SYBEX Sample Chapter
Michael Pastore
Chapter 3: Infrastructure and Connectivity
Copyright © 2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501. World rights reserved. No part of this publication may be stored in a retrieval system, transmitted, or reproduced in any way, including but not limited to photocopy, photograph, magnetic or other record, without the prior agreement and written permission of the publisher. ISBN: 0-7821-4098-X
SYBEX and the SYBEX logo are either registered trademarks or trademarks of SYBEX Inc. in the USA and other countries.
TRADEMARKS: Sybex has attempted throughout this book to distinguish proprietary trademarks from descriptive terms by following the capitalization style used by the manufacturer. Copyrights and trademarks of all products and services listed or described herein are property of their respective owners and companies. All rules and laws pertaining to said copyrights and trademarks are inferred.
This document may contain images, text, trademarks, logos, and/or other material owned by third parties. All rights reserved. Such material may not be copied, distributed, transmitted, or stored without the express, prior, written consent of the owner.
The author and publisher have made their best efforts to prepare this book, and the content is based upon final release software whenever possible. Portions of the manuscript may be based upon pre-release versions supplied by software manufacturers. The author and the publisher make no representation or warranties of any kind with regard to the completeness or accuracy of the contents herein and accept no liability of any kind including but not limited to performance, merchantability, fitness for any particular purpose, or any losses or damages of any kind caused or alleged to be caused directly or indirectly from this book.
Sybex Inc.
1151 Marina Village Parkway
Alameda, CA 94501
U.S.A.
Phone: 510-523-8233
www.sybex.com
Infrastructure and Connectivity
THE FOLLOWING COMPTIA SECURITY+ EXAM OBJECTIVES ARE COVERED IN THIS CHAPTER:
2.1 Remote Access
2.1.1 802.1x
2.1.2 VPN
2.1.3 RADIUS
2.1.4 TACACS/+
2.1.5 L2TP/PPTP
2.1.6 SSH
2.1.7 IPSEC
2.1.8 Vulnerabilities
2.2 Email
2.2.3 Vulnerabilities
2.2.3.1 Spam
2.2.3.2 Hoaxes
2.3 Web
2.3.1 SSL/TLS
2.3.2 HTTP/S
2.3.4 Vulnerabilities
2.3.4.1 Java Script
2.3.4.2 ActiveX
2.3.4.3 Buffer Overflows
2.3.4.4 Cookies
2.3.4.5 Signed Applets
2.3.4.6 CGI
2.3.4.7 SMTP Relay
2.5 File Transfer
2.5.1 S/FTP
2.5.2 Blind FTP/Anonymous
2.5.3 File sharing
2.5.4 Vulnerabilities
2.5.4.1 Packet Sniffing
3.1 Devices
3.1.1 Firewalls
3.1.2 Routers
3.1.3 Switches
3.1.4 Wireless
3.1.5 Modems
3.1.6 RAS
3.1.7 Telecomm/PBX
3.1.8 VPN
3.1.9 IDS
3.1.10 Network Monitoring/Diagnostics
3.1.11 Workstations
3.1.12 Servers
3.1.13 Mobile Devices
3.2 Media
3.2.1 Coax
3.2.2 UTP/STP
3.2.3 Fiber
3.2.4 Removable Media
3.2.4.1 Tape
3.2.4.2 CDR
3.2.4.3 Hard Drives
3.2.4.4 Diskettes
3.2.4.5 Flashcards
3.2.4.6 Smartcards
Your network is composed of a variety of media and devices that both facilitate communications and provide security. Some of these devices (such as routers, modems, and PBX systems) provide external connectivity from your network to other systems and networks. Some of the devices (such as CDRs, disks, and tape) provide both internal archival storage and working storage for your systems. In order to provide reasonable security, you must know how these devices work and how they provide or fail to provide security. This chapter deals with issues of infrastructure and media. They are key components of the Security+ exam and necessary for you to understand in order to secure your network.
Infrastructure Security
Infrastructure security deals with the most basic aspects of how information flows and how work occurs in your network and systems. An infrastructure is simply the basis for all of the work occurring in your organization. When discussing infrastructures, bear in mind that this includes servers, networks, network devices, workstations, and the processes in place to facilitate work.
To evaluate the security of your infrastructure, you must examine the hardware and its characteristics, and also examine the software and its characteristics. Each time you add a device, change configurations, or switch technologies, you are potentially altering the fundamental security capabilities of your network.
Networks are tied together using the Internet and other network technologies, thereby making them vulnerable to attack in any number of manners. The job of a security professional is to eliminate the obvious threats, to anticipate how the next creative assault on your infrastructure might occur, and to neutralize it before it happens.
The following sections deal with the hardware and software components that make up a network.
Hardware Components
Hardware components include physical devices, such as routers, servers, and firewalls. Figure 3.1 depicts a typical network infrastructure and some of the common hardware components in the environment. From a security perspective, this infrastructure is more than the sum of all of its parts. You must evaluate your network from the perspective of each device in it. The complexity of most networks makes securing them extremely complicated. In order to provide reasonable security, every device must be evaluated to determine its strengths and weaknesses.
Figure 3.1 A typical network infrastructure
(Figure 3.1 labels: Internet, Clients, Server Accounting, Server Engineering, Router, Firewall)
Notice in this figure that the network we will be evaluating has Internet connections. Internet connections expose your network to the highest number of external threats. These threats can come from virtually any location worldwide. The network includes routers, firewalls, switches, servers, and workstations. Each of these devices has its own unique vulnerabilities and strengths. These devices are covered in more detail later in this chapter. As you can see from Figure 3.1, your infrastructure is complicated and dynamic.
Software Components
Hardware exists to run software. Most of the devices that we use today have a certain amount of artificial intelligence. This intelligence makes them easy to configure, easy to support, and to a certain extent, easy to bypass. The network infrastructure illustrated in Figure 3.1 includes servers, workstations running operating systems, routers, firewalls (which may run as applications on servers), and dedicated devices that have their own communications and control programs.
This situation leaves networks open to attacks and security problems because many of these systems work independently. Many larger organizations have built a single area for network monitoring and administrative control of systems. This centralization allows a larger overall picture of the network to be seen, and it allows actions to be taken on multiple systems or network resources if an attack is underway. These centralized areas are called a Network Operations Center (NOC). Using a NOC makes it easier to see how an attack develops and easier to provide countermeasures. Unfortunately, a NOC is beyond the means of most businesses. They are expensive and require a great deal of support.
AT&T Wireless NOCs
AT&T Wireless maintains a huge NOC for each of the cell centers they manage. These centers provide 24/7 real-time monitoring of all devices in the cellular and computer network that they support. The operators in the NOC have the ability to literally reach out and touch any device in the network to configure, repair, and troubleshoot. A single NOC has dozens of people working around the clock to keep on top of the network. When an AT&T Wireless center goes down, it effectively takes down the entire cell-phone service for an entire region. As you can imagine, this is horrendously expensive and they do not let it happen very often. There are several NOC facilities in the United States, and one region can support or take over operations for another region if that center becomes inoperable.
Supporting an infrastructure in a large corporation can be a horrendously expensive proposition, and it requires literally years of development to create an effective NOC.
Devices
Connecting all of these components requires physical devices. Large multinational corporations, as well as small and medium-sized corporations, are building networks of enormous complexity and sophistication. These networks work by utilizing miles and miles of both wiring and wireless technologies. Whether the network is totally wire and fiber-based, or totally wireless, the method of transmitting data from one place to another opens vulnerabilities and opportunities for exploitation. These vulnerabilities appear whenever an opportunity exists to intercept information from the media.
The devices briefly described here are the components that you will typically encounter in a network.
Firewalls
Firewalls are one of the first lines of defense in a network. There are different types of firewalls, and they can be either stand-alone systems or included in other devices such as routers or servers. Many firewalls are add-in software available for servers or workstations. The basic purpose of a firewall is to isolate one network from another. Firewalls are becoming available as appliances, meaning they are installed into the network between two networks. Appliances are freestanding devices that operate in a largely self-contained manner. They should require less maintenance and support than a server-based product.
Firewalls function as one of the following:
Packet filter
Proxy firewall
Stateful inspection
The proxy shown in Figure 3.2 effectively limits access from outside networks, while allowing inside network users to access outside resources.
The proxy in this illustration is also performing firewall functions. The end user in this network uses the proxy server to manage traffic and receive returning information. This section discusses three of the most common functions that firewalls perform.
Figure 3.2 A proxy firewall blocking network access from external networks
Packet Filter
A firewall operating as a packet filter will pass or block traffic to specific addresses based on the type of application. A packet filter may allow web traffic on Port 80 and block Telnet traffic on Port 23. This type of filtering is included in many routers. If a received packet request asks for a port that is not authorized, the filter may reject the request or simply ignore it. Many packet filters can also specify which IP addresses can request which ports and allow or deny them based on the security settings of the firewall. Packet filters are growing in sophistication and capability. A packet filter does not analyze the contents of a packet; it decides whether to pass it or not based on the addressing information of the packet.
Proxy Firewall
Think of a proxy firewall as an intermediary between your network and another. Proxy firewalls are used to process requests from an outside network and evaluate whether the request is forwarded or not. The proxy will intercept all of the packets and reprocess them for use internally. This process includes hiding IP addresses. The proxy firewall will examine the data and make rules-based decisions about whether to forward the request or refuse it.
(Figure 3.2 labels: External Network, Proxy, Internal Network)
The proxy firewall provides better security than packet filtering because of the increased intelligence that a proxy firewall offers. Requests from internal network users are routed through the proxy. The proxy, in turn, repackages the request and sends it along, thereby effectively isolating the user from the external network.
A server-based proxy firewall will typically use two NIC cards. This type of firewall is referred to as a dual-homed firewall. One of the cards is connected to the outside network and one is connected to the internal network. The proxy software manages the connection between the two NIC cards. This effectively segregates the two networks from each other and offers increased security. Figure 3.3 illustrates a dual-homed firewall segregating two networks from each other.
Figure 3.3 A dual-homed firewall segregating two networks from each other
(Figure 3.3 labels: NIC Card; callout: Make sure routing or IP forwarding is disabled in the operating system.)
Dual-Homed Server-Based Proxy Firewall
You are the network administrator of a small network. You are installing a new firewall server using Windows 2000. After you complete the installation, you notice that the network does not appear to be routing traffic through the firewall and that inbound requests are not being blocked. This presents a security problem for the network because you have been getting unusual network traffic lately.
The proxy function can occur at either the application level or the circuit level. Application-level proxy functions will read the individual commands of the protocols that are being served. This type of server is very advanced and must know the rules and capabilities of the protocol used. This type of proxy would know the difference between a GET and a PUT operation, for example, and would have rules specifying how to execute them. A circuit-level proxy creates a circuit between the client and the server and does not deal with the contents of the packets that are being processed.
A unique application-level proxy server must exist for each protocol supported. Many proxy servers also provide full auditing, accounting, and other usage information that would not normally be kept by a circuit-level proxy server.
Combining firewalls with other firewalls will provide a variety of configuration and security options See Chapter 6, “Working with a Secure Network,” for further details.
Stateful Inspection
The last section on firewalls focuses on the concept of stateful inspection. Stateful inspection is also referred to as stateful packet filtering. Most of the devices we use in networks do not keep track of how information is routed or used. Once a packet is passed, the packet and path are forgotten. In stateful inspection or stateful packet filtering, records are kept using a state table that tracks every communications channel. Stateful inspections occur at all levels of the network and provide additional security, especially in connectionless protocols such as User Datagram Protocol (UDP) and Internet Control
Dual-Homed Server-Based Proxy Firewall (continued)
The most likely solution to this problem deals with the fact that Windows 2000 offers the ability to use IP forwarding in a dual-homed server. IP forwarding bypasses your firewall and uses the server as a router. Even though the two networks are effectively isolated, the new router is doing its job well and it is routing IP traffic. You will need to verify that IP forwarding and routing services are not running on this server.
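As an added illustration of the Packet Filter and Stateful Inspection sections above (example code written for this edit, not from the book), the following Python models a stateless port-based filter beside a stateful filter that keeps a state table of channels opened from the inside. The addresses, ports, and the single published-port rule are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str     # "tcp" or "udp"
    src: str       # constructed sample addresses (RFC 5737 documentation ranges)
    sport: int
    dst: str
    dport: int
    inbound: bool  # True when the packet arrives from the external network

# Service the administrator has chosen to publish to the outside (constructed rule).
INBOUND_ALLOWED_PORTS = {80}

def stateless_filter(pkt: Packet) -> bool:
    """Packet filter: decides on addressing information alone; it keeps no memory."""
    if not pkt.inbound:
        return True  # internal users may initiate anything
    return pkt.dport in INBOUND_ALLOWED_PORTS

class StatefulFilter:
    """Stateful inspection: a state table records every channel an internal host
    opens, so the matching reply is admitted even though it arrives on a high port."""
    def __init__(self) -> None:
        self.state_table = set()
    def decide(self, pkt: Packet) -> bool:
        if not pkt.inbound:
            self.state_table.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # An inbound packet is a reply only if it exactly reverses a recorded tuple.
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.state_table:
            return True
        return pkt.dport in INBOUND_ALLOWED_PORTS  # otherwise only published services

def demo() -> dict:
    """Runs constructed traffic through both filters and returns each decision."""
    query = Packet("udp", "10.0.0.5", 40000, "203.0.113.53", 53, inbound=False)
    reply = Packet("udp", "203.0.113.53", 53, "10.0.0.5", 40000, inbound=True)
    telnet = Packet("tcp", "198.51.100.9", 5555, "10.0.0.5", 23, inbound=True)
    spoof = Packet("udp", "198.51.100.9", 53, "10.0.0.5", 40000, inbound=True)
    sf = StatefulFilter()
    return {
        "stateless_reply": stateless_filter(reply),    # False: port 40000 is not published
        "stateful_query": sf.decide(query),            # True, and the channel is recorded
        "stateful_reply": sf.decide(reply),            # True: reverses the recorded tuple
        "stateless_telnet": stateless_filter(telnet),  # False: Port 23 blocked
        "stateful_telnet": sf.decide(telnet),          # False: no state, not published
        "stateful_spoof": sf.decide(spoof),            # False: source does not match
    }
```

Calling demo() returns the six decisions; the UDP reply that the stateless filter drops is exactly the connectionless case the chapter says stateful inspection exists to handle, while the unsolicited Telnet and spoofed packets are refused by both.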