Connections 104
Data Protection and Reliability 106
Backups and Archiving 106
Protecting against Remote Users 107
Terms to Know 108
Review Questions 109
Chapter 8 Malware and Virus Protection 111
Understanding Malware 112
Understanding Viruses 112
Virus Protection 117
Prevention 117
Natural Immunity 118
Active Protection 118
Understanding Worms and Trojan Horses 119
Protecting Against Worms 121
Implementing Virus Protection 121
Client Virus Protection 122
Server-Based Virus Protection 123
E-Mail Gateway Virus Protection 124
Firewall-Based Virus Protection 124
Enterprise Virus Protection 125
Terms to Know 125
Review Questions 126
Chapter 9 Creating Fault Tolerance 127
Causes for Loss 128
Human Error 128
Routine Failure Events 128
Crimes 130
Environmental Events 132
Fault Tolerance Measures 133
Backups 133
Uninterruptible Power Supplies (UPSs) and Power Generators 138
Redundant Array of Independent Disks (RAID) 139
Permissions 141
Border Security 141
Auditing 141
Offsite Storage 141
Archiving 142
Deployment Testing 142
Circuit Redundancy 143
Physical Security 143
Clustered Servers 144
Terms to Know 147
Review Questions 148
Chapter 10 Windows Security 149
Windows Local Security 150
Security Identifiers 151
Logging In 152
Resource Access 153
Objects and Permissions 154
NTFS File System Permissions 157
Encrypting File System (EFS) 158
Windows Network Security 159
Active Directory 159
Kerberos Authentication and Domain Security 160
Group Policy 163
Share Security 166
IPSec 169
Terms to Know 171
Review Questions 172
Chapter 11 Securing Unix Servers 173
A Brief History of Unix 174
Unix Security Basics 177
Understanding Unix File Systems 177
User Accounts 180
File System Security 184
Access Control Lists 186
Execution Permissions 186
Terms to Know 189
Review Questions 190
Chapter 12 Unix Network Security 191
Unix Network Security Basics 192
Remote Logon Security 193
Remote Access 194
Pluggable Authentication Module (PAM) 195
Distributed Logon 196
Distributed passwd 196
NIS and NIS+ 196
Kerberos 198
File Sharing Security 200
File Transfer Protocol (FTP) 201
Network File System (NFS) 203
Hypertext Transfer Protocol (HTTP) 204
Samba 205
Firewalling Unix Machines 206
IPTables and IPChains 207
TCP Wrappers 208
Firewall Toolkit (FWTK) 209
Terms to Know 210
Review Questions 211
Chapter 13 Web Server Security 213
Web Security Problems 214
Implementing Web Server Security 214
Common Security Solutions 215
Apache Security 226
Internet Information Services Security 229
Terms to Know 235
Review Questions 236
Chapter 14 E-mail Security 237
E-mail Encryption and Authentication 238
S/MIME 239
PGP 240
Mail Forgery 240
E-mail Viruses 241
Outlook Viruses 242
Commercial Gateway Virus Scanners 242
AMaViS 243
Attachment Security 244
Strip All Attachments 244
Allow Only Specific Attachments 245
Strip Only Dangerous Attachments 245
Foreign E-mail Servers 248
Spam 249
Authenticating SMTP 250
Systemic Spam Prevention 253
Terms to Know 256
Review Questions 257
Chapter 15 Intrusion Detection 259
Intrusion Detection Systems 260
Inspectors 260
Decoys 261
Auditors 263
Available IDSs 263
Windows System 264
Tripwire 265
Snort 265
Demarc PureSecure 266
NFR Network Intrusion Detector 267
Terms to Know 267
Review Questions 268
Appendix A Answers to Review Questions 269
Chapter 1 269
Chapter 2 270
Chapter 3 271
Chapter 4 272
Chapter 5 273
Chapter 6 274
Chapter 7 275
Chapter 8 276
Chapter 9 276
Chapter 10 278
Chapter 11 279
Chapter 12 280
Chapter 13 281
Chapter 14 282
Chapter 15 283
Glossary 285
Introduction
When you’re learning any new topic or technology, it’s important to have all of the basics at your disposal. The Sybex Foundations series provides the building blocks of specific technologies that help you establish yourself in IT.
Recent major security vulnerabilities in Windows and Linux have caused problems for nearly every computer user in the world. The mysterious world of hackers, spies, and government agents has become the daily annoyance of spyware, spam, virus infection, and worm attacks. There was a time when you only needed to worry about security if you had something important to protect, but these days, if you don’t understand computer security, the computers you are responsible for will be hacked.
My goal with Network Security Foundations is to introduce you to computer security concepts so that you’ll come away with an intermediate understanding of security as it pertains to computers. This book isn’t boringly technical; each topic is covered to sufficient depth, but not to an extreme.
As a former hacker, a military classified materials custodian, and network administrator, I have over twenty years’ experience working in the computer industry and on all sides of the computer security problem. Pulling from this experience, I’ve tried to present the relevant material in an interesting way, and I’ve included what I have found to be the most important concepts. The book includes several simple examples and diagrams in an effort to demystify computer security.
This book is neither operating system specific nor software specific. Concepts are presented so that you can gain an understanding of the topic without being tied to a particular platform.
Who Should Read This Book?
Network Security Foundations is designed to teach the fundamentals of computer and network security to people who are fairly new to the topic:
◆ People interested in learning more about computer and network security
◆ Decision-makers who need to know the fundamentals in order to make valid, informed security choices
◆ Administrators who feel they are missing some of the foundational information about network security
◆ Small business owners interested in understanding the ramifications of their IT decisions
◆ Those interested in learning more about why computer security is a problem and what the solutions are
◆ Instructors teaching a network security fundamentals course
◆ Students enrolled in a network security fundamentals course
What This Book Covers
Working in computer security has been an interesting, exciting, and rewarding experience. No matter what sector of the computer industry you’re employed in (or even if you’re not employed in IT yet), it is absolutely essential that you understand computer security in order to secure the systems that you are responsible for against attack.
Network Security Foundations contains many drawings and charts that help create a comfortable learning environment. It provides many real-world analogies that you will be able to relate to and through which network security will become tangible. The analogies provide a simple way to understand the technical process of network security, and you will see that many of the security concepts are actually named after their real-world counterparts because the analogies are so apt. This book continues to build your understanding about network security progressively, like climbing a ladder. Here’s how the information is presented:
Chapters 1 and 2 These chapters introduce computer security and explain why the security problem exists and why hackers hack.
Chapter 3 This chapter explains encryption, a mathematical concept that is central to all computer security. Although encryption itself is mathematically complex, this chapter does not require a math background to understand and presents the major features of encryption and their uses without proving the theories behind them.
Chapter 4 This chapter describes security management—the human aspect of controlling the process of computer security. It covers such management aspects as computer security policy development, acceptable use policies, and how to automate policy enforcement.
Chapters 5 and 6 These chapters describe the major Internet security concepts of firewalling and virtual private networks, which are used to partition the Internet into separate networks with controlled borders and then connect the “islands of data” that are created back together again in a controlled, secure manner.
Chapter 7 This chapter discusses the special challenges of securing home users who may connect to your network. Home users create special problems. For example, you often have no control over their resources or you might have very little budget to solve their problems.
Chapters 8 and 9 These chapters discuss security issues outside the realm of direct attack by hackers: viruses, worms, Trojan horses, spyware, spam, and routine failure. Solutions to all of these problems are evaluated.
Chapters 10 through 12 These chapters detail the security features of Windows and Unix, which are the two most popular operating systems and used on 99 percent of all of the computers in the world.
Chapters 13 and 14 These chapters discuss the security ramifications of running public web and e-mail servers that must be made available on the Internet and are therefore especially vulnerable to hacking attacks.
Chapter 15 This chapter discusses intrusion detection and response: how to determine when someone is attempting to hack your systems, and what to do about it.
Making the Most of This Book
packet filter
A router that is capable of dropping packets that don’t meet security requirements.
At the beginning of each chapter of Network Security Foundations, you’ll find a list of the topics I’ll cover within the chapter.
To help you absorb new material easily, I’ve highlighted new terms, such as packet filter, in italics and defined them in the page margins (as shown above).
In addition, several special elements highlight important information:
Notes provide extra information and references to related information.
Tips are insights that help you perform tasks more easily and effectively.
Warnings let you know about things you should—or shouldn’t—do as you learn more about security.
At the end of each chapter, you can test your knowledge of the chapter’s relevant topics by answering the review questions. You’ll find the answers to the review questions in Appendix A.