INFORMATION RESOURCE GUIDE
Computer, Internet and Network Systems Security
An Introduction to Security
Security Manual
Compiled By:
S.K. PARMAR, Cst, N. Cowichan Duncan RCMP Det.
6060 Canada Ave., Duncan, BC
250-748-5522
sunny@seaside.net
This publication is for informational purposes only. In no way should this publication be interpreted as offering legal or accounting advice. If legal or other professional advice is needed, it is encouraged that you seek it from the appropriate source. All product and company names mentioned in this manual are the [registered] trademarks of their respective owners. The mention of a product or company does not in itself constitute an endorsement. The articles, documents, publications, presentations, and white papers referenced and used to compile this manual are copyright protected by the original authors. Please give credit where it is due and obtain permission to use these. All material contained has been used with permission from the original author(s) or representing agent/organization.
Table of Contents
1.0 INTRODUCTION 2
1.1 BASIC INTERNET TECHNICAL DETAILS 2
1.1.1 TCP/IP : Transmission Control Protocol/Internet Protocol 2
1.1.2 UDP:User Datagram Protocol 2
1.1.3 Internet Addressing 3
1.1.4 Types of Connections and Connectors 3
1.1.5 Routing 6
1.2 Internet Applications and Protocols 6
1.2.1 ARCHIE 6
1.2.2 DNS — Domain Name System 7
1.2.3 E-mail — Electronic Mail 7
1.2.4 SMTP — Simple Mail Transport Protocol 7
1.2.5 PEM — Privacy Enhanced Mail 8
1.2.6 Entrust and Entrust-Lite 8
1.2.7 PGP — Pretty Good Privacy 8
1.2.8 RIPEM — Riordan's Internet Privacy-Enhanced Mail 9
1.2.9 MIME — Multipurpose Internet Mail Extensions 9
1.3 File Systems 9
1.3.1 AFS — Andrew File system 9
1.3.2 NFS — Network File System 9
1.3.3 FTP — File Transfer Protocol 10
1.3.4 GOPHER 10
1.3.5 ICMP — Internet Control Message Protocol 10
1.3.6 LPD — Line Printer Daemon 11
1.3.7 NNTP — Network News Transfer Protocol 11
1.3.8 News Readers 11
1.3.9 NIS — Network Information Services 11
1.3.10 RPC — Remote Procedure Call 12
1.3.11 R-utils (rlogin, rcp, rsh) 12
1.3.12 SNMP — Simple Network Management Protocol 12
1.3.13 TELNET 12
1.3.14 TFTP — Trivial File Transfer Protocol 12
1.3.15 Motif 13
1.3.16 Openwindows 13
1.3.17 Winsock 13
1.3.18 Windows — X11 13
1.3.19 WAIS — Wide Area Information Servers 13
1.3.20 WWW — World Wide Web 13
1.3.21 HTTP — HyperText Transfer Protocol 13
2.0 SECURITY 16
2.1 SECURITY POLICY 16
2.1.0 What is a Security Policy and Why Have One? 16
2.1.1 Definition of a Security Policy 17
2.1.2 Purposes of a Security Policy 17
2.1.3 Who Should be Involved When Forming Policy? 17
2.1.4 What Makes a Good Security Policy? 18
2.1.5 Keeping the Policy Flexible 19
2.2 THREATS 19
2.2.0 Unauthorized LAN Access 21
2.2.1 Inappropriate Access to LAN Resources 21
2.2.2 Spoofing of LAN Traffic 23
2.2.3 Disruption of LAN Functions 24
2.2.4 Common Threats 24
2.2.4.0 Errors and Omissions 24
2.2.4.1 Fraud and Theft 25
2.2.4.2 Disgruntled Employees 25
2.2.4.3 Physical and Infrastructure 25
2.2.4.4 Malicious Hackers 26
2.2.4.5 Industrial Espionage 26
2.2.4.6 Malicious Code 27
2.2.4.7 Malicious Software: Terms 27
2.2.4.8 Foreign Government Espionage 27
2.3 SECURITY SERVICES AND MECHANISMS INTRODUCTION 27
2.3.0 Identification and Authentication 28
2.3.1 Access Control 30
2.3.2 Data and Message Confidentiality 31
2.3.3 Data and Message Integrity 33
2.3.4 Non-repudiation 34
2.3.5 Logging and Monitoring 34
2.4 ARCHITECTURE OBJECTIVES 35
2.4.0 Separation of Services 35
2.4.0.1 Deny all/ Allow all 35
2.4.1 Protecting Services 36
2.4.1.0 Name Servers (DNS and NIS(+)) 36
2.4.1.1 Password/Key Servers (NIS(+) and KDC) 36
2.4.1.2 Authentication/Proxy Servers (SOCKS, FWTK) 36
2.4.1.3 Electronic Mail 37
2.4.1.4 World Wide Web (WWW) 37
2.4.1.5 File Transfer (FTP, TFTP) 37
2.4.1.6 NFS 38
2.4.2 Protecting the Protection 38
2.5 AUDITING 38
2.5.1 What to Collect 38
2.5.2 Collection Process 38
2.5.3 Collection Load 39
2.5.4 Handling and Preserving Audit Data 39
2.5.5 Legal Considerations 40
2.5.6 Securing Backups 40
2.6 INCIDENTS 40
2.6.0 Preparing and Planning for Incident Handling 40
2.6.1 Notification and Points of Contact 42
2.6.2 Law Enforcement and Investigative Agencies 42
2.6.3 Internal Communications 44
2.6.4 Public Relations - Press Releases 44
2.6.5 Identifying an Incident 45
2.6.5.1 Is it real? 45
2.6.6 Types and Scope of Incidents 46
2.6.7 Assessing the Damage and Extent 47
2.6.8 Handling an Incident 47
2.6.9 Protecting Evidence and Activity Logs 47
2.6.10 Containment 48
2.6.11 Eradication 49
2.6.12 Recovery 49
2.6.13 Follow-Up 49
2.6.14 Aftermath of an Incident 50
2.7 INTRUSION MANAGEMENT SUMMARY 50
2.7.0 Avoidance 51
2.7.1 Assurance 51
2.7.2 Detection 52
2.7.3 Investigation 52
2.8 MODEMS 52
2.8.0 Modem Lines Must Be Managed 52
2.8.1 Dial-in Users Must Be Authenticated 53
2.8.2 Call-back Capability 53
2.8.3 All Logins Should Be Logged 54
2.8.4 Choose Your Opening Banner Carefully 54
2.8.5 Dial-out Authentication 54
2.8.6 Make Your Modem Programming as "Bullet-proof" as Possible 54
2.9 DIAL UP SECURITY ISSUES 55
2.9.0 Classes of Security Access Packaged for MODEM Access 55
2.9.1 Tactical and Strategic Issues in Selecting a MODEM Connection Solution 56
2.9.2 Background on User Access Methods and Security 57
2.9.3 Session Tracking and User Accounting Issues 60
2.9.4 Description of Proposed Solution to Dial-Up Problem 61
2.9.5 Dissimilar Connection Protocols Support 63
2.9.6 Encryption/Decryption Facilities 63
2.9.7 Asynchronous Protocol Facilities 63
2.9.8 Report Item Prioritization 64
2.9.9 User Profile “Learning” Facility 64
2.10 NETWORK SECURITY 64
2.10.0 NIST Check List 65
2.10.0.0 Basic levels of network access: 65
2.10.1 Auditing the Process 65
2.10.2 Evaluating your security policy 66
2.11 PC SECURITY 66
2.12 ACCESS 67
2.12.0 Physical Access 67
2.12.1 Walk-up Network Connections 68
2.13 RCMP GUIDE TO MINIMIZING COMPUTER THEFT 68
2.13.0 Introduction 68
2.13.1 Areas of Vulnerability and Safeguards 69
2.13.1.0 PERIMETER SECURITY 69
2.13.1.1 SECURITY INSIDE THE FACILITY 69
2.13.2 Physical Security Devices 70
2.13.2.0 Examples of Safeguards 70
2.13.3 Strategies to Minimize Computer Theft 73
2.13.3.0 APPOINTMENT OF SECURITY PERSONNEL 73
2.13.3.1 MASTER KEY SYSTEM 73
2.13.3.2 TARGET HARDENING 74
2.13.4 PERSONNEL RECOGNITION SYSTEM 74
2.13.4.0 Minimizing Vulnerabilities Through Personnel Recognition 74
2.13.5 SECURITY AWARENESS PROGRAM 75
2.13.5.0 Policy Requirements 75
2.13.5.1 Security Awareness Safeguards 76
2.13.6 Conclusion 76
2.14 PHYSICAL AND ENVIRONMENTAL SECURITY 76
2.14.0 Physical Access Controls 78
2.14.1 Fire Safety Factors 79
2.14.2 Failure of Supporting Utilities 80
2.14.3 Structural Collapse 81
2.14.4 Plumbing Leaks 81
2.14.5 Interception of Data 81
2.14.6 Mobile and Portable Systems 82
2.14.7 Approach to Implementation 82
2.14.9 Cost Considerations 84
2.15 CLASS C2: CONTROLLED ACCESS PROTECTION – AN INTRODUCTION 84
2.15.0 C2 Criteria Simplified 84
2.15.1 The Red Book 85
2.15.2 Summary 87
3.0 IDENTIFICATION AND AUTHENTICATION 92
3.1 INTRODUCTION 92
3.1.0 I&A Based on Something the User Knows 93
3.1.0.1 Passwords 93
3.1.0.2 Cryptographic Keys 94
3.1.1 I&A Based on Something the User Possesses 94
3.1.1.0 Memory Tokens 94
3.1.1.1 Smart Tokens 95
3.1.2 I&A Based on Something the User Is 97
3.1.3 Implementing I&A Systems 98
3.1.3.0 Administration 98
3.1.3.1 Maintaining Authentication 98
3.1.3.2 Single Log-in 99
3.1.3.3 Interdependencies 99
3.1.3.4 Cost Considerations 99
3.1.4 Authentication 100
3.1.4.0 One-Time passwords 102
3.1.4.1 Kerberos 102
3.1.4.2 Choosing and Protecting Secret Tokens and PINs 102
3.1.4.3 Password Assurance 103
3.1.4.4 Confidentiality 104
3.1.4.5 Integrity 105
3.1.4.6 Authorization 105
4.0 RISK ANALYSIS 108
4.1 THE 7 PROCESSES 108
4.1.0 Process 1 - Define the Scope and Boundary, and Methodology 108
4.1.0.1 Process 2 - Identify and Value Assets 108
4.1.0.2 Process 3 - Identify Threats and Determine Likelihood 110
4.1.0.3 Process 4 - Measure Risk 111
4.1.0.4 Process 5 - Select Appropriate Safeguards 112
4.1.0.5 Process 6 - Implement And Test Safeguards 113
4.1.0.6 Process 7 - Accept Residual Risk 114
4.2 RCMP GUIDE TO THREAT AND RISK ASSESSMENT FOR INFORMATION TECHNOLOGY 114
4.2.1 Introduction 114
4.2.2 Process 114
4.2.2.0 Preparation 115
4.2.2.1 Threat Assessment 118
4.2.2.2 Risk Assessment 122
4.2.2.3 Recommendations 124
4.2.3 Updates 125
4.2.4 Advice and Guidance 126
4.2.5 Glossary of Terms 127
5.0 FIREWALLS 130
5.1 INTRODUCTION 130
5.2 FIREWALL SECURITY AND CONCEPTS 131
5.2.0 Firewall Components 131
5.2.0.0 Network Policy 131
5.2.0.1 Service Access Policy 131
5.2.0.2 Firewall Design Policy 132
5.2.1 Advanced Authentication 133
5.3 PACKET FILTERING 133
5.3.0 Which Protocols to Filter 134
5.3.1 Problems with Packet Filtering Routers 135
5.3.1.0 Application Gateways 136
5.3.1.1 Circuit-Level Gateways 138
5.4 FIREWALL ARCHITECTURES 138
5.4.1 Multi-homed host 138
5.4.2 Screened host 139
5.4.3 Screened subnet 139
5.5 TYPES OF FIREWALLS 139
5.5.0 Packet Filtering Gateways 139
5.5.1 Application Gateways 139
5.5.2 Hybrid or Complex Gateways 140
5.5.3 Firewall Issues 141
5.5.3.0 Authentication 141
5.5.3.1 Routing Versus Forwarding 141
5.5.3.2 Source Routing 141
5.5.3.3 IP Spoofing 142
5.5.3.4 Password Sniffing 142
5.5.3.5 DNS and Mail Resolution 143
5.5.4 FIREWALL ADMINISTRATION 143
5.5.4.0 Qualification of the Firewall Administrator 144
5.5.4.1 Remote Firewall Administration 144
5.5.4.2 User Accounts 145
5.5.4.3 Firewall Backup 145
5.5.4.4 System Integrity 145
5.5.4.5 Documentation 146
5.5.4.6 Physical Firewall Security 146
5.5.4.7 Firewall Incident Handling 146
5.5.4.8 Restoration of Services 146
5.5.4.9 Upgrading the firewall 147
5.5.4.10 Logs and Audit Trails 147
5.5.4.11 Revision/Update of Firewall Policy 147
5.5.4.12 Example General Policies 147
5.5.4.12.0 Low-Risk Environment Policies 147
5.5.4.12.1 Medium-Risk Environment Policies 148
5.5.4.12.2 High-Risk Environment Policies 149
5.5.4.13 Firewall Concerns: Management 150
5.5.4.14 Service Policies Examples 151
5.5.5 CLIENT AND SERVER SECURITY IN ENTERPRISE NETWORKS 153
5.5.5.0 Historical Configuration of Dedicated Firewall Products 153
5.5.5.1 Advantages and Disadvantages of Dedicated Firewall Systems 153
5.5.5.2 Are Dedicated Firewalls A Good Idea? 155
5.5.5.3 Layered Approach to Network Security - How To Do It 155
5.5.5.4 Improving Network Security in Layers - From Inside to Outside 157
5.5.5.5 Operating Systems and Network Software - Implementing Client and Server Security 158
5.5.5.6 Operating System Attacks From the Network Resource(s) - More Protocols Are The Norm - and They Are Not Just IP 159
5.5.5.7 Client Attacks - A New Threat 159
5.5.5.8 Telecommuting Client Security Problems - Coming to Your Company Soon 160
5.5.5.9 Compromising Network Traffic - On LANs and Cable Television It’s Easy 162
5.5.5.10 Encryption is Not Enough - Firewall Services Are Needed As Well 163
5.5.5.11 Multiprotocol Security Requirements are the Norm - Not the Exception Even for Singular Protocol Suites 163
5.5.5.13 New Firewall Concepts - Firewalls with One Network Connection 164
6.0 CRYPTOGRAPHY 167
6.1 CRYPTOSYSTEMS 167
6.1.0 Key-Based Methodology 167
6.1.1 Symmetric (Private) Methodology 169
6.1.2 Asymmetric (Public) Methodology 170
6.1.3 Key Distribution 172
6.1.4 Encryption Ciphers or Algorithms 175
6.1.5 Symmetric Algorithms 175
6.1.6 Asymmetric Algorithms 178
6.1.7 Hash Functions 178
6.1.8 Authentication Mechanisms 179
6.1.9 Digital Signatures and Time Stamps 180
7.0 MALICIOUS CODE 182
7.1 WHAT IS A VIRUS? 182
7.1.0 Boot vs File Viruses 183
7.1.1 Additional Virus Classifications 183
7.2 THE NEW MACRO VIRUS THREAT 183
7.2.0 Background 184
7.2.1 Macro Viruses: How They Work 186
7.2.2 Detecting Macro Viruses 187
7.3 IS IT A VIRUS? 189
7.3.0 Worms 190
7.3.1 Trojan Horses 192
7.3.2 Logic Bombs 192
7.3.3 Computer Viruses 193
7.3.4 Anti-Virus Technologies 194
7.4 ANTI-VIRUS POLICIES AND CONSIDERATIONS 195
7.4.0 Basic "Safe Computing" Tips 196
7.4.1 Anti-Virus Implementation Questions 197
7.4.2 More Virus Prevention Tips 198
7.4.3 Evaluating Anti-Virus Vendors 198
7.4.4 Primary Vendor Criteria 199
8.0 VIRTUAL PRIVATE NETWORKS: INTRODUCTION 202
8.1 MAKING SENSE OF VIRTUAL PRIVATE NETWORKS 202
8.2 DEFINING THE DIFFERENT ASPECTS OF VIRTUAL PRIVATE NETWORKING 202
8.2.0 Intranet VPNs 204
8.2.1 Remote Access VPNs 205
8.2.2 Extranet VPNs 206
8.3 VPN ARCHITECTURE 207
8.4 UNDERSTANDING VPN PROTOCOLS 208
8.4.0 SOCKS v5 208
8.4.1 PPTP/L2TP 209
8.4.2 IPSec 211
8.5 MATCHING THE RIGHT TECHNOLOGY TO THE GOAL 212
9.0 WINDOWS NT NETWORK SECURITY 215
9.1 NT SECURITY MECHANISMS 215
9.2 NT TERMINOLOGY 215
9.2.0 Objects in NT 215
9.2.1 NT Server vs NT Workstation 216
9.2.2 Workgroups 216
9.2.3 Domains 217
9.2.4 NT Registry 217
9.2.5 C2 Security 218
9.3 NT SECURITY MODEL 219
9.3.0 LSA: Local Security Authority 219
9.3.1 SAM: Security Account Manager 220
9.3.2 SRM: Security Reference Monitor 220
9.4 NT LOGON 221
9.4.0 NT Logon Process 222
9.5 DESIGNING THE NT ENVIRONMENT 222
9.5.0 Trusts and Domains 223
9.6 GROUP MANAGEMENT 226
9.7 ACCESS CONTROL 228
9.8 MANAGING NT FILE SYSTEMS 229
9.8.0 FAT File System 229
9.8.1 NTFS File System 230
9.9 OBJECT PERMISSIONS 231
9.10 MONITORING SYSTEM ACTIVITIES 232
10.0 UNIX INCIDENT GUIDE 234
10.1 DISPLAYING THE USERS LOGGED IN TO YOUR SYSTEM 235
10.1.0 The “W” Command 235
10.1.1 The “finger” Command 236
10.1.2 The “who” Command 236
10.2 DISPLAYING ACTIVE PROCESSES 237
10.2.0 The “ps” Command 237
10.2.1 The “crash” Command 238
10.3 FINDING THE FOOTPRINTS LEFT BY AN INTRUDER 238
10.3.0 The “last” Command 239
10.3.1 The “lastcomm” Command 240
10.3.2 The /var/log/syslog File 241
10.3.3 The /var/adm/messages File 242
10.3.4 The “netstat” Command 243
10.4 DETECTING A SNIFFER 243
10.4.1 The “ifconfig” Command 244
10.5 FINDING FILES AND OTHER EVIDENCE LEFT BY AN INTRUDER 244
10.6 EXAMINING SYSTEM LOGS 246
10.7 INSPECTING LOG FILES 247
APPENDIX A: HOW MOST FIREWALLS ARE CONFIGURED 251
APPENDIX B: BASIC COST FACTORS OF FIREWALL OWNERSHIP 254
APPENDIX C: GLOSSARY OF FIREWALL RELATED TERMS 258
APPENDIX D: TOP 10 SECURITY THREATS 260
APPENDIX E: TYPES OF ATTACKS 262
APPENDIX F: TOP 10 SECURITY PRECAUTIONS 265
APPENDIX G: VIRUS GLOSSARY 266
APPENDIX H: NETWORK TERMS GLOSSARY 269
This manual is an effort to assist law enforcement agencies and other computer crime investigators by providing a resource guide compiled from the vast pool of information on the Internet. This manual is not intended to replace any formal training or education. This manual should be used as a supplemental guide for reference. It was not my intention to compile this manual to provide a specific solution for investigators. This was intended to provide a general overview, which would assist in helping to develop a solution. This solution does not have to be hardware or software based. Today policy-based protection can also be incorporated into hardware and software systems.
I would like to thank all the authors and organizations that have provided me with materials to compile this manual. Some of the material contained in this manual was a part of a larger document. It is strongly recommended that anyone who has an interest in learning more about a particular topic find these documents on the Internet and read them.
A very special thanks to:
Dr. Bill Hancock, Network-1 Security Solutions, Inc. (hancock@network-1.com)
who played an active role in the modeling of this manual.
Finally, please respect the copyrights of the original authors and
organizations and give them credit for their work.
Any questions or concerns can be directed to me c/o
1.0 Introduction
1.1 Basic Internet Technical Details
The Internet utilizes a set of networking protocols called TCP/IP. The application protocols that can be used with TCP/IP are described in a set of Internet Engineering Task Force (IETF) RFCs (Requests For Comment). These documents describe the "standard" protocols and applications that have been developed to support these protocols. Protocols provide a standard method for passing messages. They define the message formats and how to handle error conditions. Protocols are independent of vendor network hardware; this allows communication between various networks with different hardware as long as they communicate (understand) the same protocol. The following diagram provides a conceptual layering diagram of the protocols.
1.1.1 TCP/IP : Transmission Control Protocol/Internet Protocol
TCP/IP is used to facilitate communication within a network of diverse hardware technology. Information is broken into packets (usually in the range of 1-1500 characters long) to prevent monopolizing of the network. TCP is a transport level protocol which allows a process on one computer to send data to a process on another computer. It is a connection oriented protocol, which means that a path must be established between the two computers. IP defines the datagram, the format of the data being transferred throughout the network, and performs connectionless delivery. Connectionless delivery requires each datagram to contain the source and destination address, and each datagram is processed separately. TCP takes the information, breaks it into pieces called packets, numbers the packets, and then sends them.
The receiving computer collects the packets, takes out the data and puts them in the proper order. If something is missing, the receiving computer asks the sender to retransmit. The packet sent also contains a checksum which is used to find errors that may have occurred during transmission. If the receiving computer notices that an error has occurred when it computes and compares the checksum, it throws that packet away and asks for a retransmission. Once everything is received, the data is passed to the proper application (e.g. e-mail).
1.1.2 UDP: User Datagram Protocol
UDP has less overhead and is simpler than TCP. The concept is basically the same except that UDP is not concerned about lost packets or keeping things in order. It is used for short messages. If it does not receive a response, it just resends the request. This type of protocol transfer method is called a "connectionless protocol."
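As an added worked example (not code from the manual), the following Python models the numbering, checksum and retransmission behaviour the TCP section describes, and by contrast what UDP leaves out: the sender numbers each piece and attaches an RFC 1071 Internet checksum (the algorithm IP, TCP and UDP headers actually use), and the receiver discards a packet whose checksum does not verify, reports the numbers it is missing so the sender can retransmit them, and only reassembles once every piece is present. The packet layout, the sample message and the simulated corruption and loss are constructed for the example.

```python
import struct


def internet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: ones'-complement sum of 16-bit words, complemented.

    This is the checksum algorithm IP, TCP and UDP headers use; an odd trailing
    byte is padded with a zero byte before summing.
    """
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


# Constructed toy packet layout (not a real TCP segment): 4-byte sequence number,
# 2-byte checksum (zero while the checksum is computed), then the payload.
HEADER = struct.Struct("!IH")


def make_packet(seq: int, payload: bytes) -> bytes:
    """Number a piece of data and protect it with a checksum, as the sender does."""
    checksum = internet_checksum(HEADER.pack(seq, 0) + payload)
    return HEADER.pack(seq, checksum) + payload


def verify_packet(packet: bytes):
    """Return (seq, payload) if the checksum verifies, else None.

    Summing a packet *including* its checksum field gives ones'-complement zero,
    so a verified packet makes internet_checksum() return 0.
    """
    if len(packet) < HEADER.size or internet_checksum(packet) != 0:
        return None
    seq, _ = HEADER.unpack_from(packet)
    return seq, packet[HEADER.size:]


class Receiver:
    """Receiving side: keep good packets by number, discard corrupt ones, report gaps."""

    def __init__(self):
        self.received = {}      # seq -> payload
        self.discarded = 0      # corrupt packets thrown away (retransmission requested)

    def receive(self, packet: bytes) -> bool:
        result = verify_packet(packet)
        if result is None:
            self.discarded += 1
            return False
        seq, payload = result
        self.received[seq] = payload
        return True

    def missing(self, total: int) -> list:
        """Sequence numbers the sender must retransmit (lost or discarded)."""
        return [seq for seq in range(total) if seq not in self.received]

    def reassemble(self, total: int):
        """Put the pieces back in order; None until every piece has arrived."""
        if self.missing(total):
            return None
        return b"".join(self.received[seq] for seq in range(total))


def demo():
    """Out-of-order delivery, one corrupted packet and one lost packet, then retransmission."""
    message = b"The quick brown fox jumps over the lazy dog"      # 43 bytes -> 5 packets
    packets = [make_packet(i, message[i * 10:(i + 1) * 10]) for i in range(5)]

    corrupted = bytearray(packets[2])
    corrupted[7] ^= 0x01                    # flip one payload bit "in transit"

    rx = Receiver()
    for pkt in (packets[4], packets[0], bytes(corrupted), packets[1]):   # packet 3 never arrives
        rx.receive(pkt)
    gaps = rx.missing(len(packets))         # [2, 3]: one discarded, one lost
    for seq in gaps:
        rx.receive(packets[seq])            # sender retransmits exactly what was asked for
    return rx.reassemble(len(packets)) == message, gaps, rx.discarded


if __name__ == "__main__":
    print(demo())
```

A UDP receiver would keep only the first two lines of `receive()`: it still drops a packet whose checksum fails, but nothing tracks order or asks for anything again; the application has to resend if it cares.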
Figure 1: Conceptual Layering
1.1.3 Internet Addressing
All computers on the Internet must have a distinct network address to be able to efficiently communicate with each other. The addressing scheme used within the Internet is a 32-bit address segmented into a hierarchical structure. IP addresses consist of four numbers, each less than 256, which are separated by periods (#.#.#.#). At the lowest level, computers communicate with each other using a hardware address (on LANs, this is called the Medium Access Control or MAC address). Computer users, however, deal with two higher levels of abstraction in order to help visualize and remember computers within the network. The first level of abstraction is the IP address of the computer (e.g. 131.136.196.2) and the second level is the human readable form of this address (e.g. manitou.cse.dnd.ca). This address scheme is currently under review as the address space is running out. Address Resolution Protocol (ARP) can be used by the computer to resolve IP addresses into the corresponding hardware addresses.
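An added example (not from the manual) of the dotted-quad scheme described above: it parses #.#.#.# text into the 32-bit value, rejecting any field that is not a decimal number below 256, and splits the address into its network and host parts under the classful hierarchy (class A, B and C networks) that the 32-bit space was divided into at the time. The manual's own sample address 131.136.196.2 is used as input; the parser is written here rather than taken from a library so the 32-bit layout is visible.

```python
def parse_ipv4(text: str) -> int:
    """Parse a dotted-quad address (#.#.#.#) into its 32-bit integer value.

    Each of the four fields must be a decimal number below 256; anything else
    (too few fields, letters, 256 and up) is rejected rather than guessed at.
    """
    fields = text.strip().split(".")
    if len(fields) != 4:
        raise ValueError(f"expected four dotted fields, got {text!r}")
    value = 0
    for field in fields:
        if not field.isdigit():
            raise ValueError(f"non-numeric field in {text!r}")
        octet = int(field)
        if octet > 255:
            raise ValueError(f"field {octet} out of range in {text!r}")
        value = (value << 8) | octet          # most significant octet first
    return value


def to_dotted(value: int) -> str:
    """Inverse of parse_ipv4: 32-bit integer back to #.#.#.# form."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def classful_split(text: str):
    """Split an address into network and host parts under the classful hierarchy.

    Class A addresses (first octet 0-127) carry 8 network bits, class B
    (128-191) 16 and class C (192-223) 24; class D (multicast) and class E
    (reserved) have no host part. Returns (class, network, host).
    """
    addr = parse_ipv4(text)
    first_octet = addr >> 24
    if first_octet < 128:
        cls, network_bits = "A", 8
    elif first_octet < 192:
        cls, network_bits = "B", 16
    elif first_octet < 224:
        cls, network_bits = "C", 24
    elif first_octet < 240:
        return "D", to_dotted(addr), None
    else:
        return "E", to_dotted(addr), None
    mask = (0xFFFFFFFF << (32 - network_bits)) & 0xFFFFFFFF
    return cls, to_dotted(addr & mask), to_dotted(addr & ~mask & 0xFFFFFFFF)


if __name__ == "__main__":
    print(hex(parse_ipv4("131.136.196.2")), classful_split("131.136.196.2"))
```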
1.1.4 Types of Connections and Connectors
There are two types of computer hosts connected to the Internet: server hosts and client hosts. The server host can be described as an "information provider". This type of host contains some type of resource or data which is available to other hosts on the Internet. The second type of host connected to the Internet is the client host, which can be described as an "information retriever". The client host will access resources and data located on the server hosts, but usually will not provide any resources back to the server host.
Both server and client host computers can be connected to the Internet by various methods that offer different communication capabilities dependent on varied communications surcharges.
Direct Internet Connections: A computer connected directly to the Internet via a network interface will allow the user the highest internetwork functionality. Each computer connected in this manner must also have a unique Internet (IP) address. This type of connection is also the most expensive.
Serial Internet Connections: Another type of connection offering most communications capabilities is a SLIP (Serial Line Internet Protocol) or PPP (Point to Point Protocol) connection. These two connection schemes offer similar services: full network and application capability over a serial (modem) line. Since this connection offers full TCP/IP and ICMP functionality, each computer configured in this manner requires its own IP address. This type of connection is an on-demand service, at slower speeds, that therefore reduces communications charges; however, all TCP/IP and Internet vulnerabilities remain when the connection is "live".
An important point for the network security investigator to remember is that most dial-up TCP connections, either SLIP or PPP, assign the IP address to a connected machine dynamically. This means that when a system dials up to the Internet Service Provider (ISP), the ISP assigns an IP address at that point. It also means that the address for the dialer may change each and every time the system connects. This can cause serious problems for the investigator when attempting to trace access back through firewall and router logs for specific IP addresses. You will need to work closely with the victim and the ISP to properly track which system was assigned a particular IP address when the system connected to the ISP at a particular point in time.
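The correlation problem in the paragraph above, as an added example that is not part of the manual: a constructed firewall log and a constructed ISP session table (which account held which address, from when until when) are joined on address and time to answer "who held this source address when the event was logged". The line format of the log and the layout of the session table are assumptions made for the example; real firewall logs and ISP accounting records vary.

```python
from datetime import datetime, timezone

# Constructed sample data (not from the manual). Firewall log: UTC timestamp,
# action, protocol, source ip:port, destination ip:port.
FIREWALL_LOG = """\
1999-03-04 02:13:55 DENY tcp 198.51.100.77:1043 -> 192.0.2.10:23
1999-03-04 02:14:02 DENY tcp 198.51.100.77:1044 -> 192.0.2.10:21
1999-03-04 03:06:30 DENY tcp 198.51.100.77:1050 -> 192.0.2.10:23
1999-03-04 06:41:17 DENY tcp 198.51.100.77:1031 -> 192.0.2.11:23
"""

# ISP dial-up session records (constructed): the address handed out, the account
# that dialed in, and the session start/end in UTC. The same address is reused
# by a different account later the same morning.
ISP_SESSIONS = [
    ("198.51.100.77", "dialup-acct-0017", "1999-03-04 01:50:00", "1999-03-04 03:05:12"),
    ("198.51.100.77", "dialup-acct-0442", "1999-03-04 03:07:40", "1999-03-04 09:30:01"),
    ("198.51.100.78", "dialup-acct-0017", "1999-03-04 03:10:00", "1999-03-04 04:00:00"),
]


def parse_ts(text: str) -> datetime:
    """Both data sets must be on the same clock; here everything is taken as UTC."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def parse_firewall_log(text: str) -> list:
    """Turn the constructed log lines into event dicts keyed by time and source address."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, action, proto, src, _arrow, dst = line.split()
        src_ip, _port = src.rsplit(":", 1)
        events.append({"time": parse_ts(f"{date} {clock}"), "action": action,
                       "proto": proto, "src_ip": src_ip, "dst": dst})
    return events


def account_for(ip: str, when: datetime, sessions: list):
    """Which account held `ip` at instant `when`? None if no session covers it."""
    holders = [acct for addr, acct, start, end in sessions
               if addr == ip and parse_ts(start) <= when <= parse_ts(end)]
    if len(holders) > 1:
        # Two sessions claiming one address at once means the records (or clocks) are wrong.
        raise ValueError(f"overlapping sessions for {ip} at {when.isoformat()}")
    return holders[0] if holders else None


def attribute_events(log_text: str, sessions: list) -> list:
    """Pair each firewall event with the dial-up account that held its source address."""
    return [(ev["time"].strftime("%H:%M:%S"), ev["src_ip"],
             account_for(ev["src_ip"], ev["time"], sessions))
            for ev in parse_firewall_log(log_text)]


if __name__ == "__main__":
    for row in attribute_events(FIREWALL_LOG, ISP_SESSIONS):
        print(row)
```

The third event falls in the gap between two sessions of the same address and is attributed to nobody rather than to the nearest account, and two records that overlap for one address raise an error instead of silently picking one; both cases are where clock skew or timezone mismatches between the firewall and the ISP show up first, so the clocks of both sources need checking before any attribution is relied on.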
Host Access Connections: The most limited type of network access is available as a user account on a host which is directly connected to the Internet. The user will then use a terminal to access that host using a standard serial connection. This type of connection is usually the most inexpensive form of access.
Sneaker-Net Connections: This type of connection is by far the most limiting, since the computer has no electrical connection to the Internet at all. This type of connection is the most secure because there is no direct access to the user's computer by a hacker. If information and programs are required on the computer, they must be transferred from a networked computer to the user's computer via magnetic media or manually.
All computers with direct, SLIP, and PPP connections must have their own IP address, and their security administrators must be aware of the vulnerability concerns associated with these connections. Communications channels work both ways: a user having access to the Internet implies that the Internet also has access to that user. Therefore, these computers must be protected and secured to ensure the Internet has limited access. A terminal user calling in to an Internet host has fewer concerns since the host is where the Internet interface lies. In this situation the host must take all necessary security precautions.
To connect the various sub-networks and pieces of the Internet together, hardware equipment is required. The following are definitions of the various terms which are used to describe this equipment.
Repeater: A repeater is a hardware device which is used to connect two Local Area Segments that use the same physical level protocol. The repeater will copy all bits from one network segment to another network segment. This device will not make any routing decisions at all, and will not modify the packets. This device operates at layer 1 (Physical) of the OSI Network Model. A repeater may also be used to connect specific workstations in a physically local area to each other. All units connected to a repeater "see" each other's traffic on the network. Repeaters are very often used on networks like Ethernet/802.3 networks and are very commonly available at most computer stores at a low price.
Modem: A modem is a device which will convert between the digital signal structures that computers require and the analog voltage levels that are used by telephone services. The term MODEM stands for MOdulator DEModulator. A modem operates at level 1 (Physical) of the OSI Network Model and therefore does not modify the data packets or make any routing decisions. Modems are used to connect two computers together over standard phone lines (usually for on-demand services). Current MODEM speeds range from 50 bits per second to over 56 thousand bits per second (56kbps).
Bridge: A bridge is a device which is used to connect two Local Area Networks that use the same LAN framing protocol (such as Ethernet or token ring). The bridge acts as an address filter by picking up packets from one LAN segment and transferring them to another IF the bridge recognizes that the packets need to travel from one LAN to the other. If the communicating source system and destination system are on the same side of the bridge, the bridge will not forward the frame to the other side of the bridge. The bridge makes no modification to any packets it forwards, and the bridge operates at layer 2 (data-link) of the OSI Network Model.
Router: A router is a device that is used to connect two or more LAN, MAN or WAN segments that may or may not use the same framing protocols. Since the router operates at level 3 (Network) of the OSI Network Model it is able to make routing decisions based on the destination network address (IP address for the Internet). Routers will sometimes have filtering capability included. In this case a router might be used as a packet filter to enhance security and/or reduce traffic flow throughout the network that does not need to traverse all locations on the network (described below). Some very large routers at larger network sites can interconnect dozens of different types of network framing formats.
Gateway: A gateway is a device which will interconnect two network segments which utilize different communications architectures. Gateways typically function on a program-type by program-type (application) basis. The gateway maps (or translates) data from one application to another application and as such operates at level 7 (Application) of the OSI Network Model.
Packet filter: Packet filtering is a capability usually added to routers, but can be implemented in host or firewall systems as well. Packet filtering applies a set of filters (or rules of traversal) to all packets entering or leaving the filtering mechanism that enable the router to decide whether the packet should be forwarded or disregarded. For instance, security configurations may add address filters for certain ranges of addresses to keep traffic from roaming all over a network or to keep undesirable addresses from accessing resources that are restricted in access.
Firewall: A firewall is a description of a system (one or more pieces of hardware) that acts as a barrier between two or more network segments. A firewall can be used to provide a barrier between an internal network and the Internet. A firewall can be considered the technical implementation of a security policy. The firewall upholds the security policy of a network when connecting that network to a second network which has a less stringent security policy.
Cyberwall: A cyberwall is similar in scope to a firewall, but instead of offering perimeter defense filtering between two or more networks, cyberwalls are typically installed on desktop and server systems on the inside network at a corporate site. Cyberwalls provide a defensive barrier to attacks on mission critical systems on internal networks and help
attack. Some cyberwalls also include intrusion detection software to allow the system to detect an attack of specific types in progress and effect some levels of defense against them.
Readers are cautioned that these terms are not always used in a consistent manner in publications, which can cause confusion or misconceptions.
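As an added example (not from the manual) of the packet-filter definition above, the following Python evaluates an ordered list of traversal rules against packets and falls back to deny when no rule matches, which is the "deny all" stance the manual's later firewall chapters discuss. The rule set is constructed: it discards packets that arrive from outside while claiming a source address in the internal range (a router can recognise such packets as forged, since genuine internal traffic does not enter from the outside interface) and permits only mail to the mail host and web traffic to the web server. All address ranges come from the documentation blocks 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    dport: Optional[int] = None     # destination port, None for protocols without one


@dataclass
class Rule:
    """One traversal rule; the first matching rule in the list decides."""
    action: str                     # "allow" or "deny"
    src: str                        # permitted source range, CIDR form
    dst: str                        # permitted destination range, CIDR form
    proto: str = "any"              # "any" or a protocol name
    dport: Optional[int] = None     # None matches every destination port
    comment: str = ""

    def __post_init__(self):
        # Parse the ranges once; ip_network() rejects malformed rule text up front.
        self.src_net = ipaddress.ip_network(self.src, strict=False)
        self.dst_net = ipaddress.ip_network(self.dst, strict=False)

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in self.src_net
                and ipaddress.ip_address(pkt.dst) in self.dst_net
                and self.proto in ("any", pkt.proto)
                and self.dport in (None, pkt.dport))


def filter_packet(rules, pkt: Packet, default: str = "deny"):
    """Return (action, index of the deciding rule); (default, None) if nothing matched.

    The default is deny: a packet nobody explicitly permitted is disregarded.
    """
    for index, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, index
    return default, None


# Constructed rule set for the inbound side of a router in front of 192.0.2.0/24.
INTERNAL = "192.0.2.0/24"
INBOUND_RULES = [
    Rule("deny", INTERNAL, "0.0.0.0/0",
         comment="an internal source address arriving from outside is forged"),
    Rule("allow", "0.0.0.0/0", "192.0.2.10/32", "tcp", 25,
         comment="mail, and only to the mail host"),
    Rule("allow", "0.0.0.0/0", "192.0.2.20/32", "tcp", 80,
         comment="web server"),
]


def demo():
    """Four constructed packets: permitted mail, telnet with no rule, forged source, wrong protocol."""
    samples = [
        Packet("203.0.113.5", "192.0.2.10", "tcp", 25),
        Packet("203.0.113.5", "192.0.2.10", "tcp", 23),
        Packet("192.0.2.7", "192.0.2.10", "tcp", 25),
        Packet("203.0.113.5", "192.0.2.20", "udp", 80),
    ]
    return [filter_packet(INBOUND_RULES, pkt) for pkt in samples]


if __name__ == "__main__":
    for pkt_result in demo():
        print(pkt_result)
```

Rule order matters: the forged-source rule sits first so that a packet matching both it and the mail rule is denied, and the index returned with each decision is what a log line should record, so that an audit of the filter can say which rule let a packet through.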
1.1.5 Routing
There are two types of routing used by the Internet: source routing and dynamic routing. The Internet is a very robust networking system. The network routers will automatically (dynamically) send out messages to other routers broadcasting routes to known domains and addresses. If a network or router goes down, packets can be dynamically rerouted to the destination. The user does not usually know how a packet will be routed to the destination. The packet could be rerouted through an untrusted network and intercepted. A router connected to the Internet should be configured to ignore dynamic routing changes and the routing tables should remain static. If the routing tables must be changed, then they should be changed by the network administrator after understanding the reasons for the changes.
Unfortunately this is not usually convenient for Internet connected routers. This is another example of when a tradeoff must be made. If the router is configured in this manner then the dynamic routing that the Internet depends on would be disabled. In this situation your network could be cut off (completely or partially) until the Network Administrator makes the required changes in the routing tables.
The second type of routing is known as source routing. In this method of routing a user is able to define a route for the packet between the source and destination. All packets returning to the destination will follow the route information given. A hacker can use a source routed packet to spoof another address. Computers and routers connected to external networks should be configured to ignore source routed packets.
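An added example (not code from the manual) of the last recommendation: a router or host that is to ignore source-routed packets has to recognise them, and in IPv4 a source route is carried as the loose (LSRR, option type 131) or strict (SSRR, type 137) source route option in the header's options area, as defined in RFC 791. The Python below walks the options area of a header, reports whether either option is present, and decides to drop such packets, treating a malformed options area the same way. `build_header` and `lsrr_option` exist only to construct test input; the header checksum in that test input is left zero.

```python
import ipaddress
import struct

# IPv4 option type bytes from RFC 791: end of option list, no-operation,
# loose source and record route, strict source and record route.
IPOPT_EOL, IPOPT_NOP, IPOPT_LSRR, IPOPT_SSRR = 0, 1, 131, 137


def ipv4_options(header: bytes):
    """Walk the options area of an IPv4 header, yielding (type, data) pairs.

    The options area runs from byte 20 to IHL*4. EOL ends the walk; NOP is a
    single byte; every other option carries a length byte. A malformed option
    raises ValueError so the caller can discard the packet.
    """
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (header[0] & 0x0F) * 4
    if ihl < 20 or len(header) < ihl:
        raise ValueError("IHL inconsistent with header length")
    opts = header[20:ihl]
    pos = 0
    while pos < len(opts):
        kind = opts[pos]
        if kind == IPOPT_EOL:
            break
        if kind == IPOPT_NOP:
            pos += 1
            continue
        if pos + 1 >= len(opts):
            raise ValueError("option without length byte")
        length = opts[pos + 1]
        if length < 2 or pos + length > len(opts):
            raise ValueError("bad option length")
        yield kind, opts[pos + 2:pos + length]
        pos += length


def is_source_routed(header: bytes) -> bool:
    """True if the header carries a loose or strict source route option."""
    return any(kind in (IPOPT_LSRR, IPOPT_SSRR) for kind, _ in ipv4_options(header))


def decide(header: bytes) -> str:
    """Policy from the text: ignore (drop) source-routed packets; drop malformed ones too."""
    try:
        return "drop" if is_source_routed(header) else "forward"
    except ValueError:
        return "drop"


def build_header(src: str, dst: str, options: bytes = b"") -> bytes:
    """Construct an IPv4 header for testing; the header checksum is left zero."""
    options += b"\x00" * ((-len(options)) % 4)      # options are padded to a 32-bit boundary
    ihl = 5 + len(options) // 4
    fixed = struct.pack("!BBHHHBBH4s4s",
                        0x40 | ihl,      # version 4, IHL in 32-bit words
                        0,               # type of service
                        ihl * 4,         # total length: header only, no payload
                        0, 0,            # identification; flags and fragment offset
                        64, 6,           # TTL; protocol 6 = TCP
                        0,               # header checksum (not computed for this test input)
                        ipaddress.IPv4Address(src).packed,
                        ipaddress.IPv4Address(dst).packed)
    return fixed + options


def lsrr_option(hops) -> bytes:
    """A loose source route option listing the hops; the pointer starts at 4 (first address)."""
    route = b"".join(ipaddress.IPv4Address(hop).packed for hop in hops)
    return bytes([IPOPT_LSRR, 3 + len(route), 4]) + route


if __name__ == "__main__":
    print(decide(build_header("203.0.113.5", "192.0.2.10")))
    print(decide(build_header("203.0.113.5", "192.0.2.10", lsrr_option(["198.51.100.1"]))))
```

A record route option (type 7) is parsed but not treated as source routing, and NOP padding before an option does not hide it from the walk; an IHL that points past the bytes actually present is rejected rather than read past the end.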
1.2 Internet Applications and Protocols
The Internet is a global collection of networks all using the TCP/IP network protocol suite to communicate. The TCP/IP protocols allow data packets to be transmitted and routed from a source computer to a destination computer. Above this set of protocols reside the applications that allow users to generate data packets. The following sections describe some of the more common applications as well as some security vulnerabilities and concerns.
1.2.1 ARCHIE
Archie is a system for locating public files available via anonymous ftp (see ftp for vulnerability information). A program is run by an Archie site to contact servers with public files, and the program builds a directory of all the files on the servers. Archie can then be used to search the merged directories for a filename and will provide a list of all the files that match and the servers on which the files reside. Public Archie servers are available and can be accessed using telnet, e-mail or an Archie client. Once the filename/server pair has been found using Archie, ftp can be used to get the file from the server. Archie can be used to find security related information (e.g. if one looks up firewall, Archie will give all the matches and locations for information on firewalls). Archie is limited in that it can only match on filenames exactly (e.g. if the file contains information on firewalls but the author named it burnbarrier, Archie will not find it if the search was for firewalls).