Servers
Most modern server products also offer workstation functionality. In fact, many servers are virtually indistinguishable from workstations. Linux functions as both a workstation and a server in most cases. Windows 2000, while having multiple versions of workstation and server, communicates with networks in a virtually identical manner.
Most successful attacks against a server will also work against a workstation, and vice versa. Additionally, servers run dedicated applications, such as SQL Server or a full-function web server.
An early version of IIS installed a default mail system as part of its installation. This mail system was enabled unless specifically disabled. This mail server suffered from most of the vulnerabilities that were discussed in Chapter 2, "Know Your Enemy," as they related to virus and worm infections. Make sure that your system runs only the services, protocols, and processes that are needed. Turn off or disable anything you do not need.
Many of the newer systems, such as Windows 2000, allow permissions to be established to prevent software installation. You would want to evaluate the capabilities of the settings in the workstations for security. This process is referred to as locking down a desktop. You can lock down most desktops to prevent the installation of software. This may also prevent users from automatically upgrading software, and it may create additional work for the IS department. You will need to evaluate both issues to determine the best approach to take.
Mobile Devices
Mobile devices, including pagers and Personal Digital Assistants (PDAs), are becoming very popular. Many of these mobile devices use either RF signaling or cellular technologies for communication. If the device uses the Wireless Application Protocol (WAP), the device in all likelihood does not have security enabled. Several levels of security exist in the WAP protocol. These include:
Anonymous authentication, which allows virtually anyone to connect to the wireless portal.
Server authentication, which requires the workstation to authenticate against the server.
Two-way (client and server) authentication, which requires both ends of the connection (client and server) to authenticate to confirm validity. Most newer palm systems are configured to allow authentication. This authentication can be configured to challenge the user of the device to log on, as well as allow the user to challenge the server.
WAP is covered in more detail in Chapter 4.
Many new wireless devices are also capable of using certificates to verify authentication. Figure 3.12 shows a mobile systems network. This network uses both encryption and authentication to increase security.
The Wireless Session Protocol (WSP) manages the session information and connection between the devices. The Wireless Transaction Protocol (WTP) provides services similar to TCP and UDP for WAP. The Wireless Datagram Protocol (WDP) provides the common interface between devices.
FIGURE 3.12 A mobile environment using WAP security. (The figure shows the WAP stack on an 802.11-equipped device, WSP above WTLS above WDP; security is managed at the WTLS layer.)
Remote Access
One of the primary purposes for having a network is the ability to connect systems together. As networks have grown, many technologies have come on the scene to make this process easier and more secure. A key area of concern relates to the connection of systems and other networks that are not part of your network. This section discusses the more common protocols used to facilitate connectivity.
Serial Line Internet Protocol
Serial Line Internet Protocol (SLIP) is an older protocol that was used in early remote access environments. SLIP was originally designed to connect UNIX systems together in a dial-up environment, and it supports only serial communications. SLIP is a very simple protocol that is used to pass TCP/IP traffic. The protocol is not secure, nor is it efficient. Many systems still support SLIP strictly for legacy systems. SLIP is not widely used anymore, and it has largely been replaced by Point-to-Point Protocol (PPP).
Point-to-Point Protocol
Introduced in 1994, Point-to-Point Protocol (PPP) has largely replaced SLIP. PPP offers multiple protocol support, including AppleTalk, IPX, and DECnet. PPP works with POTS, Integrated Services Digital Network (ISDN), and other faster connections such as T1. PPP does not provide data security, but it does provide authentication using CHAP. Figure 3.13 shows a PPP connection over an ISDN line. In the case of ISDN, PPP would normally use one 64Kbps B channel for transmission. PPP allows many channels in a network connection (such as ISDN) to be connected or bonded together to form a single virtual connection.
FIGURE 3.13 PPP using a single B channel on an ISDN connection. (The figure shows an ISDN channel made up of a D channel and two B channels, with the PPP connection carried on one B channel.)
PPP works by encapsulating the network traffic in a protocol called Network Control Protocol (NCP). Authentication is handled by Link Control Protocol (LCP). A PPP connection allows remote users to log on to the network and have access as though they were local users on the network. PPP does not provide any encryption services for the channel.
As you might have guessed, the unsecure nature of PPP makes it largely unsuitable for WAN connections. A dial-up connection using PPP works very well, because it is not common for an attacker to tap a phone line. To counter this lack of security, other protocols have been created that take advantage of the flexibility of PPP and build on it. You want to make sure that all of your PPP connections use secure channels, dedicated connections, or dial-up connections. Remote users who connect directly to a system using dial-up connections do not necessarily need to have encryption capabilities enabled. If the connection is a direct one, the likelihood that anyone would be able to tap an existing phone line is relatively small. However, you should make sure that connections through a network do use an encryption-oriented tunneling system.
802.1X Wireless Protocols
The IEEE 802.1x protocols refer to a broad range of wireless protocols for wireless communications. There are two major families of standards for wireless communications: the 802.11 family and the 802.16 family. The 802.11 standards are discussed in more detail in Chapter 4 under "Wireless Systems." The 802.16 standard is undergoing debate in the IEEE and was finalized in the fall of 2002.
The 802.11 protocols are primarily short-range systems suitable for use in buildings and campus environments.
VPN
VPNs are used to make connections between private networks across a public network, such as the Internet. These connections are not guaranteed to be secure unless a tunneling protocol, such as PPTP, and an encryption system, such as IPSec, are used. A wide range of options, including proprietary technologies, is available for VPN support. Many of the large ISPs and data communication providers provide dedicated hardware with VPN capabilities. Many servers also provide software VPN capabilities for use between two networks.
VPN systems can be dedicated to a certain protocol, or they can pass whatever protocols they see on one end of the network to the other end. A pure VPN connection appears as a dedicated wired connection between the two network ends.
RADIUS
Remote Authentication Dial-In User Service (RADIUS) is a mechanism that allows authentication of dial-in and other network connections. A RADIUS server can be managed centrally, and the servers that allow access to a network can verify with a RADIUS server whether or not an incoming caller is authorized. In a large network with many connections, this allows a single server to perform all authentications. Figure 3.14 shows an example of a RADIUS server communicating with an ISP to allow access to a remote user. Notice that the remote server is actually functioning as a client to the RADIUS server. This allows centralized administration of access rights.
FIGURE 3.14 The RADIUS client manages the local connection and authenticates against a central server. (The figure shows the RADIUS server validating the request and returning the authorization.)
The major difficulty with a single-server RADIUS environment is that the entire network may refuse connections if the server malfunctions. Many RADIUS systems allow multiple servers to be used to increase reliability. All of these servers are critical components of the infrastructure, and they must be protected from attack. The RADIUS protocol is an IETF standard, and it has been implemented by most of the major operating system manufacturers.
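As an added illustration of the client/server exchange described above (example code written for this page, not part of the original text or of any RADIUS product), the following Python builds the Access-Request that a network access server sends as a RADIUS client, hides the User-Password attribute the way RFC 2865 specifies, and has the server check the credentials and sign its reply so that the client can discard a reply forged without the shared secret. The shared secret, user names, and NAS address are constructed values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RADIUS packet codes
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4       # attribute types used here

_xor = lambda a, b: bytes(x ^ y for x, y in zip(a, b))
_attr = lambda atype, value: struct.pack("!BB", atype, 2 + len(value)) + value  # Type, Length, Value

def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks; each block is XORed with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out

def reveal_password(hidden, secret, request_auth):
    """Server-side inverse of hide_password; the NUL padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(username, password, secret, nas_ip, ident, request_auth=None):
    """NAS (RADIUS client) side: an Access-Request carrying a hidden User-Password."""
    request_auth = request_auth or os.urandom(16)   # fresh random Request Authenticator
    attrs = (_attr(USER_NAME, username)
             + _attr(USER_PASSWORD, hide_password(password, secret, request_auth))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

def parse_attributes(packet):
    attrs, pos = {}, 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs

def server_respond(request, secret, users):
    """RADIUS server side: check the credentials, then sign the reply (RFC 2865 section 3)."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth, attrs = request[4:20], parse_attributes(request[:length])
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    stored = users.get(attrs.get(USER_NAME))   # users: constructed {username: password} store
    code = ACCESS_ACCEPT if stored is not None and hmac.compare_digest(stored, password) else ACCESS_REJECT
    body = struct.pack("!BBH", code, ident, 20)   # no reply attributes in this example
    return body + hashlib.md5(body + request_auth + secret).digest()   # Response Authenticator

def client_verify_response(response, request, secret):
    """NAS checks the Response Authenticator, so a reply forged without the secret is ignored."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    return code if ident == request[1] and hmac.compare_digest(response[4:20], expected) else None
```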
TACACS/+
Terminal Access Controller Access Control System (TACACS) is a client/server-oriented environment, and it operates in a similar manner to RADIUS. The most current method or level of TACACS is TACACS/+. TACACS/+ allows credentials to be accepted from multiple methods, including Kerberos. The TACACS client/server process occurs in the same manner as the RADIUS process illustrated in Figure 3.14. Cisco has widely implemented TACACS/+ for connections. TACACS/+ is expected to become widely accepted as an alternative to RADIUS.
Tunneling Protocols
Tunneling protocols add an additional capability to the network. They provide the ability to create tunnels between networks that can be more secure, support additional protocols, and provide virtual paths between systems.
The most common protocols used for tunneling are Point-to-Point Tunneling Protocol (PPTP), Layer 2 Forwarding (L2F), Layer 2 Tunneling Protocol (L2TP), and IPSec:
PPTP: PPTP supports encapsulation in a single point-to-point environment. PPTP encapsulates and encrypts PPP packets. This makes PPTP a favorite low-end protocol for networks. The negotiation between the two ends of a PPTP connection is done in the clear. Once the negotiation is performed, the channel is encrypted. This is one of the major weaknesses of the PPTP protocol. A packet-capture device, such as a sniffer, that captures the negotiation process can potentially use that information to determine the connection type and information about how the tunnel works. Microsoft developed PPTP, and they support it on most of their products. PPTP uses port 1723 and TCP for connections.
L2F: L2F was created by Cisco as a method of creating tunnels primarily for dial-up connections. L2F is similar in capability to PPP and should not be used over WANs. L2F does provide authentication, but it does not provide encryption. L2F uses port 1701 and TCP for connections.
L2TP: Relatively recently, Microsoft and Cisco agreed to combine their respective tunneling protocols into one protocol: the Layer Two Tunneling Protocol (L2TP). L2TP is a hybrid of PPTP and L2F. L2TP is primarily a point-to-point protocol. L2TP supports multiple network protocols and can be used in networks besides TCP/IP. L2TP works over IPX, SNA, and IP. This gives L2TP the capability of being used as a bridge across many different types of systems. The major problem with L2TP is that it does not provide data security, in that the information is not encrypted. Security can be provided by protocols such as IPSec. L2TP uses port 22 and TCP for connections.
SSH: Secure Shell (SSH) is a tunneling protocol originally designed for UNIX systems. SSH uses encryption to establish a secure connection between two systems. SSH also provides secure equivalents of programs such as Telnet, FTP, and many of the other communications-oriented programs under UNIX. SSH is now available for use on Windows systems as well. This makes SSH the preferred method of security for Telnet and other cleartext-oriented programs in the UNIX environment. SSH uses port 22 and TCP for connections.
IPSec: IPSec (Internet Protocol Security) is not a tunneling protocol, but it is used in conjunction with tunneling protocols. IPSec is oriented primarily toward LAN-to-LAN connections, rather than dial-up connections. IPSec provides secure authentication and encryption of data and headers. This makes IPSec a good choice for security. IPSec can work in either Tunneling mode or Transport mode. In Tunneling mode, the data or payload and message headers are encrypted. Transport mode encrypts only the payload.
Internet Connections
The Internet is perhaps the area of largest growth for networks. The Internet is a worldwide network that offers the capability of instantaneous connections between networks, no matter where they are located. The technology started as a research project funded by the Department of Defense and has grown at an enormous rate. Within a few years, virtually every computer in the world is expected to be connected to the Internet. This creates a security nightmare and is one of the primary reasons that the demand for professionals trained in information and computer security is expected to grow exponentially.
The following section describes some of the more common protocols, including the World Wide Web, Telnet, FTP, e-mail, and SMTP.
Connecting Remote Network Users
Your company wants to support network connections for remote users. These users will use the Internet to access desktop systems and other resources in the network. What would you advise the company to consider? You would want your organization to implement a tunneling protocol that supports security. A good solution would be a VPN connection that uses IPSec. You may also want to explore protocols like SSL, TLS, and SSH as alternatives. All of these protocols offer security as a part of their connection process.
The information on ports and sockets in this section is intended for background information and is not tested on the exam.
Ports and Sockets
As you already know, the primary method of connection between systems using the Internet is the TCP/IP protocol. This protocol establishes connections and circuits using a combination of the IP address and a port. A port is an interface that is used to connect to a device. Sockets are a combination of the IP address and the port. If you attempt to connect to a remote system with the IP address 192.168.0.100 that is running a website, you will use Port 80 by default. The combination of these two elements gives you a socket. The full address and socket description would then be 192.168.0.100:80.
IP is used to route the information from one host to another through a network. The four layers of TCP/IP encapsulate the information into a valid IP packet that is then transmitted across the network. Figure 3.15 illustrates the key components of a TCP packet requesting the home page of a website. The data will be returned from the website to Port 1024 on the originating host.
FIGURE 3.15 A TCP packet requesting a web page from a web server. (The figure shows the TCP header fields Source Port 1024, Destination Port 80, Sequence Number, Acknowledgment Number, Offset, Reserved, Flags, Window, Checksum, and Urgent Pointer. Its callouts note that the destination port indicates Port 80, the default for an HTTP server; that the return port to the client is 1024; and that the command GET / instructs the server to send data.)
The source port is the port that is being addressed on the destination. The destination port is the port to which the data will be sent. In the case of a WWW application, these would both contain 80. A number of the fields in this packet are used by TCP for verification and integrity, and you need not be concerned with them at this time.
However, the data field contains the value GET /. This requests the home or starting page from the web server. In essence, this requested the home page of the site 192.168.0.100, Port 80. The data is formed into another data packet that is passed down to IP and sent back to the originating system on Port 1024. The connections to most services using TCP/IP are based on this port model. Many of the ports are well documented, and the protocols to communicate with them are well known. If a vendor has a technological weakness or implements security poorly, the vulnerability will become well known and exploited in a short amount of time.
E-mail is one of the most popular applications in use on the Internet. Several very good e-mail servers and clients are available. Figure 3.16 demonstrates the process of transferring an e-mail message.
FIGURE 3.16 E-mail connections between clients and a server. (The figure shows e-mail clients exchanging e-mail through an e-mail server, which stores and forwards e-mail to clients.)
The most common e-mail systems use the SMTP, POP, or IMAP protocols. These protocols use TCP for session establishment:
Simple Mail Transport Protocol (SMTP): SMTP is a mail delivery protocol that is used to send e-mail between an e-mail client and an e-mail server, as well as between e-mail servers. Messages are moved from client to server to client via the Internet. Each e-mail can take different paths from the client to the server. In this situation, the clients are on two different e-mail servers; they could both be on the same server, and the process would appear transparent to the user. SMTP uses port 25 and TCP for connections.
Post Office Protocol (POP): POP is a newer protocol that relies on SMTP for message transfer for receiving e-mail. POP provides a message store that can be used to store and forward messages. If a server is not operating, the originating server can store a message and try to resend it later. POP3, the newest version of POP, allows messages to be transferred from the waiting post office to the e-mail client. The current POP standard uses port 109 for POP2 and 110 for POP3. The POP protocol uses TCP for connections.
Internet Message Access Protocol (IMAP): IMAP is the newest player in the e-mail field, and it is rapidly becoming the most popular. Like POP, IMAP has a store-and-forward capability. However, it has much more functionality. IMAP allows messages to be stored on an e-mail server instead of being downloaded to the client. IMAP allows messages to be downloaded based on search criteria. Many IMAP implementations also allow connection using web browsers. The current version of IMAP (IMAP 4) uses port 143 and TCP for connection.
S/MIME and PGP are two of the more popular methods of providing security for e-mails These are covered in more detail in Chapter 8, “Cryptography Standards.”
E-Mail Vulnerabilities
E-mail accounts typically use a separate logon name and password from the OS user ID and password. This somewhat minimizes the security risk, unless they are the same. The authentication information for e-mail is not always encrypted and is subject to sniffing. Further, the message is unencrypted, and all contents are subject to exposure. If your e-mail servers are located in another facility and you use the Internet to communicate, your e-mails are very easily intercepted and read. If privacy is an issue, you will need to encrypt them using one of the packages or encryption schemes discussed later in this book.
Any misuse of corporate resources, such as e-mail servers, is considered a security issue by most organizations.
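The sniffing risk described above can be audited from a network capture. The following Python is an added example (not from the original text) that walks constructed, reassembled client-to-server lines from the three mail protocols in this section, ports 25, 110 and 143, and reports each account whose logon crossed the wire unencrypted; it recognizes SMTP STARTTLS so that a session that switched to TLS is not flagged, and it never copies passwords into the report. All session lines, names and passwords are made up.

```python
import base64
import re

SERVICE_BY_PORT = {25: "SMTP", 110: "POP3", 143: "IMAP"}

# Constructed sample: (session id, server port, client-to-server line), as a sniffer on the
# path to the mail server would reconstruct it. Every name and password here is invented.
CAPTURED_LINES = [
    (1, 110, "USER alice"),
    (1, 110, "PASS hunter2"),
    (2, 143, "a001 LOGIN bob secret123"),
    (3, 25, "EHLO client.example.net"),
    (3, 25, "AUTH PLAIN " + base64.b64encode(b"\x00carol\x00p4ss").decode()),
    (4, 25, "EHLO client.example.net"),
    (4, 25, "STARTTLS"),
    (4, 25, "AUTH PLAIN " + base64.b64encode(b"\x00dave\x00pw").decode()),  # after STARTTLS a real sniffer sees only ciphertext
]

def smtp_plain_username(b64):
    """AUTH PLAIN carries base64(authzid NUL authcid NUL password); return only the authcid."""
    try:
        parts = base64.b64decode(b64, validate=True).split(b"\x00")
    except ValueError:          # binascii.Error is a ValueError: not base64 at all
        return None
    return parts[1].decode(errors="replace") if len(parts) == 3 else None

def find_cleartext_auth(lines):
    """One finding per logon sent in the clear; passwords are deliberately not copied out."""
    findings, encrypted, pop3_user = [], set(), {}
    for session, port, line in lines:
        if session in encrypted:
            continue                                  # rest of this session is TLS ciphertext
        if port == 25 and line.strip().upper() == "STARTTLS":
            encrypted.add(session)
            continue
        user = None
        if port == 110 and (m := re.match(r"(?i)USER\s+(\S+)\s*$", line)):
            pop3_user[session] = m.group(1)          # remember; the leak is the PASS that follows
        elif port == 110 and re.match(r"(?i)PASS\s+\S", line):
            user = pop3_user.get(session, "<unknown>")
        elif port == 143 and (m := re.match(r'(?i)\S+\s+LOGIN\s+"?([^\s"]+)"?\s+\S', line)):
            user = m.group(1)                         # IMAP LOGIN sends user and password together
        elif port == 25 and (m := re.match(r"(?i)AUTH\s+PLAIN\s+(\S+)\s*$", line)):
            user = smtp_plain_username(m.group(1))
        if user:
            findings.append({"session": session, "service": SERVICE_BY_PORT[port], "username": user})
    return findings

if __name__ == "__main__":
    for f in find_cleartext_auth(CAPTURED_LINES):
        print(f"session {f['session']}: {f['service']} logon for {f['username']} sent unencrypted")
```

Each finding is an account whose password should be treated as exposed and whose client should be moved to TLS (STARTTLS, or the implicit-TLS ports) or to one of the encryption schemes discussed later in this book.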